Cayin xPost and CMS exploits #13607
Conversation
@liquidworm your CMS one, while the NTP IP field was vulnerable, we had different paths and parameters as compared to your EDB code. What device(s) did you test it against? @liquidworm did you apply for CVEs for these findings? If not @todb-r7 can put in for them if you want.

@ccondon-r7 No rush on assigning this, but the website only lets you download the 'latest', so someone may want to go download the files now in case they get patched. Then they can let it sit for a while till they get to reviewing this. I also have them and can provide

https://www.cayintech.com/download/digital_signage_trial/CAYIN_CMS-SE_v110.zip <- Grabbed a copy of the CMS from here for safe keeping. https://www.cayintech.com/download/digital_signage_trial/xPost_v2.5.zip <- Grabbed a copy of the xPost software from here for safe keeping. Thanks @h00die for the heads up :) (Edit: Woops see you mentioned you already have copies as well 😅)
@h00die The CMS was tested against version 11.0, but I've noticed in different builds there are slight changes in parameters and code for the NTP server testing feature, which remains vulnerable.
Just a few minor things
documentation/modules/exploit/windows/http/cayin_xpost_sql_rce.md
@liquidworm no hassle at all, I'll put in for a CVE and bug you for anything that's unclear.

@liquidworm Okay here's some CVEs to use:
Let's see if I can ninja-edit these into the modules. (cc @djordan-r7 )

Thanks @todb-r7 !

Thanks @todb-r7 ^^

Tested both modules:

Release Notes
Cayin CMS NTP Server RCE and Cayin xPost wayfinder_seqid SQLi to RCE modules exploit Cayin software. The Cayin xPost module exploits a blind SQL injection vulnerability that results in code execution as SYSTEM. The Cayin CMS NTP module gets authenticated code execution by injecting code into the
This PR adds 2 exploits by @liquidworm against Cayin products.
The first is Cayin xPost with an unauthenticated SQLi to RCE on Windows. Luckily they bundle mysql and tomcat, so the env is pretty static. Gives SYSTEM level access. Once landed, this may be a good candidate for @red0xff to convert to his sqlilibrary (and pull the user table, optionally as we discussed in slack).
The second is Cayin CMS (-SE) with an authenticated RCE. The guide said to install it on Ubuntu 16.04, my attempt on 20.04 failed, use 16.04!!! This is a pretty trivial RCE in an NTP field for root access.
Verification
msfconsole
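Defensive illustration added here (not code from this PR, from Metasploit, or from Cayin): the root cause behind the CMS module is an NTP-server test field whose value reaches a shell. The hardened handler below accepts only a literal IP address or an RFC 1123 hostname and passes it as a single argv element, so shell metacharacters never get interpreted. `ntpdate -q` as the reachability command and the field name are assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# One RFC 1123 hostname label: letters, digits, hyphens; 1-63 chars;
# must not start or end with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ntp_host(value: str) -> bool:
    """True only for a literal IPv4/IPv6 address or an RFC 1123 hostname.

    Spaces, quotes, ';', '|', '$(', backticks and every other shell
    metacharacter fail this allow-list, so they are rejected before the
    value can be handed to any command.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # raises ValueError if not an IP literal
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ntp_test_command(value: str) -> List[str]:
    """Return argv for the NTP reachability test, or raise on bad input.

    The list form is meant for subprocess without shell=True: even if an
    odd value slipped past validation it would be one argument to ntpdate,
    not shell code (contrast with f"ntpdate -q {value}" under shell=True,
    which is the injectable pattern).
    """
    if not is_valid_ntp_host(value):
        raise ValueError(f"rejected NTP server value: {value!r}")
    return ["ntpdate", "-q", value]  # ntpdate -q is an assumed test command


def run_ntp_test(value: str) -> int:
    """Run the test without a shell; exit status only, no output parsing."""
    return subprocess.run(build_ntp_test_command(value), check=False).returncode
```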